Troubleshooting Denial of Service – CompTIA Network+ N10-006 – 4.7

A denial of service can be a significant event on any network. In this video, you’ll learn about DoS events, the fundamentals of a distributed DoS, DoS on a wireless network, and the process of troubleshooting a denial of service.

Bad guys use a denial of service to try to make a service become inaccessible or to make it completely fail. They try to overload the service by sending it a lot of information at one time. So the service is so busy responding to the denial of service attack that it can’t take care of legitimate requests. Some denial of service attacks are very smart at what they go after.

If there is a known vulnerability to an application or to an operating system, they’ll go after that vulnerability to bring down the service. That’s why it’s always important to keep your operating systems and your applications at the latest versions and patched, that way the bad guys don’t have a way into this application by taking advantage of a vulnerability.

Sometimes, this becomes a competitive advantage where one competitor might bring another competitor down with a denial of service. Once they get you off the network, they’re the only service available to provide that particular product or service, and they definitely will have a competitive advantage over you. Sometimes, a denial of service is a smokescreen for a different kind of attack occurring somewhere else.

We often see this with DNS spoofing. We can bring down your DNS and bring up our DNS so that we now are the authority for all the name services and that becomes a very easy way for the bad guys to take control of your network by bringing down a different part of it. And, of course, a denial of service doesn’t have to include a lot of technology. You could turn off the power to an entire building, and you’ve now created a very effective denial of service.

A distributed denial of service means that the denial of service takes place from many different locations. You have a large army of devices, and they’re all descending on one location at one time, using up all of your bandwidth or all of the resources for that service. If you’re wondering why the bad guys spend so much time installing malware and taking control of your computer, this is one of the very good reasons why they do that, because now they control your system. And they can have your computer participate in a distributed denial of service without you even knowing that it’s happening.

There can be thousands or even millions of devices under the control of some of these botnets. The Coreflood botnet was taken down in April 2011. There were 2.3 million devices infected with Coreflood. And the ZeroAccess botnet had 2.2 million devices as part of that botnet in 2012. This is what we call an asymmetric threat. This means that the attacker probably has a lot fewer resources available than the device that they’re attacking. But because they’re able to combine all of their resources together, they can easily overwhelm the resources at the victim.

A somewhat obvious denial of service for a wireless network would be to disrupt the entire wireless spectrum all at one time. If you can somehow put your signal on the 2.4 gigahertz and the 5 gigahertz bands, then obviously, your access points will not be able to use those frequencies. You can think of this as the microwave oven effect. When you turn on a microwave oven that’s not well shielded, it’s sending out so much energy that it is affecting all of your wireless frequencies. And, of course, there are rogue devices that you can get to put onto a network and disrupt all of the frequencies in those wireless ranges.

Another method is to send 802.11 disassociation frames to all of the devices on the wireless network. That’s a more intelligent attack, and that’s another good reason why you want to maintain an encryption method on all of your wireless networks. It’s difficult to prevent a denial of service attack, especially one that is distributed. Often, this looks like normal legitimate traffic, and it’s hard to differentiate between what traffic may be an attack and what traffic may be legitimate.

Your firewall might be useful to block denial of service traffic that’s coming in out of state. In this way, the firewall is only going to allow traffic that is the legitimate part of an existing session, and if it does not belong to that session, it drops it at the firewall. Some routers and firewalls can block traffic based on where the traffic is coming from, and if it’s coming inbound to the router or firewall based on the interface.

With this method, the router or firewall is looking at the source address and comparing that to the interface that it’s received on. If it’s not coming inbound to the correct interface, it drops all of the traffic. In some cases, you may be able to take advantage of reputation-based filtering where there’s a large number of users around the world and they can differentiate between what devices may be good and what devices may be bad.
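The two firewall checks described above, dropping traffic that is out of state and comparing the source address against the interface it arrived on, as an added Python example that is not part of the course transcript; the routing table, interface names and sample packets are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

def pkt(src, sport, dst, dport, flags, ingress, proto="tcp"):
    return dict(src=src, sport=sport, dst=dst, dport=dport,
                flags=flags, ingress=ingress, proto=proto)

class DosFilter:
    """Strict reverse-path check plus a stateful session check."""
    def __init__(self, routes, inside_iface):
        # routes: prefix -> interface the router uses to reach that prefix
        self.routes = {ip_network(p): i for p, i in routes.items()}
        self.inside = inside_iface
        self.sessions = set()  # established 5-tuples

    def expected_iface(self, src):
        """Longest-prefix match: the interface a reply to src would leave on.
        A genuine packet from src must arrive on that same interface."""
        addr, best = ip_address(src), None
        for net, iface in self.routes.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def filter(self, p):
        # 1. Source/interface check: drops spoofed sources used in floods.
        if self.expected_iface(p["src"]) != p["ingress"]:
            return "drop: spoofed source"
        # 2. State check: allow packets that match an existing session in
        #    either direction, or a new TCP session opened from inside.
        key = (p["src"], p["sport"], p["dst"], p["dport"], p["proto"])
        rev = (key[2], key[3], key[0], key[1], key[4])
        if key in self.sessions or rev in self.sessions:
            return "accept"
        if p["proto"] == "tcp" and p["flags"] == "S" and p["ingress"] == self.inside:
            self.sessions.add(key)  # inside host opening a new connection
            return "accept"
        return "drop: out of state"

# Constructed routing table (assumption): internal LAN, DMZ, default to Internet.
ROUTES = {"10.0.0.0/8": "eth0", "192.168.50.0/24": "eth1", "0.0.0.0/0": "eth2"}

def demo():
    """Run four constructed packets through the filter and return the verdicts."""
    fw = DosFilter(ROUTES, inside_iface="eth0")
    return [
        fw.filter(pkt("10.1.1.5", 51000, "198.51.100.10", 443, "S", "eth0")),  # inside opens session
        fw.filter(pkt("198.51.100.10", 443, "10.1.1.5", 51000, "SA", "eth2")),  # reply to it
        fw.filter(pkt("10.5.5.5", 1234, "10.1.1.5", 80, "A", "eth2")),  # internal source from Internet
        fw.filter(pkt("203.0.113.9", 4444, "10.1.1.5", 80, "A", "eth2")),  # no matching session
    ]
```

The third packet is dropped by the interface check alone, before any session lookup, which is why this check is cheap to run on every packet during a flood.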