Trending : Unpatched “VPN Bypass” Vulnerability in Apple iOS

Update is in progress

Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks are two of the most intimidating threats that modern enterprises face.

What Is DoS (Denial of Service)

The DoS (Denial of service) attack is one of the more powerful hacks, capable of completely taking a server down. In this way, the server will not be able to handle the requests of valid users. With a DOS attack, many computer systems connected to the internet will try to flood a server with false requests, leading to a service disruption. There are many ways in which an attacker can enact this attack on a server system over the network or the internet.

As mentioned earlier, A DoS attack is a denial of service attack where a computer (or computers) is used to flood a server with TCP and UDP packets. During this type of attack, the service is put out of action as the packets sent overload the server’s capabilities and make the server unavailable to other devices and users throughout the network. DoS attacks are used to shut down individual machines and networks so that they can’t be used by other users.

How DoS Attacks can be perfomed?

There are a number of different ways that DoS attacks can be performed. These include the following:

Method Description
Buffer overflow attacks This type of attack is the most common DOS attack experienced. Under this attack, the attacker overloads a network address with traffic so that it is put out of use.
Ping of Death or ICMP flood An ICMP (Internet Control Message Protocol) flood attack is used to take unconfigured or misconfigured network devices and uses them to send spoof packets to ping every computer within the network. This is also known as a ping of death (POD) attack.
SYN flood SYN flood attacks send requests to connect to a server but don’t complete the handshake. The end result is that the network becomes inundated with connection requests that prevent anyone from connecting to the network.
Teardrop Attack During a teardrop DOS attack, an attacker sends IP data packet fragments to a network. The network then attempts to recompile these fragments into their original packets. The process of compiling these fragments exhausts the system and it ends up crashing. It crashes because the fields are designed to confuse the system so that it can not put them back together.
DoS attacks are simple but effective and can bring about devastating damage to the companies or individuals they are aimed at. With one attack, an organization can be put out of action for days or even weeks.


A DDoS attack is one of the most common types of DoS attack in use today. During a DoS attack, multiple systems target a single system with a DoS attack. The targeted network is then bombarded with packets from multiple locations. By using multiple locations to attack the system the attacker can put the system offline more easily. The reason for this is that there is a larger number of machines at the attackers’ disposal and it becomes difficult for the victim to pinpoint the origin of the attack.

In addition, using a DDoS attack makes it more complicated to recover. Nine times out of ten the systems used to execute DDoS attacks have been compromised so that the attacker can launch attacks remotely through the use of slave computers. These slave computers are referred to as zombies or bots.

These bots form a network of devices called a botnet that is managed by the attacker through a command and control server. The command and control server allows the attacker or botmaster to coordinate attacks. Botnets can be made up of anywhere between a handful of bots to hundreds of different bots.

Common Forms of DDoS Attacks:

DDoS attacks are the more complex threat because they use a range of devices that increase the severity of attacks. Being attacked by one computer is not the same as being attacked by a botnet of one hundred devices!

DDoS attacks can come in various forms including:

Method Description
Ping of Death: During a Ping of Death (POD) attack the attacker sends multiple pings to one computer. POD attacks use manipulated packets to send packets to the network which have IP packets that are larger than the maximum packet length. These illegitimate packets are sent as fragments.

