CERT FAQ on Denial of Service attacks.
aa308bbdd7a84b75ac107867e1d3be42b7e8b8e32a695161cc3c74c92478cca7<!DOCTYPE HTML PUBLIC "html.dtd">
<HTML>
<HEAD>
<TITLE>CERT/CC Denial of Service</TITLE>
</HEAD>
<BODY>
<BODY BGCOLOR="#FFFFFF" VLINK="#C7AA05" LINK="#004A6B" ALINK="#DDB30B">
<DIV ALIGN="left">
<TABLE WIDTH="100%" CELLSPACING="0" BORDER="0" CELLPADDING="0">
<TR>
<TD WIDTH="50%">
<A HREF="http://www.sei.cmu.edu/"> <IMG SRC="http://www.cert.org/images/cmu_sei.gif" WIDTH="239" HEIGHT="37" ALT="The CERT/CC is
part of the Software Engineering Institute at Carnegie Mellon University" BORDER="0"> </A></TD>
<TD WIDTH="50%" VALIGN="middle" ALIGN="right">
<IMG SRC="http://www.cert.org/images/improvingsecurity.gif" WIDTH="123" ALT="Improving Security" HEIGHT="19" ALIGN="bottom"> </TD>
</TR>
</TABLE>
</DIV>
<DIV ALIGN="left">
<TABLE WIDTH="100%" CELLSPACING="0" BORDER="0" CELLPADDING="0">
<TR>
<TD WIDTH="54">
<IMG SRC="http://www.cert.org/images/invisible.gif" WIDTH="54" ALT="" HEIGHT="1"></TD>
<TD WIDTH="18%">
<A HREF="http://www.cert.org/nav/index.html"><IMG SRC="http://www.cert.org/images/certcc_head.gif" WIDTH="189" ALT="CERT® Coordination Center" HEIGHT="18" BORDER="0"></A></TD>
<TD WIDTH="85%" BGCOLOR="#DCDCDC">
<P ALIGN="left"><SMALL><SMALL><FONT FACE="Helvetica, Geneva, Arial">
<A HREF="http://www.cert.org/index.html">Home</A> |
<A HREF="http://www.cert.org/nav/whatsnew.html">What's New</A> |
<A HREF="http://www.cert.org/faq/cert_faq.html">FAQ</A> |
<A HREF="http://www.cert.org/contents/contents.html">Site Contents</A> |
<A HREF="http://www.cert.org/contact_cert/contactinfo.html">Contact Us</A> |
<B><A HREF="http://search.cert.org:8765/">SEARCH</A></B>
</FONT></SMALL></SMALL></TD>
</TR>
</TABLE>
</DIV>
<DIV ALIGN="left">
<TABLE WIDTH="100%" CELLSPACING="1" BORDER="0" CELLPADDING="5">
<TR>
<TD WIDTH="47">
<IMG SRC="http://www.cert.org/images/invisible.gif" WIDTH="47" ALT="" HEIGHT="1"></TD>
<TD WIDTH="100%" ALIGN="left"><P ALIGN="left">
<FONT SIZE="1" COLOR="#004A6B" FACE="Helvetica, Geneva, Arial">
<A HREF="http://www.cert.org/nav/aboutcert.html">About Us</A> |
<A HREF="http://www.cert.org/nav/alerts.html">Alerts</A> |
<A HREF="http://www.cert.org/nav/training.html">Education and Training</A> |
<A HREF="http://www.cert.org/nav/events.html">Events</A> |
<A HREF="http://www.cert.org/ftp/">FTP Archives</A> |
<A HREF="http://www.cert.org/nav/securityimprovement.html">Improving Security</A> |
<A HREF="http://www.cert.org/nav/other_sources.html">Other Resources</A> |
<A HREF="http://www.cert.org/nav/reports.html">Reports</A> |
<A HREF="http://www.cert.org/research/">Survivability Research</A></FONT></TD>
</TR>
<TR>
<TD WIDTH="47">
<IMG SRC="http://www.cert.org/images/invisible.gif" WIDTH="47" ALT="" HEIGHT="1"></TD>
<TD WIDTH="100%" HEIGHT="12"></TD>
</TR>
</TABLE>
</DIV>
<!-- This section leaves a table definition open. -->
<!-- Each document must close it somewhere else. -->
<DIV ALIGN="left">
<TABLE WIDTH="100%" BORDER="0">
<TR>
<TD WIDTH="47" VALIGN="top">
<IMG SRC="http://www.cert.org/images/invisible.gif" WIDTH="47" ALT="" HEIGHT="1">
</TD>
