
DISTRIBUTED DENIAL OF SERVICE ATTACKS

Sarah Reecy
Florida State University
sr10@my.fsu.edu

Abstract
Denial of Service Attacks are common attacks meant to disrupt access to a server. They function
by flooding a server with packets beyond its capacity to handle. Their purpose is to disrupt or end
service to a machine. Large DoS attacks, such as distributed denial of service attacks, can affect
entire networks. Any machine on a network that can receive packets can be affected by a DoS
attack. DoS attacks can be repelled through some techniques, such as blocking the source address
or rate limiting. Overall, they are very difficult to prevent or mitigate and will frequently disrupt
server access, making them very effective at their purpose. Fortunately, these attacks do not
normally allow a hacker access to the system. This means that information within a server is
usually still secure, if inaccessible, during a DoS attack.
Keywords: denial of service attacks, DoS

Introduction
Distributed Denial of Service (DDoS) attacks are one of the most common attack types in modern times. They are a
type of Denial of Service (DoS) attack distinguished by the geographic diversity and number of machines involved
in the attack. They work by flooding a server with requests far beyond its capacity to process, which causes
slowed performance and can even make the server inaccessible. They affect not only the target server but much of
the traffic on the network. While there are many potential motivations for this type of attack, they are all the same in
intent: to disrupt access to a network, device or service by flooding it with more requests than it can reasonably
handle.
Recently in the news, the major web hosting service Namecheap was the victim of a DDoS attack. The attack was
very large, about 100Gbps, and is one of the largest DDoS attacks ever seen. These loads were significantly greater
than the typical use the Namecheap servers see. As a result of the attack on February 20th, 2014, the 300 affected
servers all experienced either slowed performance or simply became unavailable to any actual site requests (Kerr).
This was significant as Namecheap is the hosting service for many websites, and many of those sites were affected.
On February 11th, 2014, there was also a record-breaking attack against Cloudflare, a European security provider and
content delivery network. The attack was the largest ever seen, with over 400 Gbps at its height (Musil). According to
Krebs on Security, attacks from 200 to 400 Gbps are becoming the new normal. Such large attacks are going to place
enormous strain on networks. If a network is not equipped to handle floods of up to 400Gbps, then it will go down.
Team A was given a network of five machines to protect from outside intrusion. A secondary objective was to test
the network security of competitor teams. The final objective was to model the attack type of the project, in this
case Denial of Service attacks. The tools given to Team A allowed for simple access to vulnerable systems, as well
as opportunities to practice system penetration and defense. The network was configured for the best protection
using tools such as Security Onion, Uncomplicated Firewall (ufw) and HoneyBot. Team A was able to demonstrate
malicious attack activity against other teams while actively defending their network against undesired use. The
scope of this paper covers DoS prevention, detection, mitigation, botnets, and models of the two main attack types,
DoS and DDoS.

Literature Review
Denial of Service attacks are one of the most common types of attack in the modern age. They are easily
perpetrated, rarely expose system files and can be difficult to trace when done properly. A DoS attack is unique in

Florida State University iSchool

Denial of Service Attacks

that the actions of the individual being attacked do not mean very much in terms of prevention. The problem is
caused by the insecurities inherently designed into the world wide web. Since each device that interacts with the
internet must communicate with packets from other devices on the network to do so, all systems on the network are
vulnerable to this type of attack. Malicious sources are given equal access to routing pathways because it is almost
impossible to distinguish malicious traffic from legitimate traffic when en route, given that source information can
be spoofed and that there may be multiple sources.
Regardless of how well secured the victim system may be, its susceptibility to DDoS attacks depends on the state
of security in the rest of the global Internet (Mirkovic, Reiher 2004).
There is no real way to prevent all DoS attacks (US-CERT); however, devices that are not on a network cannot be
attacked. It is significantly rarer for a device isolated from the internet to ever be attacked. The typical DoS attack
simply floods a router or server with packets. Processing the flood of information causes the device to slow or,
depending on the size of the attack, to stop entirely. These basic attacks are not the only type of DoS. There are
many different variables that can be used to categorize attacks, such as victim type, attack rate and attack method
(Mirkovic 2004).
Distributed Denial of Service (DDoS) attacks are the most common type of DoS. These attacks send packets from a
network of agent machines, which typically form a large botnet. The owners of the agent machines may not
realize they are participating in a DDoS attack or even that they are infected. This means that it is very difficult, if
not impossible, to distinguish malicious traffic from benign, because it is from a variety of addresses and not a single
malicious source. These attacks have many machines sending a flood of packets to one target. This large volume of
packets is what affects the victim network. A DDoS-like effect is observable after a small site has been featured on a
larger media outlet, such as on the front page of Reddit or on the Colbert Report. Frequently, the traffic to the
smaller site is entirely benign; however, the demand on the servers is so great that it resembles a DDoS attack.
Application level attacks are DoS attacks that exploit a known vulnerability in order to consume more system
resources such as memory. Buffer overflow is a common type of system vulnerability that can be exploited in DoS
attacks to further impede system use. Buffer overflow exploits take advantage of poor coding to access adjacent data
on the stack. If a DoS attack uses a buffer overflow exploit, then it can possibly do something such as write to the
system repeatedly, filling the memory of the affected system and straining the entire system. Attackers can also use
an application level attack simply to prevent legitimate users from being able to access a service. If an authentication
application is being DoSed but the server still has resources available, then other services such as ICMP ECHO
requests should still function. These types of attacks are normally smaller and harder to detect (Mirkovic 2004).
DNS amplification attacks are a type of DoS attack that uses publicly accessible DNS servers to send DNS
responses to a server using a spoofed address. The source address of the queries is spoofed to be that of the target,
so the DNS servers' replies are routed back to the target. Attackers try to make the replies sent to the target as large
as possible so that the target is overloaded as quickly as possible. The US Department of Homeland Security
suggests source IP verification and disabling or limiting recursion on name servers; however, there are very few
ways to mitigate an amplification attack in progress.

Research Based Network Solutions


Most defenses against DoS attacks are based in network topology. They frequently involve having the routers
identify the pathways and routes that malicious traffic is taking and throttling it. This affects benign traffic as well
as malicious, so these solutions are imperfect (Mirkovic, Prier, Reiher, 2002). Systems such as D-WARD can be
effective, but they must be installed on perimeter routers. D-WARD creates a statistical baseline of traffic and will
rate-limit traffic if it vastly exceeds that baseline; however, this system has a weakness against UDP traffic, which
does not provide acknowledgement of receipt.
Statistics based rate-limiting is effective in ensuring that the network is not pushed beyond its hardware capacity;
however, it fails to allow all benign traffic through, so the DoS attack will still be effective in that the service is
down for the people who want to use it. Another possible solution is blocking the source IP, assuming it is not
spoofed.
Proper network configuration is the best defense available against malicious traffic. Having a system that contends
with large amounts of traffic is ideal, but not financially feasible for everyone. In this situation, having a router that

Florida State University iSchool

Denial of Service Attacks

is able to distinguish which other routers are flooding it with traffic is best, because such a router can then
throttle based on the path the traffic is coming from, in a Pushback system (Ioannidis, Bellovin 2002).
Another significant defense is to ensure that routers and servers are configured such that they have fewer exploits.
Name servers that are improperly configured can be exploited by hackers to add these machines to a botnet.
Individual machines can be invaded by malicious programs and used in a DDoS attack when they are least expected.
If every individual does their best to ensure that their device is secure, then there will be fewer devices for hackers to
exploit and use in DDoS attacks, making DDoS attacks less powerful. As populations grow and more people come
online, awareness programs are needed to educate people on the importance of securing their personal machines so
that they cannot be exploited to target other machines.

Lab Settings
For the purposes of this class, a network of virtual machines was used. The network was a private network available
only to students and the Cyber Security Club through Hyper-V. Each group was given a set of five virtual machines
(VM). These five machines each served a different purpose within the network and were intended to represent
different aspects of a functioning professional network. The machines were as follows: Security Onion, Windows 7
with Comodo Firewall, HoneyBot, Kali Linux, and a LAMP server.
The Windows 7 machine is meant to simulate a standard end user on the network, such as an office worker or CEO.
Comodo Firewall is installed to isolate the machine from outside intrusions while still allowing the worker to
complete the tasks necessary for their position. This machine was not used or infected for the semester.

Intrusion Detection
HoneyBot is the honeypot of this system. It functions to capture traffic on the network and to mislead potential
attackers. Any traffic to this machine is actually isolated from the rest of the network, while simultaneously
recording relevant information about the attempted intrusion. One pitfall of this network design is that all the IPs are
shared between groups, so any potential attacker would know to avoid the honeypot because they were
given its IP. When other teams were directed to attack our machine, the traffic was shown. No malicious traffic was
found and no team attempted to load a piece of malware onto our machine.
Security Onion is a Linux distribution that is used as the Intrusion Detection System (IDS) of our network. It was
configured using the setup process that was preinstalled with the system. Security Onion offers a suite of tools that
make it very powerful as an IDS. Each tool is logged into and is supposed to monitor the activity of the entire
network. Sguil shows all attacks on the system. In this lab setting, it was configured to monitor all traffic on the
network. Unfortunately, our team was never able to change any of the rule settings within the Security Onion
suite in order to make full use of the tools. Sguil was able to detect the large traffic influx from DoS attacks on the
network, as they were plentiful enough to be distinguished from the background noise that was not filtered out. A
more subtle attack would not have been as easily noticed.

Web Server
The web server is the most critical part of the entire assignment. It runs on a LAMP server, which is a Linux server
with Apache2, MySQL and PHP. It must be secure from outside attack while simultaneously available to website
viewers. This security was assured mostly through the Uncomplicated Firewall (ufw) that is available by default in
LAMP servers. The firewall was set to deny all traffic that is not through port 80. The firewall was effective, as
Team B announced in class that it had deterred them from attacking us in favor of more vulnerable targets.
The website is a WordPress site, which is based on PHP. It has its own database and user in MySQL. Some WordPress
sites can be vulnerable to SQL injection. In case our team did not fully secure our machine, the specific
WordPress user was meant to provide a degree of separation between WordPress and root control of the database.
Our team also installed security plug-ins at the application level. Immediately after installation, a plugin was
installed that limited login attempts by IP. This was to prevent dictionary attacks from other teams. If a user had
more than three failed passwords they had to wait an hour to try to log in again. The admin user on the website is
also different from the admin name for the rest of the machine, because that admin name is known to the entire
class. This was so that potential attackers would have to guess both the administrator username and password. The
settings on the WordPress site were changed so that any new users created can only view the site; they cannot create,

Florida State University iSchool

Denial of Service Attacks

update, delete or in any way alter files. These changes were meant to secure the website itself from intrusion, since
the firewall makes everything but the website harder to access.
This server hardening has made the server more difficult to access from the outside, but has had one significant
downside. Our website does not easily allow for updates and each plugin and theme must be installed manually. We
fell victim to the white screen of death whenever an application needed to update and our website had to be
reinstalled. The firewall also had to be taken down any time an update needed to be downloaded, including server
updates. This is not the recommended way to run a web server, but it was the most secure way. If no traffic could
get through, other than port 80, the machine was secure but not very functional.

Kali Linux
Kali Linux is meant to be the offensive tool of the network. It offers many tools, including tools that have DoS
capability. Tools such as nmap were used to probe the networks of other teams, as well as to check for
vulnerabilities within our own network. For example, nmap was used to discover that Team C left port 22 open on
their web server. This vulnerability would have been harder to discover without tools such as nmap.

Figure 1: nmap example


Recently in class, Team C accidentally exposed their password in plain text to a room full of people who wanted to
break into their machines. They did not change their password immediately afterwards and so their machine was
incredibly vulnerable to outside attacks. This vulnerability, combined with the open ssh port, allowed for the system
to be easily penetrated. After using this vulnerability to get root access, I decided to create another admin user
account on their machine called admin. This was to ensure that if they later changed their password, Team A
would continue to have root access to their machine with minimal effort. This allows us to make the changes we
desire while not taking any system resources. All this was done through the ssh shell in Kali Linux.
Kali Linux was also used to model both a Denial of Service attack and a Distributed Denial of Service attack.
Slowloris was used to flood packets at a target in a DoS attack. This resulted in a slowdown of service to the target. A
Distributed Denial of Service attack was modeled through cooperation with Team C. Using our two Kali Linux
machines, we were able to provide multiple attack vectors from which to attack a single machine. This would make
our attack distributed in the most basic sense of the word; however, we were unable to model a botnet style attack or
an attack where the devices are all on different networks.

Threat Type
Denial of Service attacks are simple to generate within the lab setting; however, they are limited in their power. The
teams are all given only one machine with which to attack other machines. The most powerful DoS attacks use
entire networks of machines to attack a victim. We were limited to only the Kali Linux VM. Since all the machines
are on the same network, getting the IP of the machine to infect was very simple. Deciding what type of DoS attack
to attempt to initiate was important, because the strength of a DoS normally relies on the number of attack machines.
An application level attack is the most dangerous on this small scale, because the environments are so similar
between teams meaning attackers would have more knowledge of potential exploits. In this situation, the best
consideration was to try to find a DoS attack that would use some sort of exploit, such as a buffer overflow exploit.
Unfortunately, a suitable exploit was not found in conjunction with a DoS attack, so that could not be modeled
within this network. This serves to demonstrate the high level of security the teams had established within their

Florida State University iSchool

Denial of Service Attacks

networks and machines. Even if DoS attacks do not typically reveal information, they are still a direct threat to the
functionality of the network and its services.
Kali Linux was used by this team to simulate a small DoS attack on Team C's machine. This was done using
slowloris, which is a simple program that will flood packets to an IP. This worked by sending as many packets as
possible in a round and then resting, as seen in Fig. 2. The access to their website was slowed during the attack
because system resources were being consumed by bursts of over 4000 packets every few seconds.

Figure 2: Slowloris in action


In the log files, a DoS attack would be obvious. It would be an atypically large influx of packets to the system,
generally with a corresponding uptick in system resource use. The specific log information might change depending
on the type of attack, such as the source IP. It would be impossible for an attacker to hide a DoS attack, since the
point of such an attack is the visible degradation of resources.
DDoS attacks can be very large in scale. While slowloris only provides 4000 packets a burst, the author has
witnessed attacks of over 4 billion packets a second. This attack occurred in the South East Collegiate Cyber
Defense Competition and was conducted by Red Team members against the Florida State team. The team was not
able to conduct any defense actions against the attack given the constraints we were under; however, seeing an attack of that
magnitude was impressive and had a heavy effect on our services.

Botnets
Botnets are a popular tool for performing a DDoS attack. In many cases, it would be difficult or impossible for the
attacker to coordinate multiple DoS attacks across several machines individually. Due to physical limitations, it
would not be possible for an attacker to go to every machine and start the DoS attack, especially given the large
number of machines required to generate the number of packets seen in major attacks today. What an attacker does
to get around this is to create a botnet.
A botnet is a collection of slave machines all silently controlled by one command machine. These machines are used
by the command machine to perform tasks, such as flooding a server with packets. These machines are infected with
malware that allows the attacker to issue secret commands to the device. This piece of malware then attempts to
silently slip past the notice of a user in order for the attacker to retain access as long as possible.
Botnets have many purposes beyond DDoS attacks. They are frequently created by attackers, who are then paid by
people and companies wanting to use the large network of computers for purposes such as spam generation. Someone
can be part of a botnet without knowing, because this malware is mostly meant to silently wait for commands. The
malware that lets the attacker in is commonly some type of Trojan.

Florida State University iSchool

Denial of Service Attacks

The malware behind botnets relies on 3 components: a database, a command center and an infected machine. There
are two types of botnet, HTTP and IRC. These types are distinguished by how command centers communicate with
infected machines. IRC bots communicate with the command center using a hidden IRC channel. HTTP is the most
popular type, with popular bots such as Zeus falling into this category. These bots use HTTP to communicate with the
command center.
Zeus was a very common type of botnet malware that is now available open source online for educational purposes
(Visgean). First, an attacker must set up a web server and database. For this class, a XAMPP server was used with
Apache and MySQL. The source code for Zeus must then be compiled for it to run, which was not possible in our
network as Kali Linux does not work with Visual Studio, which is required to compile Zeus. If the code had been
able to be compiled, then Zeus would have been installed onto the web server and then used to build the initial piece
of malware. The malware must be built to fit the specifics of the command machine. In this way, slave machines
will know which device to report to.
After the malware has been constructed, it simply needs to be distributed. There are many potential distribution
methods, including phishing and driveby download. Most of these methods require some sort of social engineering
and are effective enough that large scale botnets are not uncommon. Regardless of how the malware is distributed,
once it is installed on a user's machine it will then send a packet back to the command center informing command of
its success. The machine then opens a port to listen for commands on.
A botnet can only be created if the malware is broad enough and distributed well enough to infect multiple
machines. Botnets rely on the success of the Trojan horse malware products they are commonly wrapped in to
succeed. These bots are then commonly used to steal information from infected machines and to send it back to
command.
The command center can then send tasks to the slave machines using a PHP GUI that runs on the web server
portion. The database back end is used to document all the slave machines, which can number into the tens of
thousands. Commands are sent out to the slave machines using predefined options, including denial of service attack
directives.

Botnets and Distributed Denial of Service Attacks


The crux of a DDoS is the distributed factor. If only a single machine is used for the attack, then it is limited to the
capacity of that one machine and one IP, which could be easily blocked through a simple firewall configuration. The
strength of a DDoS attack is not only in the number of packets it can overwhelm a system with, but in the range of
IPs that are attacking a system. A botnet has the advantage of not only a wide number of attack vectors, but also a
wide range of IPs. If the IPs are not even on the same network then they cannot be distinguished from
genuine traffic, which makes blocking them almost impossible. In many cases, the victim has no choice but to wait
for the attack to stop.
Due to the fact that botnet generated malicious traffic cannot be distinguished from benign traffic, victims are often
forced to throttle all their traffic in order to keep services functional. This means that authorized traffic would be
dropped alongside malicious traffic. This renders the service unusable for many, emphasizing the name Denial of
Service. In 2010, a botnet could be rented for $9 an hour, with predictions that it would only grow cheaper as time
went on (Danchev). DDoS attacks are known as one of the simplest types of attacks to commit, because they are so
easy to initiate with minimal effort. If a tee shirt sales company knocks a competitor offline long enough to sell a
single $20 shirt, then the company has already recouped their losses for likely less than the cost of shipping that shirt
to the customer. The cheap cost of access makes the tools for these sorts of attacks available to many people;
consequently these attacks will remain very common.
With the use of a botnet, a DDoS attack can be very easy to conduct for anyone, especially if they do not even need
to build the malware to do it. If anyone can rent a botnet, they can easily attack most sites. Sites without a load
balancing system or firewall are especially vulnerable to these sorts of attack. ISPs and end users alike need to focus
on ways to mitigate these attacks, because it is very difficult to stop them once they are in progress and the
number of infected slave machines will only grow.

Florida State University iSchool

Denial of Service Attacks

Prevention
Prevention is the most critical component of Denial of Service handling. This affects all users on the internet, not
only system administrators. There is much more that can be done to prevent a DoS attack from happening than to
secure a machine against DoS attacks. The only way to be entirely certain that a machine cannot be DDoS attacked
is to disconnect it from the internet or even any network. This means it is most critical to properly configure
machines in order to ensure that they are not used maliciously and exploited against other users.
Distributed Denial of Service attacks are common because they are easy to commit. Preventative measures in the
form of firewalls and proper device configuration are critical.
Proper machine configuration is the first step in preventing DDoS attacks. This goes from the end users on
workstations all the way to DNS servers. Even those who are not information professionals need to be involved,
because their machines can be vulnerable to infection and then recruited into a botnet unknowingly. One important
thing to note is that this proper configuration and security initiative cannot be limited to the United States. Many
infected machines exist outside the US and, due to the worldwide nature of the web, they can attack from anywhere
to anywhere. Machines need to be kept patched and secure, especially vulnerable Windows machines. If possible,
users should discontinue use of machines which are not supported, such as Windows XP.
There are many steps an individual client can take to ensure that their machine is not implicated in a botnet or DDoS
attack. Up-to-date virus protection is vital in order to prevent users from being infected by the malware that attackers
rely on to create botnets. Users should try to avoid social engineering schemes and be suspicious of links, because
these can commonly infect vulnerable machines with malware. A host-based firewall with rules configured to deny
suspicious connections and open ports would also be effective. Botnets rely on having an open port to listen for
commands on. If that port is closed by a firewall rule then the command center cannot order the machine to begin a
DoS or to steal information off of that machine. A botnet cannot exist if no machines are infected with the malware.

DNS Configuration
Proper device configuration also includes DNS servers. A misconfigured DNS server can be a powerful tool in the
hands of a malicious user. They can use this server for reflection or amplification attacks, both of which
dramatically increase the amount of packets directed at a router. There are many poorly configured routers out there
already, but in order to prevent further misuse administrators should update their routers and ensure that they are not
configured to be vulnerable to misuse. That means they should not allow unrestricted recursive resolution, as this is
the most common vulnerability. Network administrators might also want to consider response rate limiting as
another preventative measure (US-CERT). Below are the Department of Homeland Security's configuration tips for
disabling recursion on authoritative name servers using BIND9 and Microsoft DNS Server.

Florida State University iSchool

Denial of Service Attacks

Figure 3: Configuration Recommendations


Disabling recursion prevents attackers from spoofing the IP of the attack packets to cause an attack loop between the
misconfigured DNS server and the target. This can be easily fixed with proper configuration; however, it is
commonly missed as a small step in server installation. This needs to be remedied in order to secure the machine and
make the internet safer as a whole.
Recursion can also be limited to authorized users, which would prevent malicious users from exploiting the server in an
unauthorized manner. Below is the configuration which can be used in BIND9 to limit recursion to authorized users.
acl corpnets { 192.168.1.0/24; 192.168.2.0/24; };
options {
allow-query { any; };
allow-recursion { corpnets; };
};
BIND9, the DNS server, allows response rate limiting as well. This can be used to limit the number of responses a
DNS server sends out if they are beyond a certain threshold. This will limit all traffic, not just malicious traffic, but
functions as a whole to make the internet a safer and more secure place. Below are the lines that need to be added
to the BIND9 configuration in order to enable rate limiting.
rate-limit {
responses-per-second 5;
window 5;
};
These configurations are very simple steps that can be taken to ensure the security of the web against Reflection and
Amplification Attacks. They are easy to overlook; however, they are critical in the fight against DoS attacks.
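As an added example (not from the paper, and not BIND's own tooling), the following Python script audits a named.conf fragment for the two settings discussed above: it resolves acl names used in allow-recursion, reports whether recursion is open to any address, and reads responses-per-second from the rate-limit block. The sample configurations are constructed, and the script assumes rate-limit is written inside the options block, as in BIND 9.9 and later.

```python
"""Audit a BIND9 named.conf fragment for open recursion and response rate limiting.

Added example, not part of the original paper. It reads the directives the paper
quotes (acl, allow-recursion, rate-limit) and reports whether the server would
answer recursive queries for anyone, which is what makes it usable for reflection.
"""
import re

# Constructed sample: an authoritative server left answering recursion for the world.
OPEN_RESOLVER_CONF = """
options {
    directory "/var/cache/bind";
    allow-query { any; };
    allow-recursion { any; };
};
"""

# Constructed sample: recursion limited to an ACL and responses rate limited.
# Assumption: rate-limit is written inside options, as in BIND 9.9 and later.
HARDENED_CONF = """
acl corpnets { 192.168.1.0/24; 192.168.2.0/24; };
options {
    allow-query { any; };
    allow-recursion { corpnets; };
    rate-limit {
        responses-per-second 5;
        window 5;
    };
};
"""

# Address-match entries that mean "everyone"
WORLD = {"any", "0.0.0.0/0", "::/0"}


def strip_comments(text):
    """Remove /* */, // and # comments so they cannot hide or fake a directive."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def block_body(text, header_re):
    """Return the text between the braces of the first block whose header matches, else None."""
    m = re.search(header_re + r"\s*\{", text)
    if not m:
        return None
    depth, i = 1, m.end()
    start = i
    while i < len(text) and depth:
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
        i += 1
    return text[start:i - 1]


def address_list(body, directive):
    """Entries of `directive { a; b; };` inside body, or None when the directive is absent."""
    inner = block_body(body, r"\b" + re.escape(directive))
    if inner is None:
        return None
    return [tok.strip() for tok in inner.split(";") if tok.strip()]


def audit(conf):
    """Summarise recursion exposure and rate limiting for one named.conf text."""
    text = strip_comments(conf)
    acls = {m.group(1).strip('"'): [t.strip() for t in m.group(2).split(";") if t.strip()]
            for m in re.finditer(r"\bacl\s+(\S+)\s*\{([^}]*)\}", text)}
    opts = block_body(text, r"\boptions") or ""
    rec = re.search(r"\brecursion\s+(yes|no)\s*;", opts)
    recursion_enabled = rec is None or rec.group(1) == "yes"  # BIND defaults to yes
    allowed = address_list(opts, "allow-recursion")
    expanded = []
    for entry in allowed or []:
        expanded.extend(acls.get(entry, [entry]))  # resolve acl names to their members
    rl = block_body(opts, r"\brate-limit")
    rps = re.search(r"responses-per-second\s+(\d+)\s*;", rl) if rl else None
    return {
        "recursion_enabled": recursion_enabled,
        # None means allow-recursion is unset; BIND then falls back to its built-in default
        "allow_recursion": expanded if allowed is not None else None,
        "open_resolver": recursion_enabled and bool(WORLD & set(expanded)),
        "responses_per_second": int(rps.group(1)) if rps else None,
    }


if __name__ == "__main__":
    for name, conf in (("open", OPEN_RESOLVER_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf))
```

An authoritative-only server is best served by `recursion no;`, which the audit reports as not open regardless of allow-recursion.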

Detection
Distributed Denial of Service attacks can be detected in a couple of ways. The first is an obvious slowdown in service,
especially in terms of access to web sites. The end user will see the site produce errors saying the connection is

Florida State University iSchool

Denial of Service Attacks

unavailable or timed out, commonly resulting in a 404 error. This is the most obvious way for a client to see that the
service they want to reach is being attacked with Denial of Service. If a network administrator notices this slowdown
or receives complaints then they can move on to the second detection mechanism.
The second way to detect such an attack is through monitoring the TCP traffic. A DoS attack by its very nature will
show in traffic logs. This is because it relies on traveling through the networking protocols that machines use to
communicate. Commands such as tcpdump will show all traffic on a network, and a DoS attack will present as an
atypically large number of packets. If there is a great deal of traffic on the network, then an administrator can
suspect DoS as the cause. This is not always true; in some cases there may just be a genuine uptick in traffic to a
network, such as when a site is featured on a popular news outlet. In this case the many interested users will attempt
to visit the site at the same time, flooding it with traffic. This will cause the site to go down and make it unavailable.
This is the effect that DDoS attacks attempt to emulate.
Netstat can be used to show the number of simultaneous connections from a single IP, which is more useful in terms
of DoS attacks than DDoS attacks. This can be used to block the IP in the mitigation phase. A high number of
connections from a single IP or range of IPs may be indicative of a DoS attack. In the mitigation phase, the IP or
network of IPs can then be blocked, or the firewall rules changed to drop all traffic from that network.

Mitigation
As the web stands now, not all networks use best practices when it comes to DDoS prevention. Consequently, DDoS
attacks will still occur and will need to be handled. There are three methods that can be used to deal with this: packet
dropping, firewall configuration, and, on the ISP level, load balancing.
During an attack, a host can simply drop all the incoming packets using a process such as tcpkill. This may mitigate
the attack for a very short amount of time, but within minutes a DDoS attack will have returned to full strength. This
is because no matter how quickly the packets are dropped, a human cannot keep up with hundreds of devices. This
leaves a need for some sort of automated process. If the IP is known or discovered during the Detection phase, then
it can be blocked using IPtables. Rules that enforce rate limiting, especially by IP, can also be effective. So if a rule
is in place that limits the number of simultaneous incoming connections from one device, an attacker might have to
reconsider their plan. This is not as simple when the attack has multiple sources, such as in a botnet based DDoS
attack.
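The netstat-based detection described above and the IPtables blocking and per-IP rate limiting described in this paragraph, as one added example that is not part of the paper. It counts simultaneous TCP connections per remote address from netstat output, emits a DROP rule for sources above a threshold, and adds a connlimit rule; the thresholds, port 80 and the sample netstat lines are assumed values.

```shell
# Added example, not from the paper: count simultaneous TCP connections per
# remote IP from `netstat -nt` output, then block the busiest sources with
# iptables and cap new connections per source. Thresholds are assumed values.

# Read netstat -nt lines on stdin; print "<count> <ip>" for every remote
# address with more than $1 connections, busiest first.
top_sources() {
    limit="${1:-100}"
    awk -v limit="$limit" '
        # rows look like: tcp  0  0  LOCAL:PORT  REMOTE:PORT  STATE
        $1 ~ /^tcp/ && NF >= 6 {
            ip = $5
            sub(/:[0-9]+$/, "", ip)    # strip the remote port
            sub(/^::ffff:/, "", ip)    # IPv4-mapped IPv6 form
            count[ip]++
        }
        END { for (ip in count) if (count[ip] > limit) print count[ip], ip }
    ' | sort -rn
}

# Run an iptables command, or only print it when DRY_RUN is set so the
# rules can be reviewed before they touch a live firewall.
run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

# One DROP rule per flagged source read from stdin, plus a connlimit rule
# that caps simultaneous connections per source on port 80 (assumed service).
block_sources() {
    limit="${1:-100}"
    while read -r count ip; do
        run iptables -I INPUT -s "$ip" -j DROP
    done
    run iptables -A INPUT -p tcp --syn --dport 80 \
        -m connlimit --connlimit-above "$limit" --connlimit-mask 32 -j DROP
}

# Constructed sample of netstat -nt output (not captured from a real host).
SAMPLE='Proto Recv-Q Send-Q Local Address      Foreign Address          State
tcp        0      0 10.0.0.5:80        203.0.113.7:51234        ESTABLISHED
tcp        0      0 10.0.0.5:80        203.0.113.7:51235        SYN_RECV
tcp        0      0 10.0.0.5:80        203.0.113.7:51236        SYN_RECV
tcp        0      0 10.0.0.5:80        198.51.100.2:40001       ESTABLISHED
tcp6       0      0 ::ffff:10.0.0.5:80 ::ffff:203.0.113.7:51237 SYN_RECV'

# Dry run: flag sources with more than 2 connections and show the rules.
DRY_RUN=1
printf '%s\n' "$SAMPLE" | top_sources 2 | block_sources 2
```

Unset DRY_RUN to apply the rules for real; on a live host feed `netstat -nt` into top_sources instead of the constructed sample.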
Rules for a firewall are critical. A firewall is needed to defend your network. If a server is left to defend itself
against a DDoS attack, its host firewall will quickly be overwhelmed. An external firewall, preferably on a router, is
needed. PFSense is one such router, but there are alternatives such as Checkpoint. These routers can be configured
with rules that throttle traffic past a certain point. IPtables is a host-based method of blocking connections; however,
it is of limited success in a DoS situation because the host must use resources to drop the packets. Even if the
resource use is minimal, when a machine is receiving 4 billion packets a minute that adds up to a great deal of
processing power. The downside to traffic throttling is that there is no way to affect only malicious traffic. Benign
traffic will also be affected, but this may be required in order to restore service to your network.
Internet Service Providers frequently deal with DDoS attacks. One method used is load balancing, which distributes
the traffic through the network and allows the burden of the attack to be held up by multiple machines. Load
balancing prevents the client from making contact with the server directly, allowing the server with secure
information to continue functioning as normal. They balance the traffic between several routers, which can allow a
system to continue to provide service to benign traffic. ISPs

Conclusion and Further Implications
Denial of Service attacks are effective tools for disrupting access to a network and services. They are becoming
more powerful as the world becomes more connected. Even small personal devices are at risk if they do not have the
protection of a well-configured network. Every person should take personal responsibility for their own machine,
because an infected machine can be used to affect other machines through botnets. Network administrators should
attempt to upgrade their routers to high serving capacity if possible and preferably to ones with statistical filtering
software. They should always attempt to block vulnerabilities such as unrestricted recursion. Firewalls can also
help networks defend themselves against attack.
Our team demonstrated DoS attacks against another unit through Slowloris. A DDoS was exemplified through the
assistance of Team C, using Slowloris and Metasploit's synflood module. The entire network was configured to
defend the web server, through services such as Security Onion and the Linux firewall. The network could have been
further defended by a firewall, such as PFsense. This technology would have allowed us to more accurately control
what traffic affects our network and web server.
DDoS attacks likely will continue into the future. As long as user machines can be easily infected with malware,
such as Trojans, which will surreptitiously recruit them into large scale botnets, then these attacks can be conducted
with ease. A change in network configuration procedures across the board is required in order to stop these types of
attacks.
Fortunately, these attacks do not commonly cause long-term effects on the target. In extreme situations, they may
cause a system to overheat; however, this is rare. Normally the purpose of these attacks is to deny service, which
can frustrate and annoy, but cannot steal information. Botnets are not exclusive to DDoS attacks and can be easily
used to steal information from the infected. This is not the purpose of a DDoS attack. There is a history of DDoS
attacks being used to mask other attacks. While network administrators are attempting to restore service, attackers
perform other attacks that are aimed at other purposes, such as stealing information.
Overall, this is not a problem with an easy solution. The solution is prevention, and that is difficult because it relies
on the coordination of many users in order to keep all those users safe from DDoS attacks.
