Learn everything about (Distributed) Denial of Service Attacks (aka DoS or DDoS attacks), how they work, how dangerous they are and how to prevent them.

1. Denial of Service Attack: Definition
Denial of Service: Definition
Denial of Service (commonly referred to as DoS ­ not to confuse with MS­DOS) describes a
situation where an application or service is not reachable for its intended audience anymore, ie.
it “denies service”.
So the definition of Denial of Service is simply that a service or application that’s usually
reachable is not reachable ­ likely because of an attack and not a simple bug ­ we’ll go into
more detail about this later on.
What Is Denial of Service?
We already discussed the definition of Denial of Service above. Let’s continue with why and
how an online service would experience a DoS.
The reason of a Denial of Service can simply be a random malfunction of the service or
application or a malfunction triggered by an exploit. For example a person with malicious intent
would send a specifically crafted command to the application designed to make it crash,
effectively resulting in a Denial of Service.
However most bugs that would result in a DoS get fixed sooner than later. That’s why the bad
guys instead take advantage of flaws in the TCP, UDP and other network protocols to make an
intended target unreachable to its audience.
So, while Denial of Service simply defines the unavailability of a service that’s normally
available, it mostly refers to attacks carried out over networks such as the internet that are
designed to take the target offline. Let’s check this out in more detail.
What Is a Denial of Service Attack?
The best way to define a ​Denial of Service attack​ is that it’s a type of cyber attack that aims at
making a particular target service unreachable to its audience. Because DoS vulnerabilities in
applications are not too common and for the most part get patched rather quickly, most Denial
of Service attacks are carried out by taking advantage of flaws in network protocols.
A simple Denial of Service attack usually originates from a single or very few sources ­ the
source normally being a server or PC connected to the internet. A DoS attack normally aims at

2. vulnerabilities in an application that would result on a DoS, or tries to overload CPU or RAM
resources of the target machine.
In some cases a single attack source can also have larger resources, such as a 10Gbit/s
internet connection, which would allow the attacker to instead of aiming at the application itself,
just hammer the victim with more network traffic than it can handle. If the target machine has
only say a 100Mbit/s connection and the attacking machine has a 10Gbit/s, it will be easy to
clog the network, rendering the victim unreachable over the internet.
If the Denial of Service attack targets the CPU and RAM resources, the attacking machine
would usually flood the victim with requests, such as HTTP requests if the target is a website, in
order to exhaust the resources of the server the website is running on.
Generally there are two types or kinds of Denial of Service attacks, which are:
● Network Layer Attacks (Layer 3 and Layer 4)
● Application Layer Attacks (Layer 7)
Network layer attacks target layer 3 and 4 of the OSI model and as the name suggests they try
to exhaust the network capacity of a victim, which can be the uplink capacity, the network
interface controller capacity of the server or also the number of packets that the TCP/IP stack of
the operating system of the server can handle.
Application layer attacks usually target the application itself that the attacker wants to make
unreachable. This happens by sending seemingly legitimate requests to the application that it
processes as if they come from legitimate users. The attacker usually sends that many of such
requests, that it’s as if your application would have many thousands of users at the same time
that it has to handle instead of a few, effectively exhausting all CPU and RAM resources of the
server.
There are many many different subtypes of network and application layer attacks. Most of them
are ​Distributed​ Denial of Service attack types, which is why we’ll look at them in the next
chapter.
What Is a Distributed Denial of Service Attack?
While a simple Denial of Service attack originates just from one single or very few sources, a
Distributed​ Denial of Service attack (a.k.a. DDoS attack) originates from a network of many
sources, often many thousands.
This network of attack sources is often a so­called ​botnet​, which describes a network of infected
computers and/or servers that are in control of a hacker. The hacker can control all of the
infected machines from a so­called Command & Control server (CnC or C&C) and make them