<!-- This section opens the table cell that contains the gray side bar. -->
<!-- This table cell is closed at the end of sidebar include. -->
<!-- A new table cell is also begun at the end of the sidebar -->
<!-- The table cell, row, and table must be ended in the main document -->
<TD VALIGN="top">
<DIV ALIGN="left">
<TABLE WIDTH="100" HEIGHT="225" ALIGN="left" CELLSPACING="0" BORDER="0" CELLPADDING="7">
<TR>
<TD BGCOLOR="#DCDCDC" VALIGN="top" HEIGHT="175">
<FONT FACE="Helvetica, Geneva, Arial" COLOR="#004A6B"><SMALL><SMALL>
<P><A HREF="http://www.cert.org/incident_notes/">Incident Notes</A>
<P><A HREF="http://www.cert.org/vul_notes/">Vulnerability Notes</A>
<P><A HREF="http://www.cert.org/security-improvement/">Security Improvement Modules</A>
<P><A HREF="http://www.cert.org/tech_tips/">Tech Tips</A>
<P><A HREF="http://www.cert.org/other_sources/tool_sources.html">Sources of Tools</A>
<P><A HREF="http://www.cert.org/nav/training.html">Training</A>
<P><A HREF="http://www.cert.org/nav/alerts.html">Alerts</A>
<P><A HREF="http://www.cert.org/y2k-info">Y2K</A>
</SMALL></SMALL></FONT>
</TD>
<TD WIDTH="3" VALIGN="top" ROWSPAN="2"></TD>
</TR>
<TR>
<TD VALIGN="top" HEIGHT="5"></TD>
</TR>
</TABLE>
</DIV>
<!-- starts new table cell for table begun in titlebar -->
</TD>
<TD WIDTH="100%" VALIGN="top">
<FONT FACE="Helvetica, Geneva, Arial">
<SMALL>
<H2>CERT<SUP>®</SUP> Coordination Center</H2>
<H1>Denial of Service</H1>
<HR NOSHADE SIZE="2" ALIGN="LEFT">
<P>
<OL TYPE="1">
<LI><A HREF="http://www.cert.org/tech_tips/denial_of_service.html#1">Description</A></LI>
<LI><A HREF="http://www.cert.org/tech_tips/denial_of_service.html#2">Impact</A></LI>
<LI><A HREF="http://www.cert.org/tech_tips/denial_of_service.html#3">Modes of Attack</A>
<OL TYPE="A">
<LI><A HREF="http://www.cert.org/tech_tips/denial_of_service.html#3A">Consumption of Scare Resources</A>
<OL TYPE="1">
<LI><A HREF="http://www.cert.org/tech_tips/denial_of_service.html#3A1">Network Connectivity</A></LI>
<LI><A HREF="http://www.cert.org/tech_tips/denial_of_service.html#3A2">Using Your Own Resources Against You</A></LI>
<LI><A HREF="http://www.cert.org/tech_tips/denial_of_service.html#3A3">Bandwidth Consumption</A></LI>
<LI><A HREF="http://www.cert.org/tech_tips/denial_of_service.html#3A4">Consumption of Other Resources</A></LI>
</OL>
<LI><A HREF="http://www.cert.org/tech_tips/denial_of_service.html#3B">Destruction of Alteration of Configuration Information</A></LI>
<LI><A HREF="http://www.cert.org/tech_tips/denial_of_service.html#3C">Physical Destruction or Alteration of Network Components</A></LI>
</OL>
</LI>
<LI><A HREF="http://www.cert.org/tech_tips/denial_of_service.html#4">Prevention and Response</A>
</OL>
<A HREF="http://www.cert.org/tech_tips/denial_of_service.html#history">Revision History</A>
</P>
<HR NOSHADE SIZE="2" ALIGN="LEFT">
<P>
<OL TYPE="1">
<LI><A NAME="1">Description</A>
<P>
This document provides a general overview of attacks in which the
primary goal of the attack is to deny the victim(s) access to a
particular resource. Included is information that may help you respond
to such an attack.
