Linux Security HOWTO: Network Security: Denial of Service Attacks
8.8. Denial of Service Attacks
A "Denial of Service" (DoS) attack is one where the attacker tries to make
some resource too busy to answer legitimate requests, or to deny
legitimate users access to your machine.
Denial of service attacks have increased greatly in recent years. Some
of the more popular and recent ones are listed below. Note that new
ones show up all the time, so these are just a few examples. Read the
Linux security lists and the bugtraq list and archives for more
current information.
- SYN Flooding - SYN flooding is a network
denial of service attack. It takes advantage of a "loophole" in the
way TCP connections are created. The newer Linux kernels (2.0.30 and
up) have several configurable options to prevent SYN flood attacks
from denying people access to your machine or services. See
Kernel Security for proper kernel
protection options.
- Pentium "F00F" Bug - It was recently discovered that a particular
sequence of instructions sent to a genuine Intel Pentium processor would reboot
the machine. This affects every machine with a Pentium processor (not
clones, not Pentium Pro or PII), no matter what operating system it's
running. Linux kernels 2.0.32 and up contain a workaround for this
bug, preventing it from locking your machine. Kernel 2.0.33 has an
improved version of the kernel fix, and is suggested over 2.0.32. If
you are running on a Pentium, you should upgrade now!
- Ping Flooding - Ping flooding is a simple brute-force denial
of service attack. The attacker sends a "flood" of ICMP packets to
your machine. If they are doing this from a host with better bandwidth
than yours, your machine will be unable to send anything on the
network. A variation on this attack, called "smurfing", sends ICMP
packets to a host with your machine's return IP, allowing them to
flood you less detectably. You can find more information about the
"smurf" attack at http://www.quadrunner.com/~chuegen/smurf.txt
If you are ever under a ping flood attack, use a tool like tcpdump to
determine where the packets are coming from (or appear to be coming
from), then contact your provider with this information. Ping floods
can most easily be stopped at the router level or by using a firewall.
- Ping o' Death - The Ping o' Death attack sends
ICMP ECHO REQUEST packets that are too large to fit in the kernel data
structures intended to store them. Because sending a
single, large (65,510 bytes) "ping" packet to many systems will cause
them to hang or even crash, this problem was quickly dubbed the "Ping
o' Death." This one has long been fixed, and is no longer anything to
worry about.
- Teardrop / New Tear - One of the most recent exploits
involves a bug present in the IP fragmentation code on Linux and
Windows platforms. It is fixed in kernel version 2.0.33, and does not
require selecting any kernel compile-time options to enable the fix.
Linux is apparently not vulnerable to the "newtear" exploit.
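The SYN flooding and ping flooding items above both come down to one source sending far more packets per second than a legitimate host would, and the text suggests tcpdump as the way to see where they come from. The following script is an added example, not part of the HOWTO and not a tool the HOWTO mentions: it parses one-line tcpdump summaries, counts ICMP echo requests and TCP SYNs per source per second, and reports the sources that cross a threshold. The capture lines are constructed for the example (documentation address ranges, not a real trace), and the per-second threshold of 4 is an assumed tuning value, not a figure from the text.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style output (not a real capture). The lines mimic the
# one-line summaries printed by "tcpdump -n": one attacker-like source sends
# five ICMP echo requests in one second, another sends five TCP SYNs in one
# second, and two ordinary hosts send a single packet each.
SAMPLE_CAPTURE = """\
12:00:01.000100 IP 10.0.0.5 > 192.0.2.10: ICMP echo request, id 7, seq 1, length 64
12:00:01.000200 IP 10.0.0.5 > 192.0.2.10: ICMP echo request, id 7, seq 2, length 64
12:00:01.000300 IP 10.0.0.5 > 192.0.2.10: ICMP echo request, id 7, seq 3, length 64
12:00:01.000400 IP 10.0.0.5 > 192.0.2.10: ICMP echo request, id 7, seq 4, length 64
12:00:01.000500 IP 10.0.0.5 > 192.0.2.10: ICMP echo request, id 7, seq 5, length 64
12:00:01.000600 IP 198.51.100.7 > 192.0.2.10: ICMP echo request, id 3, seq 1, length 64
12:00:02.000100 IP 203.0.113.9.40001 > 192.0.2.10.80: Flags [S], seq 1, win 512, length 0
12:00:02.000200 IP 203.0.113.9.40002 > 192.0.2.10.80: Flags [S], seq 1, win 512, length 0
12:00:02.000300 IP 203.0.113.9.40003 > 192.0.2.10.80: Flags [S], seq 1, win 512, length 0
12:00:02.000400 IP 203.0.113.9.40004 > 192.0.2.10.80: Flags [S], seq 1, win 512, length 0
12:00:02.000500 IP 203.0.113.9.40005 > 192.0.2.10.80: Flags [S], seq 1, win 512, length 0
12:00:02.000600 IP 192.0.2.20.51000 > 192.0.2.10.80: Flags [S], seq 1, win 1024, length 0
12:00:02.000700 IP 192.0.2.20.51000 > 192.0.2.10.80: Flags [.], ack 1, win 1024, length 0
"""

# Timestamp, "IP", source (optionally with .port), ">", destination (optionally
# with .port), ":", and the rest of the summary.
LINE_RE = re.compile(
    r"^(?P<hms>\d\d:\d\d:\d\d)\.\d+ IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?: "
    r"(?P<rest>.*)$"
)


def classify(rest):
    """Map the tail of a tcpdump summary to the packet classes we count."""
    if rest.startswith("ICMP echo request"):
        return "icmp_echo_request"     # ping flood candidate
    if rest.startswith("Flags [S]"):
        return "tcp_syn"               # SYN flood candidate (pure SYN, no ACK)
    return None


def packets_per_second(capture):
    """Return {(class, source, second): count} for the classes above."""
    counts = defaultdict(int)
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                   # not a summary line we understand
        kind = classify(m.group("rest"))
        if kind is None:
            continue                   # ACKs, replies, other protocols: ignored
        counts[(kind, m.group("src"), m.group("hms"))] += 1
    return counts


def flag_floods(capture, per_second_threshold=4):
    """Return sorted (class, source, second, count) tuples at or above the threshold.

    The threshold is an assumed tuning knob for this example, not a value
    given in the HOWTO; pick it from what your own hosts normally generate.
    """
    return sorted(
        (kind, src, sec, n)
        for (kind, src, sec), n in packets_per_second(capture).items()
        if n >= per_second_threshold
    )


if __name__ == "__main__":
    import sys
    # Use the constructed sample when run interactively; otherwise read piped
    # tcpdump output from standard input.
    capture = SAMPLE_CAPTURE if sys.stdin.isatty() else sys.stdin.read()
    for kind, src, sec, n in flag_floods(capture):
        print(f"{sec} {kind:18} from {src}: {n} packets in one second")
```

The source addresses it reports are exactly what the text says to pass to your provider, with the caveat the text also gives: a spoofed or smurf-style flood shows the forged or reflecting addresses, not the attacker's. The counts only ever tell you who to block at the router or firewall, which is where the text says the flood is most easily stopped.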
You can find code for most exploits, and a more in-depth description of how
they work, at http://www.rootshell.com using their search engine.
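The Ping o' Death and Teardrop items above are both malformed-fragment problems: one reassembles to more than an IPv4 datagram may hold, the other presents fragments whose data ranges overlap. The validator below is an added example written for this page; it is not code from the HOWTO, nor the Linux kernel's reassembly code, and it does not reproduce either bug. It assumes a minimal 20-byte IP header, and it rejects overlapping fragments outright, which is a deliberate policy choice rather than a description of how any particular kernel handled overlaps. The fragment sets at the bottom are constructed; the oversize one uses the 65,510-byte figure the text gives.

```python
# Added example: a conservative IPv4 fragment validator, not code from the
# HOWTO or from any kernel. Assumes a minimal 20-byte IP header.
IP_HEADER_LEN = 20
MAX_PAYLOAD = 65535 - IP_HEADER_LEN    # largest payload an IPv4 datagram can carry


class BadFragment(ValueError):
    """Raised for a fragment set that must not be reassembled."""

    def __init__(self, kind, message):
        super().__init__(message)
        self.kind = kind               # "malformed", "oversize", "overlap", "incomplete"


def reassemble(fragments):
    """Validate and reassemble fragments given as (offset, payload, more_fragments).

    offset is the byte position of the payload in the original datagram (the
    IP fragment-offset field times 8); more_fragments is the MF flag.
    Returns the reassembled payload bytes or raises BadFragment.
    """
    accepted = []          # (start, end, payload) for fragments checked so far
    final_end = None       # end of the MF=0 fragment, once seen
    for offset, payload, more in fragments:
        if offset % 8:
            raise BadFragment("malformed", f"offset {offset} is not a multiple of 8")
        if more and len(payload) % 8:
            raise BadFragment("malformed", "non-final fragment length must be a multiple of 8")
        start, end = offset, offset + len(payload)
        # Ping o' Death shape: the reassembled datagram would exceed 65535 bytes.
        if end > MAX_PAYLOAD:
            raise BadFragment("oversize", f"fragment ends at byte {end}, beyond {MAX_PAYLOAD}")
        # Teardrop shape: this fragment overlaps data that was already accepted.
        for s, e, _ in accepted:
            if start < e and s < end:
                raise BadFragment("overlap", f"[{start},{end}) overlaps [{s},{e})")
        if not more:
            if final_end is not None:
                raise BadFragment("malformed", "more than one final fragment")
            final_end = end
        accepted.append((start, end, payload))

    if final_end is None:
        raise BadFragment("incomplete", "no final (MF=0) fragment seen")
    accepted.sort()
    buf = bytearray()
    for s, e, p in accepted:
        if s != len(buf):
            raise BadFragment("incomplete", f"gap before offset {s}")
        buf += p
    if len(buf) != final_end:
        raise BadFragment("malformed", "data beyond the final fragment")
    return bytes(buf)


def verdict(fragments):
    """Return "ok" or the BadFragment kind, for quick classification."""
    try:
        reassemble(fragments)
        return "ok"
    except BadFragment as exc:
        return exc.kind


# Constructed fragment sets (no real captures).
# A normal datagram split into two fragments:
NORMAL = [(0, b"A" * 1480, True), (1480, b"B" * 100, False)]
# Ping o' Death shape: 65,510 bytes of ICMP data plus the 8-byte ICMP header
# ends at byte 65518; the intermediate fragments are omitted because the size
# check already fires on the last one.
OVERSIZE = [(0, b"\x08\x00" + b"\x00" * 1478, True), (65512, b"P" * 6, False)]
# Teardrop shape: the second fragment starts inside the first.
OVERLAP = [(0, b"A" * 64, True), (24, b"B" * 40, False)]
# Only the first fragment ever arrives (a reassembly timer would expire it).
INCOMPLETE = [(0, b"A" * 1480, True)]

if __name__ == "__main__":
    for name, frags in [("normal", NORMAL), ("oversize", OVERSIZE),
                        ("overlap", OVERLAP), ("incomplete", INCOMPLETE)]:
        print(f"{name:10} -> {verdict(frags)}")
```

The two checks are cheap because each one needs only the new fragment's start and end: the oversize test is a single comparison against the datagram limit, and the overlap test compares against the ranges already held. A real stack also has to bound memory and time per reassembly queue, which this example leaves out.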