DoS and DDoS — The Big Picture
A Denial of Service (DoS) attack tries to make a service unavailable to legitimate users. Examples: a website becomes unreachable, a server is overloaded, a router or link is saturated, or an application crashes.
A Distributed Denial of Service (DDoS) attack is the same idea, but launched from many machines at once — usually a botnet (a group of compromised devices under attacker control).
Which security property is under attack? Availability. The service may still have correct data and keep secrets confidential, but users cannot access it.
Key Terms
| Term | Meaning |
|---|---|
| IP spoofing | Faking the source IP address |
| Bot | A compromised machine controlled by the attacker |
| Botnet | Many compromised machines acting together |
| Amplification | A small request causes a much larger response or effect |
| Reflection | Trick a third party into sending traffic to the victim |
| TCP | Connection-based transport protocol |
| UDP | Connectionless protocol; no handshake |
DoS Attack Taxonomy
DoS attacks are classified along three dimensions: target discovery (scanning), source hiding (spoofing), and what system component is attacked.
Scanning Strategies
| Type | Mechanism | Coordination | Tag |
|---|---|---|---|
| Random Scanning | Each compromised computer probes random IP addresses independently | None — fully independent | Independent |
| Permutation Scanning | All bots share a common pseudo-random permutation of the IP address space | Shared permutation key | Coordinated |
| Signpost Scanning | Uses communication patterns of the compromised machine to find new targets | Organic — leverages existing traffic | Organic |
| Hitlist Scanning | A pre-built target list is supplied to each compromised machine | Central list distribution | Targeted |
IP Source Spoofing Types
Address-Space Spoof
Generates random addresses within a given address space. Fake IP belongs to a real subnet prefix.
32-bit Random Spoof
Generates fully random 32-bit numbers stamped as the source. Widest possible address randomness.
Target IP Spoof
The spoofed source is the victim's own IP. Used in reflection attacks to redirect server responses to the target.
Attack Target Classification
App-Layer Target
Attack aimed at a specific application on a server — e.g., HTTP, DNS, or SSL service.
Link-Layer Target
Overloads or crashes the communication mechanism of a network, making access unavailable.
Core-Internet Target
Attacks crucial global services — for example, Tier-1 backbone routers or Internet Exchange switches.
Network DoS & Amplification
Goal: Take out a large site with minimal attacker resources. Method: Amplification — a small number of attacker packets produces a massive effect on the victim. DDoS thrives on asymmetry: small attacker effort → huge victim pain. Examples: send a tiny request and force a huge response; send cheap requests and make the server do expensive work; send fake packets and fill server memory; abuse third-party servers to attack someone else.
Two Types of Amplification Attacks
Exploits implementation error
- Exploits a design flaw or implementation error in server code
- A single machine can crash the service
- Few specially-crafted packets → server crashes due to the bug
- Example: malformed input triggering an unhandled exception
Volume overwhelm
- Commands a large botnet to generate massive traffic volumes
- Requires many compromised bot machines working together
- Volume alone overwhelms bandwidth, memory, or CPU
- Example: UDP flood, SYN flood, HTTP flood
DoS Can Happen at Any Network Layer
- Application: Request large files, flood HTTP, RSA handshake exhaustion (10× decrypt cost)
- Transport: TCP SYN flood exhausts server connection backlog queue memory
- Network: IP spoofing, BGP route hijacking redirects global traffic to attacker
- Data Link: Flood traffic to saturate the physical link bandwidth entirely
The current Internet was not designed to handle DDoS attacks. Security was an afterthought — the original architecture assumes cooperative, well-behaved participants.
NTP/DNS Amplification Attack
NTP synchronizes clocks. Its asymmetric request/response size makes it ideal for amplification. The attacker spoofs the victim's IP as the source — the NTP/DNS server sends its large response straight to the victim.
DNS Amplification — March 2013 (309 Gbps Attack):
Attacker (spoofs victim IP) → Small Query (60 bytes) → DNS Server → Big Response (3000 bytes) → VICTIM (flooded)
50× DNS amplification factor — EDNS = Extended DNS flags enable larger responses.