</P>
<P>
A "denial-of-service" attack is characterized by an explicit attempt
by attackers to prevent legitimate users of a service from using that
service. Examples include
<P>
<UL>
<LI>attempts to "flood" a network, thereby preventing legitimate
network traffic
<LI>attempts to disrupt connections between two machines, thereby
preventing access to a service
<LI>attempts to prevent a particular individual from accessing a
service
<LI>attempts to disrupt service to a specific system or person
</UL>
</P>
Not all service outages, even those that result from malicious
activity, are necessarily denial-of-service attacks. Other types of
attack may include a denial of service as a component, but the denial
of service may be part of a larger attack.
</P>
<P>
Illegitimate use of resources may also result in denial of service.
For example, an intruder may use your anonymous ftp area as a place to
store illegal copies of commercial software, consuming disk space and
generating network traffic
</P>
</LI>
<LI><A NAME="2">Impact</A>
<P>
Denial-of-service attacks can essentially disable your computer or your
network. Depending on the nature of your enterprise, this can
effectively disable your organization.
</P>
<P>
Some denial-of-service attacks can be executed with limited resources
against a large, sophisticated site. This type of attack is sometimes
called an "asymmetric attack." For example, an attacker with an old PC
and a slow modem may be able to disable much faster and more
sophisticated machines or networks.
</P>
<LI><A NAME="3">MODES OF ATTACK</A>
<P>
Denial-of-service attacks come in a variety of forms and aim at a
variety of services. There are three basic types of attack:
<P>
<UL>
<LI>consumption of scarce, limited, or non-renewable resources</LI>
<LI>destruction or alteration of configuration information</LI>
<LI>physical destruction or alteration of network components</LI>
</UL>
</P>
<P>
<OL TYPE="A">
<LI><A NAME="3A">Consumption of Scarce Resources</A>
<P>
Computers and networks need certain things to operate: network
bandwidth, memory and disk space, CPU time, data structures,
access to other computers and networks, and certain
environmental resources such as power, cool air, or even water.
<OL TYPE="1">
<LI><A NAME="3A1">Network Connectivity</A>
<P>
Denial-of-service attacks are most frequently executed
against network connectivity. The goal is to prevent
hosts or networks from communicating on the network.
An example of this type of attack is the "SYN flood"
attack described in
<BLOCKQUOTE>
<A HREF="ftp://info.cert.org/pub/cert_advisories/CA-96.21.tcp_syn_flooding">
ftp://info.cert.org/pub/cert_advisories/CA-96.21.tcp_syn_flooding</A>
</BLOCKQUOTE>
In this type of attack, the attacker begins the process
of establishing a connection to the victim machine, but
does it in such a way as to prevent the ultimate
completion of the connection. In the meantime, the
victim machine has reserved one of a limited number of
data structures required to complete the impending
connection. The result is that legitimate connections
are denied while the victim machine is waiting to
complete bogus "half-open" connections.
</P>
<P>
You should note that this type of attack does not
depend on the attacker being able to consume your
network bandwidth. In this case, the intruder is
consuming kernel data structures involved in
establishing a network connection. The implication is
that an intruder can execute this attack from a dial-up
connection against a machine on a very fast network.
(This is a good example of an asymmetric attack.)
</P>
</LI>
<LI><A NAME="3A2">Using Your Own Resources Against You</A>
<P>
An intruder can also use your own resources against you
in unexpected ways. One example is described in
<BLOCKQUOTE>
<A HREF="ftp://info.cert.org/pub/cert_advisories/CA-96.01.UDP_service_denial">
ftp://info.cert.org/pub/cert_advisories/CA-96.01.UDP_service_denial</A>
</BLOCKQUOTE>
In this attack, the intruder uses forged UDP packets to
connect the echo service on one machine to the chargen
service on another machine. The result is that the two
services consume all available network bandwidth
between them. Thus, the network connectivity for all
machines on the same networks as either of the targeted
machines may be affected.
