With the number of 'hacking' attacks reported in the news increasing, this
page attempts to describe in general terms how one class of these attacks (denial-of-service)
works.
Types of Attack
We'll get into specific attacks in a bit, but in general terms, denial-of-service
attacks fall into four broad categories:
• Tying up a server
• Tying up CPU cycles or resources
• Disabling web traffic (this can also happen accidentally)
• Mail bombs
What most people don't realize is that network communications consist of several
layers. Each layer has its own protocols for transmitting information and its own
security properties. Toward the bottom is the actual telecommunications layer. Because
this layer carries the greatest concentration of traffic (after all, everything eventually
gets reduced to bits being sent over wires), it is probably the weakest link in the chain.
If your telecom layer can be interrupted, everything comes to a halt. In some companies,
if communications are interrupted for even a day, the company can be in serious
business trouble; those companies will often have triple-redundant routing (or
more) so that if one channel is attacked, other channels are still available.
Specific Attacks
Below are descriptions of six denial-of-service attacks (there are more). The
descriptions are kept general and are readily available on the net. Please don't
ask for further details.
• SYN Flood
The basic purpose of a SYN flood is to use up all the new-connection slots at a
site and thus prevent legitimate users from connecting. A TCP connection is made
with a three-step handshake: the client sends a SYN (SYnchronize sequence Number)
packet, the server replies with a SYN-ACK acknowledging it and saying it is ready,
and the client then sends a final ACK confirming that the connection is made. The
SYN packet carries the source address the server is supposed to reply to. If that
address is forged, the SYN-ACK goes to a host that never asked for the connection,
and the server never gets the final acknowledgment. Meanwhile the server holds a
"half-open" entry for that connection until it eventually times out, at which point
the slot becomes available again for another request. A SYN flood sends so many such
forged requests that every slot is continuously tied up waiting for acknowledgments
that never come. This makes the server generally unavailable to legitimate users (unless
one happens to sneak in just at the moment one of the tied-up entries times
out).
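The following is an added example, not code from the original page: a small model of a listener's half-open connection queue that behaves as described above, beside a listener that uses SYN cookies (a stateless handshake the page does not mention, added here as the countermeasure a practitioner would want to see). The backlog size, timeout, secret and all addresses are constructed for illustration.

```python
"""Added example (not from the original page): a listener with a fixed
half-open queue under a spoofed SYN flood, and a SYN-cookie listener that
keeps no per-SYN state.  BACKLOG, SYN_TIMEOUT, SECRET and every address
below are constructed values, not from the page."""
import hashlib
import hmac

BACKLOG = 8          # assumed: half-open entries the listener will hold
SYN_TIMEOUT = 60.0   # assumed: seconds before an unanswered SYN-ACK is given up
SECRET = b"constructed-secret-for-the-example"


class StatefulListener:
    """Every SYN reserves a slot that is freed only by the client's ACK or by timeout."""

    def __init__(self):
        self.half_open = {}      # (src_ip, src_port) -> time the slot expires
        self.established = 0
        self.refused = 0

    def _expire(self, now):
        for key in [k for k, t in self.half_open.items() if t <= now]:
            del self.half_open[key]

    def on_syn(self, src_ip, src_port, now):
        self._expire(now)
        if len(self.half_open) >= BACKLOG:
            self.refused += 1
            return False         # queue full: the SYN is dropped, client gets no answer
        self.half_open[(src_ip, src_port)] = now + SYN_TIMEOUT
        return True              # SYN-ACK sent; slot held until the ACK arrives

    def on_ack(self, src_ip, src_port, now):
        self._expire(now)
        if self.half_open.pop((src_ip, src_port), None) is None:
            return False
        self.established += 1
        return True


def syn_cookie(src_ip, src_port, minute):
    """Initial sequence number derived from the peer and a coarse timestamp."""
    msg = f"{src_ip}:{src_port}:{minute}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")


class CookieListener:
    """Answers every SYN but remembers nothing; the client's ACK proves itself."""

    def __init__(self):
        self.established = 0

    def on_syn(self, src_ip, src_port, now):
        return syn_cookie(src_ip, src_port, int(now // 60))   # ISN of the SYN-ACK

    def on_ack(self, src_ip, src_port, ack_num, now):
        # The ACK must carry ISN+1; recompute for this minute and the previous one.
        for minute in (int(now // 60), int(now // 60) - 1):
            if ack_num == (syn_cookie(src_ip, src_port, minute) + 1) & 0xFFFFFFFF:
                self.established += 1
                return True
        return False


def spoofed_flood(listener, count, now):
    """SYNs with forged sources: the SYN-ACKs go to hosts that never reply."""
    for i in range(count):
        listener.on_syn(f"203.0.113.{i}", 40000 + i, now)


def demo_stateful():
    """Returns (refused, legit_ok_during_flood, legit_ok_after_timeout, established)."""
    srv = StatefulListener()
    spoofed_flood(srv, 20, now=0.0)                       # 8 slots taken, 12 SYNs dropped
    during = srv.on_syn("198.51.100.7", 5555, now=1.0)    # legitimate client is refused
    after = srv.on_syn("198.51.100.7", 5555, now=SYN_TIMEOUT + 1)   # slots freed by timeout
    srv.on_ack("198.51.100.7", 5555, now=SYN_TIMEOUT + 1.1)
    return srv.refused, during, after, srv.established


def demo_cookies():
    """Returns (legit_handshake_ok, forged_ack_ok, established) under the same flood."""
    srv = CookieListener()
    spoofed_flood(srv, 20, now=0.0)                       # costs the listener nothing
    isn = srv.on_syn("198.51.100.7", 5555, now=1.0)
    good = srv.on_ack("198.51.100.7", 5555, (isn + 1) & 0xFFFFFFFF, now=1.2)
    forged = srv.on_ack("198.51.100.7", 5555, 0x12345678, now=1.2)
    return good, forged, srv.established


if __name__ == "__main__":
    print("stateful:", demo_stateful())    # (13, False, True, 1)
    print("cookies: ", demo_cookies())     # (True, False, 1)
```

The stateful listener refuses the legitimate client for the whole timeout window once eight forged SYNs are queued; the cookie listener answers every SYN without keeping a slot, so the flood costs it nothing and only an ACK that echoes a valid cookie completes a connection. Real kernels retransmit the SYN-ACK a few times before giving up, which this model omits.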
• Ping of Death
Ping is a program that tests whether a host is reachable by sending an ICMP echo
request and expecting an echo reply (the expansion "Packet Internet Groper" is a
backronym). The Ping of Death sends an echo request larger than the 65,535-byte
maximum an IP datagram is allowed to have; no link carries such a packet whole, so
it arrives as fragments that add up to more than the receiving system's reassembly
buffer was built for. This can result in either a system crash or problems
with network programs running on the targeted computer.
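As an added example (not from the original page), the check a receiving system or filter would make: parse the fragmentation fields of each IPv4 fragment header and flag a set of fragments whose reassembled datagram would exceed the 65,535-byte maximum. The fragment headers are constructed inline; `make_fragment`, `fragment_fields` and the addresses used are this example's own.

```python
"""Added example (not from the page): parse the fragment offset and
more-fragments flag from raw IPv4 headers and detect fragments that would
reassemble past the 65,535-byte limit of the 16-bit total-length field.
All headers are constructed here for illustration."""
import struct

MAX_IP_DATAGRAM = 65535      # largest value the 16-bit total length field can hold
IP_HDR_LEN = 20              # minimal IPv4 header, no options


def make_fragment(offset_units, more_fragments, payload_len):
    """Constructed IPv4 header for one fragment (offset is in 8-byte units)."""
    flags_frag = (0x2000 if more_fragments else 0) | (offset_units & 0x1FFF)
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, IP_HDR_LEN + payload_len, 0x1234, flags_frag,
                       64, 1, 0,                 # TTL, protocol ICMP, checksum not computed
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))


def fragment_fields(header):
    """Return (offset_bytes, more_fragments, payload_len) from a raw IPv4 header."""
    ver_ihl, _, total_len, _, flags_frag = struct.unpack("!BBHHH", header[:8])
    ihl = (ver_ihl & 0x0F) * 4
    return (flags_frag & 0x1FFF) * 8, bool(flags_frag & 0x2000), total_len - ihl


def reassembled_length(headers):
    """Size of the datagram the fragments describe: one header plus the
    farthest byte any fragment writes into the reassembly buffer."""
    end = 0
    for h in headers:
        offset, _, payload_len = fragment_fields(h)
        end = max(end, offset + payload_len)
    return IP_HDR_LEN + end


def is_ping_of_death(headers):
    """True when the fragments would overflow a 65,535-byte reassembly buffer."""
    return reassembled_length(headers) > MAX_IP_DATAGRAM


def normal_ping():
    """A 64-byte echo request: one unfragmented datagram (constructed)."""
    return [make_fragment(0, False, 64)]


def ping_of_death():
    """Fragments of a 1500-byte MTU carry 1480 bytes each (185 offset units).
    Only the farthest fragment matters for the size check, so the middle ones
    are omitted.  The last one sits at the largest encodable offset
    (8191 * 8 = 65528 bytes) and carries more than the 7 bytes that still fit."""
    return [make_fragment(0, True, 1480),
            make_fragment(185, True, 1480),
            make_fragment(8191, False, 100)]


if __name__ == "__main__":
    print(reassembled_length(normal_ping()), is_ping_of_death(normal_ping()))        # 84 False
    print(reassembled_length(ping_of_death()), is_ping_of_death(ping_of_death()))  # 65648 True
```

The 13-bit offset field cannot point past 65,528 bytes, so every individual fragment looks legal on its own; the overflow is visible only when the fragments are considered together, which is why the check is made at reassembly (or in a filter that tracks fragments) rather than per packet.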
• Mail Bombs
Unlike the E-mail virus hoaxes, which claim you can get a virus simply by reading
E-mail, a mail bomb is the sending of very large volumes of mail to a mail server.
Many servers can't handle large volumes of mail, and the result is that legitimate
users are denied service or even lose mail.
• Host System Hogging
One of the oldest methods of attack; basically this involves causing a program
to run on the attacked system, a program that effectively ties up the CPU,
making the system unavailable to other users. When this happens the system becomes
unresponsive, and the operating system may crash and take the system down with it.
Since this type of attack has been around for some time, most operating systems have
safeguards built in, such as per-process limits on CPU time and memory. But, newer
operating systems are sometimes vulnerable (e.g., at this writing, 'hackers' are still
finding holes in NT that, in theory, could be exploited by an ActiveX control or,
perhaps, a Netscape plug-in; as they are found, these holes are being plugged).
• Rogue Applets
These attacks are not directed against a server but against users. Most user operating
systems are not particularly secure, and hostile applets embedded in web pages
have already been published which, when downloaded and run, effectively put
the user's system into an infinite loop that requires a restart to end. This
is why it's very important to browse with automatic running of applets turned
off. If you get to a page that requires an applet and you trust the source, just
change your browser's security level and reload the page (but don't forget to
turn automatic running off again when done).
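The two entries above (host system hogging and rogue applets) both come down to untrusted code that never gives the CPU back. As an added example, not from the original page, here is the kind of safeguard the hogging entry refers to: running a program under a per-process CPU-time limit so a runaway loop is killed instead of taking the machine with it. It uses the POSIX RLIMIT_CPU limit through Python's `resource` module, so it runs on Linux and other Unix systems only; the two child programs are constructed stand-ins.

```python
"""Added example (not from the page): execute an untrusted program in a child
process capped at a few seconds of CPU time.  Unix only (RLIMIT_CPU); the
RUNAWAY and WELL_BEHAVED programs are constructed for illustration."""
import resource
import signal
import subprocess
import sys

RUNAWAY = "while True:\n    pass"                 # constructed: never yields the CPU
WELL_BEHAVED = "print(sum(range(10 ** 5)))"      # constructed: finishes in milliseconds


def run_with_cpu_limit(source, cpu_seconds=1):
    """Run `source` in a child Python interpreter limited to cpu_seconds of CPU.
    Returns the child's exit status: 0 on success, -signal number if killed."""

    def cap():      # runs in the child after fork and before exec
        _, hard = resource.getrlimit(resource.RLIMIT_CPU)
        # never raise an existing hard limit; otherwise allow one extra second
        new_hard = cpu_seconds + 1 if hard == resource.RLIM_INFINITY else min(hard, cpu_seconds + 1)
        resource.setrlimit(resource.RLIMIT_CPU, (min(cpu_seconds, new_hard), new_hard))

    proc = subprocess.run([sys.executable, "-c", source], preexec_fn=cap,
                          capture_output=True, text=True, timeout=120)
    return proc.returncode


def was_killed_for_cpu(returncode):
    """The kernel sends SIGXCPU at the soft limit; SIGKILL if the hard limit is hit."""
    return returncode in (-signal.SIGXCPU, -signal.SIGKILL)


if __name__ == "__main__":
    print("well-behaved exit status:", run_with_cpu_limit(WELL_BEHAVED))   # 0
    rc = run_with_cpu_limit(RUNAWAY)
    print("runaway exit status:", rc, "killed for CPU:", was_killed_for_cpu(rc))
```

The wall-clock `timeout` is a second line of defence: a program that sleeps rather than spins consumes no CPU time and would never trip RLIMIT_CPU, so a practitioner limits both. Memory is the other resource the hogging entry mentions, and RLIMIT_AS bounds it the same way.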
• Accidental Denial-of-Service
The internet is a complicated place, and there is no single, central point of control
for everything. With so many individuals and companies involved, there are bound
to be errors. One happened in 1997 when a corrupted DNS table (the table that
maps domain names to their actual numerical addresses) was released for distribution.
The error was quickly discovered, but it took roughly three hours for the good
table to propagate across the internet and replace the bad one. During this time,
many systems could not be reached because the DNS table contained incorrect information.
Attacks can be sent by an individual or a group, or can be set up to be sent
automatically by programs known as Zombies that have been installed on various
computers in advance of the attack. With Zombies, all the attacker need do is
send a single command and they carry out the attack. This method makes it much
harder to trace the attacker, as the attack traffic itself comes from completely
unrelated computers that may be half a world away.
What Can Be Done?
Often, nothing; particularly as a user (except for applet attacks, which you can
prevent by not letting applets load). If a server you use is attacked, you must wait for the
administrator of that server to take action; and even that is sometimes hard
because it's often difficult to trace where an attack is coming from (it takes
the cooperation of administrators upstream to determine exactly where an
attack originates, and by the time that research can be done the attack is often
over, only to be started again from some other location).
Some specific attacks can be countered by upgrades to the network operating system;
so if you operate a server make certain you have the latest software and know
about all the various patches that have been issued for it relating to security.
The bottom line is, as in all cases of "bad" behavior, the ultimate solution would
be an improvement in the behavior of those who would take servers down just
for the fun of it. Until those morals improve there will always be attacks and
countermeasures. Those in the middle just have to keep up to date.