By now you are aware, in a general way, of the dangers of the Internet, and you have explored a few basic rules for protection on the Internet. In Chapter 3, “Cyber Stalking, Fraud, and Abuse,” you were introduced to some fraud, stalking, and related crimes. It is now time to become more specific about how attacks on systems are conducted. In this chapter, we will examine one category of attack that might be used to cause harm to a target computer system. This chapter will describe for you, in depth, the workings of the denial of service (DoS) attack. This threat is one of the most common attacks on the Internet, so it is prudent for you to understand how it works and how to defend yourself against it. Further, in the exercises at the end of the book, you will practice stopping a DoS attack. In information security, the old adage that “knowledge is power” is not only good advice but also an axiom upon which to build your entire security outlook.

DoS Attacks

DoS attacks are actually much simpler than many other attacks, and thus they are quite prevalent. This type of attack does not even attempt to intrude on your system or to obtain sensitive information; it simply aims to prevent legitimate users from accessing the system. This type of attack is fairly easy to execute and requires a minimum of technical skill. It is based on the fact that any device has operational limits. For example, a truck can only carry a finite load or travel a finite distance. Computers, like other machines, have limits. Any computer system, web server, or network can only handle a finite load. A workload for a computer system may be defined by the number of simultaneous users, the size of files, the speed of data transmission, or the amount of data stored. If you exceed any of those limits, the excess load will stop the system from responding. For example, if you can flood a web server with more requests than it can process, it will be overloaded and will no longer be able to respond to further requests. Every technology has limits; if you can exceed those limits, then you can take the system offline. This reality underlies the DoS attack: Simply overload the system with requests, and it will no longer be able to respond to legitimate users attempting to access the web server.

Illustrating an Attack

One simple way to illustrate a DoS attack, especially in a classroom setting, involves the use of the ping command discussed in Chapter 2, “Networks and the Internet”:

  1. Start a web server service running on one machine. (You can use Apache, IIS, or any web server.)

  2. Ask several people to open their browsers and key the IP address of that machine into the address bar. They should then be viewing the default website for that web server.

    Now you can do a rather primitive DoS attack on the system. Recall from Chapter 2 that typing in ping /? will show you all the options for the ping command. The -l option sets the size of the payload in each packet. Remember that an IP packet (ping uses ICMP carried in IP, not TCP) can be only of a finite size, so you are going to set these packets to be almost as large as you can send. The -w option determines how many milliseconds the ping utility will wait for a response from the target; you are going to use -w 0 so that the ping utility does not wait at all. Then -t instructs the ping utility to keep sending packets until explicitly told to stop.

  3. Open the command prompt in Windows 7/8/8.1/10/11 (or the shell in UNIX/Linux).

  4. Type in ping <address of target machine> -l 65000 -w 0 -t. You will then see something very much like what is shown in Figure 4.1. Note that, in the figure, I am pinging the loopback address for my own machine. You will want to substitute the address of the machine on which you are running the web server. These switches belong to the Windows ping; on Linux the payload size is set with -s (65507 bytes is the maximum), continuous sending is the default, and -f selects flood mode, which ordinarily requires root.


Figure 4.1 ping from the command prompt.

What is happening at this point is that this single machine is continually pinging away at the target machine. Of course, just one machine in your classroom or lab that is simply pinging on your web server is not going to adversely affect the web server. However, you can now, one by one, get other machines in the classroom pinging the server in the same way. After adding each batch of three or four machines to the attack, try to go to the web server’s default web page. After a certain threshold (that is, a certain number of machines pinging the server), the web server will stop responding to requests, and you will no longer be able to see the web page.

How many machines it takes to deny service depends on the web server you are using. In order to see this denial happen with as few machines involved as possible, you could use a very low-capacity PC as your web server (that is, the least RAM and CPU possible). For example, running an Apache web server on a simple laptop running Windows 7 Home Edition, it can take about 15 machines each running about 10 different command windows simultaneously pinging to cause a web server to stop responding to legitimate requests. This strategy is, of course, counter to what you would normally select for a web server; no real web server would be running on a simple laptop with Windows 7 Home Edition (or even Windows 10). Likewise, actual DoS attacks use much more sophisticated methods. This simple exercise, however, demonstrates the basic principle behind the DoS attack: Simply flood the target machine with so many packets that it can no longer respond to legitimate requests. It is important to be aware that this is just an illustration. With modern servers, and many servers actually being hosted in clusters or server farms, this exact illustration would not work against a modern target.

Generally, the methods used for DoS attacks are significantly more sophisticated than the example provided here. For instance, a hacker might develop a small virus whose sole purpose is to infect as many computers as possible and then get each of the infected computers to initiate a DoS attack on the target. Once the virus has spread, the various machines that are infected with that virus begin their flood of the target system. This sort of DoS attack is easy to do, and it can be hard to stop. A DoS attack that is launched from several different machines is called a distributed denial of service (DDoS) attack.

Regardless of the methods or the tools (many of which we will describe in this chapter), DoS and DDoS attacks are becoming even more prevalent. According to Calyptix Security, the first quarter of 2018 set records for DoS and DDoS attacks.1 One of the most massive DDoS attacks in history hit the GitHub site on February 28, 2018, peaking at about 1.3 Tbps; it was a reflection attack that abused exposed memcached servers. That record was broken just 5 days later.


There are other disturbing trends in DoS attacks. According to one report, in January of 2022 over 17% of victims of DoS attacks were first targeted by a threat demanding ransom.2 Another 2022 report details an increase in application layer DDoS attacks, that is, attacks on layer 7 of the OSI model that exhaust a server with expensive requests (HTTP floods, for instance) rather than with raw packet volume.3



Distributed Reflection Denial of Service Attacks

As previously stated, DDoS attacks are becoming more common. Most such attacks rely on getting various machines (servers or workstations) to attack the target. A distributed reflection denial of service (DRDoS) attack is a special type of DDoS attack. As with all such attacks, it is accomplished by the hacker getting a number of machines to attack the selected target. However, this attack works a bit differently than other DoS attacks. Rather than compromising computers and ordering them to attack the target, this method tricks uncompromised Internet hosts, classically routers, into sending their replies to the target.

The classic example involves the routers of the Internet backbone, which speak BGP to each other on TCP port 179. A distributed reflection DoS attack exploits that communication line and gets routers to attack a target system. What makes this attack particularly wicked is that it does not require the routers in question to be compromised in any way. The attacker does not need to get any sort of software on the router to get it to participate in the attack. Instead, the hacker sends a stream of TCP SYN packets to the various routers requesting a connection. The packets have been altered (spoofed) so that they appear to come from the target system's IP address. Each router dutifully answers with a SYN/ACK addressed to the target. A flood of SYN/ACKs from many routers all hits the same target system, rendering it unreachable. The same trick works against any service that answers a spoofed request, and modern reflection attacks favor UDP services such as DNS, NTP, SSDP, memcached and CLDAP because their replies are many times larger than the requests (amplification). Two conditions make reflection possible: the attacker's network does not filter packets with forged source addresses (ingress filtering, BCP 38, closes this gap), and the reflector answers requests from any source.
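The following is an added example, not code from the book, showing how a defender would spot reflection traffic in flow records rather than how an attacker generates it. It looks for hosts receiving replies from many distinct reflectors: oversized UDP replies from the well-known amplifier ports, and, for the router case described above, TCP flows from port 179 whose only flags are SYN+ACK (a reply to a SYN the victim never sent). The flow records, thresholds and port list are constructed assumptions for the example.

```python
"""Flag hosts that look like reflection/amplification victims in flow records.

Added example (not code from the book). The flow records below are
constructed; in practice they would come from a NetFlow/IPFIX collector.
"""
from collections import defaultdict

# Reply source ports of services commonly abused as reflectors. The book's
# router example appears as TCP/179 (BGP) SYN/ACKs sent to a host that never
# sent a SYN; the UDP services are the amplifiers favored today.
UDP_REFLECTORS = {53: "DNS", 123: "NTP", 389: "CLDAP", 1900: "SSDP", 11211: "memcached"}
BGP_PORT = 179


def classify_reply(flow, min_bytes_per_pkt=300):
    """Return the reflector service name if this flow is a suspicious reply, else None.

    Normal DNS/NTP answers are small; amplified replies are large, so the
    bytes-per-packet ratio separates ordinary client traffic from attack traffic.
    """
    if flow["proto"] == "udp" and flow["sport"] in UDP_REFLECTORS:
        if flow["pkts"] and flow["bytes"] / flow["pkts"] >= min_bytes_per_pkt:
            return UDP_REFLECTORS[flow["sport"]]
    elif flow["proto"] == "tcp" and flow["sport"] == BGP_PORT:
        # Cumulative TCP flags of exactly SYN+ACK: a half-open reply with no
        # SYN from the victim's side ever seen by the collector.
        if flow.get("flags") == "SA":
            return "BGP SYN/ACK"
    return None


def find_reflection_victims(flows, min_reflectors=3):
    """Map victim IP -> {service: set of reflector IPs} for destinations that
    receive suspicious replies from at least min_reflectors distinct sources."""
    seen = defaultdict(lambda: defaultdict(set))
    for flow in flows:
        service = classify_reply(flow)
        if service:
            seen[flow["dst"]][service].add(flow["src"])
    victims = {}
    for dst, services in seen.items():
        hits = {svc: srcs for svc, srcs in services.items() if len(srcs) >= min_reflectors}
        if hits:
            victims[dst] = hits
    return victims


def _flow(src, sport, dst, dport, proto, pkts, nbytes, flags=None):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "proto": proto, "pkts": pkts, "bytes": nbytes, "flags": flags}


# Constructed sample: 203.0.113.10 is being hit by large NTP replies from five
# servers and by SYN/ACKs from three routers; 198.51.100.7 is an ordinary client
# doing normal-sized DNS lookups and must not be flagged.
SAMPLE_FLOWS = [
    _flow(f"192.0.2.{i}", 123, "203.0.113.10", 40000 + i, "udp", 100, 48200) for i in range(1, 6)
] + [
    _flow(f"192.0.2.{i}", 179, "203.0.113.10", 50000 + i, "tcp", 20, 1200, "SA") for i in range(10, 13)
] + [
    _flow("192.0.2.53", 53, "198.51.100.7", 33333, "udp", 4, 360),
    _flow("192.0.2.54", 53, "198.51.100.7", 33334, "udp", 4, 340),
]


def report(flows=SAMPLE_FLOWS):
    return find_reflection_victims(flows)


if __name__ == "__main__":
    for victim, services in report().items():
        for svc, reflectors in services.items():
            print(f"{victim}: {len(reflectors)} {svc} reflectors -> {sorted(reflectors)}")
```

The bytes-per-packet threshold is what keeps a busy resolver or NTP client from being reported; the distinct-source count is what distinguishes a reflection attack from one misbehaving server.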

Common Tools Used for DoS Attacks

As with any of the security issues discussed in this book, you will find that hackers have at their disposal a vast array of tools. The DoS arena is no different. While it is certainly well beyond the scope of this book to begin to categorize or discuss all of these tools, a brief introduction to just a few of them will prove useful.

Low Orbit Ion Cannon

Low Orbit Ion Cannon (LOIC) is one of the most widely known DoS tools available. It has a very easy-to-use graphical user interface, shown in Figure 4.2.


Figure 4.2 LOIC.

This tool is very easy to use. As you can see in Figure 4.2, it simply requires the user to put in the target URL or IP address and then begin the attack. Fortunately, this tool does nothing to hide the attacker’s address and thus makes it relatively easy to trace an attack back to its source. It is an older tool but still widely used today. There is a tool similar to this named High Orbit Ion Cannon (HOIC).


XOIC

XOIC is similar to LOIC. It has three modes, as shown in Figure 4.3: You can send a message, execute a brief test, or start a DoS attack.


Figure 4.3 XOIC.

Like LOIC, XOIC is very easy to use. It is just a point-and-click graphical user interface. Even attackers with minimal skill can use it to launch DoS attacks.


TFN and TFN2K

Tribe Flood Network (TFN) and TFN2K are two of the oldest DDoS tools and are not widely used today. They are included here for historical purposes. TFN2K is a newer version of TFN that supports both Windows and UNIX platforms (and can easily be ported to additional platforms). It has some features that make detection more difficult than with its predecessor, including sending decoy information to avoid being traced. Experts at using TFN2K can use the resources of a number of agents to coordinate an attack against one or more targets. In addition, TFN and TFN2K can perform various attacks, such as UDP flood attacks, ICMP flood attacks, and TCP SYN flood attacks (all discussed later in this chapter).

TFN2K works on two fronts. First, there is a command-driven client on the master system. Second, there is a daemon process operating on an agent system. The attack works like this:

  1. The master instructs its agents to attack a list of designated targets.

  2. The agents respond by flooding the targets with a barrage of packets.


With this tool, multiple agents, coordinated by the master, can work together during the attack to disrupt access to the target. In addition, a number of “safety” features for the attacker significantly complicate development of effective and efficient countermeasures for TFN2K:

  • Master-to-agent communications are encrypted and may be mixed with any number of decoy packets.

  • Both master-to-agent communications and the attacks themselves can be sent via randomized TCP, UDP, and ICMP packets.

  • The master can falsify (spoof) its IP address.


Stacheldraht

Stacheldraht is not as widely known as the previously mentioned DoS tools. Stacheldraht, which is German for “barbed wire,” is a DDoS attack tool that combines features of the Trinoo DDoS tool (another common tool) with the source code from the TFN DDoS attack tool. Like TFN2K, it adds encryption of communication between the attacker and the Stacheldraht masters. It also adds an automatic updating of the agents.

Stacheldraht can perform a variety of attacks, including UDP flood, ICMP flood, TCP SYN flood, and Smurf attacks. It also tests whether the network it sits on will let packets with forged source addresses out and, if so, automatically enables source address forgery.

DoS Weaknesses

The weakness in any DoS attack, from the attacker’s point of view, is that the flood of packets must be sustained. As soon as the packets stop being sent, the target system is back up. A DoS/DDoS attack, however, is very often used in conjunction with another form of attack, such as disabling one side of a connection in TCP hijacking or preventing authentication or logging between servers.

If the hacker is using a distributed attack, as soon as the administrators or owners of the infected machines realize their machines are infected, they will take steps to remove the malware and thus stop the attack. If a hacker attempts to launch an attack from her own machine, she must be aware that each packet has the potential to be traced back to its source. This means that a single hacker conducting a DoS attack from her own address runs a real risk of being identified by the authorities. For this reason, the DDoS attack (often combined with spoofed or reflected traffic) has become the most common form of DoS attack. The specifics of DDoS attacks will be discussed later in this chapter.

Specific DoS Attacks

The basic concept of a DoS attack is not complicated. The real problem for an attacker is performing an attack without being caught. The next few sections of this chapter will examine some specific types of DoS attacks and look at specific case studies. This information should help you gain a deeper understanding of this particular Internet threat.

TCP SYN Flood Attacks

Modern systems largely mitigate this attack, but floods of SYN packets are still among the most common attacks seen on the Internet, and the technique is a classic in the annals of cyber threats that bears a brief discussion. This particular attack depends on the hacker’s knowledge of how connections to a server are made. When a session is initiated between the client and server in a network using TCP, a packet is sent to the server with a 1-bit flag called a SYN (or synchronize) flag set. This packet asks the target server to please synchronize communications. The server then allocates appropriate resources and sends to the client a packet with both the SYN (synchronize) and the ACK (acknowledge) flags set. The client machine is then supposed to respond with an ACK flag set. The attacker sends SYNs, usually with forged source addresses, and never sends the final ACK, so the server's table of half-open connections fills up and genuine clients are refused. This process, called the three-way handshake, is summarized as follows:

  1. The client sends a packet with the SYN flag set.

  2. The server allocates resources for the client and then responds with the SYN and ACK flags set.

  3. The client responds with the ACK flag set.

There have been a number of well-known SYN flood attacks on web servers. The reason for the popularity of this attack type is that any machine that engages in TCP communication is vulnerable to it—and all machines connected to the Internet engage in TCP communications. Such communication is obviously the entire reason for web servers. The easiest way to block DoS attacks is via firewall rules. (We will discuss firewalls in detail in Chapter 9, “Computer Security Technology.”) A properly configured firewall can mitigate a SYN flood attack. There are, however, several methods and techniques you can implement on individual servers to protect against these attacks. The basic defensive techniques are as follows:

  • Micro blocks

  • SYN cookies

  • RST cookies

  • Upstream filtering

  • SPI firewalls

Some of these methods require more technical sophistication than others. These methods will be discussed in general here. When you are entrusted with defending a system against these forms of attacks, you can select the methods most appropriate for your network environment and your level of expertise and examine the system further at that time. The specifics of how to implement any of these methods will depend on the operating system that your web server is using. You will need to consult your operating system’s documentation, or appropriate websites, in order to find explicit instruction on how to implement methods.

Micro Blocks

A micro block works by allocating a small micro-record instead of a complete connection object (a full transmission control block) for each incoming SYN. In this way, an incoming SYN can consume as little as 16 bytes of memory, making it significantly more difficult to exhaust the server's resources. This method is a bit more obscure and not as widely used today as it once was. It also does not actually prevent a DoS attack; it merely raises the number of SYNs the attacker must send.


Many network administrators depend on their firewall to block DoS attacks and don’t take any remediation steps on individual servers. I suggest that you consider combining these two approaches. Yes, you should have a well-configured firewall to block many DoS attacks, but you should also consider taking mitigating steps on individual servers.

SYN Cookies

Despite the name, SYN cookies have nothing to do with the cookies that websites store in a browser. With this method, the server does not allocate a connection record when a SYN arrives. Instead, it answers with a SYN+ACK whose initial sequence number is the cookie: a value computed from a keyed hash of the client's IP address and port, the server's IP address and port, and a slowly changing timestamp, together with a few bits that encode the client's maximum segment size. When the client responds with its ACK, the acknowledgment number is that cookie plus one, so the server can recompute the hash and verify it. A forged source address never sees the SYN+ACK and so can never produce a valid ACK. Thus, the system does not allocate any memory until the third stage of the handshake. The cost is not the hash, which is cheap, but the loss of TCP options that cannot be squeezed into 32 bits (window scaling and selective acknowledgment in particular, unless the client also sends the timestamp option), so operating systems such as Linux enable cookies only when the SYN backlog overflows (net.ipv4.tcp_syncookies=1).
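To make the mechanism concrete, here is an added example (not the book's code, and not any kernel's implementation) that builds and verifies a SYN cookie with the classic layout: a 5-bit time counter, a 3-bit index into a table of MSS values, and a 24-bit keyed hash of the connection's addresses and ports. The secret key, the MSS table and the 64-second counter period are assumptions chosen for the example; the point is that nothing about the connection is stored between the SYN and the final ACK.

```python
"""SYN cookies: put the handshake state into the server's initial sequence
number so that no memory is allocated until the third packet arrives.

Added example, not the book's code or any kernel's; the layout follows the
classic scheme (5-bit time counter, 3-bit MSS index, 24-bit keyed hash).
The secret and MSS table are assumptions for the example.
"""
import hashlib
import hmac

SECRET = b"server-side secret, rotate periodically"   # assumed
# The client's MSS must be remembered without state, so it is rounded down to
# one of at most eight values that fit in the 3-bit field.
MSS_TABLE = [536, 1220, 1460, 4312, 8960]
COUNTER_PERIOD = 64   # seconds per tick of the 5-bit counter


def _keyed_hash24(src_ip, src_port, dst_ip, dst_port, tick):
    msg = f"{src_ip}:{src_port}->{dst_ip}:{dst_port}@{tick}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_mss, now):
    """Compute the ISN to send in the SYN/ACK. No per-connection state is stored."""
    tick = int(now // COUNTER_PERIOD) & 0x1F
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            mss_idx = i          # largest table entry not above the client's MSS
    h = _keyed_hash24(src_ip, src_port, dst_ip, dst_port, tick)
    return ((tick << 27) | (mss_idx << 24) | h) & 0xFFFFFFFF


def check_syn_cookie(ack_number, src_ip, src_port, dst_ip, dst_port, now, max_age_ticks=1):
    """Validate the final ACK. Returns the recovered MSS on success, else None.

    The client acknowledges ISN+1, so the cookie is ack_number-1. A forged
    source never sees the SYN/ACK and therefore cannot produce this value.
    """
    cookie = (ack_number - 1) & 0xFFFFFFFF
    tick = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    h = cookie & 0xFFFFFF
    current = int(now // COUNTER_PERIOD) & 0x1F
    if (current - tick) & 0x1F > max_age_ticks:
        return None   # stale cookie: the client took too long to answer
    expected = _keyed_hash24(src_ip, src_port, dst_ip, dst_port, tick)
    if not hmac.compare_digest(h.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None   # hash mismatch: forged or tampered ACK
    if mss_idx >= len(MSS_TABLE):
        return None
    return MSS_TABLE[mss_idx]


if __name__ == "__main__":
    client = ("198.51.100.7", 40001)
    server = ("203.0.113.10", 443)
    isn = make_syn_cookie(*client, *server, client_mss=1460, now=1000)
    print("SYN/ACK seq =", hex(isn))
    print("ACK from real client ->", check_syn_cookie(isn + 1, *client, *server, now=1002))
    print("ACK with wrong port   ->", check_syn_cookie(isn + 1, client[0], 40002, *server, now=1002))
```

Accepting the current tick and the previous one gives a client roughly one to two minutes to complete the handshake; anything older is dropped, which bounds how long a captured cookie stays useful.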

Fyi: Hashing

A hash value is a number generated from data of any length, such as a message or a file. The hash is significantly smaller than the data itself and is generated by a formula in such a way that it is extremely unlikely that some other input will produce the same hash value. Hashing plays a role in security when it is used to ensure that transmitted messages have not been tampered with. The sender generates a hash of the message, encrypts it, and sends it with the message itself. The recipient then decrypts both the message and the hash, produces another hash from the received message, and compares the two hashes. If they are the same, there is a very high probability that the message was transmitted intact. We will discuss hashing in more detail in Chapter 8, “Encryption.”

RST Cookies

Another cookie method that is easier to implement than SYN cookies is the RST cookie. In this method, the server answers the first SYN from an unknown client with a deliberately incorrect SYN+ACK. A real client rejects it with an RST packet, telling the server that something is wrong. Because only a host that actually received the SYN+ACK can send that RST, the server now knows the client's address is genuine, and it accepts the client's next SYN in the normal fashion; a spoofed source never sees the bogus SYN+ACK and never sends the RST. This method has the disadvantage of adding a round trip to the first connection and potentially causing problems with older Windows machines and with machines that are communicating from behind firewalls.

Upstream Filtering

ISPs often use a process called upstream filtering that essentially involves examining traffic to determine if it is part of a DoS attack and then blocking suspected traffic. This can also be done by using a “scrubbing” center before allowing traffic to the target.

SPI Firewalls

Today, most firewalls use stateful packet inspection. These types of firewalls apply rules to each packet, and they also maintain the state of each connection between the client and the server. They therefore notice SYN packets that are never followed by the completing ACK, and they can rate-limit half-open connections per source, limit them per protected server, or answer the SYN themselves (SYN proxying, often with SYN cookies) and only forward a connection to the server once the client has completed the handshake. Counting per source alone is not enough, because a SYN flood normally forges a different source address on every packet. This is one major reason SYN floods, while still common, rarely take down a properly protected server today. In addition, next-generation firewalls (NGFWs) combine traditional firewall and other functions, such as those of an application firewall or an intrusion detection system/prevention system (IDS/IPS).
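The following added example (not the book's code or any vendor's) shows the bookkeeping a stateful inspector does for the three-way handshake: one entry per half-open connection, removed when the ACK or a reset arrives or when it times out. It applies both reactions described above, a per-source limit that catches an unspoofed flooder and a per-destination limit that switches the protected server into SYN-cookie mode, which is the only one that helps when every SYN carries a different forged address. The traffic in simulate() is constructed, and the limits are assumptions.

```python
"""Stateful tracking of TCP handshakes, the way an SPI firewall sees a SYN flood.

Added example, not the book's code or any vendor's. Packet events are constructed.
"""


class HalfOpenTracker:
    def __init__(self, per_source_limit=5, per_dest_limit=100, timeout=30.0):
        self.per_source_limit = per_source_limit
        self.per_dest_limit = per_dest_limit
        self.timeout = timeout
        self.pending = {}         # (src, sport, dst, dport) -> time the SYN was seen
        self.blocked = set()      # source IPs that exceeded the per-source limit
        self.cookie_mode = set()  # destinations under enough pressure for SYN cookies

    def _expire(self, now):
        """Drop half-open entries whose SYN is older than the timeout."""
        stale = [k for k, t in self.pending.items() if now - t > self.timeout]
        for k in stale:
            del self.pending[k]

    def half_open_from(self, src):
        return sum(1 for k in self.pending if k[0] == src)

    def half_open_to(self, dst):
        return sum(1 for k in self.pending if k[2] == dst)

    def observe(self, now, src, sport, dst, dport, flags):
        """Feed one packet; flags is 'S' (SYN), 'SA', 'A' (final ACK) or 'R'.
        Returns the verdict for this packet."""
        self._expire(now)
        if src in self.blocked:
            return "drop"
        key = (src, sport, dst, dport)
        if flags == "S":
            self.pending[key] = now
            if self.half_open_from(src) > self.per_source_limit:
                self.blocked.add(src)
                return "block-source"
            if self.half_open_to(dst) > self.per_dest_limit:
                self.cookie_mode.add(dst)
                return "syn-cookies"
        elif flags in ("A", "R"):
            # Third packet of the handshake (or a reset) closes the half-open state.
            self.pending.pop(key, None)
        return "pass"


def simulate():
    """Constructed traffic: one well-behaved client, one unspoofed flooder,
    then a spoofed flood that can only be handled per destination."""
    fw = HalfOpenTracker(per_source_limit=5, per_dest_limit=50, timeout=30.0)
    server = "203.0.113.10"
    # Legitimate client completes the handshake: SYN, then ACK.
    fw.observe(0.0, "198.51.100.7", 40001, server, 80, "S")
    fw.observe(0.1, "198.51.100.7", 40001, server, 80, "A")
    # Unspoofed flooder sends SYNs from many ports and never ACKs.
    verdicts = [fw.observe(1.0 + i * 0.01, "192.0.2.99", 30000 + i, server, 80, "S")
                for i in range(10)]
    # Spoofed flood: every SYN from a different forged address.
    for i in range(60):
        fw.observe(5.0 + i * 0.001, f"10.{i // 256}.{i % 256}.1", 1024 + i, server, 80, "S")
    return fw, verdicts


if __name__ == "__main__":
    fw, verdicts = simulate()
    print("flooder verdicts:", verdicts)
    print("blocked sources:", sorted(fw.blocked))
    print("servers in SYN-cookie mode:", sorted(fw.cookie_mode))
    print("half-open toward server:", fw.half_open_to("203.0.113.10"))
```

Note that the legitimate client leaves no half-open state behind, the unspoofed flooder is blocked after its sixth SYN, and the spoofed flood is never attributed to any single source; only the per-destination count reveals it.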

Smurf IP Attacks

The Smurf attack is a classic version of the DoS attack. An ICMP (Internet Control Message Protocol) echo request packet is sent to the broadcast address of a network, with its source address forged to be the victim's. Every host on that network that receives the broadcast replies, and all of those replies go to the spoofed source address. The spoofed source address can be anywhere on the Internet, not just on the local subnet. If the hacker can continually send such packets, she will cause the intermediary network to perform a DoS attack on the victim, and there are many times more replies than requests. This attack is clever and rather simple. The one thing the hacker needs is a network whose border router forwards directed broadcasts (packets addressed to a subnet's broadcast address from outside); no malware on the intermediary network is required.

In a Smurf attack, there are three people/systems involved: the attacker, the victim, and the intermediary (who can also be a victim). The attacker first sends an ICMP echo request packet to the intermediary’s IP broadcast addresses. Since this is sent to the IP broadcast address, many of the machines on the intermediary’s network will receive this request packet and will send back an ICMP echo reply packet. If all the machines on a network are responding to this request, the network becomes congested, and there may be outages.

The attacker impacts the third party—the intended victim—by creating forged packets that contain the spoofed source address of the victim. Therefore, when all the machines on the intermediary’s network start replying to the echo request, those replies will flood the victim’s network. Thus, another network becomes congested and could become unusable. Figure 4.4 illustrates this attack.

The Smurf attack is an example of the creativity that some malicious parties can employ. It is sometimes viewed as the digital equivalent of the biological process in an auto-immune disorder. With such a disorder, the immune system attacks the patient’s own body. In a Smurf attack, the network performs a DoS attack on one of its own systems. This method’s cleverness illustrates why it is important to attempt to work creatively and in a forward-thinking manner if you are responsible for system security in a network. The perpetrators of computer attacks are inventive and always coming up with new techniques. If your defense is less creative and clever than the attackers’ offense, then it is simply a matter of time before your system is compromised.


Figure 4.4 Smurf attack.

There are several ways to protect your network against this problem. The most effective is to stop your routers from forwarding directed broadcasts, which is the default on modern equipment (Cisco IOS has defaulted to no ip directed-broadcast since release 12.0), so that your network cannot serve as an intermediary. Hosts can also be configured to ignore echo requests sent to a broadcast address (Linux does this by default via net.ipv4.icmp_echo_ignore_broadcasts). Filtering packets with forged source addresses at your own border (ingress filtering, BCP 38) keeps your network from originating Smurf traffic. Blocking inbound broadcast packets at the firewall and using a proxy server, as discussed in Chapter 2, so that internal IP addresses are not exposed, add further protection. Virus scanners and policies prohibiting employees from downloading applications help against the Trojan horses and bots that might be used to launch the attack from inside your network, but they do not address the directed-broadcast weakness itself. Probably the best way to protect your system is to combine these defenses.

There is a variation of a Smurf attack called a Fraggle. A Fraggle operates very much like a Smurf attack except that it specifically uses ports 7 (echo) and 19 (chargen) to a broadcast address and spoofs the intended victim’s source IP address.

UDP Flood Attacks

UDP, as you will recall from Chapter 2, is a connectionless protocol that does not require a connection setup procedure prior to data transfer. In a UDP flood attack, the attacker sends a UDP packet to a random port on a target system. When the target system receives a UDP packet, it automatically determines what application is waiting on the destination port. In this case, since there is no application waiting on the port, the target system will generate an ICMP “destination unreachable” packet and attempt to send it back to the forged source address. If enough UDP packets are delivered to ports on the target, the system will become overloaded trying to determine awaiting applications (which do not exist) and then generating and sending back packets.

ICMP Flood Attacks

There are two basic types of ICMP flood attacks: floods and nukes. An ICMP flood is usually accomplished by sending a large number of ICMP echo requests (pings), often to broadcast addresses so that the replies multiply. As with other flood attacks, the idea is to send so much data to the target system that it slows down. If it can be forced to slow down enough, the target will time out (that is, not send replies fast enough) and be disconnected from the Internet. ICMP nukes exploit known bugs in specific operating systems. The attacker sends a packet of information that he knows the operating system on the target system cannot handle. In many cases, this will cause the target system to lock up completely.

This type of attack is far less effective against modern computers than it was against older machines. Even a low-end desktop PC now will have 4GB (or more) of RAM and a dual-core processor. That makes it difficult to generate enough pings to knock the machine offline. However, at one time this was a very common form of DoS attack.

The Ping of Death

Recall from Chapter 2 that IP packets are of limited size: the length field allows at most 65,535 bytes, including the header. In some cases, simply sending a packet that is larger than that can shut down a target machine. This action is referred to as the ping of death (PoD). The hacker sends a single ping, but as a series of fragments whose reassembled size exceeds 65,535 bytes; a target that does not check the total overruns its reassembly buffer and crashes.

This attack is quite similar to the classroom example discussed earlier in this chapter, in that both send oversized pings. The difference is that PoD does not rely on volume at all: a single malformed packet is enough. PoD works to compromise systems that cannot deal with extremely large packet sizes. If such an attack is successful, the server will actually shut down completely. It can, of course, be rebooted.

The only real safeguard against PoD is to ensure that all operating systems and software are routinely patched. This attack relies on vulnerabilities in the way a particular operating system (or application) handles abnormally large IP packets. When such vulnerabilities are discovered, it is customary for the vendor to release a patch. The possibility of PoD is one reason, among many, you must keep patches updated on all of your systems.

Most denial of service attacks are properly mitigated with an appropriate firewall combined with an IDS/IPS or with a next-generation firewall. Chapter 9 discusses security devices and software in more detail.

Teardrop Attacks

In a teardrop attack, the attacker sends a fragmented message. The two fragments overlap in a way that makes it impossible to reassemble them properly without destroying the individual packet headers. Therefore, when the victim attempts to reconstruct the message, the message is destroyed. This causes the target system to halt or crash. A number of variations on the basic teardrop attack are available, such as TearDrop2, Boink, targa, Nestea Boink, NewTear, and SYNdrop.
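The following added example (not the book's code) shows both halves of the teardrop story in a few lines: the length arithmetic that the original vulnerable reassembly code performed when a fragment landed inside the previous one, and a reassembler that refuses overlapping, out-of-range or incomplete fragments as patched stacks do. Offsets are expressed in bytes rather than the 8-byte units of the IP header, and the fragments are constructed.

```python
"""IP fragment reassembly: the arithmetic teardrop abused, and a reassembler
that refuses overlapping fragments instead.

Added example, not the book's code. Offsets are in bytes rather than the
8-byte units of the IP header, and the fragments are constructed.
"""


def vulnerable_copy_length(prev_end, offset, end):
    """Length the historic reassembly code copied for a fragment that overlaps
    the previous one: it slid the start forward to prev_end and took end-start.
    With teardrop's second fragment (offset 24, end 28) arriving after a first
    fragment ending at 36, this is -8; stored in an unsigned length it became
    a huge memcpy and crashed the host."""
    start = max(offset, prev_end)
    return end - start


def reassemble(fragments, total_length):
    """Reassemble [(offset, payload_bytes), ...] into one datagram.

    Rejects fragments that overlap, run past the declared length, or leave
    gaps, which is what patched stacks do instead of trusting the offsets."""
    if total_length <= 0:
        raise ValueError("bad total length")
    buf = bytearray(total_length)
    covered = bytearray(total_length)          # 1 wherever a fragment has written
    for offset, payload in sorted(fragments, key=lambda f: f[0]):
        end = offset + len(payload)
        if offset < 0 or end > total_length:
            raise ValueError(f"fragment {offset}-{end} outside datagram of {total_length}")
        if any(covered[offset:end]):
            raise ValueError(f"fragment {offset}-{end} overlaps earlier data")
        buf[offset:end] = payload
        covered[offset:end] = b"\x01" * (end - offset)
    if not all(covered):
        raise ValueError("datagram has gaps; wait for more fragments")
    return bytes(buf)


# Constructed fragments of a 48-byte payload, split in three.
GOOD_FRAGMENTS = [(0, b"A" * 16), (16, b"B" * 16), (32, b"C" * 16)]
# Teardrop shape: the second fragment lands inside the first.
TEARDROP_FRAGMENTS = [(0, b"A" * 36), (24, b"B" * 4)]


def try_reassemble(fragments, total_length):
    """Return ('ok', data) or ('rejected', reason) so a caller can log the reason."""
    try:
        return "ok", reassemble(fragments, total_length)
    except ValueError as e:
        return "rejected", str(e)


if __name__ == "__main__":
    print("vulnerable length for teardrop fragments:", vulnerable_copy_length(36, 24, 28))
    print("good fragments:", try_reassemble(GOOD_FRAGMENTS, 48))
    print("teardrop fragments:", try_reassemble(TEARDROP_FRAGMENTS, 36))
```

Rejecting any overlap is stricter than the RFC 791 policy of letting later data overwrite earlier data, but it is the only policy that also defeats the fragment-overlap tricks used to evade intrusion detection, which is why modern IDS and firewall code takes the strict line.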

DHCP Starvation

An attacker floods the network with DHCP requests, each carrying a different forged client hardware (MAC) address, so that every lease in the pool is handed out to a client that does not exist. This exhausts the address space allocated by the DHCP servers for as long as the attacker keeps renewing the leases. This DoS attack is called DHCP starvation. An attacker can use a tool such as The Gobbler to easily commit this type of attack. Switch features such as DHCP snooping and port security (limiting the number of MAC addresses allowed on a port) are the usual defenses.


HTTP POST DoS Attacks

An HTTP POST DoS attack (also called a slow POST attack) involves sending a legitimate HTTP POST request. Part of the POST request is the Content-Length header, which indicates the size of the body to follow. In this attack, the attacker sends the actual message body at an extremely slow rate, perhaps a byte at a time, so the web server's worker sits waiting for that body to complete. For more robust servers, the attacker needs to keep many such connections open simultaneously. The defense is to limit how long a server will wait for a request body and to require a minimum transfer rate (for example, the client_body_timeout directive in nginx or the mod_reqtimeout module in Apache).
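As an added example (not the book's code and not any web server's), the body reader below enforces a minimum transfer rate and an overall deadline instead of trusting Content-Length. The client and the clock are simulated so that the slow-POST scenario runs offline; the rate and timeout values are assumptions. A real server pairs this with a socket timeout so that recv() itself can never block indefinitely.

```python
"""Defending a request-body read against slow HTTP POST: enforce a minimum
transfer rate instead of waiting as long as Content-Length promises.

Added example, not the book's code or any web server's; the client and clock
are simulated so it runs offline.
"""
import time


class SlowBodyError(Exception):
    """Raised when the client feeds the body below the required rate."""


def read_body(recv, content_length, min_bytes_per_sec=1000, check_every=5.0,
              max_total=60.0, clock=None):
    """Read content_length bytes via recv(n) -> bytes (b'' on EOF).

    Every check_every seconds the rate since the last check is compared with
    min_bytes_per_sec; the read is also capped at max_total seconds overall.
    """
    clock = clock or time.monotonic
    start = clock()
    last_check, bytes_at_check = start, 0
    body = bytearray()
    while len(body) < content_length:
        chunk = recv(min(8192, content_length - len(body)))
        if not chunk:
            raise ConnectionError("client closed before sending the whole body")
        body += chunk
        now = clock()
        if now - start > max_total:
            raise SlowBodyError(f"body not complete after {max_total}s")
        if now - last_check >= check_every:
            rate = (len(body) - bytes_at_check) / (now - last_check)
            if rate < min_bytes_per_sec:
                raise SlowBodyError(f"{rate:.0f} B/s is below {min_bytes_per_sec} B/s")
            last_check, bytes_at_check = now, len(body)
    return bytes(body)


class SimulatedClient:
    """Delivers `body` in pieces of at most `chunk` bytes, advancing a fake
    clock by `delay` seconds per recv() call (constructed test double)."""

    def __init__(self, body, chunk, delay):
        self.body, self.chunk, self.delay = body, chunk, delay
        self.pos, self.now = 0, 0.0

    def clock(self):
        return self.now

    def recv(self, n):
        self.now += self.delay
        piece = self.body[self.pos:self.pos + min(n, self.chunk)]
        self.pos += len(piece)
        return piece


def run_fast_and_slow():
    """Constructed scenario: the same 20 KB body from a client at roughly
    80 KB/s and from one trickling a byte every 10 s (the attack).
    Returns (fast_body_ok, slow_error_message)."""
    body = b"x" * 20_000
    fast = SimulatedClient(body, chunk=8000, delay=0.1)
    got = read_body(fast.recv, len(body), clock=fast.clock)
    slow = SimulatedClient(body, chunk=1, delay=10.0)
    try:
        read_body(slow.recv, len(body), clock=slow.clock)
        err = None
    except SlowBodyError as e:
        err = str(e)
    return got == body, err


if __name__ == "__main__":
    ok, err = run_fast_and_slow()
    print("fast client body complete:", ok)
    print("slow client rejected with:", err)
```

The rate check rather than a simple idle timeout is what matters: a slow-POST client is never idle long enough to trip an idle timer, it just never sends enough.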

PDoS Attacks

A permanent denial of service (PDoS) attack damages the system so badly that the victim machine needs an operating system reinstall or even new hardware. This type of attack, sometimes called phlashing, usually involves a DoS attack on the device’s firmware.

Registration DoS Attacks

An attacker can create a program that submits registration forms repeatedly, adding a large number of spurious users to an application. This is one reason many registration websites use CAPTCHA.

Login DoS Attacks

An attacker may overload the login process by continually sending login requests that require the presentation tier to access the authentication mechanism, rendering it unavailable or unreasonably slow to respond. Many websites use CAPTCHA to prevent automated login attempts.

Land Attacks

A land attack is probably the simplest attack in concept. The attacker sends a forged packet with the same source IP address and destination IP address (the target’s IP address). The idea is to drive the target system “crazy” by having it attempt to send messages to and from itself. The victim system will often be confused and will crash or reboot. More modern computers are not susceptible to this attack, but it is presented here for historical purposes.

DDoS Attacks

Perhaps the most common form of DoS attack today is the DDoS attack. This is accomplished by getting various machines to attack the target. A typical way this is done is by sending out a Trojan horse that will cause infected computers to attack a specified target at a particular date and time. This is a very effective way to execute a DDoS attack on any target. In this form of attack, the attacker does not have direct control of the various machines involved. These machines are simply infected by some malware that causes them to participate in the attack on a particular date and time.

Another method is to use a botnet to orchestrate the attack. Botnets are networks of computers that have been compromised by the attacker, giving said attacker control of the infected system. This is often accomplished via delivery of a Trojan horse. However, unlike with the form of DDoS attack just mentioned, the attacker has direct control of the attacking machines in the botnet.

Yo-Yo Attack

A yo-yo attack is a type of DoS attack that targets cloud-hosted applications that use autoscaling. The attacker essentially floods the target, causing the cloud hosting service to scale up to handle the increased traffic. The attacker then stops the attack, waits until the cloud host scales back, and then resumes the attack. Cloud services typically charge for scaling up to handle more bandwidth, so a yo-yo attack increases costs for the target.

Login Attacks

An attacker may enumerate usernames through another vulnerability in an application and then attempt to authenticate the site using valid usernames and incorrect passwords, which will lock out the accounts after a specified number of failed attempts. At that point, legitimate users will not be able to use the site.

Another login attack involves the attacker overloading the login process by continually sending login requests that require the presentation tier to access the authentication mechanism, rendering it unavailable or unreasonably slow to respond.

Many websites use CAPTCHA in order to thwart DoS attempts. If each login attempt requires the user to answer the CAPTCHA, automated tools cannot perform DoS attacks.
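The lockout problem and the CAPTCHA mitigation described above, as an added example that is not from the book: a username-only lockout policy beside one that escalates to a CAPTCHA and throttles the abusive source instead. Thresholds, class names and the two documentation-range addresses are assumptions constructed for the demonstration.

```python
from collections import defaultdict

LOCK_THRESHOLD = 5       # failures before a hard lockout of the username (assumed)
CAPTCHA_THRESHOLD = 3    # failures before a CAPTCHA is demanded for the username
SOURCE_THRESHOLD = 20    # failures from one source address before it is refused


class HardLockout:
    """Username-only lockout: a flood of bad passwords locks the real user out."""

    def __init__(self):
        self.failures = defaultdict(int)

    def attempt(self, user, source_ip, password_ok, captcha_ok=False):
        if self.failures[user] >= LOCK_THRESHOLD:
            return "locked"            # even the correct password is refused now
        if password_ok:
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        return "denied"


class SoftLockout:
    """Escalates to a CAPTCHA per username and throttles per source address."""

    def __init__(self):
        self.user_failures = defaultdict(int)
        self.source_failures = defaultdict(int)

    def attempt(self, user, source_ip, password_ok, captcha_ok=False):
        if self.source_failures[source_ip] >= SOURCE_THRESHOLD:
            return "source_throttled"  # the abusive source is cut off, not the user
        if self.user_failures[user] >= CAPTCHA_THRESHOLD and not captcha_ok:
            self.source_failures[source_ip] += 1   # unsolved challenges count against the source
            return "captcha_required"  # automated guessing stalls here
        if password_ok:
            self.user_failures[user] = 0
            return "ok"
        self.user_failures[user] += 1
        self.source_failures[source_ip] += 1
        return "denied"


def simulate(policy_cls, bad_attempts=6):
    """Constructed scenario: one source sends bad passwords for 'alice', then the
    real user logs in from another address with the right password and a solved
    CAPTCHA. Returns the outcome the legitimate user sees."""
    policy = policy_cls()
    for _ in range(bad_attempts):
        policy.attempt("alice", "198.51.100.7", password_ok=False)
    return policy.attempt("alice", "203.0.113.9", password_ok=True, captcha_ok=True)
```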

CLDAP Reflection

Connectionless Lightweight Directory Access Protocol (CLDAP) is an industry standard codified in RFC 3352.4 This protocol uses UDP rather than TCP and assigns IP addresses to new hosts connecting to the network. In a CLDAP reflection attack, attackers essentially overwhelm the network with a flood of CLDAP requests.


Degradation of Service Attacks

While the acronym is still DoS, a degradation of service attack is a bit different from a denial of service attack. The attacker targets websites with short-lived bursts of traffic. This causes the target site to respond more slowly rather than crash. This is often done on an ongoing basis to cause continual degradation of service for the target.

Challenge Collapsar Attack

In a challenge collapsar (CC) attack, the attacker sends frequent HTTP requests to the target web server. The requests include uniform resource identifiers (URIs) that require the target site to perform time-consuming database operations. The goal is to exhaust the resources of the targeted website.


A 2022 report predicts that a new attack type called an economic denial of sustainability (EDoS) attack is going to become a more prominent issue in the near future.5 The idea of this type of attack is to disrupt or discontinue the availability of cloud resources. Such an attack may involve bots that send fake requests. These attacks are often used against infrastructure as a service (IaaS) solutions.


Real-World Examples of DoS Attacks

A good deal of time has been spent discussing the basics of how various DoS attacks are conducted. By now, you should have a firm grasp of what a DoS attack is and have a basic understanding of how it works. It is now time to begin discussing specific, real-world examples of such attacks. This section will take the theoretical knowledge you have gained and give you real-world examples of its application.

Google Attack

In October 2020, a record-breaking UDP amplification attack against Google occurred. This attack, which was traced back to three Chinese Internet service providers, used several networks to spoof 167 million packets per second (mps).

AWS Attack

Also in 2020, there was a massive CLDAP reflection attack against Amazon Web Services. The attack, which used a global Mirai botnet, sent 17.2 million requests per second.

Boston Globe Attack

On November 8, 2017, the Boston Globe was hit with a large-scale DDoS attack against its website and other websites owned by the company. The attack also interrupted the company’s telephones. The attack was only stopped by the company’s Internet service provider implementing anti-DDoS measures, such as throttling bandwidth.

Memcache Attacks

In February 2017 a new DDoS attack vector emerged. Attackers used memcache, a database caching system, to amplify traffic volume. A request could be amplified by a factor of several thousand by using this method. The aforementioned GitHub attack involved memcaching.

DDoS Blackmail

In November 2015, the Australian company FastMail was the victim of a DDoS attack. First the system was attacked and knocked offline. After the second attack, the victim received a ransom demand. The attackers demanded 20 bitcoins to call off the attack. A similar attack had previously been launched against ProtonMail, also demanding a ransom to stop the attacks.


Mirai is malware that turns Linux-based machines into a botnet to be used in DDoS attacks. It was first seen in August 2016. This malware targets Internet of Things (IoT) devices as the basis for DDoS attacks.

How to Defend Against DoS Attacks

There is no guaranteed way to prevent all DoS attacks, just as there is no sure way to prevent a hacking attack. However, there are steps you can take to minimize the danger. Some methodologies, such as SYN cookies and RST cookies, have already been mentioned. In this section, a few of the steps you can take to make your system less susceptible to a DoS attack will be examined.

One of the first things to consider is how these attacks are perpetrated. They may be executed via ICMP packets that are used to send error messages on the Internet or that are sent using the ping and traceroute utilities. If you have a firewall (and you absolutely should have one), then simply configuring it to refuse ICMP packets from outside your network will be a major step in protecting your network from DoS attacks. Since DoS/DDoS attacks can be executed via a wide variety of protocols, you can also configure your firewall to disallow any incoming traffic at all, regardless of what protocol or port it occurs on. This step may seem radical, but it is certainly a secure one.

In Practice

Blocking ICMP Packets

There are very few legitimate reasons (and, some would argue, no good reasons) for an ICMP packet from outside your network to enter your network. Thus, blocking such packets is very often one part of a strategy to defend against DoS attacks. Incidentally, blocking these packets will also make it more difficult for an attacker to scan your network (as we will see in Chapter 12, “Cyber Terrorism and Information Warfare”).

It is also possible to detect some threats from certain DoS tools, such as TFN2K, by using network status tools like netstat. Many of these tools can be configured to look for the SYN_RECEIVED state, which could indicate a SYN flood attack.
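The netstat check just described, as an added example that is not from the book: it counts half-open TCP sockets (SYN_RECV on Linux, SYN_RECEIVED on Windows) per local port and reports ports whose count crosses a threshold, along with how many distinct remote addresses are involved. The netstat output is constructed inline for the example, and the threshold is an assumption to be tuned for the server in question.

```python
from collections import Counter, defaultdict

HALF_OPEN_STATES = ("SYN_RECV", "SYN_RECEIVED")   # Linux and Windows/BSD spellings
HEADER = "Proto Recv-Q Send-Q Local Address           Foreign Address         State"


def constructed_netstat(half_open):
    """Build `netstat -ant`-style output (constructed, not captured): a listening
    socket, one established connection, and `half_open` half-open connections to
    port 443 from distinct documentation-range (192.0.2.0/24) addresses."""
    lines = [HEADER,
             "tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN",
             "tcp        0      0 203.0.113.10:443        198.51.100.4:51312      ESTABLISHED"]
    for i in range(half_open):
        lines.append(f"tcp        0      0 203.0.113.10:443        "
                     f"192.0.2.{i % 254 + 1}:{40000 + i}      SYN_RECV")
    return "\n".join(lines)


def half_open_connections(netstat_output):
    """Yield (local_port, remote_ip) for every half-open TCP socket.

    Uses the last three columns (local, foreign, state) so the same parser
    handles the Linux six-column and the Windows four-column layouts."""
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].lower().startswith("tcp"):
            continue
        local, remote, state = fields[-3], fields[-2], fields[-1]
        if state not in HALF_OPEN_STATES:
            continue
        local_port = local.rsplit(":", 1)[1]     # rsplit also copes with IPv6 "::"
        remote_ip = remote.rsplit(":", 1)[0]
        yield local_port, remote_ip


def syn_flood_report(netstat_output, port_threshold=50):
    """Return {port: (half_open_count, distinct_sources)} for each local port
    with at least `port_threshold` half-open sockets. Many distinct sources
    behind one port is the typical (often spoofed) SYN flood signature."""
    per_port = Counter()
    sources = defaultdict(set)
    for port, ip in half_open_connections(netstat_output):
        per_port[port] += 1
        sources[port].add(ip)
    return {port: (count, len(sources[port]))
            for port, count in per_port.items() if count >= port_threshold}
```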

If your network is large enough to have internal routers, then you can configure those routers to disallow any traffic that does not originate with your network. In that way, should packets make it past your firewall, they will not be propagated throughout the network. You should also consider disabling directed IP broadcasts on all routers. This strategy will prevent a router from sending broadcast packets to all machines on the network, thus stopping many DoS attacks. In addition, you can install a filter on a router to verify that external packets actually have external IP addresses and that internal IP addresses have internal IP addresses.
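The router filtering rules in this paragraph, together with the land attack described earlier in the chapter, as an added example that is not from the book. It models a border router's forwarding decision with Python's `ipaddress` module: drop packets whose source equals their destination, drop internal source addresses arriving on the external interface and non-internal sources leaving the internal side, and drop packets addressed to a local subnet's directed-broadcast address. The interface names and address ranges are constructed for the example.

```python
import ipaddress

# Constructed address plan: private ranges used inside the network, and the
# two local subnets whose directed-broadcast addresses must not be forwarded.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
LOCAL_SUBNETS = [ipaddress.ip_network("192.168.1.0/24"),
                 ipaddress.ip_network("192.168.2.0/24")]
EXTERNAL_IFACE, INTERNAL_IFACE = "wan", "lan"   # assumed interface names


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def filter_packet(src, dst, ingress_iface):
    """Return ("forward", reason) or ("drop", reason) for a packet that arrived
    on `ingress_iface` with IP source `src` and destination `dst`."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src == dst:
        return "drop", "land attack: source equals destination"
    if ingress_iface == EXTERNAL_IFACE and is_internal(src):
        return "drop", "spoofed internal source on external interface"
    if ingress_iface == INTERNAL_IFACE and not is_internal(src):
        return "drop", "non-internal source leaving the internal network"
    if any(dst == net.broadcast_address for net in LOCAL_SUBNETS):
        return "drop", "directed broadcast to a local subnet"
    return "forward", "ok"


def apply_filter(packets):
    """Run a batch of (src, dst, iface) tuples through the filter and return
    the number dropped plus the reasons, in order, for each dropped packet."""
    reasons = [filter_packet(*pkt)[1] for pkt in packets
               if filter_packet(*pkt)[0] == "drop"]
    return len(reasons), reasons
```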

Because many distributed DoS attacks depend on “unwitting” computers being used as launch points, one way to reduce such attacks is to protect your computer against virus attacks and Trojan horses. This problem will be discussed in more detail in a later chapter, but for now, it is important that you remember three things:

  • Always use virus-scanning software and keep it updated.

  • Always keep operating system and software patches updated.

  • Have an organizational policy stating that employees cannot download anything onto their machines unless the download has been cleared by the IT staff.

Blackholing and sinkholing are techniques that are often used to mitigate DoS and DDoS attacks. If traffic is determined to be a DoS attack, that traffic is sent to a black hole—that is, a nonexistent server/interface. Internet service providers also use this tactic. Sinkholes are IP addresses that are used to analyze traffic and reject bad packets. Traffic is sent to a sinkhole so that it can be analyzed.

In addition, intrusion prevention systems (IPSs) are commonly used to examine traffic and block denial of service attacks.

As previously stated, none of these steps will make your network totally secure from either being the victim of a DoS attack or being the launch point for one, but they will help reduce the chances of either occurring. A combination of blackholing and sinkholing at the ISP with IPSs on the network can provide reasonable protection. A good resource for this topic is the SANS Institute website, at This site has some good tips on how to prevent DoS attacks.


DoS attacks are among the most common attacks on the Internet. They are easy to perform, do not require a great deal of sophistication on the part of the perpetrator, and can have devastating effects on the target system. Only virus attacks are more common. (And, in some cases, a virus can be the source of a DoS attack.) In the exercises, you will practice stopping a DoS attack.

