The big challenge to attacks is that once we discover an attack, it's usually repaired or prevented or mitigated in some fashion fairly quickly. But there is one big exception that probably the biggest attack problem we have today. And that is a denial of service attack. A denial of service attack is designed to do one thing to deny service. Imagine that you've got some type of server out there could be a web server, an email server, DNS server, I don't care what it is. The whole idea behind a denial of service attack is that you have so many people coming in to talk to that server that it can't take care of anybody else.
So imagine you've got a little store and you've got a whole bunch of people trying to push in the front door. That is a denial of service attack. Now there are lots and lots of denial of service attacks out there. They've been around for close to 20 years, but I like to break them down into three big groups. The first one I'm going to call a volume attack. A volume attack is we're not really Doing anything evil in terms of how we're talking to the server, we're just doing a lot of talking so the server can't help anybody else.
The next type of denial of service attack is a protocol attack. A protocol attack does something with the underlying protocol, the web HTTP protocol or a DNS protocol. If you're talking to a DNS server that does something not normally accepted to the protocol that causes the server to do weird things, and keep it from answering quickly. The third type is what we call an application attack. An application attack works within the application conversation itself, doing naughty things that keeps the application that that server is running from being able to respond in a timely fashion. So let's go ahead and start off with the granddaddy of all a good old volumetric attack.
So here's my little network. I've got one server on this network and other computers doing something. Now one example of a volumetric attack would be a ping flood. In essence, one or more of the machines starts sending pings to the server. Now the trick is, is they just keep sending pings, and they don't wait for a response. And that can overwhelm the server.
Another example could be a UDP flood. In this case, the attacking machine is sending out all kinds of strange UDP requests to all kinds of different ports on the server. So the server has to deal with all of these incoming requests, and it has to respond back and that can overwhelm the machine. Now, the volumetric attacks I just showed you are pretty much easily negated today. For one thing, we're not going to let people from the outside try to fake these types of attacks. routers are by definition designed to stop that type of stuff.
However, we can still see as we get a little bit more into this episode, where we could still do volumetric attacks, although we make them a little bit smarter than this. Okay, so that's a volumetric attack. Remember, a volumetric attack doesn't really do anything wrong. It just does a lot of it. We're going to change that. Now.
With what's known as a protocol attack. So here we have our little server doing its server thing, it could be a web server DNS server again, I don't care. Now, a protocol attack is going to do naughty things to the protocol to create confusion. So in this particular example, we're going to create what's known as a SYN flood or a TCP SYN attack. Now, in this particular case, what we're talking about within a TCP IP conversation is that the client will send a SYN and then the server sends back a SYN ack, and this initiates conversation within TCP IP. However, what we're going to do with this case is we're going to have the client send out a sin after sin after sin keep trying to make all these connections.
Each one of these creates an extra connection to the server itself. And the client never responds, no matter how many sin acts are sent back in response, this can clog the system up beautifully. protocol attacks are still a huge problem out there when it comes to denial of service and they are Usually the most common form of denial of service attack out there. But there is another thing we can do. What we can also do is take advantage of problems within applications themselves. And let's go ahead and do an example of an application attack.
Okay. In this situation, I've got an old copy of the very, very popular Apache web server. And we're going to take advantage of something within the application to do something naughty. And in this case, we're going to do what's known as a Slow Loris attack. The Slow Loris is named because Loris is a slow animal, and it just does things really slow. So what it's going to do is the client is going to initiate a conversation with the Apache web server, and it'll get the conversation going, but then it just stops talking.
And the poor Apache web server is sitting there waiting for a response. In the meantime, the attacker is sending out more conversations and just not talking back. And as a result of that, the poor Apache server simply gets overwhelmed Waiting for these clients to talk, which never do. Now this is fairly easy to fix. And later versions of Apache simply lower their timeout value. And Slow Loris is not nearly as big of a problem as it used to be.
Now you can get in a lot more detail than simply the big three that I've broken down. For example, one great thing we can do is what's known as amplification. Let me show you that in action. So here's my little web server again. Now in this case, what we're going to do is what we call a smurf attack. A Smurf attack is a great example of an amplification attack because it simply does this.
We send in an ICMP packet into the network now, what we do is that the attacker spoofs the website's IP address, so it sends out a broadcast into the network, and then everybody in the network starts responding back except they're responding back to the target. And that would be a great example where one packet being sent into a network can generate lots and lots of packets. And that's amplification. Now of all the examples of denial of service I've shown you so far, we basically only have one attacker. Now, think about this for a minute, How hard would it be if we got a bunch of computers to work together to all attack one client. And that's really the big problem today, distributed denial of service attacks, let's take a look at DDoS.
So here's that poor little server one more time. Now this time, what we're going to do is we're going to attack that server, but not with just one individual computer someplace. What we can do is add a bunch of computers to it, and each one of these will start attacking. Now the problem here is that how do you do this? Well, you could call your buddies up. And you could all basically say go and start attacking simultaneously.
But usually what we will do instead is we will create a form of malware that generates what we call a botnet. now in this situation, all of these computers over here on the left have some form of malware on them. And they're controlled by a single computer somewhere else. So these individual computers are called zombies. And collectively, all of these computers under the control of a single system are known as a botnet. distributed denial of service attacks are the nightmare of the internet these days.
To give you an idea of just how bad DDoS attacks are, there are a number of websites from security companies that provide real time tracking of attacks as they're taking place. And I just happen to have one of my favorites up right now. This is from Norse Corp. And you can actually see it has this pretty graphics showing who's attacking who right now. And you can see the attack origins, you can see the types of attacks, you can see who they're going after. And then you can actually see what's taking place in terms of the attack. For example, you can see attack type and the port numbers that are actually being attacked.
In real time right now, DDoS is a huge issue today. And it's something we've always got to watch out for. Make sure you're comfortable with the basic types of denial of service attacks because you're going to see it on the exam.