Thursday, 13 December 2012

Overview of Denial of Service

Technologically—the primary goal of an attack is to deny the victim(s) access to a particular resource. It is an explicit attempt by attackers to prevent legitimate users of a computer-related service from using that service. But, as any information and network security issue, combating denial of service is primarily an
exercise in risk management. To mitigate the risk, you need to make business decisions as well as technical decisions.
In general, systems and networks can be engineered to respond to a DoS attack by doing one of these things:
  •  Absorb the attack. This implies that additional capacity has already been planned for, installed, and tested before an attack begins. On the negative side, there is an additional resource cost for this excess capacity even when no attacks are currently under way.
  • Degrade services. Once the critical services have been identified, it may be possible to design the network, systems, and applications in such a way that noncritical services can be degraded in favor of keeping critical services functional through an attack. If the attack is protracted or extremely heavy, it may become necessary to completely disable noncritical services to provide additional capacity to critical services.
  • Shut down services. It is plausible that an organization could decide to simply shut down all services until an attack has subsided. While certainly not an optimal choice, it may be a reasonable response for some.
Your reaction to a DoS attack depends a great deal on the preparations made before an attack. Once an attack is under way, it may be too late to configure and install additional capacity or monitoring. These need to be in place ahead of time. It is also important to have communication plans in place.

How to Detect Denial Of Service Attack
A DoS attack can be detected via normal monitoring of inbound traffic volumes and other performance metrics. However, the first indication of attack often comes from internal help desk calls reporting that one or more services have become unavailable, or from external customers unable to contact your public web server. Upon examination, traffic volumes on the various network segments leading to the attack target may be found to be far higher than normal, perhaps saturated, or the target server's incoming connection queue may be filled, rendering the server unresponsive. Other substantiating evidence may be present, such as a marked increase in dropped packets on some segments or a substantial increase in firewall log entries. External connectivity may suffer, perhaps causing DNS lookups to fail and thus many second order internal failures. A DoS attack is generally not subtle, and makes itself known in ways that are hard to miss.

Note that it is also important to keep an eye on your outbound network utilization
numbers. This will help you detect the situation where an intruder has commandeered a
compromised machine inside your perimeter and is using it to generate flood traffic
against an external host.


No comments:

Post a Comment