system), ICMP echo-request floods, and ICMP-directed broadcasts (also known as smurf attacks) are similar to DDoS attacks; however, the scope of a DDoS attack is different. Victims of DDoS attacks experience packet flooding from many different sources, possibly spoofed IP source addresses, that bring network connectivity to a halt. In the past, the typical DoS attack involved a single attempt to flood a target host with packets. With DDoS tools, an attacker can conduct the same attack using thousands of systems. In Figure , the hacker uses a terminal to scan for systems to hack. After handler systems are accessed, the hacker installs software on these systems. This software attempts to scan for, compromise, and infect agent systems. When the agent systems are accessed, the hacker then loads remote control attack software to carry out the DDoS attack.
DoS and DDoS Attack Mitigation
When attacks involve specific network server applications, such as an HTTP server or an FTP server, the attacker focuses on acquiring and keeping open all the available connections that the server supports. This strategy effectively locks out valid users of the server or service. DoS attacks can also be implemented using common Internet protocols, such as TCP and ICMP. For example, the "Ping of Death" attack exploits limitations in the IP protocol. Most DoS attacks exploit a weakness in the overall architecture of the system rather than software bugs or security holes. Some attacks compromise the performance of your network by flooding the network with undesired and often useless network packets and by providing false information about the status of network resources. You can reduce the threat of DoS and DDoS attacks using the methods listed in Figure :
Web Links
Ping of Death
http://insecure.org/sploits/ping-o-death.html
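The connection-exhaustion attack described above (an attacker holding open all the connections a server supports, from many and possibly spoofed sources) is easiest to recognise from the server's own connection table. The following is an added example, not code from the original course material: it parses a constructed connection table in the style of `ss -tan` / `netstat -an` output and reports how much of a service's half-open (SYN-RECV) backlog is consumed. The sample rows, the port numbers and the backlog limit are assumptions made up for the illustration.

```python
from collections import Counter

# Constructed sample connection table (made-up rows for this example). The
# format mimics `ss -tan` output: state, local address:port, peer address:port.
SAMPLE_CONN_TABLE = """\
State      Local Address:Port   Peer Address:Port
SYN-RECV   15.1.1.10:80         203.0.113.5:40001
SYN-RECV   15.1.1.10:80         203.0.113.5:40002
SYN-RECV   15.1.1.10:80         198.51.100.7:51000
ESTAB      15.1.1.10:80         192.0.2.44:33222
SYN-RECV   15.1.1.10:80         203.0.113.9:40003
SYN-RECV   15.1.1.10:80         203.0.113.12:40004
ESTAB      15.1.1.10:22         192.0.2.44:33300
"""

# Connection states that occupy a backlog slot without a completed handshake.
HALF_OPEN_STATES = {"SYN-RECV", "SYN_RECV"}


def parse_conn_table(text):
    """Parse the table into (state, local_port, peer_ip) tuples, skipping the header."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:          # the header line splits into five words
            continue
        state, local, peer = parts
        local_port = int(local.rsplit(":", 1)[1])
        peer_ip = peer.rsplit(":", 1)[0]
        rows.append((state, local_port, peer_ip))
    return rows


def backlog_pressure(rows, port, backlog_limit, alert_fraction=0.8):
    """Summarise half-open connections for one local port.

    The aggregate count matters more than any single peer: a distributed or
    spoofed flood shows many distinct peers with only a few connections each,
    so a per-source threshold alone would never fire. `backlog_limit` is the
    assumed size of the listen backlog for the service.
    """
    half_open = [r for r in rows if r[1] == port and r[0] in HALF_OPEN_STATES]
    per_peer = Counter(peer for _, _, peer in half_open)
    total = len(half_open)
    return {
        "port": port,
        "half_open": total,
        "distinct_peers": len(per_peer),
        "top_peer": per_peer.most_common(1)[0] if per_peer else None,
        "fraction_used": total / backlog_limit,
        "alert": total >= alert_fraction * backlog_limit,
    }


if __name__ == "__main__":
    table = parse_conn_table(SAMPLE_CONN_TABLE)
    for port in (80, 22):
        print(backlog_pressure(table, port, backlog_limit=6))
```

In the constructed sample, port 80 has five half-open connections spread over four peers, so the backlog-consumption alert fires even though no single peer stands out; port 22 shows no pressure at all.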
5.2.8 IP Spoofing in DoS and DDoS
IP spoofing is a technique a hacker uses to gain unauthorized access to computers. In IP spoofing, the intruder sends messages to a computer with an IP address that indicates that the message is coming from a trusted host. To engage in IP spoofing, hackers must first use a variety of techniques to find an IP address of a trusted host and then modify the packet headers to appear as though packets are coming from that trusted host. In addition, the attacker can engage other unsuspecting hosts to also generate traffic that appears as though this traffic too is coming from the trusted host, thus flooding the network. Routers determine the best route between distant computers by examining the destination address. The originating address is ignored by routers. However, the destination machine uses the originating address when the machine responds back to the source. In a spoofing attack, the intruder sends messages to a computer indicating that the message has come from a trusted system. For example, an attacker outside your network pretends to be a trusted computer, either by using an IP address that is within the range of IP addresses for your network or by using an authorized external IP address that your network trusts and provides specified resource access to. To be successful, the intruder must first determine the IP address of a trusted system and then modify the packet headers so that the packets appear to be coming from the trusted system. The goal of the attack is to establish a connection that allows the attacker to gain root access to the host and to create a backdoor entry path into the target system. Normally, an IP spoofing attack is limited to the injection of data or commands into an existing stream of data that passes between a client and server application or a peer-to-peer network connection.
To enable bidirectional communication, the attacker must change all routing tables to point to the spoofed IP address. Another approach the attacker could take is to simply not worry about receiving any response from the applications. For example, if an attacker is attempting to get a system to mail a sensitive file, application responses are unimportant. If an attacker manages to change the routing tables to divert network packets to the spoofed IP address, the attacker can receive all network packets that are addressed to the spoofed address and reply just as any trusted user. Like packet sniffers, IP spoofing is not restricted to people who are external to the network. IP spoofing can also provide access to user accounts and passwords or be used in other ways. For example, an attacker can emulate one of your internal users in ways that prove embarrassing for your organization. The attacker could send e-mail messages to business partners that appear to have originated from someone within your organization. Such attacks are easier to accomplish when an attacker has a user account and password, but the attacks are also possible when attackers combine simple spoofing attacks with knowledge of messaging protocols. These points are summarized in Figure .
IP Spoofing Attack Mitigation
As shown in Figure , the threat of IP spoofing can be reduced, but not eliminated, using these measures:
Access Control Configuration
The most common method for preventing IP spoofing is to properly configure access control. To reduce the effectiveness of IP spoofing, configure the access control list (ACL) to deny any traffic from the external network that has a source address that should reside on the internal network. This configuration helps to prevent spoofing attacks only if the internal addresses are the only trusted addresses. If some external addresses are trusted, this method is not effective.
Encryption
Another possible way to prevent IP spoofing is to encrypt all network traffic to prevent source and destination hosts from being compromised.
RFC 3704 Filtering
You can prevent your network users from spoofing other networks (and be a good Internet citizen at the same time) by preventing any outbound traffic on your network that does not have a source address in the IP range of your organization. This filtering denies any traffic that does not have the source address that was expected on a particular interface. For example, if an ISP is providing a connection to the IP address 15.1.1.0/24, the ISP could filter traffic so that only traffic sourced from address 15.1.1.0/24 can enter the ISP router from that interface. Note that unless all ISPs implement this type of filtering, the effectiveness is significantly reduced.
Note
RFC 3704 covers ingress filtering for multihomed networks. It updates RFC 2827.
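The two filtering rules above, the inbound ACL that denies external traffic claiming an internal source address and the RFC 2827/3704-style rule that only lets traffic with the organization's own source addresses leave, are worked through below. This is an added example written for this page, not code or configuration from the original course material. It reuses the page's 15.1.1.0/24 prefix as the organization's address range; the interface names, the trusted external host and the sample packets are assumptions. The equivalent Cisco IOS ACL appears in a comment as an illustration of the configuration the text describes. The example also shows the limitation the text points out: a trusted address outside the internal range is not protected by this ACL.

```python
import ipaddress

# Organization's own address range (the prefix used in the page's ISP example).
ORG_PREFIX = ipaddress.ip_network("15.1.1.0/24")

# Assumed: an external host the organization has chosen to trust. The text
# notes that the ACL method cannot protect traffic attributed to such hosts.
TRUSTED_EXTERNAL = [ipaddress.ip_address("203.0.113.10")]

# Illustrative Cisco IOS equivalent of the external-interface rule (constructed
# for this example; interface name is an assumption):
#   ip access-list extended ANTI-SPOOF-IN
#    deny   ip 15.1.1.0 0.0.0.255 any
#    permit ip any any
#   interface GigabitEthernet0/0
#    ip access-group ANTI-SPOOF-IN in


def ingress_external(src_ip: str) -> tuple[bool, str]:
    """Rule for packets arriving on the external (ISP-facing) interface.

    A packet whose source claims to be inside ORG_PREFIX cannot legitimately
    arrive from outside, so it is dropped as spoofed.
    """
    src = ipaddress.ip_address(src_ip)
    if src in ORG_PREFIX:
        return False, "deny: internal source address arriving from outside"
    return True, "permit"


def egress_internal(src_ip: str) -> tuple[bool, str]:
    """RFC 2827/3704-style rule for packets entering from the internal LAN.

    Only packets sourced from the organization's own prefix may leave, which
    stops internal hosts from spoofing other networks' addresses.
    """
    src = ipaddress.ip_address(src_ip)
    if src in ORG_PREFIX:
        return True, "permit"
    return False, f"deny: {src} is not within {ORG_PREFIX}"


def unprotected_trusted_hosts() -> list[str]:
    """Trusted addresses the ACL cannot protect.

    The ACL only recognises forged *internal* addresses. A packet forging a
    trusted external address looks identical to genuine traffic from that
    host, which is exactly the limitation the text describes.
    """
    return [str(ip) for ip in TRUSTED_EXTERNAL if ip not in ORG_PREFIX]


def evaluate(packets):
    """Apply the rule matching each (interface, source) pair; returns a list of
    (interface, source, permitted, reason)."""
    results = []
    for iface, src in packets:
        rule = ingress_external if iface == "outside" else egress_internal
        permitted, reason = rule(src)
        results.append((iface, src, permitted, reason))
    return results


if __name__ == "__main__":
    # Constructed sample packets: two arriving from the ISP, two from the LAN.
    sample = [("outside", "15.1.1.7"), ("outside", "198.51.100.3"),
              ("inside", "15.1.1.20"), ("inside", "192.0.2.99")]
    for row in evaluate(sample):
        print(row)
    print("trusted but unprotected by the ACL:", unprotected_trusted_hosts())
```

Run stand-alone, the script drops the packet from outside that claims 15.1.1.7 and the LAN packet that claims 192.0.2.99, permits the other two, and lists 203.0.113.10 as a trusted host the ACL does nothing for.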