Denial of Service Attacks


Some Background.  DoS - Denial of Service is really a fairly general concept.  It can be quite easy to forget that there are a huge number of different approaches to deny services on any given system. 

In general DoS attacks are attacks that work to diminish the abilities of a system or network to deliver services.  It is almost always the case that the attackers are trying to shut down at least certain services completely.  But any significant degradation in services needs to be examined for whatever causes them.

These attacks can be motivated for a number of reasons.  For example,

  • hurting the flow (stopping) of customer access to an ecommerce site
  • causing the system and its administrators to become overly occupied with particular threats to make other intrusions much easier
  • cut off user access to a particular system or service

DoS attacks do not generally require the attacker to penetrate the system under attack.  Though, DoS attacks can be made more deleterious if they do.  If DoS attacks come from within a system they are generally much easier to trace to their sources.

From [Crayton, Dubrawsky, et al]

Most DoS attacks take place across a network, with the perpetrator seeking to take advantage of the lack of integrated security within the current iteration of IP (IPv4 - IP version 4).  Hackers are fully aware that security considerations have been passed on to higher level protocols and applications.  IPv6 - IP version 6, which may help rectify some of these problems, includes a means to of validating the source packets and their integrity by using an authentication header.  Although the continuing improvement of IP is critical, it does not solve today's problems, because IPv6 is not yet in widespread use.

I should add, that the last I knew, making use of IPv6 required huge capital outlays and annual payments in excess of millions of dollars.  Hopefully, this is no longer true.  But since IPv6 is not spreading based on its advantages it is very likely due to cost considerations.

In the next two sections I will discuss two main types of DoS attacks.

  • Resource Consumption Attacks
  • Malformed Packet Attacks

In subsequent webpages I will get into more specific details about particular attacks such as SYN attacks or SQL Slammer attacks.

Resource Consumption Attacks.  Now I want to say some more about certain types of DoS attacks.  It seems almost every system administrator and user is constantly complaining they do not have enough of the following

  • network bandwidth
  • central processing unit - CPU cycles
  • RAM - random access memory
  • secondary storage

Some of the most common DoS attacks go after network bandwidth.  This is likely due to a combination of limited capacity and accessibility to outsiders.  Attacks are generally from outside the system/network for a number of reasons.

When an attacker directs a large number of packets at a particular system it is called flooding.  If the attacker has more available bandwidth than the targeted network then flooding is more easily accomplished.  These sorts of attacks are more easily accomplished as more and more home users make use of DSL or Cable access with increased bandwidth.

Some fairly well known types of DoS attacks are listed below.

  • UBE - Unsolicited Bulk E-Mail can overwhelm email servers.  Spammers can easily generate emails and send them to particular email addresses.
  • Decrease the number of connections available to users of a network.
  • SQL Slammer Worm and its variants take advantage of known vulnerabilities in Microsoft SQL Server to generate excessive network traffic.
  • Amplification attacks take advantage of ICMP - Internet Control Message Protocol to send ICMP messages to a broadcast address that broadcasts the ICMP to everything in the network which then floods the original broadcast address with ICMP replies
  • SYN attacks make use of the three way handshake that underlies most TCP/IP network transactions.  We will go into much more detail about this in the next webpage.
  • UDP - User Datagram Protocol attacks work similarly to SYN floods.  They make use of a protocol that is usually used for system level interactions in TCP/IP networks.

Malformed Packet Attacks.  Malformed packet attacks can develop in quite a number of different ways.

DDoS - Distributed Denial of Service.  DDoS stands for Distributed Denial of Service attacks.  There are many different ways these can be used.  But they generally rely on an attacker or group of attackers being able to put together a group of zombies to attack some resource simultaneously.

We are going to try and present this in general terms in this webpage and get into more specifics for specific types of attacks in subsequent webpages.

Organizing a DDoS requires some expertise. 

The attacker is likely to need at least to generic types of software.

  • client - the client software is used by the attacker or hacker to launch the attacks
  • daemon - this software runs on each zombie and responds to the commands from the client software
    • in general, based on UNIX/Linux language a daemon is any program that runs on a continuous basis and handles requests for service that come in from other computers
    • there are many legitimate daemons that run on systems that have nothing to do with launching attacks

There are four main classifications for the types of computers used in a DDoS.

  • attacker - this may be more than one person originating the overall DDoS
  • master - a computer that runs the client software that obscures the attacker and sends commands onto the next tier
  • zombie - this is a computer that runs the daemon in total obedience to the master
    • both the zombies and the masters behind them hide the originating attacker
  • target - the recipient or focus of the attacks

All of this relies on the attacker finding computers whose security can be breached in order to put this whole DDoS together.

The following diagram represents the tiers of a fairly small DDoS.



A DDoS requires much more expertise from the attacker.  But a DDoS also allows an attacker to do things such as the following
  • accumulate resources that can be coordinated to increase the intensity of an attack
  • hide the original attacker behind tiers of other computers

So this is a fairly general discussion.  We will get into more specifics and ways that the generic DDoS can be used in later webpages.