DoS, DDoS, DRDoS - Types of Denial of Service (DoS) Attacks

💡 Short-answer practice problems for the Information Processing Engineer exam are at the end of this post. It is recommended to solve the problems multiple times.

Types of Denial of Service (DoS) Attacks

🚫 What is a DoS (Denial of Service) Attack?

A Denial of Service (DoS) attack is an attack that prevents legitimate users from accessing a service by overwhelming the system's resources. It is carried out by a single attacker sending a large volume of requests to a target server or exploiting a system's vulnerabilities to exhaust its resources.

For example, if an attacker sends numerous connection requests to a specific website, exceeding the server's processing capacity, other users will be unable to access the site. This is like one person blocking the entrance to a store 🚪, preventing other customers from entering.

🆚 Differences Between DoS and DDoS

While a DoS attack is conducted from a single system, a Distributed Denial of Service (DDoS) attack uses multiple, distributed systems to launch the assault.

The attacker controls numerous computers infected with malware (zombie PCs 🧟) and directs them to attack a specific target system simultaneously. This results in a much larger attack scale and makes it extremely difficult to trace the origin of the attack.

🔄 What is DRDoS (Distributed Reflection DoS)?

A Distributed Reflection Denial of Service (DRDoS) attack is a variation of DDoS that features attack amplification. Instead of directly attacking the target, the attacker uses third-party systems (reflectors) that provide legitimate services.

The attack process is as follows:

1. 1️⃣ IP Spoofing: The attacker sends requests to multiple reflector servers (e.g., DNS, NTP servers) with the source IP address forged to be the target's IP address.
2. 2️⃣ Request and Response: The reflector servers send their responses to the forged source IP, which is the actual target.
3. 3️⃣ Amplification: The attacker leverages services where the response size is significantly larger than the request size. For instance, a small DNS query can trigger a very large DNS record response, causing the target to receive traffic amplified by tens or hundreds of times. 💥

DRDoS is a highly threatening attack method because it allows the attacker to hide their own IP and achieve a large attack effect with minimal resources.

💥 Types of Major DoS Attacks

There are various DoS attack techniques, each disrupting a system in different ways.

DoS Attack Mnemonics 💡

🔄 LAND Attack

A LAND attack involves sending a packet where both the source and destination IP addresses are set to the target's IP. The system gets stuck in an infinite loop of responding to itself, exhausting its resources and causing it to crash.

👨‍👩‍👧‍👦 Smurf / Smurfing

A Smurf attack works by spoofing the source IP to the target's IP and then sending an ICMP Echo request to the broadcast address of a network. All devices on the network respond to the spoofed IP address—the target—overwhelming it with a massive amount of traffic. This can be considered a type of DRDoS.

Where does the name "Smurf" come from? 🍄

The name of this attack comes from the cartoon "The Smurfs."

• Small but numerous Smurfs: The many devices connected to the network (PCs, printers, etc.).
• Running towards a single target: All these devices simultaneously send responses to a single victim.

The name "Smurf Attack" was coined because the attack resembles numerous 'Smurfs' (devices) swarming a single 'Gargamel' (the victim). It's quite an intuitive name, isn't it? 😄

💧 Teardrop

Data is broken down into smaller pieces (fragments) for transmission over a network and then reassembled at the destination. A Teardrop attack exploits vulnerabilities in this process. The attacker intentionally sends fragments with overlapping offsets or missing pieces. The receiving system becomes overloaded or crashes while trying to reassemble the malformed fragments.

💀 Ping of Death

The Ping of Death is an attack that involves sending an ICMP packet that is larger than the maximum allowed size (65,535 bytes). Older operating systems were unable to handle such abnormally large packets, leading to system crashes. Most modern systems are patched against this vulnerability.

🚪 SYN Flooding

SYN Flooding exploits a vulnerability in the TCP three-way handshake. The attacker sends a large number of SYN (connection request) packets but never sends the final ACK packet to complete the handshake. The server allocates resources for each SYN request and waits for a response, entering a "SYN-RECEIVED" state. As numerous connections are left half-open, the server's connection table fills up, preventing it from accepting new, legitimate connections.

What is SYN? 🤔

SYN stands for 'Synchronize'.

In TCP communication, it's the initial greeting sent before any data is exchanged, like saying, "Hi! Shall we start communicating? Are you ready? 👋"

This signal contains a 'Sequence Number' that says, "My data will start with this number!" In essence, SYN not only initiates the communication but also plays a crucial role in synchronizing the starting numbers to ensure data is exchanged in the correct order.

🌊 UDP Flooding

Unlike TCP, UDP is a connectionless protocol without a handshake process. UDP Flooding exploits this by sending a large number of UDP packets to random ports on a target server. The server checks for an application at the specified port. If none is found, it sends back an ICMP "Destination Unreachable" message. This process, when repeated, exhausts the server's resources, making it unable to handle legitimate requests.

Exam Preparation Problems

Recommended Next Posts

• 🔒 Types of Network Attacks - 🚀 Includes Prep Questions for Engineer Exam
• 🔐 Types of Security Attacks
• Ultimate Guide to the Information Processing Engineer Practical Exam 📝