427 Botnet fm qxd

Figure 2.5 illustrates a SYN Flood attack. A SYN flood attacker sends just
the SYN messages without replying to the receiver’s response.The TCP speci-
fication requires the receiver to allocate a chunk of memory called a control
block and wait a certain length of time before giving up on the connection. If
the attacker sends thousands of SYN messages the receiver has to queue up
the messages in a connection table and wait the required time before clearing
them and releasing any associated memory. Once the buffer for storing these
SYN messages is full, the receiver may not be able to receive any more TCP
messages until the required waiting period allows the receiver to clear out
some of the SYNs. A SYN flood attack can cause the receiver to be unable to
accept any TCP type messages, which includes Web traffic, FTP,Telnet, SMTP,
and most network applications.
Figure 2.5
SYN Flood Example
Other DDoS attacks include:
■
UDP Flood
. In a UDP Flood attack, the attacker sends a large
number of small UDP packets, sometimes to random diagnostic ports
(chargen, echo, daytime, etc.), or possibly to other ports. Each packet
requires processing time, memory, and bandwidth. If the attacker
sends enough packets, then the victim’s computer is unable to receive
legitimate traffic.
www.syngress.com
48
Chapter 2 • Botnets Overview
SYN
SYN
SYN
SYN
SYN
SYNACK
SYNACK
SYNACK
SYNACK
Bot Client Spoofing
Computer B’s Address
Computer A
Computer B
Waiting for Response to SYNACK
Waiting for Response to SYNACK
Waiting for Response to SYNACK
Waiting for Response to SYNACK
Waiting for Response to SYNACK
Waiting for Response to SYNACK
Waiting for Response to SYNACK
427_Botnet_02.qxd 1/9/07 9:49 AM Page 48

■

Download 6,98 Mb.

Do'stlaringiz bilan baham: