DDoS Eng

From EIK wiki


Written by Andris Männik

DDoS (Distributed Denial-of-Service) is an attack whose goal is to flood a system with requests from a network of computers until the system buckles under the weight of the bandwidth and can no longer process legitimate requests. If the attack comes from a wide area, it is incredibly difficult to separate legitimate traffic from illegitimate traffic. DDoS attacks are most commonly carried out with botnets: zombie computers infected with malicious software that accept commands from the attacker's own computer, so that the attacker can start and stop flooding a service with requests whenever he or she chooses.

As technology advances, discovering and remedying DDoS attacks will be much more difficult.

DDoS is a more sophisticated version of DoS.

The difference is that in a DDoS attack the requests come from a plethora of computers on many different networks, whereas in a DoS attack the requests come from a single computer on a single network.


Attack vectors

Generally, DDoS attacks can be divided into these categories:

Volumetric attacks, for example SYN flooding. This sort of attack abuses the three-way TCP handshake, in which computers send SYN packets and the receiving computer has to reply with an ACK packet. It is the most basic attack type. Even devices capable of keeping up with millions of requests are brought low by this type of attack.

Application Layer Attack - This attack relies on the disruption of information between computers. This vector suits an attacker who doesn't have a big botnet, because the attacked server has to use a lot more resources to respond to the HTTP request, and there's little bandwidth cost to the attacker, or at least a significantly lower cost than the one borne by the attacked server or system.

Fragmentation Attacks - Fragmentation is a normal part of data transmission, since each network has its own limit on the size of datagrams that it can process. This pre-configured limit is known as the MTU (maximum transmission unit). When a datagram is larger than the receiving server's MTU, it has to be fragmented so that it can be transmitted in full. The IP header of the datagram contains a flag that states whether fragmentation is allowed to take place. If the flag in the IP header is set to no fragmentation, the packet is dropped. If fragmentation is allowed, the offset tells the recipient device the exact order in which the fragments should be placed for reassembly.
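The fragmentation mechanics described above, as an added example that is not part of the original article: it splits a payload for a given MTU, reads the flag and offset fields back out of the IPv4 header, and reassembles defensively by rejecting gaps, overlaps and oversized results. The function names and the constructed packets are assumptions made for illustration.

```python
import struct

IP_HDR = 20  # bytes in an IPv4 header without options

def build_packet(ident, offset, mf, df, data):
    """Constructed minimal IPv4 packet (checksum and addresses left at zero)."""
    flags_off = (0x4000 if df else 0) | (0x2000 if mf else 0) | (offset // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR + len(data), ident,
                       flags_off, 64, 17, 0, bytes(4), bytes(4)) + data

def parse_frag(packet):
    """Return (ident, df, mf, byte_offset, data) read from an IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4
    total_len, ident, flags_off = struct.unpack("!HHH", packet[2:8])
    return (ident, bool(flags_off & 0x4000), bool(flags_off & 0x2000),
            (flags_off & 0x1FFF) * 8, packet[ihl:total_len])

def fragment(data, ident, mtu, df=False):
    """Split data for a link with this MTU; returns [] if DF forces a drop."""
    if IP_HDR + len(data) <= mtu:
        return [build_packet(ident, 0, False, df, data)]
    if df:
        return []  # "don't fragment" is set, so the packet is dropped
    step = (mtu - IP_HDR) // 8 * 8  # offsets are counted in 8-byte units
    return [build_packet(ident, off, off + step < len(data), False,
                         data[off:off + step])
            for off in range(0, len(data), step)]

def reassemble(packets, max_size=65535):
    """Rebuild one datagram; reject mixed IDs, gaps, overlaps, oversize."""
    frags = sorted((parse_frag(p) for p in packets), key=lambda f: f[3])
    if not frags or len({f[0] for f in frags}) != 1:
        raise ValueError("need fragments of exactly one datagram")
    out = b""
    for _ident, _df, mf, offset, data in frags:
        if offset != len(out):
            raise ValueError("gap or overlap at offset %d" % offset)
        if IP_HDR + offset + len(data) > max_size:
            raise ValueError("reassembled datagram exceeds maximum size")
        out += data
    if frags[-1][2]:
        raise ValueError("final fragment (MF=0) is missing")
    return out

if __name__ == "__main__":
    parts = fragment(bytes(3000), ident=7, mtu=1500)
    print([parse_frag(p)[2:4] for p in parts], len(reassemble(parts)))
```

A reassembler that enforces these checks and a timeout on incomplete datagrams limits how much memory malformed fragment streams can tie up.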

Attack amplification

DNS Reflection - By forging the victim's IP address, the attacker can make small requests to the DNS server and have the replies sent to the victim. This allows the attacker to amplify the power of his or her botnet by up to 70 times, which makes it much easier to overwhelm the victim with requests.

Chargen Reflection - A vast majority of computers and printers which are connected to the internet support a service called Chargen. It allows anyone to send a request to the device, and the device replies with a random string of letters. Chargen can be used to amplify the aforementioned DNS type attack.

Symptoms of DDoS

NOTE: Not every interruption in a service can be attributed to a DoS type attack. There are a plethora of reasons why a service might behave as it would if it were DDoS'ed, such as an administrator doing maintenance, which temporarily slows the services down or takes them offline. Nevertheless, there are signs which should be paid attention to and which might indicate that the network or service is suffering a DDoS attack.

One sign of an attack is that the computer and internet are performing slower than usual. This would be noticeable when you try to open a file or go to a website and it takes longer than usual. In addition to a system responding slowly, you might have trouble reaching a website at all. An increase of mail in your spam box can also be an indication that your computer has recently suffered a DDoS attack. Internet traffic may also be slowed down across a geographic region: when a country is experiencing a DDoS attack, the citizens of that country will suffer from poor connection speed.
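One way to spot reflected traffic at the victim's edge, added here as an example that is not part of the original article: a DNS or Chargen reply that answers no request the local network actually sent is a strong sign of reflection. The flow-record layout, the function name and the sample records are assumptions; the ports are the well-known UDP ports for DNS (53) and Chargen (19).

```python
from collections import defaultdict

REFLECTOR_PORTS = {53: "dns", 19: "chargen"}  # UDP source ports to watch

def find_reflected(flows, local_prefix, window=5.0):
    """Count inbound replies from reflector ports that answer no local request.

    flows: time-ordered (ts, src_ip, src_port, dst_ip, dst_port, size) UDP records.
    Returns {service: {"packets": n, "bytes": b, "sources": {ip, ...}}}.
    """
    pending = {}  # (server_ip, server_port, local_ip, local_port) -> request time
    report = defaultdict(lambda: {"packets": 0, "bytes": 0, "sources": set()})
    for ts, src, sport, dst, dport, size in flows:
        if src.startswith(local_prefix) and dport in REFLECTOR_PORTS:
            pending[(dst, dport, src, sport)] = ts  # request we really sent
        elif dst.startswith(local_prefix) and sport in REFLECTOR_PORTS:
            asked = pending.pop((src, sport, dst, dport), None)
            if asked is None or ts - asked > window:
                entry = report[REFLECTOR_PORTS[sport]]
                entry["packets"] += 1
                entry["bytes"] += size
                entry["sources"].add(src)
    return dict(report)

# Constructed sample records; all addresses are documentation ranges.
SAMPLE_FLOWS = [
    (0.0, "192.0.2.10", 40000, "198.51.100.53", 53, 60),    # our DNS query
    (0.1, "198.51.100.53", 53, "192.0.2.10", 40000, 120),   # its answer
    (1.0, "203.0.113.1", 53, "192.0.2.10", 1234, 3000),     # nobody asked
    (1.0, "203.0.113.2", 53, "192.0.2.10", 1234, 3000),     # nobody asked
    (1.1, "203.0.113.3", 19, "192.0.2.10", 1234, 1000),     # chargen reply
]

if __name__ == "__main__":
    for service, stats in find_reflected(SAMPLE_FLOWS, "192.0.2.").items():
        print(service, stats["packets"], stats["bytes"], sorted(stats["sources"]))
```

The per-service byte counts and the number of distinct sources are the figures an upstream provider or scrubbing service will ask for when filtering is requested.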

Prevention of DDoS

The easiest and also most expensive solution would be to buy more bandwidth. For example: if you have 10000 systems, all of which are capable of sending traffic at 1 Mbps, then cumulatively you can send 10 Gbps of data. A systems administrator might also want to expand out to more servers in different data centers so that the load is better distributed between servers. If the traffic is spread out well between the servers, then each single server can handle its share of the traffic better. Nowadays, though, upping the bandwidth isn't a cost-effective solution, but it is nevertheless a solution. One of the most critical parts of a system is the DNS server. Generally it's a bad idea to leave it open for others to access. Restricting access to the DNS servers might be an option so that they can't be attacked so easily.

Similarly, what will happen if those servers are under attack? Even if the website itself is reachable, without a connection to the DNS server the domain name cannot be converted into an IP address, which is also bad. A majority of providers use two DNS servers when registering a domain, but often enough two DNS servers aren't enough. A systems administrator has to make sure that the DNS is as well protected as the web services and other affiliated resources.

When assessing your network, there are quite a few measures to undertake in order to protect the network layer. You have to ascertain that the router doesn't forward bad packets, deny ICMP, and use proper firewall software. Another idea would be to close all unused ports. A lot of ISPs offer a service that blocks access to specified ports, which would be better than restricting access to them yourself. Should the company be the recipient of an attack, the ISP will help the company manage it.

Something to keep in mind would be how to mitigate an attack. It would be very wise to have a plan to quickly swap dynamic resources for static resources. If doing this, it would be highly advisable to have systems which would pick up attacks. There's no worse situation for a company than having its systems offline, which is why it's necessary to be ready to go on the counter-offensive as soon as the attack begins. Stopping a DDoS attack is very complicated because it's incredibly difficult to find the attack's point of origin. That is why you have to set up, from the get-go, an infrastructure which is hard to break into and is up to the security standards of today.

Defending Against DDoS Attacks

Preparing for a DDoS attack is something every company should think about in advance, so that if an attack happens there's a general idea of what to do. DDoS attacks cannot be prevented, but some steps can be taken to make it harder for an attacker to render a network unresponsive.

One of the things that can be done concerns the architecture. It is imperative to make the architecture as resistant as possible.

The following steps will help spread out organizational assets so as to avoid making things easy for the attacker:

   To place servers in different data centers.
   To make sure that data centers are located on different networks.
   To make sure that the data centers have no bottlenecks.

For a company that depends on the internet and servers, it is important to make sure that resources are geographically dispersed.

Overall, priorities for architecture should be geographic diversity, provider diversity, and elimination of bottlenecks. While these are best practices for general business continuity and disaster recovery, they will help ensure organizational resiliency in response to a DDoS attack.


Deploy hardware that can handle known attack types, and use the options built into that hardware to protect network resources. Adding more powerful or specialised hardware won't prevent attacks from happening, but taking these steps will lessen the impact of an attack.

Hardware upgrading is effective against SYN flood attacks. Most modern hardware, network firewalls and web application firewalls will generally have a setting that allows a network operator to start closing out TCP connections if the requests are frequent enough.


There are services available that are made for responding to these attacks. Such a service is called a scrubbing service, or rather a cloud scrubbing service, as the traffic gets rerouted through the scrubbing service before it ever hits the victim's network. Like all of the aforementioned ideas, it would be best to implement this before any actual DDoS attack takes place.

Mitigating damage

It's nigh on impossible to stop a DDoS attack, which is why, instead of trying to stop it, it might be better to mitigate the damage the attackers might do. For any damage mitigation to work, there has to be a plan that takes effect at the earliest stages of the attack. For that to happen you must know the early signs of a DDoS attack, and to know them you have to monitor the network traffic so that you can discover any unusual activity taking place.

Another good approach is to frequently scan the network and web applications to discover vulnerabilities in the system early. Protecting your infrastructure means protecting the laptops, servers and other devices which can be used in making a botnet. There are some applications, like IBM Security, which protect devices from application layer attacks and have been shown to deter minor DDoS attacks.


Nowadays, DDoS attacks are among the most common attacks in cyberspace and take place every day. It's an attack in which the attacker takes advantage of other computers whose owners are unaware that their computers are being used to make these attacks. These computers are put into a network and used to attack one or several targets by sending the victims millions of data packets. Even though a DDoS attack is nigh impossible to stop, the systems administrator has to do everything in his or her power to ensure the safety of the network. All system administrators should get acquainted with this type of attack, because that's the best way to mitigate damage.
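One concrete form of the traffic monitoring described above, tied to the SYN flooding covered under attack vectors, as an added example that is not part of the original article: it tracks half-open TCP connections per server and raises an alert once their number crosses a threshold. The record layout, the threshold, the timeout and the sample capture are assumptions made for illustration.

```python
from collections import defaultdict

def detect_syn_flood(packets, threshold=100, timeout=30.0):
    """Alert when one server accumulates too many half-open TCP connections.

    packets: time-ordered (ts, src_ip, src_port, dst_ip, dst_port, flags),
    flags being "S" (SYN), "A" (ACK) or "R" (RST) as seen at the server.
    Returns [(ts, (server_ip, server_port), half_open_count), ...].
    """
    half_open = defaultdict(dict)  # server -> {client: time of its SYN}
    alerts, alerted = [], set()
    for ts, src, sport, dst, dport, flags in packets:
        server, client = (dst, dport), (src, sport)
        conns = half_open[server]
        if flags == "S":
            conns[client] = ts
            # Forget SYNs older than the timeout, as the server's stack would.
            for old in [c for c, t in conns.items() if ts - t > timeout]:
                del conns[old]
            if len(conns) >= threshold and server not in alerted:
                alerted.add(server)
                alerts.append((ts, server, len(conns)))
        elif flags in ("A", "R"):
            conns.pop(client, None)  # handshake completed or reset
    return alerts

def sample_traffic():
    """Constructed capture: 5 normal handshakes, then 150 SYNs never completed."""
    web = ("198.51.100.80", 80)
    pkts = []
    for i in range(5):
        pkts.append((i, "192.0.2.%d" % (i + 1), 50000, *web, "S"))
        pkts.append((i + 0.2, "192.0.2.%d" % (i + 1), 50000, *web, "A"))
    for i in range(150):
        pkts.append((10 + i * 0.01, "203.0.113.%d" % (i % 250), 1024 + i, *web, "S"))
    return pkts

if __name__ == "__main__":
    print(detect_syn_flood(sample_traffic()))
```

The normal handshakes in the sample never count towards the alert because each one is removed as soon as the client's ACK arrives; only connections left half-open accumulate.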