Why UDP-based NTP is especially vulnerable:
Small request → large response. Attacker spends little, victim receives a lot.
UDP has no handshake — source IP can be freely spoofed to redirect responses to victim.
Difficult to ensure machines only communicate with legitimate NTP servers.
Key stats: 309 Gbps peak (March 2013), 28 min duration, 28M open DNS resolvers (2014), 3 networks used for 309 Gbps.
Why UDP is Often Abused
UDP is a favorite for attackers because it is connectionless, requires no handshake, allows source IP spoofing, and servers may respond immediately. That makes UDP-based services like DNS and NTP especially useful for amplification attacks.
UDP Floods
A UDP flood sends many UDP packets to overwhelm the target. Attackers can spoof UDP source IPs. Firewalls do not magically solve this — a firewall must still inspect huge amounts of traffic, and during a large enough flood, the firewall itself can become part of the problem.
IP & TCP — Why They're Vulnerable
IP Header
- Connectionless · Unreliable · Best-Effort
- Critical weakness: Source Address — NOT AUTHENTICATED
IP has no authentication of source address. Any machine can claim any source IP — root cause of amplification and spoofing attacks.
TCP Header
- Session-Based · Congestion Control · In-Order Delivery
- SYN flag: initiates connection
- Server must store connection state (seq numbers, port info) while waiting for ACK
TCP requires the server to store connection state (seq numbers, port info) while waiting for ACK. This is exactly what SYN flood attacks exploit.
Normal TCP 3-Way Handshake
CLIENT SERVER
| |
| SYN: seq=rand_C, ack=0 ──────────────> | (Listening)
| |
| <──────────────── SYN/ACK: seq=rand_S, ack=seq_C+1
| | (Store seq_C, seq_S)
| |
| ACK: seq=seq_C+1, ack=seq_S+1 ───────> | ✓ Established
TCP SYN Flood
After receiving a SYN, the server stores connection state and waits for ACK. The attacker sends thousands of SYNs with spoofed random source IPs — the SYN/ACKs go to random machines that never ACK back, filling the server's backlog queue until it can accept no new connections.
SYN Flood flow: Attacker (spoofed IPs) → SYN C1, SYN C2, SYN C3... → Server (QUEUE FULL)
Increasing the server's backlog queue is a non-solution. The attacker can always send more SYNs, send faster, or scale with more bots. Larger queues only delay the problem. The real fix is to remove or reduce state storage — SYN cookies.
windowsupdate.com Taken Down
Infected machines launched a synchronized SYN flood at noon on August 16th,
targeting windowsupdate.com on port 80. 50/sec SYN packets, 40B
per packet. Microsoft's Response: Changed the target domain to
windowsupdate.microsoft.com — the worm had the old domain
hardcoded.
Defense: SYN Cookies
Remove state from the server entirely. Encode connection info into the SYN/ACK's sequence number using a keyed hash. No memory allocated until valid ACK arrives.
SNS = ( T · mss · L )
L = MACkey(SAddr, SPort,
DAddr, DPort, SNC, T) [24 bits]
No Overhead
SYN cookies are only activated when flooding is detected. During normal operation, standard stateful TCP is used with no performance penalty.
Stateless Mode
Server encodes state in SN_S and discards the SYN queue entry. When legitimate client ACKs, server recomputes cookie to verify. Only valid ACKs get a socket.
Server must reject all TCP options during cookie mode (the SYN queue entry that held them was discarded). Small correctness cost, massive availability gain.
Proxy-Based Defense (CloudFlare / Prolexic)
For very large DDoS attacks, the issue is not only the server's memory — uplinks, routers, and surrounding infrastructure can also be overloaded. Proxies and CDNs (e.g., CloudFlare, Prolexic) sit in front of the real site, handle large traffic volumes, and only forward established or validated traffic. They absorb or filter attack traffic before it reaches the origin.
Defeated by connection floods (see next section), but then bot IPs are revealed — defenders can block or rate-limit them.
