Chapter 45 Β· Concepts

Denial of Service β€” Concept Maps

DoS categories, botnet architecture, how DNS amplification multiplies attack traffic 86Γ—, and the defense stack that addresses each threat layer.

DoS Categories β€” Side-by-Side

CategorySourceMethodExampleDefense
DoS β€” Resource Exhaustion Single attacker Flood target with traffic/requests to exhaust bandwidth, CPU, memory, or connections Single machine sending thousands of TCP SYN packets per second Rate limiting; SYN cookies; upstream filtering
DoS β€” Vulnerability Exploitation Single attacker Craft malformed packet or trigger design flaw to crash or destabilize the service Ping of Death: malformed oversized ICMP packet crashes unpatched OS Patch management β€” patches close known vulnerability vectors
Friendly DoS (Unintentional) Internal accident / infrastructure failure Misconfiguration (L2 loop), bandwidth saturation, physical infrastructure failure Two switches connected in a loop without STP β†’ broadcast storm STP on all switches; bandwidth monitoring; redundant infrastructure design
DDoS β€” Volumetric Botnet (thousands to millions of sources) Aggregate traffic from many sources overwhelms target capacity Zeus botnet (3.6M devices) directed at a single web server DDoS mitigation services; anycast routing; upstream filtering; redundancy
DDoS β€” Reflection/Amplification Botnet + open third-party services Small spoofed queries to open resolvers generate large responses directed at victim DNS amplification: 15-byte query β†’ 1,300-byte response (86Γ— amplification) Close open resolvers; BCP38 ingress filtering; rate-limit query responses

DoS Attack Motivations

MotivationDescriptionExample Scenario
Competitive Advantage Take a competitor's online presence offline; redirect their customers E-commerce attacker launches DDoS against a rival during peak shopping season
Extortion Demand payment to stop the attack; ransom for availability "Pay X Bitcoin or your site stays down"; Ransom DoS (RDoS) attacks
Smokescreen / Distraction Use DoS to redirect security team attention while a secondary attack proceeds undetected DDoS floods monitoring dashboards while attacker modifies DNS records or exfiltrates data
Hacktivism / Protest Disrupt an organization to make a political or ideological statement Activist group targets a government agency's website for a political reason
Precursor Attack Cause a service outage that forces the victim into a fallback mode that is less secure DoS against DNS server forces fallback to a compromised or attacker-controlled resolver

DDoS Botnet Architecture

πŸ’»
Attacker / Bot Herder
Controls the botnet from a single location. Issues attack commands to the C2 infrastructure. Direct resources are modest β€” the power comes from the botnet, not the attacker's own connection.
↓
πŸ“‘
Command-and-Control (C2) Infrastructure
Receives commands from the attacker and distributes them to all infected bots. May be centralized (single C2 server β€” easy to take down) or peer-to-peer (distributed β€” harder to neutralize). Sends attack parameters: target IP, port, method, duration.
↓
🌐
Botnet (Infected Devices Worldwide)
Thousands to millions of compromised computers, servers, routers, and IoT devices scattered globally. Owners are unaware. Zeus: 3.6 million at peak. Each device executes the attack command simultaneously on receipt.
↓
🎯
Target Receives Traffic From Millions of Sources
The victim's servers and network connections are flooded from millions of geographically distributed IP addresses simultaneously. Blocking by source IP is impractical β€” there are too many, and they are all "legitimate" user IPs from around the world.

DNS Amplification Attack β€” Step by Step

πŸ’»
C2 Issues Attack Command
The attacker commands the botnet: query these open DNS resolvers for maximum-size responses; spoof the source IP to be the victim's address; begin now.
↓
πŸ“€
Botnet Sends Small Spoofed DNS Queries
Each bot sends a DNS query (~15 bytes) to an open resolver. The source IP in each packet is forged to show the victim's IP address. The query asks for maximum available DNS data (e.g., ANY record for a large domain).
↓
πŸ”„
Open DNS Resolvers Process and Respond
Each open resolver sees a valid DNS query and sends back a full response (~1,300 bytes) to the apparent source β€” the victim's IP address. The resolver has no way to know the source was spoofed. Amplification factor: ~86Γ—.
↓
🎯
Victim Flooded With DNS Responses
The victim receives massive volumes of DNS response traffic from thousands of legitimate, distributed DNS servers. The traffic looks like legitimate DNS traffic β€” from real servers. Blocking "DNS" would break normal operations. The victim is overwhelmed.

The attacker's actual traffic (the small queries) is hidden within normal internet DNS activity. The destructive traffic (large responses) comes from legitimate servers the victim cannot shut down.

Amplification Protocol Comparison

ProtocolPurposeWhy It AmplifiesApproximate Factor
DNS Domain name resolution ANY query requests all available record types; response contains far more data than the query Up to ~86Γ—
NTP Network time synchronization MONLIST command returns list of last 600 hosts that queried the server β€” massive response to tiny request Up to ~550Γ—
ICMP Network diagnostics (ping, error reporting) Directed broadcast or specific ICMP types can generate large responses; Smurf attack used ICMP amplification Variable

All three protocols share the property that made them useful for amplification: they provide responses to any requester with no authentication, and the response is larger than the request.

Friendly DoS β€” Three Scenarios

ScenarioCauseEffectPrevention
Layer 2 Loop (Broadcast Storm) Two switches connected in a loop without STP to block redundant paths Broadcast frames circulate endlessly, consuming all bandwidth on the connected segment; devices cannot communicate Enable Spanning Tree Protocol (STP/RSTP) on all switches; verify before cabling new infrastructure
Bandwidth Saturation Large file download consumes entire available bandwidth of a limited connection Production applications (VoIP, ERP, video) degrade or fail; branch office effectively offline for normal work Bandwidth monitoring; traffic shaping/QoS policies that prioritize critical applications; download limits
Infrastructure Failure Physical failure β€” broken water pipe, power outage, HVAC failure, hardware failure Service disruption with no attacker; same outcome as a malicious attack from the business perspective Infrastructure redundancy; no single points of failure; proper data center design (no water above server rooms)

DoS Defense Stack

DefenseThreat It AddressesHow It Works
Patch management Vulnerability-based DoS Patches close the software flaws that crafted packets exploit; patched systems handle malformed traffic gracefully
STP on all switches Layer 2 loop / broadcast storm STP detects and logically blocks redundant paths, preventing loops; enables loop-free redundant cabling
Rate limiting and traffic shaping Bandwidth saturation; volumetric DDoS Caps traffic from individual sources or categories; QoS prioritizes critical applications over bulk transfers
Close open resolvers / BCP38 Reflection and amplification attacks DNS servers configured to respond only to authorized clients cannot be used as amplifiers; BCP38 filters spoofed source IPs
DDoS mitigation services (CDN/scrubbing) Large-scale volumetric DDoS Anycast routing distributes attack traffic across global PoPs; scrubbing centers filter malicious traffic; only clean traffic reaches origin
Redundancy and load balancing All DoS types targeting a single point Distributes service across multiple systems and locations; no single failure point takes down the entire service