CEH Denial of Service Attack Methods
AI-Generated Content
Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks remain a fundamental threat to network and service availability, making them a critical area of knowledge for any Certified Ethical Hacker (CEH). Understanding these attacks is not just about recognizing how to disrupt services but, more importantly, about architecting robust defenses and responding effectively to incidents.
Understanding the Core: DoS vs. DDoS
A Denial of Service (DoS) attack is any malicious attempt to disrupt the normal traffic of a targeted server, service, or network by overwhelming it with a flood of illegitimate traffic. The key characteristic is that the attack originates from a single machine or a small number of machines. A Distributed Denial of Service (DDoS) attack, however, achieves the same goal by leveraging a multitude of compromised devices, often globally distributed, to generate attack traffic. This distribution makes DDoS attacks far more potent and difficult to mitigate, as the traffic comes from many legitimate-looking sources simultaneously.
The compromised devices used in a DDoS attack form a botnet—a network of hijacked computers, IoT devices, or servers controlled by an attacker (the "bot-herder"). Botnets are typically created through malware infections and are rented out or used to launch large-scale attacks. The shift from DoS to DDoS represents the evolution of these attacks from targeted nuisances to powerful tools capable of crippling major corporate and governmental infrastructure.
Categories of DoS/DDoS Attack Techniques
Attack methods are broadly classified by the layer of the OSI model they target and their mechanism of operation. For the CEH, you must be fluent in three primary categories.
1. Volumetric Attacks
These are the most brute-force attacks, aiming to consume all available bandwidth between the target and the wider internet. They generate massive traffic volume to saturate the network pipe. A classic example is a UDP flood, where the attacker sends a high volume of User Datagram Protocol (UDP) packets to random ports on the target. For each datagram the target checks for an application listening on that port, finds none, and replies with an ICMP "Destination Unreachable" (port unreachable) message, so both the inbound flood and the outbound replies consume its bandwidth and processing capacity. Volumetric attacks are measured in bits per second and commonly reach gigabits or terabits per second.
2. Protocol Attacks
Protocol attacks (or state-exhaustion attacks) focus on consuming the connection state tables and resources of network infrastructure such as firewalls, load balancers, and web servers. They exploit weaknesses in the protocols themselves. The most famous example is the SYN flood, a TCP attack. In a normal TCP handshake, a client sends a SYN packet, the server replies with SYN-ACK and reserves memory for the connection, then waits for the final ACK. In a SYN flood, the attacker sends a barrage of SYN packets, often with spoofed source IPs, and never sends the ACK replies. This leaves the server with an overwhelming number of half-open connections (in the SYN-RECEIVED state), exhausting memory and preventing legitimate connections.
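The two flood patterns described in the volumetric and protocol sections above differ in what they leave behind at the target: a UDP flood shows up as one source spraying many destination ports, a SYN flood as a large number of SYNs whose sources never complete the handshake. The following detection logic, written as an added example and not taken from the CEH material, runs over a constructed inbound packet summary and flags both patterns; the thresholds, the sample addresses (documentation ranges) and the `Pkt` record layout are all assumptions for this example.

```python
"""Flag UDP-flood and SYN-flood patterns in a packet summary.

Added example, not part of the CEH material above. Packet records are
constructed inline to resemble a simplified inbound capture summary seen
from the target server; all thresholds are assumptions for this sample.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Pkt:
    ts: float        # seconds since capture start
    proto: str       # "TCP" or "UDP"
    src: str         # source IP as seen by the target
    dport: int       # destination port on the target
    flags: str = ""  # TCP flags: "S" = SYN only, "A" = ACK set, "PA" = PSH+ACK


def build_sample():
    """Constructed traffic: one legitimate client, a SYN barrage, a UDP spray."""
    pkts = [
        # Legitimate client: SYN, then the final ACK, then data (handshake completes).
        Pkt(0.00, "TCP", "10.0.0.5", 443, "S"),
        Pkt(0.02, "TCP", "10.0.0.5", 443, "A"),
        Pkt(0.05, "TCP", "10.0.0.5", 443, "PA"),
    ]
    # SYN barrage from 200 different (spoofed-looking) sources; no ACK ever follows.
    for i in range(200):
        pkts.append(Pkt(0.1 + i / 1000, "TCP", f"203.0.113.{i}", 443, "S"))
    # UDP spray from one source to 150 distinct, seemingly random ports.
    for i in range(150):
        pkts.append(Pkt(0.3 + i / 1000, "UDP", "198.51.100.7", 1024 + (i * 7919) % 60000))
    # Ordinary DNS lookups from an internal host, all to port 53.
    for i in range(5):
        pkts.append(Pkt(0.5 + i / 100, "UDP", "10.0.0.8", 53))
    return pkts


def analyze(pkts, window=1.0, syn_threshold=100, half_open_ratio=0.9,
            udp_threshold=100, distinct_port_ratio=0.5):
    """Return a list of findings, one per (window, pattern) detected."""
    findings = []
    by_window = defaultdict(list)
    for p in pkts:
        by_window[int(p.ts // window)].append(p)
    for w, group in sorted(by_window.items()):
        # SYN flood: many pure SYNs, and nearly all of their sources never send
        # an ACK in the same window, i.e. the handshakes are left half-open.
        syn_srcs = {p.src for p in group if p.proto == "TCP" and p.flags == "S"}
        ack_srcs = {p.src for p in group if p.proto == "TCP" and "A" in p.flags}
        syn_count = sum(1 for p in group if p.proto == "TCP" and p.flags == "S")
        half_open = syn_srcs - ack_srcs
        if syn_count >= syn_threshold and len(half_open) / len(syn_srcs) >= half_open_ratio:
            findings.append({"window": w, "type": "syn_flood",
                             "syns": syn_count, "half_open_sources": len(half_open)})
        # UDP flood: a single source sends many datagrams spread over many ports,
        # which is what produces the ICMP port-unreachable churn described above.
        udp_ports = defaultdict(list)
        for p in group:
            if p.proto == "UDP":
                udp_ports[p.src].append(p.dport)
        for src, ports in udp_ports.items():
            if len(ports) >= udp_threshold and len(set(ports)) / len(ports) >= distinct_port_ratio:
                findings.append({"window": w, "type": "udp_flood", "src": src,
                                 "packets": len(ports), "distinct_ports": len(set(ports))})
    return findings


if __name__ == "__main__":
    for finding in analyze(build_sample()):
        print(finding)
```

On the sample, the analyzer reports one `syn_flood` finding (201 SYNs, 200 sources that never acknowledge) and one `udp_flood` finding for 198.51.100.7, while the internal host's five DNS lookups stay below threshold. The half-open ratio is the discriminator that matters: a legitimate traffic surge also produces many SYNs, but its sources go on to complete the handshake. On the mitigation side, SYN cookies let a server avoid allocating state until the final ACK arrives, which is why they are the standard first response to this pattern.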
3. Application Layer Attacks
These are the most sophisticated and stealthy attacks, targeting layer 7 (the application layer). They aim to crash the web server or application by exhausting its ability to process specific, resource-intensive requests. Unlike volumetric attacks, they require relatively low bandwidth, which makes them harder to detect with bandwidth-based monitoring. The quintessential example is Slowloris. This attack works by opening many HTTP connections to the target web server and keeping them open as long as possible. It does this by sending partial HTTP headers and periodically sending small amounts of data to keep the connections alive, never completing the request. This consumes all of the server's available concurrent connection slots, denying access to legitimate users.
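Because a Slowloris client keeps trickling bytes, a plain idle timeout never fires; what catches it is a bound on how long a connection may take to deliver its complete request headers, plus a cap on how many header-incomplete connections one address may hold. The reaper below, an added example rather than code from the CEH material, applies exactly those policies to a constructed connection table; the timeout values, the per-IP cap and the `Conn` record layout are assumptions standing in for what a web server or reverse proxy would be configured with.

```python
"""Reap slow, header-incomplete HTTP connections (Slowloris-style) by policy.

Added example, not part of the CEH material above. Connection records are
constructed inline; the header timeout, idle timeout and per-IP cap are
assumed values standing in for a web server's configuration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Conn:
    conn_id: int
    src: str
    opened_at: float        # seconds
    header_complete: bool   # True once the blank line ending the headers arrived
    last_byte_at: float     # when the client last sent anything


def build_sample():
    """Constructed connection table as of t = 25.0 s."""
    conns = [
        # Three normal clients whose requests are already fully parsed.
        Conn(1, "10.0.0.5", 24.0, True, 24.1),
        Conn(2, "10.0.0.6", 24.5, True, 24.6),
        Conn(3, "10.0.0.7", 24.8, True, 24.9),
        # One genuinely slow client on a poor link: incomplete, but only 3 s old.
        Conn(4, "10.0.0.9", 22.0, False, 24.5),
    ]
    # Slowloris pattern: 250 connections from one source, opened 0.1 s apart,
    # each trickling a header fragment every few seconds so none looks idle.
    for i in range(250):
        conns.append(Conn(100 + i, "203.0.113.9", i / 10, False, 24.9))
    return conns


def select_connections_to_close(conns, now, header_timeout=20.0,
                                max_incomplete_per_ip=20, idle_timeout=60.0):
    """Return {conn_id: reason} for connections the server should drop now."""
    close = {}
    for c in conns:
        # Idle timeout alone misses Slowloris: the client keeps sending fragments.
        if now - c.last_byte_at > idle_timeout:
            close[c.conn_id] = "idle_timeout"
        # Header timeout: request line + headers must be complete within a bound
        # measured from connection open, however often bytes trickle in.
        elif not c.header_complete and now - c.opened_at > header_timeout:
            close[c.conn_id] = "header_timeout"
    # Per-IP cap on connections still waiting for headers; keep the newest ones.
    incomplete_by_ip = defaultdict(list)
    for c in conns:
        if not c.header_complete and c.conn_id not in close:
            incomplete_by_ip[c.src].append(c)
    for lst in incomplete_by_ip.values():
        lst.sort(key=lambda c: c.opened_at)
        for c in lst[: max(0, len(lst) - max_incomplete_per_ip)]:
            close[c.conn_id] = "per_ip_cap"
    return close


if __name__ == "__main__":
    closed = select_connections_to_close(build_sample(), now=25.0)
    print(len(closed), "connections to close")
    for reason in ("idle_timeout", "header_timeout", "per_ip_cap"):
        print(reason, sum(1 for r in closed.values() if r == reason))
```

At t = 25 s the idle timeout closes nothing, the header timeout closes the 50 attacker connections older than 20 s, and the per-IP cap trims the remaining 200 from that address down to 20, for 230 closures in total; the three completed requests and the one slow-but-young legitimate client are untouched. Production servers expose these as configuration (header and body read timeouts, connection limits per client), and the trade-off noted in the pitfalls section applies: too short a header timeout turns away real clients on slow links.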
Amplification and Reflection Techniques
Attackers use clever techniques to magnify their attack power. An amplification attack is one where the attacker sends small requests that generate much larger responses directed at the victim. This is paired with a reflection attack, where the attacker spoofs the source IP address in the request packet to be that of the target victim. The server receiving the request then sends the large response to the victim, not the attacker.
A common vector for this is the DNS amplification attack. The attacker sends a small DNS query (e.g., a request for all DNS records) to an open DNS resolver, with the source IP spoofed as the victim's. The DNS resolver then sends a large DNS response to the victim. With a high amplification factor, a botnet can generate an enormous volumetric attack on a target using relatively little bandwidth from the attacker's own resources.
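Seen from the victim's edge, a reflection flood has a distinctive shape: DNS responses arrive from many external servers for queries the victim never sent, and each response is many times larger than the query that triggered it. The following code, an added example and not part of the CEH material, computes that amplification factor from message sizes and matches inbound responses against outbound queries to isolate the reflected traffic; the `DnsMsg` record layout, the addresses (documentation ranges) and the byte sizes are all constructed assumptions.

```python
"""Spot a DNS reflection flood from the victim's side of the network edge.

Added example, not part of the CEH material above. The message records are
constructed inline to mimic a simplified DNS traffic log at the perimeter;
resolver and reflector addresses are documentation ranges and the sizes are
assumed values.
"""
from dataclasses import dataclass


@dataclass
class DnsMsg:
    ts: float
    direction: str     # "out": sent by our network, "in": received by it
    peer: str          # the external DNS server address
    txid: int          # DNS transaction ID
    is_response: bool
    size: int          # UDP payload length in bytes


def amplification_factor(query_size, response_size):
    """Bytes delivered to the victim per byte spent on the spoofed query."""
    return response_size / query_size


def find_unsolicited_responses(msgs):
    """Responses with no matching outbound query are the reflected traffic.

    A legitimate response matches an outstanding query on (server, txid).
    Reflected responses answer queries we never sent, because the attacker
    spoofed our address on requests to open resolvers.
    """
    pending = set()
    unsolicited = []
    for m in sorted(msgs, key=lambda m: m.ts):
        key = (m.peer, m.txid)
        if m.direction == "out" and not m.is_response:
            pending.add(key)
        elif m.direction == "in" and m.is_response:
            if key in pending:
                pending.discard(key)
            else:
                unsolicited.append(m)
    return unsolicited


def summarize(unsolicited):
    """Volume, rate and number of distinct reflectors in the unsolicited set."""
    if not unsolicited:
        return {"count": 0, "bytes": 0, "reflectors": 0, "bytes_per_s": 0.0}
    span = max(m.ts for m in unsolicited) - min(m.ts for m in unsolicited)
    total = sum(m.size for m in unsolicited)
    return {"count": len(unsolicited), "bytes": total,
            "reflectors": len({m.peer for m in unsolicited}),
            "bytes_per_s": total / span if span > 0 else float(total)}


def build_sample():
    """Constructed perimeter DNS log: three real lookups, then a reflection flood."""
    msgs = []
    # Three ordinary lookups against our upstream resolver, each answered.
    for i, txid in enumerate((1001, 1002, 1003)):
        msgs.append(DnsMsg(i * 1.0, "out", "192.0.2.53", txid, False, 60))
        msgs.append(DnsMsg(i * 1.0 + 0.02, "in", "192.0.2.53", txid, True, 200))
    # Reflection flood: 400 large responses from 40 open resolvers within 2 s.
    for i in range(400):
        msgs.append(DnsMsg(5.0 + i * 0.005, "in", f"198.51.100.{i % 40}",
                           5000 + i, True, 3000))
    return msgs


if __name__ == "__main__":
    print("amplification factor:", amplification_factor(60, 3000))
    print(summarize(find_unsolicited_responses(build_sample())))
```

With the assumed sizes (60-byte query, 3000-byte response) the factor is 50: every byte the attacker sends becomes fifty bytes at the victim. The matching step leaves the three legitimate answers alone and attributes all 400 large responses, from 40 distinct reflectors, to the flood, which is the evidence a team needs when asking its upstream provider to filter inbound UDP/53 from those sources. The same query-matching idea is what stateful firewalls apply when they drop DNS responses that correspond to no outbound query.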
Modern Mitigation and Incident Response Strategies
Defending against these multi-vector threats requires a layered, proactive strategy. For the CEH, understanding defense is as crucial as understanding the attack.
Rate Limiting is a fundamental control implemented on routers, firewalls, and web application firewalls (WAFs). It restricts the number of requests a server will accept from a single IP address over a specified time window. This can be effective against some application-layer attacks and simple volumetric floods but is less effective against large-scale DDoS attacks from distributed botnets.
Traffic Scrubbing is performed by dedicated DDoS mitigation services or appliances. When an attack is detected, all traffic is routed through a "scrubbing center." Here, advanced algorithms and threat intelligence filter out malicious traffic, allowing only clean, legitimate traffic to pass through to the target network. This is essential for mitigating large volumetric and complex protocol attacks.
Content Delivery Network (CDN) Protection leverages a globally distributed network of proxy servers. By serving content from locations close to users, a CDN inherently absorbs some attack traffic due to its massive bandwidth capacity and dispersion. Many CDNs also integrate DDoS mitigation features, spreading the attack load across multiple points of presence (PoPs) and filtering malicious requests before they reach the origin server.
A formal Incident Response Procedure for Service Disruptions is non-negotiable. Your plan should include:
- Detection and Declaration: How to identify an attack vs. a surge in legitimate traffic and declare an incident.
- Mitigation Activation: Steps to activate your DDoS mitigation service, reroute traffic, or implement emergency firewall rules.
- Communication: A protocol for notifying internal stakeholders, upstream providers, and possibly customers.
- Analysis and Post-Mortem: Documenting the attack vectors, duration, and impact to improve future response and hardening.
Common Pitfalls
- Misconfigured Rate Limiting: Setting rate limits too strictly can block legitimate users (a self-inflicted DoS), while setting them too loosely provides no protection. You must baseline normal traffic patterns to set effective thresholds.
- Over-Reliance on a Single Defense: Relying solely on on-premise firewalls or ISP protection is insufficient against modern, large-scale attacks. A hybrid strategy incorporating cloud-based scrubbing and CDN protection is necessary for resilience.
- Ignoring Application-Layer Threats: Focusing only on high-bandwidth volumetric attacks leaves you vulnerable to low-and-slow attacks like Slowloris. You must deploy and tune Layer 7 protections in your WAF or application servers.
- Poor Incident Response Planning: Having no practiced response plan leads to chaos and extended downtime during an attack. Regular tabletop exercises for your incident response team are essential for a coordinated, effective defense.
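The rate-limiting control described under mitigation, and the baselining pitfall above, fit together: the per-IP limit has to come from measured normal traffic, and even a well-tuned limit does nothing against a botnet whose members each stay under it. The sliding-window limiter below, an added example that is not code from the CEH material, derives its threshold from a constructed baseline and then runs three constructed request streams through it; the window length, percentile, headroom multiplier and addresses (documentation ranges) are assumptions a team would replace with figures from its own traffic history.

```python
"""Per-IP sliding-window rate limiting with a threshold derived from a baseline.

Added example, not part of the CEH material above. The baseline and request
streams are constructed inline; window, percentile and headroom values are
assumptions a team would replace with numbers from its own traffic history.
"""
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window_s` seconds from each IP."""

    def __init__(self, limit, window_s):
        self.limit = limit
        self.window_s = window_s
        self._hits = defaultdict(deque)   # ip -> timestamps of accepted requests

    def allow(self, ip, now):
        q = self._hits[ip]
        while q and now - q[0] >= self.window_s:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def baseline_threshold(per_ip_counts, percentile=99.0, headroom=2.0):
    """Threshold = headroom x the given percentile of normal per-IP request counts.

    Setting the limit at, say, twice the 99th percentile of what real clients do
    keeps nearly all legitimate users under it (no self-inflicted DoS) while still
    capping any single source that behaves far outside the norm.
    """
    counts = sorted(per_ip_counts)
    idx = int(round(percentile / 100 * (len(counts) - 1)))
    return max(1, int(counts[idx] * headroom))


def simulate(limiter, requests):
    """requests: iterable of (ts, ip). Returns {ip: [allowed, blocked]}."""
    outcome = defaultdict(lambda: [0, 0])
    for ts, ip in sorted(requests):
        outcome[ip][0 if limiter.allow(ip, ts) else 1] += 1
    return dict(outcome)


# Constructed baseline: requests per 10 s window per client during normal traffic.
BASELINE = [5] * 90 + [12] * 9 + [30]


def build_requests():
    """Three constructed streams sharing one 10 s window."""
    reqs = []
    # Busy but legitimate client: 12 requests over 12 seconds.
    reqs += [(float(t), "10.0.0.5") for t in range(12)]
    # Single aggressive source: 200 requests in two seconds.
    reqs += [(i * 0.01, "203.0.113.9") for i in range(200)]
    # Distributed: 100 bot addresses, each sending 20 requests in the window.
    for b in range(100):
        reqs += [(i * 0.1, f"198.51.100.{b}") for i in range(20)]
    return reqs


if __name__ == "__main__":
    limit = baseline_threshold(BASELINE)
    print("per-IP limit from baseline:", limit)
    result = simulate(SlidingWindowLimiter(limit, 10.0), build_requests())
    bots = [v for ip, v in result.items() if ip.startswith("198.51.100.")]
    print("legit client:", result["10.0.0.5"])
    print("single aggressive source:", result["203.0.113.9"])
    print("bot requests that passed:", sum(v[0] for v in bots), "of", sum(sum(v) for v in bots))
```

The baseline puts the 99th percentile at 12 requests per window, so the limit becomes 24: the busy legitimate client passes untouched, and the single aggressive source is held to 24 of its 200 requests. The third stream shows the limitation the mitigation section states: 100 bot addresses sending 20 requests each all stay under the per-IP limit, and all 2,000 requests reach the server. That is why per-IP rate limiting is paired with scrubbing and CDN absorption rather than used alone.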
Summary
- DoS attacks originate from one or a few sources, while DDoS attacks leverage a distributed botnet for greater scale and complexity.
- Attack methods are categorized as volumetric (consuming bandwidth), protocol (exhausting connection state tables), or application layer (exhausting server processing capacity), with Slowloris being a prime Layer 7 example.
- Amplification attacks, like DNS amplification, use reflection to magnify attack traffic by spoofing the victim's IP address, turning small queries into massive response floods.
- Effective mitigation is layered, combining rate limiting, cloud-based traffic scrubbing, and CDN protection.
- A rehearsed incident response procedure is critical for minimizing downtime and managing communication during a service disruption.