destination host keeps track of connections waiting to be completed. This queue typically empties quickly, within a few milliseconds of the SYN/ACK being sent. A TCP SYN attack exploits this design by having an attacking host generate TCP SYN packets with random, forged source addresses toward a victim host. The victim sends a SYN/ACK back to each random source address and adds an entry to its connection queue. Because the SYN/ACK is destined for an incorrect or nonexistent host, the last part of the three-way handshake is never completed (a so-called half-open connection), and the entry remains in the connection queue until its timer expires. By generating phony TCP SYN packets from random IP addresses at a rapid rate, an intruder can fill up the connection queue and deny TCP services to legitimate users; the queue is exhausted as soon as the rate of forged SYNs multiplied by the half-open timeout exceeds its capacity. There is no easy way to trace the originator because the source IP address is forged, but within the network infrastructure the attack can be constrained to a limited area if a router or firewall intercepts the TCP connection and proxies on behalf of the connection-initiating host to make sure that the connection is valid [8].
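The following discrete-event model is an added example and is not part of the paper or its cited source [8]; it shows why the half-open queue described above is exhausted once the forged-SYN rate times the entry timeout exceeds the queue size. The backlog capacity (128), the 30-second half-open timeout, the attack and client rates, and the address ranges are assumptions chosen to make the mechanism visible, not measurements of any real TCP stack.

```python
"""Model of a TCP listen backlog under a SYN flood (added example, assumed parameters)."""
import random


class Backlog:
    """Table of half-open (SYN_RECV) connections on the victim host."""

    def __init__(self, capacity, timeout):
        self.capacity = capacity   # assumed number of half-open entries the host keeps
        self.timeout = timeout     # seconds before an unanswered SYN/ACK entry is discarded
        self.entries = {}          # source -> time at which the entry expires
        self.dropped = 0           # SYNs refused because the table was full

    def _expire(self, now):
        # Remove entries whose timer has run out; nothing else frees a half-open slot.
        for src in [s for s, t in self.entries.items() if t <= now]:
            del self.entries[src]

    def syn(self, now, src):
        """Incoming SYN: reserve a slot and 'send' SYN/ACK. Returns True if a slot was free."""
        self._expire(now)
        if len(self.entries) >= self.capacity:
            self.dropped += 1
            return False
        self.entries[src] = now + self.timeout
        return True

    def ack(self, now, src):
        """Final ACK of the handshake: the entry leaves the half-open table."""
        self._expire(now)
        return self.entries.pop(src, None) is not None


def simulate(attack_pps, legit_cps, duration, capacity=128, timeout=30.0, seed=1):
    """Fraction of legitimate clients that complete the handshake during the attack."""
    rng = random.Random(seed)
    events = []
    # Attacker: SYNs from forged, random source addresses; the SYN/ACK goes nowhere and
    # no ACK ever follows, so each accepted SYN pins a slot until the timeout.
    for i in range(int(attack_pps * duration)):
        spoofed = "10.%d.%d.%d" % (rng.randrange(256), rng.randrange(256), rng.randrange(256))
        events.append((i / attack_pps, 1, "syn", spoofed))
    # Legitimate clients (assumed 192.0.2.0/24): SYN, then the final ACK 50 ms later.
    for i in range(int(legit_cps * duration)):
        t = i / legit_cps
        src = "192.0.2.%d#%d" % (i % 256, i)
        events.append((t, 0, "syn", src))
        events.append((t + 0.05, 0, "ack", src))
    events.sort()   # time order; at equal times legitimate traffic is processed first

    table = Backlog(capacity, timeout)
    legit_ok = legit_total = 0
    pending = set()  # legitimate clients whose SYN got a slot and who will ACK
    for now, is_attacker, kind, src in events:
        if kind == "syn":
            accepted = table.syn(now, src)
            if not is_attacker:
                legit_total += 1
                if accepted:
                    pending.add(src)
        elif src in pending:
            pending.discard(src)
            if table.ack(now, src):
                legit_ok += 1
    return legit_ok / legit_total


if __name__ == "__main__":
    # 200 forged SYN/s against a 128-entry backlog with a 30 s timeout fills the
    # queue in well under a second; with a 0.5 s timeout the queue drains faster
    # than it fills (200 * 0.5 = 100 < 128) and every legitimate client gets through.
    print("no attack:            %.2f" % simulate(0, 10, 10.0))
    print("attack, 30 s timeout: %.2f" % simulate(200, 10, 10.0, timeout=30.0))
    print("attack, 0.5 s timeout:%.2f" % simulate(200, 10, 10.0, timeout=0.5))
```

The comparison between the two timeouts is the point: the attacker never needs bandwidth, only a SYN rate high enough that rate times timeout exceeds the queue size, which is why shortening the half-open timer or moving the half-open state to an intercepting proxy changes the outcome.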
A UDP flood does not need a handshake mechanism at all. Since UDP is connectionless, the server must process every datagram it receives and cannot verify a forged source address, so an attacker may simply send a large number of forged UDP packets, for example to significantly reduce the performance of the server's CPU.
Another well-known kind of DoS is the Ping of Death. This attack exploits a vulnerability in the implementation of the TCP/IP stack: fragmented ICMP echo request packets whose reassembled size is larger than 65,535 bytes (the maximum an IP datagram's 16-bit Total Length field can describe) are sent to the target, causing a buffer overflow in the reassembly process. Modern operating systems have overcome this problem by disregarding oversized packets, that is, by checking each fragment's offset plus length against the maximum datagram size before copying it into the reassembly buffer. Ping packets can also be flooded to the system so that normal traffic fails to reach it, which is known as a Ping Flood.
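The check that "disregarding oversized packets" amounts to is shown below as an added example; it is not code from the paper or from any real operating system. The fragments are constructed by hand (not captured traffic), the 20-byte header length assumes an IPv4 header without options, and hole detection is simplified to non-overlapping fragments.

```python
"""IPv4 fragment reassembly with the bound that defeats Ping of Death (added example)."""

MAX_IP_DATAGRAM = 65535                         # 16-bit Total Length: header + payload
IP_HEADER_LEN = 20                              # assumed: IPv4 header without options
MAX_PAYLOAD = MAX_IP_DATAGRAM - IP_HEADER_LEN   # 65515 bytes of reassembled payload


class OversizedDatagram(ValueError):
    """Raised instead of writing past the end of the reassembly buffer."""


def fragment_fits(frag_offset, payload_len):
    """frag_offset is the 13-bit header field, counted in 8-byte units."""
    return frag_offset * 8 + payload_len <= MAX_PAYLOAD


def reassemble(fragments):
    """fragments: iterable of (frag_offset, more_fragments, payload_bytes).

    Returns the reassembled payload. Every fragment is bounds-checked before it is
    copied, so a fragment that would land beyond 65,535 bytes is rejected rather than
    overflowing a fixed-size buffer, which is the Ping of Death failure.
    """
    buf = bytearray()
    covered = 0
    total_len = None
    for off, more, data in sorted(fragments, key=lambda f: f[0]):
        if not fragment_fits(off, len(data)):
            raise OversizedDatagram("fragment at %d+%d exceeds %d bytes"
                                    % (off * 8, len(data), MAX_PAYLOAD))
        start, end = off * 8, off * 8 + len(data)
        if len(buf) < end:
            buf.extend(bytes(end - len(buf)))
        buf[start:end] = data
        covered += len(data)
        if not more:
            total_len = end     # the fragment with MF=0 fixes the datagram length
    if total_len is None or covered != total_len:
        raise ValueError("incomplete datagram")
    return bytes(buf)


def is_rejected(fragments):
    """True if the reassembler refuses the fragment set as oversized."""
    try:
        reassemble(fragments)
    except OversizedDatagram:
        return True
    return False


def make_fragments(payload, mtu_payload=1480):
    """Split a payload into fragments as a sender would (constructed sample data)."""
    frags = []
    for start in range(0, len(payload), mtu_payload):
        chunk = payload[start:start + mtu_payload]
        more = start + len(chunk) < len(payload)
        frags.append((start // 8, more, chunk))
    return frags


# Constructed samples: an ordinary 3002-byte ICMP echo request body (type 8, code 0
# followed by filler), and a Ping of Death whose final fragment starts at 8191*8 =
# 65528 bytes, so the reassembled datagram cannot fit the Total Length field.
BENIGN_PAYLOAD = b"\x08\x00" + b"A" * 3000
BENIGN = make_fragments(BENIGN_PAYLOAD)
POD = make_fragments(b"\x08\x00" + b"B" * 65512)[:-1] + [(8191, False, b"B" * 16)]

if __name__ == "__main__":
    print("benign reassembles to %d bytes" % len(reassemble(BENIGN)))
    print("ping of death rejected:", is_rejected(POD))
```

The bound is checked per fragment and before the copy; a reassembler that only validated the total after all fragments arrived would already have written past its buffer.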