DoS Threats and Countermeasures
DoS attacks in the news
• Anonymous takes down the Formula 1 website with a DDoS attack in protest at Bahrain hosting the Grand Prix race.
Source: jalopnik.com
• DDoS attacks on PayPal, Visa and MasterCard in retaliation for their blocking of WikiLeaks' accounts.
Terminology
• A DoS attack is an attempt to make a computer or network resource unavailable to its intended users.
• A DDoS attack is the distributed form: a master controls many bots through a C&C server and directs them to attack the target all at once.
• DRDoS (distributed reflected DoS): the attacker sends requests with the victim's address as the spoofed source to third-party hosts (reflectors), whose replies all land on the victim.
• Bots, also known as zombies, are infected computers under the control of the attacker.
• A botnet is a network of bots.
• C&C server: the command and control server from which the botmaster issues orders to the bots.
DDoS in action
Classification of DoS attacks
• Bandwidth consumption
• Local resource starvation
• Programming flaws
Different types of DoS attack
TCP SYN attack
• A TCP SYN flood sends a host more TCP SYN segments than its protocol implementation can handle: each SYN reserves a half-open (SYN_RECV) entry until the handshake completes or times out, and with spoofed sources the handshakes never complete, so the queue fills and legitimate SYNs are dropped.
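The footprint a SYN flood leaves in a packet trace is SYNs whose handshake is never finished. The tracker below is an added example (not part of the deck or of any tool it cites) that replays a constructed trace against an assumed victim address, keeps the set of half-open connections the server would be holding, and flags sources that send many SYNs but complete almost none of them:

```python
"""Half-open (SYN_RECV) tracking over a packet trace. The footprint of a SYN flood is
SYNs whose three-way handshake is never finished with the client's final ACK, so the
server's backlog fills with entries that will only leave by timeout."""
from collections import defaultdict

SERVER = "203.0.113.10"   # assumed victim address
PORT = 80

# Constructed trace, not a real capture: (time, src, dst, sport, dport, tcp_flags)
TRACE = [
    # legitimate client 1: complete handshake
    (0.00, "198.51.100.7", SERVER, 40001, PORT, "S"),
    (0.01, SERVER, "198.51.100.7", PORT, 40001, "SA"),
    (0.02, "198.51.100.7", SERVER, 40001, PORT, "A"),
    # legitimate client 2: complete handshake
    (0.05, "198.51.100.9", SERVER, 40123, PORT, "S"),
    (0.06, SERVER, "198.51.100.9", PORT, 40123, "SA"),
    (0.07, "198.51.100.9", SERVER, 40123, PORT, "A"),
]
# flood: 50 SYNs from one source on fresh ports; the server answers, the ACK never comes
for i in range(50):
    TRACE.append((1.0 + i / 1000, "192.0.2.66", SERVER, 50000 + i, PORT, "S"))
    TRACE.append((1.0 + i / 1000 + 0.0005, SERVER, "192.0.2.66", PORT, 50000 + i, "SA"))


def track_half_open(trace, server=SERVER, port=PORT):
    """Replay the trace in time order.

    Returns (stats, backlog): stats maps each client source to its SYN and
    completed-handshake counts; backlog is the set of (src, sport) still
    half-open at the end, i.e. what the server's SYN queue would be holding.
    """
    backlog = set()
    stats = defaultdict(lambda: {"syn": 0, "completed": 0})
    for _t, src, dst, sport, dport, flags in sorted(trace):
        if dst != server or dport != port:
            continue                      # only client -> server segments matter
        key = (src, sport)
        if flags == "S":
            backlog.add(key)
            stats[src]["syn"] += 1
        elif flags == "A" and key in backlog:
            backlog.discard(key)          # handshake finished, entry leaves the queue
            stats[src]["completed"] += 1
    return dict(stats), backlog


def flood_sources(stats, min_syns=10, max_completion=0.2):
    """Sources that sent many SYNs and completed almost none of the handshakes."""
    return sorted(src for src, s in stats.items()
                  if s["syn"] >= min_syns and s["completed"] / s["syn"] <= max_completion)


if __name__ == "__main__":
    stats, backlog = track_half_open(TRACE)
    print(f"half-open entries at end of trace: {len(backlog)}")
    print("flood sources:", flood_sources(stats))
```

With randomly spoofed source addresses the per-source ratio never trips, because every source sends exactly one SYN; the size of the backlog set is then the only signal, which is why SYN-flood defences act on the queue as a whole rather than on individual sources.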
Smurf attack
• A Smurf attack exploits IP directed-broadcast addressing to create a denial of service: ICMP echo requests carrying the victim's spoofed source address are sent to a network's broadcast address, and every host on that network replies to the victim, so one packet in becomes hundreds out.
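A border router stops Smurf at both ends: by refusing packets whose source could not legitimately have arrived on that interface (so the victim cannot be impersonated) and by refusing packets aimed at a connected subnet's broadcast address (so the network cannot serve as the amplifier). The filter below is an added example, not the deck's or any vendor's code; the bogon list is a subset and the routing table is constructed:

```python
"""Border-router ingress filter against Smurf: refuse packets the victim could not
have sent (bogon and uRPF checks on the source) and refuse packets aimed at a
directed-broadcast address (so this network cannot be used as the amplifier)."""
import ipaddress

# Never-valid public sources; a subset of the usual bogon list (assumed here)
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
)]

# Constructed routing table: prefix -> interface; longest prefix wins
ROUTES = {
    ipaddress.ip_network("203.0.113.0/24"): "lan",   # our customer network
    ipaddress.ip_network("0.0.0.0/0"): "wan",        # everything else via upstream
}
CONNECTED = [ipaddress.ip_network("203.0.113.0/24")]


def egress_interface(ip):
    """Interface the router would use to reach ip (longest prefix match)."""
    _net, iface = max(((n, i) for n, i in ROUTES.items() if ip in n),
                      key=lambda m: m[0].prefixlen)
    return iface


def is_bogon(ip):
    return any(ip in n for n in BOGONS)


def ingress_filter(ingress, src, dst):
    """Decide the fate of a packet arriving on interface `ingress`."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if is_bogon(src):
        return "drop: bogon source"
    # strict uRPF: the route back to src must leave via the interface it came in on
    if egress_interface(src) != ingress:
        return "drop: uRPF failed (spoofed source)"
    # `no ip directed-broadcast`: never deliver to a connected subnet's broadcast address
    if any(dst == n.broadcast_address for n in CONNECTED):
        return "drop: directed broadcast"
    return "forward"


if __name__ == "__main__":
    cases = [
        ("wan", "198.51.100.7", "203.0.113.20"),    # ordinary inbound packet
        ("wan", "198.51.100.7", "203.0.113.255"),   # Smurf trigger aimed at our broadcast
        ("lan", "198.51.100.7", "203.0.113.255"),   # inside bot spoofing an outside victim
        ("wan", "203.0.113.5", "203.0.113.20"),     # outsider spoofing one of our addresses
        ("lan", "10.1.1.1", "198.51.100.7"),        # RFC 1918 source leaking out
    ]
    for c in cases:
        print(c, "->", ingress_filter(*c))
```

The broadcast check matters even where uRPF is deployed: once an amplifier network has been triggered, the echo replies it emits carry genuine source addresses and pass every source check on the way to the victim, so the trigger has to be dropped before it reaches the broadcast domain.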
Vulnerable HTTP
A type of resource starvation attack: the server dedicates a worker or socket to each connection, and the attacker holds as many connections open as possible for as long as possible.
• Slow HTTP request body (slow POST) attack: exploits the Content-Length field of the HTTP request, which specifies the length of the message body in bytes. The attacker declares a large body and then delivers it a few bytes at a time, so the server keeps the connection open waiting for the rest.
• Slow Read sends a legitimate HTTP request and then reads the response very slowly (advertising a tiny TCP receive window), thus keeping as many connections open as possible and eventually causing a DoS.
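The server-side answer to all of the slow HTTP variants is the same: hold every connection to a minimum transfer rate in each phase and close the ones that trickle. The guard below is an added example (not the deck's code, and not the implementation of any particular server) of that rule, with a constructed timeline for a normal client and for the slow-headers, slow-body and Slow Read cases; the grace period and rate floor are assumed values:

```python
"""Server-side guard against slow HTTP attacks. Every connection is held to a
minimum transfer rate in each phase (request headers, request body, response
drain), the same idea as Apache mod_reqtimeout or nginx's client_*_timeout:
a connection that trickles bytes below the floor is closed instead of pinning
a worker until the attacker decides to finish."""


class Conn:
    def __init__(self, now):
        self.phase = "headers"    # headers -> body -> response -> done
        self.phase_start = now
        self.phase_bytes = 0


class SlowHttpGuard:
    def __init__(self, grace=5.0, min_rate=100.0):
        self.grace = grace          # seconds a phase may run before the rate is enforced
        self.min_rate = min_rate    # bytes per second floor (assumed value)
        self.conns = {}

    def open(self, cid, now):
        self.conns[cid] = Conn(now)

    def progress(self, cid, now, nbytes, advance_to=None):
        """Account nbytes to the current phase; advance_to begins the next phase
        ("body" when headers are complete, "response" when the body is in,
        "done" when the client has drained the whole response)."""
        c = self.conns[cid]
        c.phase_bytes += nbytes
        if advance_to:
            c.phase, c.phase_start, c.phase_bytes = advance_to, now, 0

    def verdict(self, cid, now):
        c = self.conns[cid]
        if c.phase == "done":
            return "ok"
        elapsed = now - c.phase_start
        if elapsed <= self.grace:
            return "ok"                       # still inside the grace period
        if c.phase_bytes / elapsed < self.min_rate:
            return f"close: slow {c.phase}"
        return "ok"


def simulate(check_at=20.0):
    """Four constructed clients, each observed at t=check_at seconds."""
    g = SlowHttpGuard()
    # normal client: 400 B of headers, 2 kB body, 8 kB response, all within a second
    g.open("normal", 0.0)
    g.progress("normal", 0.1, 400, advance_to="body")
    g.progress("normal", 0.5, 2000, advance_to="response")
    g.progress("normal", 1.0, 8000, advance_to="done")
    # Slowloris-style: 10 bytes of header every second, never sends the blank line
    g.open("slow-headers", 0.0)
    for t in range(1, int(check_at)):
        g.progress("slow-headers", float(t), 10)
    # slow POST: headers done quickly with a large Content-Length, body at 1 B/s
    g.open("slow-body", 0.0)
    g.progress("slow-body", 0.1, 300, advance_to="body")
    for t in range(1, int(check_at)):
        g.progress("slow-body", float(t), 1)
    # Slow Read: legitimate request, then drains a large response at 50 B/s
    g.open("slow-read", 0.0)
    g.progress("slow-read", 0.1, 300, advance_to="body")
    g.progress("slow-read", 0.2, 0, advance_to="response")
    for t in range(1, int(check_at)):
        g.progress("slow-read", float(t), 50)
    return {cid: g.verdict(cid, check_at) for cid in g.conns}


if __name__ == "__main__":
    for cid, v in simulate().items():
        print(f"{cid:13s} {v}")
```

The grace period is what keeps the rule from punishing clients on slow or lossy links at the start of a request; the floor only bites once a phase has run long enough that the average rate is meaningful.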
DHCP starvation & prevention
• The attacker floods the DHCP server with DISCOVER/REQUEST messages from forged MAC addresses until a dummy lease exists for every IP in the DHCP range, which effectively causes a DoS for new users trying to obtain an IP from DHCP.
• Prevention: port security (limit the MAC addresses per switch port) and DHCP snooping with a per-port rate limit, so the port sourcing the forged requests is shut before the scope is exhausted.
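The following is an added example (not from the deck) that replays a constructed event log against a simplified DHCP server with a 50-address scope, once without protection and once behind a guard that models port security and a DHCP snooping rate limit. The port names, MAC addresses, pool size and limits are all assumed:

```python
"""DHCP starvation and the switch-side defence. Without a guard, one port
sourcing DISCOVERs from forged MACs takes every lease in the scope. The guard
models port security (max MAC addresses per port) plus DHCP snooping's
per-port rate limit: the offending port is shut before the pool is empty."""
from collections import defaultdict, deque

POOL_SIZE = 50                        # assumed scope: 10.0.0.100 - 10.0.0.149
LEGIT_A = "00:11:22:33:44:01"
LEGIT_B = "00:11:22:33:44:02"

# Constructed event log: (time, switch_port, client_mac, dhcp_message)
EVENTS = [(0.0, "Gi0/1", LEGIT_A, "DISCOVER")]
EVENTS += [(1.0 + i * 0.005, "Gi0/5", f"de:ad:be:ef:00:{i:02x}", "DISCOVER") for i in range(100)]
EVENTS += [(2.0, "Gi0/2", LEGIT_B, "DISCOVER")]


class PortGuard:
    def __init__(self, max_macs=3, max_rate=15, window=1.0):
        self.max_macs = max_macs      # port-security maximum (assumed)
        self.max_rate = max_rate      # DHCP packets per window, as in `ip dhcp snooping limit rate`
        self.window = window
        self.macs = defaultdict(set)
        self.times = defaultdict(deque)

    def allow(self, t, port, mac):
        """False means the port should be err-disabled."""
        self.macs[port].add(mac)
        if len(self.macs[port]) > self.max_macs:
            return False
        q = self.times[port]
        q.append(t)
        while q and t - q[0] > self.window:
            q.popleft()
        return len(q) <= self.max_rate


def run(events, guard=None):
    """Replay events against a DHCP server with POOL_SIZE leases.
    Returns (leases, disabled_ports); a lease of None means the client got nothing.
    Simplified: a permitted DISCOVER from a new MAC consumes a lease outright."""
    free = POOL_SIZE
    leases = {}
    disabled = set()
    for t, port, mac, msg in events:
        if port in disabled:
            continue
        if guard is not None and not guard.allow(t, port, mac):
            disabled.add(port)
            continue
        if msg == "DISCOVER" and mac not in leases:
            if free > 0:
                leases[mac] = f"10.0.0.{100 + POOL_SIZE - free}"
                free -= 1
            else:
                leases[mac] = None
    return leases, disabled


if __name__ == "__main__":
    leases, _ = run(EVENTS)
    print("no guard: second client gets", leases[LEGIT_B])
    leases, disabled = run(EVENTS, PortGuard())
    print("with guard: second client gets", leases[LEGIT_B], "; disabled ports:", disabled)
```

The MAC limit trips on the fourth forged address, well before the rate limit would; the rate limit is still worth having for an attacker who reuses a few MACs and simply hammers the server with REQUESTs.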
Programming flaws exploited
Torpig botnet: an analysis
Communicating bots
• IP fast-flux: the C&C domain name resolves to many IPs (typically the bots themselves acting as proxies), and the set of IPs changes frequently, with very short DNS TTLs.
• Domain flux uses a DGA (Domain Generation Algorithm): the bots compute a fresh list of candidate C&C domains, typically seeded by the date, and the botmaster registers only one or a few of them.
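Domain flux seen from both sides, as an added example: the generator here is an illustrative date-seeded DGA written for this page, not Torpig's own algorithm, and the seed, dates and addresses are assumed. The bot walks the day's list until a name resolves; a defender who has reversed the algorithm can compute the next day's list in advance and register or sinkhole every entry, which is the sinkholing countermeasure applied to the C&C channel:

```python
"""Domain flux from both sides. The DGA here is an illustrative date-seeded
generator (not Torpig's own algorithm): bot and botmaster derive the same
candidate list for each day, the botmaster registers one entry, and the bot
walks the list until a name resolves. A defender who has reversed the
algorithm can compute the list ahead of time and register or sinkhole it."""
import datetime
import hashlib

SEED = b"example-botnet-seed"     # assumed per-botnet constant
TLDS = ("com", "net", "biz")
DAY1 = datetime.date(2011, 1, 15)  # constructed dates for the simulation
DAY2 = DAY1 + datetime.timedelta(days=1)


def dga(day, count=20, seed=SEED):
    """Candidate C&C names for `day`, deterministic for everyone holding the seed."""
    names = []
    for i in range(count):
        h = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).digest()
        label = "".join(chr(ord("a") + b % 26) for b in h[:12])
        names.append(f"{label}.{TLDS[h[12] % len(TLDS)]}")
    return names


def bot_rendezvous(day, resolve):
    """What a bot does on `day`: try each candidate in order, first live name wins.
    `resolve` maps a name to an IP or None (a stand-in for a DNS lookup)."""
    for name in dga(day):
        ip = resolve(name)
        if ip:
            return name, ip
    return None


def simulate():
    """Day 1: the botmaster holds one name. Day 2: the defender got there first."""
    botmaster_ip, sinkhole_ip = "198.51.100.23", "203.0.113.1"
    registry = {dga(DAY1)[7]: botmaster_ip}                 # botmaster registered entry 7
    registry.update({n: sinkhole_ip for n in dga(DAY2)})    # defender pre-registered all of day 2
    return bot_rendezvous(DAY1, registry.get), bot_rendezvous(DAY2, registry.get)


if __name__ == "__main__":
    (n1, ip1), (n2, ip2) = simulate()
    print(f"day 1: bot reached {n1} at {ip1} (botmaster)")
    print(f"day 2: bot reached {n2} at {ip2} (sinkhole)")
```

Because the bot takes the first name that resolves, the defender who registers the whole day's list wins the race even if the botmaster later registers one entry further down; real DGAs raise the cost of this by generating thousands of names per day and by picking the seed from something the defender cannot predict in advance.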
Countermeasures
• Delayed binding (TCP connection splicing): a proxy completes the three-way handshake with the client before opening a connection to the real server, so spoofed SYNs never reach it.
• Rate limiter: cap packets or connections per source or per service.
• IPS and rate-based IPS
• Blackholing: null-route traffic to the attacked prefix; the target stays offline but the rest of the network survives.
• Sinkholing: divert the attack (or the botnet's C&C traffic) to a host where it can be absorbed and analysed.
• Clean pipes: upstream scrubbing that forwards only filtered traffic.
• Bogon filtering and uRPF (unicast reverse path forwarding): drop packets whose source address is unallocated or does not route back through the interface they arrived on.
• WAN-link failover
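Delayed binding only pays off if the proxy itself cannot be SYN-flooded, which is why it is usually built on SYN cookies: the SYN-ACK's sequence number is a keyed hash of the connection 4-tuple and a time slot, nothing is stored, and the back-end connection is opened only when an ACK returns carrying a valid cookie. The proxy below is an added example written for this page (not the deck's code and not any product's implementation); the secret, the cookie layout and the MSS table are assumptions:

```python
"""Delayed binding with SYN cookies. The proxy answers every SYN with a SYN-ACK
whose sequence number is a keyed hash of the connection 4-tuple and a time
slot, keeps no per-connection state, and only opens the back-end (server) side
when an ACK arrives that carries a valid cookie. A flood of SYNs therefore
costs the proxy CPU, not memory."""
import hashlib
import hmac

SECRET = b"rotate-this-key-periodically"      # assumed proxy secret
MSS_TABLE = (536, 1220, 1440, 1460)           # MSS values the 3-bit field can encode


def make_cookie(src, dst, sport, dport, slot, mss_idx):
    """32-bit cookie: 5 bits time slot | 3 bits MSS index | 24 bits of HMAC."""
    msg = f"{src}:{sport}>{dst}:{dport}@{slot & 0x1F}/{mss_idx & 0x7}".encode()
    mac = int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")
    return ((slot & 0x1F) << 27) | ((mss_idx & 0x7) << 24) | mac


class SynProxy:
    def __init__(self, slot=0):
        self.slot = slot               # advanced by the caller every few seconds
        self.established = []          # the only state: connections handed to the back end

    def on_syn(self, src, dst, sport, dport, mss):
        """Return the ISN to put in the SYN-ACK; nothing is stored for this SYN."""
        mss_idx = max((i for i, v in enumerate(MSS_TABLE) if v <= mss), default=0)
        return make_cookie(src, dst, sport, dport, self.slot, mss_idx)

    def on_ack(self, src, dst, sport, dport, ack):
        """Validate the cookie echoed back as ack-1; on success bind to the back end.
        Returns (src, sport, mss) for the new connection, or None if the ACK is bogus."""
        seq = (ack - 1) & 0xFFFFFFFF
        slot, mss_idx = seq >> 27, (seq >> 24) & 0x7
        if (self.slot - slot) & 0x1F > 1:          # accept the current and previous slot only
            return None
        expected = make_cookie(src, dst, sport, dport, slot, mss_idx).to_bytes(4, "big")
        if not hmac.compare_digest(expected, seq.to_bytes(4, "big")):
            return None
        conn = (src, sport, MSS_TABLE[mss_idx])    # MSS recovered from the cookie, not from memory
        self.established.append(conn)
        return conn


if __name__ == "__main__":
    proxy = SynProxy(slot=4)
    # a flood of SYNs leaves nothing behind
    for i in range(10000):
        proxy.on_syn("192.0.2.66", "203.0.113.10", 1024 + i, 80, 1460)
    print("established after 10000 SYNs:", len(proxy.established))
    # a real client completes the handshake and gets bound to the back end
    isn = proxy.on_syn("198.51.100.7", "203.0.113.10", 40001, 80, 1460)
    print("client bound:", proxy.on_ack("198.51.100.7", "203.0.113.10", 40001, 80, isn + 1))
```

The price of statelessness is that everything the proxy needs later (here only the MSS) has to be squeezed into the 32-bit sequence number, and the slot window bounds how long a SYN-ACK stays valid, which is also what limits replay of a captured cookie.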
Some more to know
• Bots are available for rent at prices from $3 per day to $300 a week.
• Zombies are also used for spamming and are difficult to block with DNSBLs.
• Know hacking, but no hacking.
References
• http://en.wikipedia.org/wiki/Denial-of-service_attack
• DDoS Attack and Countermeasures, Pier Luigi Rotondo
• RioRey Taxonomy of DDoS Attacks, version 2.2, 2011
• http://www.honeynet.org/node/132
• IEEE Security & Privacy magazine, volume 9, number 1