Advanced Attack Techniques
TCP Connection Flood
Bypasses SYN-flood proxies by completing the full TCP handshake, then repeatedly sending HTTP HEAD requests.
- Complete TCP handshake — full SYN/SYN-ACK/ACK. Proxy cannot block it.
- Send HTTP HEAD request — causes expensive server work (disk/DB) for minimal attacker cost.
- Repeat at scale — 20,000 bots overwhelm even protected servers.
Full TCP requires a real source IP. Bot locations are exposed, allowing the proxy to block or rate-limit them post-attack.
JavaScript-Based DDoS
Real case: GitHub DDoS (March 2015). Attacker compromises a popular server and injects malicious JS into innocent users' browsers:
function imgflood() {
var TARGET = "victim-website.com/index.php?";
var rand = Math.floor(Math.random() * 1000);
var pic = new Image();
pic.src = "http://" + TARGET + rand + "=val";
}
setInterval(imgflood, 10); // fire every 10ms
Flow: User visits compromised site → imageFlood.js injected → Script hammers target every 10ms → Millions of honest users = massive involuntary botnet.
DoS via BGP Route Hijacking
The BGP routing protocol can be exploited to redirect all traffic destined for a victim. If an AS announces a more-specific IP prefix, every router on the Internet updates — traffic flows to the attacker instead. BGP prefers more-specific routes: e.g., /24 is more specific than /22, so the more specific route wins.
Global YouTube Outage — 15 Minutes
- 10:30 AM: YouTube at 100%. IP 208.65.103.238, prefix 208.65.153.0/22. - ~10:33 AM: Pakistan Telecom (AS 17557) announces 208.65.153.0/24 — more specific. BGP prefers more-specific routes. - 10:45 AM: YouTube traffic drops to 0%. Global outage. - ~12:00 PM: Route corrected. Later: China Telecom similarly hijacked .mil and .gov traffic.
SSL/TLS Handshake Exploitation
In an SSL/TLS handshake, the client encrypts a shared secret using the server's public key (cheap). The server must RSA-decrypt it (10× more expensive). Attacker floods the server with handshake requests — overwhelming it with decryption while spending almost nothing.
Same principle at the application layer: a simple HTTP GET for a 1GB file costs the attacker almost nothing but exhausts server I/O.
DoS Mitigation Strategies
Client Puzzles
Force connecting clients to solve a moderately hard computational problem before the server does expensive work. Slows down bots while remaining tolerable for humans.
Find X such that: LSBn( SHA-1( C ‖ X ) ) = 0n
Checking the solution takes O(1) — server hashes once. Solving requires 2^n attempts. Difficulty n scales dynamically with attack volume.
Memory-Bound Puzzles — Better: CPU ratio (server vs phone): 8000×. Memory access time ratio: only 2×. Memory-bound functions are fairer across all device classes.
CAPTCHAs
Completely Automated Public Turing test to tell Computers and Humans Apart. Server verifies that requests come from humans, not bots. One CAPTCHA per source IP.
Flow: Attack detected → New IP → CAPTCHA presented → Only valid solution unlocks processing → Bots cannot solve → rate-limited.
Limitation: CAPTCHAs are not a universal DDoS solution. They are more useful for browser/app traffic and human-facing actions. Less useful for raw protocol floods, reflection attacks, and non-human traffic that does not involve a UI.
Ideal client puzzle properties: Stateless, scalable difficulty, easy to construct / hard to solve.
Ingress Filtering
ISPs configure routers to drop any packet whose source IP does not belong to the ISP's own address space. Example: Drop all packets with src outside 204.69.207.0/24.
Requires Global Cooperation
- If 10% of ISPs don't implement it — effectively no defense
- No financial incentive for individual ISPs to deploy it
This is not just a technical problem — it is a deployment and incentive problem
2014: 25% of ASes fully spoofable; 13% of announced IP space remains spoofable
- The 309 Gbps 2013 attack used only 3 non-filtering networks
Traceback
Given a stream of attack packets, reconstruct where they came from. Traceback [Savage et al. '00] has routers probabilistically mark packets with routing information — the victim collects many packets and statistically rebuilds the attack path.
