Denial Of Service Attacks
COEN 150 Project
Denial-of-service (DOS) attacks are a serious problem for users, computers, and
networks alike. By examining the many methods of attack, such as attacking network
connectivity, using your own resources against you, bandwidth consumption, and the
consumption of other resources, users can identify what kind of DOS attack they are
dealing with. Furthermore, users face three degrees of attack, regular DOS, distributed
DOS, and distributed reflection DOS, with each degree increasing in size, strength, and
speed of damage inflicted. With all these methods and degrees of DOS attacks, users must
have some way of protecting their computers and networks. Fortunately, CERT provides
users with countermeasures to some, if not most, DOS attacks. Nevertheless, as systems
become more complicated and the Internet continues growing, DOS attacks will increase in
frequency and strength. Meanwhile, even as others continue to battle these attacks, many
people do not take them seriously. That might change, since some DOS attacks have the
potential to endanger lives in addition to damaging computers and networks. Therefore,
DOS attacks are not to be taken lightly: they are dangerous and attack our computers,
networks, and trust.
Imagine having a job that requires an access card to use the computers, but one
day, your access card does not work for some reason. Did someone or something
deactivate your account or even worse, steal it? Well, after wasting a whole day of work
trying to solve the problem, you realize someone has tampered with the access codes
since your coworkers are also denied access to the computers. As a result, the company
loses a great deal of time, money, and production trying to solve the problem in addition
to finding other ways to gain access to the computers. This form of attack is called a
denial-of-service (DOS) attack, which is an intruder's attempt to prevent legitimate users
of a service from using that service. In this case, the employees are denied work,
while the company is denied production, which means both sides cannot survive
without each other.
In general, DOS attacks are usually created intentionally and are often malicious.
First, they can flood the network, which prevents legitimate network traffic. Second, they
can disrupt services to a specific system or person and also prevent legitimate users from
accessing a service. Last, DOS attacks can disrupt connections between two machines.
Consequently, these attacks can disable your computer or your network, and if launched
on a larger scale, the damage increases tremendously. Hence, as the Internet grows,
the problem of DOS attacks grows with it because they affect more people.
A lot of people including myself have not realized how damaging DOS attacks can
be until we experience them directly or indirectly. In my case, I am currently dealing with
a DOS attack, where I cannot use the services of Yahoo, MSN, or Google. Therefore, this
serves as a motivation to research, learn, and protect against DOS attacks, in addition to
letting others know these attacks are not to be taken lightly. However, this project is not a
solution to DOS attacks, as time and resources are limited, but rather a guide to the major
issues of classifying, preventing, and responding to them. But before going into detail
about DOS attacks, one must know how Transmission Control Protocol (TCP)
connections work, since they are essential for two computers to connect to each other over
Without going into much detail, for two computers to establish a connection with
each other, typically three Internet packets must be sent between the TCP client (web
browser, ftp client, etc.) and TCP server, which is also known as the TCP Three-Way
Handshake. In the diagram below, the TCP client starts the connection by sending a SYN
packet to the TCP server. The SYN packet contains the IP address of the machine that
originated the packet and the IP address of the machine that will receive the packet.
After receiving the SYN packet, the server sends an acknowledgement (ACK) that it has
received the packet and also sends its own SYN packet to establish a connection going
the other way. If the client receives the SYN/ACK packet, it will reply with an ACK of
its own. Accordingly, the server receives the ACK from the client, granting both sides a
two-way TCP connection where data can flow freely back and forth between the client
and the server. However, during a DOS attack, and in particular a SYN attack, this
connection is never established, and the attack can also cause the server to crash. This
specific attack will be explained in further detail in the next section.
Methods of DOS Attacks
According to CERT (Computer Emergency Response Team), there are three basic
types of attacks. The first type of attack is the consumption of scarce, limited, or non-
renewable resources, while the second type is the destruction or alteration of
configuration information. The third type is the physical destruction or alteration of
network components.
Consumption of Scarce Resources
Of the three types of DOS attacks, this one is the most common and frustrating
attack against computers and networks, because computers and networks rely heavily on
network bandwidth, memory, disk space, CPU time, data structures, and access to other
computers and networks. Environmental factors also matter, including power, cool air, and
even water. If any of these resources operates in the wrong way or does not operate at all,
computers and networks cannot function correctly, making life difficult for everyone.
One form of this attack is an attack on network connectivity. Basically, an
intruder attempts to prevent hosts or networks from communicating on the network. A
SYN attack is an example of this, and it directly attacks TCP connections. In a SYN
attack, an intruder can spoof the source IP return address (where the packet originated
from) when sending the SYN packet to the server. Automatically, the server will receive
the spoofed SYN packet and respond with a SYN/ACK packet to a random IP address,
which is shown in the diagram below.
Since the packet is being sent to a random IP address, the server will never receive an
ACK from the client. After a while, it will resend a SYN/ACK packet, believing its first
packet was just lost. While that continues, the intruder can keep sending spoofed packets,
flooding the server's buffer with "half-open" connections. Consequently, valid
connections might eventually fail, since the server is busy accommodating the spoofed
connection requests.
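The half-open queue described above, as an added Python simulation that is not part of this paper or of its sources: a classic server with a bounded backlog refuses a legitimate client once spoofed SYNs fill the queue, while a SYN-cookie server (a countermeasure the paper does not cover, shown here as an alternative) stores nothing per SYN and still completes the legitimate handshake. The secret key, backlog size and addresses are constructed assumptions.

```python
import hashlib
import hmac
from collections import deque
SECRET = b"constructed-example-secret"  # assumption: the server's own secret key
BACKLOG = 4                              # tiny half-open queue so exhaustion is visible
MASK = 0xFFFFFFFF                        # TCP sequence numbers are 32-bit

class StatefulServer:
    """Classic server: every SYN reserves a slot in a bounded half-open queue."""
    def __init__(self, backlog=BACKLOG):
        self.half_open = deque()  # (client_ip, client_port, server_isn)
        self.backlog, self.established, self.dropped_syn = backlog, [], 0

    def on_syn(self, src_ip, src_port):
        if len(self.half_open) >= self.backlog:
            self.dropped_syn += 1  # queue full: even a legitimate SYN is refused
            return None
        isn = (1000 + len(self.half_open)) & MASK
        self.half_open.append((src_ip, src_port, isn))
        return isn  # sent in the SYN/ACK; the client's ACK must carry isn + 1

    def on_ack(self, src_ip, src_port, ack):
        for entry in list(self.half_open):
            if entry[:2] == (src_ip, src_port) and ack == (entry[2] + 1) & MASK:
                self.half_open.remove(entry)
                self.established.append(entry[:2])
                return True
        return False

def syn_cookie(src_ip, src_port, counter):
    """Stateless ISN: a keyed hash of the flow plus a slowly ticking counter."""
    msg = f"{src_ip}:{src_port}:{counter}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")

class CookieServer:
    """SYN-cookie server: stores nothing per SYN, so spoofed SYNs cost no memory."""
    def __init__(self):
        self.established, self.counter = [], 7  # counter ticks periodically in reality

    def on_syn(self, src_ip, src_port):
        return syn_cookie(src_ip, src_port, self.counter)  # no queue entry at all

    def on_ack(self, src_ip, src_port, ack):
        for c in (self.counter, self.counter - 1):  # accept the previous tick too
            if ack == (syn_cookie(src_ip, src_port, c) + 1) & MASK:
                self.established.append((src_ip, src_port))
                return True
        return False

def run_flood(server, spoofed=6):
    """Feed spoofed SYNs that are never ACKed, then try one legitimate handshake."""
    for i in range(spoofed):
        server.on_syn(f"203.0.113.{i}", 40000 + i)  # constructed spoofed sources
    isn = server.on_syn("198.51.100.10", 5555)  # constructed legitimate client
    return isn is not None and server.on_ack("198.51.100.10", 5555, (isn + 1) & MASK)
```

With the default six spoofed SYNs, run_flood returns False for StatefulServer (the legitimate SYN is refused) and True for CookieServer.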
Another form of this attack is an intruder using your own resources against you.
An intruder can use forged UDP packets to connect a host's chargen service to the echo
service on another machine. This congests the network and eventually denies service to
all hosts on the same network, since these two machines consume all available network
bandwidth exchanging the forged UDP packets. A third form of this attack is bandwidth
consumption, where an intruder consumes all of the network's bandwidth by
generating a large number of packets directed at your network.
The last form of this attack is the consumption of other resources that are needed
for computers to operate. Intruders can focus on data structures that hold process
information and corrupt them by implementing programs or scripts that simply create
copies of themselves and do nothing. Other ways for intruders to consume disk space are
placing files in anonymous ftp areas or network shares, generating intentional errors that
must be logged, and generating excessive numbers of mail messages. Also, if there is no
limit on the amount of data that can be written, anything that allows data to be written to
disk can be used for future DOS attacks. Last, unexpected data sent over the network can
also cause the system to crash or become unstable.
Destruction or Alteration of Configuration Information
The second type of DOS attack is just as damaging as the first type because it
cripples the computer and/or network. This can happen if an intruder changes or destroys
configuration information that prevents a user from using the computer or network. One
way they can do this is by modifying the registry on a Windows machine. Another way
an intruder can prevent a user from using the network is by changing the routing
information in the routers. Fortunately, a user can reconfigure their computer, but it is
still a time-consuming task. In the end, if the computer is improperly configured, whether
because of an intruder or by user mistake, it might not work well or work at all.
Physical Destruction or Alteration of Network Components
The last type of DOS attack is easier to protect against and monitor, since it deals
for the most part with physical security rather than virtual security. In essence, this
corresponds to the protection of critical network components such as computers,
routers, wiring, power, and cooling stations. Since the attacks are on physical
components, the components can be replaced, although that can get expensive. For
instance, if someone cuts a wire, network traffic can be rerouted while technicians
replace or fix the cut wire. All in all, the third type of DOS attack can be prevented with
the right physical security measures and can be alleviated by repair or replacement.
Three Stages of DOS
For the most part, the previous five pages describe a typical DOS attack where
one machine attacks another. Unfortunately, DOS attacks have transformed into
sophisticated ones that inflict great damage on computers and networks at a much quicker
rate. One such method of attack is called a distributed DOS (DDOS) where the combined
bandwidth of multiple machines is focused onto a single target machine or network as the
diagram illustrates. In the second stage of DOS, the intruder attacks the target machine or
network indirectly, using zombies to do its dirty work, as the diagram shows.
In that regard, the attacker supervises the attacks and covers his tracks after the attacks
are completed to avoid being traced. For that reason, DDOS is a much more dangerous
attack than a regular DOS attack: it increases the severity and quickness of the attack
while minimizing the risk of being traced.
The final stage of DOS, called distributed DOS with reflectors (DRDOS), is the most
dangerous, because reflectors make the attack more effective and safer for the intruder,
increasing the damage while decreasing the risk of being traced. An intruder would use
legitimate TCP servers as reflectors by sending spoofed SYN packets to these servers. As
a result, these TCP servers respond with SYN/ACK packets that flood the network chosen
for the attack, as shown in the diagram.
With the addition of reflectors, DRDOS is a safer attack for the intruder than DDOS,
because it would be hard to trace back the source of the spoofed SYN packets when the
SYN/ACKs arrive from many different legitimate TCP servers all over the Internet.
Although these three stages of DOS differ in size, strength, and speed, they all have
one common goal of denying legitimate users of a service from using that service.
Famous DOS Occurrences
Before moving on to preventing and responding to DOS attacks, it is important to
remember a few famous occurrences of DOS attacks because these attacks still serve a
purpose of being an inspiration for intruders to create newer DOS attacks in the present
time as well as for the future. It is equally important that computer users study and learn
these older DOS attacks for future reference against more advanced DOS attacks.
Moreover, these past occurrences should make people take notice and action against
future DOS attacks by monitoring and securing their computers and networks. In this
section, three famous DOS attacks are described.
One famous DOS attack is the Ping of Death. In this attack, an intruder creates a
packet that exceeds the maximum 65,536 bytes of data allowed by the IP specification,
causing the computer that receives the packet to crash, hang, or reboot. Luckily, most
operating systems have fixed the problem of dealing with oversized packets.
Nevertheless, not all operating systems have, and this is a concern, because if they are not
willing to fix this problem, they probably have not protected themselves against other
DOS attacks very well either.
Another famous DOS attack is the Teardrop attack, which exploits a requirement
made by the Internet Protocol (IP). This requirement entails that any packet that is too
large must be divided into IP fragments for the router to handle it. The Teardrop attack, in
turn, creates a series of IP fragments with overlapping offset fields, causing some systems
to crash, hang, or reboot when the fragments are reassembled at their destination.
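Added example (not from the paper or its sources): a small Python IP fragment reassembler that rejects the two malformed cases just described, a datagram that would grow past the IP length limit (Ping of Death) and a fragment whose offset overlaps data already received (Teardrop), instead of blindly copying bytes. The Fragment class and the sample inputs are constructed for illustration.

```python
from dataclasses import dataclass
IP_MAX_LEN = 65535  # largest datagram the 16-bit IP total-length field can describe

@dataclass(frozen=True)
class Fragment:
    """One IP fragment as the reassembler sees it (constructed, not captured)."""
    ident: int       # identification field shared by all fragments of a datagram
    offset: int      # byte offset of this fragment (header field counts 8-byte units)
    payload: bytes
    more: bool       # MF flag: True on every fragment except the last

class FragmentError(ValueError):
    pass

def reassemble(fragments):
    """Rebuild one datagram, refusing the malformed cases the attacks rely on."""
    frags = sorted(fragments, key=lambda f: f.offset)
    if not frags or len({f.ident for f in frags}) != 1:
        raise FragmentError("mixed")
    out, expected = bytearray(), 0
    for i, f in enumerate(frags):
        end = f.offset + len(f.payload)
        if f.offset % 8:
            raise FragmentError("misaligned")
        if end > IP_MAX_LEN:
            raise FragmentError("oversized")    # Ping of Death: beyond the IP limit
        if f.offset < expected:
            raise FragmentError("overlap")      # Teardrop: offset overlaps earlier data
        if f.offset > expected:
            raise FragmentError("hole")         # incomplete; a real stack would wait
        if f.more == (i == len(frags) - 1):
            raise FragmentError("flags")        # MF must be set on all but the last
        out += f.payload
        expected = end
    return bytes(out)

def classify(fragments):
    """Return 'ok' or the reason the fragment set was rejected."""
    try:
        reassemble(fragments)
        return "ok"
    except FragmentError as err:
        return str(err)

def make_fragments(ident, total, chunk=1480):
    """Split a constructed payload of `total` bytes into well-formed fragments."""
    data = (bytes(range(256)) * (total // 256 + 1))[:total]
    return [Fragment(ident, off, data[off:off + chunk], more=off + chunk < total)
            for off in range(0, total, chunk)]

# Constructed inputs: a valid 3000-byte datagram, a Ping-of-Death-sized one, and
# a Teardrop-style pair whose second fragment starts inside the first.
VALID = make_fragments(1, 3000)
TOO_BIG = make_fragments(2, 66000)
OVERLAP = [Fragment(3, 0, b"A" * 16, True), Fragment(3, 8, b"B" * 16, False)]
```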
One more famous DOS attack is the Smurf attack, which is sometimes labeled as
a brute force attack. In this attack, an intruder sends an IP ping (echo) request to a server.
Within that local network, however, the packet is broadcast to each host connected to
the network, since the destination IP address of each packet is the broadcast address of the
network, causing more congestion. To complicate this problem, an intruder can also
spoof the return address, so that lots of ping replies are directed to an innocent host.
Eventually, if the pings flood the spoofed host, it will no longer receive legitimate traffic
or be able to distinguish it from false traffic.
Two other famous DOS attacks that were described earlier are the SYN attack and
the UDP flood attack that dealt with the chargen and echo services. In short, intruders
created these DOS attacks by exploiting weaknesses in the system such as the TCP
connection and the echo service. Accordingly, CERT has come up with ways to minimize
these weaknesses, prevent DOS attacks, and respond to them.
Depending on the user's needs, there are several ways to protect their computer
and network from DOS attacks. The first way of detecting a possible DOS attack is to
check for any abnormal system routines or a change in system performance. Furthermore,
users are advised to routinely examine the physical security of their equipment, such
as servers, routers, wiring, etc. Another countermeasure a user can take is to make and
keep backups of configuration information. Last, a user should disable any unneeded and
unused network services, because intruders can exploit weaknesses in these services to
launch their DOS attacks on the user's system. The next countermeasures can also be
implemented if they are available.
To lessen exposure to certain DOS attacks and to help prevent users on the same
network from launching certain DOS attacks, a user can implement router filters. To
guard against a SYN attack, a user can install patches to reduce exposure to these attacks.
Another countermeasure a user can implement is to enable quota systems on their
operating system, because they can separate critical functions from other functions once
the file system is partitioned. Other countermeasures a user can use are Tripwire, a tool
to track any changes in configuration information, and redundant and fault-tolerant
network configurations. With all these ways to protect computers and networks, it is
surprising that a lot of people and companies do not take the initiative to actually invest
in and implement these countermeasures, since DOS attacks are frequent.
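Added example (not from the paper or from CERT): the "router filters" countermeasure expressed as a small Python edge filter, under the assumption that the filters are anti-spoofing rules. It drops outbound packets whose source address is not one of the site's own prefixes (so hosts on this network cannot launch spoofed SYN or Smurf traffic), inbound packets claiming an inside source, and inbound packets aimed at a local broadcast address (which would turn the subnet into a Smurf amplifier). The prefixes and the traffic sample are constructed.

```python
import ipaddress

# Constructed site layout (an assumption for this example): the prefixes the edge
# router treats as inside. Everything else is "the Internet".
INSIDE = [ipaddress.ip_network("192.0.2.0/24"),
          ipaddress.ip_network("198.51.100.0/25")]

def is_inside(addr):
    """True if addr belongs to one of the site's own prefixes."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in INSIDE)

def is_local_broadcast(addr):
    """True if addr is the broadcast address of one of the site's subnets."""
    a = ipaddress.ip_address(addr)
    return any(a == net.broadcast_address for net in INSIDE)

def filter_packet(direction, src, dst):
    """Decide one packet at the edge; direction is 'in' (from the Internet) or 'out'.

    Returns ('pass', None) or ('drop', reason).
    """
    if direction == "out" and not is_inside(src):
        return "drop", "egress-spoof"        # our host forging its source address
    if direction == "in" and is_inside(src):
        return "drop", "ingress-spoof"       # outside packet pretending to be ours
    if direction == "in" and is_local_broadcast(dst):
        return "drop", "directed-broadcast"  # Smurf amplifier traffic
    return "pass", None

def apply_filters(packets):
    """Run the filter over (direction, src, dst) tuples; count drops per reason."""
    dropped = {}
    for direction, src, dst in packets:
        verdict, reason = filter_packet(direction, src, dst)
        if verdict == "drop":
            dropped[reason] = dropped.get(reason, 0) + 1
    return dropped

# Constructed traffic sample, not captured data.
SAMPLE = [
    ("out", "192.0.2.10", "203.0.113.5"),     # normal outbound request
    ("out", "10.9.8.7", "203.0.113.5"),       # inside host forging its source address
    ("in", "203.0.113.5", "192.0.2.10"),      # normal reply from the Internet
    ("in", "192.0.2.44", "192.0.2.10"),       # outside packet claiming an inside source
    ("in", "203.0.113.9", "192.0.2.255"),     # ping aimed at the /24 broadcast address
    ("in", "203.0.113.9", "198.51.100.127"),  # ping aimed at the /25 broadcast address
]
```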
Although much has been written about DOS attacks and their varying degrees,
types, and damages, there are still lingering issues on fighting and preventing these
attacks from happening. What can be done if users, companies, and even the government
take DOS attacks lightly compared to other computer and physical threats? People will
only take notice once something cripples their computers, networks, or even lives. The
latter is a major concern if a future DOS attack halts emergency calls, causes a massive
power outage, or disrupts telecommunications. As a consequence, lives are in danger,
which makes a powerful case that DOS attacks are just as dangerous as other forms of
attacks. It is up to the users, companies, and governments to research, understand, and
prevent future DOS attacks. As for my situation, I still have not found the root cause of
my search engines’ failures to search or even connect. Hopefully, someone or something
will detect my problem in the near future and publish it for others who deal with the same
My contribution to the subject of DOS attacks is nothing new compared with
other related work, but I wanted to present it clearly enough for anyone to pick up and
understand the major issues tied with these attacks. I have focused on the types, stages,
and characteristics of these attacks, and several ways to circumvent them. Also, I wanted
to convey the message that DOS attacks are serious and that even the smallest attack can
be a nuisance just like my case. Without a doubt, there are many unresolved issues with
DOS attacks because as the Internet grows and systems progress with more technological
advancements, more sophisticated attacks are likely to follow. This has been
demonstrated throughout computer history, but it is our job to minimize the damage DOS
attacks inflict so that it does not progress to the point of harming human lives. As for
future work, I will try to solve my problem, and if I do, I might publish how I detect,
solve, and protect against it.
1. CERT Coordination Center. Denial of Service Attacks. Carnegie Mellon University,
1997, 1999.
2. Gibson, Steve. Distributed Reflection Denial of Service. Gibson Research
Corporation, February 22, 2002.
3. Manzano, Yanet. Tracing the Development of Denial of Service Attacks: A
Corporate Analogy. The Association for Computing Machinery, Inc., 2003.
4. Whatis. Denial of service. May 16, 2001.