Denial of Service Attacks


Overview [1]

A Denial of Service (DoS) attack is not a virus but a method hackers use to prevent or deny legitimate users access to a computer.

DoS attacks are typically executed using DoS tools that send many request packets to a targeted Internet server (usually Web, FTP, or Mail server), which floods the server's resources, making the system unusable. Any system that is connected to the Internet and is equipped with TCP-based network services is subject to attack.

For example, imagine a hacker creates a program that calls a local pizza store. The pizza store answers the telephone, but learns that it is a prank call. If the program repeats this task continuously, it prevents legitimate customers from ordering pizza because the telephone line is busy. This is a denial of service, and analogous to a DoS attack.

Many DoS attack tools are capable of executing a distributed DoS attack. For example, imagine the hacker secretly plants his program onto many computers on the Internet. This would have a bigger impact because there would be more computers calling the same pizza store. It would also be more difficult to locate the attacker, since the program is not running from the attacker's computer; the attacker is only controlling the computer that secretly had the program installed. This is an analogy for a Distributed DoS (DDoS) attack.

DoS tools such as TFN, TFN2K, and Trinoo are distributed DoS attack tools. The DoS attack tools can be secretly installed onto a large number of innocent systems that can be centrally managed by a hacker to initiate DoS attacks at targeted computers. Systems that unknowingly have DoS attack tools installed are called Zombie agents or Drones.

The methods of how and what resources are flooded differ based on the DoS tools used. For example, Smurf DoS attack uses a forged ICMP (Internet Control Message Protocol) echo request. Other DoS tools, like the TFN (Tribe Flood Network) family, use the SYN flooding technique, which creates half-open connections. More detailed descriptions of several DoS tools can be found later in this document.

How to combat a DoS attack

It is difficult to trace the origin of the request packets in a DoS attack, especially if it is a distributed DoS attack. It is impossible to prevent all DoS attacks, but there are simple precautions server administrators can take to reduce the risk of being compromised by a DoS attack. For example, disabling ICMP responses protects against a Smurf-type attack, and configuring a router to filter packets whose source address does not match the side they arrived from (an external packet claiming an internal source address, or vice versa) helps avoid a TFN-type attack.
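The router precautions above, as an added example that is not part of the original page: a small model of a border filter that drops packets whose source address is inconsistent with the interface they arrived on (the spoofed traffic TFN-style tools rely on) and drops inbound ICMP echo requests aimed at an internal broadcast address (the Smurf amplifier pattern). The internal prefixes and the packet sample are constructed for illustration.

```python
import ipaddress

# Constructed assumption: the site's own (internal) address blocks.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24"),
                 ipaddress.ip_network("198.51.100.0/24")]

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def is_internal_broadcast(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip == net.broadcast_address for net in INTERNAL_NETS)

def filter_decision(direction, src, dst, proto="other"):
    """Decide whether the border router should forward a packet.

    direction: "inbound" (arrived on the Internet-facing interface) or
               "outbound" (arrived on the internal interface).
    proto:     "icmp-echo-request" for ping requests, anything else otherwise.
    Returns ("forward", None) or ("drop", reason).
    """
    # Anti-spoofing: the source address must belong to the side it came from.
    if direction == "inbound" and is_internal(src):
        return ("drop", "inbound packet with internal (spoofed) source")
    if direction == "outbound" and not is_internal(src):
        return ("drop", "outbound packet with external (spoofed) source")
    # Smurf amplifier: never let outside pings reach an internal broadcast.
    if (direction == "inbound" and proto == "icmp-echo-request"
            and is_internal_broadcast(dst)):
        return ("drop", "inbound echo request to directed broadcast")
    return ("forward", None)

# Constructed sample of packets seen at the border.
SAMPLE = [
    ("inbound", "203.0.113.5", "192.0.2.10", "other"),           # client
    ("inbound", "192.0.2.10", "192.0.2.20", "other"),            # spoofed
    ("outbound", "192.0.2.10", "203.0.113.5", "other"),          # reply
    ("outbound", "203.0.113.99", "198.51.100.7", "other"),       # spoofed
    ("inbound", "203.0.113.5", "192.0.2.255", "icmp-echo-request"),  # Smurf
]

def audit(packets=SAMPLE):
    """Return the verdict for every packet in the sample."""
    return [filter_decision(*pkt)[0] for pkt in packets]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, audit()):
        print(verdict, pkt)
```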

Norton Internet Security 2001 can protect your computer from being used as a Drone or Zombie. It protects your computer by building an impenetrable barrier between your computer and hackers on the Internet. Learn more about Norton Internet Security 2001.

How can antivirus software help against DoS?

Antivirus software detects viruses; it does not detect DoS attacks. However, it can play an important role in detecting the Zombie agents.

Antivirus software detects virus programs using a predefined signature. Tools such as TFN or Trinoo often execute their attacks from compromised computers on which Zombie agents have been secretly installed. Zombies are not just the victims of the DoS attack; they are used to perform the actual attack. By extracting a pattern or a signature from known Zombie agents, antivirus products can detect malevolent software on the compromised system. Antivirus software may also detect when a hacker is secretly installing Zombie agents. As of Feb 18, 2000, Norton AntiVirus can detect some common DoS agents such as TFN, TFN2K, Trinoo, and Stacheldraht.[1]

Reference

[1] http://securityresponse.symantec.com/avcenter/venc/data/dos.attack.html


Relevant website

CERT® Coordination Center