This site uses cookies! Learn More

This site uses cookies!

For providing our services, we do use cookies.
But get used, this is what most of modern web do!
However we have to warn you since we are obligated to so due to EU laws.

By continuing to use this site, you agree to allow us to store cookies on your computer. :)
And no, we will not eat your computer nor you will be able to eat those cookies :P

Sign in to follow this  
Followers 0

DDoS/DoS Attack Prevention, tracking and stopping

3 posts in this topic

First read this post, then continue reading --> LINK

Prevention and response


Firewalls have simple rules such as to allow or deny protocols, ports or IP addresses. Some DoS attacks are too complex for today's firewalls, e.g. if there is an attack on port 80 (web service), firewalls cannot prevent that attack because they cannot distinguish good traffic from DoS attack traffic. Additionally, firewalls are too deep in the network hierarchy. Routers may be affected even before the firewall gets the traffic. Nonetheless, firewalls can effectively prevent users from launching simple flooding type attacks from machines behind the firewall.

Some stateful firewalls, like OpenBSD's pF, can act as a proxy for connections: the handshake is validated (with the client) instead of simply forwarding the packet to the destination. It is available for other BSDs as well. In that context, it is called "synproxy".


Most switches have some rate-limiting and ACL capability. Some switches provide automatic and/or system-wide rate limiting, traffic shaping, delayed binding (TCP splicing), deep packet inspection and Bogon filtering (bogus IP filtering) to detect and remediate denial of service attacks through automatic rate filtering and WAN Link failover and balancing.

These schemes will work as long as the DoS attacks are something that can be prevented by using them. For example SYN flood can be prevented using delayed binding or TCP splicing. Similarly content based DoS can be prevented using deep packet inspection. Attacks originating from dark addresses or going to dark addresses can be prevented using Bogon filtering. Automatic rate filtering can work as long as you have set rate-thresholds correctly and granularly. Wan-link failover will work as long as both links have DoS/DDoS prevention mechanism.


Similar to switches, routers have some rate-limiting and ACL capability. They, too, are manually set. Most routers can be easily overwhelmed under DoS attack. If you add rules to take flow statistics out of the router during the DoS attacks, they further slow down and complicate the matter. Cisco IOS has features that prevent flooding, i.e. example settings.

Application front end hardware

Application front end hardware is an intelligent hardware placed on the network before traffic reaches the servers. It can be used on networks in conjunction with routers and switches. Application front end hardware analyzes data packets as they enter the system, and then identifies them as priority, regular, or dangerous. There are more than 25 bandwidth management vendors. Hardware acceleration is key to bandwidth management.

IPS based prevention

Intrusion-prevention systems (IPS) are effective if the attacks have signatures associated with them. However, the trend among the attacks is to have legitimate content but bad intent. Intrusion-prevention systems which work on content recognition cannot block behavior-based DoS attacks.

An ASIC based IPS can detect and block denial of service attacks because they have the processing power and the granularity to analyze the attacks and act like a circuit breaker in an automated way.

A rate-based IPS (RBIPS) must analyze traffic granularly and continuously monitor the traffic pattern and determine if there is traffic anomaly. It must let the legitimate traffic flow while blocking the DoS attack traffic.

Prevention via proactive testing

Test platforms such as Mu Dynamics' Service Analyzer are available to perform simulated denial-of-service attacks that can be used to evaluate defensive mechanisms such IPS, RBIPS, as well as the popular denial-of-service mitigation products from Arbor Networks. An example of proactive testing of denial-of-service throttling capabilities in a switch was performed in 2008: The Juniper EX 4200 switch with integrated denial-of-service throttling was tested by Network Test and the resulting review was published in Network World.

Blackholing and sinkholing

With blackholing, all the traffic to the attacked DNS or IP address is sent to a "black hole" (null interface, non-existent server, ...). To be more efficient and avoid affecting your network connectivity, it can be managed by the ISP.

Sinkholing routes to a valid IP address which analyzes traffic and reject bad ones. Sinkholing is not efficient for most severe attacks.

Clean pipes

All traffic is passed through a "cleaning center" via a proxy, which separates "bad" traffic (DDoS and also other common internet attacks) and only sends good traffic beyond to the server. The provider needs central connectivity to the Internet to manage this kind of service.

Prolexic and Verisign are examples of providers of this service.

