Denial of Service (DOS)
• DoS is an attack on a computer or network that reduces, restricts or prevents access to system resources for its legitimate users
• In a DoS attack, attackers flood the victim system with non-legitimate service requests or traffic to overload its resources
• The attacker's objective is not to steal information from the target, but to render its services useless or to slow down network performance
Denial of Service (DOS)
• A distributed denial-of-service (DDoS) attack involves a number of compromised systems (zombies) attacking a single target, thereby causing denial of service for the users of the targeted system
• A DDoS attack is more disruptive, and the original attacker is harder to track down
Denial of Service (DOS)
2002 → 400 Mbps
2010 → 100 Gbps
2013 → 300 Gbps
2016 → 1.2 Tbps
2018 → 1.7 Tbps
2020 → 2.3 Tbps
2023 → 3.5 Tbps
2024 → 5.6 Tbps (Largest recorded attack)
Denial of Service (DOS)
Average Attack Sizes and Frequency
• Average attack size: 5–20 Gbps
• Largest common attacks: >100 Gbps
• 60% last <10 minutes
• 20% last 10–30 minutes
• 5% last multiple days
Denial of Service (DOS)
DDoS Costs & Impact
• Average downtime cost: $250,000 per hour
• 1 in 3 companies face DDoS attacks yearly
• 70% of attacks are used as a distraction for real attacks
• 50% of small businesses close within 6 months after major DDoS damage
Denial of Service (DOS)
• Common symptoms of a DoS attack:
– Slow performance
– Unavailability of a resource
– Loss of access to a website
– Denial of access to any Internet service
– Sudden failure of a firewall or router
– Sudden spike in requests to a single URL
– Service ports unreachable or blocked
– Sudden increase in error responses
Distributed Denial-of-Service (DDoS) Attack
Denial of Service (DOS) - Motives
• Ideology
• Business feuds
• Boredom
• Extortion
• Cyber warfare
Modern Cyber Crime - Organization
• Earlier
– Hackers worked alone → small attacks → low
sophistication
• Now
– Cybercriminals create organized groups because
• It makes attacks larger
• It spreads workload
• It increases earnings
• It lowers risk
WHAT IS A BOTNET
• A bot is “an automated malware program that scans blocks
of network addresses and infects vulnerable computers”
• This malware is usually covertly delivered to a host and the
bot installed so that it can communicate with a server
typically positioned outside of the host’s network and run
by an attacker
• The code is designed to hijack small parts of the machine’s
resources in order to open communication channels to the
attacker’s machine, spread to different hosts, and
accomplish other clandestine tasks
WHAT IS A BOTNET
• Collectively, a botnet is all the computers or devices that have been infected by a bot, together with the machine or machines run by an attacker that act as a central command center, or command and control server, and issue commands to the bots
BOT INSTALLATION
• An attacker must install, or trick a user into installing, malicious bot code on their computing devices, for example by
– sending a user links to compromised websites
– embedding bot malware in legitimate-looking software programs to be downloaded by unsuspecting users
– attaching infected files to an email that appears to be from a reputable entity (a phishing attack)
BOTNET UTILIZATION
• Once the botnet is in place, it can be used for
– Distributed denial of service (DDoS) attacks
– Proxy and spam services
– Sniffing Traffic
– Keylogging
– Malware distribution
– Manipulating online polls and games
– Organized criminal activity used for covert intelligence collection
– Terrorists or state-sponsored actors could use a botnet to attack
critical infrastructure
BUILDING A BOTNET
• A botnet consists of several key components
– Attackers and their Command and Control computers
– Malware program
– Delivery or spreading mechanism
– The hosts, also known as zombie machines on which the
bot resides
– The botnet’s purpose
– The communications mechanisms between the infected
hosts and the attacker’s C2 machines
Attackers and Their Command and Control (C2)
• The attacker’s C2 computer is usually far removed from the
security perimeter of a targeted individual or organization
while the infected hosts reside on the internal network
• It is the central system to which all of the bots report and
respond according to whatever instructions are issued
• This machine may or may not be the originator of the bot
and its associated malware
The Bot Spreads
• One method of delivery involves pairing the bot with other software that looks legitimate, a form of malicious code intended to trick the user into installing it
• The software may be sent to the user via a phishing email and attachment, or may be posted on a compromised website; once the user clicks on it, the bot is downloaded
The Bot Spreads
• Attackers may design the bot as a virus or a worm; both types of malware propagate from machine to machine, either automatically or via human intervention
• Once the bot is installed on a host, users may inadvertently spread it by forwarding infected e-mails and attachments, or the bot may spread through its built-in propagation mechanism, usually a worm component that scans for additional machines to infect on its own
The Bot Spreads
• Propagation models:
– Central source propagation
– Back-chaining propagation
– Autonomous propagation
Hosts/Zombie Machines on Which the Bot Resides
• All malicious software associated with the bot runs quietly on the host system until called upon by the command machine, or until it is discovered and cleaned from the system
• Over 5.44 billion people—around two-thirds of the world’s
population—are Internet users (2025). This massive connectivity
increases the risk of bot infections
• Industry reports estimate over 21 billion IoT devices in 2025, projected
to exceed 30 billion by 2030
• Poorly secured IoT devices significantly accelerate the spread and scale
of botnets
Denial of Service (DOS)
• Resources that could be attacked
– Network bandwidth
– System resources
Denial of Service (DOS)
• Network bandwidth
– Network bandwidth refers to the capacity of the network links connecting a server to the wider Internet
– In particular, the connection to the Internet service provider (ISP)
• System resources
– Aims to overload or crash the network-handling software
– Involves a number of requests, each of which consumes significant resources at the server end
Denial of Service (DOS) - Techniques
Volume based attacks (Bandwidth Attacks)
• Floods a network with a large volume of traffic in order to
consume network bandwidth of the targeted network to such an
extent that it starts dropping packets
Denial of Service (DOS) - Techniques
Volume based attacks (Bandwidth Attacks)
• UDP FLOOD
– An attack in which a large number of User Datagram Protocol (UDP) packets are sent to a targeted server with the aim of overwhelming that device's ability to process and respond
– A UDP flood works primarily by exploiting the steps that a server takes when it responds to a UDP packet sent to one of its ports
– The server first checks whether any program is currently listening for requests on the specified port
– If no program is receiving packets on that port, the server responds with a packet to inform the sender that the destination was unreachable
– As each new UDP packet is received, the server goes through these steps to process it, consuming server resources in the process
– Because the targeted server spends resources checking and then responding to each received UDP packet, the available bandwidth can be exhausted quickly when a large flood of UDP packets is received, resulting in denial of service to normal traffic
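The steps above, as an added example that is not part of the original slides: a toy model of a host that checks whether a program listens on each destination port and otherwise answers with an ICMP "port unreachable", together with the standard mitigation, a token-bucket rate limit on those ICMP replies (the same idea behind Linux's net.ipv4.icmp_ratelimit sysctl). The UdpHost class, the 56-byte reply size, the 1000/s limit and the flood itself are all constructed for this example.

```python
# Added example (not from the original slides): a toy model of how a host
# answers UDP datagrams, and of rate-limiting the ICMP "port unreachable"
# replies so a flood cannot turn the host into a reply generator.
# All traffic below is constructed in-line.

class UdpHost:
    ICMP_UNREACH_BYTES = 56          # assumed size of one unreachable reply

    def __init__(self, listening_ports, icmp_per_second=None, icmp_burst=50):
        self.listening_ports = set(listening_ports)
        self.icmp_per_second = icmp_per_second   # None = no rate limit at all
        self.icmp_burst = icmp_burst
        self._tokens = float(icmp_burst)
        self._last = 0.0
        self.delivered = 0
        self.unreachable_sent = 0
        self.unreachable_suppressed = 0

    def _take_token(self, now):
        """Token bucket: refill for the elapsed time, capped at the burst size."""
        if self.icmp_per_second is None:
            return True
        self._tokens = min(self.icmp_burst,
                           self._tokens + (now - self._last) * self.icmp_per_second)
        self._last = now
        if self._tokens >= 1.0:
            self._tokens -= 1.0
            return True
        return False

    def receive(self, now, dst_port):
        """Handle one inbound UDP datagram and report what the host did with it."""
        if dst_port in self.listening_ports:
            self.delivered += 1          # a program is listening: hand it over
            return "delivered"
        if self._take_token(now):        # closed port: ICMP unreachable, if budget allows
            self.unreachable_sent += 1
            return "icmp-unreachable"
        self.unreachable_suppressed += 1  # budget exhausted: silently drop
        return "dropped"

    @property
    def reply_bytes(self):
        return self.unreachable_sent * self.ICMP_UNREACH_BYTES


def simulate_flood(flood_pps, seconds, rate_limit=True):
    """Constructed flood: one sender sprays closed ports at a steady rate.

    Returns the host's counters so the two configurations can be compared."""
    host = UdpHost(listening_ports={53},
                   icmp_per_second=1000.0 if rate_limit else None)
    total = flood_pps * seconds
    for i in range(total):
        dst_port = 1024 + (i * 7919) % 60000      # always a closed port here
        host.receive(i / flood_pps, dst_port)
    return {"received": total, "delivered": host.delivered,
            "unreachable_sent": host.unreachable_sent,
            "unreachable_suppressed": host.unreachable_suppressed,
            "reply_bytes": host.reply_bytes}


if __name__ == "__main__":
    for limited in (False, True):
        print("rate limit on" if limited else "rate limit off",
              simulate_flood(10000, 1, rate_limit=limited))
```

Without the limit, every one of the 10,000 datagrams in the constructed flood earns a reply, so the victim's own outbound bandwidth and CPU scale with the attacker's send rate; with the bucket, replies are capped at roughly the burst plus 1000 per second, and the rest are dropped without further work.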
Denial of Service (DOS) - Techniques
Volume based attacks (Bandwidth Attacks)
• ICMP (PING) FLOOD
– An attack in which an attacker takes down a victim's computer by overwhelming it with ICMP echo requests, causing the target to become inaccessible to normal traffic
– Packets are sent as fast as possible without waiting for replies

Tool                   Payload size   Total size (approx.)
Ping (Windows)         32 bytes       60–74 bytes
Ping (Linux)           56 bytes       84 bytes
Traceroute (Windows)   32 bytes       60–74 bytes
Traceroute (Linux)     60 bytes       70–90 bytes
Denial of Service (DOS) - Techniques
Volume based attacks (Bandwidth Attacks)
• SMURF FLOOD
Denial of Service (DOS) - Techniques
Volume based attacks (Bandwidth Attacks)
• Pulse Wave DDoS Attack
– One of the latest types of DDoS attack employed by threat actors to disrupt the normal operations of targets
– Conventional DDoS attack patterns are continuous incoming traffic flows
– In pulse wave DDoS attacks the attack pattern is periodic, and each pulse is huge, consuming the entire bandwidth of the target network
– A pulse wave DDoS attack sends very fast, extremely powerful bursts of traffic that hit and disappear repeatedly
– The bursts are timed so that defenses cannot react in time
– As a result, the victim keeps going up and down like a heartbeat signal
Denial of Service (DOS) - Techniques
Volume based attacks (Bandwidth Attacks)
• NTP Amplification Attack
– An NTP amplification attack is a type of DDoS reflection + amplification attack in which attackers abuse vulnerable NTP (Network Time Protocol) servers to send extremely large responses to a victim
– The attacker sets:
• Source IP = victim's IP
• Destination IP = NTP server
– The server replies with a massive list of the last 600 IPs it has seen
– This response goes directly to the victim, not to the attacker
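What the victim side of this exchange looks like, as an added example that is not part of the original slides: a host that never queried a given NTP server should not receive NTP replies from it, so inbound UDP/123 replies that match no recent outbound request are the tell-tale sign of being used as a reflection target. The packet-record field names, the 8-second reply window, the addresses (RFC 5737 documentation ranges) and the byte counts are all constructed for this example.

```python
# Added example (not from the original slides): flag NTP replies that arrive
# without a matching outbound request, which is what a reflection victim
# sees, and estimate the amplification factor from byte counts.
from collections import defaultdict

NTP_PORT = 123


def unsolicited_ntp_replies(packets, reply_window=8.0):
    """Group inbound NTP replies that match no recent outbound request, by sender.

    packets: iterable of dicts with keys ts, dir ("out" or "in"), src, sport,
    dst, dport, length (an assumed record layout for this example).
    Returns {reflector_ip: {"packets": n, "bytes": b}}.
    """
    pending = {}                                    # (server_ip, our_port) -> request time
    flagged = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for p in sorted(packets, key=lambda p: p["ts"]):
        if p["dir"] == "out" and p["dport"] == NTP_PORT:
            pending[(p["dst"], p["sport"])] = p["ts"]      # we asked this server
        elif p["dir"] == "in" and p["sport"] == NTP_PORT:
            asked_at = pending.pop((p["src"], p["dport"]), None)
            if asked_at is not None and p["ts"] - asked_at <= reply_window:
                continue                                   # legitimate reply to our own query
            flagged[p["src"]]["packets"] += 1              # nobody here asked for this
            flagged[p["src"]]["bytes"] += p["length"]
    return dict(flagged)


def amplification_factor(request_bytes, response_bytes):
    """Bytes delivered to the victim per byte the attacker had to send."""
    return response_bytes / request_bytes


# Constructed capture taken at the victim host 192.0.2.10: one genuine query
# to 203.0.113.10 with its reply, then three large replies from 198.51.100.5
# that were never requested.
CAPTURE = [
    {"ts": 1.00, "dir": "out", "src": "192.0.2.10", "sport": 40000,
     "dst": "203.0.113.10", "dport": 123, "length": 76},
    {"ts": 1.05, "dir": "in", "src": "203.0.113.10", "sport": 123,
     "dst": "192.0.2.10", "dport": 40000, "length": 76},
] + [
    {"ts": 2.0 + i * 0.001, "dir": "in", "src": "198.51.100.5", "sport": 123,
     "dst": "192.0.2.10", "dport": 40000, "length": 482}
    for i in range(3)
]


def demo():
    return unsolicited_ntp_replies(CAPTURE)


if __name__ == "__main__":
    print(demo())
    print("amplification of a 482-byte reply to a 76-byte query:",
          round(amplification_factor(76, 482), 1))
```

On the reflector side the fix is to stop answering the query that produces the 600-entry list (ntpd's `disable monitor` directive) and, at the network edge, to drop packets with spoofed source addresses (BCP 38 ingress filtering) so the attacker cannot set the victim's IP as the source in the first place.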
Denial of Service (DOS) - Techniques
Protocol based attacks (Service Request Floods)
• An attacker or group of zombies attempts to exhaust server resources, or those of intermediate communication equipment such as firewalls and load balancers
• The servers are flooded with a high rate of connections from the attacker
Denial of Service (DOS) - Techniques
Protocol based attacks (Service Request Floods)
• SYN Flood
– The attacker exploits the ability of a network to keep a partially opened connection in the listening state for at least 75 seconds
– The attacker sends a series of SYN requests to the target machine (victim) and never sends back the reply to its SYN-ACK
– SYN flooding quickly fills up the victim's connection queue, hence making a DoS attack easier
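The queue-filling mechanism above, as an added example that is not part of the original slides: a toy model of the half-open connection queue (SYN received, SYN-ACK sent, final ACK still outstanding) with the 75-second timeout the slides mention, beside a simplified SYN-cookie scheme, the standard defence, in which the server encodes the connection in its initial sequence number and keeps no queue entry at all. The queue capacity, the attack rate, the cookie layout and the secret are assumptions of this example and not any particular kernel's values.

```python
# Added example (not from the original slides): half-open queue exhaustion
# under a SYN flood, and a simplified SYN cookie that needs no queue entry.
import hashlib
import hmac
import struct


class HalfOpenQueue:
    """Connections that were sent a SYN-ACK and have not yet completed the handshake."""

    def __init__(self, capacity, timeout=75.0):
        self.capacity = capacity
        self.timeout = timeout
        self.entries = {}        # (client_ip, client_port) -> time the SYN arrived
        self.rejected = 0

    def _expire(self, now):
        stale = [c for c, t in self.entries.items() if now - t >= self.timeout]
        for c in stale:
            del self.entries[c]

    def on_syn(self, now, client):
        self._expire(now)
        if client in self.entries:
            return True                    # retransmitted SYN, already queued
        if len(self.entries) >= self.capacity:
            self.rejected += 1             # queue full: the new SYN is dropped
            return False
        self.entries[client] = now
        return True

    def on_ack(self, now, client):
        self._expire(now)
        return self.entries.pop(client, None) is not None


def flood_then_legit_client(capacity=256, attack_pps=100, legit_at=5.0):
    """Constructed flood: SYNs that are never ACKed fill the queue; then a real client tries."""
    q = HalfOpenQueue(capacity)
    for i in range(int(attack_pps * legit_at)):
        q.on_syn(i / attack_pps, ("198.51.100.%d" % (i % 250 + 1), 1024 + i))
    accepted = q.on_syn(legit_at, ("192.0.2.10", 51515))
    return accepted, q.rejected


# Simplified SYN cookie: the server's initial sequence number is a MAC over the
# connection 4-tuple and a coarse timestamp, so a final ACK carrying ISN+1
# proves the client really completed the handshake without the server
# having stored anything in between.
COOKIE_SECRET = b"constructed-secret-rotate-in-practice"


def syn_cookie(client_ip, client_port, server_port, minute):
    ip = bytes(int(o) for o in client_ip.split("."))
    msg = struct.pack("!4sHHI", ip, client_port, server_port, minute & 0xFFFFFFFF)
    mac = hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()
    # top 5 bits: minute counter (lets the server tell how old the cookie is);
    # low 27 bits: truncated MAC
    return ((minute & 0x1F) << 27) | (int.from_bytes(mac[:4], "big") & 0x07FFFFFF)


def cookie_valid(ack_number, client_ip, client_port, server_port, minute_now, max_age=2):
    """Accept the ACK if it matches a cookie minted within the last max_age minutes."""
    isn = (ack_number - 1) & 0xFFFFFFFF
    return any(syn_cookie(client_ip, client_port, server_port, minute_now - age) == isn
               for age in range(max_age + 1))


if __name__ == "__main__":
    accepted, rejected = flood_then_legit_client()
    print("legitimate client accepted:", accepted, "| SYNs rejected:", rejected)
```

With a 256-entry queue and a modest 100 SYN/s flood, the queue is full after about 2.5 seconds and every later SYN, including the legitimate client's, is dropped until entries age out 75 seconds later; the cookie path has no queue to fill, at the cost of not being able to store TCP options for the connection.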
Denial of Service (DOS) - Techniques
Protocol based attacks (Service Request Floods)
• Ping of Death
– A Ping of Death attack is a denial-of-service (DoS) attack in which the attacker aims to disrupt a targeted machine by sending a packet larger than the maximum allowable size, causing the target machine to freeze or crash
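The check that stops an oversized datagram, as an added example that is not part of the original slides: an IPv4 datagram may be at most 65535 bytes including its header, and a fragment's offset field counts 8-byte units, so a receiver that validates every fragment's end position against that limit before copying it can never overflow its reassembly buffer, however the fragments are crafted. The Reassembler class and the 20-byte header assumption are constructed for this example; it does not track holes, only bounds.

```python
# Added example (not from the original slides): the bounds check a receiver
# applies during IP fragment reassembly.
IPV4_MAX_DATAGRAM = 65535
IPV4_HEADER_LEN = 20              # assumes a header without options
MAX_FRAGMENT_OFFSET = 0x1FFF      # the offset field is 13 bits wide


def fragment_is_sane(offset_units, payload_len):
    """True if this fragment fits inside a maximum-size IPv4 datagram."""
    if offset_units < 0 or offset_units > MAX_FRAGMENT_OFFSET or payload_len < 0:
        return False
    end = offset_units * 8 + payload_len        # end of payload, relative to payload start
    return IPV4_HEADER_LEN + end <= IPV4_MAX_DATAGRAM


class Reassembler:
    """Collects the fragments of one datagram, refusing any that would overflow."""

    def __init__(self):
        self.buf = bytearray()
        self.dropped = 0
        self.total_len = None

    def add(self, offset_units, more_fragments, payload):
        """Returns False and counts a drop when the fragment fails the bounds check."""
        if not fragment_is_sane(offset_units, len(payload)):
            self.dropped += 1                   # oversized: never touches the buffer
            return False
        start = offset_units * 8
        end = start + len(payload)
        if end > len(self.buf):
            self.buf.extend(bytes(end - len(self.buf)))
        self.buf[start:end] = payload
        if not more_fragments:
            self.total_len = end                # the last fragment fixes the datagram length
        return True


if __name__ == "__main__":
    r = Reassembler()
    r.add(0, True, b"A" * 1480)                 # first fragment of a normal datagram
    r.add(185, False, b"B" * 100)               # last fragment, offset 185 * 8 = 1480
    ok = r.add(8190, False, b"X" * 18)          # would end at 65538 + 20 bytes: rejected
    print("reassembled", r.total_len, "bytes; oversized fragment accepted:", ok,
          "; dropped:", r.dropped)
```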
Denial of Service (DOS) - Techniques
Application based attacks
• Focus on web applications and are considered the most sophisticated and serious type of attack
• Application layer (L7) DDoS attacks refer to a type of malicious behavior designed to target the "top" layer in the OSI model
Denial of Service (DOS) - Techniques
Application based attacks
• SIP Flood
• HTTP Flood
– HTTP floods are layer-7 attacks
– HTTP clients, such as web browsers, connect to a web server through HTTP
– The attack bombards web servers with HTTP requests
– Requests can be designed to consume considerable resources
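A detector for the HTTP flood described here and for two of the symptoms listed earlier in the deck (a sudden spike in requests to a single URL and a sudden increase in error responses), as an added example that is not part of the original slides. It parses access-log lines in the common log format, buckets them into 10-second windows and reports hot URLs, clients sending an unusual share of requests, and the server-error ratio. The thresholds, the window size, the addresses and the log lines are all constructed for this example.

```python
# Added example (not from the original slides): windowed access-log analysis
# for the symptoms of an HTTP flood.
import re
from collections import Counter, defaultdict
from datetime import datetime

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)')


def parse_line(line):
    """Common-log-format line -> dict, or None if the line does not parse."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "path": m["path"], "status": int(m["status"])}


def analyze(lines, window_s=10, url_threshold=20, per_ip_threshold=15, error_ratio=0.5):
    """One finding per time window: hot URLs, noisy clients, server-error ratio."""
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            buckets[int(rec["ts"].timestamp()) // window_s].append(rec)
    findings = []
    for b in sorted(buckets):
        recs = buckets[b]
        paths = Counter(r["path"] for r in recs)
        ips = Counter(r["ip"] for r in recs)
        errors = sum(1 for r in recs if r["status"] >= 500)
        f = {
            "window_start": b * window_s,
            "requests": len(recs),
            "hot_urls": [p for p, n in paths.items() if n >= url_threshold],
            "noisy_ips": [ip for ip, n in ips.items() if n >= per_ip_threshold],
            "error_ratio": round(errors / len(recs), 2),
        }
        f["suspicious"] = bool(f["hot_urls"] or f["noisy_ips"]) or f["error_ratio"] >= error_ratio
        findings.append(f)
    return findings


def _line(ip, hhmmss, path, status):
    return f'{ip} - - [10/Oct/2024:{hhmmss} +0000] "GET {path} HTTP/1.1" {status} 512'


# Constructed log: a quiet window, then a window in which one client hammers
# /search and the server starts answering 503.
SAMPLE_LOG = (
    [_line(f"192.0.2.{i + 1}", f"13:55:3{i}", p, 200)
     for i, p in enumerate(["/", "/about", "/blog", "/contact", "/"])]
    + [_line("198.51.100.7", f"13:56:0{i % 10}", "/search", 503 if i < 20 else 200)
       for i in range(25)]
    + [_line("198.51.100.8", f"13:56:0{i % 10}", "/search", 200) for i in range(5)]
)


def demo():
    return analyze(SAMPLE_LOG)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The thresholds here are placeholders; in practice they are set from a baseline of the site's normal traffic, and the per-client count is the signal that distinguishes a flood from a legitimate surge, since a real surge spreads across many clients.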
Denial of Service (DOS) - Techniques
Multivector Attacks
• Multi-Vector Attack
– In multi-vector DDoS attacks, the attacker uses combinations of volumetric, protocol and application layer attacks to take down the target system or service
Denial of Service (DOS) - Techniques
Permanent Denial-of-Service (PDoS) Attack
• PDoS attacks purely target hardware and cause irreversible damage
to the hardware
• Unlike other types of DoS attacks, it sabotages the system hardware,
requiring the victim to replace or reinstall the hardware
DOS/DDOS Countermeasures
DoS/DDoS Countermeasure Strategy
CONTENT DELIVERY NETWORK (CDN)
• Network of servers, distributed all over the globe
that is responsible for delivering the requested
content from the particular webpage
CONTENT DELIVERY NETWORK (CDN)
(Diagram: a client is served by several CDN servers that sit in front of the origin server)
CONTENT DELIVERY NETWORK (CDN)
• Decrease server load
• Security
• High availability & reliability
• Reduce bandwidth consumption
• Faster content delivery
DOS & DDOS
• git clone [Link]
• cd XERXES
• gcc xerxes.c -o XERXES
• ./XERXES (website name) (port #)