Acropolis Institute of Technology and Research, Indore
Department of Computer Science Engineering Faculty Name: Rashid Sheikh
DoS and DDoS Attack
CS503-(C): Cyber Security
Date: 22-23 Oct 2020
DoS and DDoS
Course Objectives
● DoS and DDoS
DoS (Denial of Service) Attack
● A Denial-of-Service (DoS) attack is an attack meant to shut
down a machine or network, making it inaccessible to its
intended users.
● DoS attacks accomplish this by flooding the target with
traffic, or sending it information that triggers a crash.
● A DoS attack deprives legitimate users (i.e. employees,
members, or account holders) of the service or resource
they expected.
● DoS attacks often target the web servers of high-profile
organizations such as banking, commerce, and media
companies, or government and trade organizations.
DoS (Denial of Service) Attack
There are two general methods of DoS attacks: flooding services or
crashing services.
Flooding Services: Flood attacks occur when the server receives more
traffic than it can buffer, causing it to slow down and eventually stop.
Popular flood attacks include buffer overflow attacks, where the idea is
to send more traffic to a network address than the programmers built
the system to handle.
Crashing Services: These DoS attacks simply exploit vulnerabilities
that cause the target system or service to crash. In these attacks,
input is sent that takes advantage of bugs in the target, which then
crash or severely destabilize the system so that it can’t be accessed
or used.
DDoS (Distributed Denial of Service) Attack
A DDoS attack occurs when multiple systems organise a synchronized DoS attack
against a single target. The essential difference is that instead of being attacked
from one location, the target is attacked from many locations at once. The
distribution of hosts that defines a DDoS gives the attacker several advantages:
● The attacker can leverage the greater number of machines to execute a
seriously disruptive attack
● The source of the attack is difficult to pinpoint due to the random distribution of
attacking systems (often worldwide)
● It is more difficult to shut down multiple machines than one
● The true attacking party is very difficult to identify, as they are disguised behind
many (mostly compromised) systems
Modern security technologies have developed mechanisms to defend against most
forms of DoS attacks, but due to the unique characteristics of DDoS, it is still
regarded as an elevated threat and is of higher concern to organizations that
fear being targeted by such an attack.
DDoS (Distributed Denial of Service) Attack
[Figure: DDoS attack diagram with labels "Attacker", "source" and "Server"]
DoS Attack Classification
Volume Based Attacks
Includes UDP floods, ICMP floods, and other spoofed-packet floods. The
attack’s goal is to saturate the bandwidth of the attacked site, and
magnitude is measured in bits per second (bps).
Protocol Attacks
Includes SYN floods, fragmented packet attacks, Ping of Death, Smurf
DDoS and more. This type of attack consumes actual server resources, or
those of intermediate communication equipment, such as firewalls and
load balancers, and is measured in packets per second (pps).
Application Layer Attacks
Includes low-and-slow attacks, GET/POST floods, attacks that target
Apache, Windows or OpenBSD vulnerabilities and more. Comprised of
seemingly legitimate and innocent requests, the goal of these attacks is to
crash the web server, and the magnitude is measured in requests per
second (rps).
DoS Attack Types
UDP flood
It is any DDoS attack that floods a target with User Datagram Protocol
(UDP) packets. The goal of the attack is to flood random ports on a remote
host. This causes the host to repeatedly check for the application listening
at that port, and (when no application is found) reply with an ICMP
‘Destination Unreachable’ packet. This process consumes host resources,
which can ultimately lead to inaccessibility.
ICMP Flood (Ping Flood)
An ICMP flood overwhelms the target resource with ICMP Echo Request
(ping) packets, generally sending packets as fast as possible without
waiting for replies. This type of attack can consume both outgoing and
incoming bandwidth, since the victim’s servers will often attempt to
respond with ICMP Echo Reply packets, resulting in a significant overall
system slowdown.
DoS Attack Types
SYN flood
A SYN flood DDoS attack exploits a known weakness in the TCP connection sequence
(the “three-way handshake”), wherein a SYN request to initiate a TCP connection with a
host must be answered by a SYN-ACK response from that host, and then confirmed by
an ACK response from the requester. In a SYN flood scenario, the requester sends
multiple SYN requests, but either does not respond to the host’s SYN-ACK response, or
sends the SYN requests from a spoofed IP address. Either way, the host system
continues to wait for acknowledgement for each of the requests, binding resources until
no new connections can be made.
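The defender's view of the handshake described above: an added example (not from the original slides) that replays a constructed packet trace and counts handshakes stuck after SYN / SYN-ACK. Addresses, ports and the backlog limit are assumed sample values.

```python
from collections import Counter

def track_handshakes(packets, server_ip):
    """packets: (src_ip, src_port, dst_ip, dst_port, flags) tuples in arrival order,
    flags one of 'SYN', 'SYN-ACK', 'ACK'. Returns handshake-state counts for server_ip."""
    state = {}  # (client_ip, client_port) -> handshake state as the server sees it
    for src, sport, dst, dport, flags in packets:
        if flags == "SYN" and dst == server_ip:
            state[(src, sport)] = "SYN_RECEIVED"            # server reserves a backlog slot
        elif flags == "SYN-ACK" and src == server_ip:
            state.setdefault((dst, dport), "SYN_RECEIVED")  # waiting for the client's ACK
        elif flags == "ACK" and dst == server_ip and state.get((src, sport)) == "SYN_RECEIVED":
            state[(src, sport)] = "ESTABLISHED"             # third step completed
    half_open = [ip for (ip, _), s in state.items() if s == "SYN_RECEIVED"]
    return {
        "half_open": len(half_open),
        "established": sum(1 for s in state.values() if s == "ESTABLISHED"),
        "by_source": Counter(half_open),   # how many half-open entries each client holds
    }

def syn_flood_suspected(packets, server_ip, backlog_limit):
    """True when outstanding half-open handshakes exceed what the backlog can hold."""
    return track_handshakes(packets, server_ip)["half_open"] > backlog_limit

SERVER = "192.0.2.10"  # constructed address (documentation range)

def constructed_trace():
    """Constructed sample: three clients complete the handshake; fifty spoofed sources
    send a SYN, receive the SYN-ACK and never answer, as described above."""
    trace = []
    for i in range(3):
        client, port = "198.51.100.5", 40000 + i
        trace += [(client, port, SERVER, 80, "SYN"), (SERVER, 80, client, port, "SYN-ACK"),
                  (client, port, SERVER, 80, "ACK")]
    for i in range(50):
        spoofed = f"203.0.113.{i + 1}"
        trace += [(spoofed, 5000, SERVER, 80, "SYN"), (SERVER, 80, spoofed, 5000, "SYN-ACK")]
    return trace

if __name__ == "__main__":
    stats = track_handshakes(constructed_trace(), SERVER)
    print(stats["half_open"], "half-open,", stats["established"], "established")
    print("most half-open entries from a single source:", max(stats["by_source"].values()))
    print("SYN flood suspected:", syn_flood_suspected(constructed_trace(), SERVER, backlog_limit=20))
```

Note that every spoofed source holds only one half-open entry, which is why a per-source limit alone does not catch a spoofed SYN flood and the total backlog occupancy is the signal to watch.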
Ping of Death (“POD”) attack
The maximum packet length of an IP packet (including header) is 65,535 bytes.
However, the Data Link Layer usually imposes a limit on the maximum frame size, for
example 1500 bytes over an Ethernet network. In this case, a large IP packet is split
across multiple IP packets (known as fragments), and the recipient host reassembles
the IP fragments into the complete packet. In a Ping of Death scenario, following
malicious manipulation of fragment content, the recipient ends up with an IP packet
which is larger than 65,535 bytes when reassembled. This can overflow memory buffers
allocated for the packet, causing denial of service for legitimate packets.
DoS Attack Types
Slowloris
Slowloris is a highly-targeted attack, enabling one web server to take down another server,
without affecting other services or ports on the target network. Slowloris does this by holding
as many connections to the target web server open for as long as possible. It accomplishes
this by creating connections to the target server, but sending only a partial request. Slowloris
constantly sends more HTTP headers, but never completes a request. The targeted server
keeps each of these false connections open. This eventually overflows the maximum
concurrent connection pool, and leads to denial of additional connections from legitimate
clients.
Teardrop Attack
A teardrop attack is a denial-of-service (DoS) attack that involves sending fragmented packets
to a target machine. Because of a bug in TCP/IP fragment reassembly, the receiving machine
cannot reassemble fragments that overlap one another, and the target network device crashes.
This generally happens on older operating systems such as Windows 3.1x, Windows 95,
Windows NT and versions of the Linux kernel prior to 2.1.63. One of the fields in an IP header
is the “fragment offset” field, indicating the starting position, or offset, of the data contained in
a fragmented packet relative to the data in the original packet. If the sum of the offset and size
of one fragmented packet differs from the offset of the next fragmented packet, the packets
overlap. When this happens, a server vulnerable to teardrop attacks is unable to reassemble
the packets, resulting in a denial-of-service condition.
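A reassembly sanity check covering both fragment problems on these slides, the Ping of Death oversize condition and the teardrop offset rule: an added example, not code from the original slides. Fragment sets are constructed samples; the 20-byte header length is an assumption (minimal IPv4 header, no options).

```python
from dataclasses import dataclass

IP_MAX_LEN = 65535     # largest legal IP packet, header included
IP_HEADER_LEN = 20     # assumed: minimal IPv4 header without options
FRAG_UNIT = 8          # the fragment offset field counts 8-byte blocks

@dataclass(frozen=True)
class Fragment:
    offset_units: int     # value of the IP header "fragment offset" field
    payload_len: int      # bytes of data carried in this fragment
    more_fragments: bool  # MF flag, set on every fragment except the last

    @property
    def start(self) -> int:  # first data byte this fragment covers
        return self.offset_units * FRAG_UNIT

    @property
    def end(self) -> int:    # one past the last data byte it covers
        return self.start + self.payload_len

def check_fragments(frags):
    """Return (kind, detail) findings: 'overlap' (teardrop), 'gap' (incomplete set),
    'oversize' (Ping of Death). An empty list means the set reassembles cleanly."""
    findings = []
    ordered = sorted(frags, key=lambda f: f.start)
    for prev, cur in zip(ordered, ordered[1:]):
        if cur.start < prev.end:      # offset + size of prev runs past the next offset
            findings.append(("overlap", f"bytes {cur.start}-{prev.end} claimed twice"))
        elif cur.start > prev.end:
            findings.append(("gap", f"bytes {prev.end}-{cur.start} never received"))
    if ordered and not ordered[-1].more_fragments:   # last fragment seen: total length known
        total = IP_HEADER_LEN + ordered[-1].end
        if total > IP_MAX_LEN:
            findings.append(("oversize", f"reassembled {total} bytes > {IP_MAX_LEN}"))
    return findings

# Constructed sample fragment sets (not captured traffic); 185 units = 1480 bytes.
SANE = [Fragment(0, 1480, True), Fragment(185, 1480, True), Fragment(370, 500, False)]
TEARDROP = [Fragment(0, 1480, True), Fragment(100, 1480, False)]   # second starts inside first
PING_OF_DEATH = [Fragment(i * 185, 1480, True) for i in range(44)] + [Fragment(44 * 185, 1480, False)]

if __name__ == "__main__":
    for name, frags in (("sane", SANE), ("teardrop", TEARDROP), ("ping-of-death", PING_OF_DEATH)):
        print(name, check_fragments(frags) or "ok")
```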
DoS Attack Types
Smurf attack
A Smurf attack is a distributed denial-of-service (DDoS) attack in which an attacker
attempts to flood a targeted server with Internet Control Message Protocol
(ICMP) packets. The attacker sends requests carrying the spoofed IP address of the
targeted device to one or more computer networks; those networks then respond to
the targeted server, amplifying the initial attack traffic and potentially overwhelming
the target, rendering it inaccessible. This attack vector is generally considered a
solved vulnerability and is no longer prevalent.
Test Your Understanding
1. Which DoS attack exploits a fragmentation weakness?
A. Smurf
B. Ping
C. Tear Drop
D. SYN
DoS and DDoS Attacks
Sources:
● Cyber Law Simplified – Vivek Sood, McGraw Hill Education Pvt. Ltd.
● https://www.paloaltonetworks.com/cyberpedia/what-is-a-denial-of-service-attack-dos
Disclaimer: Parts of the content of this course are based on the materials available from the websites and books listed above. The
materials that can be accessed from linked sites are not maintained by Acropolis Institute of Technology, and we are not responsible
for their contents. All trademarks, service marks, and trade names in this course are the marks of their respective owner(s).
Summary
● DoS and DDoS
● Working on Wireshark
Any Doubts/Questions
Thank You