What is a Denial of Service (DoS) Attack?
In the world of computing, a Denial of Service (DoS) attack is an attempt to flood a network to the point that its intended users can no longer reach it. The basic purpose of a network is to be available for use, and DoS attacks purposefully disrupt that availability. While the types of DoS attack and the techniques used to carry them out vary, they all focus on taking advantage of router vulnerabilities in order to enter and disrupt a particular network. Understanding these vulnerabilities and how best to address them is important for all users, and especially important for professionals preparing for the CompTIA Security+ or (ISC)2 CISSP exams.
Today’s DoS Attack
Many people wrongly assume that a DoS attack can no longer succeed because of the number of protections available to hinder it. However, while the Smurf and Fraggle attacks originally used to disrupt networks have lost their luster and often fail to produce results for an attacker, this does not mean that networks are immune to a Denial of Service attack.
In the case of a Smurf or Fraggle attack, an attacker used to be able to use the Internet Control Message Protocol (ICMP) or the User Datagram Protocol (UDP), respectively, to send an abnormal broadcast echo or ping carrying a spoofed source address. Today's smart Cisco routers, however, automatically block this type of illegitimate traffic from entering the network.
For a DoS attack to work nowadays, attackers must first tunnel into the network, change the IP address and then ping from within. Most people assume that firewalls make this process much harder, but the fact of the matter is that, given the right skills, it is not very difficult to bypass a firewall or even an Intrusion Detection System (IDS), which is normally the most sophisticated detection system installed on a network today. By simply encrypting the ICMP traffic along with its source address, the packet can pass the security features and begin a DoS attack that leaves the network useless.
Reactive vs. Passive Systems
While systems need a firewall and an IDS in place to detect a security breach, relying on these two defense mechanisms alone leaves you with a passive system. To truly secure a network and prevent a DoS attack from disrupting critical infrastructure, a reactive system also needs to be implemented.
Firewalls, though a necessary security feature, are still considered a passive system because they can only block what the owner tells them to stop. They act as a police checkpoint: they can monitor network traffic from the outside to prevent intrusion, but they are incapable of signaling an intrusion from within the network. Additionally, a firewall can only block data that it can read and identify as something it is supposed to block. If it cannot read the data trying to enter the network, as with fragmented or encrypted packets, then it is unable to block it. Firewalls are capable of reassembling fragmented packets, but only if the owner configures them to do so.
While most security professionals configure the firewall to reassemble fragmented packets, it still cannot decrypt incoming data. The only way to identify encrypted threats is through an Intrusion Detection System (IDS), which can go a step further: decrypt and reassemble fragmented data, detect a suspected intrusion and then alert the owner to it. However, neither system takes a proactive approach to assessing a new threat and eliminating it. Additionally, neither can evaluate encrypted or fragmented packets travelling between or through networks, so an encrypted ICMP packet can still make it through and broadcast the ping internally.
A more secure system to have in place is an Intrusion Prevention System (IPS), which reacts to the threats it detects. This system can open and inspect encrypted packets trying to enter the network. Additionally, when it uncovers suspicious activity it can automatically reset the connection or reprogram the firewall to block future traffic from the source of the malicious content. In this way it not only detects the suspect packets but also addresses the issue proactively, without further commands from the owner, as would be required with an IDS.
The downside of an IPS, however, is that decrypting every packet trying to enter the network is time-consuming and slows down the entire network, which disrupts the very availability you are trying to protect.
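The passive-versus-reactive distinction above can be made concrete with a small detector. The following is an added example and not code from the article: a sliding-window counter of ICMP echo requests per source address, run over a constructed sample of arrivals. In passive (IDS-like) mode it records an alert and lets the packets through; in reactive (IPS-like) mode the first alert adds a block rule and every later packet from that source is dropped, which is the "reprogram the firewall" behaviour the text describes. The threshold, window and sample addresses are assumptions chosen for the illustration.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Set, Tuple

# Constructed sample traffic (not captured data): (timestamp in seconds, source
# address) for each ICMP echo request seen on the inbound interface.
# 198.51.100.9 sends 50 requests in under a second, then one more later;
# 203.0.113.4 sends three ordinary pings.
SAMPLE_EVENTS: List[Tuple[float, str]] = sorted(
    [(i * 0.02, "198.51.100.9") for i in range(50)]
    + [(0.5, "203.0.113.4"), (1.5, "203.0.113.4"),
       (2.5, "198.51.100.9"), (3.0, "203.0.113.4")]
)


class EchoFloodMonitor:
    """Sliding-window ICMP echo-request counter per source.

    reactive=False behaves like the article's IDS: it raises an alert and
    lets traffic through.  reactive=True behaves like its IPS: on the first
    alert it adds a block rule and drops everything further from that source.
    Threshold and window are assumed tuning values, not from the article.
    """

    def __init__(self, threshold: int = 20, window: float = 1.0,
                 reactive: bool = False) -> None:
        self.threshold = threshold
        self.window = window
        self.reactive = reactive
        self._recent: Dict[str, Deque[float]] = defaultdict(deque)
        self.alerts: List[str] = []   # one entry per alerted source
        self.blocked: Set[str] = set()

    def process(self, ts: float, src: str) -> str:
        """Return the verdict for one echo request: 'accept', 'alert' or 'drop'."""
        if src in self.blocked:
            return "drop"
        q = self._recent[src]
        q.append(ts)
        # Evict timestamps that have fallen out of the window.
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) <= self.threshold:
            return "accept"
        if src not in self.alerts:
            self.alerts.append(src)
        if self.reactive:
            self.blocked.add(src)
            return "drop"
        return "alert"   # passive: noted, but the packet still passes

    def firewall_rules(self) -> List[str]:
        """Rules a reactive system would push to the firewall (illustrative format)."""
        return [f"drop from {src}" for src in sorted(self.blocked)]


def run_monitor(events: List[Tuple[float, str]], reactive: bool) -> Dict[str, int]:
    """Replay events through a monitor and count the verdicts it returned."""
    mon = EchoFloodMonitor(reactive=reactive)
    counts = {"accept": 0, "alert": 0, "drop": 0}
    for ts, src in events:
        counts[mon.process(ts, src)] += 1
    counts["alerts"] = len(mon.alerts)
    counts["blocked"] = len(mon.blocked)
    return counts


if __name__ == "__main__":
    print("passive (IDS): ", run_monitor(SAMPLE_EVENTS, reactive=False))
    print("reactive (IPS):", run_monitor(SAMPLE_EVENTS, reactive=True))
```

With the sample input, the passive run lets all 54 packets through and raises a single alert, whereas the reactive run drops the 31 packets that follow the threshold crossing. The cost the article warns about shows up here too: the reactive path does per-packet state lookups and rule updates inline, which is exactly the work an IPS adds to every packet it inspects.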
Creating the Best Protection for Your Network
There are trade-offs to both passive and reactive systems; to create a truly secure network you need to incorporate aspects of both. To do so efficiently, first take the time to really understand your network and IP address scheme, and decide which areas need more or less security. While this will depend heavily on your industry or business needs, servers and critical infrastructure will typically always need a higher level of protection.
Once you understand your individual needs, begin incorporating the systems that support them. If an area is considered critical infrastructure and needs a high degree of security, implement an IPS. On the other hand, if network speed is more crucial than security, leave out the time-consuming IPS; a simple firewall and IDS will suffice.
Finally, make sure you have a firewall in place throughout the system to block ICMP, and never accept packets arriving on the inbound (external) interface that carry a source IP address belonging to the internal network.
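The closing rule, together with the Smurf and Fraggle traffic pattern described earlier (a spoofed-source echo or UDP datagram sent to a broadcast address), can be expressed as an ingress filter. The block below is an added example rather than the article's own configuration: it classifies constructed packet records against three checks, an anti-spoofing check on the external interface, a directed-broadcast check for ICMP echo and UDP, and the article's blanket block on inbound ICMP. The internal prefix 192.168.10.0/24, the interface names and the sample addresses are assumptions for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Assumed address plan (not from the article): one internal /24 behind the
# router, with the external interface named "wan" and the internal one "lan".
INTERNAL_NETS = [ip_network("192.168.10.0/24")]
EXTERNAL_IFACE = "wan"
# A packet addressed to one of these from outside is the directed-broadcast
# pattern that Smurf (ICMP) and Fraggle (UDP) rely on.
DIRECTED_BROADCASTS = {net.broadcast_address for net in INTERNAL_NETS}
LIMITED_BROADCAST = ip_address("255.255.255.255")


@dataclass(frozen=True)
class Packet:
    iface: str                     # interface the packet arrived on
    src: str
    dst: str
    proto: str                     # "icmp", "udp" or "tcp"
    icmp_type: Optional[int] = None  # 8 = echo request
    dport: Optional[int] = None


def ingress_verdict(pkt: Packet) -> Tuple[str, str]:
    """Return (verdict, reason) for one packet arriving at the router."""
    src = ip_address(pkt.src)
    dst = ip_address(pkt.dst)
    # 1. Anti-spoofing: an internal source address must never arrive from outside.
    if pkt.iface == EXTERNAL_IFACE and any(src in net for net in INTERNAL_NETS):
        return ("drop", "internal source address on external interface")
    # 2. Directed broadcast: refuse the amplification pattern regardless of source.
    if dst in DIRECTED_BROADCASTS or dst == LIMITED_BROADCAST:
        if pkt.proto == "icmp" and pkt.icmp_type == 8:
            return ("drop", "ICMP echo request to broadcast (Smurf pattern)")
        if pkt.proto == "udp":
            return ("drop", "UDP to broadcast (Fraggle pattern)")
    # 3. The article's policy: block ICMP coming in from outside.
    if pkt.iface == EXTERNAL_IFACE and pkt.proto == "icmp":
        return ("drop", "inbound ICMP blocked by policy")
    return ("accept", "")


def apply_filter(packets: List[Packet]) -> Dict[str, int]:
    """Run every packet through the filter and count verdicts."""
    counts = {"accept": 0, "drop": 0}
    for pkt in packets:
        counts[ingress_verdict(pkt)[0]] += 1
    return counts


# Constructed sample packets (not captured traffic).
SAMPLE_PACKETS = [
    Packet("wan", "192.168.10.5", "192.168.10.255", "icmp", icmp_type=8),  # spoofed source
    Packet("wan", "198.51.100.7", "192.168.10.255", "icmp", icmp_type=8),  # Smurf pattern
    Packet("wan", "198.51.100.7", "192.168.10.255", "udp", dport=7),       # Fraggle pattern
    Packet("wan", "198.51.100.7", "192.168.10.20", "icmp", icmp_type=8),   # plain inbound ping
    Packet("wan", "198.51.100.7", "192.168.10.20", "tcp", dport=443),      # ordinary inbound
    Packet("lan", "192.168.10.20", "198.51.100.7", "icmp", icmp_type=8),   # internal host pinging out
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        verdict, reason = ingress_verdict(pkt)
        print(f"{pkt.iface:3} {pkt.src:>14} -> {pkt.dst:<15} {pkt.proto:4} {verdict:6} {reason}")
    print(apply_filter(SAMPLE_PACKETS))
```

The order of the checks matters: the spoofing test runs first so that a packet which is both spoofed and aimed at a broadcast address is logged for the more serious reason, and the broadcast test is not restricted to the external interface, since the amplification pattern is just as harmful when it originates on the inside.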
By following these simple guidelines and understanding the network you have in place, you will create a balance of reactive and passive systems that can keep your network safe even when you are not looking.