Denial of Service – CompTIA Security+ SY0-401: 3.2


Denial of service attacks are very difficult to defend against. In this video, you’ll learn about denial of service attacks and you’ll see how one of the first DoS attacks, the Smurf attack, was able to disrupt services on many networks.

<< Previous Video: Man-in-the-Middle AttacksNext: Replay Attacks >>


The most basic definition of a denial of service is when you are preventing a service from operating. And this can be done a number of different ways. In the computer and networking world, there are a lot of different ways to create a denial of service situation. If you are to overload a particular web server, for instance, with thousands or millions of people hitting it all at once, it would cause that server to be completely overwhelmed by the number of requests it’s getting and, therefore, not be able to provide services to the people that would really like to, legitimately, get access to that web server.

Denial of service is also designed to take advantage, sometimes, of a very specific vulnerability. For instance, there may be a router. When a router receives a particular kind of packet, it doesn’t know what to do with that packet. And it causes a problem inside the software of that router and may cause the router to stop forwarding traffic. This is something that many router manufacturers have had to deal with. And whenever they find a vulnerability like that, obviously they patch it very quickly.

But the bad guys know about these vulnerabilities. And if they find a router that isn’t patched, they may be able to find that particular design failure or that particular vulnerability and take advantage of it, completely bring that router down. Now that router has to be rebooted for it to be able to work properly.

You may also just want to cause an entire system to become unavailable, not for a malicious reason, necessarily, but more of a competitive advantage reason. We see this a lot in industrial espionage, when there is one particular organization that would like to keep their competition out of business. And they may do that through nefarious means, such as creating a denial of service situation.

This may also, of course, be a smokescreen for another kind of exploit. In a previous video, we talked about a man-in-the-middle attack. We talked about DNS spoofing. We’ve talked about DNS poisoning. And when you start to do those types of things, it may become very useful for you to create a diversion or to overload a legitimate server, so that you can take advantage of that. And you can become the legitimate server. You’re now available, that other machine no longer available. You’re now the new DNS server. And when it comes to DNS poisoning, that can be very, very, very useful, very helpful when you’re performing that type of attack.

This, of course, does not have to be a complex process for a denial of service. I mentioned the very basic definition of a denial of service is to prevent any access to that resource. One good way to do it would be to turn off the power. You don’t have to have a million systems hitting a web server at once. You simply go outside the building. You notice outside of the building the power, the big switch for the power system on the building, is not locked up. You walk up. You turn the switch. The entire building goes down. You’ve just created a denial of service situation.

When we’re talking about big time denial of service, though, we’re talking about many devices on the internet, participating all at once. Wherever we were looking at botnets, in our botnet video, we were talking about these botnets just sitting there and waiting for a command. And the bad guys may take an army of their robot network devices out there, send them a command that says, please take down a web server, send a denial of service attack to a particular site. And so you can use this army of computers to bring down that service. Use all the bandwidth, use as many resources available in that web server. If that web server can serve 1,000 users at once, hit them with 2,000. He’ll be so busy trying to serve that many systems, he won’t be able to operate and do anything for anyone else.

This is exactly the purpose of a botnet, not just to send spam, but to participate in these massive types of events. Coreflood was a really good example of this. This was taken down in April 2011. 2.3 million devices, it’s estimated, were participating in this Coreflood botnet. And these botnet command and control would send these devices out to take down individual systems. Becomes a bit of an issue when you’re trying to keep those websites up and running. There’s really very little you can do when that many systems are hitting you all at once.

This may also be something called an asymmetric threat, which means the attacker, the individual device, has fewer resources then the victim has. Sort of an odd situation. You’ve got all these individual boxes out there. They may be very tiny devices. But they are now all working together to take down a much larger giant. That becomes a real big issue. It’s very difficult to build a web server that would be able to accommodate 2.3 million requests all at once and, therefore, it’s very, very simple for these tiny, tiny little devices to take down those monster websites.

One of the very first denial of service attacks was one called a Smurf attack. And what was nice about the Smurf attack is you could get a lot of bang for your buck. And here’s what I mean by this. You would be a station out on the network. When the 192.168.1.22, let’s call you on this laptop, and you would like to take down the server that’s at 192.168.1.1. But one machine that’s sitting out here, it would be very, very difficult– because this is a big beefy server– it would be very difficult for one machine to take down that one server.

So the key to a Smurf attack is that you get to involve everybody else on the network. And the way you do that is through something that was very commonly done back in the day. This was back in the ’90s. This is a capability that, really, you don’t see much anymore. But you send a ping out, an ICMP echo request. Then you spoof the From address, even though you’re 1.22. You send the packet out and say, Hi. I’m 192.168.1.1. You pretend you’re the server. And you send it to the broadcast address for the subnet.

When all of these devices out here see this packet, they are all programmed to take in and react to broadcast addresses. Everybody must look at a broadcast frame. That’s the whole purpose of a broadcast. And they look at that and say, wow. That’s a ping. I need to now send this ping response back to the 1.1 address. And now everybody on the network sends a response back.

So by sending out this one packet, you can get an entire subnet sending back ping commands. And if you start streaming out those ping requests, obviously you’ll start multiplying the amount of ping responses going back to that individual server. And, hopefully, if this is your objective, you’re creating a denial of service situation for that server.

Now, the reality is that, today, our routers are not going to route these subnet requests, these broadcast requests, for a ping to the subnet. And our individual workstations these days are programmed not to respond to a request. You’ll still see one from time to time that won’t participate that way. And that may be an older system. Or it may be a type of operating system that will respond to that, but generally, you’ll find most systems won’t participate in a Smurf attack. But it was a very, very common way, in fact, one of the very first ways, to do a denial of service and make it very, very easy if you’re on that subnet, to take down one of these big servers, all with a single packet.