Denial of Service is exactly what it sounds : a type of attack that disrupts normal service functions, making it deny requests from legitimate clients. For an easier understanding, we'll just take an example the castlecops.com webpage. It is ran by a UNIX service called a "daemon" - think of it as an always-on, server-side program that makes the web page available when you visit it. This service is designed to support a certain number of connections and a certain quantity of traffic. If at any given time, the service would get 100.000 requests to display the main page in a second, the service wouldn't be able to fulfill any other requests, because of the overflow of incoming and outgoing traffic that the 100.000 requests have generated.

There are 3 types of Denial of Service attacks:
1. Denial of Service (DoS) - this type of attack implies a single attacker that sends packets directly to the targeted system so we have a single attacker and a single target.

2. Distributed Denial of Service (DDoS) - In this case scenario we have multiple infected computers (called zombies) that are being remotely controlled by the attacker, thus we have multiple attacks, coming from multiple attackers.

3. Distributed Reflective Denial of Service (DRDos) - In this type of attack the attacker uses an "Amplification Network". It sends an ICMP or UDP packet to the Amplification Network spoofing the "Source" and "Destination" of the packet with the victim's address. Thus, every system from the Amplification Network will reply with an echo packet to the victim.

Here are some of the most popular forms of DOS attacks:

Ping Flood - ICMP packets sent directly to the victim system (rather old tehnique)

Smurf - a type of DrDos attack (using an Amplification network) with ICMP packets - described above at 3

Fraggle - similar to Smurf, but uses UDP packets towards port 7 and 19

SYN Flood - Exploits the TCP three-way handshake - The attacker sends an initial SYN packet, and the victim system replies with a SYN ACK packet. The attacker doesn't reply with the ACK packet to complete the 3-way handshake, but leaves the victim for a response.

Land - Spoofed SYN packets with the source and destination addresses identified as the victim site. This causes the system to crash as it attempts to respond to its own packet.

Teardrop - this attack is made out of fragmented UDP packets that, when received by the victim system, and rebuilding them, and invalid UDP packet is created, causing a system error, crash or reboot.

Links and reference:
http://www.cert.org/tech_tips/denial_of_service.html
http://www.denialinfo.com/dos.html
http://tools.ietf.org/html/rfc4732
http://www.linuxsecurity.com/content/view/121960/49/

We are also seeing attacks to the SMPT port - similar to the SYN Flood ones - they start a connection and leave things hanging.
They at DDoS too not DoS.

A new topic to cover more sites under ddos Chris?

Not in public Paul - as they may not all be my own domains.

Also my team/methods, being very proactive, have keep them 'at bay' for the moment.

another type - very hard to notice.

Multi get requests from the same IP for the same file, offen linked with others to a DDoS via that method.

Sometimes the file will not even exist.

Can should be taken with this, as moved files can show up, where a link is still in place elsewhere on the web, linking to the removed file.

Good write-up, YG.

I wanted to add this: Sadly then, depending on the severity of the attack, hosts have to take the attacked servers off line by null-routing IPs, otherwise, the attacks can bring down its entire data center.

If a server is engaged in an outbound DOS attack (due to its being compromised) same deal, depending on its severity, it, too, is taken offline. High bandwidth charges often follow. The host or the its customer has to pay for the overages. Upstream providers often get involved in the larger attacks.

When Ironport first took over Spamcop, people wondered how they would make it profitable. Since botnets have spread the spam sources so widely that most never make it onto the Spamcop blocklist, that would seem even more of a question today. But if they are constantly under DDoS, they must have amassed a pretty marketable list of IP addresses. Do we know if they are offering DDoS mitigation services or selling data to companies like Prolexic?

Just to add a little bit of detail and commentary...

Everyone of these techniques can be mitigated with proper ingress filtering and synflood control. Most modern routers and firewalls have syn flood protection and rate limiting.

Anyone that gets whacked by Teardrop or Land deserves it


Amplification attacks like smurf and fraggle are when spoofed source address packets like icmp or udp are sent to the broadcast address of large netblocks and all hosts on that network respond to the packet. Once again proper ingress antispoofing filtering and denial of directed broadcast packets make these attacks less effective.

Why ISP's dont do this is simple. There is no incentive for them to do so.

Your posting back in September has not received a reply. I know that it is a long time, but ere is my belated response.

Let's say a small ISP is under DDOS attack, flogging its bandwidth or killing its resources. You state