Denial of Service (DoS) is
an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting CPU resources, memory, bandwidth, and disk space
Attacks
overload services with invalid requests that consume significant resources
Internet Control Message Protocol (ICMP)
one of the main IP protocols, used by network devices like routers to send error messages indicating that a requested service is not available
flood ping command attack
classic DoS attack that aims to overwhelm the capacity of the network connection to the target organization. Packets are discarded as the link's capacity is exceeded
source address spoofing
makes it harder to detect attacking systems
backscatter traffic
scatters the IP addresses across the Internet, so inspecting a packet's header is not sufficient to identify its source
SYN spoofing
another common DoS attack, which attacks the ability of a server to respond to future TCP connection requests by overflowing the tables used to manage them. Legitimate users are denied access to the server. This attack targets system resources, focusing on the network-handling code in the OS
tcp connection handshake
the client sends a SYN with its sequence number; the server receives it and replies with a SYN-ACK carrying the server's sequence number; the client receives the SYN-ACK and then sends an ACK back to the server
SYN spoofing attack uses
addresses that will not respond to the SYN-ACK with a RST
Types of flooding attacks
ICMP Flood, UDP flood, and TCP SYN flood
DDoS control hierarchy
Attacker sends a single command to the handler zombies; each handler automatically forwards it to all the agents under its control
Application-based bandwidth attacks
Force the victim system to execute resource-consuming operations
VoIP Session Initiation Protocol (SIP) flood
attacker sends many INVITE requests, placing a major burden on the proxies
HTTP-based attacks
Attempts to monopolize a Web server by sending HTTP requests that never complete
Spidering
Bots starting from a given HTTP link and following all links on the provided Web site in a recursive way
Reflection attacks
Attacker sends packets to a known service on the intermediary with a spoofed source address of the actual target system. The goal is to generate a large enough volume of packets to flood the link to the target system without alerting the intermediary
Reflection attacks variation
A further variation creates a self-contained loop between the intermediary and the target. Usually the UDP echo service is used for this: the attacker sends a large UDP packet to the echo service on the intermediary using a spoofed source address of the echo service on the target system
DNS reflection attacks
Use packets directed at a legitimate DNS server as the intermediary system. The attacker creates a series of DNS requests containing the spoofed source address of the target system, exploiting DNS behavior to convert a small request into a much larger response (amplification). The target is flooded with responses
Four lines of defense against DDoS attacks
Attack prevention and preemption (before the attack); attack detection and filtering (during the attack); attack source traceback and identification (during and after the attack); attack reaction (after the attack)
You notice attack traffic coming from legitimate DNS servers directed at your network. What type of attack is this most likely?
DNS Reflection attack, which uses legitimate DNS servers as intermediaries to amplify attack traffic.
You notice your database server CPU is maxed out processing seemingly legitimate but complex queries. What type of attack is this?
Application-based attack
What's the key difference in target between UDP Flood and TCP SYN Flood attacks?
UDP Flood targets network bandwidth by sending packets to random ports, while TCP SYN Flood targets server TCP resources by exhausting connection tables.
How does a DNS Reflection attack achieve amplification?
It sends small DNS requests with spoofed source addresses, causing DNS servers to send larger responses to the victim, multiplying the attack traffic.
Which attack type is most likely to evade basic IP blocking defenses and why?
DDoS attacks, because they come from multiple legitimate-looking sources
Why are Reflection Attacks particularly dangerous compared to direct flooding attacks?
Hide the attacker's identity by using legitimate servers
Amplify the attack (small requests generate larger responses)
Are harder to block since traffic comes from legitimate services
Traffic analysis shows ping requests from thousands of different IP addresses. What type of attack is this?
Distributed ICMP Flood (DDoS)
Why can UDP Flood attacks work even when targeting non-existent services?
Because the goal is to consume bandwidth - whether the service exists or not, the network still has to handle the incoming packets.
If you're seeing attack traffic from thousands of different sources simultaneously, what type of attack is this?
This is a DDoS (Distributed Denial of Service) attack, which uses multiple compromised systems (botnet) to generate attack traffic.