Denial of Service (DoS) is a class of computer attack that violates the "availability" security objective. One widely quoted definition reads: "A Denial of Service attack is one in which a multitude of compromised systems attack a single target, thereby causing denial of service for users of the targeted system. The flood of incoming messages to the target system essentially forces it to shut down, thereby denying service to the system to legitimate users". (Strictly speaking that definition describes the distributed form; a plain DoS attack can come from a single source.) Traditionally, DoS attacks were carried out by exploiting a software bug such as a buffer overflow, or by exhausting system resources. Inevitable human errors during software development, configuration, and installation open unseen doors for these attacks. In 1999 a new generation of attack appeared: the Distributed Denial of Service (DDoS) attack, in which many machines operate in concert to attack a network or site. There is very little a target can do on its own while a DDoS attack is in progress: the attack generates so much extra network traffic that legitimate packets have difficulty reaching the site, and because the attacking packets carry forged source addresses they cannot simply be blocked by origin.
Tools used to perform a DDoS attack:
The first tools developed to mount DDoS attacks were Trin00 and Tribe Flood Network (TFN). They were followed by the next generation of tools, Tribe Flood Network 2000 (TFN2K) and Stacheldraht. These tools let an attacker remotely direct a flood of network traffic at a target site from many locations at once, bringing the site down, exhausting its resources and preventing legitimate users from reaching it.
Exploited resources in a DDoS attack:
- Available memory.
- Available CPU cycles.
- Disk space available to the application.
- The number of processes and/or threads that the application is permitted to use.
- The maximum number of concurrent connections the application is permitted.
How do DDoS attacks work?
In the classic flooding attack the attacker sends the server a stream of connection requests (the "authentication requests" of the popular description are TCP SYN packets, the first step of the three-way handshake). Every request carries a forged source address, so when the server sends its reply it never gets an answer and holds a half-open connection until it times out. Because the source addresses are false, the packets cannot be traced back to the sender; this is what makes DDoS attacks so hard to trace. Attackers also use encryption to hide the communication between their tools and so their own location. "The server waits, sometimes more than a minute, before closing the connection. When it does close the connection, the attacker sends a new batch of forged requests, and the process begins again--tying up the service indefinitely."
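The following is an added model of the flood described above; it is illustrative code written for this page, not code from any DDoS tool or from the page's sources. It models a listening socket whose backlog of half-open connections is filled by SYNs with forged sources, and shows why the server's long wait before closing a connection matters: the spoofed packet rate an attacker needs is only the backlog size divided by the timeout. The backlog size, timeout, rates and addresses are constructed numbers.

```python
"""Model of a spoofed-source SYN flood exhausting a server's listen backlog.

Added example written for this page (not from the page's sources or any
attack tool). The backlog size, timeout, rates and addresses are constructed.
"""
import ipaddress


class Listener:
    """Minimal model of a listening TCP socket.

    Each SYN the server answers with a SYN-ACK occupies one backlog slot
    (a half-open connection) until the client's final ACK arrives or the
    slot times out. A SYN with a forged source never gets that ACK, because
    the SYN-ACK went to a host that never asked for a connection.
    """

    def __init__(self, backlog, timeout):
        self.backlog = backlog      # max half-open connections
        self.timeout = timeout      # seconds before a half-open slot is freed
        self.half_open = {}         # (src_ip, src_port) -> arrival time
        self.dropped = 0            # SYNs dropped because the backlog was full

    def _expire(self, now):
        for key, t0 in list(self.half_open.items()):
            if now - t0 >= self.timeout:
                del self.half_open[key]

    def syn(self, now, src):
        """Handle an incoming SYN; return True if a backlog slot was allocated."""
        self._expire(now)
        if len(self.half_open) >= self.backlog:
            self.dropped += 1
            return False
        self.half_open[src] = now   # server sends SYN-ACK and waits
        return True

    def ack(self, now, src):
        """Handle the third handshake packet; return True if the connection completed."""
        if src in self.half_open:
            del self.half_open[src]
            return True
        return False


def spoofed_source(i):
    """Forged source for the i-th attack packet.

    A real tool draws these at random; a counter keeps the example
    reproducible. What matters to the victim is only that nobody at the
    address will answer the SYN-ACK.
    """
    return (str(ipaddress.IPv4Address(0x0A000000 + i)), 40000 + (i % 20000))


def run_flood(backlog, timeout, attack_rate, duration):
    """Flood a listener for `duration` seconds at `attack_rate` spoofed SYNs/s
    while one legitimate client attempts a connection every second.

    Returns (legit_connected, legit_refused).
    """
    srv = Listener(backlog, timeout)
    connected = refused = 0
    seq = 0
    for now in range(duration):
        for _ in range(attack_rate):
            srv.syn(now, spoofed_source(seq))
            seq += 1
        client = ("192.0.2.10", 50000 + now)   # constructed legitimate client
        if srv.syn(now, client):
            srv.ack(now, client)   # a real client answers the SYN-ACK at once
            connected += 1
        else:
            refused += 1
    return connected, refused


def sustainable_rate(backlog, timeout):
    """Spoofed SYNs per second needed to keep the backlog permanently full.

    At steady state each slot is held for `timeout` seconds, so the attacker
    needs backlog / timeout packets per second: under two per second for a
    128-entry backlog and a 75 s timeout.
    """
    return backlog / timeout


if __name__ == "__main__":
    for timeout in (75, 5):
        ok, refused = run_flood(backlog=128, timeout=timeout, attack_rate=10, duration=60)
        print(f"timeout={timeout:>2}s rate=10 SYN/s connected={ok:>2} refused={refused:>2} "
              f"saturation rate={sustainable_rate(128, timeout):.2f} SYN/s")
```

With the constructed 75-second timeout the legitimate client gets through only for the first twelve seconds; shortening the hold time to five seconds keeps the same 10 SYN/s flood from ever filling the backlog, which is the reasoning behind the shorter half-open timeouts and larger backlogs that servers adopted after these attacks.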
Potential targets of DDoS attacks:
A DDoS assault has two phases: compromising as many systems as possible, and then performing the actual Denial of Service attack. The attacker needs a large number of vulnerable systems to generate the flow of packets required to shut down the target. "All of these attack tools run on both Linux and Solaris while TFN2K runs on Windows as well as Linux and Solaris!!" Good prey for the attacker are computers with weak security, which are easy to infiltrate and on which the DDoS tools, together with a rootkit to hide their presence, can be installed. In the second phase these infiltrated systems generate the network traffic that brings down the targeted site. This is why the compromised systems can be considered secondary victims of the Denial of Service attack.
How does the attacker hide his identity?
"In computer network security, backscatter is a side-effect of a spoofed (faked) denial of service (DoS) attack. In this kind of attack, the attacker spoofs the source address in IP packets sent to the victim. In general, the victim machine cannot distinguish between the spoofed packets and legitimate packets, so the victim responds to the spoofed packets as it normally would. These response packets are known as backscatter. If the attacker is spoofing source addresses randomly, the backscatter response packets from the victim will be sent back to random destinations. The volume of packets is so great that the attacked network becomes crowded with artificial traffic. This excessive traffic prevents legitimate traffic from reaching its destination".
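Backscatter is also how a flood can be observed from the outside. The added example below is written for this page (not from its sources): it monitors a "network telescope", a routed but unused address block that never sends anything, so any SYN-ACK or RST arriving there must be a victim answering a packet forged in the telescope's name. Because the text assumes spoofed sources are chosen uniformly at random, the share of backscatter that lands in the telescope equals the share of the IPv4 space it covers, which lets the monitor estimate the rate of the attack on the victim. The victim address, telescope prefix and traffic are constructed.

```python
"""Recognising backscatter from a spoofed-source SYN flood at a network telescope.

Added example written for this page; not from its sources. The victim, the
telescope prefix and the traffic are constructed. The extrapolation assumes
uniformly random spoofed sources, as the text describes.
"""
import ipaddress
import random
from collections import Counter, namedtuple

Packet = namedtuple("Packet", "src dst flags")       # TCP flags as a string, e.g. "SA"
TELESCOPE = ipaddress.ip_network("10.0.0.0/8")       # constructed monitored prefix

# Packets a host sends only in response to something it received.
RESPONSE_FLAGS = {"SA", "RA", "R"}


def is_backscatter(pkt, telescope=TELESCOPE):
    """A response-type packet addressed into the telescope is unsolicited by
    construction, so it is the victim answering a forged packet. A plain SYN
    to the telescope is a scan, not backscatter, and is excluded."""
    return pkt.flags in RESPONSE_FLAGS and ipaddress.ip_address(pkt.dst) in telescope


def estimate_attack_rates(packets, telescope=TELESCOPE, window_seconds=1):
    """Map each apparent victim (the source of the backscatter) to the
    estimated rate of spoofed packets hitting it, in packets per second."""
    seen = Counter(p.src for p in packets if is_backscatter(p, telescope))
    scale = 2 ** 32 / telescope.num_addresses        # 256 for a /8 telescope
    return {victim: n * scale / window_seconds for victim, n in seen.items()}


def simulate_flood_responses(victim, n_packets, seed=7):
    """The victim's SYN-ACK replies to n_packets spoofed SYNs whose sources are
    random 32-bit values (constructed traffic, seeded for reproducibility).
    The monitor would only ever see the replies aimed at its own prefix;
    is_backscatter() discards the rest."""
    rng = random.Random(seed)
    return [Packet(victim, str(ipaddress.IPv4Address(rng.getrandbits(32))), "SA")
            for _ in range(n_packets)]


if __name__ == "__main__":
    victim = "203.0.113.5"                           # constructed victim
    window = 10                                      # seconds of observation
    n_spoofed = 2 ** 18                              # attack packets sent in the window
    traffic = simulate_flood_responses(victim, n_spoofed)
    traffic.append(Packet("198.51.100.7", "10.3.3.3", "S"))   # a port scan; must be ignored
    rates = estimate_attack_rates(traffic, TELESCOPE, window)
    print(f"victims seen: {sorted(rates)}")
    print(f"estimated {rates[victim]:.0f} SYN/s against {victim} "
          f"(true rate {n_spoofed / window:.0f} SYN/s)")
```

A /8 telescope sees roughly one reply in 256, so 2^18 spoofed SYNs produce about a thousand backscatter packets in the monitor; the estimate lands within a few percent of the true rate, and the scan packet is correctly left out because a SYN is not a response.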
How the parts of a DDoS network work together:
The Agent-Handler model of a DDoS attack consists of clients, handlers, and agents (Figure 1). The client is the program through which the attacker communicates with the rest of the DDoS attack system. The handlers are software packages located throughout the Internet that the attacker's client uses to communicate with the agents. The agent software runs on compromised systems, which eventually carry out the attack. The attacker communicates with any number of handlers to identify which agents are up and running, to schedule attacks, or to upgrade agents. The owners and users of the agent systems typically have no knowledge that their system is being used to perform DDoS attacks. The attacker, through the client, controls one or more handlers, and each agent can respond to more than one handler. TFN2K and Stacheldraht, the more recent DDoS tools, encrypt most of the communication between handler and agents using either the Blowfish or the CAST encryption algorithm.
Detection & Prevention:
The most important aspect of these distributed attacks is that the attacker needs vulnerable computer systems to carry out the attack. In general, filtering and monitoring are the two common methods used to fight DDoS attacks; they provide better protection than the traceback method, which can only identify an attacker after the attack has occurred.
To enhance computer security the following is advised:
- Enforce strong password rules for all users, since attackers use weak passwords to gain unauthorized access.
- Install patches and anti-virus software, use a firewall, and monitor for intruders.
- Use switches on your network, because most network switches have some rate-limiting and ACL capability. Some switches provide automatic and/or system-wide rate limiting, traffic shaping, deep packet inspection and bogus (spoofed) source IP filtering to detect and remediate denial of service attacks.
- Use software like Remote Intrusion Detector (RID), which searches an entire subnet from a single node, or searches hosts from a list, for installed DDoS agents and handlers. RID uses a configuration file to specify the ports and strings it looks for and the hosts it scans. The file is easy to modify when a new attack tool is discovered by other means: its ports and passwords are simply added to the search list.
- Firewalls should be installed at the outer edge of networks. They can be configured to filter and log incoming and outgoing traffic, and to prevent certain protocols from entering or leaving a network.
- Turn off all unneeded services.
- Check with vendors on a regular basis for updates and patches for your software.
Hackers are constantly developing new tools and discovering new vulnerabilities. As new technology is introduced, new vulnerabilities are created, so audit system security on a regular basis. Make sure all servers and routers log everything reasonable. Logging will not stop Denial of Service attacks from happening, but it helps in tracing packets back to their source and stopping an attack. If your network is found to be taking part in a DDoS against another site, disconnect the systems acting as agents from the network. If the agents cannot be found quickly, it may be necessary to disconnect the router to the outside network. Remember that the attacker has nearly full control of any system running an agent.
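The two recommendations that matter most when your own network is the secondary victim, filtering bogus source addresses at the edge and finding the hosts acting as agents, can be worked from the flow records a border router exports. The added example below is written for this page and is not code from any product or from the page's sources. It reads constructed NetFlow-style records, flags outbound packets whose source is not in the site's prefix (forged sources, which egress filtering in the style of RFC 2827 / BCP 38 would drop) together with the ingress interface they came in on, flags inside hosts sending an abnormal number of SYN-only packets at one destination, and prints an IOS-style egress ACL. The prefix, interfaces, addresses and threshold are assumptions.

```python
"""Spotting DDoS agents inside your own network from border-router flow records.

Added example written for this page, not from any product or from the page's
sources. The site prefix, interfaces, flow records and threshold are constructed.
"""
import ipaddress
from collections import defaultdict

OUR_PREFIX = ipaddress.ip_network("198.51.100.0/24")   # constructed site prefix
SYN_FLOOD_THRESHOLD = 1000   # SYN-only packets from one host to one dst per export interval

# Constructed NetFlow-style export: ingress interface, src, dst, dport, TCP flags, packets
FLOW_RECORDS = """\
iface src dst dport flags packets
ge-0/0/1 198.51.100.20 203.0.113.5 80 S 4820
ge-0/0/1 198.51.100.21 192.0.2.33 443 SA 12
ge-0/0/2 10.88.4.9 203.0.113.5 80 S 2200
ge-0/0/2 172.19.0.5 203.0.113.5 80 S 1950
ge-0/0/3 198.51.100.40 192.0.2.80 22 S 3
ge-0/0/3 198.51.100.40 192.0.2.80 22 A 220
"""


def parse_flows(text):
    """Parse the whitespace-separated export above into a list of dicts."""
    lines = text.strip().splitlines()
    header = lines[0].split()
    flows = []
    for line in lines[1:]:
        f = dict(zip(header, line.split()))
        f["dport"] = int(f["dport"])
        f["packets"] = int(f["packets"])
        flows.append(f)
    return flows


def find_agents(flows, prefix=OUR_PREFIX, threshold=SYN_FLOOD_THRESHOLD):
    """Return findings as (kind, ingress_iface, src, dst, packets) tuples.

    'spoofed-source': the packet left our network with a source address we
    do not own. The address is forged, so the host is identified by the
    interface (switch port) the packets arrived on, not by the source.
    'syn-flood': one of our own hosts sent SYN-only traffic above the
    threshold to a single destination, the signature of a flooding agent.
    """
    findings = []
    syn_packets = defaultdict(int)
    for f in flows:
        if ipaddress.ip_address(f["src"]) not in prefix:
            findings.append(("spoofed-source", f["iface"], f["src"], f["dst"], f["packets"]))
        if f["flags"] == "S":   # SYN without ACK: handshake never completed
            syn_packets[(f["iface"], f["src"], f["dst"])] += f["packets"]
    for (iface, src, dst), n in syn_packets.items():
        if n >= threshold and ipaddress.ip_address(src) in prefix:
            findings.append(("syn-flood", iface, src, dst, n))
    return findings


def interfaces_to_disconnect(findings):
    """Ports to pull while the agents are tracked down, as the text advises."""
    return sorted({f[1] for f in findings})


def egress_acl_lines(prefix=OUR_PREFIX, number=101):
    """Egress filter in Cisco IOS extended-ACL style: only our own prefix may
    be a source of outbound packets; everything else is dropped and logged."""
    return [f"access-list {number} permit ip {prefix.network_address} {prefix.hostmask} any",
            f"access-list {number} deny ip any any log"]


if __name__ == "__main__":
    findings = find_agents(parse_flows(FLOW_RECORDS))
    for kind, iface, src, dst, packets in findings:
        print(f"{kind:15} iface={iface} src={src} dst={dst} packets={packets}")
    print("disconnect:", ", ".join(interfaces_to_disconnect(findings)))
    print("\n".join(egress_acl_lines()))
```

On the constructed export the two forged-source flows on ge-0/0/2 and the 4820-packet SYN stream from 198.51.100.20 on ge-0/0/1 are reported, while the three-packet SSH attempt from 198.51.100.40 stays below the threshold. The ACL stops the spoofed half of the problem immediately; the syn-flood finding still needs the host taken off the network, because an agent that stops forging sources can keep flooding with its real one.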