A "Denial of Service" (DoS) attack is one where the attacker tries to make some resource
too busy to answer legitimate requests, or to deny legitimate users access to
your machine.
Denial of service attacks have increased greatly in recent years. Some of the more
popular and recent ones are listed below. Note that new ones show up all the time,
so these are just a few examples. Read the Linux security lists and the bugtraq list and
archives for more current information.
• SYN Flooding - SYN flooding is a network denial of service attack. It takes advantage
of a "loophole" in the way TCP connections are created. The newer Linux
kernels (2.0.30 and up) have several configurable options to prevent SYN flood
attacks from denying people access to your machine or services. See the Section
called Kernel Security for proper kernel protection options.
• Pentium "F00F" Bug - It was recently discovered that a series of assembly codes
sent to a genuine Intel Pentium processor would reboot the machine. This affects
every machine with a Pentium processor (not clones, not Pentium Pro or PII), no
matter what operating system it’s running. Linux kernels 2.0.32 and up contain a
workaround for this bug, preventing it from locking your machine. Kernel 2.0.33
has an improved version of the kernel fix, and is suggested over 2.0.32. If you are
running on a Pentium, you should upgrade now!
• Ping Flooding - Ping flooding is a simple brute-force denial of service attack. The
attacker sends a "flood" of ICMP packets to your machine. If they are doing this
from a host with better bandwidth than yours, your machine will be unable to
send anything on the network. A variation on this attack, called "smurfing", sends
ICMP packets to a host with your machine’s return IP, allowing them to flood
you less detectably. You can find more information about the "smurf" attack at
http://www.quadrunner.com/~chuegen/smurf.txt
If you are ever under a ping flood attack, use a tool like tcpdump to determine
where the packets are coming from (or appear to be coming from), then contact
your provider with this information. Ping floods can most easily be stopped at the
router level or by using a firewall.
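The tcpdump step above, worked through as an added example (not from the original HOWTO): it parses the ICMP echo lines that `tcpdump -n icmp` prints, counts echo requests per source to spot a ping flood, and flags hosts that send echo replies we never asked for, which is what a smurf attack reflecting off other hosts looks like from the victim's side. The line format is assumed from typical tcpdump output, and the sample capture is constructed.

```python
import re
from collections import Counter

# Matches the ICMP echo lines that "tcpdump -n icmp" prints (format assumed from
# typical tcpdump output). The sample capture below is constructed, not real traffic.
ICMP_RE = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply)"
)

def summarize_icmp(lines, our_ip):
    """Per-source echo requests/replies aimed at our_ip, plus requests our_ip sent out."""
    requests_in, replies_in, requests_out = Counter(), Counter(), Counter()
    for line in lines:
        m = ICMP_RE.match(line)
        if not m:
            continue
        src, dst, kind = m["src"], m["dst"], m["kind"]
        if dst == our_ip and kind == "request":
            requests_in[src] += 1
        elif dst == our_ip and kind == "reply":
            replies_in[src] += 1
        elif src == our_ip and kind == "request":
            requests_out[dst] += 1
    return requests_in, replies_in, requests_out

def flag_floods(lines, our_ip, threshold=5):
    """Return (flood_sources, smurf_reflectors).
    Ping flood: a source that sent more than `threshold` echo requests to us.
    Smurf: a host that sent us more echo replies than we sent it requests, so
    someone else forged our address on the requests it answered."""
    requests_in, replies_in, requests_out = summarize_icmp(lines, our_ip)
    floods = sorted(s for s, n in requests_in.items() if n > threshold)
    reflectors = sorted(s for s, n in replies_in.items() if n > requests_out[s])
    return floods, reflectors

# Constructed sample, in the shape "tcpdump -n icmp" prints, as seen from 192.0.2.10.
OUR_IP = "192.0.2.10"
SAMPLE = (
    [f"10:00:00.{i:06d} IP 198.51.100.7 > {OUR_IP}: ICMP echo request, id 1, seq {i}, length 64"
     for i in range(8)]
    + [f"10:00:01.000000 IP 203.0.113.4 > {OUR_IP}: ICMP echo request, id 2, seq 1, length 64",
       f"10:00:01.100000 IP {OUR_IP} > 203.0.113.9: ICMP echo request, id 3, seq 1, length 64",
       f"10:00:01.100500 IP 203.0.113.9 > {OUR_IP}: ICMP echo reply, id 3, seq 1, length 64",
       f"10:00:02.000000 IP 203.0.113.20 > {OUR_IP}: ICMP echo reply, id 9, seq 1, length 1024",
       f"10:00:02.000100 IP 203.0.113.21 > {OUR_IP}: ICMP echo reply, id 9, seq 1, length 1024"]
)

if __name__ == "__main__":
    print(flag_floods(SAMPLE, OUR_IP))  # (['198.51.100.7'], ['203.0.113.20', '203.0.113.21'])
```

The flood source and the reflector addresses are what you would pass to your provider; remember that the flood source address itself may be forged.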
• Ping o’ Death - The Ping o’ Death attack sends ICMP ECHO REQUEST packets that
are too large to fit in the kernel data structures intended to store them. Because
sending a single, large (65,510 bytes) "ping" packet to many systems will cause
them to hang or even crash, this problem was quickly dubbed the "Ping o’ Death."
This one has long been fixed, and is no longer anything to worry about.
• Teardrop / New Tear - One of the most recent exploits involves a bug present in the IP
fragmentation code on Linux and Windows platforms. It is fixed in kernel version
2.0.33, and does not require selecting any kernel compile-time options to utilize the
fix. Linux is apparently not vulnerable to the "newtear" exploit.
You can find code for most exploits, and a more in-depth description of how they
work, at http://www.rootshell.com using their search engine.
Denial of Service Attacks
Posted by Army | Saturday, March 20, 2010