
Denial of service (DoS) Attacks


DoS attacks are the most publicised form of attack, and are also among the most difficult to completely eliminate. Even within the hacker community, DoS attacks are regarded as trivial and considered bad form because they require so little effort to execute. 

Still, because of their ease of implementation and potentially significant damage, DoS attacks deserve special attention from security administrators. If you are interested in learning more about DoS attacks, researching the methods employed by some of the better-known attacks can be useful.

DoS attacks can consist of the following: 

  • IP spoofing
  • DDoS

IP spoofing occurs when a hacker inside or outside a network impersonates a trusted computer in its network conversations. IP spoofing can use either a trusted IP address in the network or a trusted external IP address.

Uses for IP spoofing include the following:

  • Injecting malicious data or commands into an existing data stream
  • Diverting all network packets to the hacker by changing the routing tables, so that the hacker can then reply as a trusted user
  • Serving as only one step in a larger attack


IP spoofing is a technique used to gain unauthorized access to computers, whereby the intruder sends messages to a computer with an IP address indicating that the message is coming from a trusted host.

To engage in IP spoofing, hackers must first use a variety of techniques to find an IP address of a trusted host and then modify their packet headers to appear as though packets are coming from that trusted host. Further, the attacker can engage other unsuspecting hosts to also generate traffic that appears as though it too is coming from the trusted host, thus flooding the network.

Routers determine the best route between distant computers by examining the destination address. The originating address is ignored by routers. However, the destination machine uses the originating address when it responds back to the source. In a spoofing attack, the intruder sends messages to a computer indicating that the message has come from a trusted system.

For example, an attacker outside your network pretends to be a trusted computer, either by using an IP address that is within the range of IP addresses for your network or by using an authorized external IP address that your network trusts and provides specified resource access to. To be successful, the intruder must first determine the IP address of a trusted system, and then modify the packet headers so that it appears that the packets are coming from the trusted system.

The goal of the attack is to establish a connection that allows the attacker to gain root access to the host and to create a backdoor entry path into the target system.

Normally, an IP spoofing attack is limited to the injection of data or commands into an existing stream of data passed between a client and server application or a peer-to-peer network connection. To enable bidirectional communication, the attacker must change all routing tables to point to the spoofed IP address. Another approach the attacker could take is to simply not worry about receiving any response from the applications. For example, if an attacker is attempting to get a system to mail a sensitive file, application responses are unimportant.

If an attacker manages to change the routing tables to divert network packets to the spoofed IP address, the attacker can receive all the network packets that are addressed to the spoofed address and reply just as any trusted user can. Like packet sniffers, IP spoofing is not restricted to people who are external to the network.

IP spoofing can also provide access to user accounts and passwords, or it can be used in other ways.

For example, an attacker can emulate one of your internal users in ways that prove embarrassing for your organization. The attacker could send e-mail messages to business partners that appear to have originated from someone within your organization. Such attacks are easier when an attacker has a user account and password, but they are also possible when simple spoofing attacks are combined with knowledge of messaging protocols.

When attacks involve specific network server applications, such as an HTTP server or an FTP server, the attacker focuses on acquiring and keeping all the available connections supported by that server open. This strategy effectively locks out valid users of the server or service.

DoS attacks can also be implemented using common Internet protocols, such as TCP and ICMP. For example, Ping of Death and Teardrop attacks exploit limitations in the TCP/IP protocols.

While most DoS attacks exploit a weakness in the overall architecture of the system being attacked rather than a software bug or security hole, some attacks compromise the performance of your network by flooding the network with undesired, and often useless, network packets and by providing false information about the status of network resources.

The threat of DoS attacks can be reduced through the following three methods:

Anti-spoof features: Proper configuration of anti-spoof features on your routers and firewalls can reduce your risk. This configuration includes filtering at least to an RFC 2827 level. If hackers cannot mask their identities, they might not attack.
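The source-address check behind RFC 2827 style filtering, as an added example that is not part of the original page: packets arriving from outside must not claim an internal source, and packets leaving the site must carry a source the site actually owns. The internal prefix 192.0.2.0/24, the interface names and the sample packets are constructed assumptions.

```python
import ipaddress

# Assumed addressing plan: a documentation range stands in for "your network".
INTERNAL_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]
# Source ranges that are never valid on a public-facing interface.
RESERVED_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]

def _in_any(addr, networks):
    return any(addr in net for net in networks)

def filter_decision(interface, src):
    """Return (action, reason) for a packet with source `src` seen on `interface`.

    "outside" = arriving from the ISP link, "inside" = leaving the site.
    """
    addr = ipaddress.ip_address(src)
    if interface == "outside":
        if _in_any(addr, INTERNAL_PREFIXES):
            return ("drop", "internal source arriving from outside")
        if _in_any(addr, RESERVED_PREFIXES):
            return ("drop", "reserved source address")
        return ("permit", "plausible external source")
    if interface == "inside":
        if _in_any(addr, INTERNAL_PREFIXES):
            return ("permit", "source belongs to this site")
        return ("drop", "source not assigned to this site")
    raise ValueError("unknown interface: " + interface)

# Constructed sample packets: (interface, source address).
SAMPLE_PACKETS = [
    ("outside", "192.0.2.15"),     # claims to be an internal host
    ("outside", "10.1.2.3"),       # private range from the Internet
    ("outside", "198.51.100.10"),  # external address, possibly a trusted partner
    ("inside", "192.0.2.77"),      # legitimate outbound traffic
    ("inside", "203.0.113.9"),     # internal host forging a foreign source
]

def classify(packets):
    return [filter_decision(iface, src)[0] for iface, src in packets]

if __name__ == "__main__":
    for (iface, src), action in zip(SAMPLE_PACKETS, classify(SAMPLE_PACKETS)):
        print(iface, src, action)
```

The third sample packet is permitted: an address filter cannot tell a genuine trusted external address from a forged one, so access granted on source address alone stays exposed to the external-address case described earlier.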

Anti-DoS features: Proper configuration of anti-DoS features on routers and firewalls can help limit the effectiveness of an attack. These features often involve limits on the number of half-open TCP connections that a system allows at any given time.
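A half-open connection limit of the kind described above, as an added example that is not part of the original page: a table records each SYN until the handshake completes or a timeout passes, and refuses new SYNs once the cap is reached. The class name, the cap of 3, the 5-second timeout and the event trace are constructed assumptions.

```python
class HalfOpenTable:
    """Tracks TCP handshakes that have sent a SYN but not the final ACK."""

    def __init__(self, max_half_open, timeout):
        self.max_half_open = max_half_open
        self.timeout = timeout
        self.pending = {}  # (src_ip, src_port, dst_port) -> time the SYN was seen

    def _expire(self, now):
        # Age out handshakes that never completed so their slots are reused.
        stale = [k for k, seen in self.pending.items() if now - seen >= self.timeout]
        for key in stale:
            del self.pending[key]

    def on_syn(self, key, now):
        self._expire(now)
        if key in self.pending:
            return "retransmit"
        if len(self.pending) >= self.max_half_open:
            return "drop"          # cap reached: refuse further half-open state
        self.pending[key] = now
        return "accept"

    def on_ack(self, key, now):
        self._expire(now)
        if self.pending.pop(key, None) is not None:
            return "established"   # handshake completed, slot released
        return "ignored"

# Constructed trace: three SYNs that never complete, then a real client.
CLIENT = ("198.51.100.7", 40000, 80)
SAMPLE_EVENTS = [
    (0.0, "syn", ("203.0.113.1", 1001, 80)),
    (0.1, "syn", ("203.0.113.2", 1002, 80)),
    (0.2, "syn", ("203.0.113.3", 1003, 80)),
    (0.3, "syn", CLIENT),   # arrives while the table is full
    (5.3, "syn", CLIENT),   # retries after the stale entries have timed out
    (5.4, "ack", CLIENT),
]

def replay(events, max_half_open=3, timeout=5.0):
    table = HalfOpenTable(max_half_open, timeout)
    handlers = {"syn": table.on_syn, "ack": table.on_ack}
    return [handlers[kind](key, now) for now, kind, key in events]

if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS))
```

The fourth event shows the trade-off: the cap protects the host's memory, but a legitimate client is still refused until stale entries expire, so the timeout and the cap have to be tuned together.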

Traffic rate limiting: An organization can implement traffic rate limiting with its ISP. This type of filtering limits nonessential traffic crossing network segments to a certain rate. A common example is to limit the amount of ICMP traffic allowed into a network because it is used only for diagnostic purposes. ICMP-based DDoS attacks are common.

 - CITC - NTS Support Centre
