Distributed Denial Of Service Education Essay

Published: Last Edited:

This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

Distributed denial-of-service attacks pose an immense threat to the Internet, and consequently many defense mechanisms have been proposed to combat them. Attackers constantly modify their tools to bypass these security systems.

The DDoS field is evolving quickly, and it is becoming increasingly hard to grasp a global view of the problem.

A DDoS (distributed denial of service) attack quickly overwhelms a company's server, router, and firewall or network link with traffic. DDoS traffic also creates a heavy congestion in the Internet core which disrupts communication between all Internet users whose packets cross congested routers.

This paper strives to introduce some structure to the DDoS ATTACK outlining how it is established, possible way of tracing the attacker and DDoS defense systems.

The goal of the paper is to highlight the important features of both attack and security mechanisms and stimulate discussions that might lead to a better understanding of the DDoS problem.


A distributed denial-of-service attack deploys multiple machines to attain this goal. DDoS attacks involve breaking into hundreds or thousands of machines all over the Internet. Then the attacker installs DDoS software on them, allowing them to control all these burgled machines to launch coordinated attacks on victim sites. These attacks typically exhaust bandwidth, router processing capacity, or network stack resources, breaking network connectivity to the victims.

This section will answer the following questions:

  1. What makes DDoS attacks possible?
  2. How do these attacks occur?
  3. Why do they occur?

What is a Denial of Service (DoS) Attack?

An attacker inundates its victim with otherwise legitimate service requests or traffic such that victim's resources are overloaded and overwhelmed to the point that the victim can perform no useful work.

What is a Distributed Denial of Service (DDoS) attack?

A newly emerging, particularly virulent strain of DoS attack enabled by the wide deployment of the Internet.

A. DDoS Example

February 7th and 8th, 2000: several large web sites such as Yahoo!, Amazon, Buy.com, eBay, CNN.com, etc. were taken offline for several hours, costing the victims several millions of dollars.

The design opens several security issues that provide opportunities for DDoS attacks:

  1. Internet security is highly interdependent. DDoS attacks are commonly launched from systems that are subverted through security related compromises.
  2. Internet resources are limited. Each Internet host has limited resources that can be consumed by a sufficient number of users.
  3. Power of many is greater than power of few. Coordinated and simultaneous malicious actions by some participants can always be detrimental to others.


A. Methods of attack:

DoS or worm attacks can be categorized into two main classes:

Spoofing attacks—The attacker pretends to provide a legitimate service but provides false information (if any) to the requester.

Flooding attacks—The attacker exponentially generates and propagates traffic until service resources (servers or network infrastructure) are overwhelmed.

Spoofing attacks best are addressed by authentication and encryption technologies; flooding attacks, on the other hand, can be mitigated using QoS technologies.

Computer systems can also suffer DoS and DDoS attacks. For example, sending an extraordinary amount of electronic mail to someone could fill the computer disk where mail resides. While this is an older style of DoS attack, it is still popular today.

The MyDoom virus is an example of building such a DDoS attack network. In this case, the attack network was built not through technological vulnerabilities but rather through operational vulnerabilities.

B. Explanation of DDoS attacks

DDoS attacks involve breaking into hundreds or thousands of machines all over the Internet. Then the attacker installs DDoS software on them, allowing them to control all these burgled machines to launch coordinated attacks on victim sites. These attacks typically exhaust bandwidth, router processing capacity, or network stack resources, breaking network connectivity to the victims.

Today there's no possibility of performing more than a few back-traces at most, in as little as a few hours. Even that would require some luck to favor your efforts. So as long as the attacker turns their attack off after at most a few hours, you are unlikely to find more than a few of the thousands of machines used to launch the attack; the remainder will remain available for further attacks. And the compromised machines that are found will contain no evidence that can be used to locate the original attacker; your trace will stop with them.

Imagine that an intruder wanted to attack the telephone system and make the system unusable by telephone customers. How would they do this? One way would be to make call after call in an attempt to make all circuits busy. This type of attack is called a denial of service, or Dos attack.

C. Five top tips to mitigating DDoS:

  1. Tracing the Attackers.
  2. Rate limiting.
  3. Return visitors only.
  4. Text only site versions.
  5. Black hole filtering Text only site Versions.


