5. Denial of Service Basics

This section covers basic info regarding "Denial of Service".

5.1 What is "Denial of Service"?

Denial of Service (DoS) is simply rendering a service offered by a workstation or server unavailable to others. This is a controversial subject, since some people think that DoS is not a hack, or that it is rather juvenile and petty. While I can't think of very many reasons why you might want to engage in DoS, I still will continue to include this type of material in the Hack FAQ. What is more sad -- the fact that I include them, or the fact that there are so many of them?

Regardless of your feelings, DoS has been steadily gaining in popularity, be it hackers mad at other hackers, sys admins mad at spammers, or whatever -- virtually everyone I've run into who is aware of the potential of DoS at least has software to do it, admins included.

Reasons that a hacker might want to resort to DoS might include the following:

Reasons that a Sys Admin might use DoS:

5.2 What is the Ping of Death?

The Ping of Death is an ICMP echo request (ping) whose total size exceeds the 65,535-byte maximum for an IP datagram. Because it is far larger than the link MTU, it reaches the target as a train of IP fragments, and the target's IP stack starts reassembling them. The last fragment's offset plus its length places data beyond the end of the reassembly buffer, which was sized for a legal datagram, so the buffer overflows. On an unpatched system this causes unpredictable results, such as reboots or system hangs.

Windows 95 and Windows NT are capable of sending such a packet. By simply typing in "ping -l 65527 -s 1 target" you can send such a ping: the -l switch sets the data size, and 65,527 bytes of data plus the 8-byte ICMP header and the 20-byte IP header comes to 65,555 bytes, 20 past the legal maximum. Stock Unix ping refuses a data size that large, which is why source code examples that build the oversized packet themselves exist for Unix platforms. These sources are freely available on the Internet.

Most systems have patches available to prevent Ping of Death from working. The fix is the obvious bounds check: any fragment whose offset plus length would put the reassembled datagram past the 65,535-byte limit is dropped instead of copied into the buffer.
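Here is the reassembly bounds check in code, as an added example written for this FAQ; it is not code from the FAQ, from the Windows ping, or from any of the Unix sources mentioned above. It models a fragment the way the IP header presents it (a 13-bit offset in 8-byte units plus a data length), applies the check that patched stacks added, and feeds it a constructed fragment train for the "ping -l 65527" case. The 20-byte IP header (no options), the 1480-byte fragment size (1500-byte MTU) and the 0xAB fill are assumptions of the model, not anything the FAQ states.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* An IPv4 datagram, header included, can be at most 65535 bytes. Assuming a
 * minimal 20-byte header (no options), the reassembled payload can be at
 * most 65515 bytes; that is the buffer a correct reassembler sizes for. */
#define IP_MAX_DATAGRAM 65535u
#define IP_HDR_LEN      20u
#define IP_MAX_PAYLOAD  (IP_MAX_DATAGRAM - IP_HDR_LEN)
#define FRAG_DATA_LEN   1480u   /* assumption: 1500-byte MTU minus 20-byte header */
#define ICMP_HDR_LEN    8u
#define MAX_FRAGS       64

/* One IP fragment as the reassembly code sees it. The header's fragment
 * offset field counts 8-byte units, and payload_len is this fragment's data. */
struct ip_frag {
    uint16_t offset_units;   /* 13-bit fragment offset, in 8-byte units */
    uint16_t payload_len;    /* bytes of data carried by this fragment */
    int      more_fragments; /* the MF flag; 0 on the last fragment */
};

/* Byte position just past this fragment's data in the reassembled payload.
 * Computed in 32 bits so the sum cannot wrap the way a 16-bit length does. */
uint32_t frag_end(const struct ip_frag *f)
{
    return (uint32_t)f->offset_units * 8u + f->payload_len;
}

/* The check the Ping of Death patches added: a fragment whose data would land
 * past the largest legal payload is dropped before it is copied anywhere. */
int frag_fits(const struct ip_frag *f)
{
    return frag_end(f) <= IP_MAX_PAYLOAD;
}

/* Reassemble fragments into buf. Returns the reassembled payload length, or
 * -1 if any fragment fails the bounds check. An unpatched stack skipped this
 * check and let the last fragment run off the end of its buffer. */
long reassemble(const struct ip_frag *frags, size_t n,
                unsigned char *buf, size_t bufsz)
{
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t end = frag_end(&frags[i]);
        if (!frag_fits(&frags[i]) || end > bufsz)
            return -1;
        memset(buf + (size_t)frags[i].offset_units * 8u, 0xAB, frags[i].payload_len);
        if (end > total)
            total = end;
    }
    return (long)total;
}

/* Constructed input: the fragment train a sender produces for an ICMP echo
 * request carrying icmp_data_len data bytes, split at FRAG_DATA_LEN boundaries. */
size_t build_ping_frags(uint32_t icmp_data_len, struct ip_frag *out, size_t max_out)
{
    uint32_t total = ICMP_HDR_LEN + icmp_data_len;
    size_t n = 0;
    for (uint32_t off = 0; off < total && n < max_out; off += FRAG_DATA_LEN) {
        uint32_t len = total - off < FRAG_DATA_LEN ? total - off : FRAG_DATA_LEN;
        out[n].offset_units = (uint16_t)(off / 8u);
        out[n].payload_len = (uint16_t)len;
        out[n].more_fragments = (off + len < total);
        n++;
    }
    return n;
}

/* Build the train for a ping with the given data size and feed it to the
 * checked reassembler. Returns the reassembled length, or -1 if rejected. */
long ping_train_length(uint32_t icmp_data_len)
{
    static unsigned char buf[IP_MAX_PAYLOAD];
    struct ip_frag frags[MAX_FRAGS];
    size_t n = build_ping_frags(icmp_data_len, frags, MAX_FRAGS);
    return reassemble(frags, n, buf, sizeof buf);
}

int main(void)
{
    /* 56 data bytes: an ordinary ping, a single fragment, 64-byte payload */
    printf("56 data bytes    -> %ld\n", ping_train_length(56));
    /* 65507 data bytes: the largest ping that still fits a legal datagram */
    printf("65507 data bytes -> %ld\n", ping_train_length(65507));
    /* 65527 data bytes: the Ping of Death; its last fragment ends at 65535 */
    printf("65527 data bytes -> %ld\n", ping_train_length(65527));
    return 0;
}
```

The 65,527-byte case produces 45 fragments; the first 44 pass the check, and the last one (offset 65,120, length 415) ends at byte 65,535, which is 20 bytes past the largest payload a 20-byte-header datagram can carry, so the train is rejected as a whole. Note the end position is computed in 32 bits: doing the same sum in the 16-bit total-length field is exactly where the original stacks lost the overflow.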

5.3 What is a SYN Flood attack?

In TCP, a three-way handshake takes place when a client connects to a service. First the client sends a SYN packet, to which the service responds with a SYN-ACK. Finally the client answers the SYN-ACK with an ACK, and the conversation is considered started.

A SYN flood attack is when the client never responds to the SYN-ACK, so the service keeps the half-open connection in its backlog until it times out, and meanwhile the client keeps sending new SYN packets. The source address of each SYN is forged to a non-existent host, so nothing ever answers the SYN-ACK (a live host that wasn't expecting it would send a RST and clear the entry). As long as the SYN packets arrive faster than the TCP stack times out the half-open connections, the backlog stays full, and the resources of the service are tied up: legitimate SYNs are dropped and nobody can connect.

This is a simplified version of what exactly happens. For more elaborate details and sample Linux code for creating a flood, see Phrack 48 file 13 by daemon9.
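To make the "faster than the timeout rate" condition concrete, here is a small model of a listener's half-open connection table, added for this FAQ; it is not code from the FAQ or from the Phrack article, and it sends no packets. The backlog size (128 slots), the 75-second timer for an unanswered SYN-ACK, and the addresses used are all assumptions of the model. A forged-source SYN takes a slot and only the timer ever frees it; a legitimate client completes the handshake and frees its slot immediately.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Both constants are assumptions for the model: the number of half-open
 * connections the listener will hold, and how long an unanswered SYN-ACK
 * stays in the table before the stack gives up on it. */
#define BACKLOG     128
#define SYN_TIMEOUT 75   /* seconds */

/* A connection that has received its SYN-ACK but no ACK yet. */
struct half_open {
    uint32_t src_ip;     /* the client address, which the flooder forges */
    uint16_t src_port;
    uint32_t created;    /* time in seconds at which the SYN arrived */
    int      in_use;
};

struct listener {
    struct half_open q[BACKLOG];
    unsigned long syns_dropped;  /* SYNs refused because the table was full */
    unsigned long established;   /* handshakes that completed */
};

void listener_init(struct listener *l)
{
    memset(l, 0, sizeof *l);
}

/* Age out entries whose SYN-ACK went unanswered for SYN_TIMEOUT seconds.
 * With a forged, non-existent source no ACK and no RST ever arrives, so
 * this timer is the only thing that frees the slot. */
void listener_expire(struct listener *l, uint32_t now)
{
    for (int i = 0; i < BACKLOG; i++)
        if (l->q[i].in_use && now - l->q[i].created >= SYN_TIMEOUT)
            l->q[i].in_use = 0;
}

/* Handshake step 1: a SYN arrives. Returns 1 if the listener sends a SYN-ACK
 * and holds a slot for the reply, 0 if the table is full and the SYN is
 * dropped; that drop is what a legitimate client experiences as the DoS. */
int listener_syn(struct listener *l, uint32_t src_ip, uint16_t src_port, uint32_t now)
{
    listener_expire(l, now);
    for (int i = 0; i < BACKLOG; i++) {
        if (!l->q[i].in_use) {
            l->q[i].src_ip = src_ip;
            l->q[i].src_port = src_port;
            l->q[i].created = now;
            l->q[i].in_use = 1;
            return 1;
        }
    }
    l->syns_dropped++;
    return 0;
}

/* Handshake step 3: the client's ACK completes the connection and frees the
 * slot. Returns 1 on a match, 0 if no half-open entry exists for this peer. */
int listener_ack(struct listener *l, uint32_t src_ip, uint16_t src_port)
{
    for (int i = 0; i < BACKLOG; i++) {
        if (l->q[i].in_use && l->q[i].src_ip == src_ip && l->q[i].src_port == src_port) {
            l->q[i].in_use = 0;
            l->established++;
            return 1;
        }
    }
    return 0;
}

/* Smallest sustained rate (SYNs per second) at which forged SYNs refill slots
 * faster than the timer frees them: BACKLOG / SYN_TIMEOUT, rounded up. */
unsigned flood_rate_needed(void)
{
    return (BACKLOG + SYN_TIMEOUT - 1) / SYN_TIMEOUT;
}

/* Simulation: the attacker sends syn_rate SYNs per second from forged sources
 * that never answer, while a legitimate client (which does answer) tries once
 * per second. Returns how many of the legitimate attempts went through. */
int simulate_flood(unsigned syn_rate, unsigned seconds)
{
    struct listener l;
    int legit_ok = 0;
    uint32_t forged = 0x0A000001u;        /* constructed sources in 10.0.0.0/8 */
    const uint32_t client = 0xC000020Au;  /* constructed client, 192.0.2.10 */

    listener_init(&l);
    for (uint32_t t = 0; t < seconds; t++) {
        for (unsigned k = 0; k < syn_rate; k++)
            listener_syn(&l, forged++, 40000, t);     /* step 1, never step 3 */
        uint16_t port = (uint16_t)(50000 + t);
        if (listener_syn(&l, client, port, t)) {      /* step 1 */
            listener_ack(&l, client, port);           /* step 3 frees the slot */
            legit_ok++;
        }
    }
    return legit_ok;
}

int main(void)
{
    printf("forged SYNs needed per second: %u\n", flood_rate_needed());
    printf("1 SYN/s for 200 s: client connected %d/200 times\n", simulate_flood(1, 200));
    printf("2 SYN/s for 200 s: client connected %d/200 times\n", simulate_flood(2, 200));
    return 0;
}
```

With these numbers one forged SYN per second never holds more than 75 of the 128 slots, so the client connects every time; two per second fill the table after 63 seconds, and from then on every expired slot is immediately retaken by a fresh forged SYN, so the client never gets in again. The threshold is simply backlog divided by timeout, which is why even a slow link can take down a listener with a large timeout and a small backlog.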

5.4 What are other popular Denial of Service attacks?

Most of the others involve ICMP (i.e. ping), either by generating massive floods of ICMP traffic or by sending malformed packets. Smurf sends ICMP echo requests to a network's broadcast address with the source forged to the victim, so every host on that network answers the victim at once. Teardrop sends IP fragments whose offsets overlap, which crashed reassembly code that did not expect overlapping fragments. Search the net for smurf.c or teardrop.c for more details.
