Crime Branch Advisory
The Nigerian Scam
Denial of Service Tools
(or DoS) attacks are usually launched to make a particular service
unavailable to someone who is authorized to use it. These attacks
may be launched using one single computer or many computers across
the world. In the latter scenario, the attack is known as a distributed
denial of service attack. Usually these attacks do not necessitate
the need to get access into anyone's system.
These attacks have been getting decidedly
more popular as more and more people realize the amount and magnitude
of loss, which can be caused through them.
What are the reasons that a hacker
may want to resort to a DoS attack? He may have installed a Trojan
in the victim's computer but needed to have the computer restarted
to activate the Trojan. The other good reason also may be that a
business may want to harm a competitor by crashing his systems.
Denial-of-service attacks have had
an impressive history having, in the past, blocked out websites
like Amazon, CNN, Yahoo and eBay. The attack is initiated by sending
excessive demands to the victim's computer(s), exceeding the limit
that the victim's servers can support and making the servers crash.
Sometimes, many computers are entrenched in this process by installing
a Trojan on them; taking control of them and then making them send
numerous demands to the targeted computer.
On the other side, the victim of
such an attack may see many such demands (sometimes even numbering
tens of thousands) coming from computers from around the world.
Unfortunately, to be able to gain control over a malicious denial-of-service
attack would require tracing all the computers involved in the attack
and then informing the owners of those systems about the attack.
The compromised system would need to be shut down or then cleaned.
This process, which sounds fairly simple, may prove very difficult
to achieve across national and later organizational borders.
Even when the source(s) of the attack
are traced there are many problems, which the victim may be faced
with. He will need to inform all the involved organizations in control
of the attacking computers and ask them to either clean the systems
or shut them down. Across international boundaries this may prove
to be a titanic task. The staff of the organization may not understand
the language. They may not be present if the attack were to be launched
during the night or during weekends.
The computers that may have to be
shut down may be vital for their processes and the staff may not
have the authority to shut them down. The staff may not understand
the attack, system administration, network topology, or any number
of things that may delay or halt shutting down the attacking computer(s).
Or, more simply, the organization may not have the desire to help.
there are hundreds or even thousands of computers on the attack,
with problems like the ones mentioned above, the victim may not
be able to stop the attack for days by which time the damage would
have been done. His servers would be completely incapacitated to
administer to so many demands and consequently would crash.
It is very simple for anyone to launch
an attack because denial-of-service tools can easily be procured
from the Net. The major versions of distributed denial of service
attack tools are Trinoo (or trin00), TFN, TFN2K and Stacheldraht.
Denial-of-Service tools allow the attackers to automate and preset
the times and frequencies of such attacks so that the attack is
launched and then stopped to be launched once again later. This
makes it very difficult, in fact almost impossible, to trace the
source of the attack.
These tools also provide another
service by which the attacking computer can change its source address
randomly thereby making it seem as if the attack is originating
from many thousands of computers while in reality there may be only
a few. Distributed denial-of-service attacks are a very perturbing
problem for law enforcement agencies mainly because they are very
difficult to trace. In addition, usually these attacks are directed
towards very sensitive systems or networks sometimes even those
that are vital to national security. Sometimes, even when the perpetrators
can be traced, international extradition laws may prove to be a
hitch in bringing them under the authority of the law.
The other types of DoS attacks are
Ping of Death and SYN attacks. A Ping of Death attack involves a
very large Internet Control Messaging Protocol (ICMP) packet and
the receiving computer gets it in the form of data packets. Then
it tries to reassemble it. When reassembled the packet proves to
be too large for the buffers and overflows it. The consequences
may be anything from reboots to system hangs.
The SYN attack on the other hand
involves the three-way handshake of the TCP/IP protocol. First the
client sends a SYN packet to the server. Then the server responds
with a SYN-ACK. When the client responds to this, only then does
the client-server conversation really start. Now in a SYN attack
the client does not respond to the SYN-ACK. It waits till just before
the service time expires and then sends another request. This way
the server machine remains engaged. The above given process keeps
on getting repeated till the server machine crashes. What one must
remember is that "Denial of Service" is a generic term
for a type of attack, which can take many forms. The Melissa virus
came to be called a denial of service attack because it clogged
networks and servers with the e-mail it generated.