If A DDOS Attack Occurs Computer Science

Essay add: 14-11-2017, 11:14   /   Views: 60

DDoS is an attack in which a multitude of compromised systems attack a single target, thereby causing DoS for users of the targeted system. There have been a lot of methodologies and tools devised to detect DDoS attacks and reduce the damage they cause. In this journal, I am going to explain how the DDoS attack is established and the possible ways of tracing the attacker and the types of connections between various levels of DDoS attack.


Consider an attacker using a network of zombie computers to attack a specific website. In this case the attacker tells all the computers on his botnet to contact the specific server or website that he wants to attack very repeatedly. Thus suddenly increases the traffic towards the specific website causing the site to load very slowly for the users. Sometimes the traffic can cause the site to shut down completely. This type of attack is called Distributed Denial of Service (DDoS) attack. The services that got attacked are called the "primary victim", while the compromised systems used to attack are often called the "secondary victims." In performing the DDoS attack, the secondary victims provides the attacker with the ability to wage a much larger and more disruptive attack, while making it more difficult to track down the original attacker.

Attackers modify their tools very frequently to bypass the security systems of the researchers. Meanwhile researchers also modify their approaches to handle new attacks. The DDoS field is quickly becoming more and more complex and it is one of those attacks that is difficult to establish but equally very dangerous when it is established, and has reached the point where it is difficult to see the forest for the trees.

Fig: DDoS Attack

The figure describes a DDoS network where the attacker manages one or more masters of which several more zombies can be controlled by each.. This in turn says more pathways that need to be blocked, along with a sudden increase in the amount of resources being consumed by the target.

In this case many different computers are gained access by the attacker and the attacker sets each up to launch an independent DOS attack on command. Notice that, unlike the simple DOS attack, the DDoS attacker takes control of many computers, which then become the sources ("zombies") for the actual attack.

How to Detect a DDoS Attack

If a company or network experiences a DDoS attack it may notice the following indications:

• A perversion of services on the network.

• Accounts are locked up due to failed attempts to access certain services.

• Inability to access services over the Internet, often illustrated by "HTTP Error 404", when a page cannot be found, although it is due to a server that is too overwhelmed to respond to your request, or network unable to pass request.

What can be done if a DDoS attack occurs?

There are two phases for solving the problem: The first phase is to get the site back up by filtering traffic directed at the target hosts and the second phase is to locate and stop the compromised machines sourcing the attack. In some cases, source addresses are spoofed, complicating the location of the compromised source machines.

How can DDoS Attacks be Prevented?

Measures can be taken to prevent DDoS attack but there is no guaranteed assurance against it. The risk can be limited by securing more servers and bandwidth of their websites that required meeting typical demand, and by blocking those typical attacks. These efforts are taken by the web hosting company to find what measures they have to place in. To prevent individual computers from ending up in a botnet end users secure their systems with the latest operating system updates and antivirus software.

Types of DDoS Attacks

There are two main categories in DDoS attack:


Continuous flow of traffic overwhelms a remote system which is designed to consume resources at the targeted server in the network. These attacks result complete site shutdown. 


A small number of Twisted packets are designed on the target system to exploit known software errors. These attacks through the installation of software patches are relatively easy to counter and eliminate the vulnerabilities to take out distorted packets before they reach the target system by adding specialized firewall rules.

Flood attacks

TCP SYN Flood Attack: An attacker makes connection requests to the victim server by sending packets with unreachable source addresses by taking the weakness of TCP three-way handshaking behavior as an advantage. When the server is not able to complete the requests sent for connection, the victim wastes all its network resources. A relatively small flood of fake packets will tie up memory, applications and CPU resulting the server to shut down.  

Smurf IP Attack: forged ICMP echo packets were received by the broadcast addresses of vulnerable networks by an attacker. Each and every systems on networks reply with ICMP echo replies. This slowly drains of the available bandwidth to the target, effectively denying its services to the legitimate users. 

UDP Flood Attack:  To transfer the data it does not require any connection setup as it is a connectionless protocol. The attack to a random port on the victim system is possible when an attacker sends a UDP packet. When the victim system receives a UDP packet it will determine which application is waiting on the destination port. It will generate an ICMP packet of destination when it realizes that there is no application waiting on the port which is not reachable to the spurious source address. The system will go down if enough UDP packets are delivered to ports on victim. 

ICMP Flood Attack: This may attack in many forms. The 2 main kinds are Floods and Nukes.

Flood attack is accomplished by broadcasting a bundle of pings or UDP packets. The idea behind it is to send more data to the system, that it slows down so much that it is disconnected from IRC due to a ping timeout.

Nukes handles errors in certain Operating systems like Windows NT and Windows 95. The idea is to send a packet information so that the OS cannot handle. Usually, they cause system to lock up. 

Logic or Software Attacks

Ping of Death ICMP ECHO request packet which is much larger than the maximum size of IP packet was sent by an attacker to the victim. The victim cannot reassemble the packet since the received packet is larger than the size of normal IP packet. As a result the operating system may be rebooted or crashed. 

Teardrop:  Two fragments are sent by the attacker that cannot be reassembled properly and cause reboot of victim system by changing the offset value of packet.

Land: Here the victim system will be confused with the packet sent by the attacker as it is with the same source and destination IP address. Then it may be crashed or rebooted.

Tracing the Attackers

Tracing the attacker is one of the most common reactions. However, a DDoS, unlike a traditional DoS, comes from multiple sources. Using this method, the best way to mitigate the attack is to determine the routers and several hops from the network that handle the most packets. For this to happen, the cooperation from several sources is required because the examination of packets on upstream router is not possible. Each participant in the process (mostly ISPs) will, however, follow very similar steps.The offending traffic type being identified using the techniques above, a new, specific access list will be built to match it. Appended to the rules, which are applied to the interface sending traffic to the target, will again be the "log-input" keyword. Why? The logs will keep the record details about the source interface and MAC address - which is valid information. That data can be used to determine the IP address of the router forwarding the malicious traffic. The process is then repeated on the next router up the chain. After several iterations, the source (or one of them) will be located. At that time, the proper filter can be put in place to block the attacker. The drawback of tracing a DDoS attack is time and difficulty. Rooting out several sources could require working with multiple parties and even law enforcement.


DDoS attack tools are readily available and any internet host is targetable as either a zombie or the ultimate DDoS focus. These attacks can be costly and frustrating and are difficult, if not impossible to eradicate. The best defence to DDoS attack is to interrupt attackers through vigilant system administration. System monitoring, applying patches, updating anti-malicious software programs, and reporting incidents go further than retarding DDoS attacks - these also protect against other attacks. 

Article name: If A DDOS Attack Occurs Computer Science essay, research paper, dissertation