DoS Attack Classification

Dos Attack

DoS Attack Classification – There are two main kinds of attacks: denial-of-service attacks and distributed denial-of-service attacks. In distributed denial-of-service attacks, multiple compromised systems are coordinated in an attack against one target.

DoS Attack Classification

There are different ways to carry out denial-of-service attacks. Although there are many exploits used by attackers, the basic objectives remain the same: bandwidth consumption, network connectivity, or the destruction of configuration information.

The following are representative types of denial-of-service attacks:

• Smurf
• Buffer overflow attack
• Ping of death
• Teardrop
• SYN flood

DoS Attack Classification

Smurf Attack

The smurf attack is a network-level attack against a host. It is named after its exploit program. The attacker sends a large amount of ICMP echo (ping) traffic to IP broadcast addresses with a spoofed source IP of a victim. If the routing device delivering traffic to those broadcast addresses accepts the IP broadcast, hosts on that IP network will take the ICMP echo request and will each reply to it with an echo reply, multiplying the traffic by the number of hosts that are responding. On a multiaccess broadcast network, there could potentially be hundreds of machines replying to each packet, overwhelming the victim’s network connection.

A fraggle attack uses UDP echo packets in the same fashion as the smurf attack uses ICMP echo packets. IRC servers and their providers are the most common targets of smurf and fraggle attacks.

Smurf attacks affect two parties: the intermediary (broadcast) devices and the spoofed address target. The victim is the target of the large amount of traffic that the broadcast devices generate.

Assume a colocated switched network with 100 hosts. The attacker sends a 768-kbps stream of ICMP echo packets, with a spoofed source address of the victim, to the broadcast addresses of the bounce sites.

These ping packets hit each bounce site’s broadcast network of 100 hosts. Each of them takes the packet and responds to it, creating 100 outbound ping replies. As a result, 76.8 Mbps of network traffic heads to the victim.

DoS Attack Classification

Buffer Overflow Attack

The buffer overflow attack is one of the most common kinds of DoS attacks. A buffer overflow attack is a type of attack that sends excessive data to an application that either brings down the application or forces the data being sent to the application to be run on the host system. It is used to crash a vulnerable system remotely by sending excessive traffic to an application.

Sometimes, attackers are also able to execute arbitrary code on the remote system via a buffer overflow vulnerability. Sending too much data to the application overwrites the data that controls the program, and the hacker’s code is run instead.

Examples of attacks based on the buffer characteristics of a program or system include:

• Sending e-mails that have attachments with 256-character file names to Netscape and Microsoft mail programs
• Sending huge Internet Control Message Protocol (ICMP) echo requests, known as the ping of death
• Exploiting vulnerabilities in FTP and IIS servers using the list command, either as an authenticated user or via anonymous FTP, to crash the server.

Ping of Death Attack

In the ping of death attack, an attacker deliberately sends an ICMP echo packet of more than the 65,536 bytes allowed by the IP protocol. Packets sent over TCP/IP can be broken down into smaller segments and reassembled at the destination. Attackers can take advantage of this feature by sending a packet of more than 65,536 bytes broken up into segments. Many operating systems do not know what to do when they receive an oversized packet, so they freeze, crash, or reboot.

Ping of death attacks are dangerous because it is easy for the attacker to spoof his source address. Also, the attacker does not need to know anything about the machine that he or she is attacking except its IP address.

By the end of 1997, operating system vendors had prepared patches to avoid the ping of death. Several Web sites block Internet Control Message Protocol (ICMP) ping messages at their firewalls to avoid any future problems with this type of DoS attack.

Teardrop Attack

Internet Protocol (IP) requires that a packet that is too large for the next outgoing router interface to handle be broken up into fragments. Attackers can exploit this vulnerability to launch a denial-of-service attack. The fragment packets contain an offset value that enables the entire original packet to be reassembled by the receiving system. In a teardrop attack, the attacker manipulates the offset value of the second or latter fragment(s) to overlap with a previous fragment. The receiving system is not able to reassemble the packet and may crash, hang, or reboot.

This type of attack has been around for some time, and most operating system vendors have patches available to guard against this sort of malicious activity.

The Unnamed Attack

The unnamed attack is a variation of the teardrop attack that attempts to cause a denial of service to the victim host. In this case, rather than overlap, the packet fragments have gaps between them. The attackers manipulate the offset value so that there are parts of the fragments that are skipped. Some operating systems may behave unreliably when this exploit is used against them.

SYN Attack

In a SYN attack, the attacker sends a series of SYN requests to a target machine. The attack creates incomplete TCP connections that use up network resources. Normally, when a client wants to begin a TCP connection to a server, the client and the server exchange a series of messages as follows:

  1. A TCP SYN (synchronize packet) request is sent to a server.
  2. The server sends back a SYN/ACK (acknowledgement) in response to the request.
  3. The client sends a response ACK to the server to complete the session setup.

This method is called the three-way handshake method. In a SYN attack, the hacker sends a fake SYN request to the server and when the server sends an ACK to the client, a response ACK is never sent. This leaves the server waiting to complete the connection.


Proper packet filtering is a viable solution. An administrator can also modify the TCP/IP stack. Tuning the TCP/IP stack will help reduce the impact of SYN attacks while still allowing legitimate client traffic through.

Some SYN attacks do not attempt to upset servers, but instead try to consume all the bandwidth of the Internet connection. Two tools to counter this attack are SYN cookies and SynAttackProtect.

To guard against an attacker trying to consume the bandwidth of an Internet connection, there are some additional safety measures that an administrator can implement. For example, decreasing the time-out period for keeping a pending connection in the SYN RECEIVED state in the queue can block such an attack. Normally, a server will retransmit the first ACK packet when no response ACK is sent from the client. Decreasing the time of the first packet’s retransmission, decreasing the number of packet retransmissions, or turning off packet retransmissions entirely can erase this vulnerability.

If You Like This Please Comment Down And For More Hacking Content Click Here

Related posts

Leave a Comment