WHAT IS A DENIAL OF SERVICE ATTACK?
Denial of service is about knocking off services without permission, for example by crashing the whole system.
This kind of attack is easy to launch and it is hard to protect a system against it. The basic problem is that Unix
assumes that users on the system or on other systems will be well behaved.
ARE SOME OPERATING SYSTEMS MORE SECURE?
A common statement regarding security is that Unix platforms are more secure than Windows, but you can't say that
one Unix is more secure against denial of service than another; it is all up to the administrator.
A comparison between Windows on one side and Unix on the other could however be interesting.
Unix systems are much more complex and have hundreds of built-in programs,
services... This always opens up many ways to crash the system from
In the normal Windows network there are few ways to crash
the system, although there are methods that always will work.
That gives us that no big difference between Microsoft and Unix can
be seen regarding inside attacks. But there are a couple of
- Unix has many more tools and programs to discover an
attack and to monitor the users. To watch what another user
is up to under Windows is very hard.
- The average Unix administrator probably also has much more
experience than the average Microsoft administrator.
The two last points give that Unix is more secure against inside
denial of service attacks.
A comparison between Microsoft and Unix regarding outside attacks
is much more difficult. However, I would like to say that the average
Microsoft system on the Internet is more secure against outside
attacks, because it normally has far fewer services.
SOME BASIC TARGETS FOR AN ATTACK
1) SWAP SPACE
Most systems have several hundred Mbytes of swap space to
service client requests. The swap space is typically used
for forked child processes which have a short lifetime.
The swap space will therefore almost never, in a normal
case, be used heavily. A denial of service could be based
on a method that tries to fill up the swap space.
2) BANDWIDTH
If the bandwidth usage is too high the network will be useless. Most
denial of service attacks influence the bandwidth in some way.
3) KERNEL TABLES
It is trivial to overflow the kernel tables, which will cause
serious problems on the system. Systems with write-through
caches and small write buffers are especially sensitive.
Kernel memory allocation is also a sensitive target.
The kernel has a kernelmap limit; if the system reaches this
limit it can not allocate more kernel memory and must be rebooted.
The kernel memory is not only used for RAM, CPUs, screens and so
on, it is also used for ordinary processes. Meaning that any system
can be crashed, and with a mean (or in some sense good) algorithm pretty
For Solaris 2.X the sar command measures and reports
how much kernel memory the system is using, but for SunOS 4.X there
is no such command, meaning that under SunOS 4.X you can't even
get a warning. If you do use Solaris you should run sar -k 1 to
get the information. netstat -k can also be used and shows how much
memory the kernel has allocated in the subpaging.
4) RAM
A denial of service attack that allocates a large amount of RAM
can cause a great deal of problems. NFS and mail servers are
actually extremely sensitive because they do not need much
RAM and therefore often don't have much RAM. An attack at
an NFS server is trivial. The normal NFS client will do a
great deal of caching, but an NFS client can be anything,
including a program you wrote yourself...
5) DISKS
A classic attack is to fill up the hard disk, but an attack at
the disks can be so much more. For example, an overloaded disk
can be misused in many ways.
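The swap, kernel table, RAM and disk targets above share one standard Unix countermeasure: per-process resource limits (setrlimit, the same mechanism behind the shell's ulimit), so that one runaway or hostile process hits its own cap instead of exhausting the machine. The following is an added example, not code from the original article; it applies one limit at a time in a forked child and reports how the child ended. The helper names, the 512 MB and 1 MB limits and the three checks are this example's own choices. The RLIMIT_NPROC check is informational only, since root is exempt from that limit.

```python
import os
import resource
import tempfile

# Added example (not from the original article): per-process resource limits
# as a defence against a single user filling swap, RAM, the disk or the
# process table.  Each check applies one limit in a forked child, so the parent
# (and the rest of the system) is never affected, and reports the outcome.

MB = 1024 * 1024


def _run_limited(limit, value, action):
    """Fork, apply `limit` in the child only, run action(), and return 'ok'
    or the name of the exception the limit provoked in the child."""
    rd, wr = os.pipe()
    pid = os.fork()
    if pid == 0:                        # child: limited, then exits
        os.close(rd)
        try:
            resource.setrlimit(limit, (value, value))
            action()
            os.write(wr, b"ok")
        except BaseException as exc:    # MemoryError, OSError, ...
            os.write(wr, type(exc).__name__.encode())
        finally:
            os._exit(0)
    os.close(wr)                        # parent: collect the verdict
    os.waitpid(pid, 0)
    with os.fdopen(rd, "rb") as pipe:
        return pipe.read().decode()


def memory_hog_is_contained(limit_mb=512, grab_mb=4096):
    """Swap/RAM target: cap the address space (RLIMIT_AS), then try to grab
    far more than the cap.  Expected verdict: 'MemoryError'."""
    def grab():
        blob = bytearray(grab_mb * MB)  # would spill into swap if permitted
        blob[-1] = 1                    # touch it so the pages are real
    return _run_limited(resource.RLIMIT_AS, limit_mb * MB, grab)


def disk_filler_is_contained(limit_mb=1, chunk_mb=1):
    """Disk target: cap the size of files a process may write (RLIMIT_FSIZE)
    and write past it.  Python ignores SIGXFSZ, so the kernel reports the
    refused write as OSError (EFBIG) rather than killing the child.
    Expected verdict: 'OSError'."""
    def fill():
        fd, path = tempfile.mkstemp()
        os.unlink(path)                 # anonymous scratch file, auto-cleaned
        chunk = b"\0" * (chunk_mb * MB)
        for _ in range(3):              # second write starts at the limit
            os.write(fd, chunk)
    return _run_limited(resource.RLIMIT_FSIZE, limit_mb * MB, fill)


def fork_bomb_is_contained(max_procs=1):
    """Process-table target: RLIMIT_NPROC caps the user's process count, so
    fork() fails with EAGAIN (BlockingIOError) instead of filling the table.
    Root is exempt from NPROC, so the verdict is 'ok' when run as root."""
    def spawn():
        pid = os.fork()
        if pid == 0:
            os._exit(0)
        os.waitpid(pid, 0)
    return _run_limited(resource.RLIMIT_NPROC, max_procs, spawn)


if __name__ == "__main__":
    print("RLIMIT_AS    :", memory_hog_is_contained())
    print("RLIMIT_FSIZE :", disk_filler_is_contained())
    print("RLIMIT_NPROC :", fork_bomb_is_contained())
```

The same limits can be set system-wide for login sessions (for example via the shell's ulimit in the login scripts or the platform's limits configuration), which is how an administrator keeps the article's "well behaved users" assumption from being the only line of defence.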
6) CACHES
A denial of service attack involving caches can be based on a method
to block the cache or to avoid the cache.
These caches are found on Solaris 2.X:
Directory name lookup cache: Associates the name of a file with a vnode.
Inode cache: Caches information read from disk in case it is needed again.
Rnode cache: Holds information about the NFS filesystem.
Buffer cache: Caches inode indirect blocks and cylinders to reduce disk I/O.
7) INETD
Well, once inetd crashes, all other services running through inetd
will no longer work.
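Because inetd is a single point of failure for every service it dispatches, the usual defence is to stop one flooded service from dragging the daemon down with it. BSD-derived inetd implementations do this with a per-service connection rate limit (the -R option): a service invoked more than the allowed number of times per minute is disabled for ten minutes and the event is logged. The following is an added example, not code from the original article or from any inetd implementation; it models that gate in Python so the behaviour can be exercised with constructed connection timestamps. The class name, the defaults of 256 per minute and 600 seconds, and the events in the demo are this example's own choices.

```python
from collections import deque

# Added example (not from the original article): an inetd-style per-service
# rate gate.  Too many connections within one minute switch the service off
# for a cooling-off period instead of letting it starve the dispatcher.


class ServiceGate:
    def __init__(self, max_per_minute=256, disable_seconds=600):
        self.max_per_minute = max_per_minute
        self.disable_seconds = disable_seconds
        self._recent = {}           # service -> deque of accept times (s)
        self._disabled_until = {}   # service -> time the service returns
        self.log = []               # what inetd would send to syslog

    def accept(self, service, now):
        """Return True if a connection to `service` at time `now` (seconds)
        may be served, False if the service is currently switched off."""
        until = self._disabled_until.get(service)
        if until is not None:
            if now < until:
                return False        # still in the cooling-off period
            del self._disabled_until[service]
            self._recent.pop(service, None)
            self.log.append(f"{now}: {service} re-enabled")
        window = self._recent.setdefault(service, deque())
        while window and now - window[0] >= 60:
            window.popleft()        # drop connections older than a minute
        window.append(now)
        if len(window) > self.max_per_minute:
            self._disabled_until[service] = now + self.disable_seconds
            window.clear()
            self.log.append(f"{now}: {service} exceeded "
                            f"{self.max_per_minute}/min, disabled for "
                            f"{self.disable_seconds}s")
            return False
        return True


def decisions(gate, events):
    """Run a list of (service, time) connection events through the gate and
    return the accept/refuse decision for each, in order."""
    return [gate.accept(service, when) for service, when in events]


if __name__ == "__main__":
    # Constructed demo: a burst on one service, a single request on another,
    # then a retry after the cooling-off period.
    gate = ServiceGate(max_per_minute=5, disable_seconds=600)
    events = [("finger", t) for t in range(6)] + [("telnet", 6), ("finger", 700)]
    for (service, when), ok in zip(events, decisions(gate, events)):
        print(f"{when:4d}s {service:7s} {'served' if ok else 'refused'}")
    print("\n".join(gate.log))
```

The window is per service, so a flood on one service never affects the others, and the decision is purely a function of the timestamps passed in, which makes the gate easy to test offline and to tune against real connection logs.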