What does the ICMP flood does as a type of denial of service attack site an example?

What is “denial of service”?

A denial of service occurs when a legitimate user is denied access to a network, system, device, or other resources that they are otherwise authorized to access. That can include their email, e-banking account, public online services, etc.

Denial of service can result from a cyber attack known as a denial of service attack (DoS), whose explicit aim is to achieve this effect.

A denial of service attack is the deliberate flooding of a machine or network with bogus traffic to overwhelm them and make their service unavailable. It can lead to the target server crashing or simply being unable to respond to legitimate requests. 

Denial of service attacks usually do not lead to system compromise, data loss, or theft. However, a DoS attack can cause a significant loss of time and resources to the targeted service since it can last anywhere between a few hours and several months.

Unlike a distributed denial-of-service (DDoS) attack, a DoS attack is executed via a single machine.

How a denial-of-service attack works

The mechanism of a DoS attack is pretty straightforward: it seeks to overwhelm the capacity of the attack target via traffic. The specific way of executing such an attack will depend on the vulnerability of the targeted system. 

For example, one way of doing this is by sending many requests with fabricated return addresses (i.e., they are junk) to a server. This makes it impossible for the server to verify their source. It can lead to a server simply exhausting its RAM or CPU capacity, and crashing. 

A multitude of different DoS attacks exists. Depending on the attack vector, DoS attacks either seek to flood or to crash a system. The three main types of DoS attacks are:

• Application-layer attacks are intended to crash a specific application or service rather than a whole network. It is usually achieved by flooding the app with malicious HTTP requests and making it unable to respond further. Application-layer attacks are measured in requests per second (RPS).
  
• Protocol or network-layer attacks exploit weaknesses in network protocols and procedures by targeting infrastructure and network management tools. They seek to disrupt a whole network instead of a single application. These attacks are measured in packets per second (PPS) or bits per second (BPS).
  
• Volumetric attacks are the most common type of DoS attack. It seeks to overwhelm a target’s bandwidth capacity by flooding it with fake requests. It creates network congestion and makes it impossible for legitimate traffic to pass. The magnitude of these attacks is measured in bits per second (BPS).

How to know if a DoS attack is happening

It may be difficult to spot a DoS attack, as interferences may initially appear non-malicious. You can use several criteria to determine if you are being attacked with a DoS. The three most common symptoms of an attack, according to the United States Computer Emergency Readiness Team (US-CERT), include:

• Prolonged network performance (opening files or accessing websites)
• Unavailability of a particular website, or
• An inability to access any website

Denial of service attack examples

There are many different types of DoS attack techniques. Following are several different examples of how a DoS can be executed, depending on the vulnerability of the target server. Some of them have fallen out of use because their vulnerabilities have been removed, whereas others persist and are being used.

DoS attack: ACK scan, SYN scan, FIN scan

These scan techniques use similar approaches to check whether ports at the attack target are open and can be exploited. They are used to gather information as well as deny service.

For example, the ACK scan technique is used by attackers to gather information about a target’s firewall or Access Control List (ACL) configuration. It features a scan via a packet with an acknowledgment (ACK) flag that seeks to identify hosts or ports that are filtered or cannot be scanned in another way. Attackers watch the response from the router to understand the setup.

The type of information that can be gleaned from this, particularly when combined with an SYN scan, is the target’s type of firewall, its rule-set, and what kind of packets can get through to the host. 

At the same time, while collecting vulnerability information via a scan, the attackers may also flood a router’s open UDP/TCP ports to make it crash. By initiating a connection attempt but not acknowledging the server response from open ports, attackers can keep the ports open and continuously flood the server with new requests (also known as an SYN flood).

DoS attack: Smurf

In a Smurf attack, the malicious party will target a network whose configuration allows packets to be sent to all devices (hosts) on the network at once. That is accomplished by sending Internet Control Message Protocol (ICMP) packets to the IP broadcast address of the network whereby they reach all computers. 

These packets will have as their source address the IP address of the target (i.e., the source address will be fabricated). By default, the devices on the network will then respond to the packets by replying to the spoofed source address. This will be to flood the target machine with traffic and overload it or shut it down completely.

There are few differences between Smurf and what’s known as an ICMP flood or Ping of death. 

DoS attack: SYN flood

An SYN flood, also known as a half-open attack, is a technique that exploits the Transmission Control Protocol (TCP)/IP three-way handshake. During an SYN flood, an attacker repeatedly sends connection requests, i.e., SYN (synchronization) packets, to all ports on a server. Typically, a server then responds with synchronization acknowledged (SYN/ACK) packets from every port that is currently open. If a port is closed, it will respond with a reset (RST) packet. 

