A distributed attack where the goal is to target a system or network out of service by consuming a critical resource.

• Use more client systems to starve the victim of whatever resource you're targeting (commonly bandwidth)
• Become more difficult to mitigate/stop
• Victim may be attacked by many thousands of sources, many of which they might expect to exchange traffic with normally

• Can target all five layers
• Application layer
• Consume appication resources, overload server
• Transport layer
• Exploit TCP or UDP e.g. (TCP SYN attacks)
• Network layer
• Exploit IP, e.g. source routing, IPv6 ND exhaustion
• Data link layer
• Exploit Ethernet, ARP attacks
• Physical layer
• RF interference, cut cables

• Mischiviewous in nature (Fun, fame, etc)
• Tacting for significant national conflicts
• Russia vs Georgia 2008
• Extortion threats by organised crime gangs
• Pay to avoid your service going offline
• Peaceful protest or virtual sit-in
• Revenge attacks

• Low Orbit Ion Cannon (LOIC)
• User joins a voluntary DDoS
• High Orbit Ion Cannon (HOIC)
• Wrapper for HTTP attacks - 'booster' stcripts
• PenTBox
• Slowloris
• Low bandwidth, keeps HTTP sockets open
• Useful for 'surgical' DoS attacks in low bandwidth networks

• Activity could be traced back to your IP address
• Anonimity can be achieved through
• Use ToR (if using TCP) - uses a set of relay nodes to hide the original source of TCP traffic
• Not high performance overlay
• Anonymous VPN service
• Spoof your IP address - particularily for UDP attacks

• Normally an IP packet is sent with the source addres set to an IP address belonging to the sending host
• With a given destination IP address
• In principle you can usually set the IP source address to be any address
• Write own scripts or use tools like Scapy
• In practice you don't do this as you would never get a reply
• If you want to shift blame, then it's appealing

• Usually downloaded, these are malicious inter-connected programs connected with other similar programs in order to perform tasks like sending spam e-mail, DDoS attacks, etc.
• They go undetected.
• May not have much uplink capacity, so attacks via third party are desirable.
• Key logger botnet is stealthy by design.
• Botnet has more value if it can be re-used (Don't generate heavy traffic directly from client)

• Always have to look for a way to exploit third party services to target a victim
• Gain 'free' extra bandwidth/resource
• Especially if the amplification effect can be large
• If designing a protocol or distributed system, you should consider the potential for this
• Less easily traced back to original source
• Especially when participants are an involuntary botnet

• One of the earliest amplification methods
• Ping is sent to destination network broadcast address
• Vicrim IP is the spoofed IP Source address
• All live hosts in the target network will respond
• Causes an amplification attack on the victim
• Relatively easy to configure and avoid
• No genuine reason to let externally sourced traffic into a subnet directed at its broadcast IP address
• Fragile variant used UDP packets instead

• Both IPv4 and IPv6 have an option that allows the sender to specify IP addresses for the packet to route through towards the destination
• At each specified intermediate node, the next node on the path list becomes the destination
• One packet can be made to "ping pong"
• Can thus amplify load on a specific link between two nodes
• Can also be used to circumvent firewalls
• Send packet via allowed destination

• An example of the bad guys looking for more sophisticated 'reflectors'
• Relies on availability of open recursive DNS servers to non-local users
• Such servers will answer external DNS queries for domains other than those belonging to the local site
• And on attacker being able to send DNS requests to those open resolvers, spoofing the IP source address
• Generates a UDP reply to the victim
• Small query, larger response
• The victim is hit by Dns replies to queries it never sent

• Any site/ISP responsible for a domain will operate a DNS service to answer queries for its clients who wish to connect to external services by name
• The DNS-based amplification attack relies on such servers also answering queries form external vlients
• Known as 'open recursive' servers; attackers can then send queries that will be known to generate large replies

• An attacker could equally target any site's DNS servers and send spoofed DNS requests querying domains that that site is actually authoritative for
• This would still cause DNS responses to be sent to the victim
• It's easier though for attackers to build lists of open resolvers that are known to generate large replies to small DNS queries
• Also, a site that disables open resolvers probably also configures rate limiting on DNS responses

• The real core of the problem is the ability of attackers to spoof IP source address, therefore this is one of the best DDoS defences:
• Recommends sites and ISPs to check source addresses
• Drop packets tat cross a firewall/router with a source address that does not belong to site network behind that interface
• Do not let packets from your network that do not have one of your IP addresses as a source address
• Applying BCP38 ensures your site can't be part of such an amplification attack
• May be applied by a site and/or its upstream ISP
• But many ISPs/sites still don't do this (55%)

• Running multiple instances on the same server/service, on the same IP address
• The routing system leads clients accessing the service to the nearest instancel every router still only has one best route to destination network/service
• Still 1:1 communication but the load is distributed
• Useful for content distribution networks (CDNs) and indirectly spread DDooS load
• Provides resilence for the root DNS servers

• Spread your service using anycast
• Black holding, sink holding, upstream by your ISP
• Has implications if DDoS comes from systems you might normally exchange traffic with
• Filtering traffic with spoofed source addreses; BCP38
• Not running open recursive DNS resolvers
• Rate limiting - e.v. Response rate limiting on DNS
• Hardware accelerators, application preprocessors
• Darknets; monitor/detect randomly spoofed IP addreses