A General Overview of:
Router Denial Of Service Attacks
(in plain English)
06-22-97

The most common attack is what is commonly called a "flood": a rapid
transmission of packets with the sole purpose of denying service to the
target router. The most common port to attack on the target router is
port 7 (echo port) due to its greater need for system resources. The
typically "desired" effect when attacking a router in this manner is to
flood port 7, overloading the router's internal processor with the
processing of these packets until its resources are too limited to
continue its intended purpose of routing legitimate network traffic.
Variations on this method include attacking other ports on the target
router in an attempt to elicit the same effect, and attacking in the same
manner with "spoofed" source IP addresses (either constant or random). The
most common protocols used for this type of attack are UDP, TCP (SYN), and
ICMP. As in any other Denial of Service attack of this nature, bandwidth is
a major concern.

Example:

    Target Router = T1, echo port open.
 Attacking System = 28.8bps, UDP flood to port 7 of target router.
          Results = After approximately 15 minutes of this attack the
                    target router's available resources have dropped to
                    under 20% causing the router to "lock up" or refuse to
                    process any network traffic, legitimate or not,
                    requiring the router to be manually rebooted.

(traceroute to your target, typically second or third to last hop
 will be a router. telnet to it (port 7), if open, it is most likely
 vulnerable to this form of attack)

If the target router in this example had been properly configured and had
only a minimal number of necessary ports open (ie: telnet/23 admin/xx), the
required amount of bandwidth from the attacking system would be equivalent
to that of a T3 or greater to produce the same effects. Also helpful in
preventing these types of attacks is the addition of a redundant
backup router. In the event the first router has been rendered useless, the
backup router takes its place and continues the routing of legitimate
network traffic. Also helpful but not very common is the placement of a
"filter" at the router upstream of the target router to prevent certain
unwanted "patterns" of packets from proceeding to the target in question.
This is not a widely used method of preventing such attacks due to its lack
of intelligence in identifying the difference between legitimate network
traffic and unwanted traffic.
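
Added example (not part of the original text): the Python below shows why a
filter that counts packets per source address misjudges traffic once the
sources are spoofed at random, and how counting per destination port still
exposes a flood to port 7. The log format, addresses and thresholds are
constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records (not real traffic): "epoch_second proto src dst dport"
def make_sample():
    lines = []
    # Flood: 300 UDP packets to the router's echo port within one second,
    # each carrying a different (random-looking, spoofed) source address.
    for i in range(300):
        lines.append(f"100 udp 10.{i // 250}.{i % 250}.9 192.0.2.1 7")
    # Legitimate: one host sending 40 packets in the same second to port 53.
    for _ in range(40):
        lines.append("100 udp 198.51.100.5 192.0.2.53 53")
    return lines

def parse(line):
    ts, proto, src, dst, dport = line.split()
    return int(ts), proto, src, dst, int(dport)

def per_source_alerts(lines, threshold):
    """Naive filter: packets per (second, source). Random spoofing evades it."""
    counts = defaultdict(int)
    for line in lines:
        ts, _, src, _, _ = parse(line)
        counts[(ts, src)] += 1
    return sorted(k for k, n in counts.items() if n >= threshold)

def per_target_alerts(lines, threshold):
    """Packets per (second, proto, dst, dport), ignoring the source field.
    Returns {key: (packet_count, distinct_source_count)}."""
    counts = defaultdict(int)
    sources = defaultdict(set)
    for line in lines:
        ts, proto, src, dst, dport = parse(line)
        key = (ts, proto, dst, dport)
        counts[key] += 1
        sources[key].add(src)
    return {k: (n, len(sources[k])) for k, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    sample = make_sample()
    print("per-source:", per_source_alerts(sample, threshold=30))
    print("per-target:", per_target_alerts(sample, threshold=100))
```

With a per-source threshold low enough to fire at all, the only alert is for
the legitimate host; the per-target count flags the port 7 flood and shows
that every packet came from a distinct source address.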

Other types of DoS attacks typically attempt to "trick" the target router
into thinking the upstream router no longer exists. Most commonly this is
accomplished by sending ICMP Unreachable packets with a spoofed source
address of the upstream router. When the target router receives these
packets, it attempts to verify that the upstream router is in fact no longer
there. During this process, if the target router has been flooded enough to
prevent reaching the upstream router, it will cease to process all network
traffic.

                                                    -zens