Distributed Denial of Service (DDoS) Attacks

distributed denial of serviceIn the previous article, we discussed denial of service (DoS) attacks. These attacks involve the use of a single client to launch an attack on a system or service. Distributed denial of service (DDoS) attacks use the same basic attack methodologies as outlined in the previous article, with the exception that the attacks are initiated from multiple client systems.

The way this typically works is that malicious parties will use viruses to subtly gain control over large numbers of computers (typically poorly-defended home computers connected to broadband Internet connections). Unbeknownst to the owner of the computer (which generally continues to function as normal) the system is essentially a zombie waiting to be given instructions. Once the malicious party has gathered an army of zombie computers they are instructed to participate in massive distributed denial of service attacks on unsuspecting victims. A large enough volume of zombie systems can, and indeed have been known to bring down even the largest and most scalable enterprise infrastructure, and even bring parts of the Internet itself to a grinding halt. Merely purchasing more incoming bandwidth than the current volume of attack might not help, because the attacker might be able to simply add more attack machines.

Distributed Denial of Service Attacks: Advantages and Types

There are several advantages to launching a distributed denial of service attack:

  1. Multiple machines can generate more attack traffic than one machine.
  2. Multiple machines are harder to turn off than one attack machine.
  3. The behavior of each attack machine can be stealthier, making it harder to track and shut down.

Distributed denial of service can take several forms. Malware can carry distributed denial of service attack mechanisms. One of the better-known examples of this was MyDoom. Its DoS mechanism was triggered on a specific date and time. this type of distributed denial of service involved hardcoding the target IP address prior to the release of the malware. No further interaction was necessary to launch the attack.


A system may also be compromised with a trojan, allowing the attacker to download a zombie agent, or the trojan may contain one. Attackers can also break into systems using automated tools that exploit flaws in programs that listen for connections from remote hosts. A compromised system becomes known as a bot, and they are controlled by handlers run by the attacker, known as botnets. Many of these tools use classic DoS attack methods centered on IP spoofing and amplification like smurf and fraggle attacks, as well as SYN floods.

A distributed denial of service attack may involve sending forged requests to a very large number of computers that will reply to the requests. Using Internet Protocol address spoofing, the source address is set to that of the targeted victim, which means that all the replies will go to and flood the target.

The primary line of defense for blocking distributed denial of service attacks, as with DoS attacks, is the firewall. Firewalls can be set up to have simple rules to allow or deny protocols, ports or IP addresses. In the case of a simple attack coming from a small number of unusual IP addresses for instance, one could put up a simple rule to drop all incoming traffic from those attackers. But most complex attacks will be hard to block with simple rules. Additionally, firewalls may be too deep in the network hierarchy, although they can prevent users from launching simple flooding type attacks from machines behind the firewall.

Some stateful firewalls, like OpenBSD’s pf (and pfSense, since it’s based on pf), can act as a proxy for connections. Normally when a client initiates a TCP connection to a server, PF will pass the handshake packets between the two endpoints as they arrive. pf can proxy the handshake: pf itself will complete the handshake with the client, initiate a handshake with the server, and then pass packets between the two. In the case of a TCP SYN flood attack, the attacker never completes the three-way handshake, so the attacker’s packets never reach the protected server, but legitimate clients will complete the handshake and get passed. this minimizes te impact of spoofed TCP SYN floods on the protected service, handling it in pf instead.

Most switched also have some automatic and system-wide rate limiting, traffic shaping, delayed binding, deep packet inspection and Bogon (bogus IP) filtering to detect and block denial of service attacks. This will work as long as the distributed denial of service attack is something that can be prevented by using them. SYN floods can be prevented using delayed binding. Content-based DoS or DDoS may be prevented using deep packet inspection. And attacks originating from dark addresses can be prevented using Bogon filtering.


External Links:

Denial of service attack on Wikipedia

PF: Packet Filtering at www.openbsd.org

Denial of Service (DoS) Attacks

denial of serviceDenial of Service (DoS) attacks are undertaken with the express purpose of preventing users from accessing and using a service they should otherwise be able to access. such attacks make malicious use of a variety of different standard protocols and tools. There is no single denial of service attack method, and the term has come to encompass a variety of different forms of attack. Some of the different types of denial of service attacks will be outlined here.

Types of Denial of Service (DoS) Attacks

  • Ping flood: This attack uses the Internet Message Protocol (ICMP) ping request to a server as a denial of service method. The strategy either involves sending ping requests in such vast quantities that the receiving system is unable to respond to valid user requests, or sending ping messages which are so large (known as the ping of death) that the system is unable to handle the request.
  • Smurfing: As with ping flood attacks, smurfing makes use of the TCP Internet Message Protocol (ICMP) ping request to mount DoS attacks. In a typical smurfing attack, the attacker sends a ping request to the broadcast address of the network containing the IP address of the victim, rather than to a specific machine. The network then acts as a smurf amplifier. The ping request is sent to all computers on the broadcast network, which in turn all reply to the IP address of the victim system, thereby overloading the victim with ping responses. The primary method for preventing smurf attacks is to block ICMP traffic through routers so that the ping responses are blocked from reaching internal servers. In addition, services like the Smurf Amplifier registry have given network service providers the ability to identify misconfigured networks and to take appropriate action.
  • TCP SYN Flood: We have already discussed SYN flood attacks as a means of achieving denial of service on this website, but I’ll mention it here again. This attack begins with a client attempting to establish a TCP connection with the victim server. The client sends a request to the server, which in turn returns an ACK package to acknowledge the connection. At this point in the communication, the client should respond with a message accepting the connection. Instead, the client sends another ACK which is respnded to by the server with yet another ACK. The client continues to send ACKs to the server with the effect of causing the server to hold sessions open in anticipation of the client sending the final packet required to complete the connection. As a result the server uses up all available sessions serving the malicious client, thereby prevneting access to other users. One possible countermeasure is to limit the number of connections from any one client (which can easily be done in pfSense), but if the SYN flood is coming from several different clients, it is hardly the ideal solution. Moreover, if the attacker may be using a spoofed IP address, so limiting the number of connections from that IP address may not help at all. Another possibility is to set up a SYN proxy, so that clients do not connect to a server until the SYN/SYN-ACK/ACK handshake is complete.


  • Fraggle: A fraggle attack is similar to a smurfing attack with the exception that the User Datagram Protocol (UDP) is used instead of using ICMP.
  • Land: Under a land attack, the attacker creates a fake SYN packet containing the same source and destination IP addresses and ports and sends it to the victim, causing the system to become confused when trying to respond to the packet.
  • Teardrop: A teardrop type of denial of service attack exploits a weakness in the TCP/IP implementation on some operating systems. The attack works by sending messages fragmented into multiple UDP packages. Ordinarily the operating system is able to reassemble the packets into a complete message by referencing data in each UDB packet. The teardrop attack works by corrupting the offset data in the UDP packets, making it impossible for the system to rebuild the original packets. On systems that are unable to handle this corruption, a crash is the most likely outcome of a teardrop attack.
  • Bonk: An effective attack on some Windows systems involving the transmission corrupted UDP packets to the DNS port (port 53) resulting in a system crash.
  • Boink: This is similar to the Bonk attack except that the corrupted UDP packets are sent to multiple ports, not just port 53.

These are the most common forms of denial of service attacks. In the next article, we will look at distributed denial of service (DDoS) attacks.


External Links:

Denial-of-service attack on Wikipedia

© 2013 David Zientara. All rights reserved. Privacy Policy