How Denial-of-Service Attacks work

This tutorial explains Denial-of-Service Attacks. Learn what a Denial-of-Service Attack is, the types of DoS attack, and how DoS attacks work.

Services have their limits. A service cannot serve an unlimited number of clients at the same time; it can only serve up to its capacity. If, at a given moment, more clients arrive than the service can handle, the clients who arrive after the limit is reached are not served. A DoS attack works on this basic principle: it blocks a service from serving genuine clients. In a DoS attack, a hacker creates more fake clients than the service can handle and sends them to the service. The service becomes so busy serving or replying to the fake clients that it has no capacity left for genuine clients, who keep waiting for their turn.

Let us take an example to understand how Denial-of-Service attacks work.

On a TCP/IP network, applications use TCP to transmit data. TCP transmits data only over an established connection. To establish a connection between two communicating nodes, TCP uses the three-way handshake process. In the three-way handshake, a node sends a SYN segment to another node. The SYN segment indicates that the node wants to open a new connection for data transmission.

The other node accepts the new connection request, assigns a unique ID to the connection, and replies to the first node that its request has been accepted. To reply, the other node uses a SYN/ACK segment. This segment contains all the information that the first node needs to establish the new connection.

When the first node receives this segment from the other node, it sends an ACK segment back. This ACK confirms that the first node has received the required information and is ready to use the new connection. When the other node receives the ACK, the three-way handshake is complete and the connection enters the established state. Once a connection is established, the nodes can exchange data.

The following image shows the typical workflow of the TCP handshake process.

SYN flood attack

Now, suppose a hacker wants to abuse TCP. The hacker creates thousands of SYN requests using the IP address spoofing technique and sends them to the server. In IP address spoofing, a hacker puts a fake IP address in the source address field of the IP packet. To learn how IP address spoofing works, you can check the following tutorial.

How IP Address Spoofing or Masquerading Works

For every request, the server creates a new entry, assigns a unique ID, replies with a SYN/ACK segment, and waits for the ACK that would establish the connection. TCP waits for this response until the wait time (the timeout) expires. If no response arrives before the timeout expires, it terminates the half-open connection.

Since the hacker used a spoofed address in the source address field, the server never gets a response to its SYN/ACK. The server has no choice but to wait until the timeout expires. Meanwhile, because the server's table of pending connections is filled with the fake half-open SYN connections, TCP cannot accept new connections from genuine users.
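To make the handshake and the flood concrete, here is an added simulation, written for this page and not code from the original tutorial, of a listener's queue of half-open connections. The backlog size, the timeout, the arrival rates and the client names are assumed values chosen for the example. It shows that spoofed SYNs, which are never acknowledged, occupy the backlog until the timeout expires and that genuine clients are then turned away, while enabling SYN cookies (where the server encodes the half-open state in its SYN/ACK sequence number instead of storing an entry) or shortening the timeout lets genuine clients through.

```python
"""Simulation of a TCP listener's half-open connection queue during a SYN flood.

Added illustration, not code from the original tutorial. The listener is
modelled as a bounded backlog of half-open entries (SYN received, ACK not yet
received), each expiring after a timeout. All sizes, rates and names below are
constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass
class Listener:
    backlog: int                 # maximum number of half-open entries (SYN queue size)
    timeout: float               # seconds a half-open entry is kept before being dropped
    syn_cookies: bool = False    # mitigation: keep no per-SYN state at all
    half_open: dict = field(default_factory=dict)   # client id -> expiry time
    established: int = 0
    dropped: int = 0

    def _expire(self, now):
        """Drop half-open entries whose timeout has passed."""
        for key in [k for k, exp in self.half_open.items() if exp <= now]:
            del self.half_open[key]

    def on_syn(self, src, now):
        """Server side of step 1: a SYN arrives; reply SYN/ACK and remember state."""
        self._expire(now)
        if self.syn_cookies:
            # With SYN cookies the handshake state travels inside the server's
            # initial sequence number, so nothing is stored and nothing can fill up.
            return True
        if len(self.half_open) >= self.backlog:
            self.dropped += 1        # backlog full: this SYN is silently discarded
            return False
        self.half_open[src] = now + self.timeout
        return True

    def on_ack(self, src, now):
        """Step 3: the client's ACK completes the handshake."""
        self._expire(now)
        if self.syn_cookies or src in self.half_open:
            self.half_open.pop(src, None)
            self.established += 1
            return True
        return False


def run_scenario(syn_cookies=False, backlog=128, timeout=60.0, flood_rate=1000):
    """Spoofed SYNs arrive at flood_rate per second for two seconds; then ten
    genuine clients try to connect during the third second.
    Returns (established connections, dropped SYNs)."""
    srv = Listener(backlog=backlog, timeout=timeout, syn_cookies=syn_cookies)
    # Spoofed sources never answer the SYN/ACK, so their entries sit in the
    # backlog until the timeout expires.
    for i in range(2 * flood_rate):
        srv.on_syn(("spoofed", i), now=i / flood_rate)
    for j in range(10):
        src = ("genuine", j)
        t = 2.0 + j * 0.01
        if srv.on_syn(src, t):
            srv.on_ack(src, t + 0.05)   # a genuine client answers the SYN/ACK promptly
    return srv.established, srv.dropped


if __name__ == "__main__":
    print("default backlog, 60 s timeout:", run_scenario())
    print("same, with SYN cookies:      ", run_scenario(syn_cookies=True))
    print("same, with 1 s timeout:      ", run_scenario(timeout=1.0))
```

With the default settings every genuine client is dropped because the 128 backlog slots are held by spoofed entries for the full 60-second timeout; with SYN cookies, or with a timeout short enough that the spoofed entries age out, all ten genuine clients complete the handshake.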

The following image shows how a DoS attack works on TCP connections.

DoS attack example

Distributed denial-of-service

Distributed denial-of-service (DDoS) is the extended version of DoS. In this technique, instead of using a single system, a hacker uses many systems to launch a denial-of-service attack against a single target host. To do this, the hacker first sets up a master computer somewhere on the Internet.

Later, the hacker creates malware, a virus, or a script and hides it in pirated software, then shares the pirated software on the Internet. When a user downloads and installs the pirated software, the user's computer silently becomes a bot. A bot is a system that silently waits for a command from the master computer. It otherwise operates normally, so the user does not notice any change in the system.

When the hacker wants to launch an attack, they send a command from the master computer to every bot, ordering it to launch a DoS attack against the target host. Since the attack is distributed across a large number of bots, it is called a distributed denial-of-service attack.

Types of DoS attacks

A hacker can perform many types of DoS attacks. The following are some of the most common types of attacks.

ICMP ping attack

ICMP is used to debug and troubleshoot a network. It includes several tools for testing and debugging. The ping command is based on ICMP. It allows an administrator to test connectivity between devices. Since all devices support ping, a hacker can use it to launch a DoS attack: the hacker sends thousands of ping requests per millisecond to the server. The server becomes so busy dealing with ping requests that it has no time to respond to other requests. This attack is also known as "The ping of Death".

ICMP overwhelm attack

In this attack, a hacker modifies the IP header of a packet so that the target server believes the packet contains more data than it really does. To overwhelm and crash the server, the hacker sends millions of such modified packets to the server.

Chargen attack

In this attack, a hacker sends a massive number of UDP packets into the network. Usually, this attack is performed to create heavy congestion on the network or to consume all of its available bandwidth.

SYN flood attack

In this attack, a hacker sends a large number of SYN requests to open more TCP connections than the server can hold. We discussed an example of a SYN flood earlier in this tutorial.

Packet fragmentation and reassembly attack

A network interface can automatically fragment a packet and reassemble its fragments. This feature makes a network very efficient. To abuse it, a hacker can create fragments that can never be reassembled.

Email attack

In this attack, a hacker uses a bot or a script to send a huge number of emails to a target user, consuming all the available space in the user's inbox.
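As a defender's counterpart to the attack types above, here is an added example, not from the original tutorial, of the simplest detection logic for the SYN flood, ICMP ping flood and UDP (chargen-style) flood described in this section: counting packets per source per one-second window and comparing the counts against a threshold, with SYNs that are never followed by an ACK from the same source treated as half-open. The trace format, the addresses (taken from the RFC 5737 documentation ranges) and the thresholds are all constructed for the example.

```python
"""Rate-based flood detection over a one-line-per-packet trace.

Added illustration, not part of the original tutorial. Each trace line has the
assumed form "<seconds> <proto> <src> <dst> <info>", where info is the TCP flag
letters (S, SA, A), "echo" for an ICMP echo request, or the UDP destination
port. The trace and the thresholds are constructed for this example.
"""
from collections import Counter

# Alerts fire when one source exceeds these counts within a one-second window.
# Values are assumed for the example; real thresholds depend on the service.
THRESHOLDS = {"syn": 50, "icmp": 100, "udp": 100}


def build_trace():
    """Constructed sample: one genuine client, one SYN flood, one ICMP flood,
    and modest UDP traffic that must not raise an alert."""
    lines = []
    for k in range(3):                       # genuine client: full handshakes
        t = 0.1 + k
        lines += [f"{t:.3f} tcp 192.0.2.5 198.51.100.10 S",
                  f"{t + 0.01:.3f} tcp 198.51.100.10 192.0.2.5 SA",
                  f"{t + 0.02:.3f} tcp 192.0.2.5 198.51.100.10 A"]
    for i in range(120):                     # 120 SYNs in second 0, never acknowledged
        lines.append(f"{i / 120:.3f} tcp 203.0.113.7 198.51.100.10 S")
    for i in range(150):                     # 150 echo requests in second 1
        lines.append(f"{1 + i / 150:.3f} icmp 203.0.113.9 198.51.100.10 echo")
    for i in range(20):                      # 20 DNS queries in second 2: normal
        lines.append(f"{2 + i / 20:.3f} udp 192.0.2.6 198.51.100.10 53")
    return "\n".join(lines)


def parse_line(line):
    """Parse one trace line; return None for malformed lines instead of raising."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        t = float(parts[0])
    except ValueError:
        return None
    return {"time": t, "proto": parts[1], "src": parts[2], "dst": parts[3], "info": parts[4]}


def detect(trace, thresholds=THRESHOLDS):
    """Return a sorted list of (kind, src, window, count) alerts."""
    syns, acks, icmp, udp = Counter(), Counter(), Counter(), Counter()
    for line in trace.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (int(rec["time"]), rec["src"])          # (one-second window, source)
        if rec["proto"] == "tcp":
            if "S" in rec["info"] and "A" not in rec["info"]:
                syns[key] += 1                        # bare SYN: handshake step 1
            elif "A" in rec["info"]:
                acks[key] += 1                        # ACK: the source completed a handshake
        elif rec["proto"] == "icmp" and rec["info"] == "echo":
            icmp[key] += 1
        elif rec["proto"] == "udp":
            udp[key] += 1

    alerts = []
    for (window, src), n in syns.items():
        half_open = n - acks[(window, src)]           # SYNs with no completing ACK
        if half_open >= thresholds["syn"]:
            alerts.append(("syn_flood", src, window, half_open))
    for (window, src), n in icmp.items():
        if n >= thresholds["icmp"]:
            alerts.append(("icmp_flood", src, window, n))
    for (window, src), n in udp.items():
        if n >= thresholds["udp"]:
            alerts.append(("udp_flood", src, window, n))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect(build_trace()):
        print(alert)
```

Counting per window keeps memory bounded and gives a natural place to raise an alert or to feed a rate-limiting rule; the genuine client and the DNS traffic stay below threshold, while the two flooding sources are reported with the window in which they exceeded it.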

That's all for this tutorial. In it, we discussed what a DoS attack is and how it works. If you like this tutorial, please share it on Facebook and subscribe to our YouTube channel.