</P>
</LI>
<LI><A NAME="3A3">Bandwidth Consumption</A>
<P>
An intruder may also be able to consume all the
available bandwidth on your network by generating a
large number of packets directed to your network.
Typically, these packets are ICMP ECHO packets, but in
principle they may be anything. Further, the intruder
need not be operating from a single machine; he may be
able to coordinate or co-opt several machines on
different networks to achieve the same effect.
</P>
</LI>
<LI><A NAME="3A4">Consumption of Other Resources</A>
<P>
In addition to network bandwidth, intruders may be able
to consume other resources that your systems need in
order to operate. For example, in many systems, a
limited number of data structures are available to hold
process information (process identifiers, process table
entries, process slots, etc.). An intruder may be able
to consume these data structures by writing a simple
program or script that does nothing but repeatedly
create copies of itself. Many modern operating systems
have quota facilities to protect against this problem,
but not all do. Further, even if the process table is
not filled, the CPU may be consumed by a large number
of processes and the associated time spent switching
between processes. Consult your operating system vendor
or operating system manuals for details on available
quota facilities for your system.
</P>
<P>
An intruder may also attempt to consume disk space in
other ways, including
<UL>
<LI>generating excessive numbers of mail messages.
For more information, please see
<BLOCKQUOTE>
<A HREF="ftp://info.cert.org/pub/tech_tips/email_bombing_spamming">
ftp://info.cert.org/pub/tech_tips/email_bombing_spamming</A>
</BLOCKQUOTE>
</LI>
<LI>intentionally generating errors that must be
logged
</LI>
<LI>placing files in anonymous ftp areas or network
shares, For information on proper configuration
for anonymous ftp, please see
<BLOCKQUOTE>
<A HRE="ftp://info.cert.org/pub/tech_tips/anonymous_ftp_config">
ftp://info.cert.org/pub/tech_tips/anonymous_ftp_config</A>
</BLOCKQUOTE>
</LI>
</UL>
In general, anything that allows data to be written to
disk can be used to execute a denial-of-service attack
if there are no bounds on the amount of data that can
be written.
</P>
<P>
Also, many sites have schemes in place to "lockout" an
account after a certain number of failed login attempts.
A typical set up locks out an account after 3 or 5
failed login attempts. An intruder may be able to use
this scheme to prevent legitimate users from logging
in. In some cases, even the privileged accounts, such
as root or administrator, may be subject to this type
of attack. Be sure you have a method to gain access to
the systems under emergency circumstances. Consult your
operating system vendor or your operating systems
manual for details on lockout facilities and emergency
entry procedures.
</P>
<P>
An intruder may be able to cause your systems to crash
or become unstable by sending unexpected data over the
network. An example of such an attack is described in
<BLOCKQUOTE>
<A HREF="ftp://info.cert.org/pub/cert_advisories/CA-96.26.ping">
ftp://info.cert.org/pub/cert_advisories/CA-96.26.ping</A>
</BLOCKQUOTE>
If your systems are experiencing frequent crashes with
no apparent cause, it could be the result of this type
of attack.
</P>
<P>
There are other things that may be vulnerable to denial
of service that you may wish to monitor. These include
<P>
<UL>
<LI>printers</LI>
<LI>tape devices</LI>
<LI>network connections</LI>
<LI>other limited resources important to the
operation of your organization</LI>
</UL>
</P>
</P>
</LI>
</OL>
</P>
</LI>
<LI><A NAME="3B">Destruction or Alteration of Configuration
Information</A>
<P>
An improperly configured computer may not perform well or may
not operate at all. An intruder may be able to alter or destroy
configuration information that prevents you from using your
computer or network.
</P>
<P>
For example, if an intruder can change the routing information
in your routers, your network may be disabled. If an intruder
is able to modify the registry on a Windows NT machine, certain
functions may be unavailable.
</P>
<P>
For information on configuring UNIX machines, see
<BLOCKQUOTE>
<A HREF="ftp://info.cert.org/pub/tech_tips/UNIX_configuration_guidelines">
ftp://info.cert.org/pub/tech_tips/UNIX_configuration_guidelines</A>
</BLOCKQUOTE>
For information on configuring Microsoft Windows NT machines,
please see
<BLOCKQUOTE>
<A HREF="http://www.microsoft.com/security/">
http://www.microsoft.com/security/</A>
</BLOCKQUOTE>
</P>
</LI>
<LI><A NAME="3C">Physical Destruction or Alteration of Network
Components</A>
<P>
The primary concern with this type of attack is physical
security. You should guard against unauthorized access to
computers, routers, network wiring closets, network backbone
segments, power and cooling stations, and any other critical
components of your network.
