24 JUL 2018

Dos and DDoS attacks: what are they?

DoS attacks: what are they

A DoS (Denial of Service) is an attack that aims to impede the supply or use of a service, making it unavailable or unusable to legitimate users.

There are various types of DoS attacks:

  • Some hacker attacks exploit a known vulnerability of a system, to crash it and make it unusable (Ping of Death is an attack of this type).
  • DoS attacks are more widespread and aim to saturate available resources (for example: space on the file system, bandwidth and memory). They are volumetric attacks: the attacker tries to generate a lot of  data to saturate the data structures of the target. To increase its effectiveness and power, attackers exploit multiple machines at the same time (for example, a botnet). In this way the DDoS (Distributed Denial of Service) attack was born.
  • The most common attacks can be directed to applications or to the network layer.
  • Today the so-called Multivector DDoS are very dangerous. They alternate different types of attacks in a scheme designed specifically to maximize the negative effects.


How to avoid and block a DDoS attack?

Sore spot. It depends on the type of attack. It is not always possible or easy to defend themselves or mitigate a DDoS attack. For some types, technical defenses (SYN COOKIES for example) or tools such as firewalls and IPS are possible. If the attack is volumetric and directed to the bandwidth, QoS techniques are often used to try to mitigate it or make it less effective. Vendors such as Imperva, Akamai or Cloudflare make available many services to protect web resources from DDoS attacks thanks to their specialization.


DoS and DDoS attacks: short story

The first DoS attack of history happened in 1974 by David Dennis, an adolescent student who had discovered a command to run on PLATO terminals (a sort of first network, of first multi-user platform) of CERL. The command discovered by Dennis (called “external” or “ext”) allowed interaction with external devices connected to the terminals, but if the terminal did not provide connected devices, the result was the terminal block that had to be turned off and on again to restore its functionality.

One of the first DDoS attacks, however, happened in August 1999. In this case, a hacker turned off the computer network of the University of Minnesota for 2 days using a tool called “Trinoo”. Trinoo was a network of compromised machines (called “Masters” and “Daemons”): the hacker sent a DoS instruction to some Masters which, in turn, transmitted the instructions to the hundreds of Daemons machines to initiate an UDP flood against the destination IP addresses.

DDoS attacks began to be more consistent in the 2000s when they involved many businesses activities, financial institutions and government agencies.

A few years later attacks on DNS servers started. DNS is the acronym of Domain Name Service, the service that translates the names of network nodes (hosts) in IP addresses.


Famous DoS and DDoS attacks

Many famous DoS and DDoS attacks have been registered. Reporting them all in this article is impossible, but we will mention some of them:


Morris worm

It was November 1988 when the university student Robert Tappan Morris, in order to measure Internet size, launched a worm that infected 60,000 nodes of the Arpanet network. However the launch of this worm was a mistake, in fact in the code there was an error that was not able to understand if the system was cleaned or infected and in doing so the virus was copied repeatedly on thousands of systems.

Robert Tappan Morris was the first person to be convicted of piracy in the United States of America.


Code Red

Code Red is a virus from July 2001. In just 14 hours it infected 359,104 servers. Code Red was even able to attack the White House website, but there was not a lot of damage because the IP address of the site was momentarily moved at the last moment.

Code Red attacked the computers that used the Microsoft IIS web server system. When a user arrived on a website hosted on a server victim of Code Red, he read the message: “Welcome to http://www.worm.com! Hacked by Chinese “.

Code Red used a Microsoft programming error in the Microsoft Internet Information Server (which contributed to indexing of web pages).


SQL Slammer

Even this attack exploited a vulnerability of Microsoft systems even though Microsoft had released the patch to correct this bug 6 months before, an update that was not done by users who underestimated the risks.

SQL Slammer was launched in January 2003 and in just 15 minutes infected thousands of servers worldwide. South Korea remained without Internet and mobile communications for several hours. Bank of America was a victim of the worm: users could not use its ATM machines for many hours. SQL Slammer was also responsible for canceled flights and interference with calls to 911.



Among the most recent DDoS attacks there is GitHub, a hosting service for software projects. It is one of the most recent – it occurred at the end of February 2018 – and, maybe, it is the biggest DDoS attack ever. The attack on GitHub exploited a security flaw in the memcached servers. The attack lasted 8 minutes and reached a peak of 1.35 Tbps of traffic by sending 126.9 million packets per second.



Another famous DDoS attack happened on October 2016 when the DynDNS provider (it connects the user to the requested site, like Amazon, Skype, Spotify, Netflix and Twitter) was brought to its knees by a DDoS attack. Initially the attack involved users on the east coast of United States, but two successive attacks involved multiple zones, leaving thousands of users without the possibility of connecting for a dozen hours to their favorite sites. The protagonist of the attack was the Mirai malware which infected various devices of the Internet of Things, in particular video recorders and cameras with components of the Chinese company “XiongMai Technology”. Thanks to an open source software, Mirai malware is able to find unsafe devices on the network and to connect to them by taking control of it using one of the 68 default credentials of the producers. Mirai can also count on the Universal Plug and Play (UPnP) protocol which for the most recent products is set by default without authentication, in this way a hacker can introduce himself without problems and without the need of IP addresses to the local network to which devices are connected.

Elaborated by Lucia D’Adamo, in collaboration with Alberto Fiore, supervised by Marco Pirrone