Understanding Denial-of-Service Attacks

You may have heard of denial-of-service attacks launched against websites,
but you can also be a victim of these attacks. Denial-of-service attacks can
be difficult to distinguish from common network activity, but there are some
indications that an attack is in progress.

What is a denial-of-service (DoS) attack?

In a denial-of-service (DoS) attack, an attacker attempts to prevent
legitimate users from accessing information or services. By targeting your
computer and its network connection, or the computers and network of the
sites you are trying to use, an attacker may be able to prevent you from
accessing email, websites, online accounts (banking, etc.), or other
services that rely on the affected computer.

The most common and obvious type of DoS attack occurs when an attacker
"floods" a network with information. When you type a URL for a particular
website into your browser, you are sending a request to that site's computer
server to view the page. The server can only process a certain number of
requests at once, so if an attacker overloads the server with requests, it
can't process your request. This is a "denial of service" because you can't
access that site.

An attacker can use spam email messages to launch a similar attack on your
email account. Whether you have an email account supplied by your employer
or one available through a free service such as Yahoo or Hotmail, you are
assigned a specific quota, which limits the amount of data you can have in
your account at any given time. By sending many, or large, email messages to
the account, an attacker can consume your quota, preventing you from
receiving legitimate messages.

What is a distributed denial-of-service (DDoS) attack?

In a distributed denial-of-service (DDoS) attack, an attacker may use your
computer to attack another computer. By taking advantage of security
vulnerabilities or weaknesses, an attacker could take control of your
computer. He or she could then force your computer to send huge amounts of
data to a website or send spam to particular email addresses. The attack is
"distributed" because the attacker is using multiple computers, including
yours, to launch the denial-of-service attack.

How do you avoid being part of the problem?

Unfortunately, there are no effective ways to prevent being the victim of a
DoS or DDoS attack, but there are steps you can take to reduce the
likelihood that an attacker will use your computer to attack other
computers:
* Install and maintain anti-virus software (see Understanding Anti-Virus
Software for more information).
* Install a firewall, and configure it to restrict traffic coming into and
leaving your computer (see Understanding Firewalls for more
information).
* Follow good security practices for distributing your email address (see
Reducing Spam for more information). Applying email filters may help you
manage unwanted traffic.

How do you know if an attack is happening?

Not all disruptions to service are the result of a denial-of-service attack.
There may be technical problems with a particular network, or system
administrators may be performing maintenance. However, the following
symptoms could indicate a DoS or DDoS attack:
* unusually slow network performance (opening files or accessing websites)
* unavailability of a particular website
* inability to access any website
* dramatic increase in the amount of spam you receive in your account

What do you do if you think you are experiencing an attack?

Even if you do correctly identify a DoS or DDoS attack, it is unlikely that
you will be able to determine the actual target or source of the attack.
Contact the appropriate technical professionals for assistance.
* If you notice that you cannot access your own files or reach any
external websites from your work computer, contact your network
administrators. This may indicate that your computer or your
organization's network is being attacked.
* If you are having a similar experience on your home computer, consider
contacting your internet service provider (ISP). If there is a problem,
the ISP might be able to advise you of an appropriate course of action.
_________________________________________________________________

Author: Mindi McDowell
_________________________________________________________________

Produced 2004 by US-CERT, a government organization.

Note: This tip was previously published and is being re-distributed to increase awareness.

Terms of use

http://www.us-cert.gov/legal.html

This document can also be found at

http://www.us-cert.gov/cas/tips/ST04-015.html

For instructions on subscribing to or unsubscribing from this mailing list, visit
http://www.us-cert.gov/cas/signup.html.