</P>
<P>
Physical security is a prime component in guarding against many
types of attacks in addition to denial of service. For
information on securing the physical components of your
network, we encourage you to consult local or national law
enforcement agencies or private security companies.
</P>
</LI>
</OL>
</P>
</LI>
<LI><A NAME="4">Prevention and Response</A>
<P>
Denial-of-service attacks can result in significant loss of time and
money for many organizations. We strongly encourage sites to consider
the extent to which their organization could afford a significant
service outage and to take steps commensurate with the risk.
</P>
<P>
We encourage you to consider the following options with respect to your
needs:
<P>
<UL>
<LI>Implement router filters as described in Appendix A of
CA-96.21.tcp_syn_flooding, referenced above. This will lessen
your exposure to certain denial-of-service attacks.
Additionally, it will aid in preventing users on your network
from effectively launching certain denial-of-service attacks.
</LI>
<LI>If they are available for your system, install patches to guard
against TCP SYN flooding as described in
CA-96.21.tcp_syn_flooding, referenced above. This will
substantially reduce your exposure to these attacks but may
not eliminate the risk entirely.
</LI>
<LI>Disable any unused or unneeded network services. This can limit
the ability of an intruder to take advantage of those services
to execute a denial-of-service attack.
</LI>
<LI>Enable quota systems on your operating system if they are
available. For example, if your operating system supports disk
quotas, enable them for all accounts, especially accounts that
operate network services. In addition, if your operating system
supports partitions or volumes (i.e., separately mounted file
systems with independent attributes) consider partitioning your
file system so as to separate critical functions from other
activity.
</LI>
<LI>Observe your system performance and establish baselines for
ordinary activity. Use the baseline to gauge unusual levels of
disk activity, CPU usage, or network traffic.
</LI>
<LI>Routinely examine your physical security with respect to your
current needs. Consider servers, routers, unattended terminals,
network access points, wiring closets, environmental systems
such as air and power, and other components of your system.
</LI>
<LI>Use Tripwire or a similar tool to detect changes in
configuration information or other files. For more information,
see
<BLOCKQUOTE>
<A HREF="ftp://info.cert.org/pub/tech_tips/security_tools">
ftp://info.cert.org/pub/tech_tips/security_tools</A>
</BLOCKQUOTE>
</LI>
<LI>Invest in and maintain "hot spares" - machines that can be
placed into service quickly in the event that a similar machine
is disabled.
</LI>
<LI>Invest in redundant and fault-tolerant network configurations.
</LI>
<LI>Establish and maintain regular backup schedules and policies,
particularly for important configuration information.
</LI>
<LI>Establish and maintain appropriate password policies,
especially access to highly privileged accounts such as UNIX
root or Microsoft Windows NT Administrator.
</LI>
</UL>
</P>
<P>
Many organizations can suffer financial loss as a result of a
denial-of-service attack and may wish to pursue criminal or civil
charges against the intruder. For legal advice, we recommend that you
consult with your legal counsel and law enforcement.
</P>
<P>
U.S. sites interested in an investigation of a denial-of-service attack
can contact their local FBI field office for guidance and information.
For contact information for your local FBI field office, please consult
your local telephone directory or see the FBI's field offices web page:
<BLOCKQUOTE>
<A HREF="http://www.fbi.gov/fo/fo.htm">
http://www.fbi.gov/fo/fo.htm</A>
</BLOCKQUOTE>
For more information, please see the web page of the FBI National
Computer Crime Squad (NCCS):
<BLOCKQUOTE>
<A HREF="http://www.fbi.gov/programs/nccs/compcrim.htm">
http://www.fbi.gov/programs/nccs/compcrim.htm</A>
</BLOCKQUOTE>
Non-U.S. sites may want to discuss the activity with their local law
enforcement agency to determine the appropriate steps that should be
taken with regard to pursuing an investigation.
