
FINAL PROJECT REPORT

Overview of Distributed Denial of Service (DDoS) Attacks and Defenses

Hailey Reeves

Submitted: May 1, 2023
Class: ECE 571, Spring 2023
University of Arizona
Instructor: Dr. Ming Li

I. ABSTRACT

Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks are increasingly prevalent and require only basic skills to execute. Such attacks pose a significant threat to a network: they saturate links or exhaust server resources with meaningless requests until legitimate users can no longer be served. DDoS is easy to carry out and can be executed through a variety of techniques. According to Microsoft, DDoS attacks have increased almost three hundred percent year over year for the last two decades [17]. DDoS attacks can target a host, an application, a resource (such as a DNS server), a network, or the supporting infrastructure [18]. Penetration-testing tools exist to assess the strength of a defense, and mitigations can reduce the consequences of a successful attack, but no current defense eliminates the possibility of these attacks. This report examines DDoS security mechanisms and analyzes DDoS attack tools and techniques for their ease of use and impact.

II. INTRODUCTION

The proliferation of the Internet of Things (IoT) means more devices are connected to the internet, creating a larger attack surface and a larger pool of machines that can be conscripted into attacks. Denial of service and distributed denial of service attacks have become more accessible, easier to implement, and more difficult to defend against. A DoS attack typically floods a target with requests, preventing further requests from being served and denying legitimate users access to specific resources [15]. A DDoS attack serves the same purpose but is larger in scale and typically makes use of bots or a botnet. The term bot generally refers to a compromised machine infected with malware, or to software that performs an automated task over the internet; a botnet is a collection of bots operating under a common controller [14]. Detecting DDoS attacks is challenging because the stream of malicious packets can be indistinguishable from traffic sent by authentic users, and because it arrives from a very large number of source addresses, potentially millions, spread across the internet. The dispersed nature of the internet thus works in the attacker's favor and makes a meaningful defense against DDoS arduous.

III. MOTIVATION AND DDOS BACKGROUND

DDoS attacks have been used as a weapon for political gain, extortion, business conflicts, and as a component of warfare. The impacts of DDoS attacks include loss of business, revenue, or general services. The largest attack recorded at the time of writing was against Google Cloud: it reached 2.54 Tbps of traffic in 2017, four times larger than the previous record set a year prior [4]. The attack purportedly used several networks to send spoofed packets, millions per second, to 180,000 exposed servers that reflected their responses at the target [4]. Another proportionally large attack affected Amazon Web Services (AWS), which saw up to 2.3 Tbps in 2020 [4]. The AWS attack abused exposed Connection-less Lightweight Directory Access Protocol (CLDAP) servers as reflectors [4]. Other infamous attacks include targets such as GitHub, Dyn (a large DNS provider), Spamhaus, and even entire countries, such as the 2007 attack on Estonia which took out government services, financial institutions, and media outlets [4]. The attack against Estonia was attributed to Russia and followed the relocation of a World War II monument [4]. This event prompted the development of international law governing cyber warfare [4]. In 2000, a fifteen-year-old took down E-Trade, eBay, and Yahoo, the largest search engine at the time [17]. The teenager's attack affected the stock market and spurred the creation of cybercrime laws [17]. While many DDoS attacks use a botnet, the attack against GitHub in 2018 used exposed Memcached servers to amplify a single attacker's traffic by a factor of roughly fifty thousand [17].

IV. COMMON DOS/DDOS ATTACK TOOLS AND METHODS

There are several freely available tools for conducting denial of service attacks, such as TFN and TFN2K [10], Trinoo [6], Trinity, Low Orbit Ion Cannon (LOIC) [5], hping [22], and thc-ssl-dos [20]. Kali Linux is a Debian-based Linux distribution made specifically for penetration testing, and it ships with programs that can execute such attacks. These tools can target various protocols, including User Datagram Protocol (UDP), Internet Control Message Protocol (ICMP), and Transmission Control Protocol (TCP). Application-layer flooding attacks can be challenging to detect because they use complete TCP connections and well-formed requests that resemble legitimate traffic, so they may not be an immediate red flag to a system administrator, especially if the network regularly receives a large volume of traffic. The most prominent such attack is the HTTP flood, the most common application-layer denial of service attack [21]. A related application-layer tool is Slowloris, which is not a volumetric flood at all: it opens many connections to a web server and keeps each one alive by sending partial HTTP GET or POST headers, never completing the request, until the server's connection pool is exhausted and legitimate clients are refused [24]. Slowloris was used to overwhelm Iranian government servers in 2009 following that year's presidential election [24].

One of the most well-known platforms for penetration testing and DoS attacks is Kali Linux. The Kali tool thc-ssl-dos abuses SSL/TLS renegotiation: over a single TCP connection it repeatedly asks the server to renegotiate the handshake, and because the server's share of each handshake is far more expensive than the client's, a single host can exhaust the server's CPU [20]. Kali Linux also includes hping (hping3), which generates raw TCP/IP packets with attacker-controlled header fields [2]. Command-line arguments control packet behavior, including randomizing each packet's source address with a single flag [22]. hping can send large volumes of ICMP, UDP, and TCP packets and is commonly used to test firewalls and network performance [22]. Metasploit and Slowloris are also readily available in the Kali Linux distribution [20].

Low Orbit Ion Cannon (LOIC) is a widely used open-source tool with a user-friendly graphical interface. LOIC lets the user select a protocol from a drop-down list, such as TCP, UDP, HTTP, or ICMP, and customize the attack by adjusting parameters such as attack timeout, port number, and packet transmission speed. After entering the target IP or URL, the user initiates the attack by clicking a button, without ever interacting with a command line. LOIC also supports Internet Relay Chat (IRC) control in "hivemind" mode, which lets one user direct multiple networked machines that together form a botnet [8]. IRC-based botnets are most commonly used for TCP SYN and UDP flooding attacks [14].
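The Slowloris mechanism described above is easiest to appreciate with a small model. The following is an added example written for this report, not code from the report itself nor from the Slowloris tool: it simulates a server with a fixed pool of worker slots (10, an assumption), an attacker from a single constructed address that opens connections and trickles one header byte every 5 seconds, and one legitimate client per second. It compares three server policies, all with assumed values: an idle timeout of 10 s, a hard 20 s deadline for completing the request header, and that deadline combined with a cap of 2 open connections per source IP.

```python
"""Discrete-time model of a Slowloris-style low-and-slow attack (added example)."""
from dataclasses import dataclass, field

SLOTS = 10                    # worker slots on the modeled server (assumption)
ATTACKER_INTERVAL = 5         # seconds between attacker header bytes (assumption)
IDLE_TIMEOUT = 10             # "idle" policy: drop after this much silence
HEADER_DEADLINE = 20          # "deadline*" policies: header must finish by then
PER_IP_CAP = 2                # "deadline_cap" policy: max open conns per source
SIM_SECONDS = 120
ATTACKER_IP = "203.0.113.7"   # constructed address from the TEST-NET-3 range


@dataclass
class Conn:
    src: str
    opened: int      # second the connection was accepted
    last_byte: int   # second the last header byte arrived


@dataclass
class Server:
    policy: str
    conns: dict = field(default_factory=dict)   # conn_id -> Conn

    def expire(self, now):
        """Close connections that violate the configured timeout policy."""
        for cid, c in list(self.conns.items()):
            if self.policy == "idle":
                stale = now - c.last_byte >= IDLE_TIMEOUT
            else:  # "deadline" and "deadline_cap"
                stale = now - c.opened >= HEADER_DEADLINE
            if stale:
                del self.conns[cid]

    def accept(self, cid, src, now):
        """Admit a new connection unless the pool (or the per-IP cap) is full."""
        if len(self.conns) >= SLOTS:
            return False
        if self.policy == "deadline_cap":
            held = sum(1 for c in self.conns.values() if c.src == src)
            if held >= PER_IP_CAP:
                return False
        self.conns[cid] = Conn(src, now, now)
        return True


def simulate(policy):
    """Run SIM_SECONDS of traffic; return how many legitimate clients got served."""
    srv = Server(policy)
    legit_served = legit_refused = 0
    atk_seq = 0
    for now in range(SIM_SECONDS):
        srv.expire(now)
        # One legitimate client per second from a fresh constructed address; it
        # sends a complete header immediately, is served, and frees its slot.
        legit_ip = f"198.51.100.{now % 250 + 1}"
        if srv.accept(f"leg{now}", legit_ip, now):
            legit_served += 1
            del srv.conns[f"leg{now}"]
        else:
            legit_refused += 1
        # The attacker re-opens connections until the server stops taking them,
        # then sends one header byte on each at its chosen interval so that an
        # idle timeout never fires.
        while srv.accept(f"atk{atk_seq}", ATTACKER_IP, now):
            atk_seq += 1
        if now % ATTACKER_INTERVAL == 0:
            for c in srv.conns.values():
                if c.src == ATTACKER_IP:
                    c.last_byte = now
    return {"policy": policy, "served": legit_served, "refused": legit_refused}


if __name__ == "__main__":
    for p in ("idle", "deadline", "deadline_cap"):
        print(simulate(p))
```

With these parameters the idle timeout serves only the first legitimate client, because the attacker's 5-second trickle always beats the 10-second timer; the hard header deadline frees the pool every 20 seconds, so a handful of clients get through before the attacker refills it; only the per-source cap leaves the pool mostly free and serves every legitimate request. That ordering is the practical lesson: timeouts bound the damage, but per-client connection limits (or a reverse proxy that buffers headers) are what actually defeat a single-source low-and-slow attack.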

V. DOS/DDOS DEFENSE STRATEGIES

Defense mechanisms can be deployed at the target network, at intermediate networks, or at the source network [18]. Although deployment at the source network is the most desirable, since attack traffic is stopped before it consumes anyone's bandwidth, it is typically the most expensive to deploy [18]. Measures to protect a host or network start with personal choices and basic end-user cybersecurity training. Users should be vigilant when downloading material or navigating to a web page. Anti-malware utilities should be installed and systems should be updated frequently. Regular system backups and personal firewalls are also valuable. Administrators should monitor logs and isolate any malicious activity on the network [14]. Beyond personal practices, other defense strategies can be grouped into two categories, preventive and reactive [18]. An intrusion detection system is an example of a reactive defense.
An intrusion detection system (IDS) monitors a network for policy violations or malicious traffic; an intrusion prevention system (IPS) additionally blocks what it detects. An IDS can be signature-based or anomaly-based; Snort is a popular example of a signature-based IDS [12]. A signature-based IDS matches patterns in network traffic, such as known byte sequences, to decide whether traffic is malicious. Anomaly detection instead builds a model of normal network behavior and flags deviations from it as potentially malicious [12]. Anomaly detection can be rooted in statistical distributions, categorical evaluations, graph theory, or comparison with neighboring traffic [12].
An anomaly-based IDS can also use fuzzy logic or artificial neural networks to categorize suspicious behavior, and this area will probably advance significantly as artificial intelligence continues to evolve. Network packet analysis, also known as packet sniffing, is another method of anomaly detection and can use tools like Wireshark. As an example, common IRC ports such as TCP port 6667 can be monitored more closely because of the high prevalence of IRC-controlled botnets [14]. Although traffic analysis is useful, packet sniffing is not a completely reliable means of detection, because the attacker can introduce noise or simply move the command channel to a different port [14].
The anomaly-based techniques listed above are examples of passive monitoring, whereas active monitoring injects probe packets into the network; the latter is less preferred because the probes themselves add load to a network that may already be under stress [12]. Passive monitoring can be classified further by the protocol and application it observes, such as HTTP or DNS [12]. The primary weakness of signature-based intrusion detection, and of anomaly-based systems that score traffic against a catalog of known attack patterns, is the reliance on that database: the system must be updated periodically or it will miss new attacks [12].
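To make the signature-versus-anomaly distinction concrete, here is an added example, not code from the report and not Snort, that runs both kinds of check over one constructed packet log. Each record is a simplified header plus payload. The baseline is 60 seconds of normal traffic with a single bot check-in on TCP 6667; a SYN flood with randomly spoofed sources begins at second 60. The IRC byte signature, the 3-sigma threshold and the source-spread factor are assumptions chosen for illustration.

```python
"""Signature-based and anomaly-based detection on a constructed packet log (added example)."""
import random
import statistics
from collections import Counter, defaultdict

IRC_PORT = 6667
# Signature (assumption): a bot registering with an IRC command channel sends
# "NICK ..." on the IRC port. Snort rules match byte sequences in the same spirit.
IRC_SIGNATURE = b"NICK "
TARGET = "192.0.2.10"   # constructed victim address (TEST-NET-1)


def make_traffic():
    """Constructed log: (second, src, dst, dport, tcp_flags, payload)."""
    random.seed(7)  # reproducible
    pkts = []
    for t in range(60):  # 60 s baseline: 15-25 SYN/s from ~40 real clients
        for _ in range(random.randint(15, 25)):
            pkts.append((t, f"198.51.100.{random.randint(1, 40)}", TARGET, 443, "S", b""))
        pkts.append((t, "198.51.100.3", TARGET, 80, "PA", b"GET / HTTP/1.1\r\n"))
    # one infected host checking into its IRC C2 at t = 30
    pkts.append((30, "198.51.100.22", "203.0.113.5", IRC_PORT, "PA",
                 b"NICK bot-22\r\nUSER x 8 * :x\r\n"))
    for t in range(60, 90):  # 30 s SYN flood: 2000 SYN/s, spoofed sources
        for _ in range(2000):
            src = ".".join(str(random.randint(1, 254)) for _ in range(4))
            pkts.append((t, src, TARGET, 443, "S", b""))
    return pkts


def signature_alerts(pkts):
    """Signature-based: byte-pattern match on payload, scoped to the IRC port."""
    return [(t, src, dst) for t, src, dst, dport, _flags, payload in pkts
            if dport == IRC_PORT and IRC_SIGNATURE in payload]


def syn_rate_alerts(pkts, baseline_seconds=60, k=3.0):
    """Anomaly-based (statistical): per-second SYN count vs mean + k*stdev of baseline."""
    per_sec = Counter(t for t, _s, _d, _p, flags, _pl in pkts if flags == "S")
    baseline = [per_sec.get(t, 0) for t in range(baseline_seconds)]
    threshold = statistics.mean(baseline) + k * statistics.pstdev(baseline)
    return threshold, sorted(t for t, n in per_sec.items()
                             if t >= baseline_seconds and n > threshold)


def source_spread_alerts(pkts, baseline_seconds=60, factor=10):
    """Anomaly-based (categorical): distinct SYN sources per second vs the baseline peak.
    Spoofed floods show far more distinct sources than any real client population."""
    srcs = defaultdict(set)
    for t, src, _d, _p, flags, _pl in pkts:
        if flags == "S":
            srcs[t].add(src)
    base_max = max(len(srcs[t]) for t in range(baseline_seconds))
    return sorted(t for t in srcs if t >= baseline_seconds and len(srcs[t]) > factor * base_max)


if __name__ == "__main__":
    log = make_traffic()
    print("signature hits:", signature_alerts(log))
    thr, secs = syn_rate_alerts(log)
    print(f"SYN-rate threshold {thr:.1f}/s, anomalous seconds: {secs[0]}..{secs[-1]}")
    print("source-spread anomalous seconds:", source_spread_alerts(log)[:5], "...")
```

Note the complementary failure modes the text describes: the signature check finds the bot only because the C2 used the expected port and string, and misses it entirely if either changes, while the two anomaly checks catch the flood without knowing anything about it but would also fire on a legitimate traffic surge and need their baseline refreshed as normal traffic grows.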
Other detection strategies include overlay networks built on top of the IP network, simulated legitimate networks (honeynets), and router-based filters [15]. Honeypots imitate real, vulnerable machines in order to attract bots. They also help network security professionals understand botnet behavior by exposing sacrificial machines to attack [14]. A honeynet is composed of multiple honeypots on one network [14]. A firewall can be used in tandem with a honeypot to determine whether a port has been compromised and to block traffic on it thereafter [14]. Although honeypots have been effective, attackers have learned to detect and expose them by identifying the use of virtual machines or a virtualization environment such as VMware [14].
During an attack, a target's capacity can be multiplied by drawing on a pool of high-bandwidth servers or by placing a network load balancer in front of the service [18]; these are examples of preventive defense. Selective blackholing drops packets from a given source address, or all traffic toward a specific target IP, at the router [9]. Note that blackholing the target address completes the denial of service for that address; it protects the rest of the network rather than the victim itself. Beyond these reactive and preventive mitigation and deterrence methods, direct countermeasures against a DDoS attack require both disabling the botnet's command and control and cleaning the compromised machines, which is a challenging and rarely achievable feat for the target.

VI. COMMON DOS/DDOS SECURITY TOOLS

Due to the increase in denial of service attacks, many web and proxy servers offer DoS protection features integrated within their hosting platforms. Some of these offer real-time IP reputation, IP-based geolocation, load balancing, and access control based on client IP address [1][19]. Configuration files allow users to customize security settings, such as the maximum duration of a client connection and the request rate accepted from a single IP address [19]. When an attack on a local system is suspected, the suspected IP is initially grey-listed so that the threat can be validated; if the IP is found to be legitimate, it is moved to a whitelist of authorized addresses to prevent repeated grey-listing. One example is the Denial of Service (DoS) detection feature of BitNinja, a server security suite, which continuously monitors the number of concurrent connections each client holds to the server [1]. If the number of connections exceeds 80, the offending IP address is blacklisted for a default duration of 60 seconds, during which no further connections from it are accepted [1]. Other cloud providers, web servers, and services also offer DDoS protection, including Cloudflare [3], NGINX [19], Google Cloud, and Akamai [7]. MazeBolt offers DDoS simulations to clients and provides recommendations for any network misconfigurations or vulnerabilities the simulation exposes [16].
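The grey-list, whitelist and blacklist workflow described above can be expressed as a small policy object. The following is an added example, not BitNinja's or NGINX's code: it counts concurrent connections per client IP, grey-lists a client whose count passes the limit (80, the default quoted above), holds that client's new connections until an operator or automated check validates it, and then either whitelists it or blacklists it for 60 seconds. The state machine, the `validate` step and the two constructed client addresses are assumptions made for illustration.

```python
"""Per-IP connection limit with grey/white/blacklist handling (added example)."""
from collections import defaultdict

MAX_CONCURRENT = 80   # concurrent connections allowed per client IP
BLOCK_SECONDS = 60    # how long a confirmed abuser stays blacklisted


class ConnectionPolicy:
    def __init__(self, max_concurrent=MAX_CONCURRENT, block_seconds=BLOCK_SECONDS):
        self.max_concurrent = max_concurrent
        self.block_seconds = block_seconds
        self.open = defaultdict(int)   # ip -> currently open connections
        self.whitelist = set()         # validated as legitimate; limit bypassed
        self.greylist = set()          # suspected; new connections held
        self.blacklist = {}            # ip -> time at which the block expires

    def on_connect(self, ip, now):
        """Decide a new connection: 'accept', 'grey' (held for validation) or 'reject'."""
        if ip in self.whitelist:
            self.open[ip] += 1
            return "accept"
        expires = self.blacklist.get(ip)
        if expires is not None:
            if now < expires:
                return "reject"
            del self.blacklist[ip]     # block expired; the client starts clean
        if ip in self.greylist:
            return "grey"
        if self.open[ip] >= self.max_concurrent:
            self.greylist.add(ip)      # limit tripped: hold, don't block yet
            return "grey"
        self.open[ip] += 1
        return "accept"

    def on_close(self, ip):
        if self.open[ip] > 0:
            self.open[ip] -= 1

    def validate(self, ip, legitimate, now):
        """Operator or automated check resolves a grey-listed client."""
        self.greylist.discard(ip)
        if legitimate:
            self.whitelist.add(ip)
        else:
            self.blacklist[ip] = now + self.block_seconds
            self.open[ip] = 0          # its existing connections are torn down

    def state(self, ip, now):
        if ip in self.whitelist:
            return "whitelisted"
        if ip in self.greylist:
            return "greylisted"
        if ip in self.blacklist and now < self.blacklist[ip]:
            return "blacklisted"
        return "clear"


def demo():
    """Constructed scenario: one abusive client and one busy but legitimate NAT gateway."""
    p = ConnectionPolicy()
    abuser, nat = "203.0.113.9", "198.51.100.50"   # constructed TEST-NET addresses
    results = {}
    for ip in (abuser, nat):
        # both open 81 connections at t=0; the 81st trips the limit
        results[ip + "/81st"] = [p.on_connect(ip, 0) for _ in range(81)][-1]
    p.validate(nat, legitimate=True, now=1)      # many users behind one address
    p.validate(abuser, legitimate=False, now=1)  # confirmed flood source
    results["nat/after"] = p.on_connect(nat, 2)
    results["abuser/t30"] = p.on_connect(abuser, 30)
    results["abuser/t61"] = p.on_connect(abuser, 61)
    results["abuser/t61_state"] = p.state(abuser, 61)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The grey-list stage is what keeps a shared address such as a corporate NAT or a forward proxy from being blocked outright: it looks exactly like an attacker on connection count alone, so the count should trigger scrutiny, not an immediate block. The expiry is checked lazily on the next connection attempt, so the blacklist needs no timer thread.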

VII. CONCLUSION

Large-scale denial of service attacks are becoming more prevalent and more potent every year. Revenue loss due to DDoS attacks almost doubled in 2017, according to NETSCOUT [23]. That year, businesses estimated a loss of five hundred to one thousand dollars per minute of network downtime [23]. Distributed denial of service attacks not only impact businesses directly but can also impact essential services provided by governments, as shown by the attacks on Iranian and Estonian networks. There are countless tools and methods available for a novice to execute these attacks successfully. The sophistication and impact of these attacks have grown rapidly, especially with the use of botnets, while the difficulty of carrying them out has steadily decreased. The best prevention strategies are adopting a cybersecurity culture at home, in the company, or in the organization, and having the capacity available to absorb high volumes of traffic. The next line of defense consists of anomaly- and signature-based intrusion detection systems, firewalls, and anti-malware software. A network can also consider complementary tools such as honeypots, packet sniffers, and DoS protection services that offer tailored features. Security is best achieved by combining the methods outlined above.

VIII. FUTURE WORK AND OPEN PROBLEMS

Software Defined Networking (SDN) is one popular approach for protecting data centers and cloud-based services from DDoS [9]. In a traditional TCP/IP network each switch contains both the control plane and the data plane, whereas in an SDN the switch carries only the data plane and a logically centralized controller makes the forwarding decisions; once malicious traffic is identified, the controller can install rules that block or blackhole it [9]. Because of this architecture, the controller itself is a bottleneck that can be overloaded, which motivates the use of machine learning to classify traffic efficiently [13]. Different machine learning algorithms are being tested to increase the resiliency of SDN-based networks and intrusion detection systems. Selecting the most relevant features from a dataset for training remains an open problem [13]. Machine learning has clearly improved an SDN controller's ability to detect DoS, but it is unclear how it can be further optimized in a multi-controller environment [13]. With the rise of artificial intelligence (AI), it is expected that these techniques can be leveraged further to increase the capability of DDoS detection and mitigation.

REFERENCES
[1] BitNinja. https://bitninja.io/.
[2] Bogaerts, P. (2003). HPING Tutorial, version 1.5, 24-08-2003. http://www.radarhack.com.
[3] Cloudflare. (n.d.). Cloudflare DDoS Protection & Mitigation. https://www.cloudflare.com/ddos/
[4] Cloudflare. (n.d.). Famous DDoS attacks | Biggest DDoS attacks. https://www.cloudflare.com/learning/ddos/famous-ddos-attacks/
[5] Cloudflare. (n.d.). What Is the Low Orbit Ion Cannon (LOIC)? https://www.cloudflare.com/learning/ddos/ddos-attack-tools/low-orbit-ion-cannon-loic.
[6] Criscuolo, P. J., & Rathbun, T. (1999, December 21). Distributed System Intruder Tools, Trinoo and Tribe Flood Network. Report, California. University of North Texas Libraries, UNT Digital Library, crediting UNT Libraries Government Documents Department. https://digital.library.unt.edu/ark:/67531/metadc742619/ (accessed April 29, 2023).
[7] Akamai. (n.d.). DDoS (distributed denial-of-service) attack protection. https://www.akamai.com/solutions/security/ddos-protection
[8] Gupta, B., Joshi, R., & Misra, M. (2010). Distributed Denial of Service Prevention Techniques. International Journal of Computer and Electrical Engineering, 2(2). http://www.ijcee.org/show-31-125-1.html.
[9] Holl, P. (2015). Exploring DDoS Defense Mechanisms. Proceedings of the Seminars Future Internet (FI) and Innovative Internet Technologies and Mobile Communications (IITM), pp. 25-32.
[10] Hussain, A., Schwab, S., Fahmy, S., & Mirkovic, J. (2006). DDoS Experiment Methodology. https://www.researchgate.net/publication/277296698.
[11] Jaszcz, A., & Połap, D. (2022). AIMM: Artificial Intelligence merged methods for flood DDoS attacks detection. Journal of King Saud University - Computer and Information Sciences, 34(10), 8090–8101. https://doi.org/10.1016/j.jksuci.2022.07.021
[12] Karim, A., Salleh, R. B., Shiraz, M., Shah, S. A., Awan, I., & Anuar, N. B. (2014). Botnet detection techniques: Review, future trends, and issues. Journal of Zhejiang University SCIENCE C, 15(11), 943–983. https://doi.org/10.1631/jzus.c1300242
[13] Kumar, S., Sastry, H. G., Marriboyina, V., Alshazly, H., Ahmed Idris, S., Verma, M., & Kaur, M. (2022). DDoS detection in SDN using Machine Learning Techniques. Computers, Materials & Continua, 71(1), 771–789. https://doi.org/10.32604/cmc.2022.021669
[14] Liu, J., Xiao, Y., Ghaboosi, K., Deng, H., & Zhang, J. (2009). Botnet: Classification, attacks, detection, tracing, and preventive measures. EURASIP Journal on Wireless Communications and Networking, 2009(1). https://doi.org/10.1155/2009/692654
[15] Mahjabin, T., Xiao, Y., Sun, G., & Jiang, W. (2017). A survey of distributed denial-of-service attack, prevention, and mitigation techniques. International Journal of Distributed Sensor Networks, 13(12). https://doi.org/10.1177/1550147717741463.
[16] MazeBolt Technologies. (2023, March 19). MazeBolt: DDoS protection cyber security. Retrieved May 1, 2023, from https://mazebolt.com/
[17] Microsoft 365. (2023, February 17). Top 5 most famous DDoS attacks. https://www.microsoft.com/en-us/microsoft-365-life-hacks/privacy-and-safety/top-5-most-famous-ddos-attacks
[18] Mirkovic, J., & Reiher, P. (2004). A taxonomy of DDoS attack and DDoS defense mechanisms. ACM SIGCOMM Computer Communication Review, 34(2), 39–53. https://doi.org/10.1145/997150.997156.
[19] nginx. https://nginx.org/en/.
[20] Kali Linux. (2023, April 7). Penetration testing and ethical hacking Linux distribution.
[21] Sagoglu, G. (2016, December 3). How to Perform DDoS Test as a Pentester.
[22] Sanfilippo, S. (2006). Hping. http://www.hping.org.
[23] Whalen, K. (2018, March 14). The consequences of DDoS attacks are rising. NETSCOUT. https://www.netscout.com/blog/consequences-ddos-attacks-are-rising
[24] Imperva. (2020, September 30). What is Slowloris? DDoS tools. Imperva Learning Center. https://www.imperva.com/learn/ddos/slowloris/
