
Security Dose: Denial-of-Service Attack


In a normal scenario, a business application is deployed to serve its users: internal users, who access the application from the internal network, and external users, who access it from the Internet. In a TCP/IP network, when a user wants to access an application, the user establishes a TCP session with, say, a Web server (the front end where the user interacts with the application), and data is sent and received.

When the job is completed, the TCP session is disconnected. If all users behave nicely and conduct legitimate transactions, the application servers are not overloaded and meet the end-user requirements.

Figure 1: TCP SYN Flooding DoS Attack!

Let’s make this scenario a bit more complex: a malicious user finds a way to open a fake connection to the corporate application server. The communication starts with a malicious SYN packet to the server in which the source address is replaced with a fake IP address. The server has no reason not to open a TCP session for this request, so it responds to the source with a SYN-ACK.

No genuine source exists on the network to answer the SYN-ACK with an ACK, so a half-open connection sits in the connection table maintained by the server and remains there until it times out or an administrator removes it.

During this time frame, the attacker can try to open hundreds or thousands of such connections and eventually fill the connection table. At this point, the server is no longer able to maintain connections with legitimate users, so the application is inaccessible.
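A defender can watch the connection table for exactly this build-up. The following is an added example, not part of the original article: it parses a connection table in the Linux `/proc/net/tcp` layout and reports listening ports with many entries stuck in the half-open `SYN_RECV` state. The sample table is constructed, the alert threshold is an assumed value, and the address decoding assumes a little-endian host.

```python
import socket
from collections import defaultdict

SYN_RECV = "03"  # kernel state code: SYN-ACK sent, final ACK never received

def decode_addr(field):
    """'0A00000A:0050' -> ('10.0.0.10', 80). IPv4 bytes are little-endian hex
    (assumption: table was read on a little-endian host such as x86)."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(bytes.fromhex(ip_hex)[::-1])
    return ip, int(port_hex, 16)

def half_open(table_text):
    """Map local port -> list of remote IPs whose handshake is half open."""
    pending = defaultdict(list)
    for line in table_text.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 4 or fields[3] != SYN_RECV:
            continue
        _, local_port = decode_addr(fields[1])
        remote_ip, _ = decode_addr(fields[2])
        pending[local_port].append(remote_ip)
    return dict(pending)

def flood_suspects(table_text, threshold):
    """Ports whose half-open count reaches the (assumed) alert threshold."""
    counts = {port: len(ips) for port, ips in half_open(table_text).items()}
    return {port: n for port, n in counts.items() if n >= threshold}

def _row(n, local, remote, state):
    # Helper that builds one constructed table row; only the first four
    # columns matter to the parser above.
    return f"{n:4d}: {local} {remote} {state} 00000000:00000000 00:00000000 00000000     0        0 0"

# Constructed sample: one listener, one established client, and six
# half-open entries from documentation-range addresses (203.0.113.0/24).
SAMPLE = "\n".join(
    ["  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode",
     _row(0, "0A00000A:0050", "00000000:0000", "0A"),
     _row(1, "0A00000A:0050", "076433C6:D431", "01")]
    + [_row(i + 2, "0A00000A:0050", f"{i + 1:02X}7100CB:{0xC000 + i:04X}", SYN_RECV)
       for i in range(6)]
)

if __name__ == "__main__":
    print(flood_suspects(SAMPLE, threshold=5))
```

On a live Linux host the same functions can be given the contents of `/proc/net/tcp`; a count that keeps climbing with no matching rise in established sessions is the signature described above.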

The idea here is to halt operations by depleting a system resource so that services become unavailable. This type of attack is called a Denial-of-Service (DoS) attack: the services are unavailable and there is business impact. A DoS attack can use a TCP SYN flood [as explained in this example], ICMP echo packets, a UDP packet flood, etc.

A DoS attack is not limited to the simple form explained above; it can be more complex, with multiple other systems involved. Let’s say there is a controller sitting on the Internet and there are multiple systems that are infected with malicious code or malware.

These infected systems are called bots. They appear normal; however, a remote controller system controls these bots and commands them to initiate a DoS attack against the server. This type of attack is called a Distributed Denial-of-Service (DDoS) attack because the attack is distributed across the bots, all flooding the server and impacting its services.

Hope you find this informative!  
