How DoS differs from DDoS. Why are DoS and DDoS attacks dangerous? Vulnerabilities in operating systems, software and device firmware

A DoS attack (Denial of Service) is an attack on a computing system intended to bring it to failure, that is, to create conditions under which legitimate users of the system cannot access the resources the system (its servers) provides, or can do so only with difficulty. Failure of the "enemy" system can be a step toward taking control of it (if, in the abnormal situation, the software discloses critical information such as a version number, part of the program code, etc.). More often, though, it is a means of economic pressure: downtime of a revenue-generating service, the provider's bills and the measures taken to fend off the attack will noticeably hit the target's pocket.

If the attack is carried out simultaneously from a large number of computers, it is called a DDoS attack (Distributed Denial of Service). In some cases an actual DDoS attack is caused by an unintentional action, for example when a popular Internet resource posts a link to a site hosted on a not very powerful server (the slashdot effect). The large influx of users exceeds the permissible load on the server and, consequently, some of them are denied service.

Types of DoS attacks

There are various reasons why a DoS condition may arise:

* A bug in the program code, resulting in access to an unused part of the address space, execution of an invalid instruction, or another unhandled exceptional situation that makes the server program terminate abnormally. A classic example is dereferencing the null (NULL) address.

* Insufficient validation of user data, leading to an infinite or very long loop, to prolonged heavy consumption of processor resources (up to their exhaustion), or to allocation of a large amount of RAM (up to exhaustion of the available memory).

* Flood: an attack consisting of a large number of usually meaningless or malformed requests to a computer system or network equipment, which aims at, or results in, denial of service through exhaustion of system resources: the processor, memory or communication channels.

* Second-kind attack: an attack that seeks to cause a false triggering of a protection system and thereby make the resource unavailable. If the attack (usually a flood) is carried out simultaneously from a large number of IP addresses, that is, from several computers dispersed across the network, it is called a distributed denial-of-service attack (DDoS).

Types of flood

A flood is a huge stream of meaningless requests from different computers whose purpose is to keep the "enemy" system (its processor, RAM or communication channel) busy and thereby temporarily put it out of service. The concept of a "DDoS attack" is almost equivalent to that of a flood, and in everyday usage the two are often interchangeable ("flood the server" = "DDoS the server").

A flood can be produced both with ordinary network utilities such as ping (the Internet community "Upyachka", for example, is known for this) and with special programs. DDoS capability is often "sewn into" botnets. If a cross-site scripting vulnerability, or the ability to embed images from other resources, is found on a high-traffic site, that site can also be used for a DDoS attack.

Any computer that communicates with the outside world over TCP/IP is exposed to the following types of flood:

* SYN flood: in this form of flood a large number of SYN packets (connection requests) are sent over TCP to the attacked node. After a short time the number of sockets available for opening (software network sockets, ports) on the attacked computer is exhausted and the server stops responding.

* UDP flood: this type of flood attacks not the target computer but its communication channel. Providers reasonably assume that UDP packets must be delivered first and TCP can wait. A large number of UDP packets of various sizes clogs the communication channel, and the TCP server stops responding.

* ICMP flood: the same, but using ICMP packets.
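To make the SYN flood mechanism concrete from the defender's side, here is a small model of a listener's half-open connection table (the SYN backlog) under a flood. It is an added example, not code from the original article: the backlog size, timeout, addresses and event sequence are constructed for the illustration. It shows the two settings that decide whether a legitimate client still gets a slot: how quickly stale half-open entries are aged out, and whether a single source may hold the whole backlog.

```python
"""Model of a TCP listener's SYN backlog under a SYN flood (constructed example).

Every SYN not yet followed by the final ACK of the handshake occupies a slot
in the backlog. Constants and event data are constructed for the illustration,
not measured from any real system.
"""


class HalfOpenTable:
    """Tracks half-open connections, bounded by the backlog size."""

    def __init__(self, backlog, syn_timeout, per_source_cap=None):
        self.backlog = backlog                # total half-open slots
        self.syn_timeout = syn_timeout        # seconds before a stale SYN is dropped
        self.per_source_cap = per_source_cap  # None = no per-source limit
        self.entries = {}                     # (src, sport) -> time the SYN arrived
        self.refused = 0                      # SYNs dropped for lack of a slot

    def _expire(self, now):
        """Drop half-open entries older than the timeout."""
        stale = [key for key, ts in self.entries.items() if now - ts > self.syn_timeout]
        for key in stale:
            del self.entries[key]

    def _held_by(self, src):
        return sum(1 for (s, _) in self.entries if s == src)

    def on_syn(self, src, sport, now):
        """Return True if the SYN gets a backlog slot, False if it is refused."""
        self._expire(now)
        if self.per_source_cap is not None and self._held_by(src) >= self.per_source_cap:
            self.refused += 1
            return False
        if len(self.entries) >= self.backlog:
            self.refused += 1
            return False
        self.entries[(src, sport)] = now
        return True

    def on_ack(self, src, sport):
        """Final handshake ACK: the connection leaves the half-open state."""
        return self.entries.pop((src, sport), None) is not None


def simulate_syn_flood(per_source_cap=None, legit_syn_at=1, backlog=128, syn_timeout=30):
    """Replay a constructed flood of 200 never-completed SYNs from one source at t=0,
    then a legitimate client's SYN at t=legit_syn_at. Returns whether the
    legitimate SYN was accepted."""
    table = HalfOpenTable(backlog, syn_timeout, per_source_cap)
    for sport in range(1, 201):                       # the attacker never sends the ACK
        table.on_syn("198.51.100.7", 40000 + sport, now=0)
    return table.on_syn("10.0.0.2", 51234, now=legit_syn_at)


if __name__ == "__main__":
    print("no cap, SYN at t=1:  ", simulate_syn_flood())                   # False: backlog full
    print("cap 16, SYN at t=1:  ", simulate_syn_flood(per_source_cap=16))  # True
    print("no cap, SYN at t=40: ", simulate_syn_flood(legit_syn_at=40))    # True: entries aged out
```

The per-source cap only helps when the flood really comes from one address; as the article notes later, a SYN flood usually forges non-existent source addresses, which is why stateless defences (SYN cookies) and upstream filtering are needed in addition to backlog tuning.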

Many services are built so that a small request can cause heavy consumption of computing power on the server. In this case it is not the communication channel or the TCP subsystem that is attacked, but the service itself, with a flood of such "heavy" requests. For example, web servers are vulnerable to HTTP flood: to take down a web server, both the simplest GET / and a complex database-backed request such as GET /index.php?search=<random string> can be used.
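Because a "heavy" request costs the server far more than GET /, a limiter that counts requests alone under-protects the expensive endpoints. The following cost-weighted token bucket is an added example, not code from the original article: each client gets a token budget, cheap requests cost one token and the search endpoint costs ten, so the limiter budgets server work rather than raw request counts. The capacity, refill rate, costs, paths and client addresses are constructed for the illustration.

```python
"""Cost-weighted token-bucket rate limiter for application-level floods (constructed example).

Each client has a bucket that refills at a fixed rate. Cheap requests cost one
token; heavy requests (here, a database search) cost more. All constants,
paths and addresses are constructed for the illustration.
"""
import time
from collections import defaultdict


class CostWeightedLimiter:
    def __init__(self, capacity, refill_per_second, costs, default_cost=1):
        self.capacity = capacity           # burst allowance per client, in tokens
        self.refill = refill_per_second    # sustained rate, tokens per second
        self.costs = costs                 # path prefix -> token cost
        self.default_cost = default_cost
        self._buckets = {}                 # client -> (tokens, last_update_ts)

    def cost_of(self, path):
        """Token cost of a request: first matching prefix wins, else the default."""
        for prefix, cost in self.costs.items():
            if path.startswith(prefix):
                return cost
        return self.default_cost

    def allow(self, client, path, now=None):
        """Return True if the request fits the client's budget, charging for it."""
        now = time.monotonic() if now is None else now
        tokens, last = self._buckets.get(client, (float(self.capacity), now))
        tokens = min(self.capacity, tokens + (now - last) * self.refill)  # refill since last seen
        cost = self.cost_of(path)
        if tokens >= cost:
            self._buckets[client] = (tokens - cost, now)
            return True
        self._buckets[client] = (tokens, now)   # keep the refilled balance, reject
        return False


def replay(limiter, requests):
    """Replay constructed (ts, client, path) tuples; return {client: (allowed, rejected)}."""
    tally = defaultdict(lambda: [0, 0])
    for ts, client, path in requests:
        tally[client][0 if limiter.allow(client, path, now=ts) else 1] += 1
    return {client: tuple(counts) for client, counts in tally.items()}


# Constructed traffic: a normal visitor, and a client hammering the search endpoint.
SAMPLE_REQUESTS = [(t, "10.0.0.2", "/") for t in range(5)]
SAMPLE_REQUESTS += [(0, "203.0.113.9", "/index.php?search=x") for _ in range(30)]
SAMPLE_REQUESTS += [(5, "203.0.113.9", "/index.php?search=y")]


def demo():
    """20-token burst, 2 tokens/s refill, search costs 10 tokens."""
    limiter = CostWeightedLimiter(capacity=20, refill_per_second=2,
                                  costs={"/index.php?search=": 10})
    return replay(limiter, SAMPLE_REQUESTS)


if __name__ == "__main__":
    print(demo())   # {'10.0.0.2': (5, 0), '203.0.113.9': (3, 28)}
```

The normal visitor is never throttled, while the searching client gets two searches from its burst allowance, is rejected 28 times, and is granted one more search only after five seconds of refill. In a real deployment the budget would be keyed on something harder to multiply than a source address (a session or API key) and the rejection would return HTTP 429 with a Retry-After header.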

Detection of DoS attacks

It is commonly believed that no special tools are needed to detect DoS attacks, since the fact of a DoS attack cannot go unnoticed. In many cases this is true. However, successful DoS attacks have often been observed that the victims noticed only after 2-3 days.

It has happened that the negative consequences of an attack (a flood attack) took the form of unnecessary payments for excess Internet traffic, which came to light only when the invoice from the Internet provider arrived. Moreover, many attack detection methods are ineffective close to the target but effective on backbone network channels. In that case it is advisable to deploy detection systems precisely there, rather than waiting until the attacked user notices the attack himself and asks for help. Besides, to counter DoS attacks effectively one needs to know their type, nature and other characteristics, and it is precisely detection systems that allow this information to be obtained promptly.

DoS attack detection methods can be divided into several large groups:

* signature-based: based on qualitative traffic analysis,

* statistical: based on quantitative traffic analysis,

* hybrid (combined): combining the advantages of both methods above.
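The three groups can be shown side by side on log data. The following is an added example, not code from the original article: a signature rule flags sources that send the "search with a long random token" pattern from the HTTP flood description above; a statistical rule learns the normal per-source request rate from attack-free traffic and flags sources that exceed mean + k·stdev in any window; the hybrid detector reports the union with the reason attached. The log format, addresses, window size and thresholds are constructed for the illustration.

```python
"""Signature, statistical and hybrid DoS detection over constructed access-log lines.

Log format, addresses and thresholds are constructed for the illustration.
"""
import re
import statistics
from collections import Counter, defaultdict

WINDOW_SECONDS = 10      # counting window
SIGMA_MULTIPLIER = 3.0   # how far above the learned mean counts as anomalous
ABSOLUTE_FLOOR = 10      # never alert below this many requests per window
# Signature: a search query consisting of a long random alphanumeric token
RANDOM_SEARCH = re.compile(r"[?&]search=[A-Za-z0-9]{12,}$")


def parse_log(lines):
    """Parse constructed 'ts src method path' lines into dicts."""
    records = []
    for line in lines:
        ts, src, method, path = line.split()
        records.append({"ts": int(ts), "src": src, "method": method, "path": path})
    return records


def signature_alerts(records):
    """Signature method: sources that sent at least one request matching the pattern."""
    return sorted({r["src"] for r in records if RANDOM_SEARCH.search(r["path"])})


def peak_rate_per_source(records, window=WINDOW_SECONDS):
    """Highest request count each source reached within any single window."""
    counts = Counter((r["src"], r["ts"] // window) for r in records)
    peaks = defaultdict(int)
    for (src, _), n in counts.items():
        peaks[src] = max(peaks[src], n)
    return dict(peaks)


def learn_baseline(quiet_records):
    """Statistical method, training step: mean and stdev of peak rates in normal traffic."""
    peaks = list(peak_rate_per_source(quiet_records).values())
    return statistics.mean(peaks), statistics.pstdev(peaks)


def statistical_alerts(records, baseline, k=SIGMA_MULTIPLIER):
    """Statistical method, detection step: sources above the learned threshold."""
    mean, stdev = baseline
    threshold = max(mean + k * stdev, ABSOLUTE_FLOOR)
    return sorted(src for src, n in peak_rate_per_source(records).items() if n > threshold)


def hybrid_alerts(records, baseline):
    """Hybrid method: every source flagged by either method, with the reasons."""
    sig, stat = set(signature_alerts(records)), set(statistical_alerts(records, baseline))
    return {src: [name for name, hits in (("signature", sig), ("statistical", stat)) if src in hits]
            for src in sorted(sig | stat)}


# Constructed attack-free traffic: a few requests per source within one window.
QUIET_LOG = [
    "1 10.0.0.1 GET /", "3 10.0.0.1 GET /index.php?search=shoes",
    "2 10.0.0.2 GET /about", "5 10.0.0.2 GET /", "7 10.0.0.2 GET /contact",
    "4 10.0.0.3 GET /", "6 10.0.0.3 GET /index.php?search=cats", "8 10.0.0.3 GET /", "9 10.0.0.3 GET /about",
    "1 10.0.0.4 GET /", "2 10.0.0.4 GET /",
    "5 10.0.0.5 GET /", "6 10.0.0.5 GET /", "7 10.0.0.5 GET /",
]
# Constructed live traffic: one normal visitor, one high-rate source, and one
# source that sends only two requests but with the random-token signature.
LIVE_LOG = ["100 10.0.0.2 GET /", "104 10.0.0.2 GET /about", "108 10.0.0.2 GET /"]
LIVE_LOG += [f"{100 + i % 10} 198.51.100.7 GET /" for i in range(40)]
LIVE_LOG += ["101 203.0.113.9 GET /index.php?search=Qx7bT9aLm2ZpR4vK",
             "105 203.0.113.9 GET /index.php?search=hN3cW8dYq1sFe6Ju"]


def demo():
    baseline = learn_baseline(parse_log(QUIET_LOG))
    return hybrid_alerts(parse_log(LIVE_LOG), baseline)


if __name__ == "__main__":
    print(demo())   # {'198.51.100.7': ['statistical'], '203.0.113.9': ['signature']}
```

The example shows why the two families complement each other: the high-rate source has no distinctive payload and is caught only by the rate statistics, while the low-rate source would stay below any volume threshold and is caught only by the signature. The baseline is learned from a separate quiet period rather than from the traffic under inspection, because a single large outlier inflates both the mean and the standard deviation enough to hide itself.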

Protection against DoS attacks

Measures to counter DoS attacks can be divided into passive and active, and into preventive and reactive. Below is a brief list of the basic methods.

* Prevention. Removing the reasons that motivate certain individuals to organize and carry out DoS attacks. (Very often cyberattacks are the consequence of personal grievances, political, religious and other disagreements, provocative behaviour by the victim, etc.)

* Filtering and blackholing. Blocking traffic coming from the attacking machines. The effectiveness of these methods decreases the closer they are applied to the target and increases the closer they are applied to the attacking machine.

* Reverse DDoS. Redirecting the traffic used for the attack back onto the attacker.

* Eliminating vulnerabilities. Does not work against flood attacks, for which the "vulnerability" is the finiteness of certain system resources.

* Increasing resources. Gives no absolute protection, of course, but is a good basis for applying other types of protection against DoS attacks.

* Dispersion. Building distributed and redundant systems that will keep serving users even if some of their elements become unavailable because of a DoS attack.

* Evasion. Moving the direct target of the attack (domain name or IP address) away from other resources, which are often hit together with the direct target.

* Active response. Acting on the sources, organizer or control centre of the attack by technical as well as organizational and legal means.

* Use of equipment for repelling DoS attacks. For example, DefensePro® (Radware), Perimeter (MFI Soft), Arbor Peakflow® and products from other manufacturers.

* Purchase of a DoS protection service. Relevant when the flood exceeds the bandwidth of the network channel.


Exploitation of bugs

An exploit is a program, a fragment of program code or a sequence of commands that makes use of vulnerabilities in software and is used to attack a computer system. Among exploits that lead to a DoS attack but are unsuitable, for example, for seizing control of the "enemy" system, the best known are WinNuke and Ping of Death.



The goal of a DDoS attack can be either blocking a competitor's project or a popular resource, or gaining full control of the system. When promoting a site, it is taken into account that DoS conditions arise for the following reasons:

  • because of bugs in the program code that lead to execution of invalid instructions, access to an unused part of the address space, etc.;
  • because of insufficient validation of user data, which can lead to a long (or infinite) loop, increased processor consumption, memory exhaustion, etc.;
  • because of a flood, an external attack consisting of a large number of malformed or meaningless requests to the server; floods of the TCP subsystem, of the communication channels and at the application level are distinguished;
  • because of an external influence whose purpose is to cause a false triggering of the protection system and, as a result, make the resource unavailable.

Protection

DDoS attacks are a serious complication, since if the server is out of operation long enough its pages drop out of the search index. To detect threats, signature, statistical and hybrid methods are used: the first is based on qualitative analysis, the second on quantitative analysis, and the third combines the advantages of the previous two. Countermeasures are passive and active, preventive and reactive. The following methods are mainly applied:

  • eliminating the personal and social reasons that motivate people to organize DDoS attacks,
  • blackholing and traffic filtering,
  • removing code vulnerabilities during search engine optimization,
  • expanding server resources, building redundant and distributed systems to keep serving users,
  • technical, organizational and legal action against the organizer, the sources or the attack's control centre,
  • installing DDoS mitigation equipment (Arbor Peakflow®, DefensePro®, etc.),
  • buying a dedicated server for hosting the site.

The level of threat depends directly on the strength and duration of the attack.

DoS (Denial of Service) attacks

The logic of the attack is to create conditions under which ordinary, legitimate users of the system cannot access the resource provided by the site, or can access it only with difficulty.

In most cases a DoS attack is a means of commercial pressure on a site. Downtime of a site that brings in income, the provider's bills and the measures taken to fend off the attack noticeably hit the resource owner's pocket.
The motive for DoS attacks may also be political, religious or otherwise, when the attackers disagree with the content and policies of the site.

A DoS attack on a site may be a prelude to hacking it if, in the event of a denial of service, the site's code discloses critical information, for example the software version, part of the program code, server paths, etc.

When the attack is carried out simultaneously from a large number of computers, it is called a DDoS attack (Distributed Denial of Service).

DDoS (Distributed Denial of Service) attacks

The techniques for carrying out DoS and DDoS attacks are diverse, from simply overloading the resource to "smart" DoS techniques that target specific weak or long-running site scripts.

Attackers often use vulnerabilities in server software. Older versions of server software are exposed to numerous vulnerabilities, including susceptibility to DoS and DDoS attacks. Exploits use these vulnerabilities to organize DoS and DDoS attacks.

The "smart" DDoS technique is also an attack that leads to denial of service by exceeding the limits set by the hosting provider.

Almost every hosting service has undocumented service restrictions, such as the number of simultaneous accesses to the server file system, a processor load limit, etc. Knowing this information, the attacker directs an attack at the site or server that exceeds these limits.

Classification of DoS and DDoS attacks:

  • Bandwidth saturation: an attack involving a large number of meaningless requests to the site, aiming at its failure through exhaustion of system resources: processor, memory or communication channels.
  • HTTP flood and ping flood: a primitive DoS attack whose purpose is to saturate the bandwidth and take the site down. The success of the attack depends directly on the difference between the channel width of the attacked site and that of the attacking server.
  • Smurf attack (ICMP flood): one of the most dangerous DDoS attacks, in which the attacker uses a broadcast transmission to check the working nodes in the system by sending a ping request. The attacker sends a forged ICMP packet in which the source address is changed to the victim's address. All nodes then send their reply to the ping request to the victim. Thus an ICMP packet sent by the attacker through an amplifying network of 200 nodes is amplified 200 times.
  • Fraggle attack (UDP flood): an attack similar to the Smurf attack, in which UDP packets are used instead of ICMP packets. The principle of this attack is simple: ECHO commands are sent to the attacked server via a broadcast request, with the attacker's IP address replaced by the victim's IP address, and the victim soon receives many response messages. This attack leads to saturation of the bandwidth and complete denial of service for the victim. If the ECHO service is disabled everywhere, ICMP messages will be generated instead, which will also lead to saturation of the channel.
  • SYN packet attack (SYN flood): the essence of the attack is as follows. Two servers establish a TCP connection, and establishing it requires a small amount of resources. By sending a number of forged requests, one can use up all the system's resources for establishing connections. This is done by replacing the real IP address of the attacking server with a non-existent one when sending the SYN packets. The victim server builds a queue of unfinished connections, which exhausts its resources. Determining the source of such an attack is extremely difficult, because the true addresses of the attacking servers are replaced with non-existent ones.

In some cases an actual DDoS attack is caused by an unintentional action, for example when a popular resource posts a link to a site hosted on a not very fast and powerful server (the slashdot effect).

The large influx of users likewise exceeds the permissible load on the server and, consequently, leads to denial of service.

Protection against DoS and DDoS attacks

There is no universal protection against DoS and DDoS attacks.
There is no guaranteed protection against a powerful DDoS attack.

A DoS or DDoS protection strategy depends directly on the type, logic and power of the attack itself.


A DoS attack is an attack that leads to paralysis of a PC or server. This happens because a huge number of requests are sent at a fairly high rate to the attacked web resource. A DDoS attack is an attack carried out simultaneously from a huge number of computers.

More about DoS attacks

DoS (Denial of Service) literally translates as "denial of service". Such an attack has two variants. In the first, a vulnerability in the software installed on the computer is attacked; through this vulnerability a critical error is triggered that leads to failure of the whole system. In the second, the DoS attack is carried out by sending a very large number of information packets to the computer. Each information packet sent from one computer to another takes some time to process.

If another request arrives during processing, it "waits in line" and takes up a certain amount of the physical resources of the whole system. If a large number of information packets are sent to the computer, the enormous load will force the computer to disconnect from the Internet or simply hang, which is exactly what the organizers of the DoS attack are after.

More about DDoS attacks

A DDoS attack (Distributed Denial of Service, literally "distributed denial of service") is a kind of DoS attack. Such an attack is organized from a huge number of computers. Because of this, even servers with very high-bandwidth Internet channels are exposed to it.

But a DDoS attack is not always the result of someone's ill will. Sometimes such an effect happens by chance, for example when a link to a site hosted on some server is placed on a very popular web resource. This phenomenon is called the slashdot effect.

Bear in mind that a DDoS attack is almost always carried out for commercial gain, since organizing one requires a great deal of both time and money, which, as you can see, not everyone can afford. Quite often a special network of computers called a botnet is used to organize DDoS attacks.

What is a botnet? A botnet is a network of computers infected with a special type of virus. All the infected computers are remotely controlled by the intruders; often the owners of these computers do not even know that they are taking part in a DDoS attack. Computers are infected by a virus or by a program disguised as something useful. Malicious code is then installed on the computer by this program and works in so-called "invisible" mode, so antivirus software does not notice it. At a certain moment the botnet owner activates these programs and they begin sending requests to the server the intruders are attacking.

When carrying out a DDoS attack, attackers often use a so-called "DDoS cluster". A DDoS cluster is a special three-tier network architecture of PCs. In such a structure there are usually one or several control consoles that give the signal to start the DDoS attack.

The signal is then transmitted to the master computers (intermediaries between the consoles and the agent computers). Agent computers are the computers that actually attack the server. Often the owners of the master and agent computers do not even suspect that they are involved in the attack.

Protection against DDoS attacks can take different forms, because the types of attack themselves differ. There are four main types: UDP flood, TCP flood, TCP SYN flood and ICMP flood. A DDoS attack becomes even more dangerous if the attackers combine all or some of these methods.

A universal way to protect against this type of attack has not yet been invented. But if a few simple rules are followed, the risk of an attack can be reduced to almost zero. Software vulnerabilities must be eliminated; resources must also be increased and distributed. A package of protection programs against this type of attack (at least a minimal one) must be installed on the computer.
