DoS attack is a malicious attempt by a single person or a group of people to cause the victim, site, or node to deny service to its customers. When this attempt derives from a single host of the network, it constitutes a DoS attack. Meaning, when one computer and one internet connection is used to flood a server with packets, with the aim of overloading the targeted server’s bandwidth and resources, it is defined as DoS attack. Read here for mitigation techniques: http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_7-4/dos_attacks.html
It is also possible that a lot of malicious hosts coordinate to flood the victim with an abundance of attack packets, so that the attack takes place simultaneously from multiple points. This type of attack is called a Distributed DoS. DDoS attack, uses many devices and multiple Internet connections, often distributed globally into what is referred to as a botnet. A DDoS attack is, therefore, much harder to deflect, simply because there is no single attacker to defend from, as the targeted resource will be flooded with requests from many hundreds and thousands of multiple sources. Read here for mitigation techniques:
In a typical MAC flooding attack, a switch is fed many ethernet frames, each containing different source MAC addresses, by the attacker. The intention is to consume the limited memory set aside in the switch to store the MAC address table.
Read here for mitigation techniques: http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/white_paper_c11_603836.html
A land attack is a remote denial-of-service (DOS) attack caused by sending a packet to a machine with the source host/port the same as the destination host/port. Read here for mitigation techniques:https://supportforums.cisco.com/docs/DOC-14318
Triggers when a IP datagram is received with the protocol field of the IP header set to 1(ICMP), the Last Fragment bit is set, and (IP offset * 8) + (IP data length) > 65535 that is to say, the IP offset (which represents the starting position of this fragment in the original packet, and which is in 8 byte units) plus the rest of the packet is greater than the maximum size for an IP packet.
A ping sweep consists of Internet Control Message Protocol (ICMP) Echo requests sent to multiple hosts, this is done to determine which machines are alive and which ones aren’t. Simply block ICMP request messages IN on the OUTSIDE interface of the firewall.
A DoS attack occurs when a stream of ICMP echo requests (pings) are broadcast to a destination subnet. The source addresses of these requests are falsified to be the source address of the target. For each request sent by the attacker, many hosts on the subnet will respond flooding the target and wasting bandwidth. The most common DoS attack is called a “smurf” attack, named after an executable program and is in the category of network-level attacks against hosts. DoS attacks can be easily detected when error-message logging of the ICMP Unreachable Destination Counters feature is enabled. Read here for mitigation techniques and other configuration: http://www.cisco.com/en/US/docs/ios/12_4t/12_4t2/hticmpun.pdf
Flood with spoofed source addresses, ports and FIN or RST flag on. If the attacker guesses the sequence numbers, port combinations and source address of an existing flow this flow will be terminated. Since there is low probability for a successful guess, the attacker's goal is likely to overwhelm network or end host with excess packets and the flag is just there to bypass security systems that may block other packet types.
Sends PING request to a broadcast address, machines reply to the spoofed victim's address in the request. Read here for mitigation techniques: http://www.cisco.com/en/US/tech/tk59/technologies_white_paper09186a0080174a5b.shtml
Fraggle attack UDP variant of Smurf attack.Spoofed UDP packets are sent to broadcast addresses to port 7 (echo port), replies go to the victim's address.
If attackers rapidly send SYN segments without spoofing their IP source address, we call this a direct attack. This method of attack is very easy to perform because it does not involve directly injecting or spoofing packets below the user level of the attacker's operating system. It can be performed by simply using many TCP connect() calls, for instance. To be effective, however, attackers must prevent their operating system from responding to the SYN-ACKs in any way, because any ACKs, RSTs, or Internet Control Message Protocol (ICMP) messages will allow the listener to move the TCB out of SYN-RECEIVED. This scenario can be accomplished through firewall rules that either filter outgoing packets to the listener (allowing only SYNs out), or filter incoming packets so that any SYN-ACKs are discarded before reaching the local TCP processing code.
When detected, this type of attack is very easy to defend against, because a simple firewall rule to block packets with the attacker's source IP address is all that is needed. This defense behavior can be automated, and such functions are available in off-the-shelf reactive firewalls.
Read here for mitigation techniques:
Another form of SYN flooding attacks uses IP address spoofing, which might be considered more complex than the method used in a direct attack, in that instead of merely manipulating local firewall rules, the attacker also needs to be able to form and inject raw IP packets with valid IP and TCP headers. Today, popular libraries exist to aid with raw packet formation and injection, so attacks based on spoofing are actually fairly easy.
For spoofing attacks, a primary consideration is address selection. If the attack is to succeed, the machines at the spoofed source addresses must not respond to the SYN-ACKs that are sent to them in any way. A very simple attacker might spoof only a single source address that it knows will not respond to the SYN-ACKs, either because no machine physically exists at the address presently, or because of some other property of the address or network configuration. Another option is to spoof many different source addresses, under the assumption that some percentage of the spoofed addresses will be unrespondent to the SYN-ACKs. This option is accomplished either by cycling through a list of source addresses that are known to be desirable for the purpose, or by generating addresses inside a subnet with similar properties.
If only a single source address is repetitively spoofed, this address is easy for the listener to detect and filter. In most cases a larger list of source addresses is used to make defense more difficult. In this case, the best defense is to block the spoofed packets as close to their source as possible.
Read here for mitigation techniques: http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_9-4/syn_flooding_attacks.html