A. Classification of DoS and DDoS Attacks:

1) General attack classification:

A possible classification of IT attacks according to the intention of the cracker could be:

2) Denial of Service (DoS):

The main goal of the attack is the disruption of service. This can be reached by a variety of ways as we will see later.

3) Intrusion:

Here the intention is simply to get access to a system and to circumvent certain barriers. People with such an intention meet the classic image of the old style hackers.

4) Information Theft:

Main goal of this kind of attacks is access to otherwise restricted, sensitive information.

5) Modification:

Here the attacker actively tries to alter information. This kind of motivation is increasing lately as you can see from the enormous number of hacked and altered websites.

B. DoS attack classification:

DoS and DDoS attacks usually use a limited number of well known attacks with names like smurf, teardrop or SYN-Flood.

1) System attacked:

Our first category is the system under attack. First of all we could attack the clients themselves, which is kind of useless as a general DoS attack, because there are just too many of them. As an example: during our experiments some mis configured SYN-flood attack overloaded our university's firewall and blocked most in- and outgoing traffic.

2) Part of the system attacked:

Attack forms can be further divided by the part of the system that is attacked. Attacks targeting the

Operating system or the TCP/IP stack of a host or router is more likely. Many attacks of this type are

Known, some are bugs that can be fixed; some are fundamental limitations of a protocol specification etc.

3) Bug or Overload:

A DoS is a cause of a specific bug or just an overload of components that function according to their specification. Although bugs are often more severe in their effects, most of the time the vendors quickly provide fixes. All the administrators have to do is to apply them to their system in order to avoid further attacks.

C. Preventing DoS Attacks with Lower Layer Authentication:

SSL/TLS has been designed to protect authenticity, integrity, and confidentiality. However, considering the possibility of TCP data injection becomes obvious that this protocol is vulnerable to DoS attacks just because it is layered upon TCP.

The effect of Access-Layer polices on traffic caused by DoS or worm attacks is quite different.

As hosts become infected and traffic volumes

Multiply, congestion might be experienced even within the campus. WAN links also would be protected: VoIP, critical data, and even best-effort flows would continue to receive priority over any traffic marked down to Scavenger/CS1The bottom line is that Access-Layer policies

1) How a "denial of service" attacks works

In a typical connection, the user sends a message asking the server to authenticate it. The server returns the authentication approval to the user. The user acknowledges this approval and then is allowed onto the server.

In a denial of service attack, the user sends several authentication requests to the server, filling it up. All requests have false return addresses, so the server can't find the user when it tries to send the authentication approval.

The server waits, sometimes more than a minute, before closing the connection. When it does close the connection, the attacker sends a new batch of forged requests, and the process begins again--tying up the service indefinitely

2) How to block a "denial of service" attack

One of the more common methods of blocking a "denial of service" attack is to set up a filter, or "sniffer," on a network before a stream of information reaches a site's Web servers. The filter can look for attacks by noticing patterns or identifiers contained in the information. If a pattern comes in frequently, the filter can be instructed to block messages containing that pattern, protecting the Web servers from having their lines tied up.

D. Types of DoS attack

SYN Flood: the SYN flood happiness when hundreds of spoofed SYN (Synchronization) requests are sent to the target system. These requests are normally used for synchronization when initiating connection. Then the system reserves a very small buffer space to handle the particular connections and to send the ACK-SYN reply.

LAND attack: The Land Attack is a variation of the

SYN Flood attack is performed by launching TCP/IP packets with the same source and destination IP address and port. Most OS and devises are protected and so the attack is ineffective

Smurf (Fraggle): The Smurf attack is similar to the Ping of Death attack, but the Smurf attack is more malicious. The perpetrator sends a large amount of ICMP echo (ping) traffic at broadcast addresses, all of it having a spoofed source IP address of the target computer (usually in the same network).


Many Windows and MacOS-based systems contain operating systems and browsers that have security vulnerabilities that can be exploited by hackers. The hacker planning a DDoS attack identifies and infiltrates numerous computers and networks with these vulnerabilities, planting and hiding DDoS attack tools in them - turning them into "zombies," as mentioned earlier, because they lie asleep until wakened - until it is time to trigger a coordinated flood attack, all of which is controlled remotely.

