Networking Attacks And Denial Of Service Computer Science Essay

Published: Last Edited:

This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

Denial of service (Dos). A form of network attack that floods the network with large amounts of data packets and ties up mission-critical resources often was resulting in the network becoming overloaded and crashing.

Distributed Denial of service (DDoS)

A form of DoS attack that uses an array of systems connected to the Internet to stage a flood attack employing illegitimate network traffic against a single site.

Comparison of DoS and DDoS

Normally a DoS attacks is Denial of Service attacks which means a one computer or system and one internet or web connection will be flooded to a server by the packets and the main point of such a attack is to make overload the targeted servers bandwidth and also ither kind of resources. So by this attack it will make others to access to the sever and therefore blocking the website or anything else hosted on server. Whereas coming to DDoS attacks in most of the aspects it was similar to DoS but we can expect results in a different way. Instead of using one computer and internet connection contrastingly the DDoS attacks takes chances with many computers or systems and connections and the computers which were behind the attack are mostly distributed to all parts of the world and its part is known is botnet. The main difference between DoS and DDoS are is that target server will fully overloaded by huge number of requests where as in the coming to the case of former, it will be attacked with single attacker so obviously it would be harder to withstand on DDoS attacks

To compare the difference between DoS and DDoS we can clarify by a simple analogy. For example, if a teenager ringing your telephone repeatedly as a fact he was bored then you might get tired to pick or answering the call so you may start ignoring the call frequently. So by this a teenager has performed DoS attacks on you successfully to your telephone service and its caused because you been denied normal telephone services although you denied by yourself and it is possible to trace the attacker

In case the teenager duped radio station and make them to believe that you have got a tickets for a special concert at low price then you might receive a number of calls from unknown numbers so in this case of DDoS example also you will be denying calls of telephone services but it was like distributed nature of attack which means you have no idea from where the call is coming or it is known number or not. So tracing also pointless as it is difficult to identify the real attacker. So because the real attacker has not phoned you and he used third party in these attacks.

So by this analogy The DoS and DDoS attacks supposedly take the advantage on to response of the stimulus and later it can exploit on weakness of the system and the tools for the DoS and DDoS attacks were really simple and the skills required to attack on system is not high.

Securing DoS and DDoS attacks

There are dangerous attacks particularly in DoS attacks which are stand out. They are mainly

Smurf or Fraggle -

It is most destructing DoS attacks and in this attack the attackers will be sending ICMP request to the address which is broadcasted and the requesters source address is the victims IP address as seen in figure. Once the request is received

Then all the machines in domain send replies to victims IP address then victim will be crash once received large size packet flood. Basically Smurf attack uses bandwidth consumption to target and destruct victims' network. The attacker proceeds with low bandwidth (such as the 56K modem) can flood and destruct or disable a victim network with bandwidth high.

Securing from this attack

In case you found out attacked by Smurf attack then you have to possibly block the packets that were offended at external router so by that it will block the bandwidth upstream of the router. In cases you can prevent the Smurf attack which is ready to initiate in to your site by customizing your router that is external to block packets which were out bonded from your site that indicates a source address which is not in a subnet block.

In case to avoid being an intermediary and supporting some others DoS attempt then customize you're to block all network directed broadcast packets. So don't allow ICMP packets to be broadcasted through your router. This may you to retain the ability to show a broadcast-directed ping inside your network by taking an outsider's ability to exploit this kind of behavior.

SYN flood

This was the most destructing DoS attack before the Smurf was created. It basically uses reserved starvation to succeed in DoS attack. For example during a TCP flow a server receives a SYN request from client the client receives response SYN ACK from server and at last client sends a final ACK back to server but coming to SYN flood attack the attacker will be sending multiple SYN requests to victim's server with fake source address for getting return address. Though it won't get the response because of fake address but it can create DoS because the victim servers which need to be connected will be waiting for these bogus ACKs.

Securing from this attack

Micro blocks - Allocating a micro record instead of giving a connection object which results to a memory failure. Newer implementations for the incoming SYN object allocate as little as 16 bytes

SYN cookies - This is new prevention against SYN flood. In these SYN cookies it had got their sequence number on each side. With response to SYN, the machine which is attacked configures a sequence number which is called 'cookie' of that connection then it will forget all things. It had a feature of creating the forgotten or lost information about the connection when the following packets enter.