Comments

Post a Comment

Popular posts from this blog

TCP/IP 明確擁塞通知 (ECN)

Image
當路由器擁塞的程度已經達到填滿傳入封包緩衝區而開始捨棄封包時,會影響網路而縮減頻寬,對資料損失敏感或具時效性的傳輸量流動會進而受到衝擊,而且可能在擁塞之後產生連結閒置時間。TCP/IP 明確擁塞通知 (ECN) 讓路由器能夠通知「傳輸控制通訊協定」(TCP) 對等體,由於網路擁塞,緩衝區已滿。TCP 對等體會以減緩資料傳輸來回應,協助防止封包損失。 明確擁塞通知(Explicit Congestion Notification) TCP/IP 的 ECN 支援同時使用 IP 及 TCP 標頭中的未使用位元。 • 在 (IP) 網際網路層上,轉送封包時,傳送主機必須能夠表示有能力執行 ECN,而路由器則必須能夠指出所遇到的擁塞狀況。 • 在 (TCP) 傳輸層,TCP 對等體必須彼此表明有能力執行 ECN。接收端對等體必須能夠通知傳送端對等體,已經從遇到擁塞狀況的路由器接到封包;傳送端對等體必須能夠通知接收端對等體,已經從接收端對等體接到擁塞指標,並且已經降低傳輸速率。 IP 中的 ECN 支援 IP 標頭中的 8 位元 [Type of Service (TOS)] 欄位最先定義於 RFC 791 中,指出封包由路由器進行非預設傳送的傳送優先順序、延遲、輸送量、可靠性,以及成本等特性。TOS 欄位在 RFC 2474 中重新定義,以包含 6 位元區別服務代碼點 (Differentiated Services Code Point, DSCP) 及兩個未使用的位元。DSCP 值表示的傳送優先順序會對應於先前在內部網路的路由器中設定的佇列。IP 中的 ECN 支援使用 RFC 2474 所定義 TOS 欄位的兩個未使用位元。[圖 1] 顯示 ECN 中 TOS 欄位的新定義。 圖 1:ECN 中 TOS 欄位的新定義 RFC 2474 所定義 TOS 欄位中的兩個未使用位元在 RFC 3168 中定義為 ECN 欄位,欄位的值如下: • 00 傳送主機不支援 ECN。 • 01 或 10 傳送主機支援 ECN。 • 11 路由器已遇到擁塞狀況。 具備 ECN 功能的主機傳送其封包時,會將 ECN 欄位設定為 01 或 10。對於具備 ECN 功能的主機所傳送的封包,如果路徑中的路由器具備 ECN 功能,但是正遇到擁塞狀況,則 ECN 欄位會設定為 11。一旦 ECN ...
Read More »

集中式數位交換機(CENTREX)系統

一般公司行號採購電話系統時,大部分都是自行購置私用交換機(PBX)。其實除了PBX之外,亦可選擇電信公司提供的CENTREX電話系統。 所謂CENTREX電話系統,中文翻譯為「集中式數位交換機」,簡稱CENTREX虛擬總機。就是在電信公司在市話交換機上,附加用戶專用交換機(PBX)軟體的功能,使在CENTREX系統之各線獨用電話可兼有私用交換機的分機功能。在CENTREX系統中,電信公司將市話交換機的部分用戶定義為一個基本用戶群,該用戶群的用戶不僅擁有普通用戶的所有功能,而且擁有私用交換機的所有功能。CENTREX系統用戶的分機可以獨立計費,也不會因中繼數量不足而產生話路壅塞;除此之外,若同一公司有多個辦公地點,而均在同一市話交換機之供線範圍內,則全部之分機皆可以視為同一套總機之分機,這是一般私用交換機所不及的地方。以前因為CENTREX線路的申租費用較高、大部分是學校等建築物分散的用戶在使用。但隨著固網業務開放,CENTREX線路租用費用日益降低,將吸引人更多企業用戶捨棄自行建置PBX而改用CENTREX系統。 CENTREX系統的功能 一般來說,電信公司為CENTREX用戶提供下列一般及特殊功能: 一.外線直接撥入分機(DID) 不必另外申請,外線就可以直接撥入任一分機,分機亦可以不經總機之轉接,直接抓外線撥號。 二.分機限撥 每一分機可以做適當之限制,如限撥外線、長途、國際或限外線直接撥入分機等之各項限制。 三.電話轉接功能 當電話進來,完成通話之後,如要再找第三人時,可以利用本功能,將電話轉接到第三人,繼續通話而不必重撥。 四.來話保留(Call Hold) 接到電話時,如需要轉問其他人員,而不希望對方知道通話內容時,可以利用本功能將對方保留起來,進行詢問動作;完成後,在接回對方,繼續服務工作。 五.仲介電話功能 控制者可以利用本功能,自行控制要與甲方或乙方通話,當與甲方通話時,乙方成保留狀態,而聽不到甲方與控制者之通話內容;反之亦同。 六.呼叫代接功能 同一單位之電話可以設定為同一帶接群,當有同事不再位置上,而有電話進來時,可以利用呼叫代接功能代接其電話,而不必到他的位置上幫他接電話。 七.條件指定轉接 當電話忙線與電話進來而無法應答時,將電話轉到所設定之電話。 八.自動回叫(Call Back) 當你有急事要與對方聯繫,而對方又在電話中,不知對方何時完成...
Read More »