3. for example simultaneously send HTTP GET requests to a target, which would be a form of
layer 7 DDoS attack.
Distributed Denial of Service attacks can do much more harm than a simple Denial of Service
attack. That’s because it often involves way too many attack sources ­ effectively source IP
addresses ­ to simply block the source IP(s) with a firewall or ACL. Their size is often
tremendous and can take down whole networks or data centers, which makes them difficult to
combat.
Let’s look more closely at what types of network and application layer attacks can be used as
part of a (Distributed) Denial of Service attack.
Network and Transport Layer DDoS Attacks (Layer 3­4)
There are basically two subsections that network layer attacks can be split into.
1. High Volume Attacks
2. High Packet Count Attacks
The high volume network layer attacks mostly aim at exhausting the network capacity of a
server or the network segment of one (read access or distribution switch). These attacks are
mostly using the UDP protocol because that allows a variety of amplification DDoS attacks and
also makes it possible to send large single packets to a target IP.
Those volumetric attacks are usually measured in bits, such as Megabits per second and
Gigabits per second. There are volumetric DDoS attacks ranging from 50Mbit/s to 400Gbit/s, the
latter mostly being reflection attacks (a.k.a. DrDoS ­ Distributed Reflected Denial of Service).
Common UDP­based High Volume DDoS Attack Types:
● DNS Amplification
● NTP Amplification
● SNMPv2 Amplification
● NetBIOS Amplification
● SSDP Amplification
● CHARGEN Amplification
● QOTD Amplification
● RIPv1 Amplification (NEW)
● Multicast DNS (mDNS) Amplification DDoS (NEW)
● Portmap Amplification DDoS (NEW)
● Direct UDP Flood

4. We can’t cover how each attack works exactly, however Distributed Reflected Denial of Service
attacks usually take advantage of UDP­based online applications that send back a large request
to a small query.
The attacker would typically spoof (meaning “fake”) his IP address to make it look as if the
network packets that the attacker sends originate from the victim’s IP address. Now if the
attacker sends many small packets requesting a larger response from one of the above listed
vulnerable applications, the application will send back the response to the victim’s IP address,
because it thinks the victim requested the data, where in fact it didn’t but the attacker did by
spoofing the IP address of the victim.
This results in an amplification of attack power, because very small requests result in rather
large responses, meaning the attacker needs few resources to send the fake requests, while the
responses to those requests exhaust the resources of the victim quickly due to them being
multiple (up to 20 or more) times larger.
Common TCP­based High Packet Count DDoS Attack Types:
● SYN Flood
● SSYN Flood (Spoofed SYN Flood)
● SYN­ACK Flood
● ACK Flood
● TCP Fragment Flood
● TCP­RST Flood (TCP Reset Attack)
● TCP Flag Abuse Flood
TCP­based Distributed Denial of Service attacks usually involve a high amount of packets per
second being sent to the victim’s IP address. The packets are generally small but plenty. They
usually don’t overwhelm the throughput of a network as UDP­based Distributed Denial of
Service attacks do, but they can still easily make a server’s network card go down and overload
the operating system’s TCP/IP stack.
The amount of packets per second commonly gets counted in Kpps (kilo/thousand packets per
second) and Mpps (million packets per second). TCP­based attacks with as little as 50Kpps
(50,000 packets per second) can already take down servers or applications on the targeted port
and many attacks range up to 8Mpps (8 million packets per second) and more.
To fully understand how and why TCP­based attacks work so well in bringing down targets, you
have to dig deep into how the TCP protocol and especially the TCP handshake works. This is
out of scope of this article, but it’s a good start to ​read what Wikipedia has to say about it​ if you
want to dig deeper.

5. Application Layer DDoS Attacks (Layer 7)
While a network or transport layer attack mostly aims at the IP address and the server as a
whole, an application layer DDoS attack directly targets the application that the attacker wants
to make unavailable.
This type of attack aims at exhausting the CPU and RAM resources of the server(s) an online
application such as a website is being hosted on, by basically simulating a tremendous amount
of users until there are no resources left to handle the requests of the actual users.
Layer 7 DDoS attacks are ​one of the hardest Distributed Denial of Service attacks to detect​,
because the malicious requests often imitate the ones of legitimate users of the application,
which can make it very hard to distinguish between what’s real traffic and what’s malicious
traffic.
Common Layer 7 DDoS Attack Types:
● HTTP GET Flood
● HTTP POST Flood
● HTTP HEAD Flood
● HTTP Connection Flood
As you may notice all of the listed application layer attacks utilize the HTTP protocol. That’s
because HTTP floods are by far the most common type of layer 7 attacks. There are however
more types of layer 7 attacks out there that speak the protocol of the application they target.
The effectiveness of HTTP floods can be dramatically increased by sending the malicious
requests to particularly resource hungry parts of the web application, such as search forms or
login pages.
Application layer DDoS attacks often originate from botnets, but during the past couple of years
there has been a huge increase in layer 7 attacks that originate from outdated and exploited
WordPress and Joomla! installations. The name of a very popular exploit toolkit to infect such
outdated CMSes and abuse them for layer 7 attacks is ​itsoknoproblembro​, which has been
broadly used to execute HTTP GET and POST flood attacks.
Another very common method of starting HTTP floods is to abuse the ​Pingback​ (XML­RPC)
feature of the WordPress CMS. We recently covered the ​anatomy of WordPress Pingback
DDoS attacks and how to mitigate it with NGINX​.