Assumptions: Most routers uncompromised; attackers send many packets; route relatively stable; works for single or multiple attackers.
Why many packets? One packet rarely contains enough path information; many packets together allow the victim to reconstruct the full path.
Why not record full path? Path can be 30+ hops — no header space. Changing IP format requires global upgrades. Better: fixed-size field + probabilistic sampling.
Edge Sampling Algorithm
Each packet carries: start IP, end IP, distance. Each router flips a coin to overwrite or increment.
Walkthrough (R1 → R2 → R3):
- R1 tosses heads → Writes start=R1, end=—, d=0
- R2 tosses tails, d=0 → Writes end=R2, d=1
- R3 tosses tails, d>0 → Only increments d=2
Victim reads: edge R1→R2 at distance 2. Collecting many packets builds the full path graph.
Path reconstruction:
E(X) < ln(d) / p(1−p)d−1
Edge sampling identifies splits in the reverse path — multiple simultaneous attackers can all be traced.
Reflector Attack
A reflector attack uses legitimate, innocent servers as unwitting middlemen to flood the victim. The attacker spoofs the victim's IP as source — legitimate servers send their responses to the victim, flooding it without the attacker directly touching the victim.
Architecture: Master → Bots → (request with src=victim) → Reflectors (DNS, Web, Gnutella) → reply (dst=victim) → VICTIM flooded
Traceback traces attack packets only back to the reflectors. The reflectors don't mark packets or keep state, so the trail goes cold — bots and master remain hidden.
Reflector attack defenses: Filtering DNS close to the victim is too late — the flood has already arrived. Better approaches: server redundancy across networks and geographies; rate-limiting responses from name servers; distributing load so one location being hit does not take down the service.
Capability-Based Defense
Basic idea: Sender includes a receiver-granted "capability" token. Routers only forward (1) initial requests, and (2) packets with valid capability. Revoke capability → routers drop packets close to source.
Key papers: Anderson et al. "Preventing Internet DoS with Capabilities" SIGCOMM '04; Yaar et al. "SIFF" IEEE S&P '04; Yang et al. "A DoS-Limiting Network Architecture" SIGCOMM '05.
Summary & Key Takeaways
Attack Landscape
- Scanning: Random · Permutation · Signpost · Hitlist
- Amplification: NTP/DNS exploited for 50×+; 28M open resolvers
- Protocol Exploits: IP no source auth; TCP leaks state; BGP no prefix verification
- Higher-Level: SSL RSA imbalance; HTTP asymmetry; JS injection → browser botnet
Defense Toolbox
- SYN Cookies: Stateless TCP defense, minimal overhead
- Proxy Filtering: Forward only established TCP; bot IPs revealed by connection floods
- Client Puzzles & CAPTCHAs: Rate-limit with computational cost
- Traceback & Capabilities: Edge sampling; future: receiver-granted capabilities
The Internet was designed without security in mind. IP has no source authentication. BGP has no prefix ownership. TCP exposes stateful memory. The current Internet is fundamentally ill-equipped to handle DDoS. Commercial services provide partial relief, but real defense requires rethinking core protocols from first principles.
Quick Reference
| Concept | One-line meaning |
|---|---|
| DoS | Make a service unavailable |
| DDoS | DoS from many machines (botnet) |
| Spoofing | Fake source IP address |
| Amplification | Small request causes large effect |
| Reflection | Third party sends traffic to victim |
| SYN flood | Fill TCP half-open connection state |
| SYN cookies | Avoid storing state until client proves legitimacy |
| Ingress filtering | Drop packets with invalid source addresses |
| Traceback | Reconstruct path of attack packets |
Further Reading
- Savage et al. '00 — Probabilistic packet marking for IP traceback
- Paxson '01 — An Analysis of Using Reflectors for DDoS Attacks
- CloudFlare Blog — "The DDoS that Almost Broke the Internet" (March 2013, 309 Gbps)