
Very prolific on cable networks and amongst IRC lamers, denial of service attacks against the windows TCP/IP stack have become increasingly common in the past few years, starting with the now famous winnuke attack, which just happened to appear at the same time as the internet became popular amongst the masses and, accordingly, the 15-year-old script kiddiez.

That's not to say that it's a windows only problem; for example Teardrop affected linux as well, there was a BSD attack in late 1998, and Sun attacks have existed for years. It's just that windows has a lot more of them of late, partially due to a poorly designed TCP/IP stack, partially due to it being the most popular target.

An information systems attack in which no access to the system(s) is gained, but rather a loss of service is incurred, typically the loss of all network connectivity and services.

See: buffer overflow attack, SYN attack, teardrop attack, smurf attack
A method of censorship currently practiced by those who are not authorities. A DOS attack works by sending a large number of phony pings or page view requests to a specific server, overwhelming it. Those servers that are not shut down by the attack are slowed to a crawl as they try to filter out the few real requests from the fake ones.

DOS attacks are difficult to track, because the packets received by the server have forged their return address to be a bogus IP.

The improvement of server technology has made a DOS attack from a single computer difficult, if not impossible. Thus, the Distributed Denial of Service attack, or DDOS, has come about. A DDOS attack works like this:

  1. The hacker/cracker/script kiddie breaks into a bunch of computers and installs a slave program on them.
  2. Our Bad Guy picks out his target.
  3. The Bad Guy uses his own computer to tell his slave computers to start sending phony page view requests to the target.
  4. The target gets overwhelmed with page view requests from dozens, if not hundreds of slave computers.

In February of 2000, several large sites, including Yahoo, Amazon.com, Buy.com and E*Trade were hit in rapid succession by parties as yet unknown in a massive DDOS attack.

A DOS attack itself should not be confused with hacking or cracking, as the attacker never gains any access to the target machine.

Actually, a DoS attack is not necessarily random (or even targeted) vandalism. Such an attack can be a crucial part of a well-planned break-in: for example, if the target network is guarded by an Intrusion Detection System, the cracker would do well to first take down that system so that it doesn't interfere with (or record) what happens next. Furthermore, after a successful DoS on a key server (DNS, for example), the cracker might be able to pose as that server and give responses that help them to break into other systems.


A Denial of Service attack is an often successful attempt by a perpetrator to render an internet service (most usually a web site) useless - hence it denies legitimate users access to the service.

The methods used vary in complexity, with smaller sites requiring less complex measures to take them down. It should be noted that the service itself need not be broken into in order to perform the attack, although other innocent machines may be compromised.

A Simple Attack

The simplest attack probably consists of pinging a host as quickly as possible with as many packets as possible. This will only affect the smallest of servers, and obviously the attacking machine must be capable of higher-capacity operations than the victim, if it is to survive. A more punishing attack can consist of HTTP GET packets, which will stress the processor of the victim more, and take more bandwidth.

Servers (and the routers providing their connection to the net) often have filters to discard such a flood of packets from a single source in order to fend off these attacks, although IP Spoofing may be used to avoid this defence.

Distributed Denial of Service

A Distributed DOS attack requires that many servers attack at a specific time. The reason for doing this is that the total combined bandwidth of the attackers will be higher than the bandwidth of the victim.

Often, the attacking machines will be owned by innocent bystanders who won't know their machine is compromised. A common method of synchronising attacks is for compromised machines to log onto and watch an IRC channel set up by the perpetrators. On the command, many thousands of machines will attack a given site, from many different directions. As the machine becomes unstable, its routers start to notify upstream routers of problems. The messages now start passing both ways - DOS messages one way, and 'router busy' messages passing back up the stream. Many, many machines can be taken down by a comprehensive attack.

The Slashdot Effect

A distributed attack is regularly, and accidentally, launched against servers by a phenomenon known as the slashdot effect. Due to the number of people reading /. and the few stories which are posted, a new story will generate thousands upon thousands of hits on a site as people follow the links posted. Many of the world's smaller servers creak and eventually break under the pressure.

An IRC Example

The simplest attack possible on IRC is for a user to repeatedly hit the return key, so that messages scroll off the screens of most users before they have a chance to read them. Again, many IRC servers have protection against this flooding, and users will be kicked off the system, and probably banned.


There are often political, religious or other ideological motives behind a DOS attack, and mercenary crackers are sometimes recruited by militant action groups to perform them. Other groups may simply want to find out how much abuse a large site is capable of taking before it creaks under the pressure.

In many jurisdictions it is illegal to launch such an attack.
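The per-source flood filter and the IP spoofing caveat described in the "A Simple Attack" section above, as an added example that is not code from any of these writeups: a sliding-window filter keyed on source address, beside the aggregate rate the victim actually has to absorb. The window, threshold and addresses are assumed, and the traffic is constructed.

```python
from collections import defaultdict, deque

WINDOW = 1.0   # seconds (assumed)
LIMIT = 100    # packets a single source may send per window (assumed)

def per_source_filter(packets, window=WINDOW, limit=LIMIT):
    """Drop packets from any source exceeding `limit` packets per `window`.

    packets: iterable of (timestamp_seconds, source_ip) tuples.
    Returns (accepted, dropped) packet counts.
    """
    recent = defaultdict(deque)          # source_ip -> timestamps in window
    accepted = dropped = 0
    for ts, src in packets:
        q = recent[src]
        while q and ts - q[0] > window:  # expire timestamps outside window
            q.popleft()
        if len(q) >= limit:
            dropped += 1
            continue
        q.append(ts)
        accepted += 1
    return accepted, dropped

def peak_rate(packets, window=WINDOW):
    """Most packets arriving in any single window, regardless of source:
    the load the victim experiences before any per-source filtering."""
    times = sorted(ts for ts, _ in packets)
    best, start = 0, 0
    for end, ts in enumerate(times):
        while ts - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

# Constructed traffic (not captures): 1000 packets spread over one second.
def single_source_flood(n=1000):
    return [(i / n, "198.51.100.7") for i in range(n)]

def spoofed_flood(n=1000):
    # Same volume, but every packet carries a different forged source address.
    return [(i / n, f"203.0.{i // 256}.{i % 256}") for i in range(n)]

if __name__ == "__main__":
    for name, flood in (("single source", single_source_flood()),
                        ("spoofed sources", spoofed_flood())):
        print(name, per_source_filter(flood), "peak/s:", peak_rate(flood))
```

Against the single-source flood the filter drops 900 of 1000 packets, but against the same volume with forged sources it drops none while the peak rate reaching the server is identical, which is why a per-source limit alone does not stop a spoofed or distributed flood.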