何謂"Trunking"?

您知道三層交換機技術中常提到的TRUNK是什麼意思嗎? 在技術領域中把TRUNK翻譯為中文是“主幹、幹線、中繼線、長途線”,不過一般不翻譯,直接用原文。同樣的名詞在不同場合中有不同的解釋: 1、 在網路的分層結構和頻寬的分配方面,TRUNK被解釋為“端口匯聚”,是頻寬擴展和鏈路備份的一個重要途徑。TRUNK把多個物理端口捆綁在一起當作一個邏輯端口使用,可以把多組端口的頻寬累加起來使用。TRUNK技術可以實現TRUNK內部多條鏈路互為備份的功能,即當一條鏈路出現故障時,不影響其他鏈路的工作,同時多鏈路之間還能實現流量負載均衡。 2、在電信網路的語音級的線路中,Trunk指的是“主幹網路、電話幹線”,即兩個交換局或交換機之間的連接電路或信道,它能夠在兩端之間進行轉接,並提供必要的訊號和終端設備傳輸。 3、 在Routing & Switching領域中,VLAN的端口聚合有的叫TRUNK,不過大多數都叫TRUNKING ,如CISCO。所謂的TRUNKING是用來在不同的交換機之間進行連接,以保證在跨越多個交換機上建立的同一個VLAN的成員能夠相互通訊。其中交換機之間互聯用的端口就稱為TRUNK端口。 TRUNKING是基於OSI第二層技術,如果你在2個交換機上分別劃分了多個VLAN(VLAN也是基於Layer2的),那麼分別在兩個交換機上的VLAN10和VLAN20的各自的成員如果要互通,就需要在A交換機上設為VLAN10的端口中取一個和交換機B上設為VLAN10的某個端口利用一條實體線路相連接。 那麼如果交換機上設定了10個VLAN就需要分別使用10條實體線路來跟另一個交換機上10個不同VLAN的端口互相連結。相對來說使用效率低落而且管理不易。如果交換機支援TRUNKING的話,事情就簡單多了,只需要2個交換機之間有一條實體連線,並將對應的端口設置為Trunk,這條線路就可以承載交換機上所有VLAN的資訊。這樣的話,就算交換機上設了上百個個VLAN也只要用1個端口就可以解決了。 如果交換機上相同VLAN的主機要相互通信,那麼可以通過共用的trunk端口就可以實現;如果是不同VLAN的主機之間要相互通信,就必需要通過第三方的路由功能的設備來實現。這也就是所謂的Inter-VLAN Routing。 【例】假設有兩個VLAN,分別為VLAN 1(Switch F...
Read More »