Types of DoS (Denial of Service) Attacks
The types of methodologies used in DoS attacks are many, but they can be divided into
three essential categories: Flood attacks, Logic attacks, and Distributed Denial-of-Service
(DDoS) attacks. Each has several methods within it that attackers may use to compromise or
completely shut down an Internet-connected server.
The premise of a flood attack is simple. An attacker sends more requests to a server
than it can handle, usually in a relentless manner, until the server buckles and gives in to
the attacker. Once this type of attack ends, the server can return to normal operation. Flood
attacks are very common because they are easy to execute, and the software used to execute
them is easy to find. Methods of flooding include:
• Ping flooding - a method where the attacker or attackers flood the target server
with ICMP Echo Request (ping) packets. This method depends on the victim returning ICMP Echo
Relay packets, greatly increasing bandwidth usage and eventually slowing down or stopping the server.
• SYN flood - an attack in which the attacker sends repeated SYN requests
(a TCP connection) that the target accepts. Normally, the server replies with a SYN-ACK response,
and then the client follows up with an ACK to establish the connection. In a SYN flood, the
ACK is never sent. The server continues to wait for the response, and if enough of these unfinished
connections build up, the server can slow or even crash.
• Smurf attack - While a ping flood depends on the attacker's computer sending
each ping, a smurf attack spoofs ping messages to IP broadcast addresses. If the target machine
responds and in turn broadcasts that IMCP echo request, it passes on to even more and eventually
spreads to more machines, which can forward the packets to even more. Modern routers have mostly
fixed this issue, making smurf attacks less common.
• UDP attack - A UDP flood involves sending multiple high volume UDP packets
to occupy the target system and prevent legitimate clients for accessing the server. The process
requires the attacker to find out if a UDP port is free and has no application listening on
it. It then sends the UDP packets, and the server is forced to reply with an ICMP destination
Although the goal of a logic attack is the same as a flood attack, the method of intrusion
is much different and often more subtle. While flood attacks usually look to bombard a server
with an unusually high amount of standard traffic, logic attacks rely on non-standard traffic,
exploited through security holes in your system.
Generally, a logic attack requires your server to have a discoverable weakness that the
attacker can locate and then use against it. Because of this prerequisite, it is usually easy
to prevent by keeping your server software and hardware up-to-date with the latest security
patches and firmware respectively.
Many security firms, IT professionals, and software developers regularly test popular
proprietary and open source software for security holes. When they find one, the holes are
usually quickly fixed, but the only way to accomplish wide distribution of fixes is to publish
the exploits. Attackers can then search for unpatched servers and infiltrate them.
While many logic attacks are strategic, it is possible for an attacker to randomly choose
a server by using software to locate exploits on the Internet. For that reason, you should
keep your server secure, even if you do not think someone has a reason to attack it.
Distributed Denial of Service (DDoS)
If the aforementioned DoS attacks are akin to tornadoes, then a DDoS is like a hurricane.
The techniques for attack are usually the same. They may be flood attacks or logic attacks.
The difference is that a DDoS comes from multiple attackers in a simultaneous and coordinated
assault. Because of the severity and sheer power of a DDoS, it has become a common tool for
cyber terrorists, political dissidents, and general protests against corporations or other
One of the common features of a DDoS is the usage of spoofed IP addresses, making it
difficult to block the attackers. Futhermore, many of the computers used in a DDoS may have
completely innocent owners who are not aware that their computers are being used in an attack.
A DDoS will usually start with a single attacking computer, but rather than exposing
itself by using a direct attack, it will locate vulnerable computers and servers all over the
world and secretly install the attacking software on them. In many cases, those infected computers
will then seek out more "agents" to use in the attack. When the attacker is finish amassing
this cyber army, they could have hundreds or even thousands of agents.
Prevention, Detection, and Mitigation
Some types of DDoS attacks can be prevented by blocking unused ports, keeping software
updated, and using modern networking hardware. Others simply cannot be prevented, especially
if it is a DDoS. The best you can do in those situations is to use detection software to find
the attacks early and stop them from doing too much damage to your service.
For more information on DDOS protection & mitigation, visit DOSarrest,
a global leader in protection against distributed denial of service attacks.
More Network Security Articles:
• How Snort's Stealth TCP Port Scanning Works
• Intrusion Detection System (IDS) and Intrusion Prevention System (IPS)
• ARP, MAC, Poisoning, and WiFi Security
• NMAP (Network Mapper) Port Scanner
• Public Key Infrastructure
• Man in the Middle Attack
• Detecting Network Sniffers
• Data Encryption
• Domain Name System (DNS) Vulnerabilities
• Firewall Internet Security - The Basics of a Firewall