By Edwin Gonzalez
A Distributed Denial of Service (DDoS) is an
attack on a network which is designed to bring
it to a halt. This is done by sending useless
traffic to a specific service/port on a server.
The amount of traffic sent would overwhelm
the service, so that legitimate traffic would be
dropped or ignored.
DDoS attacks have developed from the
wild 1997 basic DoS attacks. These attacks
originate from one source and can emerge
from 100’s of locations around the world. The
most visible attacks were those in February
2000, where high traffic sites (eBay/Amazon/
faced with the task of handling huge amounts
of spoofed traffic. In recent days, there have
been attacks on Cisco which resulted in
considerable downtime. Some public blacklists
have also been targeted by spammers and
taken out of business.
The following are different types of attacks.
Smurfing: The culprit sends a large
amount of ICMP echo traffic at IP Broadcast addresses,
all of it having a spoofed source address of a victim.
This multiplies the traffic by the number of hosts.
Fraggle: This is the cousin of the
smurf attack. This attack uses UDP echo packets in the
same was as the ICMP echo traffic.
Ping Flood: The culprit attempts
to disrupt service by sending ping requests directly
to the victim.
Syn Flood: Exploiting the flaw in
the TCP threeway handshake, the culprit will create
connection requests aimed at the victim. These requests
are made with packets of unreachable source addresses.
The server/device is not able to complete the connection
and as a result the server ends up using the majority
of its network resources trying to acknowledge each
Land: The culprit sends a forged packet
with the same source and destination IP address. The
victims system will get confused and crash or reboot.
Teardrop: The culprit sends two fragments
that cannot be reassembled properly by manipulating
the offset value of the packet and cause a reboot or
halt of the victim’s system.
Bonk: This attack usually affects
Windows OS machines. The culprit sends corrupted UDP
Packets to the DNS port, 53. The system gets confused
Boink: This is similar to the Bonk
attack; accept that it targets multiple ports instead
of only 53.
Worming: The worm sends a large amount
of data to remote servers. It then verifies that a connection
is active by attempting to contact a website outside
the network. If successful, an attack is initiated.
This would be in conjunction with a mass-mailing of
With the current TCP/IP implementation, there is very
that companies can do to prevent their network from
being DDoSed. Some companies can be proactive
and make sure all their systems are patched and are
only running services they need. Also implementing,
Egress/Ingress filtering and enable logging on all routers
will disable some DDoS attacks.
“Egress filtering is the process of examining
headers leaving a subnet for address validity. If the
packet’s source IP address originates inside the
that the router serves, then the packet is forwarded.
If the packet has an illegal source address, then the
packet is simply dropped. There is very little overhead
involved, therefore there is no degradation to network
Below you will find a simple SYN attack detection script
that could be set to run every 5 minutes via a cronjob.
In case of an attack you would receive and email with
IP information; remember the IP information is usually
#Simple Script to monitor syn attacks.
$num_of_syn=`netstat -an | grep -c SYN`;
if($num_of_syn > $syn_alert)
`netstat -an | grep SYN | mail -s
“SYN ATTACK DETECTED ON
Conclusion: DDoS attacks are very difficult to trace
and stop. New hardware appliances are being
manufactured specifically for these types of attacks.
Many dedicated server providers simply unplug the
server that is being attacked until the attack has stopped.
This is not a solution this is a careless and temporary
The culprit will still exist and is not held accountable
their actions. Once an attack is detected hosts should
immediately engage their upstream providers.
Edwin Gonzalez is the founder of Datums Internet Solutions,
based out of New York. In addition to dealing with day-to-day
operations, he works on building his library of shell
one-liners. Datums Internet Solutions, LLC | SunsetHost.Com