Denial of Service Attacks
DDoS attack patterns, amplification vectors, botnet architectures, and comprehensive DoS defense strategies
Chapter 7: Denial of Service Attacks
The 2.3 Tbps Attack on AWS
In February 2020, Amazon Web Services reported mitigating the largest DDoS attack ever recorded at that time: 2.3 terabits per second (disclosed in the AWS Shield Threat Landscape Report Q1 2020). To put that in perspective, thatβs enough bandwidth to download the entire Netflix library every few seconds.
The attack used CLDAP (Connection-less Lightweight Directory Access Protocol) reflectionβa technique where small queries to misconfigured servers generate massive responses directed at the victim. AWS Shield, Amazonβs DDoS protection service, absorbed the traffic and kept customer services online.
But not everyone has AWS-scale resources. In October 2016, the Mirai botnet took down Dyn DNS and, with it, major websites including Twitter, Netflix, and Reddit. The attack peaked at 1.2 Tbps using a botnet of compromised IoT devicesβcameras, DVRs, routers.
These incidents illustrate the modern DDoS landscape: massive botnets, powerful amplification techniques, and attacks that can overwhelm even large infrastructure providers. This chapter explores how DoS attacks work and how to defend against them.
Understanding Denial of Service
Denial of Service attacks aim to make systems or networks unavailable to legitimate users. They target the CIA triadβs Availability component.
DoS Attack Categories
DoS Attack Categories:
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β VOLUMETRIC ATTACKS β
β Overwhelm bandwidth capacity β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β β’ UDP Floods β’ DNS Amplification β
β β’ ICMP Floods β’ NTP Amplification β
β β’ Memcached Attacks β’ SSDP Amplification β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β PROTOCOL ATTACKS β
β Exhaust server/infrastructure resources β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β β’ SYN Floods β’ Ping of Death β
β β’ ACK Floods β’ Smurf Attack β
β β’ Fragmented Packets β’ Connection Floods β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β APPLICATION ATTACKS β
β Target application-layer resources β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β β’ HTTP Floods β’ Slowloris β
β β’ GET/POST Floods β’ R-U-Dead-Yet (RUDY) β
β β’ API Abuse β’ HashDoS β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββDoS vs DDoS
| Feature | DoS | DDoS |
|---|---|---|
| Sources | Single | Multiple (botnet) |
| Scale | Limited | Massive |
| Blocking | Block one IP | Must filter traffic patterns |
| Sophistication | Usually simple | Often coordinated |
| Cost | Free tools | Botnet rental ($50-$500/hour) |
MITRE ATT&CK Reference
DoS attacks map to:
- T1498 - Network Denial of Service
- T1498.001 - Direct Network Flood
- T1498.002 - Reflection Amplification
- T1499 - Endpoint Denial of Service
- T1499.002 - Service Exhaustion Flood
Volumetric Attacks
UDP Flood
Simple attack flooding target with UDP packets to consume bandwidth.
UDP Flood
UDP Flood:
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Attacker βββ UDP packets ββββββββββββββββββββββββββββββββΊ Victim
βββ UDP packets ββββββββββββββββββββββββββββββββΊ
βββ UDP packets ββββββββββββββββββββββββββββββββΊ
βββ (millions per second) ββββββββββββββββββββββΊ
Target: Saturate victim's network bandwidth
Result: Legitimate traffic can't get through
Characteristics:
- Simple to execute
- Easy to detect (random ports, no application data)
- Relatively easy to filterAmplification Attacks
Amplification multiplies attack traffic by exploiting UDP services that send larger responses than requests.
