DR - Feleke Assignment-Denial of Service

A DoS attack uses a single computer to flood a server with packets to make it unavailable. A DDoS attack uses multiple compromised systems to launch coordinated DoS attacks from different locations, making the origin difficult to identify. Common DDoS attack types include UDP floods, ping floods, SYN floods and HTTP floods, which consume server resources through excessive traffic until services become unavailable. SYN flood attacks specifically exploit the TCP three-way handshake process to overwhelm servers with connection requests. DDoS attacks pose a major threat through their ability to bring large enterprises offline, costing thousands per hour in losses and disruption.

Uploaded by

natmich6

Basic concepts of Denial of Service (DoS) and Distributed Denial of Service (DDoS)
A DoS attack is any attack that makes a service unavailable to its legitimate users; the most
familiar form uses a single computer to flood a server with more TCP, UDP or ICMP traffic than
it can handle. A DDoS attack is the same idea carried out from many systems at once, so the
target is bombarded with packets from multiple locations.
Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks are among the most
intimidating threats that modern enterprises face, and few attacks carry comparable financial
consequences. Industry surveys cited in the literature put the cost of a DDoS attack at roughly
20,000 to 40,000 dollars per hour of downtime, a figure that puts even the largest organizations
under pressure.

What is a DoS Attack?


A DoS attack is an attack in which a single computer is used to exhaust a server's resources,
typically by flooding it with TCP or UDP packets, or by triggering a crash with a specially
crafted input.
During the attack the packets sent over the network overload the server's capacity, so it can no
longer respond to other devices and users on the network. DoS attacks are used to take individual
machines and networks out of service so that they cannot be used by legitimate users.
DoS attacks can be carried out in a number of different ways.
These include the following: -
Buffer overflow attacks – The classic application-level DoS. The attacker sends the target more
data than a program's buffer was sized to hold; the excess overwrites adjacent memory and crashes
the service (or, in the worst case, lets the attacker run code). Unlike the floods below, this
needs only a handful of packets, so it is a software defect problem rather than a bandwidth one.
Ping of Death (PoD) – The attacker sends an ICMP echo request (ping) larger than the IPv4 maximum
of 65,535 bytes. It has to be delivered as fragments, and when a vulnerable host reassembles them
the oversized datagram overflows the reassembly buffer and crashes the system. PoD is distinct
from an ICMP flood, which simply sends pings faster than the target can answer, and from the
reflective variant (the smurf attack) in which pings carrying the victim's spoofed source address
are sent to a network's broadcast address so that every host on that network replies to the
victim.
SYN flood – SYN flood attacks send requests to open a TCP connection but never complete the
handshake. The server's queue of half-open connections fills up, so legitimate clients can no
longer connect.
Teardrop attack – During a teardrop DoS attack the attacker sends IP fragments whose offsets and
lengths overlap. The target tries to reassemble them into the original datagram, and reassembly
code that does not handle the overlap correctly exhausts resources or crashes, because the
fragment fields are deliberately inconsistent and cannot be put back together.
The ease with which DoS attacks can be coordinated has meant that they have become one of the
most pervasive cybersecurity threats that modern organizations have to face. DoS attacks are
simple but effective and can bring about devastating damage to the companies or individuals
they are aimed at. With one attack, an organization can be put out of action for days or even
weeks.
The time an organization spends offline adds up. Being unable to access the network costs
organizations thousands every year. Data may not be lost but the disruption to service and
downtime can be massive. Preventing DoS attacks is one of the basic requirements of staying
protected in the modern age.

What is a DDoS Attack?


A DDoS attack is the most common form of DoS attack in use today. During a DDoS attack,
multiple systems target a single system with malicious traffic. Attacking from many locations
lets the attacker take the target offline more easily: there is far more machine power at the
attacker's disposal, and the victim cannot block a single source or pinpoint the true origin of
the attack.
Using a DDoS attack also makes it harder for the victim to recover. In almost every case the
systems used to execute a DDoS attack have themselves been compromised, so the attacker can
launch attacks remotely through these hijacked machines, which are referred to as zombies or bots.
The bots form a network of connected devices called a botnet that the attacker manages through a
command and control server. The command and control server lets the attacker, or botmaster,
coordinate attacks. Botnets range from a handful of bots to hundreds of thousands of infected
devices.

Most Common Forms of DDoS Attacks


DDoS attacks are the more complex of the two threats because they use a range of devices, which
increases the severity of the attack. Being attacked by one computer is not the same as being
attacked by a botnet of a hundred devices.
Part of being prepared for DDoS attacks is being familiar with as many different attack forms as
you can. In this section, we look at these in further detail so you can see how these attacks
are used to damage enterprise networks.
DDoS attacks can come in various forms, including:
Ping of Death – During a Ping of Death (POD) attack the attacker sends malformed pings to one
computer. The manipulated packets carry an IP datagram larger than the maximum packet length,
delivered as fragments. When the victim's host attempts to reassemble the fragments, the oversized
result overflows the memory set aside for it; on a vulnerable system the machine crashes or hangs,
taking it out of action completely.
UDP floods – A UDP flood floods the victim with User Datagram Protocol (UDP) packets aimed at
random ports on the target host. For each packet the host checks for an application listening on
that port and, finding none, replies with an ICMP Destination Unreachable message. Doing this at
flood rate consumes the host's resources and bandwidth so that other devices can't connect
properly.
Ping flood – Much like a UDP flood, a ping flood uses ICMP Echo Request (ping) packets to derail
a network's service. The attacker sends these packets as fast as possible without waiting for a
reply, in an attempt to make the target unreachable through sheer volume. These attacks are
particularly concerning because bandwidth is consumed in both directions, since the attacked
server tries to answer every request with an ICMP Echo Reply. The end result is a decline in
speed across the entire network.
SYN flood – SYN flood attacks are another type of DoS attack in which the attacker abuses the TCP
connection sequence to make the victim's server unavailable. The attacker sends SYN requests to
the victim, which responds with a SYN-ACK. The sender is then supposed to respond with an ACK,
but the attacker never does (or sends the SYNs from spoofed source IP addresses, so the SYN-ACKs
go to hosts that never asked for them). Every unanswered request occupies a slot in the server's
half-open connection queue until no new connections can be made.
Slowloris – Slowloris is DDoS attack software originally developed by Robert Hansen (RSnake) to
take down web servers. A Slowloris attack occurs when the attacker opens many connections and
sends partial HTTP requests with no intention of completing them. To keep the attack going,
Slowloris periodically sends another HTTP header on each connection so the server keeps it open.
This continues until the server reaches its connection limit and can't accept any more. Attackers
favour this form of attack because it requires very little bandwidth.
HTTP flood – In an HTTP flood the attacker uses ordinary-looking HTTP GET or POST requests to
attack an individual web server or application. HTTP floods are a Layer 7 attack and don't use
malformed or spoofed packets. Attackers use this type of attack because it requires less
bandwidth than other attacks to take the victim's service out of operation.
Zero-day attacks – Zero-day attacks exploit vulnerabilities that are not yet publicly known or for
which no patch exists. This is a blanket term for attacks that could be faced in the future. These
attacks can be particularly devastating because the victim has no specific way to prepare for
them before experiencing a live attack.
2. UDP Attacks
A UDP flood attack targets random ports on the remote host with User Datagram Protocol (UDP)
packets. For each packet the host checks whether an application is listening on that port and,
when none is found, replies with an ICMP Destination Unreachable message. Generating those
replies at flood rate consumes the host's resources and makes its services inaccessible.

3. ICMP Attacks
ICMP flood attacks consume both incoming and outgoing bandwidth, because the affected servers
keep trying to answer with ICMP echo reply packets, which slows down or shuts down the whole
system. The attack is similar to a UDP flood, but it bombards the target with ICMP echo request
packets at a high transmission rate without waiting for any reply.

In a SYN flood attack the requestor transmits many SYN requests but never reacts to the host's
SYN-ACK response, or transmits the SYN requests from spoofed (masked) IP addresses. The host
server then waits for the acknowledgement of every request, and the resources bound to those
half-open connections stay allocated until the queue is full and no new connections can be
established, which results in denial of service. The attack exploits a known weakness in the TCP
connection sequence, the three-way handshake: when a client wants to open a TCP connection with a
host server it sends a SYN, the server acknowledges it with a SYN-ACK, and the client completes
the handshake with an ACK. By withholding that final ACK the attacker leaves the server holding
state for connections that will never complete.
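The standard server-side answer to the half-open queue problem described above is SYN cookies: the server encodes everything it needs into the initial sequence number of its SYN-ACK, stores nothing, and only allocates connection state when a valid ACK comes back. The following Python is an added example written for this page, not code from the assignment or from any kernel; the secret, the MSS table and the 64-second tick are illustrative assumptions, and the addresses and ports are constructed.

```python
import hashlib
import hmac
import socket
import struct

# Hypothetical per-boot secret: a real kernel draws this from its RNG and rotates it.
SECRET = b"example-secret-rotate-per-boot"
# MSS values that can be encoded in the cookie's low 3 bits (Linux uses a similar table).
MSS_TABLE = (536, 1220, 1440, 1460)
TICK = 64            # seconds per time-counter tick; cookies older than one tick are stale


def _mac24(saddr, sport, daddr, dport, t, mss_idx):
    """24-bit keyed hash over the connection 4-tuple, time counter and MSS index."""
    msg = struct.pack("!4sH4sHBB", socket.inet_aton(saddr), sport,
                      socket.inet_aton(daddr), dport, t, mss_idx)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(saddr, sport, daddr, dport, client_mss, now):
    """Initial sequence number to put in the SYN-ACK. No per-connection state is stored."""
    fits = [i for i, mss in enumerate(MSS_TABLE) if mss <= client_mss]
    mss_idx = fits[-1] if fits else 0
    t = (now // TICK) & 0x1F
    mac = _mac24(saddr, sport, daddr, dport, t, mss_idx)
    return (mac << 8) | (t << 3) | mss_idx       # 24-bit MAC | 5-bit time | 3-bit MSS index


def check_syn_cookie(saddr, sport, daddr, dport, ack, now):
    """Validate the ACK that completes the handshake.

    Returns the negotiated MSS if the ACK carries a cookie we issued for this 4-tuple
    within the last tick, otherwise None (forged, replayed from elsewhere, or stale).
    """
    cookie = (ack - 1) & 0xFFFFFFFF             # the client acks our ISN + 1
    t = (cookie >> 3) & 0x1F
    mss_idx = cookie & 0x7
    if mss_idx >= len(MSS_TABLE):
        return None
    t_now = (now // TICK) & 0x1F
    if (t_now - t) & 0x1F > 1:                  # modular 5-bit age check
        return None
    expected = _mac24(saddr, sport, daddr, dport, t, mss_idx)
    got = (cookie >> 8).to_bytes(3, "big")
    if not hmac.compare_digest(expected.to_bytes(3, "big"), got):
        return None
    return MSS_TABLE[mss_idx]


if __name__ == "__main__":
    # Constructed exchange: client 198.51.100.20:44321 -> server 192.0.2.10:80, MSS 1460
    isn = make_syn_cookie("198.51.100.20", 44321, "192.0.2.10", 80, 1460, now=1000)
    print("SYN-ACK seq =", hex(isn))
    print("genuine ACK  ->", check_syn_cookie("198.51.100.20", 44321, "192.0.2.10", 80, isn + 1, now=1030))
    print("wrong source ->", check_syn_cookie("198.51.100.21", 44321, "192.0.2.10", 80, isn + 1, now=1030))
```

A flood of spoofed SYNs now costs the server one HMAC per packet and no memory, which is why the technique works; the price is that TCP options not encoded in the cookie (window scaling, SACK) are lost for connections established this way, so real kernels only switch cookies on once the normal queue is full.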

4. Ping of Death
This type of attack involves transmitting malformed or malicious pings to the server. The maximum
length of an IP packet, header included, is 65,535 bytes, while the data link layer limits the
frame size to 1,500 bytes over Ethernet. A large IP packet is therefore split across multiple IP
fragments, and the receiving host collects the fragments and reassembles the entire IP packet.

By manipulating the fragment data, an attacker produces fragments that add up to more than
65,535 bytes when reassembled. The result overflows the memory space allocated for the packet,
which crashes the host and causes denial of service even for legitimate packets.
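Both fragment attacks on this page, the Ping of Death (a reassembled datagram longer than 65,535 bytes) and the teardrop attack (fragments whose offsets overlap), can be caught before reassembly by checking the fragment offsets and lengths. The Python below is an added example for this page, not code from the assignment or from any IP stack; it assumes a 20-byte header for the reassembled datagram, and the three fragment sets are constructed, not captured.

```python
from dataclasses import dataclass

IP_MAX_LEN = 65535      # largest IPv4 datagram, header included (RFC 791)
IP_HDR_LEN = 20         # header length assumed for the reassembled datagram (no options)


@dataclass(frozen=True)
class Fragment:
    offset: int   # Fragment Offset field, in 8-byte units
    length: int   # payload bytes carried by this fragment
    more: bool    # More Fragments flag


def check_fragments(frags):
    """Return the problems found in one datagram's fragment set.

    An empty list means the set is safe to hand to the reassembler.
    """
    problems = []
    spans = []
    for f in frags:
        start, end = f.offset * 8, f.offset * 8 + f.length
        if IP_HDR_LEN + end > IP_MAX_LEN:          # Ping of Death
            problems.append(
                f"oversize: data ends at {end}, datagram would be {IP_HDR_LEN + end} bytes")
        if f.more and f.length % 8:                 # every non-final fragment is 8-byte aligned
            problems.append(f"bad length: non-final fragment at {start} carries {f.length} bytes")
        spans.append((start, end))
    spans.sort()
    for (s1, e1), (s2, e2) in zip(spans, spans[1:]):
        if s2 < e1:                                 # teardrop
            problems.append(f"overlap: [{s1},{e1}) and [{s2},{e2})")
    return problems


# Constructed fragment sets for illustration.
# A 3,000-byte ping split for Ethernet: two full fragments and a tail.
NORMAL_PING = [Fragment(0, 1480, True), Fragment(185, 1480, True), Fragment(370, 48, False)]
# Teardrop: the second fragment claims to start at byte 24, inside the first one.
TEARDROP = [Fragment(0, 36, True), Fragment(3, 24, False)]
# Ping of Death: the final fragment alone pushes the datagram past 65,535 bytes.
PING_OF_DEATH = [Fragment(8189, 16, False)]

if __name__ == "__main__":
    for name, frags in [("normal", NORMAL_PING), ("teardrop", TEARDROP), ("pod", PING_OF_DEATH)]:
        print(name, check_fragments(frags) or "ok")
```

The same two checks are what packet-filtering firewalls and IDS fragment preprocessors apply; the important detail is that they can be applied per fragment as it arrives, without buffering anything, so the check itself cannot be turned into a resource exhaustion.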

5. Slowloris
This type of attack has an outsized impact because a single machine can bring down another
host's web server without affecting other ports or services on the host network. It does this by
holding as many connections to the target web server open for as long as possible: it
establishes a connection to the server but transmits only a partial request.

It persistently transmits additional HTTP headers but never completes the request. The host keeps
the connection open for these false requests, which uses up the slots available for legitimate
requests. As the name suggests, this slows the entire system down by exhausting the server's
limit on concurrent connections.
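The defence against Slowloris is to budget the whole request head, not the gap between reads: a client that sends one header every nine seconds never trips a ten-second idle timeout but will trip a ten-second deadline counted from the first byte. This Python reader is an added example written for this page, not code from the assignment or from any web server; the 8,192-byte limit and 10-second deadline are illustrative assumptions, and the three request streams are constructed.

```python
MAX_HEAD_BYTES = 8192    # upper bound for the request line plus all headers
HEAD_DEADLINE = 10.0     # seconds from the first byte to the end of the headers


class RequestHeadReader:
    """Collects one HTTP/1.1 request head under a size budget and a wall-clock deadline."""

    def __init__(self, started_at):
        self.started_at = started_at
        self.buf = bytearray()

    def feed(self, chunk, now):
        """Return the complete head once the blank line arrives, None while still partial."""
        if now - self.started_at > HEAD_DEADLINE:
            raise TimeoutError("request head not completed within deadline")
        self.buf += chunk
        if len(self.buf) > MAX_HEAD_BYTES:
            raise ValueError("request head exceeds size limit")
        end = self.buf.find(b"\r\n\r\n")
        return bytes(self.buf[:end + 4]) if end != -1 else None


def classify(chunks):
    """chunks: (seconds since connect, bytes) pairs in arrival order; returns the outcome."""
    reader = RequestHeadReader(started_at=chunks[0][0])
    try:
        for t, data in chunks:
            if reader.feed(data, t) is not None:
                return "complete"
        return "incomplete"
    except TimeoutError:
        return "timeout"
    except ValueError:
        return "oversize"


# Constructed streams for illustration.
NORMAL = [(0.0, b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: x\r\n\r\n")]
# Slowloris: one bogus header every 9 s, never the terminating blank line.
SLOWLORIS = [(0.0, b"GET / HTTP/1.1\r\nHost: example.test\r\n")] + \
            [(9.0 * k, b"X-a: b\r\n") for k in range(1, 6)]
# Fast sender padding the head with kilobyte headers to tie up memory instead of time.
OVERSIZE = [(0.0, b"GET / HTTP/1.1\r\n")] + \
           [(0.1 * k, b"X-pad: " + b"a" * 1000 + b"\r\n") for k in range(1, 12)]

if __name__ == "__main__":
    for name, stream in [("normal", NORMAL), ("slowloris", SLOWLORIS), ("oversize", OVERSIZE)]:
        print(name, "->", classify(stream))
```

Apache's mod_reqtimeout and nginx's client_header_timeout apply the same idea in production; the reader above is the minimal logic behind them. Note that the check is per connection, so it complements rather than replaces a cap on concurrent connections per source address.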
6. NTP Amplification
In this type of attack the attacker abuses publicly accessible Network Time Protocol (NTP)
servers to flood a target with UDP traffic. The attacker sends small queries to the NTP servers
with the source address spoofed to the victim's, so the servers send their much larger responses
to the victim. It is described as an amplification attack because the ratio of query size to
response size can be 1:20, 1:200 or more, which means an attacker holding a list of open NTP
servers can generate a very large volume of traffic and consume the maximum bandwidth with little
effort of their own. This particular attack focuses on the NTP protocol, but the same reflection
technique works against any UDP service that answers small queries with large responses.
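The UDP flood, ICMP flood and NTP amplification sections above each describe a traffic pattern that can be recognised from packet or flow summaries: packets per second toward one destination, the number of distinct UDP ports being hit, and the ratio of bytes a reflector sends to a host versus bytes that host sent it. The Python below is an added example for this page, not code from the assignment or any monitoring product; the packet summaries are constructed, the thresholds are illustrative, and the reflector port list goes slightly beyond the page's NTP example to DNS, SSDP and memcached, which are abused the same way.

```python
from collections import Counter, defaultdict

VICTIM, REFLECTOR, BOT, CLIENT = "192.0.2.10", "203.0.113.5", "198.51.100.9", "198.51.100.20"


def constructed_traffic():
    """Constructed packet summaries (second, src, dst, proto, sport, dport, length); not a capture."""
    pkts = []
    # second 0: benign QUIC traffic to the victim and a normal NTP exchange
    pkts += [(0, CLIENT, VICTIM, "udp", 50000 + i, 443, 120) for i in range(20)]
    pkts += [(0, CLIENT, REFLECTOR, "udp", 40123, 123, 76), (0, REFLECTOR, CLIENT, "udp", 123, 40123, 76)]
    # second 1: UDP flood, 3000 packets sprayed over distinct high ports on the victim
    pkts += [(1, BOT, VICTIM, "udp", 40000, 1024 + (i * 7919) % 60000, 1024) for i in range(3000)]
    # second 2: ICMP echo flood, 2500 requests the victim will try to answer
    pkts += [(2, BOT, VICTIM, "icmp-echo-req", 0, 0, 1400) for _ in range(2500)]
    # second 3: NTP reflection, three 50-byte queries spoofed as VICTIM, ten 482-byte replies each
    pkts += [(3, VICTIM, REFLECTOR, "udp", 33333, 123, 50) for _ in range(3)]
    pkts += [(3, REFLECTOR, VICTIM, "udp", 123, 33333, 482) for _ in range(30)]
    return pkts


def volumetric_offenders(pkts, pps_threshold=1000):
    """Peak packets per second toward each (dst, proto); returns the pairs over threshold."""
    per_second = Counter((sec, dst, proto) for sec, _, dst, proto, _, _, _ in pkts)
    peak = {}
    for (sec, dst, proto), n in per_second.items():
        peak[(dst, proto)] = max(peak.get((dst, proto), 0), n)
    return {key: n for key, n in peak.items() if n > pps_threshold}


def udp_port_spread(pkts, dst):
    """Distinct UDP destination ports hit on dst: a flood sprays thousands, real traffic a few."""
    return len({dport for _, _, d, proto, _, dport, _ in pkts if d == dst and proto == "udp"})


def reflection_ratios(pkts, reflector_ports=frozenset({123, 53, 1900, 11211})):
    """Bytes a reflector service sent to a host divided by bytes that host sent to it.

    Keyed by (reflector, host). A ratio far above 1, or inf when the host never
    queried at all from this vantage point, is the signature of a reflection attack.
    """
    queries = defaultdict(int)
    replies = defaultdict(int)
    for _, src, dst, proto, sport, dport, length in pkts:
        if proto != "udp":
            continue
        if dport in reflector_ports:
            queries[(dst, src)] += length
        if sport in reflector_ports:
            replies[(src, dst)] += length
    return {key: (n / queries[key] if queries.get(key) else float("inf"))
            for key, n in replies.items()}


if __name__ == "__main__":
    pk = constructed_traffic()
    print("volumetric:", volumetric_offenders(pk))
    print("udp ports hit on victim:", udp_port_spread(pk, VICTIM))
    print("reflection:", {k: round(v, 1) for k, v in reflection_ratios(pk).items()})
```

Two caveats a practitioner would add: the amplification ratio is only visible where both directions are seen (the reflector's network, or a victim that keeps outbound flow records), since the victim itself never sent the queries; and the packet-rate thresholds have to be set from a baseline of the site's own traffic, because a busy service legitimately exceeds numbers that would be alarming on a small one.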

7. HTTP Flood
Here the attacker sends legitimate-looking HTTP GET or POST requests to exploit a web
application or web server. It doesn't use spoofing, reflection or malformed packets. It consumes
less bandwidth than other types of attack to slow down the application or host server, and it is
most effective when it forces the system or application to allocate the maximum possible
resources in response to every single request.
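Because an HTTP flood uses well-formed requests from real addresses, nothing in any single request gives it away; what does is the request rate per client. The Python below is an added example written for this page, not code from the assignment or from any web server: it parses Combined Log Format lines and keeps a sliding window per client IP. The 10-second window and 50-request threshold are illustrative assumptions, and the log is constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined Log Format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, request, status) or None for a line that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, request, status, _ = m.groups()
    return ip, datetime.strptime(ts, TS_FMT), request, int(status)


def find_http_flooders(lines, window_s=10, max_requests=50):
    """Sliding-window request count per client; returns {ip: peak count} for offenders.

    Assumes lines arrive in time order, as a live tail of the access log does.
    """
    recent = defaultdict(deque)
    peak = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, _, _ = parsed
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_s:
            window.popleft()
        if len(window) > max_requests:
            peak[ip] = max(peak.get(ip, 0), len(window))
    return peak


def constructed_log():
    """Constructed access log: one bot at about 30 req/s mixed with a normal browser."""
    start = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)

    def line(ip, t, path):
        return f'{ip} - - [{t.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'

    entries = [(start + timedelta(seconds=i),
                line("198.51.100.2", start + timedelta(seconds=i), f"/page/{i}")) for i in range(8)]
    entries += [(start + timedelta(milliseconds=33 * i),
                 line("203.0.113.7", start + timedelta(milliseconds=33 * i), f"/search?q=term{i}"))
                for i in range(300)]
    entries.sort(key=lambda e: e[0])
    return [text for _, text in entries]


if __name__ == "__main__":
    print(find_http_flooders(constructed_log()))
```

Counting requests is the simplest signal; a better rule also weights by how expensive each path is to serve, since, as the section above notes, the flood is most damaging when every request forces the application to do maximum work. Rate limits keyed on IP alone also need care behind shared NAT or a CDN, where one address is many users.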

DoS vs DDoS: What’s the Difference?


The key difference between DoS and DDoS attacks is that the latter uses many internet
connections to take the victim's network offline, whereas the former uses a single connection.
DDoS attacks are more difficult to stop because they are launched from multiple locations, so
the victim cannot identify a single origin to block. Another key difference is the volume of
traffic, as DDoS attacks allow the attacker to send massive volumes of traffic to the target
network.
It is also important to note that DDoS attacks are executed differently from DoS attacks. DDoS
attacks are executed through botnets, networks of devices under the control of an attacker. In
contrast, DoS attacks are generally launched with a script or a DoS tool such as Low Orbit Ion
Cannon.
Why do DoS and DDoS Attacks Occur?
Whether it is a DoS or DDoS attack, there are many nefarious reasons why an attacker
would want to put a business offline. In this section, we’ll look at some of the most common
reasons why DoS attacks are used to attack enterprises. Common reasons include:
Ransom – Perhaps the most common reason for DDoS attacks is to extort a ransom. Once an
attack has been completed successfully the attackers will then demand a ransom to halt the attack
and get the network back online. It isn’t advised to pay these ransoms because there is no
guarantee that the business will be restored to full operation.
Malicious Competitors – Malicious competitors looking to take a business out of operation are
another possible reason for DDoS attacks to take place. By taking an enterprise’s network down
a competitor can attempt to steal your customers away from you. This is thought to be
particularly common within the online gambling community where competitors will try to put
each other offline to gain a competitive advantage.
Hacktivism – In many cases, the motivation for an attack won’t be financial but personal and
political. It is not uncommon for hacktivist groups to put government and enterprise sites offline
to mark their opposition. This can be for any reason that the attacker deems to be important but
often occurs due to political motivations.
Causing Trouble – Many attackers simply like causing trouble for personal users and networks.
It is no secret that cyber attackers find it amusing to put organizations offline. For many
attackers, DDoS attacks offer a way to prank people. Many see these attacks as ‘victimless’
which is unfortunate given the amount of money that a successful attack can cost an
organization.
Disgruntled Employees – Another common reason for cyber-attacks is disgruntled employees or
ex-employees. If the person has a grievance against your organization, then a DDoS attack can
be an effective way to get back at you. While the majority of employees handle grievances
maturely, there is still a minority who use these attacks to damage an organization they have a
personal grievance against.
