How DoS Attacks Work and How to Defend Against Them

This article explains what denial‑of‑service (DoS) attacks are, describes their underlying principles and common variants such as SYN, UDP, ICMP, and HTTP floods, and outlines comprehensive defense strategies including firewalls, IDS, CDN, multi‑active architectures, SYN cookies, rate limiting, and cloud‑based protection services.

Cognitive Technology Team

In today's digital era, network security is a critical concern for enterprises and individuals, and denial‑of‑service (DoS) attacks remain a classic yet highly damaging threat.

1. What is a Denial‑of‑Service Attack (DoS)?

A DoS attack sends a large volume of invalid requests or packets to a target server or network in order to exhaust a resource it depends on (bandwidth, memory, CPU, connection-table slots) so that it can no longer respond to legitimate users. Attackers usually generate the traffic from many compromised machines ("zombie hosts", or bots) at once; this distributed form is a distributed denial-of-service attack (DDoS), and the spread of sources is what makes it hard to filter by address.

Attack Principle

The core principle of a DoS attack is resource exhaustion. Attackers achieve it in three ways:

Traffic Flood: sending huge volumes of requests (e.g., HTTP requests, TCP connection attempts, raw UDP datagrams) to consume bandwidth and processing capacity.

Protocol Weaknesses: exploiting state that a protocol allocates before the peer is verified (e.g., the half-open connection entries created during the TCP three-way handshake) so that cheap packets drain expensive resources.

Logic Vulnerabilities: crafting requests that trigger expensive or abnormal server-side handling (e.g., a request that starts a costly computation or an unbounded allocation) so that a small number of requests depletes resources.

2. Common DoS Attack Methods

1. SYN Flood

A SYN flood abuses the state the server allocates during the TCP three-way handshake. The attacker sends a stream of SYN packets, usually with forged (spoofed) source addresses. The server answers each one with a SYN-ACK and keeps a half-open connection entry while it waits for the final ACK, which never arrives because the spoofed source either does not exist or ignores the unsolicited SYN-ACK. The half-open entries sit in the listening socket's SYN backlog until they time out (after several SYN-ACK retransmissions, tens of seconds by default), so the backlog fills and new legitimate connection attempts are dropped.

Attack Flow Diagram:

[Attacker] -> SYN (spoofed source address) -> [Target Server]
[Target Server] -> SYN-ACK -> [spoofed source, not the attacker]
no ACK ever arrives; the server holds the half-open entry until it times out

2. UDP Flood

UDP has no handshake, so the attacker can send large numbers of datagrams, typically with spoofed sources, to random ports on the target. For each datagram the kernel looks up a listening socket; when there is none it answers with an ICMP Port Unreachable message, so every packet costs a lookup, an error reply and outbound bandwidth. On a large enough pipe the raw volume saturates the link on its own. The absence of a handshake is also what makes exposed UDP services usable as reflectors in amplification attacks (see the memcached case study below).

3. ICMP Flood

Attackers send massive numbers of ICMP Echo Request (ping) packets, often from spoofed sources; the target answers each one with an Echo Reply, so inbound bandwidth, outbound bandwidth and CPU are all consumed. Rate-limiting ICMP at the edge blunts this, at the cost of making the host appear unreachable to legitimate pings during an attack.

4. HTTP Flood

Attackers mimic legitimate user behaviour by sending huge numbers of well-formed HTTP requests (GET/POST) from bots that complete real TCP (and TLS) handshakes, draining web-server connections, worker threads and backend capacity. They often target expensive application-layer functions such as login, search or payment, where one request costs the server far more than it costs the client. Because the traffic is valid at layers 3 and 4 and often modest in volume, packet-level filters do not catch it; detection has to look at request rates and behaviour per client.
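The four flood types above each leave a different signature in a packet trace, and a practitioner usually wants them as concrete checks. The following is an added example, not code from the original article: a small offline classifier in Python that applies those checks to constructed packet records. The Packet layout, the set of listening ports and every threshold are assumptions chosen for illustration.

```python
"""Flood-type classifier run over a constructed packet capture.

Added example, not code from the original article: it turns the four
signatures described above into checks over simple packet records.
The record layout, the listening-port set and every threshold are
assumptions chosen for illustration, not values from the article.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str           # source address as seen on the wire (may be spoofed)
    proto: str         # "tcp", "udp" or "icmp"
    dport: int = 0     # destination port (0 for icmp)
    flags: str = ""    # tcp flags ("S", "A", "PA") or "echo" for icmp requests
    payload: str = ""  # first bytes of application data, e.g. an HTTP request line


OPEN_PORTS = {22, 80, 443}   # ports with a listener on the target (assumption)


def classify(packets, window_s=1.0):
    """Return {flood_type: evidence} for every signature that fires.

    syn_flood : SYNs whose source never sends any ACK (half-open), when they
                dominate the window; spoofed sources never complete handshakes.
    udp_flood : datagrams aimed at ports with no listener, above a rate budget.
    icmp_flood: echo requests above a rate budget.
    http_flood: valid-looking HTTP requests from one source above a rate budget.
    """
    findings = {}
    n = len(packets)
    if n == 0:
        return findings

    syns = Counter(p.src for p in packets if p.proto == "tcp" and p.flags == "S")
    ackers = {p.src for p in packets if p.proto == "tcp" and "A" in p.flags}
    half_open = {s: c for s, c in syns.items() if s not in ackers}
    total_half_open = sum(half_open.values())
    if total_half_open >= 100 and total_half_open / n > 0.5:
        findings["syn_flood"] = {"half_open": total_half_open,
                                 "sources": len(half_open)}

    udp_closed = sum(1 for p in packets
                     if p.proto == "udp" and p.dport not in OPEN_PORTS)
    if udp_closed / window_s >= 100:
        findings["udp_flood"] = {"to_closed_ports": udp_closed}

    echo = sum(1 for p in packets if p.proto == "icmp" and p.flags == "echo")
    if echo / window_s >= 100:
        findings["icmp_flood"] = {"echo_requests": echo}

    http = Counter(p.src for p in packets
                   if p.proto == "tcp" and p.dport in (80, 443)
                   and p.payload.startswith(("GET ", "POST ")))
    hot = {s: c for s, c in http.items() if c / window_s >= 50}
    if hot:
        findings["http_flood"] = {"sources": hot}
    return findings


def build_sample():
    """Constructed one-second capture: a spoofed SYN flood, one HTTP-flooding
    bot that does complete its handshakes, and a little normal traffic."""
    pkts = []
    # 300 SYNs from 200 spoofed addresses; none of them ever sends an ACK
    pkts += [Packet(f"203.0.113.{i % 200 + 1}", "tcp", 443, "S") for i in range(300)]
    # one bot: real handshake, then 80 GET requests within the second
    bot = "192.0.2.99"
    pkts += [Packet(bot, "tcp", 80, "S"), Packet(bot, "tcp", 80, "A")]
    pkts += [Packet(bot, "tcp", 80, "PA", "GET /login HTTP/1.1") for _ in range(80)]
    # normal user: handshake, one request, a few pings
    user = "192.0.2.5"
    pkts += [Packet(user, "tcp", 443, "S"), Packet(user, "tcp", 443, "A"),
             Packet(user, "tcp", 443, "PA", "GET / HTTP/1.1")]
    pkts += [Packet(user, "icmp", flags="echo") for _ in range(3)]
    return pkts


if __name__ == "__main__":
    for kind, evidence in classify(build_sample()).items():
        print(kind, evidence)
```

The SYN check counts sources that never ACK rather than requests per source, because with 200 spoofed addresses in the sample no single address is noisy enough for a per-IP threshold to fire; that is the usual reason a SYN flood needs a different detector from an HTTP flood. On a real host the same signal is available from the kernel's listen-queue drop counters (`netstat -s` on Linux reports "SYNs to LISTEN sockets dropped"), and the rate budgets should be derived from measured baselines over sliding windows rather than the fixed values used here.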

3. Defense Strategies

1. Firewalls and Intrusion Detection Systems (IDS)

Firewalls: filter abnormal traffic via rule sets (e.g., per-source SYN rate limits, drop lists of known-bad addresses, blocking protocols and ports the service does not use).

IDS/IPS: monitor network traffic in real time and match it against attack signatures or traffic baselines; an IDS raises alerts, while an IPS placed in-line can also block the offending flows.

Firewall Defense Diagram:

[Attack Traffic] -> [Firewall] -> [Filtering Rules] -> [Legitimate Traffic] -> [Target Server]

2. CDN and Reverse Proxy

Content Delivery Network (CDN): caches static resources on distributed edge nodes and terminates client connections there, so the origin server's address is not directly exposed and volumetric traffic is absorbed across the CDN's much larger capacity.

Reverse Proxy: routes traffic through a proxy that terminates connections, applies request filtering and rate limits, and forwards only clean requests to the backend.

CDN Defense Architecture:

[Attack Traffic] -> [CDN Nodes] -> [Traffic Scrubbing] -> [Target Server]

3. Multi‑Active Architecture and Traffic Switching

Active-Active Deployment: serve traffic from several geographic sites at the same time so that, when one site is under attack, traffic can be steered (by DNS or anycast routing) to the sites that are still healthy; no single site is a point of failure.

Load Balancing: distribute traffic across a pool of servers via load balancers, so that no single server is overloaded and a saturated backend can be drained and replaced.

4. SYN Cookie Technique

SYN Cookies: a TCP implementation technique in which the server allocates no half-open connection entry when a SYN arrives. Instead it encodes a keyed hash of the connection's addresses and ports, a coarse timestamp and the client's MSS into the initial sequence number of its SYN-ACK (the "cookie"). When the final ACK arrives, the server recomputes the hash from the acknowledgement number and creates the connection state only if the hash matches and the cookie is recent. A spoofed SYN therefore costs the server one hash computation and one SYN-ACK, but no memory. On Linux the feature is enabled with the sysctl net.ipv4.tcp_syncookies=1 and is used only once the SYN backlog is full.
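The following is an added example, not code from the original article or from any real TCP stack: a simplified SYN cookie in Python showing both sides of the exchange, the stateless SYN-ACK and the validation of the final ACK. It follows the classic 32-bit cookie layout (5 bits of time counter, 3 bits of MSS index, 24 bits of keyed hash); the secret key, the MSS table, the 64-second tick and the addresses in demo() are assumptions for illustration.

```python
"""Simplified SYN cookie: stateless SYN-ACK, validated on the final ACK.

Added example, not code from the original article or from any real TCP
stack. It follows the classic 32-bit layout (5 bits of time counter,
3 bits of MSS index, 24 bits of keyed hash); the key, the MSS table, the
64-second tick and the addresses in demo() are assumptions for illustration.
"""
import hashlib
import hmac
import os

SECRET = os.urandom(32)                 # per-server key; real stacks rotate it
MSS_TABLE = (536, 1220, 1440, 1460)     # MSS values the 3-bit field can encode
TICK = 64                               # seconds per time-counter step
MASK32 = 0xFFFFFFFF


def _hash24(secret, src, sport, dst, dport, t):
    """24-bit keyed hash binding the cookie to the 4-tuple and the time step."""
    msg = f"{src}:{sport}>{dst}:{dport}|{t}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src, sport, dst, dport, mss, now, secret=SECRET):
    """Initial sequence number for the SYN-ACK. Nothing is stored server-side."""
    t = (int(now) // TICK) & 0x1F
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return (t << 27) | (idx << 24) | _hash24(secret, src, sport, dst, dport, t)


def check_cookie(src, sport, dst, dport, ack_num, now, secret=SECRET):
    """Validate the ACK of a cookie SYN-ACK. Returns the negotiated MSS, or None."""
    isn = (ack_num - 1) & MASK32        # the client acknowledges our ISN + 1
    t, idx, h = isn >> 27, (isn >> 24) & 0x7, isn & 0xFFFFFF
    age = ((int(now) // TICK) - t) & 0x1F
    if age > 1:                          # older than the previous tick, or never issued
        return None
    if idx >= len(MSS_TABLE):
        return None
    expected = _hash24(secret, src, sport, dst, dport, t)
    if not hmac.compare_digest(h.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None                      # forged, or replayed from another 4-tuple
    return MSS_TABLE[idx]


class SynCookieServer:
    """Listener that keeps no half-open state: a SYN costs one HMAC and no memory."""

    def __init__(self, ip, port, secret=SECRET):
        self.ip, self.port, self.secret = ip, port, secret
        self.established = {}            # (src, sport) -> MSS; created only on a valid ACK

    def on_syn(self, src, sport, mss, now):
        return make_cookie(src, sport, self.ip, self.port, mss, now, self.secret)

    def on_ack(self, src, sport, ack_num, now):
        mss = check_cookie(src, sport, self.ip, self.port, ack_num, now, self.secret)
        if mss is None:
            return False
        self.established[(src, sport)] = mss
        return True


def demo():
    """Honest client, a 10 000-packet spoofed flood, a forged ACK and a stale ACK.
    Returns (established connections, honest ok?, forged accepted?, stale accepted?)."""
    srv = SynCookieServer("192.0.2.10", 443)
    now = 1_700_000_000
    isn = srv.on_syn("198.51.100.7", 40001, 1460, now)                  # SYN -> cookie in SYN-ACK
    ok = srv.on_ack("198.51.100.7", 40001, (isn + 1) & MASK32, now + 1)  # ACK of ISN+1
    for i in range(10_000):                                             # spoofed SYNs: no state grows
        srv.on_syn(f"203.0.113.{i % 254 + 1}", 1024 + i, 1460, now)
    forged = srv.on_ack("203.0.113.5", 5555, 0x12345678, now)           # never received a SYN-ACK
    stale = srv.on_ack("198.51.100.7", 40001, (isn + 1) & MASK32, now + 180)  # three minutes late
    return len(srv.established), ok, forged, stale


if __name__ == "__main__":
    print(demo())   # (1, True, False, False)
```

Two caveats carry over from real implementations. The cookie has room for only a few bits of TCP options, so the client's MSS is rounded down to a table entry and window scaling and SACK are lost unless the stack can carry them elsewhere (Linux uses the TCP timestamp option for this), which is why Linux switches to cookies only once the backlog overflows. And cookies save memory, not bandwidth: the server still emits one SYN-ACK per spoofed SYN, so a flood large enough to fill the link needs upstream filtering regardless.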

5. Rate Limiting and Blacklists

Rate Limiting: cap the request rate per client (e.g., 100 requests per second per IP, with a small burst allowance) and drop or delay the excess. Many users share one address behind carrier-grade NAT, so per-IP limits need care, and a botnet spread across thousands of addresses may stay under any per-IP limit.

Blacklist: dynamically block sources that exhibit malicious behaviour (repeatedly exceeding limits, matching attack signatures), with an expiry so that reassigned or spoofed addresses are not blocked forever.
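One way to implement the per-IP limit together with a dynamic, expiring blacklist, as an added example in Python that is not code from the original article. The limits (100 requests per second with a burst of 100; 50 rejections within 10 seconds earn a 10-minute ban) and the client addresses in simulate() are assumptions for illustration.

```python
"""Per-IP token-bucket rate limiter with a dynamic, expiring blacklist.

Added example, not code from the original article. The limits (100
requests/s with a burst of 100; 50 rejections in 10 s earn a 10-minute
ban) and the client addresses in simulate() are assumptions for illustration.
"""
import time
from collections import defaultdict


class RateLimiter:
    def __init__(self, rate=100.0, burst=100, strikes=50, strike_window=10.0, ban_s=600.0):
        self.rate, self.burst = rate, burst              # refill per second, bucket size
        self.strikes, self.strike_window = strikes, strike_window
        self.ban_s = ban_s
        self.buckets = {}                  # ip -> (tokens, last refill timestamp)
        self.rejects = defaultdict(list)   # ip -> timestamps of recent rejections
        self.banned = {}                   # ip -> ban expiry timestamp

    def is_banned(self, ip, now):
        exp = self.banned.get(ip)
        if exp is None:
            return False
        if now < exp:
            return True
        del self.banned[ip]                # ban expired: let the address back in
        return False

    def allow(self, ip, now=None):
        """True if the request from ip may proceed, False if it should be dropped."""
        now = time.monotonic() if now is None else now
        if self.is_banned(ip, now):
            return False
        tokens, last = self.buckets.get(ip, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self.buckets[ip] = (tokens - 1.0, now)
            return True
        self.buckets[ip] = (tokens, now)
        # Over the limit: record a strike; repeated abuse inside the window earns a ban
        recent = [t for t in self.rejects[ip] if now - t <= self.strike_window]
        recent.append(now)
        self.rejects[ip] = recent
        if len(recent) >= self.strikes:
            self.banned[ip] = now + self.ban_s
            self.rejects.pop(ip, None)
            self.buckets.pop(ip, None)
        return False


def simulate():
    """One attacker firing 200 requests in a single burst, one user at 5 req/s for 10 s.
    Returns how many requests each client got through and the attacker's ban state."""
    rl = RateLimiter()
    t0 = 1000.0
    attacker, user = "203.0.113.7", "192.0.2.5"
    attacker_ok = sum(rl.allow(attacker, t0) for _ in range(200))
    user_ok = sum(rl.allow(user, t0 + i * 0.2) for i in range(50))
    return {"attacker_allowed": attacker_ok,
            "user_allowed": user_ok,
            "attacker_banned_at_5min": rl.is_banned(attacker, t0 + 300),
            "attacker_released_at_10min": not rl.is_banned(attacker, t0 + 601)}


if __name__ == "__main__":
    print(simulate())
```

The limiter keeps a bucket per address, so a spoofed-source flood grows `buckets` and `rejects` without bound; in production evict idle entries (or enforce the limit in the kernel or at the network edge, where tables are fixed-size) and treat bans on addresses behind shared NAT as advisory. A per-IP budget also does nothing against a botnet whose members each stay under the limit, which is why it is combined with aggregate detection and with the upstream scrubbing described below.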

6. Cloud Services and Professional Protection

Cloud DDoS Protection: services such as Cloudflare and AWS Shield absorb attacks across a globally distributed anycast network, so a terabit-scale flood is spread over many points of presence instead of hitting a single link.

Traffic Scrubbing Centers: during an attack, traffic is redirected (via BGP or DNS) to dedicated centers that filter out the malicious flows and return the clean traffic to the target.

4. Case Study: GitHub’s 1.35 Tbps Attack

On 28 February 2018, GitHub was hit by a DDoS attack that peaked at 1.35 Tbps. The attackers sent spoofed requests to publicly exposed memcached servers (UDP port 11211), which answered with responses tens of thousands of times larger than the requests, aimed at GitHub's addresses: a reflection-and-amplification attack, not a flaw in GitHub's own systems. GitHub mitigated it by routing its traffic through Akamai's Prolexic scrubbing service, and the attack subsided within minutes of the rerouting. The incident shows that modern attacks reach terabit scale, that exposed UDP services become amplifiers for attacks on third parties, and that professional cloud-scale mitigation is essential.

5. Summary and Recommendations

1. Enterprise Recommendations

Basic Protection: deploy firewalls and IDS/IPS, and enable SYN cookies on Internet-facing hosts.

Architecture Optimization: use a CDN and active-active deployments so that no single link or site carries all the risk.

Cloud Services: purchase professional DDoS mitigation (e.g., Cloudflare, Alibaba Cloud) before it is needed; onboarding during an attack is slow.

Incident Response: write an emergency response plan (who contacts the upstream provider, how traffic is rerouted, which services degrade first) and drill it regularly.

2. Personal Recommendations

Avoid Exposing Services: close unnecessary ports and protocols, and in particular do not expose UDP services such as memcached or open DNS resolvers to the Internet, where they become amplifiers for attacks on others.

Update Systems: promptly patch vulnerabilities so your machines are not recruited as zombie hosts.

Monitor Traffic: use tools such as Wireshark or Nagios to detect abnormal traffic.

Conclusion

DoS attacks remain a persistent problem in network security, and their impact has not diminished. As attack techniques evolve, defenses must keep pace. By combining technical measures, architectural improvements, and professional mitigation services, both enterprises and individuals can significantly reduce the risk posed by DoS attacks.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