Amplification Attack Concept
Amplification Attack Concept:
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Attacker
β
Spoofed request β Request: 64 bytes
(src=victim_ip) β
βΌ
βββββββββββββββββββ
β Amplifier β
β (Open DNS, β
β NTP, etc.) β
ββββββββββ¬βββββββββ
β
β Response: 3,000+ bytes
βΌ
Victim
Amplification Factor = Response Size / Request Size
= 3000 / 64 = ~47x
With 1 Gbps attack bandwidth, attacker achieves 47 Gbps at victim!Amplification Vectors Comparison
| Protocol | Port | Amplification Factor | Notes |
|---|---|---|---|
| memcached | 11211 | 10,000-51,000x | Highest known, mostly patched |
| NTP monlist | 123 | 556x | Legacy servers still vulnerable |
| DNS ANY | 53 | 28-54x | Open resolvers |
| SSDP | 1900 | 30x | UPnP devices |
| CLDAP | 389 | 56-70x | Windows domain controllers |
| Chargen | 19 | Variable | Obsolete, rare |
| SNMP | 161 | 6.3x | Network devices |
| RIPv1 | 520 | 131x | Legacy routing |
DNS Amplification
DNS Amplification Attack
DNS Amplification Attack:
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
REQUEST (64 bytes):
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β DNS Query: ANY dnsamplificationtest.com β
β Source IP: 192.0.2.1 (VICTIM - SPOOFED) β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
RESPONSE (3,000+ bytes):
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β DNS Response to: 192.0.2.1 (victim) β
β β
β A records, AAAA records, MX records, TXT records, β
β NS records, SOA records, DNSSEC signatures... β
β β
β All sent to victim! β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββUsing hping3 (Demonstration):
# DO NOT use without authorization
# Demonstrates concept only
# Spoofed DNS request
# Real attacks use many reflectors simultaneously
sudo hping3 --udp -p 53 --spoof VICTIM_IP DNS_SERVER_IP --data 64NTP Amplification
NTPβs monlist command returns addresses of last 600 clientsβhuge amplification.
# Check if NTP server has monlist enabled
ntpdc -n -c monlist NTP_SERVER_IP
# If returns list of IPs, server is vulnerable
# Modern NTP servers have monlist disabled
# Detection in traffic:
# Large UDP port 123 responses
# monlist response format identifiableMemcached Amplification (2018 Record)
Memcached Attack Record Breaking
Memcached Attack - Record Breaking:
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
February 2018: GitHub attacked with 1.35 Tbps
February 2018: Record 1.7 Tbps attack detected
How it works:
1. Attacker stores large value in open memcached server:
set key 0 0 1000000
[1MB of data]
2. Attacker sends spoofed request:
get key (src=victim)
Request: ~15 bytes
3. Memcached responds to victim:
Response: 1,000,000 bytes (1MB!)
Amplification: ~51,000x
Why so effective:
- memcached default: listen on 0.0.0.0 (all interfaces)
- No authentication required
- UDP support enabled by default (older versions)Mitigation:
# Bind memcached to localhost only
memcached -l 127.0.0.1
# Or disable UDP entirely
memcached -U 0
# Firewall memcached port
iptables -A INPUT -p udp --dport 11211 -j DROP
iptables -A INPUT -p tcp --dport 11211 -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 11211 -j DROPBotnet Architectures
Traditional Command & Control
Centralized C2
Centralized C2:
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
βββββββββββββββββββ
β C2 Server β
β (IRC, HTTP, etc)β
ββββββββββ¬βββββββββ
β
βββββββββββββββββββββΌββββββββββββββββββββ
β β β
ββββββ΄βββββ ββββββ΄βββββ ββββββ΄βββββ
β Bot β β Bot β β Bot β
β (Host 1)β β (Host 2)β β (Host n)β
βββββββββββ βββββββββββ βββββββββββ
Pros: Simple, direct control
Cons: Single point of failure, easy to takedownP2P Botnet Architecture
PeertoPeer Botnet
Peer-to-Peer Botnet:
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
βββββββββββ βββββββββββ βββββββββββ
β Bot A ββββββββΊβ Bot B ββββββββΊβ Bot C β
ββββββ¬βββββ ββββββ¬βββββ ββββββ¬βββββ
β β β
ββββββββββββββββββΊβββββββββββββββββββ
β
ββββββ΄βββββ
β Bot D β
βββββββββββ
Commands propagate through peer network
No single point of failure
Harder to takedown
Examples: GameOver Zeus, TDL-4Mirai Botnet Architecture
Mirai Architecture (IoT Botnet)
Mirai Architecture (IoT Botnet):
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
SCANNING COMPONENT:
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Infected devices scan for: β
β - Open Telnet (23) β
β - SSH (22) β
β Using hardcoded credential list (admin/admin, root/root, etc.) β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β
βΌ
C2 INFRASTRUCTURE:
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Report Server - Receives vulnerable targets β
β Load Server - Delivers malware payload β
β C2 Server - Sends attack commands β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β
βΌ
ATTACK CAPABILITIES:
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β - UDP floods β
β - SYN floods β
β - ACK floods β
β - GRE floods β
β - DNS water torture β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Peak: 600,000+ infected devices
Record attack: 1.2 Tbps against Dyn DNSDDoS-for-Hire (Booter Services)
DDoSasaService
DDoS-as-a-Service:
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Cost: $10-500+ per attack
Access: Tor hidden services, clear web (disguised as "stress testing")
Power: Up to hundreds of Gbps
Customer βββ Orders attack ββββΊ Booter Service
β
βΌ
Botnet Controller
β
ββββββββββββββββββΌβββββββββββββββββ
βΌ βΌ βΌ
Bot 1 Bot 2 Bot n
β β β
ββββββ Attack Traffic ββββββββββββΊβ VictimApplication Layer Attacks
HTTP Flood
Legitimate-looking HTTP requests overwhelming web application.