6. Denial of Service Attacks: How Dangerous Are They?
A Denial of Service attack can easily bring down any unprotected online service. The threat of
Denial of Service attacks (the distributed ones in particular) is increasing dramatically. The
reasons for that increased danger is that Distributed Denial of Service attacks get cheaper and
easier to initiate every day.
You don’t have to be a geek anymore or know anything about how a network, a network
protocol or the DDoS attack works ­ all it takes is a PayPal account, an internet connection and
the ability to read and follow simple instructions. Often the dumbest people are the most
dangerous and even they can effortlessly bring down your online service nowadays if you don’t
have an effective DDoS mitigation strategy in place.
Did you know that you can rent DDoS as an online service (a so­called ​booter​) that supports a
variety of different attack types, including layer 7 attacks and can bring down almost every
defenseless website for as little as $5 per month?
Common Motives of DDoS Attackers:
● Hacktivism​ ­ People who take down online presences “for the greater good”, or at least
they think they do.
● Vandalism​ ­ People who take down online services “for the lulz”.
● Revenge​ ­ Got banned on a forum? Why not DDoS the heck out of it to show them.
● Extortion​ ­ If you don’t pay us $$$, your online service won’t be online again any time
soon!
● Competition​ ­ If it just costs 5 bucks, why not take all your direct competitors offline to
swiftly increase sales?
● Politics​ ­ Yes, it’s actually common that people and groups of people get attacked for
political reasons by another party.
This should answer the question whether Distributed Denial of Service attacks are a threat.
They definitely are very dangerous to every type of online service, be it a website, a game
server or an e­mail server or anything else that’s connected to the internet. Even your home
connection can become the target of a (D)DoS attack.
Denial of Service Attack Protection
After reading through all this scary stuff you might ask yourself how you can protect your online
service from Denial of Service attacks.
The first rule of Denial of Service attack prevention is: Don’t be ​a cunt​. Seriously, we see a lot of
“revenge” attacks on forums and other websites because people badmouth other people or

7. groups of people. So not being a cunt might already decrease the chances of someone
attacking your online presence.
Of course this strategy won’t work if your competitors are criminals, you’re the victim of
extortion, are into politics or work in the financial sector (which is the one receiving the most
heavy DDoS attacks by the way).
So how do you effectively defend against DDoS attacks?
An effective Denial of Service attack prevention strategy starts at the network design and ends
at your application’s code. This means that the first step is to pick a data center that has the
capacity to swallow huge amounts of attack bandwidth without getting a hickup.
There are data centers and hosting providers that specialize in designing networks that are
resilient to Distributed Denial of Service attacks. Even if a provider has enough bandwidth
capacity, all that traffic still has to be scrubbed to filter out the bad attack traffic until only the
legitimate traffic remains when it reaches your application.
Due to the sheer volume of most attacks, it’s impossible to filter all of them directly on your
server. It requires special access control lists (ACLs) set up on the routing equipment (ideally at
carrier level) and a bunch of high­capacity DDoS mitigation devices that are basically firewalls
with say a capacity of 30Gbit/s each particularly designed to detect and filter DDoS traffic. This
usually involves a huge investment for the service provider.
A setup like this will make all servers hosted inside the network immune to DDoS attacks,
because they get filtered out before they can reach the servers or the application. Renting or
housing your hardware at such a secure facility will keep you safe and sound from those cyber
villains.
If you don’t want to move your data and hardware to a different facility, there is also something
called ​remote DDoS prevention​, that makes it possible to remotely protect applications from
attacks by routing the traffic through a DDoS scrubbing center that then sends back the clean
traffic to your insecure location.
In any case it’s unfortunately often more costly to stop DDoS attacks than to initiate them,
making the threat even more real and an obstacle for many online startups. JavaPipe
contributes to a safer online world as a DDoS protection provider that offers business­grade
DDoS prevention solutions for small money to support the needs of startups and small
businesses.