Pervasive Technology Labs at Indiana University Advanced Networking Management Lab (ANML)
Distributed Denial of Service Attacks(DDoS) Resources
DDoS Case Online

Attacks Against GRC.COM

DoS Attack on a Check Point Firewall

Technical Information

SANS' DDoS Roadmap


Dave Dittrichs' Homepage

DDoS Attacks/tools



Types of DDoS Attacks

DoS attacks can be classified into two main categories:

Flood attacks

A remote system is overwhelmed by a continuous flood of traffic designed to consume resources at the targeted server (CPU cycles and memory) and/or in the network (bandwidth and packet buffers). These attacks result in degraded service or a complete site shutdown.

Logic or software attacks

A small number of malformed packets are designed to exploit known software bugs on the target system. These attacks are relatively easy to counter either through the installation of software patches that eliminate the vulnerabilities or by adding specialized firewall rules to filter out malformed packets before they reach the target system.

Flood attacks

  • TCP SYN Flood Attack: Taking advantage of the flaw of TCP three-way handshaking behavior, an attacker makes connection requests aimed at the victim server with packets with unreachable source addresses. The server is not able to complete the connection requests and, as a result, the victim wastes all of its network resources. A relatively small flood of bogus packets will tie up memory, CPU, and applications, resulting in shutting down a server.

    More information:
    CERT® Advisory CA-1996-21 TCP SYN Flooding and IP Spoofing Attacks
    CISCO: Defining Strategies to Protect Against TCP SYN Denial of Service Attacks
    SGI Security Advisory: TCP SYN Denial of Service Attack
    A Detailed description of the TCP SYN Flood Attack and IP-spoofing

  • Smurf IP Attack: An attacker sends forged ICMP echo packets to broadcast addresses of vulnerable networks. All the systems on these networks reply to the victim with ICMP echo replies. This rapidly exhausts the bandwidth available to the target, effectively denying its services to legitimate users.

    More information:
    CERT® Advisory CA-1998-01 Smurf IP Denial-of-Service Attacks

  • UDP Flood Attack: UDP is a connectionless protocol and it does not require any connection setup procedure to transfer data. A UDP Flood Attack is possible when an attacker sends a UDP packet to a random port on the victim system. When the victim system receives a UDP packet, it will determine what application is waiting on the destination port. When it realizes that there is no application that is waiting on the port, it will generate an ICMP packet of destination unreachable to the forged source address. If enough UDP packets are delivered to ports on victim, the system will go down.

    More information:
    CERT® Advisory CA-1996-01 UDP Port Denial-of-Service Attack

  • ICMP Flood Attack: An ICMP attack can come in many forms. There are 2 basic kinds, Floods and Nukes.
    An ICMP flood is usually accomplished by broadcasting either a bunch of pings (Not IRC pings, ICMP pings. Similar purpose, but handled differently) or UDP packets (which are used in software like PointCast). The idea is, to send so much data to your system, that it slows you down so much that you're disconnected from IRC due to a ping timeout.
    Nukes exploit bugs in certain Operating systems, Like Windows 95, and Windows NT. The idea is to send a packet of information that the OS can't handle. Usually, they cause your system to lock up.

    More information:
    The #mIRC_Lounge ICMP Protection Page
    More Nuke Information and Patches

Logic or Software Attacks

  • Ping of Death: An attacker sends an ICMP ECHO request packet that is much larger than the maximum IP packet size to victim. Since the received ICMP echo request packet is bigger than the normal IP packet size, the victim cannot reassemble the packets. The OS may be crashed or rebooted as a result.

    More information:
    More Ping of Death information

  • Teardrop: An attacker sends two fragments that cannot be reassembled properly by manipulating the offset value of packet and cause reboot or halt of victim system. Many other variants such as targa, SYNdrop, Boink, Nestea Bonk, TearDrop2 and NewTear are available.

    More information:
    CERT® Advisory CA-1997-28 IP Denial-of-Service Attacks

  • Land: An attacker sends a forged packet with the same source and destination IP address. The victim system will be confused and crashed or rebooted

    More information:
    CERT® Advisory CA-1997-28 IP Denial-of-Service Attacks

  • Echo/Chargen: The character generator (chargen) service is designed to simply generate a stream of characters. It is primarily used for testing purposes. Remote users/intruders can abuse this service by exhausting system resources. Spoofed network sessions that appear to come from that local system's echo service can be pointed at the chargen service to form a "loop." This session will cause huge amounts of data to be passed in an endless loop that causes heavy load to the system.
    When this spoofed session is pointed at a remote system's echo service, this denial of service attack will cause heavy network traffic/overhead that considerably slows your network down.
    It should be noted that an attacker does not need to be on your subnet to perform this attack as he/she can forge the source addresses to these services with relative ease.

Page developed by

107 S. Indiana Ave., Bloomington, IN 47405-7000 (812) 855-4810

© 2001, The Trustees of Indiana University
Pervasive Technology Labs at Indiana University