HTTP Flood Characteristics
HTTP Flood Characteristics:
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
SIMPLE GET FLOOD:
GET / HTTP/1.1
Host: target.com
(thousands per second)
SOPHISTICATED HTTP FLOOD:
- Rotates User-Agents
- Uses real browser headers
- Varies request patterns
- Targets expensive endpoints (search, login)
- Uses HTTPS (encrypted, harder to inspect)
Detection Challenge:
Each request looks legitimate individually
Volume/pattern analysis requiredSlowloris and Slow Attacks
(Covered in detail in Chapter 5)
Slow Attack Variants
Slow Attack Variants:
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
SLOWLORIS:
- Sends partial HTTP headers slowly
- Keeps connections open indefinitely
- Exhausts connection pool
SLOW POST (R-U-Dead-Yet):
- Sends POST with large Content-Length
- Sends body 1 byte at a time
- Server waits for complete body
SLOW READ:
- Completes request normally
- Sets tiny window size
- Reads response very slowly
- Server buffers response in memoryAPI-Based DDoS
API Abuse Patterns
API Abuse Patterns:
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
EXPENSIVE ENDPOINT TARGETING:
- Search endpoints with complex queries
- Report generation
- Data export functions
- Authentication endpoints (hashing cost)
EXAMPLE - Search DoS:
GET /api/search?q=a*&sort=relevance&filter=all&page=1
GET /api/search?q=b*&sort=relevance&filter=all&page=1
(thousands per second)
Each request triggers:
- Database query
- Full-text search
- Result sorting
- Response formatting
CPU exhaustion without massive bandwidthDDoS Mitigation Strategies
Architectural Defenses
DDoSResilient Architecture
DDoS-Resilient Architecture:
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
βββββββββββββββββββββββββββββββββββββββ
β CDN / ANYCAST β
β (Geographic distribution) β
βββββββββββββββββββ¬ββββββββββββββββββββ
β
βββββββββββββββββββ΄ββββββββββββββββββββ
β DDoS MITIGATION SERVICE β
β (Cloudflare, AWS Shield, Akamai) β
β - Traffic scrubbing β
β - Rate limiting β
β - Challenge pages β
βββββββββββββββββββ¬ββββββββββββββββββββ
β
βββββββββββββββββββ΄ββββββββββββββββββββ
β LOAD BALANCER β
β (Connection limits, health checks)β
βββββββββββββββββββ¬ββββββββββββββββββββ
β
βββββββββββββββββββββββββΌββββββββββββββββββββββββ
β β β
ββββββ΄ββββββ ββββββ΄ββββββ ββββββ΄ββββββ
β Server 1 β β Server 2 β β Server n β
β(Hardened)β β(Hardened)β β(Hardened)β
ββββββββββββ ββββββββββββ ββββββββββββNetwork-Level Defenses
Rate Limiting:
# iptables - Rate limit by source
iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
# Nginx - Connection limits
limit_conn_zone $binary_remote_addr zone=perip:10m;
limit_conn perip 100; # Max 100 connections per IP
limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;
limit_req zone=one burst=20 nodelay;BGP Blackhole/Flowspec:
BGP Blackhole Routing
BGP Blackhole Routing:
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
When under attack:
1. Identify victim IP (e.g., 192.0.2.100)
2. Announce to upstream: "Route 192.0.2.100/32 to null"
3. Attack traffic dropped at network edge
RTBH (Remotely Triggered Black Hole):
router bgp 65001
neighbor 10.0.0.1 remote-as 65002
neighbor 10.0.0.1 route-map RTBH out
route-map RTBH permit 10
match tag 666
set community 65002:666
ip route 192.0.2.100 255.255.255.255 Null0 tag 666
Cons: Victim IP unreachable (attacker wins?)