Usually, a client responds to the SYN/ACK packet with an acknowledged (ACK) packet during the handshake. This is done to confirm that it has received the server’s SYN/ACK, and then communication between them can commence. 

However, during an SYN flood, attackers use fake IP addresses to send the initial SYN packets. As a result, the server never gets a response to its SYN/ACK packets, and its ports remain open (occupied), and it cannot reset them (hence the name “half-open”). Before the connection attempt times out, further SYN packets are sent to these ports, prompting the server to keep them open and attempt to establish a connection. 

This is because ports are saturated with these requests, leading to a denial of service.

DoS attack: Teardrop

The Teardrop attack exploits a vulnerability associated with older operating systems and TCP/IP implementations. When packets are too large for intermediary systems like routers, the IP specification allows packet fragmentation. Afterward, fragments are reassembled.

However, a TCP/IP fragmentation reassembly bug can be found in many older systems. The bug consists of their inability to reassemble packets whose offset fields overlap. Attackers exploit this bug when launching a Teardrop attack by sending packets with overlapping and oversized payloads, making it impossible for the receiving system to reassemble them and ultimately leading to its crash.

DoS attack: ARP attack

Also known as an ARP spoofing attack, this technique involves sending Address Resolution Protocol (ARP) messages over a network to link the attacker’s MAC address to the IP address of its target (whether a server or gateway, such as a router).

When this is executed successfully, the traffic intended to lead to the target is instead received by the attacker, which leads to a denial of service. This type of attack can only be performed on local area networks that use ARS.

DoS attack: Fraggle attack

The Fraggle attack, also known as a UDP flood, uses the same approach as the Smurf attack by exploiting a vulnerability associated with sending traffic to the IP broadcast address of the target (such as a router). The main difference is that it uses User Datagram Protocol (UDP) traffic to flood a router or server instead of ICMP.

The effect is to spoof the IP address of the source of the request and then direct the traffic from the network back to the router, thereby flooding it.

Both the Fraggle and the Smurf attacks have largely been left behind as routers no longer forward packets sent to their broadcast address.

What is the difference between a DoS attack and a DDoS attack?

The main difference between a DoS and a distributed denial of service (DDoS) attack is the number of systems or devices used. Typically, a DoS attack will have a single IP address as its source. In contrast, a DDoS attack will be launched from multiple addresses synchronized, making it significantly harder to fend off.

In this way, DDoS has several advantages over a DoS attack:

• A more significant number of machines are used to execute the attack.
• Attack sources are dispersed, sometimes even across the globe, making it difficult to detect, contain, and ultimately shut down the attack.
• It is challenging to establish the actual attacker due to the sheer volume of systems involved.

One way of executing a DDoS is through what’s known as a botnet. A botnet is a group of compromised devices connected to the internet and controlled by the attacker. 

Through command and control software, attackers can take over devices with faulty or lacking security and use these to flood the target with requests. This means that the attacker does not need to own all the machines required to launch a DDoS but can take over vulnerable devices and use these.

With the advent of the Internet of Things (IoT), DDoS attacks have become significantly more common and easier to launch because many IoT devices are exposed and easy to take over. In some cases, a botnet comprises hundreds of thousands of devices. 

Due to the effectiveness of these attacks, recent years have seen a proliferation of DoS and DDoS attacks, and even DoS/DDoS as a service offered by hackers. 

How to prevent a denial of service attack

Denial of service attacks cannot be entirely prevented, but there are ways in which you can prepare to reduce their effect. Proactive steps which you can take include:

• Create a DoS response plan that covers all the aspects of handling an attack, including communication, mitigation, and recovery.
  
• Improve your network security and strengthen your overall security posture by installing antivirus and anti-malware software and setting up a firewall that monitors and manages incoming traffic.
  
• Sign up for a DoS protection service (intrusion detection system) that filters and redirects malicious traffic and can spot known attack signatures.
  
• Consider introducing network segmentation to separate systems into separate subnets and avoid flooding the whole network.
  
• Assess your security settings and practices and introduce improvements where necessary.

Video: DoS Attack Explained

FAQ

What is denial-of-service?

Denial of service (DoS) occurs when a service, website, or network is unavailable to its intended users who otherwise have a right to access it. It can be a result of a denial of service attack.

How do denial of service attacks work?

Generally, DoS attacks seek to flood or crash a service through vast amounts of traffic or exploit bug vulnerabilities in the system’s network configuration or infrastructure.

Are DoS attacks dangerous?

While DoS attacks usually can’t lead to data theft or loss (unless they are coupled with other attacks), they can effectively shut down service for hours or even months.

Is a denial of service attack (DoS) the same as distributed denial of service attack (DDoS)?

Both attacks seek to achieve the same goal, but while a DoS only uses one machine (or source), a DDoS harnesses the power of hundreds and thousands of machines to achieve its aims.