Learning Library

← Back to Library

Exploring Denial of Service Attacks

9mUnknown ChannelsecuritytutorialintermediateWatch on YouTube ↗

Key Points

  • A denial‑of‑service (DoS) attack targets the “availability” pillar of the CIA triad, aiming to make a system unusable.
  • Not all DoS attacks rely on sheer traffic volume; a “ninja” or surgical strike uses a single, specially crafted packet (e.g., a buffer‑overflow exploit) to crash the target instantly.
  • The more familiar “death by a thousand cuts” approach overwhelms a system with many small requests that exhaust resources, exemplified by classic SYN‑flood attacks.
  • In a SYN flood, the attacker sends forged SYN packets that force the server to allocate connection state and wait for acknowledgments that never arrive, eventually exhausting its capacity.
  • Recognizing these distinct DoS categories helps defenders implement tailored mitigation strategies rather than only preparing for high‑volume floods.

Sections

Full Transcript

# Exploring Denial of Service Attacks **Source:** [https://www.youtube.com/watch?v=bDAY-oUP0DQ](https://www.youtube.com/watch?v=bDAY-oUP0DQ) **Duration:** 00:09:38 ## Summary - A denial‑of‑service (DoS) attack targets the “availability” pillar of the CIA triad, aiming to make a system unusable. - Not all DoS attacks rely on sheer traffic volume; a “ninja” or surgical strike uses a single, specially crafted packet (e.g., a buffer‑overflow exploit) to crash the target instantly. - The more familiar “death by a thousand cuts” approach overwhelms a system with many small requests that exhaust resources, exemplified by classic SYN‑flood attacks. - In a SYN flood, the attacker sends forged SYN packets that force the server to allocate connection state and wait for acknowledgments that never arrive, eventually exhausting its capacity. - Recognizing these distinct DoS categories helps defenders implement tailored mitigation strategies rather than only preparing for high‑volume floods. ## Sections - [00:00:00](https://www.youtube.com/watch?v=bDAY-oUP0DQ&t=0s) **Ninja-Style Targeted DoS Attack** - The speaker explains denial‑of‑service attacks as threats to system availability and then details a “ninja” attack—a precise, crafted packet that exploits protocol violations or buffer overflows to crash a specific system. - [00:03:35](https://www.youtube.com/watch?v=bDAY-oUP0DQ&t=215s) **Understanding DoS Attack Variants** - The speaker outlines several denial‑of‑service methods—SYN flood, reflection/amplification attacks such as Smurf, and botnet‑driven “thousand‑cut” attacks—explaining how they consume resources, how they have been mitigated, and the lessons they teach for future security. - [00:07:54](https://www.youtube.com/watch?v=bDAY-oUP0DQ&t=474s) **System Hardening and Monitoring Practices** - The speaker outlines essential security steps—hardening systems by eliminating unnecessary services and default credentials, keeping software patched, continuously monitoring with SIEM/XDR, and employing incident response/SOAR—to detect and mitigate attacks. ## Full Transcript
0:00your systems are up in smoke. Or at 0:02least it seems like that. Nothing is 0:04working. The CPU is at 100% and you 0:07don't know why. You can't get anything 0:09done. Well, what's happened is you've 0:12been dosed. That's a denial of service 0:14attack. In a previous video, I talked 0:16about the CIA triad. In particular, one 0:19of those aspects was this business of 0:22availability. A DOS attack or denial of 0:25service is an attack on the availability 0:27of the system. Let's drill into that in 0:29a little bit more detail and find out 0:31what could be. Well, it turns out not 0:34all DOSs attacks are the same. Most 0:35people tend to think about one 0:37particular type, which I will talk about 0:39toward the end, but in fact there are 0:41different classes of denial of service 0:43attacks. So, the first one I'm going to 0:45talk about is sort of uh I'll refer to 0:47it as a ninja attack. It's a surgical 0:50strike. It's a magic bullet, whatever 0:52analogy you'd like to use, but it's a 0:54very targeted strike. And in this case, 0:57what we do is we have a particular 0:59system here that's operational and the 1:02bad guy comes along and sends a 1:05specially crafted message. So he's 1:08taking advantage of some rule that he's 1:11going to violate uh in the protocol or 1:14he's using a buffer overflow which is 1:16he's allocating uh he's sending more 1:18information than was expected in the 1:20particular buffer where it was going to 1:21be received. In some way, this packet 1:25has been specially configured and 1:27specially manufactured so that when it 1:29is sent to the target system, the target 1:32system goes up in smoke. It's one strike 1:36and the system is down. That's a type of 1:38denial of service that not a lot of 1:40people think about. They generally think 1:42about overwhelming with more volume. And 1:45we'll talk about that. That's the next 1:47type I'll refer to which is what I'll 1:50call the death by a thousand cuts type 1:52of attack in these attacks and there's a 1:55number of different types that can 1:56happen here. Uh but for instance if here 1:59is our system that's operational. Uh 2:02I'll give you an example of an attack 2:04that dates back to about 1996 which was 2:07one of the early versions of this kind 2:09of attack. Um and it's called a sinac or 2:13a sin flood. Uh what happens is a bad 2:16guy wants to take over this system. So 2:19what he's going to do is start by 2:21sending a packet. It's called a send. In 2:24TCP terminology, this is starting what 2:27is a three-way handshake to begin a 2:29session. He sends the SIN message. And 2:32what's supposed to happen in a normal 2:34case is he puts in his address so that 2:37the server responds with what's known as 2:40a SIN act, a sin acknowledgement. But in 2:43fact, what he does instead of having it 2:44come back to him, he sends the sin 2:46acknowledgement to someplace else. He 2:50fakes out 2:52an address and says, "Don't send it to 2:54me. Send it to someplace else." So, he's 2:56lying about who he is. Now, in the 2:58meantime, what happens is this system 3:00starts a timer and it allocates some 3:04resources for this new session that it's 3:06starting and it waits now on an 3:08acknowledgement to come back from this 3:10place. Well, this place down here is 3:13unsuspecting. It doesn't know anything 3:15about this. It just got a random SIN act 3:17message that it's going to discard. So, 3:19it will never respond. In the meantime, 3:21this system is holding resources. The 3:24bad guy sends another sin and another 3:26sin and another sin. Doesn't have to 3:29send a ton of these, but enough of these 3:31where it's a death by a thousand cuts. 3:33No single one of these took the system 3:35down, but collectively each one of them 3:37is reserving resources on this system 3:40until finally it's out. Again, this was 3:43called a sin flood attack. And we have 3:44fixes for this now. People have have 3:46adjusted, but the original TCP protocol 3:49did not take into account that someone 3:50might try to do something like this. 3:53There are other versions of this type of 3:55attack. Things that do reflection, 3:57things that do amplification. uh you can 4:00look up if you're interested in 4:01something called a smurf attack which 4:02was of similar era. Uh again we have 4:05ways to defend against these things now 4:07but there are lessons to be learned as 4:08we look forward. So these are two 4:11different types of DOSs attacks. How 4:14about the third major type of attack 4:16that a lot of people are pretty familiar 4:18with. And with this one what we have is 4:22uh we start with uh this is basically a 4:25death by a thousand cuts times n where n 4:28is the number of users that are involved 4:30in the attack and in this case it's 4:33going to be unsuspecting users. So we 4:35start off with one regular user who 4:37comes along and they would access a 4:39system and everything's fine. In the 4:42meantime, a bad guy over here though is 4:46starting to take over systems. He has 4:50sent out some malware or he's hacked 4:52into a bunch of systems and he's 4:54building what is now effectively an army 4:57of unsuspecting users that he's going to 4:59later use in his attack. We call this a 5:03botnet or they were called zombies at 5:05one point. But these are basically 5:07systems that are sitting here that the 5:10user has no awareness that they have 5:12latent code that could be exploited. 5:15Then when the bad guy wants to start his 5:17attack, he sends a message out to all of 5:20the systems in his bot army and then 5:23they all start bombarding this system 5:27with traffic until it is way too much 5:30for anyone to deal with. This is what's 5:32called a distributed denial of service 5:33attack, a DDoS attack. It's distributed 5:36in that unlike these, the attack was in 5:40one coming from one place. In this case, 5:42this guy is just sending the command to 5:44start the attack, but the attack is 5:46really emanating from a lot of different 5:48places. So that's why we call it a DOS 5:51attack. And there are botnet armies that 5:53sit out there right now today that can 5:56be used by a bad guy. All he has to do 5:58is wake them up and send them on their 6:00task for a particular target. Okay, 6:03that's the scope of the problem. And 6:05there are many other types, but that 6:06gives you a general sense. What can you 6:08do about it? Well, it turns out there's 6:10a number of things. So, let's look at 6:11some defenses here. First of all, the 6:14number one defense for any sort of 6:16denial of service attack, and I'm going 6:18to say this facitiously, is infinite 6:20capacity. Unfortunately, nobody can 6:22afford that. So, if you had infinitely 6:25capable systems, then you could throw as 6:27much as you wanted to at them and they 6:29would be able to withstand the attack. 6:30But that's too expensive. What's the 6:32next best thing? redundancy. If you have 6:35only one system, then one system is a 6:38single point of failure. If you have 6:40multiple systems, for instance, in most 6:42cases, we use what's referred to there 6:44as a rule of three, where you want to 6:46have at least three of everything. So, 6:48if one goes down, you're not at 50% 6:50capacity. You still have what is a 6:53usable system. So, redundancy is another 6:56important part to have here. Adds to 6:58expense, but it's necessary. pacing that 7:01is looking at the traffic as it's coming 7:03in and limiting how much we will accept 7:06over a specific interval of time or a 7:09traffic going out which also comes to 7:11the point of filtering. Now in some 7:14cases we want to filter traffic coming 7:16in from certain locations from certain 7:18IP addresses we want to be able to turn 7:20these filters on when we know we're 7:21under attack and we and it's very 7:24difficult to do that in a DOS attack 7:26because the attack seems to be coming 7:27from everywhere. We should also as 7:30responsible citizens be looking at doing 7:32egress filtering or filtering the data 7:34that's going out of our systems. For 7:37instance, if the ISP for this guy was 7:39looking and seeing that he was sending 7:41lots of sins that were referring to an 7:43address that's not him, they could have 7:45blocked that at the source. So the right 7:48kind of filtering of the egress helps 7:50everyone if we do that kind of thing. 7:53Other things you could do would be 7:54harden systems. That means remove 7:56unnecessary services, remove ids that 7:59are not needed, remove capabilities that 8:01are not going to be used. Every one of 8:03those is something that a bad guy could 8:04ultimately exploit later. So we don't 8:06want to have anything that's not 8:08absolutely necessary on the system. We 8:10also want to change default passwords 8:12and user IDs if at all possible. 8:15Patching is another making sure that all 8:18the systems have the latest software on 8:20them. It's software fixes that took care 8:23of a lot of these earlier DOSs attack 8:25scenarios. So there there will the 8:28vendors will continue to find ways to 8:30fix their products and we need to keep 8:33our capabilities up to the level of 8:36where those fixes are. Monitoring being 8:39able to look over the whole system and 8:41understand when this is happening and 8:43when it's not. Understand is our system 8:46really under a load because we're being 8:48ultra successful right now. Maybe we 8:50just put some new product on sale and 8:52everybody's there or is it because a bad 8:55guy has decided to try to take the 8:57system down. We need to be able to 8:58understand the difference between the 9:00two. So monitoring and the technologies 9:02I've talked about in other videos, the 9:04the SIM security information event 9:06management uh XDR extended detection and 9:09response give us that kind of monitoring 9:11capability. And then finally it's 9:13incident response uh or also called 9:16soore security orchestration automation 9:18and response. It's the ability to once 9:20we realize we have a problem, what are 9:22we going to do? We need dynamic 9:24playbooks that guide what our responses 9:26should be so that we can respond 9:28quickly. The organizations that don't 9:30have that in place are the ones that 9:32suffer the most from denial of service 9:34attacks. Don't be one of those victims.