Denial of Service Attack (DoS) Detection and Mitigation
By Stephen Bucaro
A Denial of Service Attack is when a hacker attempts to consume such a large amount of
a server's resources that its services will be unavailable to its intended users. For example,
a DoS attack against a web server attempts to prevent it from serving web pages to legitimate
One common method of DoS involves making thousands of requests for webpages from a targeted
server, using up its bandwidth and resources such that it responds to legitimate requests
for webpages so slowly as to be rendered effectively unavailable to legitimate users. Frequently
the target web server's attempt to satisfy all requests causes it to crash.
SYN flood DoS attack
Another common method of DoS involves exploiting TCP's handshaking mechanism. TCP's handshaking
technique to start a session is sometimes referred to as SYN, SYN-ACK, ACK. A host starts
a session by sending a packet with the synchronize (SYN) flag set. When the server receives
it, it responds by sending a packet with both the SYN and ACK (acknowledge) flags set. The
host then completes the handshake by sending a third packet with the ACK flag set.
At this point, both computers have established a TCP session and data can be transmitted
between the two computers. However, in a SYN flood attack, the attacker never sends the
third packet. The session is held half open, and the server will continue to try to complete
the session. The attacker sends thousands of SYN packets, never responding to the server's SYN-ACK
packet, causing thousands of TCP sessions to be held half open, preventing the server from
responding to legitimate requests.
Distributed Denial of Service (DDoS) Attack
A DDoS attack is a DoS attack initiated from multiple computers, sometimes thousands of them.
Over a period of time thousands of computers on the Internet can be infected with viruses called
bots. The infected computers become zombies, which a hacker forms into a botnet
that the hacker controls and can direct to launch an attack against a specific system.
The DDoS attack can be a SYN flood attack initiated by thousands of zombie clients, or
it can be thousands of zombie clients sending ping requests to a server. The server
can be overwhelmed while trying to answer all the pings and becomes much slower to respond,
or unable to respond, to legitimate requests.
DoS, DDoS Detection and Mitigation
Since a DDoS attack comes from thousands of zombie computers around the world, the companies
best able to detect and mitigate them are owners of global communications networks, like Verizon
and AT&T. These companies scan their networks for malicious traffic patterns and, if an
attack is discovered, they can filter out the attack traffic while still delivering legitimate
traffic to the user. Of course the cost of this service is steep, at over $5,000 a month to the customer.
McAfee has a DoS detection system called IntruShield which uses a patented stateful
signature, anomaly, and DoS statistical analysis technique. However, for the most part, local
administrators are on their own, using network scanners and reconfiguring their firewalls when
they suspect a DoS attack.
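An added example, not from the original article, of the kind of check a local administrator can script for the SYN flood described above: it parses a snapshot of the server's TCP connection table in a simplified netstat-like format (the format, the addresses and the thresholds are constructed for illustration) and reports remote addresses that are holding an unusual number of half-open, SYN_RECV sockets.

```python
from collections import defaultdict

# Constructed sample snapshot of a server's TCP connection table, NOT real
# captured data. Simplified netstat-like format: "proto local remote state".
# 198.51.100.7 has opened several sessions and never sent its final ACK.
SAMPLE_CONNTABLE = """\
tcp 10.0.0.5:80 198.51.100.7:40001 SYN_RECV
tcp 10.0.0.5:80 198.51.100.7:40002 SYN_RECV
tcp 10.0.0.5:80 198.51.100.7:40003 SYN_RECV
tcp 10.0.0.5:80 198.51.100.7:40004 SYN_RECV
tcp 10.0.0.5:80 203.0.113.9:51234 ESTABLISHED
tcp 10.0.0.5:80 203.0.113.9:51235 SYN_RECV
tcp 10.0.0.5:443 192.0.2.33:60010 ESTABLISHED
"""


def parse_conntable(text):
    """Yield (remote_ip, state) for each socket line; skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        # Strip the port; rsplit keeps IPv6 literals such as [::1]:80 intact.
        remote_ip = parts[2].rsplit(":", 1)[0]
        yield remote_ip, parts[3]


def half_open_by_source(text):
    """Count half-open (SYN_RECV) sockets per remote address."""
    counts = defaultdict(int)
    for ip, state in parse_conntable(text):
        if state == "SYN_RECV":
            counts[ip] += 1
    return dict(counts)


def suspected_syn_flooders(text, per_source_threshold=3, total_threshold=50):
    """Flag a flood when one source, or the server as a whole, holds too many
    half-open sockets. Thresholds are illustrative; tune them to the server's
    normal load, since a single busy client can legitimately show a few."""
    counts = half_open_by_source(text)
    total = sum(counts.values())
    sources = sorted(ip for ip, n in counts.items() if n >= per_source_threshold)
    return {
        "total_half_open": total,
        "sources": sources,
        "flood_suspected": bool(sources) or total >= total_threshold,
    }


if __name__ == "__main__":
    print(suspected_syn_flooders(SAMPLE_CONNTABLE))
```

A single snapshot only shows the state at one instant; a useful detector polls repeatedly and alerts when the half-open count stays high or grows, which is also the condition under which the server described above stops answering legitimate requests.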