Side effects of DoS attacks


In computer network security, backscatter is a side-effect of a spoofed denial of service (DoS) attack. In this kind of attack, the attacker spoofs (or forges) the source address in IP packets sent to the victim. In general, the victim machine can not distinguish between the spoofed packets and legitimate packets, so the victim responds to the spoofed packets as it normally would. These response packets are known as backscatter.

If the attacker is spoofing source addresses randomly, the backscatter response packets from the victim will be sent back to random destinations. This effect can be used by network telescopes as indirect evidence of such attacks.

The term "backscatter analysis" refers to observing backscatter packets arriving at a statistically significant portion of the IP address space to determine characteristics of DoS attacks and victims.

An educational animation describing such backscatter can be found on the animations page maintained by the Cooperative Association for Internet Data Analysis.

How to stop DDOS attacks and their variants.

1. SYN Floods

You should know that when a client and a server want to transmit data over the TCP protocol, a three-way handshake occurs:

The client asks for a connection with a SYN (synchronize) package

The server replies to the client with a SYN-ACK (syn-acknowledgments)

The client sends a third package as an ACK and the transmission of the data starts.

The SYN flood works by sending SYN packets from false IP addresses (IP spoofing). The server replies to that false IP address with an SYN-ACK and then waits for ACK. Doing this many times will cause the server to end up in the impossibility of opening a new connection, creating a network congestion.

Another SYN flood attack involves sending a packet to the server, spoofed with the server's address (let's say the server's IP is then you send a SYN packet from to Repeating this many times will make the server sending SYN-ACK and ACK to itself, blocking it.

Patches to this kind of attack used a connection number limit from the same source/timeframe. SYN cookies also hold down the handling of the packets until the sender's IP address is verified.

2. SMURF attacks

In this kind of attacks a massive amount of ping traffic (ICMP echos) is sent to the broadcast address of the network. The source IP address is spoofed to look like the target's. If this traffic is forwarded to the network, all hosts will reply with an echo to the target, believing that they receive an echo request (PING) from it. In a large networks, a targeted server for example can be flooded by hundreds of replies at once. By sending the spoofed packet several times, the server will be flooded until it crashes from the overload.

This kind of attacks were mostly patched by making the routers not forwarding broadcast directed traffic to the network.

3. LAND attacks

LAND attacks take advantage of opened network services on the target. By using a port sniffer, opened ports and services are found out. Then spoofed packages are sent with IP address source the same as IP address destination (server's address) to make it reply to itself. Let's say for example that it uses SNMP (simple network management protocol - service used to report network and system's usage). By making a SNMP service to reply to itself continuously it finally crashes.

4. Ping of death

This type of DoS attack takes advantage of a known issue with Windows 9x and older NT stations, as well as Linux prior to 2.0.32. Many routers and printers older then 1998 are vulnerable to this too.

It works by sending a malformed format of a ping packet. Usually, ping packets are small-sized (like 32bytes or 64bytes by default). Older Operating Systems and other devices could not handle ping larger than the maximum IP packet size of 65535 bytes (defined by RFC 791). By sending a large packet or a malformed one, any system that doesn't know how to handle it crashes (eg. in Windows 9x a blue screen of death was generated).

Patches are available on the web for any old operating systems or devices.

5. Ping flooding

This is probably the simplest DoS attack that exists. It is also the most used. It works by overwhelming the target with echo requests (pings) having large packets. The target has it's bandwidth occupied by these requests already and floods itself by starting to reply back. Of course, the attacker must have a larger bandwidth than the target (for example flooding a dial-up user from a 1Mbps connection).

With the increase of the servers' bandwidth, this type of attacks became useless for an ADSL user for instance.

The "problem" was solved by using multiple hosts, creating the first DDoS attacks (distributed denial of service).

DDoS attacks work by owning let's say 50 boxes each with 1Mbps bandwidth. Then the attacker uses all of them to ping flood the target, creating a great amount of traffic on the host.

Stacheldraht for example is a console that connects to owned boxes running Stacheldraht server. It then coordinates the attacks from a single point.

The solution to this type of attacks is the firewall, which filters any echo replies from being sent. Of course, firewalls can be crashed as well.

6. Fraggle attacks

A fraggle attack takes place when an attacker send massive amount of UDP echo data to network broadcast addresses, using a the target's IP as the packet's source. All hosts reply to the target, flooding it. It usually uses UDP PORT 7 (echo). This code was written by the same person who written the smurf attack.

