Definition: Denial of Service Attack
vulnerabilities in an application that would result in a DoS, or tries to overload the CPU or RAM
resources of the target machine.
In some cases a single attack source can also have larger resources, such as a 10Gbit/s
internet connection, which allows the attacker, instead of aiming at the application itself, to
simply hammer the victim with more network traffic than it can handle. If the target machine has
only, say, a 100Mbit/s connection and the attacking machine has 10Gbit/s, it is easy to
clog the victim's link, rendering the victim unreachable over the internet.
If the Denial of Service attack targets CPU and RAM resources, the attacking machine
usually floods the victim with requests (HTTP requests if the target is a website) in
order to exhaust the resources of the server the website is running on.
Generally there are two kinds of Denial of Service attacks:
● Network Layer Attacks (Layer 3 and Layer 4)
● Application Layer Attacks (Layer 7)
Network layer attacks target layers 3 and 4 of the OSI model and, as the name suggests, try
to exhaust the network capacity of a victim: the uplink capacity, the capacity of the server's
network interface controller, or the number of packets per second that the TCP/IP stack of
the server's operating system can handle.
Application layer attacks target the application itself that the attacker wants to make
unreachable. The attacker sends seemingly legitimate requests, which the application
processes as if they came from legitimate users. The attacker sends so many of these
requests that it is as if the application had many thousands of simultaneous users to handle
instead of a few, effectively exhausting all CPU and RAM resources of the
server.
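The application layer flood described above leaves a clear trace in the web server's access log: one client (or a small set of clients) makes far more requests per second than any human would. The following is an added example, not code from the article: a sliding-window request-rate detector over combined-format access log lines. The log lines, addresses, window size and threshold are constructed for the example; real thresholds depend on what normal traffic looks like for your site.

```python
"""Sliding-window request-rate detector for HTTP floods.

Added example: parses combined-format access log lines (Apache/nginx)
and flags any client whose request count inside a moving window exceeds
a threshold. Log lines, addresses, window and threshold are constructed
for the example, not taken from a real server.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format: ip ident user [timestamp] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Return (ip, timestamp, request) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("req")


def detect_floods(lines, window_seconds=10, threshold=100):
    """Return {ip: peak requests seen in any window} for clients over threshold.

    Assumes lines arrive in chronological order, as they do in an access log.
    """
    windows = defaultdict(deque)   # ip -> timestamps of its recent requests
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue               # skip malformed lines rather than crash
        ip, ts, _ = parsed
        q = windows[ip]
        q.append(ts)
        # drop requests that have fallen out of the window
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > threshold and len(q) > flagged.get(ip, 0):
            flagged[ip] = len(q)
    return flagged


def _line(ip, second, path):
    return f'{ip} - - [10/Oct/2023:13:55:{second:02d} +0000] "GET {path} HTTP/1.1" 200 512'


# Constructed sample: two normal visitors, and one client firing 30 requests
# for the same (expensive) search page within five seconds.
_events = [("203.0.113.5", 0, "/"), ("203.0.113.5", 4, "/about"),
           ("203.0.113.9", 2, "/"), ("203.0.113.9", 7, "/contact")]
_events += [("198.51.100.7", 1 + i // 6, "/search?q=" + str(i)) for i in range(30)]
SAMPLE_LOG = [_line(*e) for e in sorted(_events, key=lambda e: e[1])]
SAMPLE_LOG.append("garbage line that does not parse")

if __name__ == "__main__":
    print(detect_floods(SAMPLE_LOG, window_seconds=10, threshold=20))
```

Flagging a single source address is the easy case; a distributed layer 7 flood spreads the same request volume over thousands of addresses, so in practice you also aggregate by request path, user agent or the cost of the requested endpoint, and rate-limit at the edge rather than in the application.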
There are many different subtypes of network and application layer attacks. Most of them
are Distributed Denial of Service attack types, which is why we'll look at them in the next
chapter.
What Is a Distributed Denial of Service Attack?
While a simple Denial of Service attack originates from just one or very few sources, a
Distributed Denial of Service attack (a.k.a. DDoS attack) originates from a network of many
sources, often many thousands.
This network of attack sources is often a so-called botnet, a network of infected
computers and/or servers that are under the control of an attacker. The attacker controls all of the
infected machines from a so-called Command & Control server (CnC or C&C) and makes them
We can't cover exactly how each attack works, but Distributed Reflected Denial of Service
attacks usually take advantage of UDP-based online services that send back a large response
to a small query.
The attacker typically spoofs (forges) the source IP address of the packets they send so that the
packets appear to originate from the victim's IP address. UDP has no handshake, so the service
cannot tell a forged source from a real one. If the attacker sends many small packets requesting
a large response from one of the above listed vulnerable services, the service sends the
response to the victim's IP address, because it believes the victim requested the data, when in
fact the attacker did, using the victim's spoofed address.
This results in an amplification of attack power: very small requests produce much larger
responses, so the attacker needs few resources to send the forged requests, while the
responses quickly exhaust the victim's resources because they are many times (tens of times,
for some protocols hundreds of times) larger than the requests.
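The reflection mechanism above, and the standard way a UDP service defends against being used as a reflector, as an added example that is not part of the article. The reflector is modelled as a pure function from (source address, payload) to the datagrams it emits, so the simulation runs offline; the addresses, message formats and sizes are constructed for the example. The hardened variant keeps the server stateless but refuses to send anything large until the client has echoed a keyed cookie, which is the idea behind DNS cookies, the DTLS HelloVerifyRequest and the QUIC Retry packet.

```python
"""Simulated UDP reflection and amplification, plus a cookie-based fix.

Added example, not from the article. A reflector is modelled as a pure
function (src_ip, payload) -> [(dst_ip, payload), ...]: UDP has no
handshake, so the only thing the service knows about the sender is the
source address on the datagram, which the attacker forges. Addresses,
message formats and sizes below are constructed for the example.
"""
import hashlib
import hmac
import os

VICTIM = "203.0.113.20"
ATTACKER = "192.0.2.10"
QUERY = b"Q" + b"\x00" * 15        # 16-byte request (constructed)
BIG_ANSWER = b"A" * 800            # 800-byte answer -> 50x amplification


def naive_reflector(src_ip, payload):
    """Vulnerable: sends the large answer to whatever source address the datagram claims."""
    if payload[:1] == b"Q":
        return [(src_ip, BIG_ANSWER)]
    return []


# Hardened variant: before sending anything large, make the client prove it
# can receive at src_ip by echoing a keyed cookie. A real deployment also
# folds a time window into the cookie and rotates the key.
SECRET = os.urandom(16)


def cookie_for(ip):
    return hmac.new(SECRET, ip.encode(), hashlib.sha256).digest()[:8]


def hardened_reflector(src_ip, payload):
    kind, body = payload[:1], payload[1:]
    if kind == b"C" and hmac.compare_digest(body, cookie_for(src_ip)):
        return [(src_ip, BIG_ANSWER)]                   # reachability proven: full answer
    if kind in (b"Q", b"C"):
        return [(src_ip, b"R" + cookie_for(src_ip))]    # 9 bytes: smaller than the query
    return []


def run_attack(reflector, n_queries):
    """Attacker sends n queries with the source forged as VICTIM.

    Returns (bytes the attacker sent, bytes that landed on the victim).
    """
    sent = received = 0
    for _ in range(n_queries):
        sent += len(QUERY)
        for dst, data in reflector(VICTIM, QUERY):
            if dst == VICTIM:
                received += len(data)
    return sent, received


def amplification(reflector, n_queries=1000):
    sent, received = run_attack(reflector, n_queries)
    return received / sent


def honest_client(ip):
    """A legitimate client completes the cookie round trip and gets the real answer."""
    (_, retry), = hardened_reflector(ip, QUERY)
    return hardened_reflector(ip, b"C" + retry[1:])[0][1]


if __name__ == "__main__":
    print("naive amplification:    %.1fx" % amplification(naive_reflector))
    print("hardened amplification: %.2fx" % amplification(hardened_reflector))
    print("honest client got", len(honest_client("203.0.113.99")), "bytes")
```

The spoofing attacker never sees the retry message (it goes to the victim), so it can never present a cookie valid for the victim's address; a cookie obtained for the attacker's own address is useless because it is keyed to the source IP. The victim still receives the small retry datagrams, but at less than one byte per byte the attacker sends, so reflecting through this service is worse for the attacker than sending traffic directly.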
Common TCP-based High Packet Count DDoS Attack Types:
● SYN Flood
● SSYN Flood (Spoofed SYN Flood)
● SYN-ACK Flood
● ACK Flood
● TCP Fragment Flood
● TCP RST Flood (TCP Reset Attack)
● TCP Flag Abuse Flood
TCP-based Distributed Denial of Service attacks usually involve a high number of packets per
second being sent to the victim's IP address. The packets are generally small but plentiful. They
usually don't saturate the bandwidth of a network the way UDP-based Distributed Denial of
Service attacks do, but they can still easily exceed the packet rate a server's network interface
can process and overload the operating system's TCP/IP stack.
The packet rate is commonly measured in Kpps (thousand packets per
second) and Mpps (million packets per second). TCP-based attacks with as little as 50Kpps
(50,000 packets per second) can already take down servers or applications on the targeted port,
and many attacks range up to 8Mpps (8 million packets per second) and more.
To fully understand how and why TCP-based attacks work so well at bringing down targets, you
have to dig into how the TCP protocol, and especially the TCP three-way handshake, works. That is
out of scope for this article, but the Wikipedia article on TCP is a good starting point if you
want to dig deeper.
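The SYN flood at the top of the list above is the one where the handshake matters most, so here is an added example (not from the article) of the standard defence, SYN cookies, in Python. A SYN flood works because a server normally allocates a half-open connection entry for every SYN it receives and keeps it until the final ACK arrives or a timer expires; spoofed SYNs fill that table and legitimate SYNs are dropped. With SYN cookies the server stores nothing: the initial sequence number it sends in the SYN-ACK encodes a coarse time counter, the client's MSS and a keyed hash of the connection, and is re-derived and checked when the ACK comes back. The layout follows the Linux scheme in spirit (counter in the top bits, an MSS index, a 24-bit hash); the secret, MSS table, bit widths and counter granularity are assumptions chosen for the example.

```python
"""Stateless SYN cookies, the standard defence against SYN floods.

Added example, not from the article. The server keeps no half-open
connection state: the ISN in its SYN-ACK is computed from the SYN and a
time counter, and validated from the client's final ACK. The secret, MSS
table, bit widths and counter granularity are assumptions for the example.
"""
import hashlib
import hmac
import ipaddress
import struct

COOKIE_SECRET = b"example-only-secret"   # assumption: a real stack uses random, rotated keys
MSS_TABLE = [536, 1300, 1440, 1460]      # MSS values representable in the cookie (3-bit index)
MASK32 = 0xFFFFFFFF


def _hash24(saddr, daddr, sport, dport, client_isn, t):
    """24-bit keyed hash binding the cookie to the 4-tuple, the client's ISN and counter t."""
    msg = (ipaddress.ip_address(saddr).packed + ipaddress.ip_address(daddr).packed
           + struct.pack("!HHII", sport, dport, client_isn & MASK32, t & MASK32))
    return int.from_bytes(hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(saddr, daddr, sport, dport, client_isn, mss, t):
    """Return the ISN for our SYN-ACK; no per-connection state is stored.

    saddr/sport: the client, daddr/dport: us, client_isn: the seq number
    from the SYN, t: a coarse time counter (e.g. seconds // 64).
    Layout: [5 bits: t mod 32][3 bits: MSS index][24 bits: keyed hash]
    """
    idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            idx = i            # largest table value not above what the client offered
    return ((t & 0x1F) << 27) | (idx << 24) | _hash24(saddr, daddr, sport, dport, client_isn, t)


def check_syn_cookie(saddr, daddr, sport, dport, client_isn, ack_seq, now, max_age=2):
    """Validate the ACK that completes the handshake.

    The ACK acknowledges our ISN + 1, and its own seq is client_isn + 1
    (the caller passes client_isn = seq - 1). Returns the MSS to use for
    the new connection, or None if the cookie is not one we issued within
    the last max_age counter ticks or does not match this 4-tuple.
    """
    cookie = (ack_seq - 1) & MASK32
    top, idx, h = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    if idx >= len(MSS_TABLE):
        return None
    for age in range(max_age + 1):
        t = now - age
        if (t & 0x1F) == top and _hash24(saddr, daddr, sport, dport, client_isn, t) == h:
            return MSS_TABLE[idx]
    return None


if __name__ == "__main__":
    isn = make_syn_cookie("203.0.113.5", "198.51.100.1", 40000, 443, 0x11223344, 1460, 1000)
    print("SYN-ACK ISN: 0x%08x" % isn)
    print("valid ACK  ->", check_syn_cookie("203.0.113.5", "198.51.100.1", 40000, 443,
                                            0x11223344, (isn + 1) & MASK32, 1000))
    print("stale ACK  ->", check_syn_cookie("203.0.113.5", "198.51.100.1", 40000, 443,
                                            0x11223344, (isn + 1) & MASK32, 1010))
```

The trade-off is visible in the code: only a handful of MSS values survive the round trip, other TCP options negotiated in the SYN are lost unless encoded elsewhere, and a 24-bit hash means a blind attacker guessing ACKs has a one in sixteen million chance per packet, which is why stacks only fall back to cookies once the half-open queue is full rather than using them all the time.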
Denial of Service Attacks: How Dangerous Are They?
A Denial of Service attack can easily bring down any unprotected online service. The threat of
Denial of Service attacks (the distributed ones in particular) is increasing dramatically. The
reason for that increased danger is that Distributed Denial of Service attacks get cheaper and
easier to launch every day.
You don't have to be a geek anymore or know anything about how a network, a network
protocol or the DDoS attack itself works; all it takes is a PayPal account, an internet connection and
the ability to read and follow simple instructions. The least skilled attackers are often the most
dangerous, and even they can effortlessly bring down your online service nowadays if you don't
have an effective DDoS mitigation strategy in place.
Did you know that you can rent DDoS as an online service (a so-called booter) that supports a
variety of attack types, including layer 7 attacks, and can bring down almost every
defenseless website for as little as $5 per month?
Common Motives of DDoS Attackers:
● Hacktivism: People who take down online presences "for the greater good", or at least
they think they do.
● Vandalism: People who take down online services "for the lulz".
● Revenge: Got banned on a forum? Why not DDoS the heck out of it to show them.
● Extortion: If you don't pay us $$$, your online service won't be online again any time
soon!
● Competition: If it just costs 5 bucks, why not take all your direct competitors offline to
swiftly increase sales?
● Politics: Yes, it's actually common for people and groups of people to be attacked for
political reasons by another party.
This should answer the question of whether Distributed Denial of Service attacks are a threat.
They definitely are very dangerous to every type of online service, be it a website, a game
server, an email server or anything else that's connected to the internet. Even your home
connection can become the target of a (D)DoS attack.
Denial of Service Attack Protection
After reading through all this scary stuff you might ask yourself how you can protect your online
service from Denial of Service attacks.
The first rule of Denial of Service attack prevention is: don't be a jerk. Seriously, we see a lot of
"revenge" attacks on forums and other websites because people badmouth other people or