Single Source Attack
Origin: One attacking system
Bandwidth: Limited to attacker's connection
Mitigation: Relatively easier to block
Detection: Single IP pattern
Example: Single server sending SYN floods
Volume-Based Attacks: Consume bandwidth through sheer packet volume (measured in Gbps/Tbps)
Protocol Attacks: Exploit protocol vulnerabilities to exhaust server resources (measured in packets/second)
Application Layer Attacks: Target web applications with seemingly legitimate requests (measured in requests/second)
Attack Objectives
Service Disruption: Make legitimate services unavailable to users
Resource Exhaustion: Consume bandwidth, CPU, memory, or connections
Distraction: Hide other malicious activities during chaos
Extortion: Demand ransom to stop the attack
Competitive Sabotage: Damage business rivals
Political Statement: Hacktivism and protest
Volumetric Attacks
Overwhelm network bandwidth with massive traffic volume
UDP Flood
Sends huge numbers of UDP packets to random ports, forcing the target to answer each one with an ICMP "destination unreachable" response
ICMP Flood (Ping Flood)
Overwhelms target with ICMP Echo Request packets faster than it can respond
Ping of Death
Sends malformed or oversized ping packets exceeding maximum IP packet size (65,535 bytes)
Smurf Attack
Sends ICMP echo requests to a network broadcast address with the victim's IP spoofed as the source, causing every host on that network to reply to the victim
Pulse Wave
Alternating bursts of high-volume traffic to evade detection thresholds
DNS/NTP Amplification
Exploits public servers to amplify attack traffic 50-200x using spoofed requests
Protocol Attacks
Exploit weaknesses in network protocol stack to exhaust server resources
SYN Flood
Sends TCP SYN packets without completing handshake, exhausting connection table
ACK Flood
Sends ACK packets to overwhelm firewall state tables and processing
Fragmentation Attack
Sends fragmented packets that consume resources during reassembly
RST Attack
Injects RST packets to terminate legitimate TCP connections
Application Layer Attacks
Target web applications with seemingly legitimate but resource-intensive requests
Slowloris
Opens many HTTP connections and sends partial requests very slowly to exhaust connection pool
HTTP Flood
Sends legitimate-looking HTTP GET/POST requests at high rate to overwhelm web server
Slow Read Attack
Reads server responses extremely slowly to keep connections open indefinitely
Hash Collision
Sends crafted input whose keys all land in the same hash table bucket, degrading lookups to linear time and exhausting CPU
Advanced Attack Techniques
Multi-Vector Attacks
Combines volumetric, protocol, and application layer attacks simultaneously to overwhelm multiple defense layers. Example: SYN flood + HTTP flood + DNS amplification occurring concurrently makes mitigation extremely difficult.
Permanent DoS (PDoS/Phlashing)
Damages hardware so severely it requires replacement. Exploits firmware vulnerabilities to "brick" devices (routers, IoT devices). Also called "phlashing" - corrupting firmware beyond repair.
Reflected/DRDoS Attacks
Uses third-party servers as reflectors to hide attack source. Attacker spoofs victim's IP and sends requests to public servers (DNS, NTP, SNMP) which respond to victim. Provides anonymity and amplification.
Botnet Architecture & Command Structure
Understanding zombie networks and distributed attack coordination
Botnet Components
Bot Master
Attacker controlling the entire botnet through command and control infrastructure
C&C Server (Command & Control)
Server distributing commands to zombies, often using IRC, HTTP, or P2P protocols
Zombie/Bot
Compromised computer infected with malware, awaiting attack instructions
Target
Victim server/network receiving coordinated traffic from all zombies simultaneously
C&C Communication Models
Centralized (IRC/HTTP)
Pros: Simple, fast command distribution
Cons: Single point of failure, easy to detect and shut down
Example: Traditional IRC-based botnets
Peer-to-Peer (P2P)
Pros: Resilient, no central server to take down
Cons: Slower propagation, complex to maintain
Example: Storm botnet, Mirai variants
Domain Generation Algorithm (DGA)
Pros: Constantly changing C&C domains, hard to block
Cons: Predictable patterns can be detected
Example: Conficker, Cryptolocker
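The "predictable patterns" weakness of DGA domains is what simple detection heuristics key on. The following is an added example (not from this page or any named botnet) that scores second-level labels by length, character entropy and vowel ratio; the domain list, thresholds and the assumption of a single-label TLD are all constructed for illustration.

```python
import math
from collections import Counter

# Constructed sample: the first three resemble ordinary hostnames, the rest look machine-generated.
SAMPLE_DOMAINS = [
    "mail.example.com",
    "updates.example.org",
    "cdn.example.net",
    "xk3j9qzlmwvt.com",
    "qpwoeirutyalskdjfhg.net",
    "zzqvkxjbnmplrt.info",
]

VOWELS = set("aeiou")


def shannon_entropy(text):
    """Bits of entropy per character of the string (0.0 for a single repeated character)."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(domain):
    """Label left of the TLD; assumes a single-label TLD (a real tool would use a public suffix list)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_features(domain):
    label = second_level_label(domain)
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / max(len(letters), 1)
    return {"label": label, "length": len(label),
            "entropy": shannon_entropy(label), "vowel_ratio": vowel_ratio}


def looks_like_dga(domain, min_len=10, max_entropy=3.3, min_vowel_ratio=0.25):
    """Heuristic verdict: long label that is either high-entropy or nearly vowel-free."""
    f = dga_features(domain)
    return f["length"] >= min_len and (f["entropy"] > max_entropy or f["vowel_ratio"] < min_vowel_ratio)


def flag_dga_candidates(domains):
    """Return the domains a resolver log reviewer should look at first."""
    return [d for d in domains if looks_like_dga(d)]


if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        print(d, dga_features(d), "SUSPICIOUS" if looks_like_dga(d) else "ok")
```

Thresholds like these produce false positives on legitimate random-looking names (CDN hostnames, hashes in subdomains), so in practice the score is combined with NXDOMAIN rates and client-side correlation rather than used alone.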
Famous Botnets
Mirai (2016): IoT botnet with 600K+ devices, attacked Dyn DNS causing widespread internet outage. Source code publicly released.
Zeus (2007-2014): Banking trojan botnet, millions of infections, focused on financial fraud but capable of DDoS.
Emotet (2014-2021): Polymorphic malware, evolved from banking trojan to botnet-as-a-service, taken down by global law enforcement.
Defense Mechanisms & Countermeasures
Network-Level Defenses
Rate Limiting
Restricts number of requests from single IP within time window (e.g., 100 req/min)
SYN Cookies
Prevents SYN flood by encoding connection state in sequence number, avoiding state storage
Ingress Filtering
Blocks packets with spoofed source IPs at network edge (BCP 38)
Blackhole Routing
Drops attack traffic at ISP level before reaching target network
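The SYN cookie entry above describes encoding connection state in the sequence number; the following added example (not from this page or any real TCP stack) shows a simplified cookie in the classic layout, 5 bits of time counter, 3 bits of MSS index and a 24-bit keyed hash, so the server stores nothing until the handshake completes. The secret key, MSS table and 64-second counter granularity are assumptions made for the example.

```python
import hashlib
import hmac
import socket
import struct

# Constructed secret for this example; a real stack uses a random key generated at boot.
SECRET_KEY = b"example-syn-cookie-secret"
# MSS values the server is willing to encode in the 3 MSS bits (assumed table, 8 entries).
MSS_TABLE = [536, 1024, 1220, 1300, 1440, 1460, 4312, 8960]


def _mac24(src_ip, dst_ip, src_port, dst_port, counter):
    """24-bit keyed hash over the connection 4-tuple and the time counter."""
    msg = struct.pack("!4s4sHHI", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                      src_port, dst_port, counter)
    return int.from_bytes(hmac.new(SECRET_KEY, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(src_ip, dst_ip, src_port, dst_port, client_mss, now):
    """Initial sequence number for the SYN-ACK; nothing about the SYN is kept in memory."""
    counter = (int(now) // 64) & 0x1F                       # 5 bits, 64 s granularity
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    return (counter << 27) | (mss_idx << 24) | _mac24(src_ip, dst_ip, src_port, dst_port, counter)


def check_syn_cookie(src_ip, dst_ip, src_port, dst_port, ack_num, now, max_age=2):
    """Validate the handshake's final ACK. Returns the MSS to use, or None if bad or stale."""
    cookie = (ack_num - 1) & 0xFFFFFFFF                     # client acknowledges ISN + 1
    counter, mss_idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    current = (int(now) // 64) & 0x1F
    if ((current - counter) & 0x1F) > max_age:              # cookie issued too long ago
        return None
    expected = _mac24(src_ip, dst_ip, src_port, dst_port, counter)
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None                                         # forged or corrupted cookie
    return MSS_TABLE[mss_idx]


if __name__ == "__main__":
    isn = make_syn_cookie("203.0.113.7", "198.51.100.10", 40000, 80, 1460, 1_000_000)
    print("ISN sent in SYN-ACK: 0x%08x" % isn)
    print("valid ACK  ->", check_syn_cookie("203.0.113.7", "198.51.100.10", 40000, 80, isn + 1, 1_000_005))
    print("stale ACK  ->", check_syn_cookie("203.0.113.7", "198.51.100.10", 40000, 80, isn + 1, 1_000_320))
```

The cost of this scheme is that only the few TCP options that fit in the cookie survive (here just the MSS), which is why real stacks enable cookies only once the SYN backlog is under pressure.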
Infrastructure Defenses
CDN (Content Delivery Network)
Distributes traffic across global edge servers (Cloudflare, Akamai, AWS CloudFront)
Scrubbing Centers
Specialized facilities that filter attack traffic and forward clean traffic to origin
Anycast Routing
Multiple servers share same IP, routing distributes attack across geographic locations
Overprovisioning
Maintain excess bandwidth capacity (2-3x normal) to absorb attack spikes
Application Defenses
WAF (Web Application Firewall)
Filters HTTP traffic based on rules, signatures, and behavioral analysis
CAPTCHA Challenges
Distinguishes humans from bots during suspected attack traffic
Connection Limits
Restricts concurrent connections per IP (defense against Slowloris)
JavaScript Challenges
Requires browser to execute JS before accessing site (filters simple bots)
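Connection limits work against Slowloris because the attack's signature is many connections per client that never finish sending headers. The following added example (not from this page or any web server) evaluates a constructed snapshot of open connections and reports which clients exceed a per-IP limit or hold several stalled partial requests; the snapshot, limits and timeout are assumptions for the example.

```python
from collections import defaultdict

# Constructed snapshot of a web server's connection table at time NOW (seconds).
NOW = 1_000_100
CONNECTIONS = [
    # (client_ip, opened_at, bytes_received, request_headers_complete)
    ("198.51.100.5", 1_000_098, 412, True),    # normal browser, request fully received
    ("198.51.100.5", 1_000_099, 390, True),
    ("192.0.2.44", 1_000_000, 5000, True),     # long-lived keep-alive, but complete
    ("192.0.2.44", 1_000_001, 4800, True),
    ("203.0.113.9", 1_000_010, 60, False),     # six connections, all stuck mid-header
    ("203.0.113.9", 1_000_012, 62, False),
    ("203.0.113.9", 1_000_015, 58, False),
    ("203.0.113.9", 1_000_020, 61, False),
    ("203.0.113.9", 1_000_030, 59, False),
    ("203.0.113.9", 1_000_040, 63, False),
]


def find_slow_clients(connections, now, max_per_ip=10, header_timeout=30, max_stalled=3):
    """Return {client_ip: reason} for clients whose connections should be dropped or throttled."""
    per_ip = defaultdict(list)
    for ip, opened, nbytes, done in connections:
        per_ip[ip].append((opened, nbytes, done))
    verdicts = {}
    for ip, conns in per_ip.items():
        # A stalled connection is one whose headers are still incomplete after header_timeout.
        stalled = [c for c in conns if not c[2] and now - c[0] > header_timeout]
        if len(conns) > max_per_ip:
            verdicts[ip] = "connection limit exceeded"
        elif len(stalled) >= max_stalled:
            verdicts[ip] = "slow partial requests"
    return verdicts


if __name__ == "__main__":
    for ip, reason in find_slow_clients(CONNECTIONS, NOW).items():
        print(f"{ip}: {reason}")
```

Note that the keep-alive client is not flagged even though its connections are older than the header timeout, because its requests completed; a naive "oldest connections first" policy would have dropped it instead of the attacker.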
Mitigation Flowchart
Best Practice: Defense in depth - layer multiple countermeasures (firewall + rate limiting + CDN + WAF) to ensure redundancy if one layer fails.
DDoS Attack Tools (Educational Awareness)
WARNING: These tools are for educational understanding only. Unauthorized use against systems you don't own is illegal and punishable under CFAA and international cybercrime laws.
LOIC (Low Orbit Ion Cannon)
Open-source stress testing tool, TCP/UDP/HTTP floods, GUI-based, used by Anonymous
HOIC (High Orbit Ion Cannon)
LOIC successor, HTTP floods with booster scripts, harder to detect
hping3
Command-line packet crafting tool, can perform SYN, ACK, UDP floods with spoofing
Slowloris
Python script for slow HTTP attacks, keeps connections open with minimal bandwidth
Metasploit Auxiliary
Contains DoS modules for testing (synflood, udpflood, slowloris)
GoldenEye
Python HTTP DoS tool, keeps connections alive, randomizes URL parameters
Historical DDoS Attacks
Major incidents that shaped cybersecurity landscape
February 2018
GitHub - Record-Breaking 1.35 Tbps
Memcached amplification attack exploiting UDP port 11211. The attack peaked at 1.35 Tbps and 126.9 million packets per second. It lasted only 20 minutes but set a new record. GitHub used Akamai Prolexic to mitigate within 10 minutes.
October 2016
Dyn DNS - Mirai Botnet Attack
Massive IoT botnet (cameras, DVRs, routers) attacked Dyn DNS infrastructure. Caused outages for Twitter, Netflix, Reddit, Airbnb, and major sites across US East Coast. Peak traffic exceeded 1.2 Tbps. Demonstrated IoT vulnerability at scale.
March 2013
Spamhaus - DNS Amplification 300 Gbps
Attack against anti-spam organization reached 300 Gbps using DNS amplification. So large it caused congestion on London Internet Exchange. Highlighted DNS resolver vulnerability and need for response rate limiting (RRL).
February 2000
MafiaBoy - Yahoo, eBay, Amazon
A 15-year-old Canadian launched SYN flood attacks against major websites. Yahoo was offline for hours; eBay, Amazon, and CNN were affected. First major demonstration of DDoS impact on e-commerce. Led to increased cybercrime legislation.
2007-2008
Estonia Cyberattacks
First nation-state level DDoS campaign. Government, banking, media sites targeted after Soviet war memorial relocation. Sustained attacks over weeks. Considered first cyberwar incident, led to NATO cyber defense initiatives.
September 2016
Krebs on Security - 620 Gbps
Security journalist Brian Krebs's site hit with 620 Gbps attack via IoT botnet after exposing DDoS-for-hire services. Akamai dropped free protection due to cost. Moved to Google Project Shield. Highlighted economics of DDoS mitigation.