| Name of Attack | Flooding Capabilities | Short Description |
| --- | --- | --- |
| Land | TCP SYN | The source and destination IP addresses are the same, causing the response to loop. |
| SYN | TCP | Sends large numbers of TCP connection initiation requests to the target. The target system must consume resources to keep track of these partially opened connections. |
| Teardrop | TCP fragments | Sends overlapping IP fragments. |
| Smurf | ICMP | ICMP (Internet Control Message Protocol) ping requests are sent to a directed broadcast address. The forged source address of the request is the target of the attack. The recipients of the directed broadcast ping request respond to the request and flood the target's network. |
| Ping of death | ICMP | ICMP packets greater than 65536 can bring down a system. |
| Open/close | TCP, UDP | The open/close attack opens and closes connections at a high rate to any port serviced by an external service through inetd. The number of connections allowed is hardcoded inside inetd. |
| ICMP Unreachable | ICMP | The attacker sends ICMP unreachable packets from a spoofed address to a host. This causes all legitimate TCP connections on the host to the spoofed address to be torn down. The TCP sessions then retry, and as more ICMP unreachables are sent, a DoS condition occurs. |
| ICMP redirect | ICMP | ICMP redirects can cause data overload on the targeted system. |
| IRDP | ICMP | The ICMP Router Discovery Protocol can be spoofed to cause fake routing entries to be entered into a Windows machine. IRDP has no authentication. Upon startup, a system running MS Windows 95/98 will always send 3 ICMP Router Solicitation packets to the 224.0.0.2 multicast address. If the machine is NOT configured as a DHCP client, it ignores any Router Advertisements sent back to the host. However, if the Windows machine is configured as a DHCP client, any Router Advertisements sent to the machine will be accepted and processed. |
| ARP redirect | ARP | Only the local subnet can be attacked. |
| Looping UDP ports | UDP | The attack uses 2 UDP services: chargen (port 19) and echo (port 7) can be spoofed into sending data to each other. |
| IGMP flood | IGMP | |
| Fraggle | UDP | Same as Smurf, but uses UDP rather than ICMP, sent to a broadcast address for amplification. |
| UDP flood | UDP | Sends large numbers of UDP (User Datagram Protocol) packets to the target system, thus tying up network resources. |
| TCP flood | TCP NUL, TCP RST, TCP ACK | When TCPs communicate, each TCP allocates some resources to each connection. By repeatedly establishing a TCP connection and then abandoning it, a malicious host can tie up significant resources on a server. |
| UDP reflectors | UDP | All Web servers, DNS servers, and routers are reflectors, since they will return SYN ACKs or RSTs in response to SYN or other TCP packets; query replies in response to query requests; or ICMP Time Exceeded or Host Unreachable in response to particular IP packets. By spoofing IP addresses from slaves, a massive DDoS attack can be arranged. |
| URL attacks | TCP | URL attacks attempt to overload an HTTP server via various methods: HTTP bombing (continuous requests for the same homepage or a large web page), or requesting the page with REFRESH so as to bypass any proxy server. Many of these attacks are not zombie attacks but are executed by humans, hundreds simultaneously. |
| VPN attacks | TCP | Uses specially crafted GRE or IPIP packets to attack the destination address of a VPN. |