Pros: Protects rest of infrastructureBGP Flowspec (More Granular):
Flowspec Granular Traffic Filtering
Flowspec - Granular Traffic Filtering:
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Instead of black-holing destination, filter specific traffic:
"Drop UDP traffic to 192.0.2.100:53 from any source"
Preserves legitimate traffic while blocking attack patterns
Requires Flowspec-capable routersApplication-Level Defenses
Challenge Systems:
JavaScript Challenge (Bot Detection)
JavaScript Challenge (Bot Detection):
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Initial request ββββΊ Challenge Page (JavaScript required)
β
βΌ
Browser executes JavaScript
Computes proof-of-work
Sends solution
β
βΌ
Server validates ββββΊ Access granted
Bots: Can't execute JavaScript, fail challenge
Humans: Minor delay, then normal accessCAPTCHA:
# Trigger CAPTCHA under attack conditions
# After rate limit exceeded or suspicious pattern
if request_rate > threshold:
show_captcha()DoS Detection
Traffic Analysis
# Monitor connection states
watch -n 1 'netstat -ant | grep -c SYN_RECV'
watch -n 1 'netstat -ant | grep -c ESTABLISHED | wc -l'
# High SYN_RECV = potential SYN flood
# Excessive ESTABLISHED = potential HTTP flood
# Bandwidth monitoring
iftop -i eth0
nethogs eth0
# Packet capture for pattern analysis
tcpdump -i eth0 -w attack_capture.pcapAttack Pattern Recognition
| Pattern | Likely Attack |
|---|---|
| High UDP to single port | UDP flood |
| Many SYN, few ACK | SYN flood |
| Large UDP responses (53, 123) | Amplification reflection |
| Consistent packet sizes | Botnet flood |
| Many HTTP requests, few complete | Slowloris |
| HTTP floods to single endpoint | Application DoS |
Monitoring Tools
| Tool | Purpose |
|---|---|
| Netflow/sFlow | Traffic analysis |
| Prometheus + Grafana | Metrics and alerting |
| Elastic Stack | Log analysis |
| Arbor/Netscout | Commercial DDoS detection |
| FastNetMon | Open source detection |
Lab Exercise: DDoS Analysis
Objective
Understand DDoS traffic patterns through analysis (not execution).
Exercise 1: Traffic Capture Analysis
# Download sample DDoS capture (from public datasets)
# CAIDA DDoS attack datasets: https://www.caida.org/catalog/datasets/ddos/
# Analyze with tshark
tshark -r ddos_sample.pcap -q -z conv,ip
# Shows conversation statistics
tshark -r ddos_sample.pcap -q -z io,phs
# Protocol hierarchy statistics
# Look for:
# - Predominant protocol (UDP for volumetric)
# - Packet size distribution
# - Source IP diversityExercise 2: Amplification Factor Measurement
# Safely measure DNS amplification potential
# (Against your OWN server)
# Request size
dig @your-dns-server ANY example.com | wc -c
# Compare request vs response
# Calculate amplification factor
# Response size / Request size = AmplificationExercise 3: Mitigation Testing
# Test rate limiting effectiveness
# On YOUR test server
# Configure rate limiting
iptables -A INPUT -p tcp --dport 80 -m limit --limit 10/s -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
# Use Apache Bench to test
ab -n 1000 -c 100 http://localhost/
# Observe that requests beyond 10/s are dropped
# Monitor with iptables -L -v -nKey Takeaways
-
Volumetric attacks overwhelm bandwidthβrequires upstream filtering or DDoS services
-
Amplification multiplies attackerβs bandwidth up to 51,000xβclose open reflectors
-
Botnets provide distributed attack sourcesβIoT devices are frequent targets for recruitment
-
Application attacks are harder to detectβlook like legitimate traffic
-
Defense requires layers: ISP filtering, DDoS services, rate limiting, application hardening
-
BGP techniques (blackhole, flowspec) provide network-level response capabilities
Self-Assessment
-
Comprehension: Why canβt simple IP blocking stop a DDoS attack?
-
Application: Your web server is under a Slowloris attack. How do you identify it, and whatβs your immediate mitigation?
-
What if: An attacker is using HTTPS for their HTTP flood. How does this complicate detection and mitigation?
Review Questions
- Explain the difference between volumetric, protocol, and application layer attacks.
- How does UDP amplification work, and what makes memcached particularly effective?
- Describe the architecture of the Mirai botnet.
- Why is HTTP flood detection challenging?
- How do BGP blackhole and flowspec differ in their approach to DDoS mitigation?
- What role do challenge systems (JavaScript challenges, CAPTCHA) play in DDoS defense?
MITRE ATT&CK Mapping
| Attack | Technique ID | Tactic |
|---|---|---|
| UDP Flood | T1498.001 | Impact |
| SYN Flood | T1498.001 | Impact |
| Amplification Attack | T1498.002 | Impact |
| HTTP Flood | T1499.002 | Impact |
| Slowloris | T1499.002 | Impact |
| Botnet C2 | T1071 | Command and Control |