
Apache Security - Ivan Ristic [61]

to mind. He may decide he does not like you personally and choose to make your life more troubled. (This is what happened to Steve Gibson, of http://www.grc.com fame, when a 13-year-old felt offended by the "script kiddies" term he used.)

Controversial content

Some may choose to attack you because they do not agree with the content you are providing. Many people believe disrupting your operation is acceptable in a fight for their cause. Controversial subjects such as the right to choose, globalization, and politics are likely to attract their attention and likely to cause them to act.

Unfair competition

In a fiercely competitive market, you may end up against competitors who will do anything to win. They may constantly do small things that slow you down or go as far as to pay someone to attack your resources.

Controversy over a site you host

If your job is to host other sites, the chances of being attacked via a DoS attack increase significantly. With many web sites hosted on your servers, chances are good that someone will find one of the sites offensive.

Extortion

Many extortion attempts have been reported in the past. Companies whose revenue depends on their web presence are especially vulnerable. Only the wealthiest of companies can afford to pay for infrastructure that would resist well-organized DoS attacks. Only the cases where companies refused to pay are publicly known; we do not know how many companies accepted blackmail terms.

* * *

The Alan Ralsky DoS


In November 2002, Alan Ralsky, a well-known bulk-email operator, gave an interview describing what he does and how he makes money sending bulk email. The interview received wide publicity, reaching most technology-oriented web sites and, eventually, the very popular Slashdot technology news site. In the interview, Alan disclosed the purchase of a new home, and soon the address of the home found its way into a Slashdot comment.

In apparent retribution by the readers, Alan Ralsky was subscribed to hundreds of snail-mail mailing lists for ads, catalogues, and magazines. The subscriptions caused huge quantities of mail to arrive on his doorstep every day, effectively preventing Ralsky from using the address to receive the mail he wanted. Here is a list of articles that describe the situation:

"Spam king lives large off others' email troubles" (Detroit Free Press) by Mike Wendland (http://www.freep.com/money/tech/mwend22_20021122.htm)

"Another Millionaire Spammer Story" (http://slashdot.org/article.pl?sid=02/11/22/1658256&tid=111)

"DOS Attack Via US Postal Service" (http://slashdot.org/article.pl?sid=03/04/15/2027225&tid=172)

* * *

DoS attacks can be broadly divided into five categories:

Network attacks

Self-inflicted attacks

Traffic spikes

Attacks on Apache (or other services in general—e.g., FTP)

Local attacks

These types of attacks are described in the rest of this chapter.

Network Attacks

Network attacks are the most popular type of attack because they are easy to execute (automated tools are available) and difficult to defend against. Since these attacks are not specific to Apache, they fall outside the scope of this book and thus they are not covered in detail in the following sections. As a rule of thumb, only your upstream provider can defend you from attacks performed on the network level. At the very least you will want your provider to cut off the attacks at their routers so you do not have to pay for the bandwidth incurred by the attacks.

Malformed Traffic

The simplest network attacks target weaknesses in implementations of the TCP/IP protocol. Some implementations are not good at handling error conditions and cause systems to crash or freeze. Some examples of this type of attack are:

Sending very large Internet Control Message Protocol (ICMP) packets. This type of attack, known as the Ping of death, caused crashes on some older Windows systems.

Setting invalid flags on TCP/IP packets.

Setting the destination and the source IP addresses of a TCP packet to the address of the attack target
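The three patterns listed above can be recognized from the packet headers alone. The following detection routine is an added example, not code from the book: the names `classify`, `sample` and `tcp_header` are hypothetical, the specific flag combinations treated as invalid are an assumption (the text names none), and the sample packets are constructed in the test using documentation addresses.

```python
import socket
import struct

MAX_DATAGRAM = 65535  # upper bound imposed by the 16-bit IPv4 total-length field
FIN, SYN, RST = 0x01, 0x02, 0x04
# Assumed examples of "invalid flags"; the text does not name specific combinations.
BAD_FLAG_SETS = {"SYN+FIN": SYN | FIN, "SYN+RST": SYN | RST}

def classify(packet: bytes) -> list:
    """Return malformed-traffic findings for one raw IPv4 packet (empty if none)."""
    if len(packet) < 20:
        return ["truncated IPv4 header"]
    ver_ihl, _, total_len, _, frag, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl:
        return ["invalid IPv4 header"]
    findings = []
    offset = (frag & 0x1FFF) * 8  # fragment offset is counted in 8-byte units
    # Ping of death: this fragment would push the reassembled datagram past 65,535 bytes.
    if proto == socket.IPPROTO_ICMP and offset + total_len > MAX_DATAGRAM:
        findings.append("oversized ICMP datagram")
    if proto == socket.IPPROTO_TCP:
        # Source and destination address identical: the third pattern in the list.
        if src == dst:
            findings.append("source equals destination")
        tcp = packet[ihl:ihl + 20]
        if offset == 0 and len(tcp) == 20:  # flags are in the first fragment only
            flags = tcp[13] & 0x3F
            if flags == 0:
                findings.append("invalid TCP flags: none set")
            for name, mask in BAD_FLAG_SETS.items():
                if (flags & mask) == mask:
                    findings.append("invalid TCP flags: " + name)
    return findings

def sample(proto, src, dst, payload, frag_units=0):
    """Build a constructed IPv4 packet for offline testing (checksum left at zero)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, frag_units,
                         64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload

def tcp_header(flags):
    """Constructed 20-byte TCP header carrying the given flag byte."""
    return struct.pack("!HHLLBBHHH", 40000, 80, 0, 0, 5 << 4, flags, 8192, 0, 0)
```

The routine inspects one packet at a time and does not verify checksums or track fragments across packets, so it complements rather than replaces filtering at the upstream provider.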
