This chapter covers Denial of Service (DoS) and Distributed Denial of Service (DDoS) attack types, including their mechanisms, variants, and mitigation strategies. These topics are critical for the N10-009 exam, where DoS/DDoS is listed under Objective 4.2 (Summarize various types of attacks and their impact to the network). Expect approximately 5-7% of exam questions to test your ability to identify attack types, understand their impact, and select appropriate countermeasures. Mastery of this chapter will help you recognize attack patterns and apply foundational security principles.
A DoS attack is like customers flooding a restaurant with so many orders that the kitchen can't keep up, and legitimate customers never get served. A DDoS attack is like that restaurant being simultaneously targeted by hundreds of food delivery apps, each sending hundreds of orders from different addresses. The kitchen's phone lines (network links) are jammed, the cooks (servers) are overwhelmed, and the order printer (CPU) can't stop printing. The restaurant manager (firewall) tries to block suspicious orders, but the volume from so many different sources makes it impossible to distinguish fake orders from real ones. Eventually, the kitchen collapses—orders are lost, food burns, and customers leave. In networking, the attacker(s) send massive traffic to consume bandwidth, saturate server resources, or exploit protocol weaknesses, causing denial of service for legitimate users.
What Are DoS and DDoS Attacks?
Denial of Service (DoS) attacks aim to make a network resource unavailable to its intended users by overwhelming it with traffic or exploiting vulnerabilities. A Distributed Denial of Service (DDoS) attack amplifies this by using multiple compromised systems (a botnet) to launch the attack simultaneously, making detection and mitigation harder. The core goal is resource exhaustion—consuming bandwidth, CPU, memory, or connection state tables.
How DoS/DDoS Attacks Work
At the packet level, attackers send a flood of packets that look like ordinary traffic but are crafted to consume resources. For example, a SYN flood sends many TCP SYN packets, usually from spoofed source addresses, without completing the three-way handshake, exhausting the server's half-open connection table. The server allocates state for each SYN and retransmits the SYN-ACK several times before giving up, and when the table fills, new legitimate SYNs are dropped. In a UDP flood, the attacker sends large volumes of UDP packets to random ports; for each port with no listening application the server replies with ICMP Destination Unreachable (Port Unreachable), so the attack consumes inbound bandwidth, CPU spent on the lookups, and outbound bandwidth for the error replies.
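The following simulation is an added illustration (not code from the original page) of the half-open backlog described above, and of the SYN-cookie mitigation listed later in this chapter. It models a listener with a fixed backlog, replays a constructed trace (a spoofed SYN flood followed by one legitimate client), and shows that the legitimate client is dropped when the table is full but succeeds when the server answers statelessly with a cookie. The backlog size, timeout, secret, addresses, and the toy cookie construction are assumptions; a real kernel keys the cookie on a per-boot secret and also encodes the MSS in it.

```python
"""Half-open (SYN) backlog exhaustion, with and without SYN cookies.

Added illustration, not code from the original page. The backlog size,
timeout, secret and the packet trace below are constructed assumptions.
"""
import hashlib
from dataclasses import dataclass, field

SECRET = b"constructed-per-boot-secret"   # assumption: stands in for the kernel secret
PORT = 80
COOKIE_WINDOW = 64                        # seconds per cookie time bucket (assumption)


def syn_cookie(src: str, sport: int, bucket: int) -> int:
    """Toy SYN cookie: keyed hash of the connection tuple and a coarse time bucket,
    used as the ISN so the server can verify the client's ACK without stored state."""
    msg = f"{src}:{sport}->{PORT}@{bucket}".encode()
    return int.from_bytes(hashlib.blake2b(msg, key=SECRET, digest_size=4).digest(), "big")


@dataclass
class Listener:
    backlog: int                     # maximum half-open entries (tcp_max_syn_backlog)
    syncookies: bool = False         # net.ipv4.tcp_syncookies
    syn_timeout: int = 60            # seconds a half-open entry is kept (assumption)
    half_open: dict = field(default_factory=dict)   # (src, sport) -> (isn, arrival time)
    established: set = field(default_factory=set)
    dropped_syn: int = 0
    rejected_ack: int = 0

    def _expire(self, now: int) -> None:
        for key, (_, ts) in list(self.half_open.items()):
            if now - ts > self.syn_timeout:
                del self.half_open[key]

    def on_syn(self, src: str, sport: int, now: int):
        """Return the ISN sent in the SYN-ACK, or None if the SYN had to be dropped."""
        self._expire(now)
        isn = syn_cookie(src, sport, now // COOKIE_WINDOW)
        if self.syncookies:
            return isn                     # stateless: nothing allocated per SYN
        if len(self.half_open) >= self.backlog:
            self.dropped_syn += 1          # table full: legitimate SYNs die here too
            return None
        self.half_open[(src, sport)] = (isn, now)
        return isn

    def on_ack(self, src: str, sport: int, acked_isn: int, now: int) -> bool:
        """Third handshake packet; True if the connection becomes established."""
        if self.syncookies:
            bucket = now // COOKIE_WINDOW   # accept the current and previous bucket
            ok = acked_isn in (syn_cookie(src, sport, bucket), syn_cookie(src, sport, bucket - 1))
        else:
            entry = self.half_open.pop((src, sport), None)
            ok = entry is not None and entry[0] == acked_isn
        if ok:
            self.established.add((src, sport))
        else:
            self.rejected_ack += 1
        return ok


def simulate(backlog: int = 128, syncookies: bool = False, attack_syns: int = 300) -> dict:
    """Spoofed SYN flood followed by one legitimate client (constructed trace)."""
    srv = Listener(backlog=backlog, syncookies=syncookies)
    # Attacker: many SYNs from spoofed sources at t=0 that never complete the handshake.
    for i in range(attack_syns):
        srv.on_syn(f"198.51.100.{i % 250 + 1}", 40000 + i, now=0)
    # Legitimate client arrives a few seconds later and does complete the handshake.
    isn = srv.on_syn("203.0.113.7", 51000, now=5)
    legit_ok = isn is not None and srv.on_ack("203.0.113.7", 51000, isn, now=6)
    # A forged ACK with a guessed ISN must still fail, cookies or not.
    forged_ok = srv.on_ack("203.0.113.9", 51001, 0x12345678, now=6)
    return {
        "legit_established": legit_ok,
        "forged_accepted": forged_ok,
        "half_open": len(srv.half_open),
        "dropped_syn": srv.dropped_syn,
    }


if __name__ == "__main__":
    for cookies in (False, True):
        print(f"syncookies={cookies}:", simulate(syncookies=cookies))
```

With a backlog of 128 and 300 attack SYNs, the stateful listener drops 173 SYNs (172 attack SYNs plus the legitimate one) and the client never connects; with cookies enabled nothing is stored, the client connects, and the forged ACK is still rejected because it does not carry a valid cookie. Raising the backlog (e.g., `simulate(backlog=1000)`) only buys time against a larger flood, which is why the cookie approach is the durable fix.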
Key Components and Values
SYN flood: Default TCP backlog sizes are small and vary by OS and version (historically 128 on Linux via net.core.somaxconn and net.ipv4.tcp_max_syn_backlog, with modern kernels and memory-rich hosts defaulting higher; Windows Server versions are commonly cited around 200). Attackers send thousands of SYNs per second, far more than any fixed backlog can hold.
ICMP flood: Uses echo request packets (type 8) to overwhelm bandwidth. The echo reply (type 0) carries the same payload as the request, so a 64-byte ping triggers a 64-byte reply and there is no amplification; the attacker needs raw volume.
UDP flood: Targets random ports; the ICMP Port Unreachable replies add outbound load on top of the inbound flood, although most hosts rate-limit these replies (Linux net.ipv4.icmp_ratelimit), so the outbound share is usually well under a doubling.
Amplification factor: A single small NTP monlist request (~234 bytes) can trigger up to 100 response packets of ~482 bytes (~48 KB), an amplification factor in the hundreds (US-CERT cites ~556). DNS open-resolver amplification is typically ~28-54, higher for ANY queries on DNSSEC-signed zones.
Mirai botnet: Default password lists target IoT devices; peak traffic exceeded 1 Tbps.
Attack Types Detailed
Volume-based attacks: Saturate bandwidth. Examples: UDP floods, ICMP floods, amplification attacks (NTP, DNS, SSDP). Measured in bits per second (bps).
Protocol attacks: Exploit protocol weaknesses. Examples: SYN flood, Ping of Death, Smurf attack. Measured in packets per second (pps).
Application-layer attacks: Target specific applications (HTTP, DNS). Examples: HTTP GET/POST floods, Slowloris (slow HTTP headers). Measured in requests per second (rps).
Amplification Attacks
Attackers spoof the victim's IP address and send small queries to vulnerable servers (e.g., NTP servers with monlist enabled, DNS open resolvers). The servers respond with large replies to the victim, amplifying traffic. For example, a ~64-byte DNS query for the ANY type (with EDNS0 advertising a large UDP buffer) against a DNSSEC-signed zone can return a response of ~4000 bytes. The attacker uses a botnet to send many such queries, each magnified.
Reflection Attacks
Similar to amplification, but the attacker spoofs the victim's source IP in requests sent to reflectors (e.g., DNS servers, NTP servers). The reflectors send responses to the victim. Combined with amplification, this creates massive traffic. Common reflectors: DNS (port 53), NTP (port 123), SSDP (port 1900), Memcached (port 11211). Memcached amplification can reach factors of 10,000-50,000.
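The detection logic below is an added example, not code from the original page, covering both the amplification and reflection sections above. It runs over constructed NetFlow-style records and flags a host that receives responses from reflector ports (53, 123, 1900, 11211) without a matching outbound query in the same record set, which is the signature of a reflection attack from the victim's point of view (the spoofed requests never passed through the victim's network). It also computes the observed response/request byte ratio for the solicited exchanges, i.e. what a reflector would hand an attacker. The addresses, byte counts, port list and threshold are assumptions chosen for the demonstration, not tuned production values.

```python
"""Flag reflection/amplification traffic in flow records.

Added example, not from the original page. The flow records are constructed
NetFlow-style tuples; the reflector port list and the thresholds are assumptions
chosen for the demo, not tuned production values.
"""
from collections import defaultdict

REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 11211: "Memcached"}

# Constructed records: (src_ip, src_port, dst_ip, dst_port, proto, bytes, packets)
FLOWS = []
# 20 NTP servers "answering" monlist for a victim that never asked (spoofed source).
for i in range(1, 21):
    FLOWS.append((f"192.0.2.{i}", 123, "203.0.113.10", 33000 + i, "udp", 48200, 100))
# 5 exposed memcached servers doing the same, with far larger responses.
for i in range(101, 106):
    FLOWS.append((f"192.0.2.{i}", 11211, "203.0.113.10", 34000 + i, "udp", 1_400_000, 1000))
# A legitimate resolver exchange: the query leaves, the answer comes back.
FLOWS.append(("203.0.113.20", 55000, "192.0.2.53", 53, "udp", 64, 1))
FLOWS.append(("192.0.2.53", 53, "203.0.113.20", 55000, "udp", 3000, 1))
# Unrelated TCP traffic, ignored by the detector.
FLOWS.append(("203.0.113.20", 44000, "198.51.100.9", 443, "tcp", 12000, 40))


def detect_reflection(flows, min_reflectors=5):
    """Return {target: finding} for hosts receiving responses from reflector ports
    without a matching outbound query in the same flow set."""
    queried = defaultdict(set)          # client -> {(server, port)} it actually asked
    for src, sport, dst, dport, proto, nbytes, pkts in flows:
        if proto == "udp" and dport in REFLECTOR_PORTS:
            queried[src].add((dst, dport))

    per_target = defaultdict(
        lambda: {"unsolicited_bytes": 0, "reflectors": set(), "by_proto": defaultdict(int)}
    )
    for src, sport, dst, dport, proto, nbytes, pkts in flows:
        if proto != "udp" or sport not in REFLECTOR_PORTS:
            continue
        if (src, sport) in queried[dst]:
            continue                     # solicited reply, not reflection
        t = per_target[dst]
        t["unsolicited_bytes"] += nbytes
        t["reflectors"].add(src)
        t["by_proto"][REFLECTOR_PORTS[sport]] += nbytes

    findings = {}
    for target, t in per_target.items():
        if len(t["reflectors"]) >= min_reflectors:
            findings[target] = {
                "reflectors": len(t["reflectors"]),
                "unsolicited_bytes": t["unsolicited_bytes"],
                "by_proto": dict(t["by_proto"]),
            }
    return findings


def observed_amplification(flows):
    """Response/request byte ratio per protocol for solicited exchanges only.
    Returns {protocol: average factor}."""
    req = defaultdict(int)   # (client, cport, server, sport) -> request bytes
    for src, sport, dst, dport, proto, nbytes, pkts in flows:
        if proto == "udp" and dport in REFLECTOR_PORTS:
            req[(src, sport, dst, dport)] += nbytes
    factors = defaultdict(list)
    for src, sport, dst, dport, proto, nbytes, pkts in flows:
        key = (dst, dport, src, sport)   # the request that this reply answers
        if proto == "udp" and sport in REFLECTOR_PORTS and key in req:
            factors[REFLECTOR_PORTS[sport]].append(nbytes / req[key])
    return {p: round(sum(v) / len(v), 1) for p, v in factors.items()}


if __name__ == "__main__":
    for target, f in detect_reflection(FLOWS).items():
        print(f"{target}: {f['reflectors']} reflectors, {f['unsolicited_bytes']} bytes, {f['by_proto']}")
    print("observed amplification:", observed_amplification(FLOWS))
```

On the constructed records the victim 203.0.113.10 is flagged with 25 distinct reflectors and about 8 MB of unsolicited response traffic, most of it from the five memcached hosts, while 203.0.113.20 is not flagged because its DNS reply matches a query it sent; that one solicited exchange shows a ~47x DNS response ratio. In production the same logic would read exported flows rather than an inline list, and the "no matching query" test needs a window longer than the flow export interval so that slow replies are not misclassified.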
Botnet Structure
A botnet is a network of compromised computers (bots) controlled by a command-and-control (C&C) server. The attacker issues commands (e.g., start attack) to the C&C, which relays them to the bots. Bots execute attacks simultaneously. Some modern botnets use peer-to-peer (P2P) communication to avoid a single point of failure. Example: Mirai used centralized C&C servers, whereas the IoT botnet Hajime, which targeted the same class of devices, distributed its commands over a P2P network.
Mitigation Techniques
Ingress/egress filtering: Block packets with spoofed IP addresses at the network edge (BCP 38).
Rate limiting: Limit traffic rate per source IP or per port.
Access control lists (ACLs): Block specific protocols or ports (e.g., drop inbound UDP to port 11211 at the edge). For reflectors you operate, remove the capability itself: disable NTP monlist with "disable monitor" in ntp.conf (it was removed from ntpd 4.2.7p26 onward) and do not run open recursive DNS resolvers.
SYN cookies: Avoid allocating resources until handshake completes (Linux net.ipv4.tcp_syncookies=1).
DDoS scrubbing services: Cloud-based mitigation (e.g., Cloudflare, AWS Shield) that filters malicious traffic before it reaches the target.
Anycast networks: Distribute traffic across multiple data centers, absorbing attack volume.
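The following added example (not code from the original page) demonstrates the rate-limiting entry in the list above and the caveat this chapter repeats later: a per-source limiter is useful against a single noisy host but does nothing against a distributed flood, and it punishes many legitimate users sharing one NAT address. It implements a per-source token bucket, as an iptables hashlimit match or an nginx limit_req zone would keep state, and replays three constructed traffic traces. The limit (10 packets/s, burst 20), the addresses and the traces are assumptions chosen for the demonstration, not recommended settings.

```python
"""Per-source token-bucket rate limiting and the cases it does not cover.

Added example, not from the original page. The traffic traces are constructed and
the limit (10 packets/s, burst 20) is an illustrative assumption, not a recommended
setting. Time is in milliseconds and tokens in thousandths so the arithmetic is exact.
"""
from collections import Counter


class TokenBucket:
    def __init__(self, rate_pps: int, burst: int):
        self.rate = rate_pps              # tokens per second == millitokens per ms
        self.cap = burst * 1000
        self.mtokens = self.cap           # a new bucket starts full
        self.last_ms = 0

    def allow(self, now_ms: int) -> bool:
        self.mtokens = min(self.cap, self.mtokens + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if self.mtokens >= 1000:
            self.mtokens -= 1000
            return True
        return False


class PerSourceLimiter:
    """One bucket per source IP, the way iptables -m hashlimit or a per-client
    nginx limit_req zone keeps state."""
    def __init__(self, rate_pps: int, burst: int):
        self.rate, self.burst = rate_pps, burst
        self.buckets: dict[str, TokenBucket] = {}

    def allow(self, src: str, now_ms: int) -> bool:
        if src not in self.buckets:
            self.buckets[src] = TokenBucket(self.rate, self.burst)
        return self.buckets[src].allow(now_ms)


def run(packets, rate_pps=10, burst=20):
    """packets: iterable of (time_ms, src_ip) in time order. Returns (allowed, total)."""
    lim = PerSourceLimiter(rate_pps, burst)
    counts = Counter(lim.allow(src, t) for t, src in packets)
    return counts[True], counts[True] + counts[False]


# Constructed traces, each spanning roughly one second.
SINGLE_SOURCE_FLOOD = [(i, "198.51.100.1") for i in range(1000)]          # 1000 pps, one IP
DISTRIBUTED_FLOOD = sorted(                                                # 1000 IPs x 5 pps
    (i * 200, f"10.{n // 256}.{n % 256}.7") for n in range(1000) for i in range(5)
)
NAT_OFFICE = [(i * 20, "192.0.2.5") for i in range(50)]                    # 50 users, one NAT IP


def scenarios():
    return {
        "single_source_flood": run(SINGLE_SOURCE_FLOOD),
        "distributed_flood": run(DISTRIBUTED_FLOOD),
        "nat_office": run(NAT_OFFICE),
    }


if __name__ == "__main__":
    for name, (allowed, total) in scenarios().items():
        print(f"{name:22s} {allowed:5d}/{total} packets reach the server")
```

The single-source flood is cut from 1000 packets to 29, but the distributed flood of 5000 packets passes untouched because every one of the 1000 sources stays under its own limit, and the office behind one NAT address loses 21 of its 50 requests. That is why the chapter lists rate limiting as one layer alongside anti-spoofing, SYN cookies and scrubbing, and why thresholds must be sized from measured legitimate peaks, including shared-address clients, rather than guessed.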
Verification Commands
On Linux:
- netstat -nt | grep SYN_RECV | wc -l (or, on current distributions, ss -tan state syn-recv | wc -l) – count half-open connections; add grep :80 to restrict to one service.
- tcpdump -i eth0 'tcp[tcpflags] & (tcp-syn) != 0 and tcp[tcpflags] & (tcp-ack) == 0' – capture bare SYN packets (SYN set, ACK clear).
- iptables -A INPUT -p tcp --syn -m limit --limit 25/s --limit-burst 100 -j ACCEPT, followed by iptables -A INPUT -p tcp --syn -j DROP – rate limit SYNs. The ACCEPT rule by itself changes nothing; the DROP rule after it is what discards the excess, and the numbers must be sized to the real peak connection rate or legitimate clients are cut off.
On Cisco IOS:
- show interfaces GigabitEthernet0/0 | include rate – check the 5-minute input/output rates in bps and pps (show ip interface does not report rates).
- access-list 100 deny tcp any host 192.168.1.1 eq 80, applied inbound with ip access-group 100 in and followed by a permit – block traffic to the victim port. Note that this finishes the attacker's job for that service; it is a last resort to protect the rest of the network, typically applied upstream (for example via remotely triggered black hole routing).
- ip verify unicast source reachable-via rx (older syntax: ip verify unicast reverse-path) – enable unicast RPF on the interface for anti-spoofing.
Interaction with Related Technologies
Firewalls: Stateful firewalls track connections; SYN floods can exhaust state tables. Stateless firewalls pass all allowed traffic but cannot detect attack patterns.
IDS/IPS: Intrusion detection systems (e.g., Snort) can alert on attack signatures (e.g., high SYN rate). Intrusion prevention systems can drop malicious packets.
Load balancers: Distribute traffic across servers, but can become targets themselves. Application-level load balancers can inspect HTTP headers for attack patterns.
CDN: Content delivery networks cache content and absorb traffic; they can filter malicious requests at edge nodes.
Attacker reconnoiters target
The attacker identifies the target's IP address, services (ports), and potential vulnerabilities using scanning tools like Nmap. They may also identify reflectors (e.g., open DNS resolvers) for amplification. This scanning is low-volume compared with the attack itself and often goes unnoticed. The attacker determines the best attack vector, whether to flood bandwidth, exhaust connections, or target an application.
Attacker builds or rents botnet
The attacker compromises vulnerable devices (e.g., IoT cameras, routers) using default passwords or known exploits. Each compromised device becomes a bot. The botnet is controlled via a C&C server. For DDoS, the attacker may rent botnet time from services like 'stressers' or 'booters,' which charge for attack duration. Large botnets have comprised hundreds of thousands of devices, and some have grown larger still.
Attacker launches attack
The attacker sends a command to the C&C server specifying target IP, attack type, duration, and intensity. The C&C relays the command to all bots. Bots begin sending packets simultaneously, often with spoofed source IPs to hide the attacker's identity and complicate mitigation. The attack traffic converges on the target's network link.
Target's resources become exhausted
The target's bandwidth is saturated, causing packet loss for legitimate traffic. For protocol attacks, the server's connection table fills (e.g., TCP backlog), preventing new legitimate connections. For application attacks, the server's CPU/memory is consumed handling malicious requests. Monitoring tools show high interface utilization, dropped packets, and connection timeouts.
Legitimate users experience denial
End users cannot access the target service—web pages time out, DNS queries fail, or VoIP calls drop. The target may crash or become unresponsive. If the target is a critical service (e.g., bank, hospital), business operations halt. Attack may last minutes to days. Mitigation teams work to filter traffic or reroute through scrubbing centers.
In enterprise environments, DDoS attacks are a constant threat. Consider a large e-commerce platform hosting a flash sale. The network team expects high traffic but must distinguish legitimate users from attackers. They deploy a cloud-based DDoS mitigation service (e.g., Cloudflare) that uses anycast to distribute traffic across multiple data centers. During an attack, the scrubbing center analyzes traffic patterns (for example, a sudden spike in SYN packets from many IPs) and drops malicious packets while allowing legitimate traffic. The team monitors using NetFlow and SNMP to detect anomalies. A common misconfiguration is setting rate limits too low, blocking legitimate users during peak times.

Another scenario: a financial institution uses on-premises mitigation appliances (e.g., Arbor Networks) that inspect traffic at the perimeter. They configure thresholds, for example: if UDP traffic exceeds 1 Gbps, the appliance drops UDP packets to non-essential ports. However, if the attack uses application-layer HTTP floods, the appliance must inspect Layer 7, which is CPU-intensive, and during a real attack the appliance itself may become the bottleneck. The team must have a failover plan to route traffic to a cloud scrubbing center if on-premises capacity is exceeded.

Performance considerations: mitigation appliances must handle line-rate traffic (e.g., 40 Gbps) without introducing latency, and an on-premises device cannot help once the upstream link itself is saturated, because the excess is dropped before it reaches the appliance. In cloud environments, auto-scaling can absorb traffic, but scaling out in response to attack traffic turns a denial of service into an unbounded bill, so scaling limits and cost alarms belong in the mitigation plan.

Misconfigurations: failing to implement BCP 38 anti-spoofing filters allows attackers to use reflection. Not patching IoT devices or changing their default credentials leaves them vulnerable to botnet recruitment.

A real-world example: the October 2016 attack on the DNS provider Dyn used the Mirai botnet, built from tens of thousands of compromised IoT devices such as cameras and DVRs, to flood Dyn's DNS infrastructure, leaving major sites including Twitter and Netflix unreachable for many users. Dyn's analysis attributed the volume to direct floods from the bots plus retry traffic from legitimate recursive resolvers that kept re-querying; it was not an open-resolver amplification attack. Mitigation required traffic engineering and coordinated filtering with upstream providers.
The N10-009 exam tests your ability to identify DoS/DDoS attack types and their characteristics under Objective 4.2 (Summarize various types of attacks and their impact to the network). Key areas:
1. Differentiate between volume-based, protocol, and application-layer attacks. Common wrong answer: confusing a SYN flood (protocol) with a UDP flood (volume). Remember: a SYN flood exploits the TCP handshake; a UDP flood sends packets to random ports.
2. Recognize amplification and reflection attacks. Wrong answer: thinking amplification only occurs with DNS. Know that NTP, SSDP, and Memcached also amplify. The exam may ask: 'Which attack uses small queries to generate large responses?' Answer: amplification attack.
3. Identify botnet characteristics. Wrong answer: assuming botnets are only for DDoS. Botnets also send spam, mine cryptocurrency, and so on, but for DDoS they coordinate the attack.
4. Understand mitigation techniques. Wrong answer: choosing 'block all ICMP' as the only solution. Mitigation requires multiple layers: filtering, rate limiting, scrubbing.
5. Specific numbers: the default TCP backlog is small (historically 128 on Linux, higher on modern kernels). Amplification factors: NTP monlist up to several hundred, DNS roughly 30-50 (higher with DNSSEC), SSDP ~30, Memcached 10,000-50,000.
6. Edge cases: the exam may ask about 'Ping of Death' (fragmented ICMP packets that reassemble to more than the 65,535-byte IP maximum) or 'Smurf attack' (ICMP echo to a broadcast address with the victim's spoofed source). These are older but still tested.
7. Eliminate wrong answers: if the question mentions 'multiple sources,' it's DDoS, not DoS. If it mentions a spoofed source and third-party servers answering toward the victim, it's reflection or amplification (a SYN flood or Smurf attack also spoofs, so look at who sends the traffic to the victim). If it mentions 'Slowloris,' it's application-layer. Always match the attack to its layer.
DoS attacks aim to make a resource unavailable; DDoS uses multiple sources.
Three categories: volume-based, protocol, application-layer.
Amplification attacks use small queries to generate large responses (e.g., NTP, DNS).
Reflection attacks spoof victim IP to make reflectors send responses to victim.
SYN flood exploits TCP three-way handshake; mitigation includes SYN cookies.
Botnets are networks of compromised devices controlled via C&C.
Mitigation layers: ingress filtering, rate limiting, ACLs, scrubbing services.
Default TCP backlog is small (historically 128 on Linux, higher on modern kernels); a SYN flood fills it within seconds.
Amplification factor for NTP monlist can be several hundred (~550 is commonly cited); DNS ANY roughly 30-50, higher with DNSSEC; SSDP ~30; Memcached up to ~50,000.
Application-layer attacks target HTTP, DNS, etc.; example: Slowloris.
These come up on the exam all the time. Here's how to tell them apart.
Volume-based Attacks
- Saturates bandwidth; measured in bps
- Example: UDP flood, ICMP flood
- Uses high packet volume
- Mitigation: bandwidth scaling, scrubbing
- Can be amplified via reflection
Protocol Attacks
- Exhausts server resources; measured in pps
- Example: SYN flood, Ping of Death
- Exploits protocol weaknesses
- Mitigation: SYN cookies, connection limits
- Often uses spoofed IPs
Application-layer Attacks
- Exhausts application resources; measured in rps
- Example: HTTP GET/POST flood, Slowloris
- Looks like legitimate requests, so needs Layer 7 inspection
- Mitigation: request timeouts, per-client connection limits, reverse proxies/CDN
- Usually uses real (non-spoofed) IPs, since it needs completed TCP connections
Mistake
A DoS attack always comes from a single source.
Correct
DoS can be from a single source, but DDoS is from multiple sources. The exam expects you to distinguish based on the number of attacking systems, not just impact.
Mistake
SYN flood attacks only target web servers.
Correct
SYN floods can target any TCP service (e.g., SMTP, SSH). The attack exhausts the TCP connection table, not just HTTP. Any service with a limited backlog is vulnerable.
Mistake
Amplification attacks always use DNS.
Correct
While DNS is common, NTP, SSDP, Memcached, and SNMP can also be used. The exam may test multiple protocols. NTP monlist command is a classic example.
Mistake
A firewall can fully stop a DDoS attack.
Correct
Firewalls can filter some attacks but can be overwhelmed by traffic volume. Stateful firewalls can exhaust their own session tables under high connection rates and become the point of failure. Volumetric DDoS requires dedicated mitigation appliances or cloud services with more capacity than the attack.
Mistake
Rate limiting alone prevents DDoS.
Correct
Rate limiting can help but may block legitimate traffic during spikes. Attackers can bypass by using many sources. Rate limiting is one layer, not a complete solution.
DoS originates from a single source, while DDoS uses multiple compromised systems (botnet). DDoS is harder to mitigate because traffic comes from many IPs, making filtering challenging. The exam often asks which is more difficult to stop—DDoS is the correct answer.
The attacker sends many TCP SYN packets to a server without completing the handshake. The server allocates resources for each half-open connection until its backlog fills. New legitimate connections are rejected. Mitigation includes SYN cookies, which defer resource allocation until handshake completes.
An attacker sends small queries to a vulnerable server (e.g., open DNS resolver) with a spoofed source IP of the victim. The server sends a large response to the victim, amplifying traffic. Common protocols: DNS (factor roughly 30-50), NTP monlist (several hundred), Memcached (10,000+).
A botnet is a network of compromised devices (bots) controlled by a command-and-control server. The attacker commands bots to simultaneously send traffic to a target, overwhelming it. Botnets can be rented from 'stresser' services. Example: Mirai botnet infected IoT devices.
Implement ingress filtering (BCP 38) to block spoofed IPs, rate limit traffic, use ACLs to block unused protocols, deploy SYN cookies, and use cloud-based scrubbing services. For high-volume attacks, anycast networks distribute traffic. Regular patching prevents botnet recruitment.
An old attack that sends an ICMP packet as a series of fragments that reassemble to more than the 65,535-byte IP maximum, overflowing the reassembly buffer and crashing vulnerable systems. Modern systems are patched, but the exam may test it as a legacy attack. It is a protocol attack because it exploits a weakness in IP/ICMP handling rather than raw volume.
An application-layer DDoS attack that opens many HTTP connections to a server and sends partial HTTP headers slowly, keeping the connections open and exhausting the server's connection pool with very little bandwidth. It targets web servers and is mitigated by enforcing header/read timeouts (e.g., Apache mod_reqtimeout), limiting concurrent connections per client, or fronting the server with a reverse proxy or CDN that buffers complete requests before forwarding them.