DNS attacks

On previous versions of BIND (Berkeley internet name domain) the attackers were successfully poisoning the cache on DNS server and were looked up to a zone and they were not served by server.

Securing from this attack

Defending the root server - The database of root server is very small and it changes infrequently, and it's better to download the whole copy of root database and go for daily updates, and also be in charge with current reloads. Deploy and scale up root servers using 'anycast' address which allows multiple machines in different kind of locations as if it is a single server.

Defending your Organization- If organization is served with intranet then you should make sure to provide different and separate views of DNS to your internal users and external customers. This will make internal DNS isolate from being attacked by the external resources. Its best option to copy the root zone to insulate the organization from avoiding DDoS attacks in future.

Securing from DDoS attacks

The DDoS are combination with four types and they were Trinoo, TFN, TFN2K, stecheldraht.

Generally there are two approaches to defense or secure and they were

Preventive defense

Reactive defense

Preventive Defense

Its better to eliminate the DDoS attacks altogether found in system

Hosts always should be guarded against unwanted traffic from or towards the machine.

Maintain the protocols and software clean and up to date

Frequent scanning of machine to check whether any anomalous behavior

Computer and its applications were accessed to monitoring and also installing security patches, virus scanners , firewall systems, intrusion detection systems.

Sensors were held to monitor the traffic of the network and also send back the information to a server to find the 'health' of the network.

By protecting the computer not only reduces of being not only a victim but also zombie.

Always testing the system for drawbacks and failures and make sure to correct it.

Reactive Defense

Respond to attack immediately once you detect in machine

Try to restrict or reduce the impact of attack on victim

The main detection strategies are

Signature detection

- Searching for patterns in observed network traffic that there may be a chance to match known attack from a data

- The attacks were found out easily and reliably but it had no knowledge on detecting new attacks

Anomaly detection

-The parameters of observed network traffic and normal traffic should

be compared

- In this new attacks can be detected

Modern Techniques of Defending

Honey pots

Low interaction honey pots

Competing the services and operating systems

The implementation is safe and ease

The basic operating system should not be interacted by attacker and it could it happen with specific services.

High interaction honey pots

The honey pot is not a software to install in computer, it's kind of a whole architecture

It is a network that is created to be attacked

All activities regarding this were recorded and attackers will be trapped

A Honeywell is a gateway which allows incoming traffic and also controls outgoing traffic too by the technologies like intrusion prevention system


2) Intrusion detection system and intrusion prevention system.

Intrusion detection system

An IDS is a device (or application) that monitors network and/or system activities for malicious activities or policy violations and produces reports to a Management Station. It was the process that events will be monitored and occurring in a computer network and estimating for the possible signs which are kind of threats which violates standard security policies or computer security policies which were maintained.

There are two types in intrusion detection system and they were network based and host based IDS.

In a network based intrusion detection system the sensors were placed at choke points in a network which to be monitored frequently in demilitarized zone (DMZ). By this network traffic will be captured by sensor and estimates the content of individual packets for the malicious traffic.

In a Host based intrusion detection system, generally the sensor have a software agent and host will be covered and monitored on which it is installed including log system, file system and also kernel.

Intrusion Prevention system

An Intrusion prevention system (IPS) is a network security device that monitors network and/or system activities for malicious or unwanted behavior and can react, in real-time, to block or prevent those activities. For example when any kind malicious or attack detected then it will automatically drop some offending packets but allows other normal packets to pass. This technology can be considered as further extension of Intrusion detection technology.

Similarly to IDS this IPS has got two types and they were network based and Host based IPS.

In Host based IPS the Intrusion prevention application is attached and lied on particular IP address generally on one system. This HIPS supports traditional finger print based and heuristic anti virus detection methods and it does not require regular updates for a new malware.

In network based IPS the intrusion application/hardware and specific actions which were taken to avoid an intrusion on a particular network host with having another IP address on around network.

Differences between IDS and IPS

Intrusion detection system will detect the possible intrusions and it notifies to administrator where as Intrusion Prevention system will also detect the intrusions but it also take some charge against attacks like terminating the connection which is harmful.

