DoS and DDoS Attacks

[!NOTE] This module explores the core principles of DoS and DDoS Attacks, deriving solutions from first principles and hardware constraints to build world-class, production-ready expertise.

1. What is a DoS?

A Denial of Service (DoS) attack is an attempt to make a machine or network resource unavailable to its intended users.

  • Volumetric: Filling up the “pipe” (bandwidth) with junk.
  • Exhaustion: Filling up the “brain” (CPU/RAM/Connection table) of the server.

2. Distributed DoS (DDoS)

A DDoS attack uses a Botnet (a network of thousands of compromised computers/IoT devices) to attack a target simultaneously. It is much harder to block because the traffic comes from thousands of different IP addresses.

3. Common Attack Types

SYN Flood (Layer 4)

Takes advantage of the TCP 3-Way Handshake.

  1. Attacker sends thousands of SYN packets but never replies to the SYN-ACK.
  2. The server keeps connections “half-open,” waiting for the final ACK.
  3. The server’s connection table fills up, and it stops accepting new legitimate users.

UDP Amplification (Layer 3/7)

The attacker sends a small request to a public server (such as an open DNS or NTP server) with the source address spoofed to the Target’s IP.

  • The server sends its much larger response to the Target, not to the attacker.
  • A 10Gbps botnet can turn into a 500Gbps attack on the target.

HTTP Flood (Layer 7)

Sending thousands of complex HTTP requests (GET /search?q=everything) to exhaust the web server’s CPU or database.


4. Interactive: SYN Flood Simulation

Watch the connection table overflow.

[Interactive simulation: Botnet 🤖 → Server Connection Table → TARGET 🔥. Initial status: “Server Healthy.”]

5. Mitigation

  • Anycast Network: Distributes attack traffic across multiple global data centers (e.g., Cloudflare).
  • Scrubbing Centers: Inspect traffic and remove “bad” packets before forwarding “clean” traffic to the target.
  • Rate Limiting: Caps the number of requests a single IP can make.
  • SYN Cookies: A technique that lets the server answer a SYN without storing any state for the half-open connection until the final ACK arrives.
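To tie the SYN flood in section 3, the connection-table overflow in section 4 and the SYN Cookies mitigation together, here is an added simulation that is not part of the original module. It models a server with a bounded half-open table, floods it with constructed spoofed SYNs that never ACK, and then checks whether one legitimate client can still connect; the cookie layout (5 bits of time counter, 2 bits of MSS index, 25-bit keyed tag) and the MSS table are assumptions made for illustration, not a specific OS implementation.

```python
import hashlib
import hmac
import secrets

SECRET = secrets.token_bytes(16)     # per-server secret (constructed; real stacks rotate it)
MSS_TABLE = [536, 1220, 1440, 1460]  # MSS values the 2-bit index can encode (assumed layout)

def _tag(src_ip, src_port, dst_port, t):
    """25-bit keyed hash over the 4-tuple and the time counter t."""
    msg = f"{src_ip}:{src_port}>{dst_port}|{t}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & 0x1FFFFFF

def make_syn_cookie(src_ip, src_port, dst_port, mss, t):
    """ISN for the SYN-ACK: 5 bits of counter | 2 bits of MSS index | 25-bit tag. Nothing stored."""
    mss_idx = max([i for i, m in enumerate(MSS_TABLE) if m <= mss], default=0)
    return ((t & 0x1F) << 27) | (mss_idx << 25) | _tag(src_ip, src_port, dst_port, t)

def check_syn_cookie(src_ip, src_port, dst_port, ack_num, now):
    """Validate the client's ACK; return the recovered MSS or None. Accepts counter now or now-1."""
    isn = (ack_num - 1) & 0xFFFFFFFF
    for t in (now, now - 1):
        if (t & 0x1F) == isn >> 27 and _tag(src_ip, src_port, dst_port, t) == (isn & 0x1FFFFFF):
            return MSS_TABLE[(isn >> 25) & 0x3]
    return None

def flood_then_connect(cookies, n_bots=1000, capacity=256, port=80):
    """Bots send SYNs and never ACK; then one legitimate client tries a full handshake.
    Returns True if the legitimate client gets established."""
    half_open = {}                     # stateful mode: (ip, sport) -> ISN, bounded by capacity
    t = 1000                           # coarse time counter (e.g. 64-second units)

    def on_syn(ip, sport, mss):
        if cookies:
            return make_syn_cookie(ip, sport, port, mss, t)   # no table entry at all
        if len(half_open) >= capacity:
            return None                                        # table full: SYN dropped
        half_open[(ip, sport)] = isn = secrets.randbits(32)
        return isn

    def on_ack(ip, sport, ack_num, now):
        if cookies:
            return check_syn_cookie(ip, sport, port, ack_num, now) is not None
        isn = half_open.pop((ip, sport), None)
        return isn is not None and ack_num == (isn + 1) & 0xFFFFFFFF

    for i in range(n_bots):            # spoofed sources, constructed; they never send the ACK
        on_syn(f"10.0.{i // 256}.{i % 256}", 40000, 1460)
    isn = on_syn("192.0.2.7", 51515, 1460)
    return isn is not None and on_ack("192.0.2.7", 51515, (isn + 1) & 0xFFFFFFFF, t + 1)
```

Run `flood_then_connect(False)` and `flood_then_connect(True)` to see the stateful server drop the legitimate SYN once its table is full while the cookie-based server still completes the handshake.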