Detecting a denial-of-service attack through packet analysis

A denial-of-service (DoS) attack is typically launched by cybercriminals to lock legitimate users out of the services or resources on a particular network. DoS attacks can cause severe downtime and monetary loss to businesses and organizations while their resources and services are inaccessible. Affected services may include email, websites, online accounts (e.g., banking), or any other service that relies on the affected computer or network. One common way to accomplish this is a SYN flood, in which the attacker sends fake TCP connection requests that are never completed.

In a SYN flood, the target server receives a SYN request packet that is immediately followed by a reset and acknowledgement packet, violating the normal TCP three-way handshake. This confuses the server as it tries to authenticate the requests, while at the same time the ports involved remain occupied and unavailable for further requests. The attack proceeds by saturating all open ports so that legitimate users are locked out, overwhelming the server until it either stops responding or crashes.

Network administrators can, however, detect a DoS in progress by monitoring and analysing packets, or by using an Intrusion Detection System (IDS) that identifies malicious traffic signatures by their deviation from normal behaviour and then prompts the filtering and blocking of bogus traffic before it disrupts the network. We can, for instance, use Wireshark, a common packet analyser, to detect a DoS attack through packet analysis as illustrated below.


Packet filter showing fabricated traffic

We can see two hosts, 10.1.0.2 and 10.1.0.1, creating an incomplete TCP connection while sending packets back and forth across the same source and destination ports, that is, port 2294 to port 1 and port 1 to port 2294. Looking at the request pattern, the synchronization packet [SYN] is followed by a reset and acknowledgement packet [RST, ACK] rather than the normal TCP handshake of [SYN], [SYN, ACK], and [ACK]. This attack signature is clear evidence of a denial-of-service attempt and calls for further action to protect network resources.
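As an added example (not part of the original post), the following Python script applies the signature described above to a constructed tshark-style packet listing: it tracks each client flow through the handshake, flags flows whose SYNs were answered only by [RST, ACK] and never by [SYN, ACK], and counts SYNs per source address as a simple rate check. The sample listing, its CSV layout and the SYN threshold are assumptions made for this example.

```python
from collections import defaultdict

# Constructed listing modelled on the capture described above (frame, src, dst,
# sport, dport, TCP flags); not real packet data. Frames 5-7 are a normal handshake.
SAMPLE = """\
1,10.1.0.2,10.1.0.1,2294,1,SYN
2,10.1.0.1,10.1.0.2,1,2294,RST ACK
3,10.1.0.2,10.1.0.1,2294,1,SYN
4,10.1.0.1,10.1.0.2,1,2294,RST ACK
5,192.168.1.5,10.1.0.1,40001,80,SYN
6,10.1.0.1,192.168.1.5,80,40001,SYN ACK
7,192.168.1.5,10.1.0.1,40001,80,ACK
"""

def parse(text):
    """Turn one CSV packet line per row into (frame, src, dst, sport, dport, flagset)."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            frame, src, dst, sport, dport, flags = line.split(",")
            rows.append((int(frame), src, dst, int(sport), int(dport), set(flags.split())))
    return rows

def analyse(rows, syn_threshold=2):
    """Return (flagged, noisy): client flows whose SYNs drew RST/ACK but never
    SYN/ACK, and source addresses that sent at least syn_threshold SYNs."""
    state = {}                      # (client, cport, server, sport) -> counters
    syn_counts = defaultdict(int)
    for _, src, dst, sport, dport, flags in rows:
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags == {"SYN"}:        # handshake start, client -> server
            st = state.setdefault(fwd, {"syn": 0, "synack": 0, "rstack": 0})
            st["syn"] += 1
            syn_counts[src] += 1
        elif rev in state:          # server's reply to a tracked client flow
            if {"SYN", "ACK"} <= flags:
                state[rev]["synack"] += 1
            elif {"RST", "ACK"} <= flags:
                state[rev]["rstack"] += 1
    flagged = {k: v for k, v in state.items() if v["rstack"] and not v["synack"]}
    noisy = {ip: n for ip, n in syn_counts.items() if n >= syn_threshold}
    return flagged, noisy

if __name__ == "__main__":
    flagged, noisy = analyse(parse(SAMPLE))
    for (client, cport, server, sport), st in flagged.items():
        print(f"{client}:{cport} -> {server}:{sport}: {st['syn']} SYN, {st['rstack']} RST/ACK, no SYN/ACK")
    print("sources over SYN threshold:", noisy)
```

In Wireshark itself the two legs of this pattern correspond to display filters such as `tcp.flags.syn == 1 && tcp.flags.ack == 0` for bare SYNs and `tcp.flags.reset == 1 && tcp.flags.ack == 1` for the RST/ACK replies, which is how the listing above would be isolated by hand.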

Which steps can you take to combat DoS attacks?

  • Employ an Intrusion Detection System (IDS) that detects and redirects abnormal traffic away from your network. Upon detection the IDS can identify the source of the bogus traffic and drop the fabricated packets.
  • Configure a firewall to monitor and restrict traffic flowing into and out of the network. Firewalls and routers can fortunately reject bogus traffic but should be up to date with the latest security patches.

It has also been observed over time that people are the weakest link in enforcing network security. In that respect, Summit Consulting Ltd brings you a Cyber Security Awareness Training course at your premises, raising awareness of the various forms of cybercrime and attack schemes that could be executed against your network, alongside the defensive measures.

Join Summit Consulting Ltd, in partnership with IFIS, at our annual cyber-security awareness and risk management conference, scheduled to take place from the 16th – 18th October 2019. You need to be sensitized to all forms of fraudulent practices that can leave your company insecure, and to the recommended remedies against those practices.

 