The major difference is IDS is a kind of reactive security mechanism and whereas IPS is proactive security mechanism. IDS will go for attacks in case the system found any attack is going to occur but IDS will go for direct and scan to make sure whether any suspicious malicious code is occurring so that it can straight away it can terminate it before receiving any attack intended. IDS is somewhat easier to construct for example IDS won't allow and it will reject of any traffic network trying to access 'etc/password ' but in this case IPS is more effective comparative to IDS and example is, an IPS can test the traffic and find out whether it is harmful enough or not before it receives intended recipient.

In other ways to compare the IDS and IPS, an IDS device is passive when it comes to basic and used to watch packets of data to transverse its network from a monitoring port and comparing the traffic to certain designed rules and setup an intimation like alarm when it finds any suspicious code. This IDS can find out several types of traffic which are harmful which would slip out by a typical firewall and also include network traffic against services, unaccess logins which comes under Host based attacks and also malware like Trojans, worms and viruses. To detect threats most IDS use detection methods like signature based detection and anomaly based detection. The main complaint received with the numerous of false positives the technology is willing to spit out some unwanted traffic which is prevented connected as bad. The trick behind this is to tune to the device to maximum indeed in terms of accuracy in finding real threats while reducing false threats

Whereas in IPS it has all features which were good in IDS but unlike to IDS the IPS will go along with traffic flow on network and disconnecting the attempts which are intend to attack as they were sent over wire. It can simply disconnect the user session to stop the attack by blocking access to the target from user account. IP address and by blocking the access to target host. Moreover IPS can respond to detection in two ways like it can reconstruct the security control to block the attack such as a firewall or router and some IPS can remove the malicious contents of an attack to mitigate the packets, perhaps deleting an infected attachment from an email before forwarding the email to the user.

Future of IDS and IPS- At present IDS solutions are like stand alone corner solutions. The market for IDS is some how integrated in to gateway security solutions which contains VPN, firewalls and other security web applications. Unlike IDS technology, IPS is keen to generate as a standalone solution. Considering from the view of algorithm point and also from computer power perspective there is much scope to improve for IPS and we can expext they remain as a single point solution for long time enough.

Securing against digital attacks

Cisco intrusion prevention system will protect the whole network with higher range of deployment and also can provide holistic network wide security protection. In this network defense will estimates and make sure to avoid unknown threats to a network which also includes direct attack against the servers and clients. Cisco bonded with thousands of security policies like web security and email security appliances to deliver a threat protection.

Cisco IPS is only IPS with global correlation capabilities, risk rating and its only IPS backed up by security intelligence of Cisco.

Snort has been one of the leading technology currently In security industry. Considering its strong and honest open source community. It has been one of the widely deployed intrusion and prevention technology in world. It still produces the leading prevention and detection technologies. For Snort the source fire VRT rules will take in charge and lead the industry to protect the users comfortably. VRT rules are kind of vulnerability based vs exploit based which means even a single VRT rule will attack any kind of vulnerability whether it is known or unknown and which results zero false negatives and lesser false positives and also fewer frequent updates.

For Snorts its open source roots are biggest asset because of its source code and non proprietary and creative which occurs at accelerated pace with comparative to proprietary models. The success can accomplished due to broad community of experts which they configure, review, test and improve the code.

McAfee Intrushield network IPS - To protect network against vast range of threats and attacks the organizations should deploy next generation intrusion prevention. This McAfee Intrushield provides most accurate and scalable threat protection. This will ensure by assuring assure the availability and security of critical network infrastructure through proactive and comprehensive threat prevention. Its platforms which built with purpose will protect the endpoints proactively and network architecture from known, DoS, zero attacks and encrypted attacks and also threats like spyware.

Firstly this technology blocks attacks before reaching their desire targets by giving perfect accuracy and critical performance for network surroundings. This is construct in VoIP protection and web client protection which will maintain in cases of critical applications and securing necessary information by defending botnets, spyware and VoIP threats.

Proactively protects Web browsers and desktops from cyber-attacks, spyware, botnets, and other forms of malware. It prevents the download of unwanted programs, while protecting against unauthorized network access. Intrushield built-in Web-client protection complements McAfee's Perimeter and System Protection solutions by providing an additional layer of network protection



SQL injection is a code injection technique that exploits a security vulnerability occurring in a database layer of an application. The presence of vulnerability will there when user input is filtered incorrectly for string literal escape characters embedded in SQL statements.

Attacks exploited web applications

We will have a look the various attacks that were exploited this vulnerability to this web applications .There are generally four types of attacks and these were valid to database servers.

Authorization bypass (SQL manipulation)

From this technique the attacker will gain access to the privileges of the first user who is new in database. Mainly to bypass the log on screen the attacker will use this technique.

The SQL statement used for this technique is

SQL= "SELECT Username FROM Users WHERE Username= "&strInputUsername&"'AND Password = '"&strInputPassword&"'"

StrAuthorizationChk = ExecQuery(SQL);

If StrAuthorizationChk= "" then

BoolAuthnticated = False;


BoolAuthenticated = True;

End If

The above SQL statement with code shows will be used for authentication and this statement takes mainly two user input and they are strInput username and strInput password .This problem is try to find out the username which lies in user table which has got equal to strInputUserName and value in the Password column equal to strInputPassword. By executing the statement line 2 and in case if it founds any match the StrAuthorizationChk string will be having username on it.

Inputs should be modified or else a valid user will be authenticated and by giving input values

Login name: 'OR'

Password: 'OR'

By giving these values the SQL query will changes as below

SELECT Username from Users WHERE Username = "OR "=" AND Password =" OR "="

So by this it finds a username by showing' nothing' and it is equal password which shows 'nothing' so the attacker can login.

Exploiting Insert

Many sites like user registration and shopping carts will take inputs from user and storing all the details later they may display to other for some purpose. By this user info was stored in back end by using INSERT statement. Incase administrator monitors the content then it will found out.

Injecting Subselect -

Generally an insert statement looks like this: Insert in to table name values ('valuefour', 'valuefive', 'valuesix')

If only the above sample statement used by application

INSERT INTO TableName Values (' " & strvaluefour & " ' , ' " & strvaluefive & " ' )"

And from this the user input values are as follows

Name: ' + (SELECT TOP 1 Fieldname from TableName) + ' 


Phone: 6204732

Atlast the SQL statement will result as follows

NSERT INTO tableName values (' " ' + (SELECT TOP 1 Fieldname FROM tableName ) + ' ' , '' , '6204732')

Exploiting system stored procedures

The databases were used most to store procedures to perform many operation system database. If only SQL string is injected successfully by attacker then procedures were stored can be exploited. Mostly you not able to find anything output on screen though it executes a stored procedure which is in case of a normal SQL statement.


SomeAsp.asp?city=pune'; EXEC master.dbo.xp_cmdshell' cmd.exe dir c:

Sample stored procedure

Buffer overflow vulnerability

MS SQL server 2000 is the quick sample of vulnerability for this product. In one of the database console commands once a buffer overflow vulnerability was reported which ships with Microsoft SQL server 7.0 and this issue could exploit for the execution of arbitrary code with privileges of SQL server process.


Mass SQL Injection targets Chinese websites -

Websites were affected by Mass Injection in countries like china and Taiwan that has dangerous implanted Malware in large number of websites as reported by Security Company.

This could be happen by SQL injection where the attacker tries to exploit the custom web application vulnerabilities and in entry field he entered SQL code like Login. In case the attempt is successful the attacker can gain access to data on database by using the application and injection harmful malicious code into website. The attacker was known to be using Google search engine to find out which are the websites vulnerable to the attack and SQL injection attack engine that is tailored to attack Web sites using SQL Server

The vulnerabilities are MS06-014 (CVE-2006-0003), MS07-017 (CVE-2007-1765), RealPlayer IERPCtl.IERPCtl.1 (CVE-2007-5601), GLCHAT.GLChatCtrl.1 (CVE-2007-5722), MPS.StormPlayer.1 (CVE-2007-4816), QvodInsert.QvodCtrl.1, DPClient.Vod (CVE-2007-6144), BaiduBar.Tool.1 (CVE-2007-4105), VML Exploit (CVE-2006-4868) and PPStream (CVE-2007-4748).