7. Teardrop attacks

This attack involves packets sent by the attacker to the target with oversized payloads. This exploits a bug in the TCP/IP protocol

stack, crashing the system. Only Windows 3.11, 95 and Linux prior to 2.0.32 were vulnerable to this kind of attack.

8. Other type of attacks

Another type of attacks involves application flooding, like IRC bot raw line which usually crash Windows boxes running mIRC or any other client. These attacks are based on a greater number of raw socket transactions than a computer can handle.

How to stop a DDoS attack?

- Dynamic IP (home users, some servers, etc)

The easiest way is to reset your router and/or internet connection so your IP should automatically change so attacker would not be able to touch you until he finds out your new IP address.

If you are not able to stop DDoS attack using this way (unable to change IP, etc), contact your ISP.

- Static IP (most servers, relays etc)

The truth of the matter is that unfortunately, there isn't a damn thing you can do that will stop a serious distributed denial of service (DDoS) attack. There are though some ways to try to deal with them.

Imagine a shopping mall. By definition, anybody can enter the mall and then browse the shops. It is public. The shops are expecting people to come by, look at the displays, maybe enter and then buy things.

In the mall, there is a shopkeeper, who sells, say, computers. Let's call him Jim. He wants people to come by and see the computers and be enticed into buying them. Jim is the nice guy in our story.

Let there be Bob. Bob is a disgruntled nihilist who hates Jim. Bob would go to great lengths to make Jim unhappy, e.g. disrupting Jim's business. Bob does not have many friends, but he is smart, in his own twisted way. One day, Bob spends some money to make the local newspaper publish an ad; the ad states, in big fonts and vivid colours, that Jim runs a great promotion at the occasion of his shop's tenth birthday: the first one hundred customers who enter the shop will receive a free iPad. In order to cover his tracks, Bob performs his dealings with the newspaper under the pseudonym of "bob" (which is his name, but spelled backwards).

The next day, of course, the poor Jim is submerged by people who want a free iPad. The crowd clogs Jim's shop but also a substantial part of the mall, which becomes full of disappointed persons who begin to understand that there is no such thing as a free iPad. Their negativeness makes them unlikely to buy anything else, and in any way they cannot move because of the press of the crowd, so business in the mall stops altogether. Jim becomes highly unpopular, with the ex-iPad-cravers, but also with his shopkeeper colleagues. Bob sniggers.

At this point, Jim contacts the mall manager Sarah. Sarah decides to handle the emergency by calling the firemen. The firemen come with their shining helmets, flashing trucks, screaming sirens and sharp axes, and soon convince the crowd to disperse. Then, Sarah calls her friend Gunther. Gunther is a son of German immigrants, a pure product of the US Melting Pot, but more importantly he is a FBI agent, in charge of the issue. Gunther is smart, in his own twisted way. He contacts the newspaper, and is first puzzled, but then has an intuitive revelation: ah-HA! "bob" is just "Bob" spelled backwards ! Gunther promptly proceeds to arrest Bob and send him meet his grim but legal fate before the county Judge.

Finally, in order to avoid further issues with other nihilists who would not be sufficiently deterred by the vision of Bob's dismembered corpse put on display in front of the mall, Sarah devises a mitigation measure: she hires Henry and Herbert, two mean-looking muscular young men, and posts them at the mall entries. Henry and Herbert are responsible for blocking access should a large number of people try to come in, beyond a given threshold. If a proto-Bob strikes again, this will allow the management of the problem on the outside, in the parking lot, where space is not lacking and crowd control much easier.

Morality: a DDoS cannot be prevented, but its consequences can be mitigated by putting proactive measures, and perpetrators might be deterred through the usual, historically-approved display of muscle from law enforcement agencies. If botnets become too easy to rent, predictable consequences include increased police involvement, proactive authentication of users at infrastructure level, shutting off of the most disreputable parts of the network (in particular Internet access for the less cooperative countries), and a heavy dose of disgruntlement and sadness at the loss of a past, more civilized age.


Stopping DDoS attack is possible only if it comes from one or few IP addresses because you can identify junk and high load from those IP-s, and then you can black list them, so their request will be ignored.

If DDoS attacks come from many IP-s, which is in case of LOIC and botnet, you can't do almost nothing to stop it by yourself.

You can give a try to (D)DoS Deflate, a small program which in most cases can detect and stop attacks.

Also you can try downloading those firewalls:

1st. Zonealarm firewall

2nd. Sygate

Share this post

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  
Followers 0