Types of DoS Attacks

DoS attacks come in many flavors, each of which is critical to your understanding of the nature of the DoS attack class.

Service Request Floods

In this form of DoS attack, a service such as a web server or web application is flooded with requests until all resources are used up. This would be the equivalent of calling someone’s phone over and over again so they could not answer any other calls due to their being occupied. When a single system is attacking another, it is tough to overwhelm the victim, but it can be done on smaller targets or unprepared environments.

Service request floods are typically carried out by setting up repeated TCP connections to a system. The repeated TCP connections consume resources on the victim’s system to the point of exhaustion.

SYN Attack/Flood

This type of attack exploits the three-way handshake with the intention of tying up a system. For this attack to occur, the attacker will forge SYN packets with a bogus source address. When the victim system responds with a SYN-ACK, it goes to this bogus address, and since the address doesn’t exist, it causes the victim system to wait for a response that will never come. This waiting period ties up a connection to the system as the system will not receive an ACK.

ICMP Flood Attack
An ICMP request requires the server to process the request and respond, thus consuming
CPU resources. Attacks on the ICMP protocol include smurf attacks, ICMP floods, and
ping floods, all of which take advantage of this by flooding the server with ICMP requests
without waiting for the response.

Ping of Death

A true classic indeed; originating in the mid- to late-1990s, the Ping of Death was a ping packet that was larger than the allowable 64 K. Although not much of a significant threat today due to ping blocking, OS patching, and general awareness, back in its heyday the Ping of Death was a formidable and extremely easy-to-use DoS exploit.


A teardrop attack occurs when an attacker sends custom-crafted fragmented packets with offset values that overlap during the attempted rebuild. This causes the target machine to become unstable when attempting to rebuild the fragmented packets.


A smurf attack spoofs the IP address of the target machine and sends numerous ICMP echo request packets to the broadcast addresses of intermediary sites. The intermediary sites amplify the ICMP traffic back to the source IP, thereby saturating the network segment of the target machine.


A fraggle attack is a variation of a smurf attack that uses UDP echo requests instead of ICMP. It still uses an intermediary for amplification. Commonly a fraggle attack targets the UDP echo requests to the chargen (character generator) port of the intermediary systems via a broadcast request. Just as in a smurf attack, the attacker spoofs the victim’s IP address as the source. Each client that receives the echo to the chargen port will in turn generate a character to be sent to the victim. Once it’s received, the victim machine will echo back to the intermediary’s chargen port, thus restarting the cycle.


A land attack sends traffic to the target machine with the source spoofed as the target machine itself. The victim attempts to acknowledge the request repeatedly with no end.

Permanent DoS Attacks

Most DoS attacks are temporary and only need to be stopped and any mess they created cleaned up to put everything back the way it was. However, some types of DoS attacks destroy a system and cause it to become permanently offline.

Phlashing is a form of permanent DoS that involves pushing bogus or incorrect updates to a system’s firmware to a victim’s system. When this is done, the hardware becomes unus- able in many cases without being replaced. When a system is attacked in such a manner, it is said to be bricked. In other words, it is worthless as a computer and now is a brick.

Application-level Attacks

Application-level attacks are those that result in a loss or degradation of a service to the point it is unusable. These attacks can even result in the corruption or loss of data on a system. Typically these types of attacks take the form of one of the following:

Flood This attack overwhelms the target with traffic to make it difficult or impossible to respond to legitimate requests.

Disrupt This attack usually involves attacking a system with the intention of locking out or blocking a user or users for example, attempting to log into a system several times to lock up the account so that the legitimate user cannot use it.

Jam In this attack, typically the attacker is crafting SQL queries to lock up or corrupt a database