ASCII Encoded/Binary String Automated SQL Injection Attack

Number of websites was still vulnerable to attacks like SQL injection as indicated in Google cache and also were told Researchers. It is not fair to review out poor written websites and letting out and eliminate vulnerabilities by code methods. Though the given website less vulnerable in case and by mistake if it missed any security hole then it would be enough to happen SQL injection attack.

In this the attack is conducted with an botnets and it attacks it prospects every day. Asprox is the attack of botnets which is behind the attack and it used before for phishing attacks and they were sending the malware that fit for vulnerable to SQL injection through websites.

These are the variants which been injected by command HTTP GET

';DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x44004500 ... 06F007200%20AS%20NVARCHAR(4000));EXEC(@S);--

;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x4445434C ... 736F7220%20AS%20VARCHAR(4000));EXEC(@S);--

';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C ... 72736F72%20AS%20CHAR(4000));EXEC(@S);


Attacked via a Column sort

The attack which received by the victim is from appending additional SQL to ORDER by clause. Once hitting on the column header on page then query string receives a column number. From this the strings were joined end to end to form a SQL statement.

The server side ASP code looks like

sort = Request.QueryString("s")

If Len(sort) Then

sSQL = sSQL & " ORDER BY " & sort


sSQL = sSQL & " ORDER BY C.Created DESC "

End If

The hacker found out name of the table as well as column name and thereafter it would be easy to hack together.



There were several ways to stop and defend against and they were


Coding securely is most effective to stop or defense to avoid SQL injection attacks and its not difficult to defense using these techniques. There are two effective techniques to keep the application resistant against SQL injection which is done by using prepared statements and input is filtered to SQL statement . There is also a chance to use both technique's together.

Secure coding with Perl-

Perl covered over something which favors as in case if only database support various placeholders then they were used and making sure the attacker supplies characters won't be shown in SELECT statement as SQL characters. Incase placeholders are not supported by database then Perl's library will straight away excel it by using DBI quote function so that making chance to escape any dangerous characters.

This is an example of Perl code which got vulnerable Perl piece

$query = $sql->prepare("select ssn from customers where name = '$name'");


Here is the possible situation for the attacker to inject meta characters in $name variable for changing the SQL statement. The code can be changed by using the prepared statements

$query = $sql->prepare("select ssn from customers where name = ?");


Secure coding with PHP

To frame quick applications may be PHP could be best and apart from that it's so fast and also easy that developers forget frequently to sanitize their input before database queries delivered. These vulnerabilities are in packaged application though they were in open source or commercial. By this its clear that for SQL injections the PHP applications are most vulnerable.


The detection on attack is possible whether its in air too by watching host, web server and network. If the attack is found out then it is necessary to take actions to defend against attack and can also track down the attacker.

Network IDS-

Traditional Network Intrusion Detection Systems (NIDSs) of pattern matching rules work from database called signatures. If they were more specific and comprehensive on pattern then detection works will be more reliable. Some classes were there in SQL injection attack for which it can found some particular signatures such as like Cacti input validation vulnerability (CVE 2005-2148). Due to this weakness an NIDS signature will detect the exploiting condition of this and it was matched to particular URL's and strings which are on way to web server.

Responding to IDS alerts-

An alert signaled from network IDS doesn't mean that application is compromised and the signatures were placed to detect the attacks. Once watching the alert its better to go for a check whether the attack is already succeeded or still to be succeed. To progress this further it necessary to check whether attack may succeed then after begin doing conducting incident response to conclude whether victim stepped back or attack is under progress.

Block Attacks

Traditional firewalls won't come under network devices which works in a simple manner and they will allow access to outbound they won't allow inbound. In past few years the firewalls originated which allow access to specific protocols, hosts on inside where as in outside the hosts were blocked. Host firewalls like Zone alarms and TCP wrappers are firewalls with software equivalent and moreover you to allow installing them on add on packages to the hosts you need to protect.

Application firewalls

These firewalls were basically designed to prevent attacks against the applications and there two kinds of firewalls in this which main function is to secure application and the two types are web application firewall and database firewall.