5.1 Denial of Service and DDoS Attacks
Key Takeaways
- A Denial-of-Service (DoS) attack comes from one source; a Distributed DoS (DDoS) attack uses a botnet of many compromised hosts coordinated by a command-and-control (C2) channel.
- DDoS attacks split into three families: volumetric (bandwidth, measured in bits/sec), protocol/state-exhaustion (measured in packets/sec), and application-layer/Layer-7 (measured in requests/sec).
- A SYN flood is a protocol attack that exhausts a server's TCP connection (backlog) table with half-open connections by never completing the three-way handshake.
- Reflection/amplification abuses spoofed-source UDP queries to stateless services: DNS (~28-54x), NTP monlist (~556x), and memcached (up to ~51,000x) reflect huge replies onto the victim.
- Core countermeasures: SYN cookies, rate limiting, ingress/egress filtering (BCP 38) against spoofing, anycast scrubbing services, and disabling open resolvers/monlist.
DoS vs. DDoS and the Botnet Model
A Denial-of-Service (DoS) attack makes a system, service, or network resource unavailable to its legitimate users by overwhelming it with traffic or by exploiting a flaw that crashes or hangs it. A single attacking machine performs a classic DoS, which is easy to trace and block by its source IP. A Distributed Denial-of-Service (DDoS) attack multiplies that effect by using a botnet — a large collection of compromised hosts ("bots" or "zombies") infected with malware and steered by a command-and-control (C2) server.
Because traffic arrives from thousands of geographically dispersed, often legitimate-looking IP addresses, DDoS is far harder to filter than single-source DoS.
Modern botnets frequently recruit poorly secured IoT devices (the 2016 Mirai botnet enslaved IP cameras and DVRs to launch terabit-scale floods). The attacker rarely sources packets directly; instead the handler/C2 tier issues commands, the agent/zombie tier generates the flood, and the victim absorbs it. Recognizing this three-tier handler–agent–victim structure is a recurring CEH exam point.
The Three DDoS Categories
CEH classifies DDoS attacks by the resource they exhaust. Memorize the unit of measurement for each — it is a frequent distractor on the exam.
| Category | OSI Layer | Goal / Resource Exhausted | Measured In | Example Vectors |
|---|---|---|---|---|
| Volumetric | L3/L4 | Saturate bandwidth | Bits per second (bps) | UDP flood, ICMP (Ping) flood, DNS/NTP amplification |
| Protocol / State-exhaustion | L3/L4 | Exhaust connection tables / state on servers, firewalls, load balancers | Packets per second (pps) | SYN flood, ACK flood, Ping of Death, Smurf, fragmentation |
| Application-layer (Layer 7) | L7 | Exhaust app/server compute (CPU, threads, DB) | Requests per second (rps) | HTTP GET/POST flood, Slowloris, low-and-slow attacks |
Volumetric attacks simply fill the pipe so no legitimate packet gets through. Protocol attacks are sneakier: a server handling 10 Gbps of normal traffic can be downed by a 500 Mbps SYN flood because its connection (backlog) table fills long before bandwidth is the bottleneck. Application-layer attacks mimic real users — a slow trickle of valid-looking HTTP requests (Slowloris holds connections open with partial headers) — making them the hardest to distinguish from legitimate load.
SYN Flood and Other Protocol Attacks
The SYN flood is the canonical protocol attack and exploits the TCP three-way handshake (SYN → SYN/ACK → ACK). The attacker sends a stream of SYN packets, usually with spoofed source IPs, but never returns the final ACK. Each SYN forces the server to allocate a half-open connection and reply with SYN/ACK, filling the backlog queue until it can accept no new legitimate connections. The primary defense is SYN cookies: the server encodes connection state into the initial sequence number it returns, allocating no memory until a valid ACK arrives — defeating the resource exhaustion.
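To make the SYN-cookie idea concrete, here is an added example (not code from the original page, and not any kernel's implementation) that encodes the server's half-open state into the initial sequence number with a keyed MAC and recovers it from the client's final ACK. The secret key, the 5-bit time counter, the 3-bit MSS index, the 24-bit MAC width and the sample addresses are all constructed assumptions for illustration; a real stack uses its own layout and rotates its secret.

```python
import hmac
import hashlib

# Constructed demo secret; a real stack rotates this and never hard-codes it.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"

# The cookie carries an index into a small MSS table, not the raw MSS value.
MSS_TABLE = [536, 1300, 1440, 1460]


def _mac(src, sport, dst, dport, counter, mss_idx):
    """24-bit keyed MAC over the 4-tuple, time counter and MSS index."""
    msg = f"{src}:{sport}>{dst}:{dport}|{counter}|{mss_idx}".encode()
    digest = hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(src, sport, dst, dport, mss, minute):
    """Build the ISN sent in SYN/ACK. No per-connection memory is allocated."""
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    # Assumed 32-bit layout: 5-bit time counter | 3-bit MSS index | 24-bit MAC
    return (((minute & 0x1F) << 27)
            | (mss_idx << 24)
            | _mac(src, sport, dst, dport, minute & 0x1F, mss_idx))


def check_syn_cookie(src, sport, dst, dport, ack_num, minute, max_age=1):
    """Validate the final ACK. Returns the negotiated MSS, or None if forged or stale."""
    cookie = (ack_num - 1) & 0xFFFFFFFF          # the client acknowledges ISN + 1
    counter = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    mac = cookie & 0xFFFFFF
    if ((minute - counter) & 0x1F) > max_age:    # cookie too old: reject
        return None
    if mac != _mac(src, sport, dst, dport, counter, mss_idx):
        return None                              # wrong 4-tuple, guessed or replayed
    return MSS_TABLE[mss_idx]


def simulate():
    """Constructed flood: 10,000 spoofed SYNs that never ACK, then one real client."""
    minute = 7            # constructed time-counter value
    backlog = {}          # half-open table; stays empty because state lives in the cookie
    for i in range(10_000):
        make_syn_cookie(f"203.0.113.{i % 250}", 40_000 + i, "198.51.100.10", 80, 1460, minute)
        # Nothing is stored in backlog: the spoofed SYN costs one SYN/ACK and no memory.
    # A legitimate client returns ACK = ISN + 1 and is accepted.
    isn = make_syn_cookie("192.0.2.5", 51515, "198.51.100.10", 80, 1460, minute)
    mss = check_syn_cookie("192.0.2.5", 51515, "198.51.100.10", 80, isn + 1, minute)
    # A bare ACK with a guessed number (no matching SYN/ACK) is rejected.
    forged = check_syn_cookie("192.0.2.6", 1234, "198.51.100.10", 80, 0x12345678, minute)
    return {"backlog_entries": len(backlog), "legit_mss": mss, "forged_accepted": forged is not None}


if __name__ == "__main__":
    print(simulate())
```

The trade-off worth knowing: because the cookie has only 32 bits, the server cannot remember TCP options it would normally keep in the half-open entry (window scaling, SACK permitted), so stacks typically enable cookies only once the backlog is under pressure and recover those options from the TCP timestamp option when present.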
Other protocol-layer classics tested by CEH:
- Ping of Death — an oversized/malformed ICMP packet (>65,535 bytes once reassembled) crashes legacy stacks.
- Smurf attack — ICMP echo requests with the victim's spoofed source sent to a network broadcast address, so every host replies to the victim (a reflection technique).
- Fraggle attack — the UDP equivalent of Smurf, targeting echo/chargen ports.
- Teardrop — overlapping IP fragments with bad offsets that crash reassembly on old systems.
Reflection and Amplification
Reflection attacks spoof the victim's IP as the source of requests sent to third-party servers, so the replies land on the victim. Amplification adds leverage: the attacker picks UDP services whose responses are far larger than the request, multiplying their firepower. Because UDP is connectionless, no handshake validates the spoofed source. The Bandwidth Amplification Factor (BAF) is the response-to-request size ratio.
| Reflector / Vector | Protocol/Port | Approx. Amplification | Abused Feature |
|---|---|---|---|
| DNS | UDP/53 | ~28–54x | Large ANY/TXT responses from open resolvers |
| NTP | UDP/123 | ~556x | monlist command returns last 600 clients |
| SSDP | UDP/1900 | ~30x | UPnP discovery replies |
| memcached | UDP/11211 | up to ~51,000x | Exposed cache servers (CVE-2018-1000115) |
| CLDAP | UDP/389 | ~56–70x | Connectionless LDAP queries |
A tiny spoofed request thus yields a massive flood. The 2018 GitHub attack (1.35 Tbps at the time) used memcached reflection.
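Every reflection attack above depends on a spoofed source address leaving some network unchecked, which is exactly what BCP 38 / RFC 2827 source-address validation at the site edge prevents. The following is an added example (not from the original page, and not any vendor's ACL syntax) that applies the two BCP 38 checks to constructed packets: egress packets must carry a source inside the site's own prefixes, and ingress packets must not claim an internal source. The prefixes, the `Packet` record and all addresses are constructed assumptions drawn from documentation ranges.

```python
import ipaddress
from dataclasses import dataclass

# Constructed: the prefixes this edge router is authoritative for (the "inside").
SITE_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"),
                 ipaddress.ip_network("198.51.100.0/24")]


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    direction: str   # "egress": inside -> Internet, "ingress": Internet -> inside


def is_inside(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)   # raises ValueError on a malformed address
    return any(ip in net for net in SITE_PREFIXES)


def sav_verdict(pkt: Packet) -> str:
    """BCP 38 / RFC 2827 source-address validation at the site edge."""
    try:
        inside = is_inside(pkt.src)
    except ValueError:
        return "DROP: malformed source address"
    if pkt.direction == "egress" and not inside:
        # A spoofed query for a reflector would be caught here, before it leaves.
        return "DROP: egress source not in site prefixes (spoofed)"
    if pkt.direction == "ingress" and inside:
        return "DROP: ingress packet claims an internal source"
    return "PERMIT"


def filter_batch(packets):
    """Split a batch into permitted packets and (packet, reason) drops."""
    permitted, dropped = [], []
    for p in packets:
        verdict = sav_verdict(p)
        (permitted if verdict == "PERMIT" else dropped).append(p if verdict == "PERMIT" else (p, verdict))
    return permitted, dropped


def demo_batch():
    """Constructed traffic: reflection attempts leaving the site beside legitimate flows."""
    return [
        # Spoofed DNS query: source is the victim 203.0.113.7, not one of our addresses
        Packet("203.0.113.7", "203.0.113.53", "udp", 53, "egress"),
        # Spoofed NTP query aimed at the same victim
        Packet("203.0.113.7", "203.0.113.123", "udp", 123, "egress"),
        # Legitimate DNS query from an inside host
        Packet("192.0.2.10", "203.0.113.53", "udp", 53, "egress"),
        # Inbound packet pretending to come from our own network
        Packet("198.51.100.5", "192.0.2.10", "udp", 11211, "ingress"),
        # Ordinary inbound reply
        Packet("203.0.113.53", "192.0.2.10", "udp", 34567, "ingress"),
        # Garbage source field
        Packet("not-an-address", "192.0.2.10", "udp", 80, "ingress"),
    ]


if __name__ == "__main__":
    ok, bad = filter_batch(demo_batch())
    print(f"permitted={len(ok)} dropped={len(bad)}")
    for pkt, why in bad:
        print(f"  {pkt.src} -> {pkt.dst}/{pkt.dport} {why}")
```

The caveat a defender should keep in mind: this control works only where it is deployed near the spoofing source. The victim's own ingress check catches just the packets forged with its internal addresses; the reflected DNS, NTP or memcached replies arrive with genuine source addresses and pass it, which is why the page pairs BCP 38 with disabling open resolvers and upstream scrubbing.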
Tools and Countermeasures
CEH-tested DoS/DDoS tools include hping3 (crafts custom TCP/UDP/ICMP packets, --flood mode for SYN floods and spoofed sources), LOIC and HOIC (point-and-click flooders used by hacktivists), Slowloris (Layer-7 low-and-slow), and HULK/GoldenEye (HTTP floods that randomize requests to defeat caching). Stress tools like R-U-Dead-Yet (R.U.D.Y.) perform slow POST attacks.
Detection relies on traffic-anomaly baselining: sudden spikes in pps/bps, abnormal SYN-to-ACK ratios, or many half-open connections (netstat showing SYN_RECV). Countermeasures, mapped to the attack type:
- SYN floods → SYN cookies, reduce SYN-RECEIVED timeout, increase backlog.
- Spoofing/reflection → ingress/egress filtering (BCP 38 / RFC 2827) so packets with forged source addresses are dropped at the network edge; disable open DNS resolvers and NTP monlist.
- Volumetric → upstream scrubbing/anycast services (Cloudflare, Akamai, AWS Shield) absorb and clean traffic before it reaches the origin.
- Application-layer → WAF rate limiting, CAPTCHA challenges, connection timeouts.
- General → rate limiting, blackhole/sinkhole routing, and load balancing.
Defense-in-depth combines these; no single control stops all three DDoS categories.
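The half-open-connection check described under detection above can be automated against a connection-table snapshot. This is an added example, not code from the original page: it parses constructed `netstat -tan`-style lines, counts SYN_RECV entries against ESTABLISHED sessions, and distinguishes a single-source DoS from the many-source pattern of a DDoS or spoofed flood. The alert thresholds, the snapshot builder and all addresses are assumptions for illustration and should be tuned to the host's own baseline.

```python
import re
import ipaddress
from collections import Counter

# Proto Recv-Q Send-Q Local:port Foreign:port State (netstat -tan column order)
LINE_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)$")

# Assumed thresholds; replace with values derived from your own baseline.
HALF_OPEN_ALERT = 100        # SYN_RECV entries that warrant an alert
DISTRIBUTED_SOURCES = 50     # distinct sources above which the flood looks distributed


def parse_connections(snapshot):
    """Turn netstat-style text into dicts; lines that do not match are skipped."""
    conns = []
    for line in snapshot.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            conns.append({"local": m[2], "lport": int(m[3]),
                          "remote": m[4], "rport": int(m[5]), "state": m[6]})
    return conns


def analyze(snapshot):
    """Summarize half-open load and classify the source pattern."""
    conns = parse_connections(snapshot)
    states = Counter(c["state"] for c in conns)
    half_open = [c for c in conns if c["state"] == "SYN_RECV"]
    sources = Counter(c["remote"] for c in half_open)
    nets = Counter(str(ipaddress.ip_network(c["remote"] + "/24", strict=False))
                   for c in half_open)
    established = states.get("ESTABLISHED", 0)
    # A flood is suspected when half-open entries are both numerous and dwarf real sessions.
    suspected = len(half_open) >= HALF_OPEN_ALERT and len(half_open) > 5 * established
    if not suspected:
        profile = "normal"
    elif len(sources) >= DISTRIBUTED_SOURCES:
        profile = "distributed or spoofed sources"
    else:
        profile = "single/few sources"
    return {
        "established": established,
        "half_open": len(half_open),
        "distinct_sources": len(sources),
        "top_nets": nets.most_common(3),
        "syn_flood_suspected": suspected,
        "profile": profile,
    }


def build_snapshot(n_half_open):
    """Constructed netstat -tan output: two real sessions plus n half-open connections."""
    lines = ["tcp 0 0 198.51.100.10:80 192.0.2.5:51515 ESTABLISHED",
             "tcp 0 0 198.51.100.10:80 192.0.2.6:52001 ESTABLISHED"]
    for i in range(n_half_open):
        # Alternate between two constructed source ranges to mimic dispersed sources
        src = f"203.0.113.{i % 250}" if i % 2 == 0 else f"198.18.{i // 250}.{i % 250}"
        lines.append(f"tcp 0 0 198.51.100.10:80 {src}:{40000 + i} SYN_RECV")
    return "\n".join(lines)


if __name__ == "__main__":
    print(analyze(build_snapshot(1)))     # quiet host
    print(analyze(build_snapshot(300)))   # host under a SYN flood
```

On a live system the same logic runs over the output of `netstat -tan` or `ss -tan` (adjust the regex to the tool's column layout), and the `top_nets` list is what you hand to the upstream provider or scrubbing service when asking for a filter.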
Review Questions
- A server with ample bandwidth becomes unreachable after receiving a stream of TCP SYN packets from spoofed addresses, none of which complete the handshake. Which countermeasure most directly defeats this attack?
- Which DDoS category is correctly paired with the unit it is typically measured in?
- An attacker spoofs the victim's IP and sends small queries to open NTP servers, which reply with the 'monlist' output. What is this technique called and why is it effective?