Cyber Crime Branch Advisory
Denial of Service Tools
Denial-of-service (DoS) attacks are launched to make a particular service unavailable to the people who are authorized to use it. They may be launched from a single computer or from many computers around the world; in the latter case the attack is known as a distributed denial-of-service (DDoS) attack. Usually these attacks do not require the attacker to gain access to the victim's system at all.
These attacks have become decidedly more popular as more people realize the magnitude of the loss that can be caused through them.
Why would an attacker resort to a DoS attack? He may have installed a Trojan on the victim's computer that only becomes active after a reboot, and crashing the machine forces that reboot. Another common reason is that a business wants to harm a competitor by taking the competitor's systems offline.
Denial-of-service attacks have an impressive history: in the past they have knocked out websites such as Amazon, CNN, Yahoo and eBay. The attack works by sending the victim's computer(s) more requests than their servers can handle, so that the servers slow to a halt or crash. Often many computers are recruited into the attack by installing a Trojan on them, taking control of them and then making them send streams of requests to the targeted computer.
On the other side, the victim of such an attack sees a flood of requests (sometimes tens of thousands of them) coming from computers around the world. Stopping a distributed attack at its source requires tracing every computer involved and informing its owner, who then has to shut the compromised system down or clean it. This process sounds simple, but it is very difficult to carry out across organizational borders, let alone national ones.
Even when the source(s) of the attack are traced, the victim still faces many problems. He will need to inform every organization in control of the attacking computers and ask them to either clean the systems or shut them down. Across international boundaries this can be a titanic task. The staff of the organization may not speak the victim's language, and they may not be present at all if the attack is launched at night or over a weekend.
The computers that would have to be shut down may be vital to that organization's own operations, and the staff may not have the authority to shut them down. The staff may not understand the attack, system administration, the network topology, or any number of other things that can delay or prevent the attacking computer(s) from being taken offline. Or, more simply, the organization may not want to help.
If hundreds or even thousands of computers are taking part in the attack, each with problems like the ones mentioned above, the victim may be unable to stop the attack for days, by which time the damage has been done. His servers, unable to cope with so many requests, will have been overwhelmed and knocked offline.
It is very simple for anyone to launch an attack, because denial-of-service tools can easily be downloaded from the Net. The best-known distributed denial-of-service tools are Trinoo (or trin00), TFN, TFN2K and Stacheldraht. These tools let the attacker automate and preset the timing and frequency of attacks, so that an attack is launched, stopped, and launched again later. This intermittent pattern makes tracing the source of the attack considerably harder.
These tools also let the attacking computer change its source address at random (source address spoofing), so that the attack appears to originate from many thousands of computers when in reality there may be only a few. Distributed denial-of-service attacks are a very troubling problem for law enforcement agencies, mainly because they are so difficult to trace. In addition, these attacks are often directed at very sensitive systems or networks, sometimes even ones that are vital to national security. And even when the perpetrators can be traced, international extradition law may stand in the way of bringing them to justice.
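The two passages above describe what the victim sees (a flood of requests from many addresses) and why counting requests per source is not enough once the sources are spread out or spoofed. The following is an added example, not code from the advisory or from any of the tools it names: it parses web-server log lines in Common Log Format and runs two sliding-window detectors over them, one keyed on the source address and one on all traffic together. The log lines, the addresses, the thresholds and the window size are constructed for the example.

```python
"""Request-flood detection over web-server log lines: per-source and aggregate sliding windows."""
from __future__ import annotations
from collections import defaultdict, deque
from datetime import datetime, timezone
import re

# Common Log Format, e.g.: 203.0.113.7 - - [10/Oct/2000:13:55:36 +0000] "GET / HTTP/1.0" 200 512
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_line(line: str) -> tuple[float, str]:
    """Return (epoch seconds, source address) for one CLF line; raise ValueError if malformed."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return ts, m["src"]


def sliding_window_alerts(events, key_fn, window_s: float, threshold: int) -> dict[str, float]:
    """For each key, record the first timestamp at which `threshold` events fall within the
    trailing `window_s` seconds. Events need not arrive in order; they are sorted first."""
    recent: dict[str, deque] = defaultdict(deque)
    first_alert: dict[str, float] = {}
    for ts, src in sorted(events):
        key = key_fn(src)
        q = recent[key]
        q.append(ts)
        while q[0] <= ts - window_s:          # evict events that have fallen out of the window
            q.popleft()
        if len(q) >= threshold and key not in first_alert:
            first_alert[key] = ts
    return first_alert


BASE = 971186100  # 2000-10-10 13:55:00 UTC; an arbitrary start time for the constructed log


def constructed_log(base: int = BASE) -> list[str]:
    """Synthetic log (constructed for this example): steady baseline traffic, one burst from a
    single host, then a burst spread over many distinct sources, which is how a distributed
    or address-spoofing flood appears to the victim."""
    def line(ts: int, src: str) -> str:
        stamp = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{src} - - [{stamp}] "GET /index.html HTTP/1.0" 200 2048'

    lines = []
    for n in range(5):                                   # 5 ordinary clients, one request every 2 s
        for t in range(0, 60, 2):
            lines.append(line(base + t, f"198.51.100.{n + 1}"))
    for i in range(100):                                 # one host sends 100 requests in 5 s
        lines.append(line(base + 20 + i // 20, "203.0.113.7"))
    for i in range(400):                                 # 400 sources, one request each, within 10 s
        lines.append(line(base + 40 + i // 40, f"10.{i // 256}.{i % 256}.1"))
    return lines


def analyse(lines) -> tuple[dict[str, float], dict[str, float]]:
    """Run both detectors: per source (50 requests in 10 s) and in aggregate (300 in 10 s)."""
    events = [parse_line(l) for l in lines]
    per_source = sliding_window_alerts(events, lambda s: s, window_s=10, threshold=50)
    aggregate = sliding_window_alerts(events, lambda s: "all-sources", window_s=10, threshold=300)
    return per_source, aggregate


if __name__ == "__main__":
    per_source, aggregate = analyse(constructed_log())
    print("per-source alerts:", per_source)    # only the single noisy host, 203.0.113.7
    print("aggregate alerts: ", aggregate)     # fires during the distributed burst, not the single-host one
```

The per-source detector catches the single noisy host but is blind to the distributed burst, where no address sends more than one request; the aggregate detector catches the distributed burst. In practice both are needed, and when the source addresses are spoofed the per-source view is also the one an attacker can manipulate to get innocent addresses blocked.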
Other types of DoS attack are the Ping of Death and the SYN attack (SYN flood). In a Ping of Death the attacker sends an oversized Internet Control Message Protocol (ICMP) echo request. Because it is too large for the network to carry in one piece, the receiving computer gets it as a series of IP fragments and tries to reassemble them. The reassembled packet exceeds the 65,535-byte maximum size of an IP datagram, so it overflows the buffer set aside for it. The consequences may be anything from reboots to system hangs.
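The size check that a patched IP stack (or an intrusion detection sensor) applies to the Ping of Death follows directly from the description above: the end of any fragment, plus the IP header, must not exceed 65,535 bytes, and that can be decided fragment by fragment without ever reassembling the datagram. The following is an added example written for this page, not code from the advisory; the fragment layout, the 20-byte header (no IP options) and the 1500-byte MTU are assumptions made for the example.

```python
"""Spotting a Ping of Death from individual IP fragments, before any reassembly is attempted."""
from __future__ import annotations
from dataclasses import dataclass

IP_HEADER_LEN = 20       # IPv4 header without options (assumption for this example)
MAX_IP_DATAGRAM = 65535  # largest value the 16-bit Total Length field can express
MAX_FRAG_OFFSET = 8191   # largest value of the 13-bit Fragment Offset field (units of 8 bytes)
ICMP_HEADER_LEN = 8      # ICMP echo header that precedes the ping payload


@dataclass(frozen=True)
class Fragment:
    """The fields of one IP fragment that matter for the size check."""
    offset: int     # Fragment Offset field, in 8-byte units
    data_len: int   # bytes of payload carried by this fragment
    more: bool      # More Fragments flag

    def __post_init__(self):
        if not 0 <= self.offset <= MAX_FRAG_OFFSET:
            raise ValueError(f"fragment offset {self.offset} does not fit in 13 bits")

    def end(self) -> int:
        """Position in the reassembled payload at which this fragment's data ends."""
        return self.offset * 8 + self.data_len


def fragment(payload_len: int, mtu: int = 1500) -> list[Fragment]:
    """Split an IP payload the way a sender would for the given link MTU."""
    per_frag = (mtu - IP_HEADER_LEN) // 8 * 8   # every fragment but the last carries a multiple of 8 bytes
    frags, pos = [], 0
    while pos < payload_len:
        n = min(per_frag, payload_len - pos)
        frags.append(Fragment(offset=pos // 8, data_len=n, more=pos + n < payload_len))
        pos += n
    return frags


def ping_fragments(icmp_data_len: int, mtu: int = 1500) -> list[Fragment]:
    """The fragments an ICMP echo request carrying icmp_data_len bytes of data arrives as."""
    return fragment(ICMP_HEADER_LEN + icmp_data_len, mtu)


def reassembled_length(frags: list[Fragment]) -> int:
    """Size of the datagram that reassembling these fragments would produce."""
    return IP_HEADER_LEN + max(f.end() for f in frags)


def is_ping_of_death(frags: list[Fragment]) -> bool:
    """True if any single fragment would push the reassembled datagram past 65,535 bytes.

    The test looks at one fragment at a time, so it fires on the first offending fragment
    to arrive and never has to buffer the whole datagram. A vulnerable stack did the
    opposite: it copied each fragment into a fixed buffer first and checked nothing.
    """
    return any(IP_HEADER_LEN + f.end() > MAX_IP_DATAGRAM for f in frags)


if __name__ == "__main__":
    normal = ping_fragments(64000)   # a large but legal ping
    poison = ping_fragments(65510)   # the classic oversized ping: 8 + 65510 + 20 = 65538 bytes
    print(len(normal), reassembled_length(normal), is_ping_of_death(normal))   # 44 64028 False
    print(len(poison), reassembled_length(poison), is_ping_of_death(poison))   # 45 65538 True
```

Note that the attacker does not even have to send the whole series: a single fragment with a large offset is enough to trip the check, which is why it is applied per fragment rather than to the completed datagram.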
The SYN attack, on the other hand, abuses the three-way handshake with which a TCP connection is opened. First the client sends a SYN packet to the server. The server responds with a SYN-ACK and sets aside a half-open connection entry while it waits for the reply. Only when the client answers that SYN-ACK with an ACK does the client-server conversation really start. In a SYN attack the attacker sends a steady stream of SYN packets, usually with spoofed source addresses, and never completes the handshake. Each half-open entry is held until it times out, so the server's table of pending connections fills up and it can no longer accept connections from legitimate clients; on some systems the server may crash outright. What one must remember is that "Denial of Service" is a generic term for a type of attack that can take many forms. The Melissa virus came to be called a denial-of-service attack because it clogged networks and mail servers with the e-mail it generated.
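The handshake and the SYN attack described above, as an added example that is not part of the advisory: a toy model of the server side of the TCP handshake with a bounded table of half-open connections, an attacker that sends SYNs from distinct spoofed sources and never ACKs, and a legitimate client that is refused while the table is full. The backlog size, the timeout and all addresses are assumptions made for the example.

```python
"""Toy model of the server side of the TCP three-way handshake under a SYN flood."""
from __future__ import annotations
from typing import Tuple

Peer = Tuple[str, int]   # (source address, source port)


class Listener:
    """Server-side handshake state: a bounded table of half-open (SYN received, ACK awaited) entries."""

    def __init__(self, backlog: int = 128, syn_timeout: float = 60.0):
        self.backlog = backlog                        # how many half-open entries the listener will hold
        self.syn_timeout = syn_timeout                # seconds a half-open entry is kept before it is discarded
        self.half_open: dict[Peer, float] = {}        # peer -> time at which its entry expires
        self.established: set[Peer] = set()
        self.dropped_syns = 0
        self.clock = 0.0

    def tick(self, seconds: float) -> None:
        """Advance time and expire stale half-open entries, as the stack's retransmit timer would."""
        self.clock += seconds
        self.half_open = {p: t for p, t in self.half_open.items() if t > self.clock}

    def on_syn(self, peer: Peer) -> bool:
        """Handle a SYN. Return True if a SYN-ACK is sent, False if the SYN has to be dropped."""
        if peer in self.half_open:                    # retransmitted SYN: the slot is already reserved
            return True
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1                    # table full: this is the denial of service
            return False
        self.half_open[peer] = self.clock + self.syn_timeout
        return True

    def on_ack(self, peer: Peer) -> bool:
        """Handle the third segment of the handshake. Return True if the connection is now established."""
        if peer not in self.half_open:
            return False
        del self.half_open[peer]
        self.established.add(peer)
        return True


def syn_flood(listener: Listener, count: int) -> None:
    """Attacker's side: SYNs from `count` distinct (spoofed) sources, and never the final ACK."""
    for i in range(count):
        listener.on_syn((f"10.{i // 256}.{i % 256}.1", 50000 + i))


def demo() -> tuple[bool, bool, bool, int]:
    """Returns (handshake ok before flood, client refused during flood, ok after timeout, SYNs dropped)."""
    srv = Listener(backlog=128, syn_timeout=60)
    alice, bob = ("192.0.2.10", 40000), ("192.0.2.11", 40001)
    before = srv.on_syn(alice) and srv.on_ack(alice)  # a normal handshake completes
    syn_flood(srv, 200)                               # more SYNs than the backlog can hold: 72 are dropped
    refused = not srv.on_syn(bob)                     # a legitimate SYN is now dropped as well
    srv.tick(61)                                      # the flood's entries time out
    after = srv.on_syn(bob)                           # and service resumes
    return before, refused, after, srv.dropped_syns


if __name__ == "__main__":
    print(demo())   # (True, True, True, 73)
```

The resource being exhausted is the half-open table, not bandwidth: the spoofed sources never answer, so nothing frees an entry except the timeout, and the attacker only has to keep sending SYNs faster than entries expire. SYN cookies, which let a server accept the final ACK without having kept any per-connection state, defeat this particular attack for that reason.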