Denial Of Service Attack Analysis Computer Science Essay


The Internet was not designed with confidentiality, integrity and availability in mind, because it was originally built for groups of people who "trust" each other (schools, the military, etc.). Today the situation is different: the Internet is deployed worldwide, and most Internet security mechanisms are essentially patches. Internet users should be able to gain access to its resources whenever they want (availability), but the main factor that hinders this effective use of resources on the Internet is denial of service, which is called distributed denial of service when it is carried out in a coordinated manner.

Denial of service has become a huge threat to availability on the Internet. It is carried out by flooding network resources, which results in a lot of wasted bandwidth. When the attacker wants to increase the effect of the DOS and remain properly anonymous, he carries it out in a coordinated fashion from different sources at the same time. When a DOS is carried out in this way, it is called a distributed denial of service attack (DDOS).

The attacker usually scans thousands of computers on the Internet, checking them for possible vulnerabilities and turning them into zombies (agents) by gaining root access to them and installing attack and communication tools (bots). These tools are in turn used to scan for more vulnerable computers and turn them into zombies (agents) as well, forming a distributed network. At a specified time, the attacker commands them to launch a coordinated attack on the victim.

Note: I will now refer to distributed denial of service as DDOS and denial of service as DOS.

DDOS can be launched using different methods; the most common ones are:

Smurf attack: This is when the attacker sends an ICMP Echo request to the victim's address, with the victim's address as the source address. This makes all the computers on the network reply with an ICMP Echo to the intended victim, thereby overwhelming it.

TCP SYN attack: This method takes advantage of the TCP three-way handshake. It is usually done with a spoofed IP address, whereby a half-open connection is created on the intended victim: the attacker sends a SYN, the victim replies with a SYN ACK and keeps waiting for the ACK, which never comes. This leaves the connection half open, and enough such connections overwhelm the victim.

(Figure legend: S = clients, D = server, A = attacker, D = victim.)

Teardrop attack: This kind of attack is usually targeted at Windows 3.1, 95 and NT machines. It also affects some older versions of Linux. It exploits an overlapping IP fragment bug present in Windows.

UDP, TCP and ICMP attack: This form of attack involves flooding the victim with packets continuously at a very high rate. The victim keeps replying and becomes overwhelmed.

All these attacks make use of IP spoofing so that the attackers' identities are concealed, which has made them almost impossible to trace back, but they can be limited. First let's take a look at how DDOS affects the network using the OSI reference model.

The OSI model (from ISO) divides communication into seven layers. Every layer is specialized to perform a specific function as data moves across. From the user's point of view, data moves from the application layer down to the physical layer.

The lower the layer affected by a DDOS, the larger the amount of resources affected, because the layers above strongly depend on the layers below. But attacks directed at the upper layers are more complex to deploy and also more difficult to detect.


Application: The application database is corrupted so that data processing becomes impossible.

Presentation: Inputting formatting tokens so that the presentation of information becomes unreadable.

Session: Logging out a session that belongs to another user.

Transport: Using a SYN flood to overwhelm a server, taking advantage of the TCP three-way handshake.

Network: Using a fake IP address to appear legitimate to the server. This process is known as IP spoofing.

Data link: Using a process known as ARP spoofing or poisoning. Here the MAC address is spoofed or matched with a different IP address by tampering with the ARP table, and the attacker connects to the server, thereby denying legitimate users the server's resources.

Physical: This cannot be done in a distributed way; it is simply physically unplugging the network cable from the server.
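The data-link entry above describes ARP poisoning as tampering with the ARP table so that a MAC address is matched with a different IP address. The following added example (not part of the essay) shows the defender's side: it compares a trusted baseline ARP table against a fresh snapshot and reports the two signs of that tampering, an IP whose MAC changed and one MAC answering for several IPs. The snapshots are constructed for the example.

```python
import re
from collections import defaultdict

# Matches "ip mac" at the start of a line, as in simplified `arp -n` / `ip neigh` output.
ARP_LINE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I)


def parse_arp(text):
    """Parse ARP cache lines into {ip: mac}; lines that do not match are ignored."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def arp_anomalies(baseline, current):
    """Compare a trusted baseline ARP table against a fresh snapshot and report
    (a) an IP whose MAC has changed since the baseline and
    (b) a single MAC that now claims several IPs."""
    findings = []
    for ip, mac in sorted(current.items()):
        old = baseline.get(ip)
        if old is not None and old != mac:
            findings.append(f"MAC change for {ip}: {old} -> {mac}")
    by_mac = defaultdict(list)
    for ip, mac in current.items():
        by_mac[mac].append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            findings.append(f"{mac} claims several IPs: {', '.join(sorted(ips))}")
    return findings


# Constructed snapshots: 192.0.2.1 is the gateway. In the second snapshot the MAC
# of host 192.0.2.20 has taken over the gateway's ARP entry.
BASELINE_ARP = """\
192.0.2.1    00:11:22:33:44:01
192.0.2.10   00:11:22:33:44:0a
192.0.2.20   00:11:22:33:44:14
"""
CURRENT_ARP = """\
192.0.2.1    00:11:22:33:44:14
192.0.2.10   00:11:22:33:44:0a
192.0.2.20   00:11:22:33:44:14
"""

if __name__ == "__main__":
    for finding in arp_anomalies(parse_arp(BASELINE_ARP), parse_arp(CURRENT_ARP)):
        print(finding)
```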


DDOS attacks are launched using different kinds of tools, and the way attackers connect to their zombies depends on the tool they are using. These tools follow a particular sequence:

Mass intrusion phase: This is the stage where the tool automatically identifies weaknesses in different machines, gains root access to them and installs the DDOS software on them. These compromised machines are the primary victims. This can be done with the help of Trojans, which might contain the DDOS software too.

DDOS attack phase: The compromised systems are now used to launch a massive attack against the victim.


Types of attack tools.

1. Trinoo: This was the first tool used to launch DDOS. It usually scans for buffer overflows found on Solaris to obtain a root shell on the host that is then compromised. It can be used to launch Smurf, ICMP, SYN and UDP floods. The attacker controls the master through a root backdoor and communicates with the zombies using ICMP Echo replies.

2. TFN (Tribe Flood Network): This is an advanced version of Trinoo where the IP address of the daemon is encrypted.

3. Stacheldraht: This combines the best features of TFN and Trinoo. Here the communication between the master and the handlers is encrypted.


Ways of limiting DDOS can be proactive (preventing the attack before it happens) or reactive (dealing with the attack as it is happening).

PROVING HUMAN IDENTITIES: This is a proactive measure against DDOS where legitimate clients are sometimes asked to solve a certain puzzle to prove that they are human. This can be done using randomly selected words or phrases; the "human" is asked to type the words into a text box.

The example in the figure below was cropped from a sign-up form of Yahoo Mail.

COOKIES: This method is effective at limiting TCP SYN attacks. It makes sure that the server stays stateless until the client has produced at least two messages. The server state is stored in a cookie and sent to the client. The cookie contains the server's IP address and port. After the client responds, a cookie is generated again and compared with the one sent back by the client. It is a proactive method.
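The TCP SYN attack described earlier and the cookie defence just described fit together as follows. The added example below (not the essay's own code) implements a SYN cookie in the style used by Linux: the server encodes a time counter, the client's MSS and a keyed MAC over the connection tuple into the sequence number of its SYN-ACK, keeps no state for the half-open connection, and only recomputes and compares the cookie when the third handshake message arrives. The secret key, addresses and timestamps are constructed for the example.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo secret: a real server generates a fresh random key at boot.
SERVER_SECRET = b"demo-secret-key-constructed-for-this-example"

# MSS values that fit in the cookie's 3-bit field (Linux keeps a table like this).
MSS_TABLE = [536, 1220, 1440, 1460]


def _mac24(src_ip, src_port, dst_ip, dst_port, client_isn, count, mss_idx):
    """24-bit keyed MAC over the connection tuple and the cookie's own fields."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{client_isn}|{count}|{mss_idx}".encode()
    digest = hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()
    return struct.unpack(">I", digest[:4])[0] & 0xFFFFFF


def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, mss, now=None):
    """Build the 32-bit sequence number the server puts in its SYN-ACK.
    Layout: 5-bit time counter (64 s units) | 3-bit MSS index | 24-bit MAC.
    Nothing about the half-open connection is stored on the server."""
    now = time.time() if now is None else now
    count = int(now // 64) & 0x1F
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    mac = _mac24(src_ip, src_port, dst_ip, dst_port, client_isn, count, mss_idx)
    return (count << 27) | (mss_idx << 24) | mac


def check_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_seq, ack_num, now=None):
    """Validate the handshake's final ACK. Returns the recovered MSS when the
    cookie is genuine and recent, else None (the server simply drops the ACK)."""
    now = time.time() if now is None else now
    cookie = (ack_num - 1) & 0xFFFFFFFF        # the server ISN we sent was the cookie
    client_isn = (client_seq - 1) & 0xFFFFFFFF  # client's ISN from its original SYN
    count = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    current = int(now // 64) & 0x1F
    if (current - count) % 32 > 1:             # older than roughly two minutes: stale
        return None
    expected = _mac24(src_ip, src_port, dst_ip, dst_port, client_isn, count, mss_idx)
    if not hmac.compare_digest(expected.to_bytes(3, "big"), (cookie & 0xFFFFFF).to_bytes(3, "big")):
        return None
    return MSS_TABLE[mss_idx]


if __name__ == "__main__":  # constructed handshake: client ISN 1000, server 192.0.2.1:80
    c = make_syn_cookie("203.0.113.9", 4321, "192.0.2.1", 80, 1000, 1460, now=1_000_000)
    print(check_syn_cookie("203.0.113.9", 4321, "192.0.2.1", 80, 1001, c + 1, now=1_000_000))
```

A SYN that never gets its ACK costs the server nothing, and a forged or replayed ACK fails the MAC or freshness check and is dropped.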


SOS: This method is used to secure communication networks where the client and the server are already known to each other, i.e. the client has authorisation to communicate with the particular server.

The method combines routing through regular hashing with filtering.

It is done in five stages:

-The client machine forwards its packet to a specialised overlay node known as the SOAP. The SOAP receives the packet and verifies that the client is legitimate for the intended server.

-The packet is routed by the SOAP to a specialized node in the SOS architecture called a beacon.

-The packet is forwarded to a "secret" node known as the secret servlet. The identity of the secret servlet is known only to a small subset of the computers participating in the SOS architecture.

-The packet is forwarded to the target by the secret servlet.

-Filters around the target deny all traffic from reaching the target, apart from traffic sent from a location whose IP address is that of the secret servlet.


For this framework to be successful, the legitimate client needs to be aware of where the active server is located and how it will move from one point to another while a connection is ongoing, as represented in the figure below.

For the client to know where the active server is, it should have at least two pieces of information: the server's address and the time the server will be active. This information can be obtained through a couple of exchanges between the client and the server. To limit DDOS attacks on the Internet, a secure communication channel must be established between the client and the server that provides privacy and integrity to protect this information.

The main purpose is to provide an architecture for transferring the end point of an ongoing connection from one location and re-establishing it in another location with an entirely new IP address or even a new port number. But there are four issues that have to be dealt with:

-How the ongoing connection is going to continue at the new end point.

-The effect on the application layer and network stack of both the client and server sides.

-How to recover both the application state and the connection.

-When to invoke the migration.