ch7-2025

The document discusses denial-of-service (DoS) attacks, defining them as actions that impair authorized use of networks, systems, or applications by exhausting resources. It covers various types of DoS attacks, including flooding, distributed denial-of-service, and application-based bandwidth attacks, as well as common defenses against such attacks. The document also emphasizes the importance of incident response plans and strategies for managing and mitigating the impact of DoS attacks.

Department of Industrial Engineering

Chapter 7
Denial-of-Service Attacks
Information Security
2025 Spring Semester
Younho Lee
Learning Objectives
❖Explain denial-of-service attacks
❖Understand flooding attacks
❖Describe distributed denial-of-service attacks
❖Explain an application-based bandwidth attack with examples
❖Present an overview of reflector and amplifier attacks
❖Summarize some of the common defences against denial-of-service attacks
❖Summarize common responses to denial-of-service attacks
Denial of Service (DoS) Attack
❖ The NIST Computer Security Incident Handling Guide defines a DoS attack as:

“An action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing unit (CPU), memory, bandwidth, and disk space”
Denial of Service (DoS) Attack (Cont’d)

❖ A form of attack on the availability of some service

❖ Categories of resources that could be attacked are:

▪ Network bandwidth: relates to the capacity of the network links connecting a server to the Internet. For most organizations this is their connection to their Internet Service Provider (ISP).

▪ System resources: aims to overload or crash the network handling software.

▪ Application resources: typically involves a number of valid requests, each of which consumes significant resources, thus limiting the ability of the server to respond to requests from other users.
Denial of Service (DoS) – Example Network
Classic DoS Attacks
❖ Flooding attack
▪ Aim of this attack is to overwhelm the capacity of the network connection to the target organization
▪ Traffic can be handled by higher capacity links on the path, but packets are discarded as capacity decreases
▪ Source of the attack is clearly identified unless a spoofed address is used
▪ Network performance is noticeably affected

* Flooding ping command (figure): host A sends a stream of ping requests to host B, and the target network fills with ping request and reply packets. Ping is software used to test the reachability of a host on an IP network by sending packets to the host and receiving replies.
Classic DoS Attacks (Cont’d)

Flooding Attacks (Cont’d)

❖ Flooding packets to the target server and the routers on the path to the target server
❖ Classified based on network protocol used
❖ Intent is to overload the network capacity on some link to a server
❖ Virtually any type of network packet can be used

▪ ICMP flood
• Ping flood using ICMP echo request packets
• Traditionally network administrators allow such packets into their networks because ping is a useful network diagnostic tool

▪ UDP flood
• Uses UDP packets directed to some port number on the target system

▪ TCP SYN flood
• Sends TCP packets to the target system
• Total volume of packets is the aim of the attack rather than the system code
Flooding Attacks – Figures
* ICMP/UDP Flooding

* TCP SYN Flooding


Source Address Spoofing in DoS
❖ Use forged source address
▪ Usually via the raw socket interface on operating systems
▪ Makes attacking systems harder to identify

❖ Attacker generates large volumes of packets that have the target system as the destination address

❖ May affect other honest hosts’ routers

❖ To identify source, the flow of packets through the routers should be identified rather than inspecting just packets

* Figure: the attacker sends ping with a spoofed source address to the target server; the ICMP error response packet goes to the spoofed address. Router’s filtering is the better approach.
Source Address Spoofing in DoS (Cont’d)
❖ Backscatter traffic
▪ The traffic to the hosts with unused IP addresses
▪ All backscatter traffic is suspicious
• As normal users do not access the hosts of unused IP address
▪ Can be used to identify attack packets

* Figure: the attacker sends spoofed packets to a server; the server’s responses go to an advertised but unused IP address, to which no legitimate users send packets.
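Backscatter is useful to a defender precisely because nothing legitimate should ever arrive at unused address space, so every SYN-ACK, RST or ICMP error seen there is a reply a victim sent to a spoofed source. The following added example (not from the slides) scans a constructed capture on a monitored unused prefix and counts such replies by sender, which reveals which host and port are being flooded; the prefix, addresses and packets are all constructed.

```python
"""Backscatter finder (added example, not part of the lecture slides).

Traffic arriving at address space that is allocated but unused has no
legitimate sender, so unsolicited SYN-ACKs, RSTs or ICMP errors seen there are
replies a victim sent to a spoofed source. Counting them by sender reveals who
is being flooded. The unused prefix and packets are constructed.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Assumed: this /25 is routed to a monitor but hosts nothing.
UNUSED_PREFIXES = [ipaddress.ip_network("192.0.2.128/25")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "icmp"
    flags: str = ""     # TCP flags such as "S", "SA", "RA"; ICMP type name
    sport: int = 0
    dport: int = 0


# Reply kinds a victim emits in response to a spoofed request.
BACKSCATTER_KINDS = {
    ("tcp", "SA"): "SYN-ACK",
    ("tcp", "RA"): "RST-ACK",
    ("tcp", "R"): "RST",
    ("icmp", "echo-reply"): "ICMP echo reply",
    ("icmp", "unreachable"): "ICMP unreachable",
}


def to_unused_space(addr):
    a = ipaddress.ip_address(addr)
    return any(a in net for net in UNUSED_PREFIXES)


def find_backscatter(packets):
    """Return Counter keyed by (sender, sender port, reply kind) counting
    packets that landed in unused address space."""
    hits = Counter()
    for p in packets:
        if not to_unused_space(p.dst):
            continue                     # normal traffic; only unused destinations matter
        kind = BACKSCATTER_KINDS.get((p.proto, p.flags), "other (probe?)")
        hits[(p.src, p.sport, kind)] += 1
    return hits


def likely_victims(hits, min_replies=10):
    """Senders whose reply count into unused space reaches min_replies, sorted by
    volume: these are the hosts whose service is absorbing spoofed requests."""
    per_sender = Counter()
    for (sender, port, kind), n in hits.items():
        if kind != "other (probe?)":     # a direct SYN from a scanner is not a reply
            per_sender[(sender, port)] += n
    return [(s, p, n) for (s, p), n in per_sender.most_common() if n >= min_replies]


def build_sample_capture():
    pkts = []
    # Web server 203.0.113.80 answering spoofed SYNs: 30 SYN-ACKs into unused space.
    for i in range(30):
        pkts.append(Packet("203.0.113.80", f"192.0.2.{129 + i}", "tcp", "SA", 80, 40000 + i))
    # Its HTTPS port is closed, so spoofed SYNs there draw RST-ACKs instead.
    for i in range(5):
        pkts.append(Packet("203.0.113.80", f"192.0.2.{200 + i}", "tcp", "RA", 443, 50000 + i))
    # A scanner probing the unused space directly (a SYN, not a reply).
    pkts.append(Packet("198.51.100.9", "192.0.2.250", "tcp", "S", 55555, 22))
    # Ordinary traffic to a live host outside the unused space is ignored.
    pkts.append(Packet("203.0.113.80", "192.0.2.10", "tcp", "SA", 80, 41000))
    return pkts


if __name__ == "__main__":
    hits = find_backscatter(build_sample_capture())
    for sender, port, n in likely_victims(hits):
        print(f"{sender}:{port} sent {n} unsolicited replies to unused space")
```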
Denial of Service
SYN Spoofing
❖ Attacks the ability of a server to respond to future connection requests by overflowing the tables used to manage them
→ Legitimate users are denied access to the server
→ An attack on system resources, specifically the network handling code in the operating system

* TCP Three-way connection Handshake (figure)
* TCP SYN Spoofing Attack (figure)

Distributed Denial of Service Attacks
❖ Use of multiple systems to generate attacks
❖ Attacker uses a flaw in operating system or in a common application
to gain access and installs their program on it (zombie)
❖ Large collections of such systems under one attacker’s control can
be created, forming a botnet
Application-based Bandwidth Attacks (1/2)
❖ Attempt to take advantage of the disproportionately large resource consumption
❖ SIP (Session Initiation Protocol) Flood
▪ Flooding SIP INVITE messages
▪ Making servers overwhelmed in processing messages
▪ SIP Invite Scenario (figure)
Application-based Bandwidth Attacks (2/2)
❖ HTTP Flood
▪ Attack that bombards Web servers with HTTP requests
▪ Consumes considerable resources to send big files
▪ Spidering
• Bots starting from a given HTTP link and following all links on the provided Web site in a recursive way

❖ Slowloris
▪ Attempts to monopolize all handling threads by sending HTTP requests that never complete
• Do not send ‘terminating new line’ sequence
▪ Eventually consumes Web server’s connection capacity
▪ Utilizes legitimate HTTP traffic
▪ Most existing signature-based Intrusion Detection and Prevention systems cannot recognize Slowloris

* Figure: the attacker sends a chunk of the request to the server periodically.
* HTTP Request Packet Format (figure)
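Because each Slowloris request is syntactically valid, the practical defence lives in the server's connection handling rather than in a signature: bound how long a connection may wait for the blank line that ends the headers, and bound how many unfinished requests one client may hold. The following added example (not from the slides and not any web server's own code) models that guard with explicit timestamps so the scenario is deterministic; clients, header bytes and limits are constructed.

```python
"""Server-side guard against never-completing HTTP requests (added example,
not part of the lecture slides or any web server's own code).

Slowloris works because a worker stays bound to a connection until the request
headers end with a blank line. A server that bounds the time it waits for that
blank line, and the number of unfinished requests one client may hold, keeps
its connection capacity for real users. Timestamps are passed in explicitly so
the scenarios below are deterministic; clients and header bytes are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Conn:
    client: str
    opened: float
    buf: bytes = b""
    complete: bool = False


class SlowRequestGuard:
    def __init__(self, header_timeout=30.0, max_incomplete_per_client=10):
        self.header_timeout = header_timeout       # seconds allowed to finish headers
        self.max_incomplete = max_incomplete_per_client
        self.conns = {}

    def open_conn(self, cid, client, now):
        self.conns[cid] = Conn(client, now)

    def receive(self, cid, data):
        """Feed bytes from the socket; True once the header block is complete."""
        c = self.conns[cid]
        c.buf += data
        if b"\r\n\r\n" in c.buf:           # the terminating blank line
            c.complete = True
        return c.complete

    def sweep(self, now):
        """Return [(cid, reason)] for connections to drop, and forget them."""
        drops = []
        pending = defaultdict(list)        # client -> still-incomplete connections
        for cid, c in self.conns.items():
            if c.complete:
                continue
            if now - c.opened > self.header_timeout:
                drops.append((cid, "header timeout"))
            else:
                pending[c.client].append(cid)
        for client, cids in pending.items():
            if len(cids) > self.max_incomplete:
                drops.extend((cid, "too many incomplete requests from client") for cid in cids)
        for cid, _ in drops:
            del self.conns[cid]
        return drops


def run_timeout_scenario():
    """One normal request, and one slow client holding 20 connections that each
    receive a single header line every 10 s and never the blank line."""
    guard = SlowRequestGuard(header_timeout=30.0, max_incomplete_per_client=50)
    guard.open_conn("legit", "198.51.100.5", now=0.0)
    legit_done = guard.receive("legit", b"GET / HTTP/1.1\r\nHost: www.example\r\n\r\n")
    for i in range(20):
        guard.open_conn(f"slow{i}", "203.0.113.66", now=0.0)
    for _ in range(4):                      # header trickle at t = 0, 10, 20, 30
        for i in range(20):
            guard.receive(f"slow{i}", b"X-a: b\r\n")
    early = guard.sweep(now=25.0)           # within the timeout, under the per-client cap
    late = guard.sweep(now=31.0)            # every slow connection has now exceeded 30 s
    return legit_done, len(early), len(late), {reason for _, reason in late}


def run_cap_scenario():
    """The same client opening 12 connections at once with the default cap of 10."""
    guard = SlowRequestGuard()
    for i in range(12):
        guard.open_conn(f"c{i}", "203.0.113.1", now=0.0)
    drops = guard.sweep(now=1.0)
    return len(drops), {reason for _, reason in drops}, len(guard.conns)


if __name__ == "__main__":
    print(run_timeout_scenario())   # (True, 0, 20, {'header timeout'})
    print(run_cap_scenario())       # (12, {'too many incomplete requests from client'}, 0)
```

The per-client cap is deliberately generous: a browser or proxy legitimately opens several connections, so the cap has to sit above that while still being far below the server's total worker count.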
Reflector and Amplifier Attacks

Reflection Attacks
❖ Purpose
▪ To generate enough volumes of packets to flood the link to the target
system without alerting intermediary
❖ Method
▪ Send packets to a known service on the intermediary with a spoofed source
address of the actual target system
▪ When intermediary responds, the response is sent to the target
❖ Defense
▪ Blocking spoofed-source packets

DNS Reflection Attack


Reflector and Amplifier Attacks

Amplification Attacks
❖ Similar to reflecting but generates multiple response packets per each original packet sent
❖ Can be achieved by directing the original request to the broadcast address
❖ Example
▪ Ping flooding using ICMP echo requests sent to a broadcast address
Defenses Against Denial of Service Attacks (1/3)

❖ DoS attacks cannot be prevented entirely
❖ High traffic volumes may be legitimate
▪ High publicity about a specific site
▪ Activity on a very popular site
→ Described as slashdotted, flash crowd, or flash event

Four lines of defense against DDoS attacks
• Attack prevention and preemption (before attack)
• Attack detection and filtering (during the attack)
• Attack source traceback and identification (during and after the attack)
• Attack reaction (after the attack)
Defenses Against Denial of Service Attacks (2/3)

DoS Attack Prevention

❖ Block spoofed source addresses
▪ On routers as close to source as possible
▪ Filters may be used to ensure path back to the claimed source address is the one being used by the current packet
• Filters must be applied to traffic before it leaves the ISP’s network or at the point of entry to their network

* Figure: the ISP blocks the spoofed packets going to the Internet.
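The filter described above, checking that the route back to a packet's claimed source leaves through the interface the packet arrived on, is a reverse-path check. The following added example (not from the slides and not any router vendor's implementation) applies it at a constructed ISP edge router with two customer links and one upstream link, and adds a bogon check for private source prefixes that should never arrive from the Internet side; routes, bogon list and sample packets are all constructed.

```python
"""Reverse-path and bogon check for spoofed sources (added example, not part of
the lecture slides or any router vendor's implementation).

A strict reverse-path check accepts a packet only if the router's own route
back to the packet's claimed source leaves through the interface the packet
arrived on. Applied at the customer edge of an ISP, it stops a zombie from
emitting packets with a forged source. Routes, bogon list and sample packets
are constructed.
"""
import ipaddress

# Assumed: private/reserved source prefixes that must never arrive from the
# Internet side. Real deployments use a maintained bogon list.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
)]


class ReversePathFilter:
    def __init__(self, routes):
        # routes: iterable of (prefix, outgoing interface)
        self.routes = [(ipaddress.ip_network(p), iface) for p, iface in routes]

    def egress_interface(self, addr):
        """Longest-prefix match: the interface this router would use to reach addr."""
        a = ipaddress.ip_address(addr)
        best = None
        for net, iface in self.routes:
            if a in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def verdict(self, src, in_iface):
        """'accept', or a short reason the packet should be dropped."""
        a = ipaddress.ip_address(src)
        if any(a in net for net in BOGON_PREFIXES):
            return "drop: bogon source"
        if self.egress_interface(src) != in_iface:
            return "drop: reverse path mismatch (spoofed source)"
        return "accept"


# Constructed ISP edge router: two customer links and one upstream link.
EDGE = ReversePathFilter([
    ("198.51.100.0/24", "cust0"),   # customer A's assigned block
    ("192.0.2.0/24", "cust1"),      # customer B's assigned block
    ("0.0.0.0/0", "upstream0"),     # everything else lives out on the Internet
])


def filter_packets(packets, rpf=EDGE):
    """packets: iterable of (src, in_iface). Returns [(src, in_iface, verdict)]."""
    return [(src, iface, rpf.verdict(src, iface)) for src, iface in packets]


SAMPLE_PACKETS = [
    ("198.51.100.7", "cust0"),      # customer A sending as itself
    ("203.0.113.9", "cust0"),       # customer A forging an outside address
    ("198.51.100.7", "upstream0"),  # outsider forging customer A's address
    ("203.0.113.9", "upstream0"),   # ordinary inbound Internet packet
    ("10.0.0.1", "upstream0"),      # private address arriving from the Internet
]

if __name__ == "__main__":
    for src, iface, v in filter_packets(SAMPLE_PACKETS):
        print(f"{src:14} on {iface:10} -> {v}")
```

Strict reverse-path checking only works where routing is symmetric, which holds on single-homed customer links; on multi-homed links real routers fall back to a loose check (the source merely has to be routable), so the filter is placed where the slide puts it, at the edge before traffic leaves the ISP.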

❖ Use modified TCP connection handling code
▪ Cryptographically encode critical information in a cookie that is sent as the server’s initial sequence number in the SYN-ACK packet
• Legitimate client responds with an ACK packet containing the incremented sequence number cookie
▪ Drop an entry for an incomplete connection from the TCP connections table when it overflows
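The SYN spoofing slide and the cookie defence above are two sides of one mechanism: a server that stores every half-open connection can have its table filled by SYNs whose spoofed sources never answer, while a server that folds the connection 4-tuple and a coarse time slot into the SYN-ACK sequence number with a keyed MAC stores nothing and simply recomputes the cookie when the ACK arrives. The following added example (not from the slides; the cookie layout is a simplified illustration, not the Linux implementation) runs both servers under the same constructed flood; secret, addresses and flood size are constructed.

```python
"""Half-open table exhaustion versus SYN cookies (added example, not part of
the lecture slides; the cookie layout is a simplified illustration, not the
Linux implementation).

The first server keeps every half-open connection in a fixed-size table, so a
burst of spoofed SYNs that never complete the handshake leaves no room for a
real client. The second keeps no state: it folds the connection 4-tuple and a
coarse time slot into the initial sequence number with an HMAC, and on the
client's ACK simply recomputes the cookie. Secret, addresses and flood size
are constructed.
"""
import hashlib
import hmac


class BacklogServer:
    """Classic behaviour: an entry per SYN until the ACK arrives or it times out."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.half_open = {}       # (src, sport) -> server ISN
        self._next_isn = 1000

    def on_syn(self, src, sport):
        if len(self.half_open) >= self.capacity:
            return None           # table full: SYN silently dropped
        self._next_isn += 64000
        self.half_open[(src, sport)] = self._next_isn
        return self._next_isn     # ISN carried in the SYN-ACK

    def on_ack(self, src, sport, ack):
        isn = self.half_open.pop((src, sport), None)
        return isn is not None and ack == isn + 1


class SynCookieServer:
    """Stateless: the SYN-ACK sequence number is a verifiable cookie."""

    SLOT_BITS = 5                 # top 5 bits of the 32-bit ISN carry the time slot
    MAC_MASK = (1 << 27) - 1      # remaining 27 bits carry the truncated MAC

    def __init__(self, secret, addr="192.0.2.10", port=80):
        self.secret, self.addr, self.port = secret, addr, port
        self.slot = 0             # coarse clock, e.g. advanced every 64 s

    def _mac(self, src, sport, slot):
        msg = f"{src}:{sport}:{self.addr}:{self.port}:{slot}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big") & self.MAC_MASK

    def on_syn(self, src, sport):
        # Nothing is stored; the cookie is recomputable from the ACK alone.
        return ((self.slot & 0x1F) << 27) | self._mac(src, sport, self.slot)

    def on_ack(self, src, sport, ack):
        cookie = (ack - 1) & 0xFFFFFFFF
        slot = cookie >> 27
        if (self.slot - slot) % (1 << self.SLOT_BITS) > 1:
            return False          # cookie older than the previous slot: stale
        return (cookie & self.MAC_MASK) == self._mac(src, sport, slot)


def simulate(flood_size=5000, capacity=1024):
    """Return (legit SYN dropped by the table server?, legit handshake accepted
    by the cookie server?, half-open entries left in the table server)."""
    classic = BacklogServer(capacity)
    cookies = SynCookieServer(b"constructed-secret")
    for i in range(flood_size):   # spoofed sources never answer the SYN-ACK
        src, sport = f"198.51.100.{i % 250 + 1}", 1024 + i
        classic.on_syn(src, sport)
        cookies.on_syn(src, sport)
    dropped = classic.on_syn("203.0.113.5", 40000) is None
    isn = cookies.on_syn("203.0.113.5", 40000)
    accepted = cookies.on_ack("203.0.113.5", 40000, isn + 1)
    return dropped, accepted, len(classic.half_open)


if __name__ == "__main__":
    print(simulate())  # (True, True, 1024)
```

Real SYN cookies also have to squeeze the negotiated MSS into the sequence number and lose any other SYN options, which is why operating systems enable them only once the backlog overflows rather than all the time.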
Defenses Against Denial of Service Attacks (3/3)

DoS Attack Prevention (Cont’d)

❖ Block IP directed broadcasts

❖ Manage application attacks with a form of graphical puzzle (CAPTCHA) to distinguish legitimate human requests

❖ Use mirrored and replicated servers when high performance and reliability are required
Responding to DoS Attacks

Good Incident Response Plan

• Details of how to contact technical personnel for ISP
• Need to impose traffic filtering upstream
• Details of how to respond to the attack

❖ Anti-spoofing, blocking directed broadcast, and rate limiting filters should have been implemented

❖ Ideally have network monitors and IDS (Intrusion Detection System) to detect and notify abnormal traffic patterns
Responding to DoS Attacks (Cont’d)

❖ Conventional process of response

Identify type of attack
•Capture and analyze packets
•Design filters to block attack traffic upstream
•Or identify and correct system/application bug

Have ISP trace packet flow back to source
•May be difficult and time consuming
•Necessary if planning legal action

Implement contingency plan
•Switch to alternate backup servers
•Commission new servers at a new site with new addresses

Update incident response plan
•Analyze the attack and the response for future handling
Summary

❖Denial-of-service attacks
▪ The nature of denial-of-service attacks
▪ Classic denial-of-service attacks
▪ Source address spoofing
▪ SYN spoofing
❖Flooding attacks
▪ ICMP flood
▪ UDP flood
▪ TCP SYN flood
❖Distributed denial-of-service attacks
❖Application-based bandwidth attacks
▪ SIP flood
▪ HTTP-based attacks
❖Reflector and amplifier attacks
▪ Reflection attacks
▪ Amplification attacks
❖Defenses against denial-of-service attacks
❖Responding to a denial-of-service attack
