Flashcards covering the goals, types, attacks, defenses, tools, and real-world examples of denial of service (DoS) and distributed denial of service (DDoS) attacks.
What is the primary goal of a denial of service (DoS) attack?
To prevent legitimate users from accessing the target by overwhelming it with requests or data.
How does a DDoS attack differ from a traditional DoS attack?
A DDoS uses multiple compromised machines (a botnet) to flood the target, whereas a DoS typically comes from a single machine.
What is a TCP SYN flood attack?
An attack that exploits the TCP three-way handshake to exhaust server resources by sending many SYN requests, often with spoofed sources.
What are SYN cookies and what do they do?
A stateless defense: instead of allocating a connection record when a SYN arrives, the server encodes the handshake state (a coarse timestamp, the client's MSS and a keyed hash of the connection 4-tuple) in the initial sequence number of its SYN-ACK. When the final ACK arrives, the state is recovered and verified from its acknowledgement number, and memory is allocated only then, so spoofed SYNs that never complete the handshake cost the server nothing.
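The mechanism on this card, as an added worked example (not code from the flashcards or from any real TCP stack): the server derives the SYN-ACK sequence number from a time counter, an MSS table index and a keyed hash of the 4-tuple, keeps no half-open state, and validates the client's ACK by recomputing the hash. The secret, the 5/3/24 bit layout, the 64-second time slot and the sample addresses are assumptions chosen for the demonstration.

```python
"""Added example: a stateless SYN cookie of the kind the card describes.

Constructed demo, not a real TCP stack: the server encodes the handshake state
in the SYN-ACK initial sequence number and verifies it from the final ACK.
"""
import hashlib
import hmac
import ipaddress
import struct

# Server-side secret for the cookie MAC; random per boot in a real stack, fixed here (constructed).
SECRET = b"constructed-demo-secret-do-not-reuse"

# Only an index into this small MSS table must survive the round trip (3 bits).
MSS_TABLE = (536, 1300, 1440, 1460)


def _mac(saddr, sport, daddr, dport, counter, secret=SECRET):
    """Keyed hash over the connection 4-tuple and the time slot, truncated to 32 bits."""
    msg = struct.pack("!4sH4sHI", saddr, sport, daddr, dport, counter)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")


def make_cookie(saddr, sport, daddr, dport, mss, now):
    """Return the 32-bit ISN the server places in its SYN-ACK; nothing is stored.

    Bit layout (assumed for the demo): 5-bit time counter in 64-second slots |
    3-bit MSS index | 24-bit truncated MAC.
    """
    counter = (int(now) >> 6) & 0x1F
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    mac24 = _mac(saddr, sport, daddr, dport, counter) & 0xFFFFFF
    return (counter << 27) | (mss_idx << 24) | mac24


def check_cookie(saddr, sport, daddr, dport, ack, now, max_age_slots=2):
    """Validate the final ACK statelessly; return the negotiated MSS, or None if forged or expired.

    The client acknowledges ISN + 1, so the cookie is ack - 1. The time counter is
    recovered from the cookie itself and the MAC is recomputed for that slot.
    """
    cookie = (ack - 1) & 0xFFFFFFFF
    counter = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    mac24 = cookie & 0xFFFFFF
    current = (int(now) >> 6) & 0x1F
    if ((current - counter) & 0x1F) > max_age_slots:
        return None  # too old: bounds replay of a captured cookie
    expected = _mac(saddr, sport, daddr, dport, counter) & 0xFFFFFF
    if not hmac.compare_digest(mac24.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None  # an attacker who never saw the SYN-ACK cannot forge the MAC
    return MSS_TABLE[mss_idx]


def demo(now=1_700_000_000):
    """Constructed scenario: a spoofed SYN flood plus one honest client."""
    srv = (ipaddress.IPv4Address("192.0.2.10").packed, 443)
    # 200 SYNs from spoofed sources: the server answers each with a cookie ISN
    # but keeps no half-open state, so its backlog cannot be exhausted.
    for i in range(200):
        make_cookie(ipaddress.IPv4Address(f"203.0.113.{i}").packed, 40000 + i, *srv, 1460, now)
    cli = (ipaddress.IPv4Address("198.51.100.7").packed, 51515)
    isn = make_cookie(*cli, *srv, 1460, now)
    ok = check_cookie(*cli, *srv, isn + 1, now + 10)            # honest ACK inside the window
    forged = check_cookie(*cli, *srv, (isn ^ 1) + 1, now + 10)  # one flipped cookie bit
    expired = check_cookie(*cli, *srv, isn + 1, now + 320)      # five slots later
    return ok, forged, expired


if __name__ == "__main__":
    print(demo())  # (1460, None, None)
```

The 24-bit MAC is the trade-off that makes the scheme fit in a sequence number: a blind attacker guessing the ACK succeeds with probability about 2^-24 per attempt, and the time counter limits how long a captured cookie stays valid. Real stacks also lose TCP options that are not encoded in the cookie, which is why SYN cookies are normally enabled only once the backlog fills.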
What is a micro block in DoS defense?
A defense that allocates only a tiny record (about 16 bytes) for each incoming SYN instead of a full connection structure, so far more half-open connections fit in memory before the backlog is exhausted; it mitigates rather than prevents a SYN flood.
What is an RST cookie?
A defense in which the server deliberately answers a SYN with an incorrect SYN-ACK. A legitimate client (a real TCP stack) responds with an RST, which shows the source is reachable and not spoofed, so the server accepts that client's next connection attempt; spoofed sources never send the RST and are ignored.
What is a Smurf attack?
An ICMP echo request (ping) sent to a network's broadcast address with the source IP spoofed to the victim's address, so every host on that network replies to the victim at once and floods it. Disabling directed broadcasts on routers removes the amplifier.
What is a Fraggle attack?
A Smurf variant that sends UDP packets to the echo (port 7) or chargen (port 19) service at a broadcast address with the source IP spoofed to the victim, so every responding host floods the target.
What is DHCP starvation?
Flooding a DHCP server with DISCOVER/REQUEST messages from many spoofed MAC addresses to exhaust its pool of IP addresses, so legitimate clients cannot obtain leases; often a prelude to setting up a rogue DHCP server.
What is PDoS (phlashing)?
Permanent denial of service: an attack that damages a device's firmware or hardware (for example by flashing corrupted firmware to it), so recovery requires reinstalling the firmware or replacing the device rather than a reboot.
What is a Teardrop attack?
Sending IP fragments whose offsets overlap so that they cannot be reassembled correctly; older stacks that did not validate fragment offsets miscomputed the fragment length during reassembly and crashed or locked up.
What is a Land attack?
A spoofed TCP SYN packet whose source and destination IP address (and port) are both the target's own, so the target effectively tries to complete a handshake with itself; vulnerable stacks hung, crashed or rebooted.
What is a Challenge Collapsar (CC) attack?
An application-layer attack that sends a high rate of legitimate-looking HTTP requests chosen because each one forces the server into expensive work (database queries, searches, page generation), exhausting CPU and connections while slipping past filters that look for malformed traffic.
What is a CLDAP reflection attack?
A UDP reflection and amplification attack against exposed Connectionless LDAP servers (UDP port 389): the attacker sends small CLDAP queries with the victim's address as the spoofed source, and the much larger responses are delivered to the victim.
What is a memcached amplification attack?
Sending small requests to misconfigured memcached servers exposed on UDP port 11211 with the victim's source address spoofed; because a response can be tens of thousands of times larger than the request, a small number of attacking hosts can generate terabit-scale DDoS traffic.
What is a Yo-Yo attack?
Against a cloud-hosted application with autoscaling, the attacker floods it long enough to trigger scale-out, stops so that it scales back in, and then repeats; the victim pays for the extra capacity and suffers degraded performance during every scaling transition.
What is a degradation of service attack, and how does it relate to EDoS?
Short, repeated bursts of traffic ("pulsing") that slow responses rather than take the system offline, so the attack is harder to detect while it degrades service over time. When the real target is the victim's bill, for example autoscaling charges in the cloud, the attack is called economic denial of sustainability (EDoS).
What is an HTTP POST DoS attack?
A slow-body ("slow POST", as in the R-U-Dead-Yet tool) attack: the client sends a POST with a large Content-Length and then trickles the body a few bytes at a time, holding a server worker or connection open; many such connections in parallel exhaust the server's connection pool. Body-read timeouts and minimum data-rate limits counter it.
What are blackholing and sinkholing in DoS defense?
Blackholing drops attack traffic by routing the targeted destination (or the attacking sources) to a null route, which also discards legitimate traffic to that destination; sinkholing instead steers the suspicious traffic to a dedicated system where it can be analyzed and filtered before being dropped, so legitimate traffic can still be separated out.
Name some common DoS tools mentioned in the chapter.
LOIC, HOIC and XOIC (simple point-and-click flooding tools popularized by hacktivist campaigns), and TFN, TFN2K and Stacheldraht (early DDoS frameworks with a master/agent design used to coordinate floods from compromised hosts).
What is the Ping of Death (PoD)?
Sending an ICMP echo request (ping) fragmented so that the reassembled datagram exceeds the 65,535-byte maximum IP packet size; stacks that did not check for this overflowed a buffer during reassembly and crashed.
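The three malformed-packet attacks on these cards (Teardrop, Land and Ping of Death) are caught by sanity checks that a hardened IP stack or a detector applies before reassembly. The following is an added example, not code from the flashcards: it runs those checks over constructed packet records. The `Fragment` record, the sample addresses (RFC 5737 documentation ranges) and the sample traffic are assumptions made for the demonstration.

```python
"""Added example: flagging the malformed packets behind Teardrop, Land and Ping of Death.

Constructed records stand in for decoded packets; the checks are the ones a
detector or hardened IP stack applies before reassembly. Not code from the cards.
"""
from dataclasses import dataclass

IP_HEADER_MIN = 20       # bytes, IP header without options
MAX_IP_DATAGRAM = 65535  # bytes, limit of the 16-bit total-length field


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    sport: int
    dport: int
    ip_id: int          # IP identification field shared by fragments of one datagram
    frag_offset: int    # in bytes (the header stores it in 8-byte units)
    payload_len: int    # bytes of data carried after the IP header
    more_fragments: bool
    syn: bool = False


def is_land(pkt):
    """Land: spoofed SYN whose source and destination address and port are the target's own."""
    return pkt.syn and pkt.src == pkt.dst and pkt.sport == pkt.dport


def exceeds_max_datagram(pkt):
    """Ping of Death: a fragment whose reassembled datagram would exceed 65,535 bytes."""
    return IP_HEADER_MIN + pkt.frag_offset + pkt.payload_len > MAX_IP_DATAGRAM


def overlapping_fragments(pkts):
    """Teardrop: (earlier, later) pairs of same-datagram fragments whose byte ranges overlap."""
    groups = {}
    for p in pkts:
        groups.setdefault((p.src, p.dst, p.ip_id), []).append(p)
    pairs = []
    for frags in groups.values():
        frags.sort(key=lambda f: f.frag_offset)
        for a, b in zip(frags, frags[1:]):
            if b.frag_offset < a.frag_offset + a.payload_len:
                pairs.append((a, b))
    return pairs


def triage(pkts):
    """Run all three checks and bucket the hits by attack name."""
    return {
        "land": [p for p in pkts if is_land(p)],
        "ping_of_death": [p for p in pkts if exceeds_max_datagram(p)],
        "teardrop": overlapping_fragments(pkts),
    }


# Constructed sample traffic (RFC 5737 documentation addresses).
SAMPLE = [
    # benign two-fragment datagram: the second fragment starts exactly where the first ends
    Fragment("198.51.100.7", "192.0.2.10", 53, 53, 0x1001, 0, 1480, True),
    Fragment("198.51.100.7", "192.0.2.10", 53, 53, 0x1001, 1480, 20, False),
    # Teardrop: the second fragment's offset falls inside the first fragment
    Fragment("203.0.113.5", "192.0.2.10", 0, 0, 0x2002, 0, 36, True),
    Fragment("203.0.113.5", "192.0.2.10", 0, 0, 0x2002, 24, 4, False),
    # Land: SYN to port 139 with the victim's own address as the source
    Fragment("192.0.2.10", "192.0.2.10", 139, 139, 0x3003, 0, 40, False, syn=True),
    # Ping of Death: a last fragment at the maximum offset pushes the total past 65,535
    Fragment("203.0.113.9", "192.0.2.10", 0, 0, 0x4004, 65528, 100, False),
]

if __name__ == "__main__":
    for name, hits in triage(SAMPLE).items():
        print(f"{name}: {len(hits)} hit(s)")
```

The overlap test is deliberately strict: any later fragment that begins before the previous one ends is reported, which is the condition modern stacks reject outright rather than trying to trim. The size check uses the fragment's offset plus its length so that an oversized datagram is caught on the last fragment, before any buffer is sized from the declared total.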
What are key firewall-based defenses against DoS attacks?
Block or rate-limit inbound ICMP at the perimeter, use upstream filtering and scrubbing centers to absorb volumetric traffic, apply stateful-inspection and next-generation firewall protections (SYN flood thresholds, per-source connection limits), keep systems patched against crash-type attacks, and place proxies in front of the servers.
What was a notable real-world DoS attack against GitHub in 2018?
A memcached UDP amplification attack on 28 February 2018 that peaked at about 1.35 Tbps, the largest DDoS recorded at the time; GitHub was offline for minutes before traffic was rerouted to its DDoS mitigation provider and scrubbed.
What was a notable DoS incident involving the Boston Globe in 2017?
A large-scale DDoS attack that interrupted bostonglobe.com; mitigated by the ISP using anti-DDoS measures.
What is a UDP flood attack?
Flooding random ports on a target with UDP packets, usually from spoofed sources; for each packet the target checks for a listening application and, finding none, replies with an ICMP Destination Unreachable message, so both the flood and the replies consume its resources until it slows or becomes unreachable.
What is an ICMP flood attack?
Flooding a target with a high volume of ICMP echo request (ping) packets so that it spends bandwidth and CPU receiving and answering them, crowding out legitimate traffic; rate-limiting or blocking inbound ICMP at the network edge mitigates it.