This article is taken from http://www.allot.com/html/solutions_enterprise_dos_attacks.shtm
Malicious worms were recently distributed across the Internet and duplicated themselves on the systems of unwilling accomplices. Those systems then actively participated in scheduled, planned DoS (Denial of Service) attacks on unsuspecting sites. Infected systems increased the demand for bandwidth and server resources, thereby slowing down business-critical applications.
DDoS (Distributed Denial of Service) attacks are more intense and damaging than DoS attacks: in a DDoS attack, multiple machines unknowingly participate in an attack against a single target host. In February 2000, a variant of the Smurf and DoS attacks brought down Yahoo!, Buy.com, CNN.com, Amazon.com and other sites. In these attacks, hacker "agents" were loaded on hundreds of "Zombie" client machines. A master console then directed all of the Zombie systems, past the firewalls in front of them, to become active and attack the victim.
Malicious traffic, disguised as legitimate traffic, passes firewalls that normally filter out illegal traffic. There is a need for a multilayer security system, one that enhances firewalls and protects network resources from such attacks.
Glossary of DoS Attacks and Malicious Traffic:
Smurf
- When a perpetrator sends a large volume of ICMP echo (ping) traffic to IP
broadcast addresses, using a fake source address. Every host on the broadcast network
replies, so the spoofed source address is flooded with simultaneous replies
(see CERT Advisory CA-1998-01).
Fraggle
- When a perpetrator sends a large volume of UDP echo traffic to IP broadcast
addresses, all of it carrying a fake source address. This is a simple rewrite of the
Smurf code using UDP instead of ICMP.
Ping of Death
- When an attacker sends illegitimate, oversized ICMP (ping) packets.
These attacks target specific TCP/IP stacks that cannot handle this type of packet,
and they overload the victim's servers.
IP Spoofing
- When an attacker uses a fake Internet address so that the source address of an
IP packet is not the actual source. An attacker outside the network (i.e., on the Internet)
may send packets with a source address belonging to the LAN. This deceives the internal
servers into identifying the attacker as a legitimate internal network user, and the
internal address becomes the victim. Spoofing is used in most of the well-known DoS attacks.
SYN Flood
- When an attacker sends a series of SYN requests to a target (victim). The target replies
to each with a SYN ACK and waits for the ACK that would complete the session set-up. Since
the source address was fake, that ACK never comes; the half-open connections fill the
victim's memory buffers until it can no longer accept legitimate session requests.
Peer-to-Peer (P2P) Applications
- These applications turn network clients into servers, consuming expensive WAN
bandwidth and potentially distributing worms throughout the network. Napster is a
well-known P2P application.
Worms
- Self-propagating code that floods networks with email and adds registry entries to
users' clients. Worms may be transmitted via email, by sharing infected files, or via Internet
Chat. Worms take advantage of "back doors" or "holes" in popular email software and
operating systems. "Malicious" worms may also erase or hide certain types of files.
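The two glossary entries above on spoofing and SYN floods each describe a condition a firewall or traffic monitor can check for. The following added example (not code from the article or from Allot) shows both checks over a constructed sample of packet records: an ingress filter that flags packets arriving from the Internet side with a source address inside the LAN, and a half-open connection counter that flags a destination once too many SYNs have gone unanswered by a completing ACK. The LAN prefix, the threshold and all addresses are assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed LAN prefix behind the firewall (constructed for this example).
INTERNAL_NET = ip_network("192.168.10.0/24")

@dataclass(frozen=True)
class Packet:
    iface: str       # "wan": arrived from the Internet side; "lan": sent from inside
    src: str
    dst: str
    proto: str       # "tcp", "udp" or "icmp"
    flags: str = ""  # TCP flags as letters: "S" SYN, "SA" SYN/ACK, "A" ACK

def is_spoofed_ingress(pkt: Packet) -> bool:
    """Spoofing check: a packet arriving from the Internet side cannot
    legitimately carry a source address that belongs to the LAN."""
    return pkt.iface == "wan" and ip_address(pkt.src) in INTERNAL_NET

def half_open_targets(pkts, threshold: int) -> dict:
    """SYN flood check: a (src, dst) pair that sent a SYN but never sent the
    completing ACK is a half-open connection. Returns each destination whose
    half-open count reaches the threshold, with that count."""
    syns, acks = set(), set()
    for p in pkts:
        if p.proto != "tcp":
            continue
        if p.flags == "S":
            syns.add((p.src, p.dst))
        elif p.flags == "A":
            acks.add((p.src, p.dst))
    pending = Counter(dst for _, dst in syns - acks)
    return {dst: n for dst, n in pending.items() if n >= threshold}

# Constructed sample traffic toward an internal server.
SERVER = "192.168.10.20"
SAMPLE = [
    # A legitimate three-way handshake from an Internet client.
    Packet("wan", "203.0.113.5", SERVER, "tcp", "S"),
    Packet("lan", SERVER, "203.0.113.5", "tcp", "SA"),
    Packet("wan", "203.0.113.5", SERVER, "tcp", "A"),
    # A SYN from outside that claims an internal source address.
    Packet("wan", "192.168.10.7", SERVER, "tcp", "S"),
]
# Six SYNs from different sources that never complete the handshake.
SAMPLE += [Packet("wan", f"198.51.100.{i}", SERVER, "tcp", "S") for i in range(1, 7)]
```

Running `half_open_targets(SAMPLE, 5)` reports the server with seven half-open connections, while the legitimate client that completed its handshake is not counted.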