Denial of Service Attack

Denial of Service Attack is a form of attack conducted against a system or network that occurs when a malicious user consumes so many resources that none are left for others.

What is Denial of Service Attack (DoS attack)?

A form of attack conducted against a system or network that occurs when a malicious user consumes so many resources that none are left for others. The resources attacked might include processors, disk space, memory, modems, telephone lines, and so on.

A hacker might launch a denial of service attack using software that automates attempted access to shared resources on a network exposed through the Internet.

How it works

Denial of service attacks are often launched by hackers who want to bring down a Web server on the Internet. A common example of an attack is the SYN attack, a protocol-level attack that is intended to render the Web server's networking services unavailable.

SYN flooding is a type of attack in which Transmission Control Protocol (TCP) connection request packets (SYN packets) are sent in large numbers to a Web server. These packets use a false or «spoofed» source IP address to hide the attacker. SYN packets are used to place the TCP ports in the SYN_RECEIVED, or «half-open», state on the Web server and then do nothing with them until they time out.

If enough of these ports are half-opened, the server cannot service requests from normal clients until the unused ports expire. Unfortunately, it takes time for the half-opened ports to time out because, when a SYN packet is received, the server generates a SYN-ACK packet to acknowledge the request and then waits for a final ACK from the requester before fully opening the port for a communication session. (This is called a TCP three-way handshake.)

However, that final ACK is not received because the source address in the SYN packet was spoofed. The SYN-ACK packet is thus retransmitted several times at increasingly longer time intervals until, after a total time of 189 seconds (in the implementation of TCP/IP on Microsoft Windows platforms), the server finally gives up and closes the half-open port. For that time period, the requested port is unavailable to perform any other services.

TIP

If users try to connect to your Web server and receive error messages such as «The connection has been reset by the remote host», a SYN attack might be under way on your machine. (When the maximum number of TCP ports is in use [open or half-open] on a machine, the machine usually responds to any further connection attempts with a reset.)

To determine whether such an attack is in progress, type netstat -n -p tcp at the command prompt to see whether there are a large number of ports in the half-open SYN_RECEIVED state. If so, try using a network protocol analyzer such as Network Monitor to further examine the situation. You might need to contact your Internet service provider (ISP) to investigate the problem more closely.

If your server is under a heavy SYN attack, one fix you can try on Windows NT platforms running Microsoft Internet Information Server (IIS) is to decrease the default timeout for terminating half-open TCP connections. Open the TcpMaxConnectResponseRetransmissions parameter in the registry and set it to 3, 2, or even 1 to reduce the timeout to 45, 21, or 9 seconds, respectively.

However, if you set this parameter too low, legitimate connections might experience timeouts. Windows 2000 and Windows NT 4 Service Pack 3 have corrected this problem. A fix is available for Windows NT version 3.51 from Microsoft.
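As an added illustration (not part of the original entry), the following Python snippet counts SYN_RECEIVED entries in saved netstat -n -p tcp output and computes how long a half-open port lingers for a given TcpMaxConnectResponseRetransmissions value. The netstat sample and the alert threshold are constructed; the timeout model assumes each SYN-ACK retransmission doubles the previous 3-second wait, which reproduces the 9, 21, 45 and 189 second figures given above.

```python
import re
from collections import Counter

# Constructed sample of "netstat -n -p tcp" output (not captured from a real host).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    10.0.0.5:80            198.51.100.7:40211     ESTABLISHED
  TCP    10.0.0.5:80            203.0.113.9:1025       SYN_RECEIVED
  TCP    10.0.0.5:80            203.0.113.10:1026      SYN_RECEIVED
  TCP    10.0.0.5:80            203.0.113.11:1027      SYN_RECEIVED
  TCP    10.0.0.5:80            203.0.113.12:1028      SYN_RECEIVED
  TCP    10.0.0.5:443           198.51.100.8:50100     ESTABLISHED
  TCP    10.0.0.5:80            198.51.100.9:50111     TIME_WAIT
"""

# One netstat row: protocol, local address, foreign address, state.
LINE_RE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def tcp_state_counts(netstat_output):
    """Return a Counter of TCP connection states found in netstat text."""
    counts = Counter()
    for line in netstat_output.splitlines():
        match = LINE_RE.match(line)
        if match:
            counts[match.group(3)] += 1
    return counts


def syn_flood_suspected(netstat_output, threshold=100):
    """True when the number of half-open (SYN_RECEIVED) ports reaches the threshold.

    The threshold is an assumed value; tune it to the server's normal load.
    """
    return tcp_state_counts(netstat_output)["SYN_RECEIVED"] >= threshold


def half_open_timeout(retransmissions, initial=3):
    """Seconds a half-open port lingers for a given retransmission count.

    Assumed model: the server waits 3 s, then retransmits the SYN-ACK
    `retransmissions` times, doubling the wait each time (3, 6, 12, ...).
    """
    total, wait = 0, initial
    for _ in range(retransmissions + 1):
        total += wait
        wait *= 2
    return total
```

With the sample above, half_open_timeout(5) gives the 189 seconds quoted for the default, and half_open_timeout(1) gives 9.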
