This chapter covers Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks, a critical topic for the SY0-701 exam under Objective 2.3: 'Given a scenario, analyze potential indicators associated with application attacks.' Understanding these attacks is essential because they can cripple any online service, from small websites to global infrastructure. We'll explore attack mechanisms, common variants, detection techniques, and mitigation strategies that you'll need to know for the Security+ exam and real-world incident response.
Imagine a popular restaurant that can serve 100 customers per hour. The kitchen has a limited number of chefs, stoves, and serving staff. Under normal conditions, customers arrive steadily, place orders, receive food, and leave. Now, an attacker (a rival restaurant owner) hires 1,000 people to walk into the restaurant, each asking for a glass of water and then leaving without ordering a meal. These fake customers occupy all the tables and keep the waitstaff busy fetching water, while genuine customers cannot get a seat and leave. This is a volumetric DDoS attack—the attacker overwhelms the restaurant's capacity with useless requests.
But the attacker can also use a more sophisticated method: instead of many people, they send a single customer who asks for a complicated dish that requires 30 minutes of chef time. While the chef prepares that dish, no other orders can be processed. This is a resource exhaustion attack (like a Slowloris attack) that ties up a critical resource with a single, slow request. The restaurant's defense would be to limit the number of water requests per person, set a maximum time to serve a table, or use a reservation system (rate limiting). The attacker might also spoof their identity by using fake names (IP spoofing) so the restaurant cannot block them easily.
What Are DoS and DDoS Attacks?
A Denial of Service (DoS) attack aims to make a computer or network resource unavailable to its intended users. The attacker overwhelms the target with a flood of traffic or exploits a vulnerability to crash the system. A Distributed Denial of Service (DDoS) attack is a DoS attack launched from multiple compromised systems (often part of a botnet) simultaneously, making it harder to stop because traffic comes from many sources.
How Do They Work Mechanically?
At the network level, a volumetric DDoS attack works by sending more traffic than the target's bandwidth or processing capacity can handle. For example, an attacker might send a flood of ICMP Echo Request (ping) packets to a target server. Each packet requires the server to respond with an ICMP Echo Reply, consuming CPU and bandwidth. If the attacker sends 10 Gbps of traffic but the server's link is only 1 Gbps, the link saturates, and legitimate packets are dropped.
At the application layer, an attacker might exploit a vulnerability like Slowloris (CVE-2007-1858). Slowloris opens many HTTP connections to a web server and sends partial HTTP requests, never completing them. The server keeps each connection open waiting for the rest of the request, eventually exhausting its connection pool. This attack uses very little bandwidth but can take down a server with a single machine.
Key Components and Variants
Volumetric Attacks: Flood the bandwidth. Examples: UDP flood, ICMP flood, DNS amplification (using open DNS resolvers to amplify traffic). In a DNS amplification attack, the attacker sends a small DNS query with a spoofed source IP (the victim's IP) to an open DNS resolver. The resolver sends a large response to the victim, amplifying traffic by a factor of 50-100.
Protocol Attacks: Exploit weaknesses in network protocols. Examples: SYN flood (sends many TCP SYN requests without completing the handshake), Smurf attack (ICMP echo request to broadcast address with spoofed source).
Application Layer Attacks: Target the application itself. Examples: HTTP flood (sends many legitimate-looking HTTP GET/POST requests), Slowloris, and attacks on SSL/TLS handshake.
How Attackers Exploit These
Attackers build botnets by infecting vulnerable devices (IoT cameras, routers, PCs) with malware. They then command the botnet to send traffic to the target. For amplification attacks, they scan for misconfigured services (e.g., open DNS resolvers, NTP servers with monlist enabled). The attacker spoofs the victim's IP as the source, so responses go to the victim. For example, an NTP amplification attack uses the monlist command (CVE-2013-5211) to send a list of up to 600 hosts in response to a small query, achieving amplification factors of up to 556.
Real Command/Tool Examples
Attackers might use tools like LOIC (Low Orbit Ion Cannon) for simple HTTP floods, or hping3 for crafted packet floods. For example, a SYN flood with hping3:
hping3 -S --flood -p 80 <target IP>
This sends a flood of SYN packets to port 80. Defenders can use netstat to see half-open connections:
netstat -n | grep :80 | grep SYN_RECV | wc -l
A large number of SYN_RECV connections indicates a SYN flood. For detection, intrusion detection systems (IDS) like Snort can have rules to detect such patterns. For example, a Snort rule for detecting a DNS amplification attack might look for DNS responses with a high ratio of response size to query size.
Mitigation Strategies
Rate Limiting: Limit the number of requests a single IP can make per second.
Traffic Filtering: Use Access Control Lists (ACLs) to block traffic from known malicious IPs or protocols.
Blackholing/Sinkholing: Divert attack traffic to a null interface or a sinkhole server.
Anycast Network: Distribute traffic across multiple data centers so that no single point is overwhelmed.
Web Application Firewall (WAF): Filter out malicious HTTP requests at the application layer.
Content Delivery Network (CDN): Absorb traffic by caching content at edge servers.
DDoS Protection Services: Services like Cloudflare or AWS Shield provide automated mitigation.
Detection Indicators
Unusual spike in traffic from a single IP or a range of IPs
High number of half-open TCP connections (SYN_RECV)
Unusually large DNS responses (for amplification attacks)
Server logs showing repeated requests for the same resource
Network interface counters showing high packet drops
Standards and RFCs
RFC 4732: Internet Denial-of-Service Considerations
RFC 4987: TCP SYN Flooding Attacks and Common Mitigations
RFC 2827 (BCP 38): Network Ingress Filtering (prevents IP spoofing)
Exam Relevance
For SY0-701, you need to distinguish between DoS and DDoS, understand common attack types (SYN flood, DNS amplification, Ping of Death, Smurf, Fraggle, Slowloris), and know mitigation techniques. Be able to read a scenario and identify the attack type based on indicators. For example, a large number of incomplete TCP handshakes suggests a SYN flood; a high volume of DNS responses from many sources suggests a DNS amplification DDoS.
Reconnaissance and Target Selection
The attacker identifies a target with a public-facing service (web server, DNS server, etc.). They may scan for open ports and services using tools like Nmap. For example, an attacker might scan for open DNS resolvers on port 53 to use in an amplification attack. Logs from the target might show unusual port scans from a single IP. The attacker also determines the target's bandwidth capacity to estimate the required attack volume.
Botnet Building or Amplifier Discovery
For a DDoS, the attacker compromises vulnerable devices (e.g., IoT devices with default passwords) and installs malware to create a botnet. Alternatively, they scan for misconfigured services like open DNS resolvers or NTP servers that can be used for amplification. The attacker may use Shodan to find such devices. The botnet or amplifiers are then organized and tested. A defender might see an increase in scans from known malicious IPs or unexpected traffic to uncommon ports.
Attack Launch and Traffic Generation
The attacker commands the botnet or sends spoofed queries to amplifiers to generate traffic toward the target. For a SYN flood, each bot sends thousands of SYN packets per second. For a DNS amplification, each bot sends a small query with the victim's spoofed IP to many open resolvers. The target's network interface shows a sudden spike in incoming packets. Tools like Wireshark or tcpdump can capture the flood. Example tcpdump filter: `tcpdump -i eth0 'tcp[tcpflags] & tcp-syn != 0 and not tcp[tcpflags] & tcp-ack != 0'` to capture SYN packets.
Target Resource Exhaustion
The target's resources (bandwidth, CPU, memory, connection table) become exhausted. For a SYN flood, the target's half-open connection queue fills up, preventing new legitimate connections. For a volumetric flood, the link saturates, dropping all packets. System logs may show errors like 'connection refused' or 'out of memory'. The server may become unresponsive. Monitoring tools like `top` or `vmstat` show high CPU usage. Network monitoring (e.g., MRTG) shows bandwidth at 100%.
Detection and Mitigation Response
The target's IT team detects the attack via alerts from IDS/IPS, network monitoring, or user complaints. They analyze traffic patterns to identify the attack type. For example, many SYN packets from random source IPs indicate a SYN flood. Mitigation steps include: enabling SYN cookies (if SYN flood), applying rate limiting, contacting ISP for blackholing, or activating DDoS protection service. Post-attack, the team reviews logs to identify the attack vector and implements preventive measures like ingress filtering (BCP 38).
Scenario 1: Small Business Web Server Under SYN Flood
A small e-commerce site suddenly becomes inaccessible. The network engineer checks the firewall and sees hundreds of thousands of TCP SYN packets from random IPs hitting port 443. The server's CPU is at 100% due to the half-open connection queue. Using netstat -an | grep :443 | grep SYN_RECV | wc -l, they see 10,000+ half-open connections. The correct response is to enable SYN cookies on the server (sysctl -w net.ipv4.tcp_syncookies=1) and configure the firewall to rate-limit SYN packets per IP. A common mistake is to block the IPs manually, which is futile since they are spoofed. The engineer should also contact the ISP to implement upstream filtering.
Scenario 2: Enterprise DNS Amplification Attack
A large company's DNS servers are overwhelmed by massive DNS responses. The security analyst sees a traffic spike from many external DNS servers (port 53) to the company's IP. Using Wireshark, they see DNS response packets with sizes > 1000 bytes for queries like 'ANY isc.org'. The source IPs are legitimate open resolvers, but the queries have the company's IP as the source (spoofed). The correct response is to block all incoming DNS traffic from external sources at the firewall (since the company's DNS servers are only for internal use) and implement BCP 38 ingress filtering at the ISP. A common mistake is to block the resolver IPs individually, which doesn't stop the attack because the attackers can use different resolvers.
Scenario 3: Application Layer Slowloris Attack
A web application becomes slow and eventually times out. The web server logs show many connections from a single IP with partial HTTP requests (e.g., 'GET / HTTP/1.1\r\nHost: example.com\r\n' without the final \r\n that ends the headers). The connection count in Apache's server-status shows many connections in 'W' (waiting) state. The correct response is to configure the web server to limit the maximum number of connections per IP and set a short timeout for incomplete requests. For Apache, use mod_reqtimeout and mod_qos. A common mistake is to increase the maximum connections, which only makes the attack worse. The attacker can be blocked by adding the IP to the firewall, but if the IP is spoofed, this won't help; however, Slowloris typically uses real IPs because it needs a TCP connection.
Exactly What SY0-701 Tests on This Objective
Objective 2.3 requires you to 'analyze potential indicators associated with application attacks.' For DoS/DDoS, you must recognize indicators such as: unusual network traffic spikes, high number of half-open connections, large DNS responses, and server resource exhaustion. You need to differentiate between attack types: SYN flood, DNS amplification, Ping of Death, Smurf, Fraggle, Slowloris, and HTTP flood. Know mitigation techniques: rate limiting, filtering, blackholing, anycast, CDN, WAF, and DDoS protection services.
Common Wrong Answers and Why
'Block the attacker's IP address' – Candidates choose this because it seems logical. However, in DDoS, IPs are often spoofed or come from many sources, so blocking a single IP is ineffective. The correct approach is to use rate limiting or upstream filtering.
'Increase server bandwidth' – This might help for small attacks but is expensive and doesn't stop the attack. Attackers can simply increase their traffic. The correct answer is to filter malicious traffic.
'Use a firewall to block ICMP' – While this helps against ICMP floods, it doesn't protect against SYN floods or DNS amplification. Candidates often pick this because they remember ICMP floods, but the scenario may describe a different attack type.
'Enable SYN cookies' – This is correct for SYN floods, but candidates might apply it to all attacks. For application layer attacks like Slowloris, SYN cookies don't help; you need connection limits.
Specific Terms and Acronyms on the Exam
SYN flood: Attack that sends many TCP SYN packets without completing the handshake.
DNS amplification: Uses open DNS resolvers to amplify traffic.
Ping of Death: Sends oversized ICMP packets to crash a system (CVE-1999-0128).
Smurf attack: Sends ICMP echo requests to a broadcast address with spoofed source IP.
Fraggle attack: Similar to Smurf but uses UDP echo packets.
Slowloris: Holds connections open by sending partial HTTP requests.
BCP 38: Best current practice for ingress filtering to prevent IP spoofing.
Anycast: Routing method that directs traffic to the nearest server in a group.
Blackholing: Diverting attack traffic to a null interface.
Sinkholing: Redirecting traffic to a server that analyzes it.
Common Trick Questions
Question: 'A server is overwhelmed by incomplete TCP connections. What is the attack?' Answer: SYN flood. Trick: They might describe it as 'TCP handshake attack' but the correct term is SYN flood.
Question: 'A DNS server receives many small queries but sends large responses to a victim.' Answer: DNS amplification. Trick: Candidates might confuse this with DNS cache poisoning.
Question: 'An attacker uses a single machine to send partial HTTP requests.' Answer: Slowloris. Trick: They might think it's a DDoS because of the word 'distributed,' but Slowloris can be done from one machine.
Decision Rule for Scenario Questions
Identify the attack type by the indicator: (1) Many half-open TCP connections = SYN flood. (2) Large DNS responses from many sources = DNS amplification. (3) Single source with many incomplete HTTP requests = Slowloris. (4) High bandwidth usage from ICMP or UDP = volumetric flood. Then select the mitigation that matches: SYN cookies for SYN flood, block external DNS for amplification, limit connections per IP for Slowloris, rate limiting for floods.
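The decision rule above, together with the Detection Indicators section, turned into runnable detection logic as an added example (not code from this chapter): it scans constructed packet records for each indicator and pairs every finding with the mitigation the rule names. The field names, thresholds and sample addresses are assumptions made for the demo.

```python
from collections import Counter

# Constructed thresholds for the demo; tune them to the monitored link in practice.
SYN_MIN = 500             # SYN-only packets in the capture window
BIG_DNS = 1000            # bytes: a DNS response this large is an amplification indicator
DNS_SRC_MIN = 20          # distinct resolvers sending such responses
SLOW_MIN = 50             # incomplete HTTP requests from one source
FLOOD_BYTES = 50_000_000  # ICMP/UDP bytes in the window

# Mitigation matching each attack type, as the decision rule pairs them.
MITIGATION = {
    "SYN flood": "enable SYN cookies and rate-limit SYNs per source",
    "DNS amplification": "block external DNS at the firewall; BCP 38 filtering at the ISP",
    "Slowloris": "limit connections per IP and time out incomplete requests",
    "volumetric flood": "rate limiting; ask the ISP to blackhole upstream",
}

def classify(packets):
    """Return [(attack_type, mitigation), ...] for the indicators found.
    Each packet is a dict: proto, src, sport, dport, len, optional tcp
    flags string and http_complete (False = partial request observed)."""
    syn_count, dns_srcs, half_http, flood_bytes = 0, set(), Counter(), 0
    for p in packets:
        proto, flags = p["proto"], p.get("flags", "")
        if proto == "tcp" and "S" in flags and "A" not in flags:
            syn_count += 1                       # half-open attempt (SYN, no ACK)
        elif proto == "udp" and p["sport"] == 53 and p["len"] >= BIG_DNS:
            dns_srcs.add(p["src"])               # oversized response from a resolver
        elif proto in ("udp", "icmp"):
            flood_bytes += p["len"]              # raw bandwidth consumption
        if proto == "tcp" and p.get("http_complete") is False:
            half_http[p["src"]] += 1             # request never finished
    findings = []
    if syn_count >= SYN_MIN:
        findings.append("SYN flood")
    if len(dns_srcs) >= DNS_SRC_MIN:
        findings.append("DNS amplification")
    if half_http and half_http.most_common(1)[0][1] >= SLOW_MIN:
        findings.append("Slowloris")
    if flood_bytes >= FLOOD_BYTES:
        findings.append("volumetric flood")
    return [(a, MITIGATION[a]) for a in findings]

def sample(kind):
    """Constructed packet records for each scenario in this chapter."""
    if kind == "syn":    # spoofed random sources, SYN only, port 443
        return [{"proto": "tcp", "src": f"198.51.100.{i % 254 + 1}", "sport": 1024 + i,
                 "dport": 443, "len": 60, "flags": "S"} for i in range(2000)]
    if kind == "dns":    # large responses from many open resolvers (sport 53)
        return [{"proto": "udp", "src": f"192.0.2.{i}", "sport": 53, "dport": 40000,
                 "len": 3000} for i in range(1, 60)]
    if kind == "slow":   # one real source holding many incomplete HTTP requests
        return [{"proto": "tcp", "src": "203.0.113.7", "sport": 30000 + i, "dport": 80,
                 "len": 90, "flags": "PA", "http_complete": False} for i in range(300)]
    if kind == "icmp":   # ICMP echo flood saturating the link
        return [{"proto": "icmp", "src": f"203.0.113.{i % 254 + 1}", "sport": 0,
                 "dport": 0, "len": 1400} for i in range(40000)]
    return [{"proto": "tcp", "src": "203.0.113.9", "sport": 50000, "dport": 443,
             "len": 600, "flags": "PA", "http_complete": True}]   # normal traffic
```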
A DoS attack originates from a single source; a DDoS attack originates from multiple sources (distributed).
SYN flood attacks are mitigated by enabling SYN cookies (sysctl -w net.ipv4.tcp_syncookies=1).
DNS amplification attacks use open DNS resolvers and can amplify traffic by a factor of 50-100.
BCP 38 (RFC 2827) recommends ingress filtering to prevent IP spoofing, a common technique in DDoS.
Slowloris is an application-layer attack that holds connections open by sending partial HTTP requests.
The Smurf attack sends ICMP echo requests to a broadcast address with a spoofed source IP.
Anycast routing distributes traffic across multiple data centers to absorb DDoS traffic.
Blackholing diverts all traffic to a null interface, dropping both malicious and legitimate traffic.
These come up on the exam all the time. Here's how to tell them apart.
DoS Attack
Single source of attack traffic
Easier to block by blacklisting the source IP
Less bandwidth capacity, typically smaller impact
Often uses a single exploit or vulnerability
Examples: Ping of Death, Slowloris (single machine)
DDoS Attack
Multiple sources (botnet or amplifiers)
Harder to block due to distributed nature and IP spoofing
Can generate massive traffic (hundreds of Gbps)
Often uses many compromised devices or amplification
Examples: DNS amplification, SYN flood from botnet
Volumetric Attack
Goal: Saturate bandwidth
Uses simple floods (UDP, ICMP, TCP)
Easy to detect by high traffic volume
Mitigated by rate limiting and blackholing
Example: UDP flood
Application Layer Attack
Goal: Exhaust server resources (CPU, memory)
Uses legitimate-looking requests (HTTP, DNS)
Harder to detect because traffic appears normal
Mitigated by WAF, connection limits, and request throttling
Example: Slowloris, HTTP flood
Mistake
A DoS attack always comes from a single source.
Correct
A DoS can come from a single source, but a DDoS comes from multiple sources. The exam distinguishes between the two: DoS is one-to-one, DDoS is many-to-one. Many candidates use the terms interchangeably, but the exam expects precise terminology.
Mistake
Blocking the source IP address stops a DDoS attack.
Correct
In a DDoS, source IPs are often spoofed or come from a large botnet. Blocking individual IPs is ineffective. The correct approach is to use rate limiting, blackholing, or upstream filtering.
Mistake
SYN cookies prevent all types of DoS attacks.
Correct
SYN cookies only prevent SYN flood attacks by eliminating the half-open connection queue. They do not help against volumetric floods, DNS amplification, or application layer attacks like Slowloris.
Mistake
DDoS attacks always require a botnet.
Correct
While many DDoS attacks use botnets, amplification attacks (e.g., DNS amplification) can be executed using a small number of open resolvers, without needing a large botnet. The attacker sends spoofed queries to these resolvers, which then flood the victim.
Mistake
A Ping of Death attack is still a common threat today.
Correct
The Ping of Death (sending oversized ICMP packets) was patched in most systems by the late 1990s. Modern systems are not vulnerable, but the exam includes it for historical context. The exam focuses more on modern attacks like SYN flood and DNS amplification.
A DoS (Denial of Service) attack comes from a single source, while a DDoS (Distributed Denial of Service) attack comes from multiple sources, often a botnet. On the SY0-701 exam, you must distinguish between them. For example, a scenario with many different IPs sending traffic indicates a DDoS; a single IP indicates a DoS. Mitigation differs: blocking a single IP works for DoS but not for DDoS.
A SYN flood exploits the TCP three-way handshake. The attacker sends many TCP SYN requests to the target but never completes the handshake by sending the final ACK. The target allocates resources for each half-open connection, filling its connection queue. This prevents legitimate clients from connecting. Mitigation includes SYN cookies, which encode connection state in the SYN-ACK response, eliminating the need for a queue. On the exam, look for indicators like high number of SYN_RECV connections.
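To make the SYN cookie mechanism concrete, here is an added, simplified Python model (not code from this chapter or from any operating system kernel): the server packs a time counter, an MSS index and a keyed hash of the connection 4-tuple into the SYN-ACK sequence number, stores nothing, and rebuilds the state only when a client's final ACK carries a valid cookie. The secret, the MSS table and the bit layout are assumptions made for the demo.

```python
import hashlib
import hmac
import socket
import struct

# Constructed secret for the demo; a real kernel keeps it private and rotates it.
SECRET = b"constructed-demo-secret"
# Four MSS values selectable by the 2-bit index stored in the cookie; the whole
# connection state has to fit into the 32-bit sequence number.
MSS_TABLE = (536, 1300, 1440, 1460)

def _counter(now):
    """5-bit time counter with 64-second granularity; bounds a cookie's lifetime."""
    return (now // 64) & 0x1F

def _mac(saddr, daddr, sport, dport, counter):
    """Keyed hash over the 4-tuple and counter, truncated to 25 bits."""
    msg = struct.pack("!4s4sHHI", socket.inet_aton(saddr), socket.inet_aton(daddr),
                      sport, dport, counter)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & 0x01FFFFFF

def make_cookie(saddr, daddr, sport, dport, mss, now):
    """Sequence number to place in the SYN-ACK. Layout, MSB to LSB:
    5-bit time counter | 2-bit MSS index | 25-bit MAC. No queue entry is kept,
    so a flood of spoofed SYNs costs one hash each and no memory."""
    t = _counter(now)
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return ((t << 27) | (mss_idx << 25) | _mac(saddr, daddr, sport, dport, t)) & 0xFFFFFFFF

def check_cookie(saddr, daddr, sport, dport, ack, now):
    """Validate the final ACK of the handshake (ack == cookie + 1).
    Returns the MSS to use for the new connection, or None if the cookie is
    forged, was issued for another 4-tuple, or is older than one counter step."""
    cookie = (ack - 1) & 0xFFFFFFFF
    t = cookie >> 27
    mss_idx = (cookie >> 25) & 0x3
    if (_counter(now) - t) & 0x1F > 1:       # expired (or from the future)
        return None
    if (cookie & 0x01FFFFFF) != _mac(saddr, daddr, sport, dport, t):
        return None                           # MAC mismatch: not our cookie
    return MSS_TABLE[mss_idx]
```

A spoofed SYN flood never produces a valid final ACK, so with cookies enabled it creates no half-open entries; only clients that really completed the handshake reach check_cookie successfully.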
A DNS amplification attack is a type of DDoS that uses open DNS resolvers to amplify traffic. The attacker sends a small DNS query (e.g., ANY record) with the victim's spoofed IP as the source. The resolver sends a large response (up to 50x larger) to the victim. This allows an attacker to send a small amount of traffic but cause a large flood to the victim. Mitigation includes closing open resolvers and implementing response rate limiting.
The Ping of Death is an old DoS attack that sends an ICMP Echo Request packet larger than the maximum IP packet size (65535 bytes). Older systems would crash or reboot when handling such packets. Modern systems are patched against this attack. The exam may include it as a historical example. The key takeaway: it exploits packet fragmentation and reassembly vulnerabilities.
Slowloris attacks are detected by monitoring web server logs for many connections from a single IP with incomplete HTTP requests. The server status page (e.g., Apache's server-status) shows many connections in 'W' (waiting for request) state. Tools like `netstat` show many connections in ESTABLISHED state but with no data transfer. Mitigation includes setting a low timeout for incomplete requests and limiting connections per IP.
A Content Delivery Network (CDN) distributes website content across multiple edge servers worldwide. During a DDoS attack, the CDN absorbs the traffic by caching content and serving it from edge nodes, preventing the origin server from being overwhelmed. The CDN can also filter malicious traffic. For the exam, know that CDNs are a key mitigation technique for application-layer and volumetric DDoS attacks.
BCP 38 (Best Current Practice 38) recommends that network providers implement ingress filtering to drop packets with source IP addresses that do not belong to the network. This prevents IP spoofing, which is commonly used in DDoS attacks to hide the true source. By filtering spoofed traffic at the edge, ISPs can reduce the effectiveness of amplification attacks. The exam expects you to know that BCP 38 helps mitigate DDoS by preventing spoofing.