Cyber Attacks Explained – DoS and DDoS

Scope of Article

With this article we are starting a new series covering the important cyber attacks that weaken the IT security infrastructure of organizations. With the rapid spread of internet technologies and applications, there is an unfortunate rise in prying eyes trying to hack into systems. These attacks are usually carried out to gain fame or money, or to cause reputational loss to a firm. The first in the series is the Denial of Service (DoS) attack and its Distributed Denial of Service (DDoS) variant. We will look at how these attacks work technically, and also discuss ways to stop them at the network's doorstep.

How DoS Works

The fundamental technique behind a denial of service attack is to keep the target system busy. When a server receives a network packet, every component from the network interface card up to the application running under the operating system is involved in handling it. Each of these components can exhibit some form of weakness, and a DoS attack is devised to exploit one or more of them in order to penetrate the system.

The TCP protocol works using a handshake between the sender and the receiver. When the sender wants to communicate, it sends a SYN packet with its own IP address as the source and the receiver's IP address as the destination. The receiver responds with a SYN-ACK packet, and the sender confirms by sending an ACK packet. At this point both parties are ready to communicate. Data is then exchanged with ACK confirmations, and the connection is gracefully closed with FIN and FIN-ACK signals.

A DoS attack exploits this exchange by tweaking the TCP packets in such a way that the server is fooled into responding to each and every malformed request. This ultimately exhausts the server's resources; the server is overwhelmed and finally gives up responding.

Types of DoS Attacks

MAC Flood

A Layer 1 attack where the attacker sends multiple dummy Ethernet frames with different MAC addresses, exhausting switch memory or disrupting router routing tables.

SYN Flood

The attacker sends multiple SYN packets but does not complete the handshake. This leaves the server holding partially-open connections, exhausting memory and connection tables.
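As an added example (not code from the original article), the half-open condition described in the handshake section and in the SYN flood entry above can be spotted from packet records: the script below tracks, per time window, SYNs toward a server whose closing ACK never arrives. The packet records, the server address 192.0.2.10 and the threshold of 50 half-open handshakes per second are constructed for the example.

```python
from collections import defaultdict

# Constructed packet records (not real captures): (time_s, src_ip, dst_ip, tcp_flags)
PACKETS = (
    # a legitimate client completing the three-way handshake
    [(0.00, "10.0.0.5", "192.0.2.10", "S"),
     (0.01, "192.0.2.10", "10.0.0.5", "SA"),
     (0.02, "10.0.0.5", "192.0.2.10", "A")]
    # a burst of SYNs from 120 different sources; the server answers each
    # with SYN-ACK but no final ACK ever arrives, so they all stay half-open
    + [(0.5 + i * 0.004, f"198.51.100.{i + 1}", "192.0.2.10", "S") for i in range(120)]
    + [(0.5 + i * 0.004 + 0.001, "192.0.2.10", f"198.51.100.{i + 1}", "SA") for i in range(120)]
)


def half_open_by_window(packets, server_ip, window_s=1.0):
    """Return {window_index: count} of handshakes toward server_ip that never
    completed: a SYN was seen from a client but no bare ACK followed from it."""
    pending = {}                 # client_ip -> window index of its unanswered SYN
    counts = defaultdict(int)
    for ts, src, dst, flags in sorted(packets, key=lambda p: p[0]):
        w = int(ts // window_s)
        if dst == server_ip and flags == "S":
            pending.setdefault(src, w)
        elif dst == server_ip and flags == "A":
            pending.pop(src, None)   # handshake completed, no longer half-open
    for w in pending.values():
        counts[w] += 1
    return dict(counts)


def syn_flood_alerts(packets, server_ip, window_s=1.0, max_half_open=50):
    """Windows whose half-open count exceeds the threshold: the SYN-flood symptom."""
    return [(w, n) for w, n in sorted(half_open_by_window(packets, server_ip, window_s).items())
            if n > max_half_open]


if __name__ == "__main__":
    print(syn_flood_alerts(PACKETS, "192.0.2.10"))   # [(0, 120)]
```

On a real host the same logic can be fed from a capture tool; the legitimate client in the sample is not counted because its ACK closed the handshake.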

Ping of Death

A malformed ping packet flood that exploits TCP stack vulnerabilities, causing system resources to be consumed.

TCP Established Connection Attack

The attacker completes the handshake but never sends data. Multiple idle connections overwhelm the server as they remain open until timeout.

Smurf Attack

A Layer 3 attack where ping requests are sent to a broadcast address with the victim’s IP spoofed as the source, causing a flood of replies.

TCP RST Attack

A spoofed TCP reset (RST) packet fools firewalls into tracking fake connections, overwhelming their resources and bypassing anomaly detection.

Application Layer DoS Attacks

  • Buffer Overflow: Exploits memory handling, leading to crashes or sluggish system performance.
  • Web and DNS DoS: Flooding web servers (HTTP requests) or DNS servers with valid but excessive requests, leading to server overload.

Distributed DoS (DDoS) Attack

A DDoS attack is a well-orchestrated combination of DoS techniques, executed from multiple systems simultaneously. Modern attackers use botnets of compromised systems (zombies) to launch floods of requests at a specified time, making detection and tracing difficult.

Variants also include monetization, where infected systems are used to generate fake ad clicks for the attacker’s benefit.

Protecting FOSS Systems

There is no foolproof way to prevent DoS attacks, as distinguishing legitimate traffic from malicious traffic is inherently difficult. However, Linux FOSS systems offer many built-in protections such as firewalls, monitoring tools, and kernel hardening.

Typical symptoms include sluggish servers, high CPU/memory usage, unusual TCP packet resets, or broken SYN packets. First affected devices are often routers and firewalls. While firewalls can mitigate network-level attacks, they may fail against application-level DoS, which requires application firewalls.

For corporate networks, Intrusion Prevention Systems (IPS) are highly recommended. IPS devices work across Layer 2–7 and can detect anomalies, providing proactive defenses. A layered security approach with IPS, UTM firewalls, and application layer security is the best strategy.
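As an added example (not from the original article), the kernel hardening mentioned above can be audited against the attacks listed earlier: the script parses `sysctl -a`-style output and reports settings that leave a Linux host exposed to SYN floods (tcp_syncookies, tcp_max_syn_backlog, tcp_synack_retries), Smurf-style broadcast pings (icmp_echo_ignore_broadcasts) and spoofed sources (rp_filter). The dump is constructed, and the numeric thresholds are this example's choices rather than kernel defaults.

```python
# Constructed `sysctl -a` style output (not taken from a real host)
SYSCTL_DUMP = """\
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_max_syn_backlog = 128
net.ipv4.tcp_synack_retries = 5
net.ipv4.icmp_echo_ignore_broadcasts = 0
net.ipv4.conf.all.rp_filter = 0
kernel.hostname = web01
"""

# key -> (predicate on current value, recommended value, attack it counters).
# The numeric thresholds are this example's choices, not kernel defaults.
CHECKS = {
    "net.ipv4.tcp_syncookies": (lambda v: v == 1, 1, "SYN flood: serve SYNs without queuing state"),
    "net.ipv4.tcp_max_syn_backlog": (lambda v: v >= 1024, 1024, "SYN flood: larger half-open queue"),
    "net.ipv4.tcp_synack_retries": (lambda v: v <= 2, 2, "SYN flood: expire half-open entries sooner"),
    "net.ipv4.icmp_echo_ignore_broadcasts": (lambda v: v == 1, 1, "Smurf: ignore pings to broadcast"),
    "net.ipv4.conf.all.rp_filter": (lambda v: v in (1, 2), 1, "Spoofed sources: reverse-path filter"),
}


def parse_sysctl(text):
    """Parse 'key = value' lines into a dict of strings; other lines are skipped."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def audit(settings):
    """Return (key, current, recommended, why) for each weak or missing setting."""
    findings = []
    for key, (is_ok, recommended, why) in CHECKS.items():
        raw = settings.get(key)
        try:
            weak = not is_ok(int(raw))
        except (TypeError, ValueError):   # key missing or value not numeric
            weak = True
        if weak:
            findings.append((key, raw, recommended, why))
    return findings


def hardened_fragment(findings):
    """sysctl.d-style lines that would correct every finding."""
    return [f"{key} = {rec}" for key, _, rec, _ in findings]


if __name__ == "__main__":
    for key, cur, rec, why in audit(parse_sysctl(SYSCTL_DUMP)):
        print(f"{key}: {cur} -> {rec}  ({why})")
```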

Summary

A Denial of Service attack is one of the oldest yet most impactful types of cyber attack, capable of shutting down entire systems or networks. Web servers are common targets, and an outage causes reputational and financial loss. Firewalls and IPS devices should be combined to build strong defenses and secure the IT infrastructure.

About the Author

The author has over 18 years of experience in IT hardware, networking, web technologies, and IT security. Prashant is MCSE, MCDBA certified and an F5 load balancer expert. He is also an ethical hacker and net-forensic specialist, running his firm Valency Networks in India (www.valencynetworks.com), specializing in IT security consultancy, audits, and business process management. Contact: prashant@valencynetworks.com.
