Networking – Distributed Denial of Service

You may have heard the term DDoS-ing from some kid playing in the same lobby as you trying to threaten you. But with the technology today, it isn’t too hard to get your hands on your own DDoS software/services. There are already thousands of DDoS-ing tools and services out there, most don’t really work well. The time and effort required for launching a proper DDoS attack is pretty high. nowadays, there are many anti-DDoS services, some even for free such as CloudFlare and it does work pretty well against attacks. For this post, we will just cover the types of DDoS attacks.

 A DDoS is a cyberattack on a server, service, website, or network floods it with Internet traffic. If the traffic overwhelms the target, its server, service, website, or network is rendered inoperable. 


Before reading this post please make sure you are well aware of the OSI model. There are 3 different types of attacks if you ever used a DDoS service.

  • Volume Based Attacks – These types of attack includes attacks such UDP floods, ICMP floods, or other attacks which try to overload the target’s bandwidth. These are often measured in bits per second
  • Application Layer Attacks – These types of attacks target Layer 7, these include trying to take down the target’s services such as Apache or targetting their Operating System. Often, this is harder to detect than the other attacks, as most of the request does seem legitimate.
  • Protocol Attacks – This type of attack includes attacks such as Ping of Death, Smurf DDoS, or SYN flood. Where it tries to overload the server by flooding it with packets

Common Layers Attacks

Application – Layer 7

These attacks the application layer, trying to cause resource starvation. This can be done by trying to abuse POST GET or HTTP requests. Things such as spamming and uploading large files, or spamming their feedback form.

Presentation – Layer 6

As the presentation is in charge of decrypting and encrypting, attackers are able to perform attacks to this layer by sending malformed SSL requests. As it takes quite a bit of time to ensure that the SSL packets are valid,

Transport – Layer 4

Most attacks tries to attack this layer, as it uses the protocol TCP/UDP, attacks such as SYN flood and so on occurs in this layer. The point of attacking this layer usually is the try to reach bandwidth limit or try to max our connections logging out legitimate users.

Network – Layer 3

This layer is mainly used to routing data to different networks and LAN. The protocol used in these layers are IP, ICMP, ARP, and most routers work on this layer. The usual types of attacks for this layer are the ping of death, ping flooding, and so on

Common DDoS/DoS Attacks

SYN Flood

Due to how the TCP protocol uses a three way handshake to verify it’s packets. Attackers can often abuse this by sending TCP/SYN packers, usually with a spoofed IP. Which results in the target opening a connection request by sending back an TCP/SYN-ACK packet, which is basically an acknowledgement. However, since the packets which were sent were not from a real address there is no response, leaving the connection open till it times out. Attacks can send thousands of packets like these, forcing the target to create many half-open connections, which in result does not allow the server to respond to legitimate requests.

Ping Flood

This attack is a pretty simple attack, where all it does is overwhelm the target with ICMP echo request packets. Spamming the target with a ping request, often with a spoofed IP, and not waiting for a reply. Which forces the target to reply to the ping request. Do this as fast as possible, and you can overwhelm the target, as the server does require some resources to be able to process the ping request, and in order to form a response.

Slow Loris

Simple yet deathly, this attack tries to open as many connections as possible, and tries to keep them alive. Doing this many times would eventually reach the server’s open connections limit, resulting in blocking legitimate requests. It keeps the connection alive by sending a partial request every few seconds, but never completing the request. The web server, thinking it’s just a user with slow connection, would leave the connection open which overtime builds up. It was really effectively mainly towards both Apache 1 and Apache 2, however it is a pretty easy attack to mitigate

HTTP Flood

This attack usually requires an already made botnet to work this attacks simply sends a large amount of GET, POST or other HTTP requests towards the web server. Therefore, the more bots you have, the more request you send, the more resources is required for the server, eventually crashing it. Since, attacks usually do not spoof their IP for these attacks, it’s difficult to understand which is an attack and which is a legitimate request.

UDP Flood

The name sums up the attack, the attack involves the attacker flooding a server with any many UDP packets as possible. Unlike TCP, UDP does not require a three way handshake, it doesn’t ensure if its a legitimate connection, which allows attackers to use UDP channels to send large volumes of traffic to the target. Attacks often can use a huge number of spoofed UDP packets to send towards the target which can often exhaust their bandwidth. Since this attacks bombards random ports the server will try to find an application which is related to the packets received, which takes up more resources.

DNS Amplification

This is one of the more common types of amplification attacks. We had to deal with this attack personally and it really was not pleasant. Anyways, the attack involves sending massive amount of fake DNS lookup requests and directing it to the target’s website instead. The response will usually end up being much bigger than the request. For an example, the attacker can send a DNS request, lets say 30 bytes, and the DNS resolver can send back a DNS response of 150 bytes, which is a difference of 5 times.

NTP Amplification

NTP also known as Network Time Protocol, is actually one of the older network protocols. It’s used by computers and machines to synchronize their clocks. You are able to query from NTP servers for a list of the last 600 hosts that connected to their server. Attackers can then send a query to the NTP server using a spoofed IP, which redirects the reply of the 600 last hosts to the target. Do this a thousand times to many different NTP servers, and you can take down any unprotected server.

Leave a Reply