DoS and DDoS Attacks

[!NOTE] This module explores the core principles of DoS and DDoS Attacks, deriving solutions from first principles and hardware constraints to build world-class, production-ready expertise.

1. The Real-World Scenario: The Flash Mob

Imagine running a small, popular bakery. You can comfortably handle 10 customers at a time. Suddenly, 500 people storm your shop. They don’t buy anything; they just ask complex questions about recipes, block the door, and refuse to leave. Legitimate customers can’t get in, and your staff is overwhelmed.

In the digital world, this is a Denial of Service (DoS) attack. When the attackers coordinate and attack from thousands of different cities simultaneously, it becomes a Distributed Denial of Service (DDoS) attack.

2. Anatomy of an Attack

Attacks generally target two primary constraints:

  • Volumetric (Bandwidth Exhaustion): Filling up the “pipe”. If your data center has a 10Gbps link, and the attacker sends 20Gbps of junk data, legitimate traffic simply cannot physically reach your servers.
  • Protocol/Resource Exhaustion: Filling up the “brain”. Exploiting internal state tables (such as connection tracking in firewalls) or CPU/RAM on web servers so that the server can no longer accept new connections, even though bandwidth remains.

3. Deep Dive: Layer 4 vs. Layer 7 Attacks

Layer 4: The SYN Flood (Resource Exhaustion)

This takes advantage of the TCP 3-Way Handshake.

The Anatomy of the Attack:

  1. Attacker Sends SYN: The attacker sends millions of SYN (synchronize) packets with spoofed source IP addresses.
  2. Server Allocates Memory: The server responds with SYN-ACK and allocates memory in its Transmission Control Block (TCB) table for a “half-open” connection.
  3. Attacker Stays Silent: The attacker never sends the final ACK.
  4. Table Exhaustion: The server waits for a timeout (often minutes). The TCB table fills up, and the operating system drops any new incoming SYN packets from legitimate users.

Analogy: A prank caller calls a restaurant, makes a reservation, and hangs up before confirming the time. The restaurant holds the table (memory allocation), turning away real customers, until they realize the prankster isn’t coming.

Layer 3/4: UDP Amplification (Volumetric)

Attackers exploit public, connectionless UDP services (like DNS, NTP, or Memcached) to reflect and amplify traffic.

The Mechanism:

  1. Spoofing: The attacker sends a small request (e.g., 64 bytes) to an open NTP server, forging the source IP address to be the Target’s IP.
  2. Amplification: The NTP server processes the request and sends a massive response (e.g., 3000 bytes) back to the “source” (the Target).
  3. The Crush: An attacker with a 1Gbps botnet can achieve an Amplification Factor of 50x, burying the Target under 50Gbps of traffic.
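The reflection pattern above, seen from the target's side, as an added example that is not part of the original module: large UDP responses arrive from well-known service ports that this host never sent a request to. The script pairs inbound reflector-port traffic with prior outbound requests per (peer, port), reports the unsolicited volume, and computes amplification factors. The flow records, peer addresses and the reflector port list are constructed sample values.

```python
"""Spot UDP reflection traffic in flow records (added example, constructed data)."""

# UDP services the module names as common reflectors, keyed by port.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 11211: "Memcached"}

# Constructed flow records: (direction, peer_ip, peer_udp_port, bytes).
# "out" = this host sent to the peer; "in" = the peer sent to this host.
SAMPLE_FLOWS = [
    ("out", "198.51.100.10", 53, 64),        # our own DNS query
    ("in",  "198.51.100.10", 53, 512),       # its answer: solicited
    ("in",  "203.0.113.5",   123, 3000),     # NTP responses we never requested
    ("in",  "203.0.113.5",   123, 3000),
    ("in",  "203.0.113.7",   11211, 50000),  # Memcached response, unsolicited
    ("in",  "198.51.100.99", 4500, 1500),    # not a reflector port: ignored
]


def amplification_factor(request_bytes, response_bytes):
    """Response size divided by request size (the text's 64-byte request / 3000-byte reply)."""
    return response_bytes / request_bytes


def _tally(flows):
    """Sum bytes sent to and received from each (peer, reflector port)."""
    sent, received = {}, {}
    for direction, ip, port, nbytes in flows:
        if port not in REFLECTOR_PORTS:
            continue
        bucket = sent if direction == "out" else received
        bucket[(ip, port)] = bucket.get((ip, port), 0) + nbytes
    return sent, received


def analyze_flows(flows):
    """Return {(peer_ip, port): {...}} for reflector-port responses with no matching request."""
    sent, received = _tally(flows)
    findings = {}
    for key, in_bytes in received.items():
        if sent.get(key, 0) == 0:  # we never asked: classic spoofed-source reflection
            findings[key] = {"service": REFLECTOR_PORTS[key[1]],
                             "unsolicited_bytes": in_bytes}
    return findings


def solicited_ratios(flows):
    """Observed response/request byte ratio for exchanges this host did initiate."""
    sent, received = _tally(flows)
    return {key: received.get(key, 0) / out for key, out in sent.items()}


def unsolicited_total(flows):
    """Total bytes of unsolicited reflector-port traffic in the record set."""
    return sum(f["unsolicited_bytes"] for f in analyze_flows(flows).values())


if __name__ == "__main__":
    for key, info in analyze_flows(SAMPLE_FLOWS).items():
        print(f"{info['service']:9s} from {key[0]}: {info['unsolicited_bytes']} unsolicited bytes")
    print("amplification 64 -> 3000 bytes:", amplification_factor(64, 3000))
```

In practice the same pairing is done per source port on a firewall or flow collector; the point of the example is that reflected traffic is recognisable precisely because the victim has no outbound request to match it to.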

Layer 7: HTTP Flood

Instead of targeting network infrastructure, attackers send thousands of complex, legitimate-looking HTTP requests (GET /search?q=expensive_query). This exhausts the application’s CPU or the backend database pool.

4. Interactive: SYN Flood Simulation

Watch the connection table overflow.

[Interactive widget not reproduced: Botnet (🤖🤖🤖) → Server Connection Table → TARGET (🔥); status indicator reads “Server Healthy.”]

5. Defense in Depth: Mitigation Strategies

Mitigating a DDoS attack requires defense at multiple layers of the OSI model.

| Strategy | Layer | How it works |
|---|---|---|
| SYN Cookies | Layer 4 | The server computes a cryptographic hash (cookie) from the connection details and sends it in the SYN-ACK, allocating no memory. State is allocated only when the client returns the valid cookie in the final ACK. |
| Anycast Routing | Layer 3 | Announce the same IP address from multiple global data centers (e.g., Cloudflare, AWS Route 53). Traffic naturally flows to the geographically closest data center, diluting a 1 Tbps attack across 100 different facilities. |
| Scrubbing Centers | Layer 3/4 | BGP routes traffic through specialized hardware (such as Arbor Networks appliances) that performs deep packet inspection, dropping malicious packets and forwarding only “clean” traffic to your origin servers via a GRE tunnel. |
| Rate Limiting | Layer 7 | Drop requests from IPs that exceed a threshold (e.g., 100 requests per second). Advanced forms use CAPTCHAs or JavaScript challenges to verify that the client is a real browser, not a script. |
| WAF (Web Application Firewall) | Layer 7 | Inspects HTTP headers and payloads to block known malicious signatures or anomalies (e.g., a sudden flood of POST requests to a login endpoint). |
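The SYN flood from section 3 and the SYN cookie defense from the table above, modelled side by side as an added example (not the module's own code). Without cookies the listener stores a half-open entry per SYN until the final ACK or a timeout, so spoofed SYNs that are never completed fill the table and a later legitimate SYN is dropped. With cookies the SYN-ACK carries an HMAC over the connection tuple and a coarse time slot instead of stored state, and an entry is created only when the returned ACK proves the client knows that cookie. The table capacity, timeout, slot width, server secret and addresses are constructed values, and the cookie construction is a simplified stand-in for the real TCP encoding.

```python
"""SYN flood versus SYN cookies on a toy TCP listener (added example, constructed values)."""
import hashlib
import hmac
import struct

TABLE_CAPACITY = 8       # tiny half-open table so exhaustion is visible
SYN_TIMEOUT = 60.0       # seconds a half-open entry is held (constructed)
COOKIE_SLOT = 64.0       # seconds per cookie time slot (constructed)
SERVER_SECRET = b"hypothetical-per-boot-secret"


def syn_cookie(src_ip, src_port, dst_port, slot):
    """32-bit cookie: HMAC-SHA256 over the connection tuple and time slot, truncated."""
    msg = f"{src_ip}:{src_port}:{dst_port}:{slot}".encode()
    digest = hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()
    return struct.unpack(">I", digest[:4])[0]


class Listener:
    def __init__(self, port=80, use_syn_cookies=False):
        self.port = port
        self.use_syn_cookies = use_syn_cookies
        self.half_open = {}          # (src_ip, src_port) -> (isn, arrival_time)
        self.established = set()
        self.dropped_syns = 0
        self._isn_counter = 1000

    def on_syn(self, src_ip, src_port, now):
        """Handle a SYN; return the ISN sent in the SYN-ACK, or None if the SYN was dropped."""
        self._expire(now)
        if self.use_syn_cookies:
            # Nothing is stored: the ISN itself is what we will verify later.
            return syn_cookie(src_ip, src_port, self.port, int(now // COOKIE_SLOT))
        if len(self.half_open) >= TABLE_CAPACITY:
            self.dropped_syns += 1        # table full: legitimate SYNs are lost here
            return None
        self._isn_counter += 1
        self.half_open[(src_ip, src_port)] = (self._isn_counter, now)
        return self._isn_counter

    def on_ack(self, src_ip, src_port, ack_num, now):
        """Handle the final ACK; return True if the connection is established."""
        key = (src_ip, src_port)
        if self.use_syn_cookies:
            slot = int(now // COOKIE_SLOT)
            # Accept the current and previous slot so a handshake spanning a slot boundary works.
            for s in (slot, slot - 1):
                if ack_num - 1 == syn_cookie(src_ip, src_port, self.port, s):
                    self.established.add(key)
                    return True
            return False
        entry = self.half_open.get(key)
        if entry and entry[0] + 1 == ack_num:
            del self.half_open[key]
            self.established.add(key)
            return True
        return False

    def _expire(self, now):
        """Drop half-open entries older than SYN_TIMEOUT (the step the flood exploits)."""
        stale = [k for k, (_, t) in self.half_open.items() if now - t > SYN_TIMEOUT]
        for k in stale:
            del self.half_open[k]


def run_scenario(use_syn_cookies, legit_arrives_at=1.0):
    """100 spoofed SYNs at t=0 that are never ACKed, then one real handshake later."""
    srv = Listener(use_syn_cookies=use_syn_cookies)
    for i in range(100):
        srv.on_syn(f"203.0.113.{i}", 40000 + i, now=0.0)   # constructed spoofed sources
    isn = srv.on_syn("198.51.100.7", 51515, now=legit_arrives_at)
    connected = isn is not None and srv.on_ack(
        "198.51.100.7", 51515, isn + 1, now=legit_arrives_at + 0.05)
    return {"legit_connected": connected,
            "half_open": len(srv.half_open),
            "dropped_syns": srv.dropped_syns}


if __name__ == "__main__":
    print("no cookies, during flood:", run_scenario(False))
    print("no cookies, after timeout:", run_scenario(False, legit_arrives_at=120.0))
    print("SYN cookies:             ", run_scenario(True))
```

Running it shows the three outcomes the text describes: during the flood the plain listener holds a full table and refuses the real client, it only recovers once the timeout has flushed the stale entries, and the cookie-based listener keeps zero half-open state throughout while still completing the genuine handshake.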

[!NOTE] War Story: The GitHub Memcached DDoS
In 2018, GitHub was hit with a massive 1.35 Tbps DDoS attack. Attackers used UDP Amplification, specifically exploiting unsecured Memcached servers on the internet. Because Memcached had an amplification factor of up to 51,200x, attackers turned relatively small botnets into a devastating tsunami of traffic. GitHub mitigated this by automatically routing traffic through Akamai’s scrubbing centers, neutralizing the attack within minutes.