Which of the following usually happens in a malicious denial of service attack?

Network Security

Derrick Rountree, in Security for Microsoft Windows System Administrators, 2011

Denial-of-Service [DOS] Attacks

Denial-of-service [DOS] attacks attempt to prevent normal usage of a system or service. DOS attacks can take many forms. An attacker may send a malformed or bad request to a system, hoping that request will cause the system to crash. An attacker may also send a flood of valid requests to a system, hoping that the system cannot handle the volume of requests being sent. This volume may either cause the system to crash or just prevent the system from processing valid requests.

Oftentimes, in order to implement a successful denial-of-service attack, more than one system needs to perform the attack. This is especially the case when the attack is attempting to flood the device with requests. This is called a distributed denial-of-service attack [DDOS]. The perpetrator of a DOS attack will recruit other systems to help perform the attack. Oftentimes, these other systems will be part of a botnet. The DOS coordinator will install software or agents on the infected systems that will cause them to send the desired requests to the system under attack.
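
From the defender's side, the difference between a single-source flood and a distributed one shows up in how requests are spread across senders. The following sliding-window detector is an added example, not code from the book excerpt; the function names, thresholds and sample traffic are assumptions constructed for illustration.

```python
from collections import Counter, deque

def detect_floods(events, window=10.0, per_source_limit=20, total_limit=60):
    """Report state changes over (timestamp_seconds, source) events sorted by time.
    Returns (timestamp, state, distinct_sources) tuples; thresholds are illustrative.
    """
    recent = deque()      # events still inside the window
    counts = Counter()    # requests per source inside the window
    state, alerts = "normal", []
    for ts, src in events:
        recent.append((ts, src))
        counts[src] += 1
        # Evict everything that has aged out of the window.
        while recent[0][0] <= ts - window:
            _, old = recent.popleft()
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
        busiest = counts.most_common(1)[0][1]
        if busiest > per_source_limit:
            new_state = "single-source flood"   # one sender dominates (DOS)
        elif len(recent) > total_limit:
            new_state = "distributed flood"     # many modest senders (DDOS)
        else:
            new_state = "normal"
        if new_state != state:
            alerts.append((ts, new_state, len(counts)))
            state = new_state
    return alerts

def constructed_traffic():
    """Constructed sample data using documentation address ranges."""
    events = []
    # Baseline: three clients, one request each every two seconds.
    for t in range(0, 90, 2):
        events += [(float(t), f"198.51.100.{c}") for c in (1, 2, 3)]
    # Seconds 30-34: one source sends 10 requests per second.
    for t in range(30, 35):
        events += [(t + i / 10, "203.0.113.9") for i in range(10)]
    # Seconds 60-64: forty sources send 2 requests per second each.
    for t in range(60, 65):
        events += [(t + h, f"192.0.2.{b}") for b in range(1, 41) for h in (0.0, 0.5)]
    return sorted(events)

if __name__ == "__main__":
    for alert in detect_floods(constructed_traffic()):
        print(alert)
```

In the distributed phase no single sender exceeds the per-source limit, so a per-source rate limit alone would not trip; only the aggregate count does.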

URL: //www.sciencedirect.com/science/article/pii/B978159749594300003X

SAN Security

John McGowan, ... John McDonald, in Computer and Information Security Handbook [Third Edition], 2013

Denial-of-Service Attacks

DoS attacks are designed to deprive an organization of access to the SAN and the resources it contains. These types of attacks can take many forms, but they usually involve one of the following:

Saturating a component with so much traffic that it cannot perform its primary function of delivering data to hosts

Taking advantage of a known vulnerability and crashing a component in the SAN

Gaining access to the management interface and deleting LUNs to deprive the owner of access to the data

A new type of attack that has surfaced recently also fits into this category. An attacker gains access to the data, usually through a host, encrypts the data, and then demands payment to decrypt the data [that is, extortion]. The following are DoS attack countermeasures:

Partitioning the LAN on which the SAN component management interfaces sit can prevent an attacker from ever gaining access to those components to implement a DoS attack. This includes disabling those interfaces when they are not in use.

Defense-in-depth will force an attacker to defeat several security layers to launch the DoS attack, reducing the probability of success and increasing the probability of detection before the attack can be launched.

Deploying VSANs will prevent DoS traffic on one SAN from interfering with the others in the event of a successful attack.

Maintaining up-to-date protected replicas of all data can allow easy recovery in the event a DoS attack results in data being deleted or encrypted.

URL: //www.sciencedirect.com/science/article/pii/B9780128038437000612

Secure Communications in Smart Grid: Networking and Protocols

Kieran McLaughlin, ... Gavin McWilliams, in Smart Grid Security, 2015

5.3.1.1 Denial of Service [DoS]

DoS attacks are a set of technically different attacks that all result in a service being temporarily unavailable. The attacks usually involve exhaustion of a certain resource of a service or its underlying infrastructure, making it unreachable for the intended users. These resources might include memory, the number of processes available, or network bandwidth available. Once underway, the attacks are often very difficult to mitigate. Distributed Denial of Service [DDoS] attacks usually involve a large number of infected machines [bots] to generate load on the resource that is to be exhausted.

In their simplest form, DoS attacks target a specific system that needs to provide public access to provide its service but they are not limited to this case. DoS attacks can also be launched from within a network after an initial intrusion of a vulnerable node in the network. Furthermore, communication mediums can be targeted as well as protocol flaws or the nodes in the network.

URL: //www.sciencedirect.com/science/article/pii/B9780128021224000055

Wireless Sensor Network Security

Harsh Kupwade Patil, Thomas M. Chen, in Computer and Information Security Handbook [Third Edition], 2017

Denial of Service Attack

A DoS attack occurs when an attacker floods the victim with bogus or spoofed packets with the intent of lowering the response rate of the victim. An extension of a DoS attack is a distributed DoS [DDoS] attack, in which an attacker takes control of multiple nodes in the network, leading to a distributed flood attack against the victim. In the worst-case scenario, it makes the victim totally unresponsive. For instance, in a WSN environment where nodes have limited computational capacity, a DoS attack from a resource-abundant adversary can overwhelm the nodes by flooding packets, which will exhaust communication bandwidth, memory, and processing power. From an attacker’s point of view, this attack is also useful in wireless networks where nodes are required to deliver time-critical data. Jamming the wireless links can also lead to a DoS attack [discussed subsequently].

URL: //www.sciencedirect.com/science/article/pii/B9780128038437000181

Use of Timing to Enter an Area

Thomas Wilhelm, Jason Andress, in Ninja Hacking, 2011

Denial-of-Service Attacks against Logical IDS

Denial-of-service attacks against logical IDS are more in line with the classical DoS attack. In this case, we need to provide a sufficient number of events for the IDS to track, so that it can no longer account for all of the events that are taking place. In environments where wireless network access exists, or where they can be injected, this can be a very easy attack to mount, as it can potentially be performed remotely and can be used to cover up attacks that are taking place in the actual facility.

URL: //www.sciencedirect.com/science/article/pii/B9781597495882000081

DoS detection in WSNs

Quentin Monnet, Lynda Mokdad, in Modeling and Simulation of Computer Networks and Systems, 2015

1.2 Denial of Service in WSNs

Denial of Service [DoS] attacks indeed aim at reducing, or even annihilating, the network’s ability to achieve its ordinary tasks, or trying to prevent a legitimate agent from using a service [6]. Because of the limited resources of their nodes, WSNs tend to be rather vulnerable to DoS attacks. Concrete attacks include jamming the communications, monopolizing the channel [“greedy” attacks] or attempting sleep deprivation on “normal” sensors, for example. They are launched from the outside as well as from the inside of the network: a compromised sensor node can be used in order to send corrupted data at a high rate, either to twist the results or to drain the nodes’ energy faster. Attacks can target all layers of the network, although we mainly focus here on the Media Access Control [MAC] and routing layers. The problem we tackle is the development and analysis of detection mechanisms which are efficient both in terms of detection [i.e., they guarantee a high rate of detection of compromised nodes] and in terms of energy [i.e., they guarantee a balanced energy consumption throughout the network].

URL: //www.sciencedirect.com/science/article/pii/B9780128008874000286

Hacking Industrial Control Systems

Eric D. Knapp, Joel Thomas Langill, in Industrial Network Security [Second Edition], 2015

Denial-of-service attacks

Denial-of-service attacks occur when some malicious event attempts to make a resource unavailable. This is a very broad category of attacks, and can include anything from loss of communications with the device, to inhibiting or crashing particular services within the device [storage, input/output processing, continuous logic processing, etc.]. DoS attacks in traditional business systems do not typically result in significant negative consequences if resolved in a timely manner. Access to a web page may be slowed, or email delivery delayed until the problem is resolved. However, while there are rarely physical consequences associated with the interruption of services, a well-targeted DoS could bring very important systems off-line, and could even trigger a shutdown.

Automation systems are deployed to monitor or control a physical process. This process could be controlling the flow of crude oil in a pipeline, converting steam into electricity, or controlling ignition timing in an automobile engine. The inability of a controller such as an SIS to perform its action is commonly called “Loss of Control [LoC]” and typically results in the physical process being placed in a “safe” state—shutdown! This means that even simple disruptions of control functions can quickly translate into physical plant disturbances that can further lead to environmental releases, plant shutdowns, mechanical failure, or other catastrophic events. In the case of the HMI, it is not directly connected to the mechanical equipment; however, in many manufacturing industries, the inability of the HMI to perform its function can lead to “Loss of View [LoV],” which often requires the manufacturing process to be shut down if view of data cannot be restored in a timely manner. In the case of an automobile’s ignition control system, if the controller stops performing, the engine stops running!

A hacker typically does not boast of a DoS attack on an Internet-facing website [unless you are part of a hacktivist group], but because a DoS can result in LoV or LoC, a similar DoS attack on an ICS can lead to far greater consequences: an oil spill, a plant fire and explosion, or spoiled batches of products. Denial of service in industrial environments is much more than an inconvenience and can lead to significant consequences if not managed accordingly.

URL: //www.sciencedirect.com/science/article/pii/B9780124201149000071

Case Processing

David Watson, Andrew Jones, in Digital Forensics Processing and Procedures, 2013

9.2.4.1 Examples

DoS attacks can take many forms and some include, but are not limited to:

broadcasting on the same frequency as the wireless network and rendering it unusable;

establishing multiple login sessions so that legitimate users cannot access their systems;

generating multiple large files to use all disk space;

sending illegal requests to an application to crash it;

sending malformed TCP/IP packets to crash the system;

sending processor intensive requests to effectively fully use all CPU power;

using bandwidth by generating large volumes of traffic. This is not usually possible from a single attacking machine as corporate bandwidth precludes this so multiple attacking machines are used to create a distributed denial of service [DDoS] attack.

URL: //www.sciencedirect.com/science/article/pii/B9781597497428000091

Which of the following is a type of denial of service DoS attack?

There are two general methods of DoS attacks: flooding services or crashing services. Flood attacks occur when the system receives too much traffic for the server to buffer, causing it to slow down and eventually stop. Popular flood attacks include: Buffer overflow attacks – the most common DoS attack.

How does a denial

In a DDoS attack, cybercriminals take advantage of normal behavior that occurs between network devices and servers, often targeting the networking devices that establish a connection to the internet. Therefore, attackers focus on the edge network devices [e.g., routers, switches], rather than individual servers.

What is denial

Malicious DoS. For example, Black Friday sales, when thousands of users are clamouring for a bargain, often cause a denial of service. But they can also be malicious. In this case, an attacker purposefully tries to exhaust the site's resources, denying legitimate users access.

What is a denial

Denial-of-Service Attack. An action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units [CPU], memory, bandwidth, and disk space.