</P>
<P>
If you are interested in determining the source of certain types of
denial-of-service attack, it may require the cooperation of your
network service provider and the administration of the networks
involved. Tracking an intruder this way may not always be possible. If
you are interested in trying do to so, contact your service provider
directly. The CERT(*) Coordination Center is not able to provide this
type of assistance. We do encourage you to report your experiences,
however. This helps us understand the nature and scope of security
incidents on the Internet, and we may be able to relate your report to
other activity that has been reported to us.
</P>
</LI>
</OL>
</P>
<HR WIDTH="100%" NOSHADE>
This document is available from:
<A HREF="http://www.cert.org/tech_tips/denial_of_service.html">
http://www.cert.org/tech_tips/denial_of_service.html</A>
<HR WIDTH="100%" NOSHADE>
<H2>CERT/CC Contact Information</H2>
<DL>
<B>Email:</B> <A HREF="mailto:cert@cert.org">cert@cert.org</A><BR>
<B>Phone:</B> +1 412-268-7090 (24-hour hotline)<BR>
<B>Fax:</B> +1 412-268-6989<BR>
<B>Postal address:</B><BR>
<DD>
CERT<SUP>®</SUP> Coordination Center<BR>
Software Engineering Institute<BR>
Carnegie Mellon University<BR>
Pittsburgh PA 15213-3890<BR>
U.S.A.<BR>
</DL>
CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other
hours, on U.S. holidays, and on weekends.
<P>
<H4>Using encryption</H4>
<P>We strongly urge you to encrypt sensitive information sent by
email. Our public PGP key is available from<P>
<UL>
<A HREF="http://www.cert.org/CERT_PGP.key">http://www.cert.org/CERT_PGP.key</A>
</UL>
If you prefer to use DES, please call the CERT hotline for more
information.<P>
<H4>Getting security information</H4>
CERT publications and other security information are available from
our web site<P>
<UL>
<A HREF="http://www.cert.org/">http://www.cert.org/</A>
</UL>
To be added to our mailing list for advisories and bulletins, send email to
<A HREF="mailto:cert-advisory-request@cert.org">
cert-advisory-request@cert.org</A> and include <TT>SUBSCRIBE
your-email-address</TT> in the subject of your message.
<P>
Copyright 1999 Carnegie Mellon University.<BR>
Conditions for use, disclaimers, and sponsorship information can be found in<P>
<UL>
<A HREF="http://www.cert.org/legal_stuff.html">http://www.cert.org/legal_stuff.html</A>
</UL>
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
<HR WIDTH="100%" NOSHADE>
<B><U>NO WARRANTY</U></B><BR>
<B>Any material furnished by Carnegie Mellon University and the
Software Engineering Institute is furnished on an "as is"
basis. Carnegie Mellon University makes no warranties of any kind,
either expressed or implied as to any matter including, but not
limited to, warranty of fitness for a particular purpose or
merchantability, exclusivity or results obtained from use of the
material. Carnegie Mellon University does not make any warranty of any
kind with respect to freedom from patent, trademark, or copyright
infringement.</B>
<HR NOSHADE SIZE="2" ALIGN="LEFT">
<TABLE>
<A NAME="history">
<TR>
<TD>
<FONT SIZE="3" FACE="Helvetica, Geneva, Arial">
Revision History
</TD>
</TR>
<TR>
<TD WIDTH="30%" VALIGN="TOP">
<FONT SIZE="2" FACE="Helvetica, Geneva, Arial">
Oct 02, 1997<BR>
Feb 12, 1999<BR>
</TD>
<TD WIDTH="70%" VALIGN="TOP">
<FONT SIZE="2" FACE="Helvetica, Geneva, Arial">
Initial Release<BR>
Converted to new web format<BR>
</TD>
</TR>
</SMALL>
</TABLE>
<HR NOSHADE SIZE="2" ALIGN="LEFT">
<TABLE WIDTH="100%" HEIGHT="50%">
<TR>
<TD WIDTH="100%" VALIGN="TOP">
</TD>
</TR>
</TABLE>
</TD>
</TR>
</TABLE>
</DIV>
</BODY>
</HTML>
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed