
Exploring Denial of Service Attacks

Key Points

  • A denial‑of‑service (DoS) attack targets the “availability” pillar of the CIA triad, aiming to make a system unusable.
  • Not all DoS attacks rely on sheer traffic volume; a “ninja” or surgical strike uses a single, specially crafted packet (e.g., a buffer‑overflow exploit) to crash the target instantly.
  • The more familiar “death by a thousand cuts” approach overwhelms a system with many small requests that exhaust resources, exemplified by classic SYN‑flood attacks.
  • In a SYN flood, the attacker sends forged SYN packets that force the server to allocate connection state and wait for acknowledgments that never arrive, eventually exhausting its capacity.
  • Recognizing these distinct DoS categories helps defenders implement tailored mitigation strategies rather than only preparing for high‑volume floods.
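
The SYN flood mechanics in the key points above, modelled from the server's side, as an added example that is not part of the original page or the video: a stateful listener that reserves a slot for every SYN until the final ACK or a timeout, next to a stateless SYN-cookie listener that reserves nothing. The capacities, timeouts, secret and addresses (TEST-NET documentation ranges) are constructed for illustration; nothing here sends packets.

```python
"""Added example (not from the video or its publisher): a model of a TCP
listener's half-open connection table versus a SYN-cookie listener. All
capacities, addresses and the secret are constructed for illustration."""
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class HalfOpenTable:
    """Stateful listener: every SYN reserves a slot until the final ACK or a timeout."""
    capacity: int                                  # pending-connection limit (listen backlog)
    timeout: float                                 # seconds a half-open entry is held
    pending: dict = field(default_factory=dict)    # (src_ip, src_port) -> expiry time
    refused: int = 0                               # SYNs refused because the table was full

    def _expire(self, now):
        self.pending = {k: t for k, t in self.pending.items() if t > now}

    def on_syn(self, src_ip, src_port, now):
        """Return True if the server can answer this SYN with a SYN-ACK."""
        self._expire(now)
        key = (src_ip, src_port)
        if key in self.pending:                    # retransmitted SYN: slot already held
            return True
        if len(self.pending) >= self.capacity:
            self.refused += 1                      # backlog full: this client gets nothing
            return False
        self.pending[key] = now + self.timeout
        return True

    def on_ack(self, src_ip, src_port, now):
        """Final handshake ACK: release the slot and accept the connection."""
        self._expire(now)
        return self.pending.pop((src_ip, src_port), None) is not None


class SynCookieListener:
    """Stateless listener: the SYN-ACK sequence number is a keyed hash (a SYN cookie)."""
    SLOT_SECONDS = 64                              # cookies are valid for the current and previous slot

    def __init__(self, secret: bytes):
        self.secret = secret                       # constructed secret; rotate it in real deployments

    def _cookie(self, src_ip, src_port, slot):
        msg = f"{src_ip}:{src_port}:{slot}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")  # fits a 32-bit sequence number

    def on_syn(self, src_ip, src_port, now):
        """No memory is reserved; the cookie travels in the SYN-ACK and returns in the ACK."""
        return self._cookie(src_ip, src_port, int(now // self.SLOT_SECONDS))

    def on_ack(self, src_ip, src_port, ack_number, now):
        """Accept only if the client echoes cookie + 1 for the current or previous slot."""
        slot = int(now // self.SLOT_SECONDS)
        return any(ack_number == self._cookie(src_ip, src_port, s) + 1 for s in (slot, slot - 1))


def client_served_after_spoofed_syns(table, spoofed_count, now=0.0):
    """The video's scenario: forged-source SYNs that never complete, then a real client tries."""
    for i in range(spoofed_count):
        # Constructed forged sources (TEST-NET-3); the SYN-ACKs would go to hosts that discard them.
        table.on_syn(f"203.0.113.{i % 250 + 1}", 40000 + i, now)
    return table.on_syn("198.51.100.7", 51515, now + 0.1)


if __name__ == "__main__":
    stateful = HalfOpenTable(capacity=128, timeout=60.0)
    print("stateful listener serves the real client:", client_served_after_spoofed_syns(stateful, 128))
    print("half-open slots held:", len(stateful.pending), "refused:", stateful.refused)
    cookies = SynCookieListener(b"constructed-secret")
    c = cookies.on_syn("198.51.100.7", 51515, 100.0)
    print("cookie listener accepts the real client's ACK:", cookies.on_ack("198.51.100.7", 51515, c + 1, 100.5))
```

The stateful table shows the speaker's point directly: 128 forged SYNs fill a 128-entry backlog, and the legitimate client is refused until the timers expire. The cookie listener has no table to fill, which is why SYN cookies are the usual fix for this class of attack; the cost is that TCP options carried in the original SYN are not remembered, which is why real stacks enable cookies only once the backlog is under pressure.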

Full Transcript

**Source:** [https://www.youtube.com/watch?v=bDAY-oUP0DQ](https://www.youtube.com/watch?v=bDAY-oUP0DQ)
**Duration:** 00:09:38

## Sections

- [00:00:00](https://www.youtube.com/watch?v=bDAY-oUP0DQ&t=0s) **Ninja-Style Targeted DoS Attack** - The speaker explains denial‑of‑service attacks as threats to system availability and then details a “ninja” attack—a precise, crafted packet that exploits protocol violations or buffer overflows to crash a specific system.
- [00:03:35](https://www.youtube.com/watch?v=bDAY-oUP0DQ&t=215s) **Understanding DoS Attack Variants** - The speaker outlines several denial‑of‑service methods—SYN flood, reflection/amplification attacks such as Smurf, and botnet‑driven “thousand‑cut” attacks—explaining how they consume resources, how they have been mitigated, and the lessons they teach for future security.
- [00:07:54](https://www.youtube.com/watch?v=bDAY-oUP0DQ&t=474s) **System Hardening and Monitoring Practices** - The speaker outlines essential security steps—hardening systems by eliminating unnecessary services and default credentials, keeping software patched, continuously monitoring with SIEM/XDR, and employing incident response/SOAR—to detect and mitigate attacks.

## Full Transcript
Your systems are up in smoke. Or at least it seems like that. Nothing is working. The CPU is at 100% and you don't know why. You can't get anything done. Well, what's happened is you've been DoSed. That's a denial of service attack. In a previous video, I talked about the CIA triad. In particular, one of those aspects was this business of availability. A DoS attack, or denial of service, is an attack on the availability of the system. Let's drill into that in a little bit more detail and find out what it could be. Well, it turns out not all DoS attacks are the same. Most people tend to think about one particular type, which I will talk about toward the end, but in fact there are different classes of denial of service attacks. So, the first one I'm going to talk about is what I'll refer to as a ninja attack. It's a surgical strike. It's a magic bullet, whatever analogy you'd like to use, but it's a very targeted strike. And in this case, what we have is a particular system here that's operational, and the bad guy comes along and sends a specially crafted message. So he's taking advantage of some rule that he's going to violate in the protocol, or he's using a buffer overflow, which is he's sending more information than was expected in the particular buffer where it was going to be received. In some way, this packet has been specially configured and specially manufactured so that when it is sent to the target system, the target system goes up in smoke. It's one strike and the system is down. That's a type of denial of service that not a lot of people think about. They generally think about overwhelming with more volume. And we'll talk about that.
That's the next type I'll refer to, which is what I'll call the death by a thousand cuts type of attack. In these attacks there's a number of different types that can happen here. But for instance, if here is our system that's operational, I'll give you an example of an attack that dates back to about 1996, which was one of the early versions of this kind of attack, and it's called a SYN attack, or a SYN flood. What happens is a bad guy wants to take over this system. So what he's going to do is start by sending a packet. It's called a SYN. In TCP terminology, this is starting what is a three-way handshake to begin a session. He sends the SYN message. And what's supposed to happen in a normal case is he puts in his address so that the server responds with what's known as a SYN-ACK, a SYN acknowledgement. But in fact, what he does, instead of having it come back to him, he sends the SYN acknowledgement to someplace else. He fakes out an address and says, "Don't send it to me. Send it to someplace else." So, he's lying about who he is. Now, in the meantime, what happens is this system starts a timer and it allocates some resources for this new session that it's starting, and it waits now on an acknowledgement to come back from this place. Well, this place down here is unsuspecting. It doesn't know anything about this. It just got a random SYN-ACK message that it's going to discard. So, it will never respond. In the meantime, this system is holding resources. The bad guy sends another SYN and another SYN and another SYN. He doesn't have to send a ton of these, but enough of these where it's a death by a thousand cuts. No single one of these took the system down, but collectively each one of them is reserving resources on this system until finally it's out.
Again, this was called a SYN flood attack. And we have fixes for this now. People have adjusted, but the original TCP protocol did not take into account that someone might try to do something like this. There are other versions of this type of attack: things that do reflection, things that do amplification. You can look up, if you're interested, something called a Smurf attack, which was of a similar era. Again, we have ways to defend against these things now, but there are lessons to be learned as we look forward. So these are two different types of DoS attacks. How about the third major type of attack that a lot of people are pretty familiar with? And with this one, what we have is basically a death by a thousand cuts times n, where n is the number of users that are involved in the attack, and in this case it's going to be unsuspecting users. So we start off with one regular user who comes along and they would access a system and everything's fine. In the meantime, a bad guy over here, though, is starting to take over systems. He has sent out some malware or he's hacked into a bunch of systems and he's building what is now effectively an army of unsuspecting users that he's going to later use in his attack. We call this a botnet, or they were called zombies at one point. But these are basically systems that are sitting here where the user has no awareness that they have latent code that could be exploited. Then when the bad guy wants to start his attack, he sends a message out to all of the systems in his bot army, and then they all start bombarding this system with traffic until it is way too much for anyone to deal with. This is what's called a distributed denial of service attack, a DDoS attack.
It's distributed in that, unlike these, where the attack was coming from one place, in this case this guy is just sending the command to start the attack, but the attack is really emanating from a lot of different places. So that's why we call it a DDoS attack. And there are botnet armies that sit out there right now today that can be used by a bad guy. All he has to do is wake them up and send them on their task for a particular target. Okay, that's the scope of the problem. And there are many other types, but that gives you a general sense. What can you do about it? Well, it turns out there's a number of things. So, let's look at some defenses here. First of all, the number one defense for any sort of denial of service attack, and I'm going to say this facetiously, is infinite capacity. Unfortunately, nobody can afford that. So, if you had infinitely capable systems, then you could throw as much as you wanted to at them and they would be able to withstand the attack. But that's too expensive. What's the next best thing? Redundancy. If you have only one system, then one system is a single point of failure. If you have multiple systems, for instance, in most cases we use what's referred to there as a rule of three, where you want to have at least three of everything. So, if one goes down, you're not at 50% capacity. You still have what is a usable system. So, redundancy is another important part to have here. It adds to expense, but it's necessary. Pacing, that is, looking at the traffic as it's coming in and limiting how much we will accept over a specific interval of time, or traffic going out, which also comes to the point of filtering.
Now in some cases we want to filter traffic coming in from certain locations, from certain IP addresses. We want to be able to turn these filters on when we know we're under attack, and it's very difficult to do that in a DDoS attack because the attack seems to be coming from everywhere. We should also, as responsible citizens, be looking at doing egress filtering, or filtering the data that's going out of our systems. For instance, if the ISP for this guy was looking and seeing that he was sending lots of SYNs that were referring to an address that's not him, they could have blocked that at the source. So the right kind of filtering of the egress helps everyone if we do that kind of thing. Other things you could do would be to harden systems. That means remove unnecessary services, remove IDs that are not needed, remove capabilities that are not going to be used. Every one of those is something that a bad guy could ultimately exploit later. So we don't want to have anything that's not absolutely necessary on the system. We also want to change default passwords and user IDs if at all possible. Patching is another: making sure that all the systems have the latest software on them. It's software fixes that took care of a lot of these earlier DoS attack scenarios. So the vendors will continue to find ways to fix their products, and we need to keep our capabilities up to the level of where those fixes are. Monitoring: being able to look over the whole system and understand when this is happening and when it's not. Understand, is our system really under a load because we're being ultra successful right now? Maybe we just put some new product on sale and everybody's there, or is it because a bad guy has decided to try to take the system down?
We need to be able to understand the difference between the two. So monitoring, and the technologies I've talked about in other videos, the SIEM, security information and event management, and XDR, extended detection and response, give us that kind of monitoring capability. And then finally it's incident response, or also called SOAR, security orchestration, automation and response. It's the ability to, once we realize we have a problem, what are we going to do? We need dynamic playbooks that guide what our responses should be so that we can respond quickly. The organizations that don't have that in place are the ones that suffer the most from denial of service attacks. Don't be one of those victims.
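
Two of the defenses the speaker lists, pacing (limiting how many connection attempts we accept from a source over an interval) and egress filtering (the ISP-side check that a sender is not putting someone else's address on its SYNs), worked through on constructed packet records. This is an added example, not code from the video or its publisher; the network prefix, the addresses (TEST-NET documentation ranges), the rate limits and the packet records are all assumptions made for illustration.

```python
"""Added example (not from the video or its publisher): pacing and egress
filtering applied to constructed outbound packet records. The prefix,
addresses and limits are assumptions for illustration."""
import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds
    src: str       # source IP address as written in the packet
    dst: str       # destination IP address
    flags: str     # TCP flags: "S" for SYN, "A" for ACK


class EgressFilter:
    """Drop outbound packets whose source address is not in our own prefixes.

    This is the check the speaker wants the attacker's ISP to perform: a SYN
    carrying a source address the sender does not own never leaves the network.
    """
    def __init__(self, our_prefixes):
        self.nets = [ipaddress.ip_network(p) for p in our_prefixes]

    def allow(self, pkt):
        src = ipaddress.ip_address(pkt.src)
        return any(src in net for net in self.nets)


class SynPacer:
    """Accept at most `max_syns` SYNs per source over any `window` seconds (sliding window)."""
    def __init__(self, max_syns, window):
        self.max_syns, self.window = max_syns, window
        self.recent = defaultdict(deque)   # src -> timestamps of SYNs accepted in the window

    def allow(self, pkt):
        if "S" not in pkt.flags:
            return True                    # pacing applies only to connection attempts
        q = self.recent[pkt.src]
        while q and pkt.ts - q[0] >= self.window:
            q.popleft()                    # forget SYNs that have fallen out of the window
        if len(q) >= self.max_syns:
            return False
        q.append(pkt.ts)
        return True


def apply_filters(packets, filters):
    """Run packets through (name, filter) pairs in order; return accepted packets and drop counts."""
    accepted, dropped = [], defaultdict(int)
    for pkt in packets:
        for name, flt in filters:
            if not flt.allow(pkt):
                dropped[name] += 1
                break
        else:
            accepted.append(pkt)
    return accepted, dict(dropped)


def constructed_outbound_traffic():
    """Constructed sample: our network is 192.0.2.0/24 (TEST-NET-1, reserved for documentation)."""
    pkts = [Packet(t, "192.0.2.20", "198.51.100.1", "S") for t in (0.0, 0.5, 1.0)]         # normal client
    pkts += [Packet(0.2 + i / 100, "203.0.113.5", "198.51.100.1", "S") for i in range(4)]  # forged source
    pkts += [Packet(i / 100, "192.0.2.10", "198.51.100.1", "S") for i in range(20)]        # 20 SYNs in 0.2 s
    return sorted(pkts, key=lambda p: p.ts)


def run_example():
    filters = [("egress", EgressFilter(["192.0.2.0/24"])),
               ("pacing", SynPacer(max_syns=5, window=1.0))]
    return apply_filters(constructed_outbound_traffic(), filters)


if __name__ == "__main__":
    accepted, dropped = run_example()
    print(f"accepted {len(accepted)} packets, dropped {dropped}")
```

On the constructed sample the egress filter removes every packet with the forged source, and the pacer lets the busy host open five connections in the window and holds back the rest, while the client with a normal rhythm is untouched. The order of the filters matters: the cheap address check runs first so that spoofed traffic never consumes the pacer's per-source state.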