DoS Categories β Side-by-Side
| Category | Source | Method | Example | Defense |
|---|---|---|---|---|
| DoS β Resource Exhaustion | Single attacker | Flood target with traffic/requests to exhaust bandwidth, CPU, memory, or connections | Single machine sending thousands of TCP SYN packets per second | Rate limiting; SYN cookies; upstream filtering |
| DoS β Vulnerability Exploitation | Single attacker | Craft malformed packet or trigger design flaw to crash or destabilize the service | Ping of Death: malformed oversized ICMP packet crashes unpatched OS | Patch management β patches close known vulnerability vectors |
| Friendly DoS (Unintentional) | Internal accident / infrastructure failure | Misconfiguration (L2 loop), bandwidth saturation, physical infrastructure failure | Two switches connected in a loop without STP β broadcast storm | STP on all switches; bandwidth monitoring; redundant infrastructure design |
| DDoS β Volumetric | Botnet (thousands to millions of sources) | Aggregate traffic from many sources overwhelms target capacity | Zeus botnet (3.6M devices) directed at a single web server | DDoS mitigation services; anycast routing; upstream filtering; redundancy |
| DDoS β Reflection/Amplification | Botnet + open third-party services | Small spoofed queries to open resolvers generate large responses directed at victim | DNS amplification: 15-byte query β 1,300-byte response (86Γ amplification) | Close open resolvers; BCP38 ingress filtering; rate-limit query responses |
DoS Attack Motivations
| Motivation | Description | Example Scenario |
|---|---|---|
| Competitive Advantage | Take a competitor's online presence offline; redirect their customers | E-commerce attacker launches DDoS against a rival during peak shopping season |
| Extortion | Demand payment to stop the attack; ransom for availability | "Pay X Bitcoin or your site stays down"; Ransom DoS (RDoS) attacks |
| Smokescreen / Distraction | Use DoS to redirect security team attention while a secondary attack proceeds undetected | DDoS floods monitoring dashboards while attacker modifies DNS records or exfiltrates data |
| Hacktivism / Protest | Disrupt an organization to make a political or ideological statement | Activist group targets a government agency's website for a political reason |
| Precursor Attack | Cause a service outage that forces the victim into a fallback mode that is less secure | DoS against DNS server forces fallback to a compromised or attacker-controlled resolver |
DDoS Botnet Architecture
Attacker / Bot Herder
Controls the botnet from a single location. Issues attack commands to the C2 infrastructure. Direct resources are modest β the power comes from the botnet, not the attacker's own connection.
β
Command-and-Control (C2) Infrastructure
Receives commands from the attacker and distributes them to all infected bots. May be centralized (single C2 server β easy to take down) or peer-to-peer (distributed β harder to neutralize). Sends attack parameters: target IP, port, method, duration.
β
Botnet (Infected Devices Worldwide)
Thousands to millions of compromised computers, servers, routers, and IoT devices scattered globally. Owners are unaware. Zeus: 3.6 million at peak. Each device executes the attack command simultaneously on receipt.
β
Target Receives Traffic From Millions of Sources
The victim's servers and network connections are flooded from millions of geographically distributed IP addresses simultaneously. Blocking by source IP is impractical β there are too many, and they are all "legitimate" user IPs from around the world.
DNS Amplification Attack β Step by Step
C2 Issues Attack Command
The attacker commands the botnet: query these open DNS resolvers for maximum-size responses; spoof the source IP to be the victim's address; begin now.
β
Botnet Sends Small Spoofed DNS Queries
Each bot sends a DNS query (~15 bytes) to an open resolver. The source IP in each packet is forged to show the victim's IP address. The query asks for maximum available DNS data (e.g., ANY record for a large domain).
β
Open DNS Resolvers Process and Respond
Each open resolver sees a valid DNS query and sends back a full response (~1,300 bytes) to the apparent source β the victim's IP address. The resolver has no way to know the source was spoofed. Amplification factor: ~86Γ.
β
Victim Flooded With DNS Responses
The victim receives massive volumes of DNS response traffic from thousands of legitimate, distributed DNS servers. The traffic looks like legitimate DNS traffic β from real servers. Blocking "DNS" would break normal operations. The victim is overwhelmed.
The attacker's actual traffic (the small queries) is hidden within normal internet DNS activity. The destructive traffic (large responses) comes from legitimate servers the victim cannot shut down.
Amplification Protocol Comparison
| Protocol | Purpose | Why It Amplifies | Approximate Factor |
|---|---|---|---|
| DNS | Domain name resolution | ANY query requests all available record types; response contains far more data than the query | Up to ~86Γ |
| NTP | Network time synchronization | MONLIST command returns list of last 600 hosts that queried the server β massive response to tiny request | Up to ~550Γ |
| ICMP | Network diagnostics (ping, error reporting) | Directed broadcast or specific ICMP types can generate large responses; Smurf attack used ICMP amplification | Variable |
All three protocols share the property that made them useful for amplification: they provide responses to any requester with no authentication, and the response is larger than the request.
Friendly DoS β Three Scenarios
| Scenario | Cause | Effect | Prevention |
|---|---|---|---|
| Layer 2 Loop (Broadcast Storm) | Two switches connected in a loop without STP to block redundant paths | Broadcast frames circulate endlessly, consuming all bandwidth on the connected segment; devices cannot communicate | Enable Spanning Tree Protocol (STP/RSTP) on all switches; verify before cabling new infrastructure |
| Bandwidth Saturation | Large file download consumes entire available bandwidth of a limited connection | Production applications (VoIP, ERP, video) degrade or fail; branch office effectively offline for normal work | Bandwidth monitoring; traffic shaping/QoS policies that prioritize critical applications; download limits |
| Infrastructure Failure | Physical failure β broken water pipe, power outage, HVAC failure, hardware failure | Service disruption with no attacker; same outcome as a malicious attack from the business perspective | Infrastructure redundancy; no single points of failure; proper data center design (no water above server rooms) |
DoS Defense Stack
| Defense | Threat It Addresses | How It Works |
|---|---|---|
| Patch management | Vulnerability-based DoS | Patches close the software flaws that crafted packets exploit; patched systems handle malformed traffic gracefully |
| STP on all switches | Layer 2 loop / broadcast storm | STP detects and logically blocks redundant paths, preventing loops; enables loop-free redundant cabling |
| Rate limiting and traffic shaping | Bandwidth saturation; volumetric DDoS | Caps traffic from individual sources or categories; QoS prioritizes critical applications over bulk transfers |
| Close open resolvers / BCP38 | Reflection and amplification attacks | DNS servers configured to respond only to authorized clients cannot be used as amplifiers; BCP38 filters spoofed source IPs |
| DDoS mitigation services (CDN/scrubbing) | Large-scale volumetric DDoS | Anycast routing distributes attack traffic across global PoPs; scrubbing centers filter malicious traffic; only clean traffic reaches origin |
| Redundancy and load balancing | All DoS types targeting a single point | Distributes service across multiple systems and locations; no single failure point takes down the entire service |