Summary Of DDOS Distributed Denial Of Service Computer Science Essay

Published: Last Edited:

This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

Distributed Denial of Services (DDoS) is today one of the most powerful vulnerabilities of the internet. The different types of DDoS attacks, the potential means of limiting them and the methods to trace and locate the attacker are discussed below in this paper.

Summary of DDOS (Distributed Denial of Service):

This is a coordinated attack done in large scale on the availability of services at a network resource or a victim system. It is performed by sending a huge number of packets to a destination machine by concurrent cooperation of a vast number of hosts which are scattered all over the internet. As this attack uses the bandwidth resources of the computing resource or network at the destination host, the valid requests will not be processed. The effect of these attacks can be as minor as a temporary inconvenience to the website users or it may result in serious loss of finance to the organisations that depend on their online availability to conduct business. Since there are several attack tools available in the market to coordinate and implement a large scale attack, distributed denial of service (DDOS) attacks have high probability of becoming an increasing threat to the internet. These tools being very user friendly and simple to operate, even an unskilled person can launch a damaging attack. TFN, Shaft, Trinoo, Stacheldraht and TFN2K are some of the tools available in the market and have been used to attack popular commercial sites like Amazon, Yahoo and EBay. In order to eliminate the threat of a DDoS attack we would have to secure all the machines that are there on the internet against being misused. Since this option is by and large not practical, a large number of websites equip their crucial systems with copious resources to deal with these threats. However this does not guaranty the exhaustion of the additional resources because an enough strong attack can consume all this additional resources. The only feasible option is to design and implement defence mechanisms which can sense and respond to the attack by letting of the surplus traffic. Normally the DDOS attack is detected at the victim resource because it is easy to notice odd behaviour of the attack. But detecting it at this stage is generally very late. So, ideally it should be restrained as closed as possible to the source machines as this would result in minimizing congestion and it would also save network resources. But detecting these attacks is not very straight forward because these streams do not display any common features. DDOS attacks are a great threat to the internet. 13 DNS root servers were victims of a DDOS on 20 October 2002. A mean internet user hardly noticed the effects of this attack because it lasted for just an hour. However 7 out of the 13 root servers were shut down and this exemplifies the susceptibility of the internet to DDoS

attacks. DDoS attacks happen when a number of subverted systems generate by huge amount of synchronized traffic directed towards a destination machine thereby over loading the resources on this machine. These attacks are some the advanced ways of making a network machine unavailable for rightful network users. Since there are several free-to-use attack tools that are user friendly and simple to operate, the probable threat of these attacks to the internet is very high. Moreover the attackers may not be punishable because it is very hard to trace and locate the agent system or the offender who launched the attack.

Characteristics of DDoS:

The characteristic feature of a denial of service attack is that it is an explicit try made by an attacker to prevent rightful user of a service from utilizing the intended resources of the destination system. Below are a few of the examples of the DOS attacks:

Attempts to congest a network by flooding it with a huge volume of illegitimate requests. There by preventing rightful network traffic.

Restricting a specific individual from accessing a network service.

Interrupt service to a particular person or system.

Interrupt the connections between two or more network machines or systems resulting in denial of access to those machines or systems.

In addition to these characteristics, a DDoS attack being in a distributed layout is characterised by the "many-to-one" dimension is further difficult to prevent. Distributed Denial of Service attack comprises of the following elements:

Real Attacker - this is the actual person who conducts the DDoS attack.

Victim - this is the destination host that receives the burden of the attack.

Daemons - these are the agent programs which launch the attack on the victim systems. Though these agents are generally deployed in the host machines, they tend to affect both the host as well as the destination machines. In order to deploy the daemons on to the host machines the attacker needs to get access and infiltrate into it.

Master - usually referred to as the control master program. This is a program using which the actual attacker can hide behind the scene of an attack.

The steps performed in DDoS attack are as mentioned below:

The Real Attacker transmits an 'execute' request to the Master.

On the receiving the 'execute' request Master program sends a 'attack' message to the daemon agents which it controls.

On receiving a attack message the daemons initiate an attack on the Victim.

Methods of Distributed Denial of Service Attacks:

Attackers managed and implemented these attacks with the help of these techniques. In February 2000, these attacks inundated the internet all over the world. Even though the techniques are still depending on the attack types explained previously to carry out distributed attacks. These all different types of techniques are scheduled in sequential order. As time has passed by, the distributed techniques have become more complicated to detect and have enhanced to a large scale on the technical aspects. The distributed techniques are







It uses the Transmission Control Protocol to exchange commands between the Real Attacker and the Master program.

The Master program uses the User Datagram Protocol (UDP) packets to communicate with the deamon agents.

The daemons launch the attack by flooding the Victim with UDP packets.

Tribe Flood Network (TFN):

Communication between the Attackers and the Control Master program is done through a command line interface.

The control Master program communicates with the daemons using ICMP echo reply packets.

Daemons launch the attack on Victims using Smurf, UDP flood, SYN flood and ICMP flood attacks.


In German it is termed as the "barbed wire". This is similar to Tribe Flood Network (TFN). However, there are a couple of differences between these two techniques.

This uses encrypted TCP to communicate between the attackers and the master control program.

Communication between the master control program and daemons is all conducted by using the ICMP and the TCP protocols.