Once the victim’s network attempts to reassemble these packets network resources are used up, they are unavailable to legitimate packets. This grinds the network to a halt and takes it out of action completely.
UDP Floods: A UDP flood is a DDoS attack that floods the victim network with User Datagram Protocol (UDP) packets. The attack works by flooding ports on a remote host so that the host keeps looking for an application listening at the port. When the host discovers that there is no application it replies with a packet that says the destination wasn’t reachable. This consumes network resources and means that other devices can’t connect properly.
Ping Flood: Much like a UDP flood attack, a ping flood attack uses ICMP Echo Request or ping packets to derail a network’s service. The attacker sends these packets rapidly without waiting for a reply in an attempt to make the network unreachable through brute force. These attacks are particularly concerning because bandwidth is consumed both ways with attacked servers trying to reply with their own ICMP Echo Reply packets. The end result is a decline in speed across the entire network.
SYN Flood: SYN Flood attacks are another type of DoS attack where the attacker uses the TCP connection sequence to make the victim’s network unavailable. The attacker sends SYN requests to the victim’s network which then responds with a SYN-ACK response. The sender is then supposed to respond with an ACK response but instead the attacker doesn’t respond (or uses a spoofed IP address to send SYN requests instead). Every request that goes unanswered takes up network resources until no devices can make a connection.
Slowloris: Slowloris is a type of DDoS attack software that was originally developed by Robert Hansen or RSnake to take down web servers. A Slowloris attack occurs when the attacker sends partial HTTP requests with no intention of completing them. To keep the attack going, Slowloris periodically sends HTTP headers for each request to keep the network’s resources tied up. This continues until the server can’t make any more connections. This form of attack is used by attackers because it doesn’t require any bandwidth.
HTTP Flood: In a HTTP Flood attack the attacker users HTTP GET or POST requests to launch an assault on an individual web server or application. HTTP floods are a Layer 7 attack and don’t use malformed or spoofed packets. Attackers use this type of attacks because they require less bandwidth than other attacks to take the victim’s network out of operation.
Zero-Day Attacks: Zero-Day attacks are attacks that exploit vulnerabilities that have yet to be discovered. This is a blanket term for attacks that could be faced in the future. These types of attacks can be particularly devastating because the victim has no specific way to prepare for them before experiencing a live attack.

Types of DOS and DDOS Attacks

There are a number of approaches & broad categories that DOS attacks fall into for taking any system, website & networks offline. These are few types that are mentioned bellow:
ATTACK Name ATTACK Description
Volumetric Attacks: Volumetric attacks are classified as any form of attack where a network’s bandwidth resources are deliberately consumed by an attacker. Once network bandwidth has been consumed it is unavailable to legitimate devices and users within the network. Volumetric attacks occur when the attacker floods network devices with ICMP echo requests until there is no more bandwidth available.
Fragmentation Attacks: Fragmentation attacks are any kind of attack that forces a network to reassemble manipulated packets. During a fragmentation attack the attacker sends manipulated packets to a network so that once the network tries to reassemble them, they can’t be reassembled. This is because the packets have more packet header information than is permitted. The end result is packet headers which are too large to reassemble in bulk.
TCP-State Exhaustion Attacks: In a TCP-State Exhaustion attack the attacker targets a web server or firewall in an attempt to limit the number of connections that they can make. The idea behind this style of attack is to push the device to the limit of the number of concurrent connections.
Application Layer Attacks: Application layer or Layer 7 attacks are attacks that target applications or servers in an attempt to use up resources by creating as many processes and transactions possible. Application layer attacks are particularly difficult to detect and address because they don’t need many machines to launch an attack.

DoS VS DDoS Attacks:

A DoS attack is a denial of service attack where a computer (or computers) is used to flood a server with TCP and UDP packets. A DDoS attack is where multiple systems target a single system with a DoS attack. The targeted network is then bombarded with packets from multiple locations.

The key difference between DoS and DDoS attacks is that the DDoS uses multiple internet connections to put the victim’s network offline whereas the DoS uses a single connection. DDoS attacks are more difficult to detect because they are launched from multiple locations so that the victim can’t tell the origin of the attack. Another key difference is the volume of attack leveraged, as DDoS attacks allow the attacker to send massive volumes of traffic to the victim’s network.

It is important to note that DDoS attacks are executed differently to DoS attacks as well. DDoS attacks are executed through the use of botnets or networks of devices under the control of an attacker. In contrast, DoS attacks are generally launched through the use of a script or a DoS tool like Low Orbit Ion Cannon.

All DDoS = DoS but all DoS ! = DDoS.

Purpose of Performing DDoS & DDoS Attacks :

Whether it is a DoS or DDoS attack, there are many possible reasons why an attacker would want to put a system or network offline.

Let's have a look at some of the most common reasons why DoS attacks are used to attack business & enterprises. Most of common reasons include:

  • Ransom:
    Perhaps the most common reason for DDOS attacks is to extort a ransom. Once an attack has been completed successfully the attackers will then demand a ransom to halt the attack and get the network back online. It isn’t advised to pay these ransoms because there is no guarantee that the business will be restored to full operation.
  • Malicious Competitors:
    Malicious competitors looking to take a business out of operation are another possible reason for DDoS attacks to take place. By taking an enterprise’s network down a competitor can attempt to steal your customers away from you. This is thought to be particularly common within the online gambling community where competitors will try to put each other offline to gain a competitive advantage.
  • Hacktivism:
    In many cases the motivation for an attack won’t be financial but personal and political. It is not uncommon for hacktivist groups to put government and enterprise sites offline to mark their opposition. This can be for any reason that the attacker deems to be important but often occurs due to political motivations.
  • Causing Trouble:
    Many attackers simply like causing trouble for personal users and networks. It is no secret that cyber attackers find it amusing to put organizations offline. For many attackers, DDoS attacks offer a way to prank people. Many see these attacks as ‘victimless’ which is unfortunate given the amount of money that a successful attack can cost an organization.
  • Disgruntled Employees:
    Another common reason for cyber attacks is disgruntled employees or ex employees. If the person has a grievance against your organisation then a DDoS attack can be an effective way to get back at you. While the majority of employees handle grievances maturely there are still a minority who use these attacks to damage an organization they have personal issues with.

  • Some hackers try such attack with their own coded tools while others use previously available tools. One of such tools widely used for DDoS and DoS Attack is LOIC Tool.

    ARP spoofing

    Dos & DDos Attack Using LOIC

    ARP spoofing is used to link an attacker’s MAC to a legitimate network IP address so the attacker can receive data meant for the owner associated withthat IP address.
    ARP spoofing is commonly used to steal or modify data but can also be used in denial-of-service and man-in-the-middle attacks or in session hijacking.

    Prevent DoS and DDoS attacks

    Even though DOS attacks are a constant threat to modern bussiness & organizations, there are a number of different steps that one can take to stay protected against before and after DoS attack. Before implementing a protection strategy it is very much important to recognize that we won’t be able to prevent every DoS attack that comes our way. That being said, we will be able to minimize the damage of a successful attack that comes our way.

    Minimizing the damage of incoming DOS Attacks:

    It includes mainly three actions, which are as follow:
  • Preemptive Measures
    It includes network monitoring, are intended to help you identify attacks before they take your system offline and act as a barrier towards being attacked.
  • Test Run DOS Attacks
    It allows you to test your defenses against DoS attacks and refine your overall strategy.
  • Post-attack Response
    It will determine how much damage a DoS attack does and is a strategy to get your organization back up and running after a successful attack.

  • Preemptive Measures: Network Monitoring Monitoring your network traffic is one of the best preemptive steps you can take. Monitoring traffic will allow you to see the signs of an attack before the service goes down completely. By monitoring your traffic you’ll be able to take action the moment you see unusual traffic levels or an unrecognized IP address. This can be the difference between being taken offline or staying up.

    Before executing an all-out attack, most attackers will test your network with a few packets before launching the full attack. Monitoring your traffic will allow you to monitor for these small signs and detect them early so that you can keep your service online and avoid the costs of unexpected downtime.
    Test Run DoS Attacks: Unfortunately, you won’t be able to prevent every DoS attack that comes your way. However, you can make sure you’re prepared once an attack arrives. One of the most direct ways to do this is to simulate DDoS attacks against your own network. Simulating an attack allows you to test out your current prevention methods and helps to build up some real-time prevention strategies that can save lots of money if a real attack comes your way.
    Post-Attack Response: Create a Plan If an attack gets off the ground then you need to have a plan ready to run damage control. A clear plan can be the difference between an attack that is inconvenient and one that is devastating. As part of a plan, you want to designate roles to members of your team who will be responsible for responding once an attack happens. This includes designing procedures for customer support so that customers aren’t left high and dry while you’re dealing with technical concerns.

    Keep in touch for latest and recent articles regarding DoS & DDoS in CyberSpace..

    About Author :

    Sanjeev Singh
    Sanjeev Singh is Certified Cyber Security Specialist & Professional. Also, Founder of "CYBER4ALL Community".
    His area of interest are Red Teaming, Offensive Security, Digital forensics, Malware analysis & Security Assessments & Penetesting. He is active blogger and publisher of Cyber Security related articles on Cyber4All.
    LinkedIn Profile: Singhsanjeev617

    Warning :
    The articles and tutorials published on this site are performed under safe environments with all safety measures and supervision of Cyber Experts & Professionals. And it is only intend for educational purposes & to be aware about such activities. These contents should not be used for any illegal purposes.
    Always Remember,
    "Performing such things without taking concerns of respective owners of System & Resources is tottaly illegal and punishable under various IT Acts and Laws."