A DDoS attack system requires coordination of different systems: handlers, zombies, and the victim. To generate a flood of network traffic to the victim's site, the attacker issues commands to "handler" computers, which in turn each send commands to a troop of zombie computers? One hacker can get 10,000 zombie machines together and aim them at one or more Web sites.

There is no end in sight to this threat, because at present there is no deployed and fully automated solution to combat the DDoS problem.

Some tools, manual procedures and administrative processes, while helpful, do not provide a complete reliable solution. For example, ISPs are advised to implement "ingress filtering," which is supposed to filter existing packets that do not have source addresses within their purview in an effort to reduce packet source forgery (though few ISPs do this because there's no direct subscriber benefit). Intrusion detection tools try to identify if hackers have infiltrated computers; however, these tools that fight "zombie infestation" rely on known intrusion and attack signatures and therefore share the same weakness as virus detection tools: they're always playing catch up with sophisticated attackers who are a technology step or two ahead of them.

Some products try to address the problem at the site or ISP level through the use of "smart filtering," whereby they seek to analyze packet traffic and stop those coming from an attacker. This approach is, again, much like virus scanning software: defences are always trying to keep up with, and are always a little behind, the attackers.

To help blunt these attacks, security vendors are embedding stronger intelligence into networking filters and other network devices, but these efforts are proving to be limited in their success, as DDoS attack tools become more sophisticated and their schemes more complex.

A. Prevention and response:

Surviving attacks: The investigative process should begin immediately after the DoS attack begins. There will be multiple phone calls, callbacks, emails, pages and faxes between the victim organization, one's provider, and others involved. This can be a very time consuming process. It has taken some very large networks with plenty of resources several hours to halt a DoS attack.

Firewalls: Firewalls have simple rules such as to allow or deny protocols, ports or IP addresses. Some DoS attacks are too complex for today's firewalls, e.g. if there is an attack on port 80 (web service), firewalls cannot prevent that attack because they cannot distinguish good traffic from DoS attack traffic. Additionally, firewalls are too deep in the network hierarchy.

IPS based prevention: Intrusion-prevention systems (IPS) are effective if the attacks have signatures associated with them. However, the trend among the attacks is to have legitimate content but bad intent. Intrusion-prevention systems which work on content recognition cannot block behavior based DoS attacks.

B. Prevention via Proactive Testing:

Test platforms such as Mu Dynamics Service Analyzer are available to perform simulated denial-of-service attacks that can be used to evaluate defensive mechanisms such IPS, RBIPS, as well as the popular denial-of-service mitigation products from Arbor Networks.

Master machine brings attack to zombie machines on the same network.

C. DDOS Goal:

The goal of a DDoS attack is to inflict damage on the victim, either for personal reasons, for material gain or for popularity.


Although DDoS attacks have been recognized as a serious problem, we are not aware of any other attempt to introduce formal classification into the DDoS attack mechanisms. Most manufacturers have realized the importance of defense measures against DoS attacks. Almost all firewalls are able to hold half-open states for several thousand connections. Firewalls are even capable of stateful processing of packets: This allows dropping of packets which make no sense in the current state of a TCP connection.


Distributed denials of service attacks are a complex and serious problem, and consequently, numerous approaches have been proposed to counter them. This paper is a first attempt to cut through the obscurity and achieve a clear view of the problem and its solutions. We think that automatic traffic monitoring and automatic traffic shaping are promising ways of dealing with high bandwidth DoS attacks and should be implemented in future commercial products.


1.CERT Advisory CA-98.01 "smurf" IPDenial-of-Service-Attacks, www.cert.org/advisories

2.L.Stein,TheWorldWideWeb security.

http://www.w3.org/Security/Faq/-visited 04.10.2000.


4.CERT Coordination Center, "Denial of Service Attacks,"



6.J. D. Howard, "An analysis of security incidents on the Internet,"

PhD thesis, Carnegie Mellon University, August 1998.

7.F. Kargl, J. Maier and M. Weber, "Protecting web servers from

distributed denial of service attacks," In Proceedings of 10th

International World Wide Web Conference, May 2001.