The last step in the attack still remains the same as in TFN i.e., the daemons launch the attack on victims using SYN Flood, Smurf, ICMP Flood and UDP Flood.


Shaft is designed on the lines of Trinoo.

The Real Attacker communicates with the control Master using a simple TCP telnet connection.

Control Master communicates with the Attack Daemons using UDP packets.

The daemons launch the attack by flooding the Victim with UDP packets.

A key characteristic difference between Shaft and Trinoo is that Shaft is able to switch the servers and the ports of the control master in real time. Consequently infiltration detection tools find it difficult to trace such attacks.


The real attacker communicates with Control Master Program using an encrypted key-based CAST-256 algorithm.

The control Master program communicates with the attack daemon agents using UDP, TCP, ICMP or all of the three protocols.

The Daemons launch the attack on the victims using UDP flood, SYN Flood, ICMP Flood and Smurf attacks.

The distinctive characteristic of TFN2K is that it performs covert exercises to conceal itself from infiltration detection systems and tools.

Ways of Limiting the DDoS Attack

SYN Proxy:

During the process of SYN flood some of the machines will start spoofing the IP addresses and will send the SYN packets. When a request received by the server, it responds for that request and gives as the TCP SYN/ACK packet. When that process is going on the server will store the IP address of that machine in the table of connections. When the Daemons make sends the SYN packets and waiting for the SYN/ACK, so the server will check the IP address of that machine in the connection table and gives the responds. If the IP address of that machine is not exit in the table, so it waits for the long duration of time. Therefore this gives the result as the connection request will be done when the rightful IP address is exist in table of connection at the server. Since it done then it gives SYN/ACK.

Connection Limiting

On continues request to the server makes burden to it. So by limiting the new connection number of request we can make small break to the server temporarily. For doing this we need to give first choice to the old or existing connections and declining the some of the new connections coming to the server.

Destructive Aging:

Some users will make a request to the server machine from some IP address, for a rightful connection and not being active for long time means doing nothing with that. That IP addresses will fills the table of connection in the servers and firewall which makes idle. By destructive aging that inactive connections can provide some support to the server/firewall. This Destructive aging will remove or destroy the connection from the tables and involves in TCP RST packet sending to the firewall/server.

Source Rate Limiting:

The limited sources are available for the bot net master then he/she can use send 'n' number of packets to the victim. Due to the 'n' number of packets it gives the burden to the server. When in the continuous sending of packets causes such type pattern of attacks. By finding the outlier IP address user can break the norms where they deny the excessive bandwidth. Where in the IP address such attacks are not expected so, it is important to keep track n number of IP addresses and their behaviour to isolate outliers. Where this type isolations can be done in silicon and it is very difficult to achieve by any other software's, there is one technique to excessive memory bandwidth requirements. So, we can reduce the rate of limiting.

Dynamic Filtering:

Generally in the firewalls there is static filtering technique. Where routers and switches and regularly achieved by using the technique ACL (Access Control List). When the attack and the attackers changes our systems constantly the Dynamic filtering can identify and undisciplined behaviour and punishing that behaviour for the short time. To remove time span in this process, is done by creating a short span filtering rule.

Active Verification through Active IP Address Matching:

For anti spoofing a great technique is used that is termed as SYN Proxy, so for every duration of time there SYN flood, with in the short time, if the appliance is sending the packets of SYN/ACK back that would add heavy traffic in the out bound. So, to overcome such kind of reverse flood user has to identify the rightful IP address in the connection table for short span of time and let them go without any SYN proxy check. So, it is possible for the attackers to misuse holes, therefore it is important to have check on the rightful IP addresses by completing the 3 way hand shacking.

The 3 way hand shacking is




Figure: 3-Way- Handshaking

DDOS attackers tracing:

One of the frequent reactions of attempt would be "trace" the attacker.  Instead of traditional DoS, DDoS comes with multiple sources. Easy way to determine which of the routers having many hops up from network is managing many packets is DDoS but in this method it requires support from many sources as we are unable to examine packets with upstream router. ISPs in this process will carry same steps. These are recognized by the offending traffic type by DDoS as it will try to match with the existing list


IP Trackback Technology:

One of the most powerful techniques to overcome the DDoS attacks and this will also distribute its attacks. As we cannot directly gain any path information from the packets so stateless protocol is IP. The drawback of this is the minuet occupies the source address and allows the attackers to manipulate the source address in his case it very tough for the victim to catch the attacker when it is attacked. Victim gives the only information of the received packets by IP trace back technology we can get the location of the attacker by the inputs given by the victim. two main ideas of IP trace back technology is to locate the IP address and to also to rebuild the path of attack but in the second case as it will manipulate the source address we use the DDoS attacker. IP trace back technology includes packet marking technology, the log technique, ICMP tracing technology, import filter technology and link testing technology. In DDoS attacker tracing algorithm link signature is based on packet marking. The main intension of this method is to rebuild and enable the path. When forwarding them each router marks the attack packets and victim rebuilds the path according to the marks on received attack packets. This process is called as packet making algorithm and use to rebuild the path is called reconstruction algorithm.


In this project discussed about the overview, characteristics and the methods of the distributed denial of service. Explained about the connections between the various types, the connections are with the real attacker, master program and the victims via different protocols. And discussed about the limiting ways of the DDoS attack. Tracing out the attacker when the attack is occurred. Even though there is many different ways has discovered, but still there is no permanent solution for this attack.