Denial of Service

Objectives: Overview of DOS attacks and DDoS attacks, understanding the techniques of DoS/DDoS Attack Techniques, Understanding the Botnet Network, Understanding Various DoS and DDoS attack tools, DoS/DDoS countermeasures, Overview of DoS attack penetration testing

DoS/DDoS Concepts

  • Denial of Service (DoS) is an attack on a computer or network that reduces, restricts or prevents accessibility of system resource to its legitimate users

  • Attackers flood a victim system with non-legitimate service requests

  • DDoS attack involves a multitude of compromised systems attacking a single targeted system (botnet)

DoS/DDoS Attack Techniques

  • Basic categories of the attacks

    • Volumetric Attacks: consumes the bandwidth of the target network or service

    • Fragmentation: overwhelms target’s ability of reassembling fragmented packets

    • TCP state-exhaustion attack: consumes connection state table present such as load balancers ,firewalls, app servers

    • Application layer attack: consumes app resources or service making it unavailable to other legitimate users

    • SYN Attack

      • Attacker sends a large number of SYN request to target server

      • Target machine sends back a SYN ACK in response to the request waiting for the ACK to complete session

      • Attacker never sends ack

    • ICMP flood attack: type of DoS where perpetrators send a large number of ICMP packets causing the system to stop responding to legitimate TCP/IP requests

      • To protect yourself: set a threshold limit that invokes a ICMP protection feature

    • Peer to Peer Attack: attackers instruct clients of p2p file sharing hubs to disconnect for their p2p network and connect to victims fake website. Attackers can launch massive DoS attacks and compromise websites

    • Permanent Denial-of-Service Attack: Also known as phlashing, refers to attacks that cause irreversible damage to system hardware

      • Unlike other DoS attacks,, it sabotages the system hardware

    • Application-Level Flood Attack: Application-level flood attacks results in the loss of services

      • Using this attack , attackers exploit weaknesses in programming source code to prevent in the application from processing legitimate requests

    • Distributed Reflection Denial of Service (DRDoS)

      • Also known as a spoofed attack, involves the use of multiple intermediary and secondary machines that contribute to the actual DDoS attack against the target machine or application


  • Bots are software applications that run-automated tasks over the internet

  • A botnet is a huge network of compromised systems and can be used by an attacker to launch a DoS attack

  • Scanning Methods for Finding Vulnerable Machines: Random Scanning, Hit-list scanning, topological scanning, local subnet scanning, permutation scanning

  • DoS and DDoS attack tools

  • LOIC, GoldenEye


  • Techniques

    • Activity Profiling

      • Increases in activity levels, distinct clusters, average packet rate etc

    • Changepoint detection

      • Filters network traffic by IP addresses, targeted port numbers, stores traffic flow data in a graph that shows the traffic flow rate vs time

    • Wavelet-based signal analysis

      • Analyzes network traffic in terms of spectral components. Divides incoming signal into various frequencies for analyzation

  • DoS/DDoS countermeasure strategies

    • Absorbing the attack (requiring additional resources)

    • Degrading services (identify critical services and stop non-critical)

    • Shutting down the services

    • Deflect Attacks: Honeypots act as an enticement for an attacker. Serve as a means for gaining information about attackers, stores their activities

    • Ingress filtering: protects from flooding attacks. Enables originator be traced to its true source

    • Egress Filtering: scanning packet headers of IP address leaving a network. Ensures unauthorized or malicious traffic never leaves the internal network

    • Mitigate Attack: Load balancing, throttling

  • Post-Attack Forensics

    • Analyze traffic patterns for new filtering techniques, analyze router, firewall, and IDS logs , can update load-balancing and throttling countermeasures