Monday, November 2, 2009

DoS and DDoS Attacks

When studying for the CompTIA Security+ (SY0-201) exam, you should know the difference between DoS and DDoS attacks.

Both are Denial of Service attacks.  The difference is that a Denial of Service (DoS) attack comes from a single attacker, while a Distributed Denial of Service (DDoS) attack comes from multiple attackers.

As an example, the SYN Flood attack is a DoS attack that attacks a single system by flooding it with only two parts of the TCP three-way handshake.  Normally, the TCP handshake is three packets. The client sends a SYN packet, the server replies with a SYN / ACK packet, and the client should reply with the ACK flag to complete the handshake.

However, the client instead withholds the third packet and leaves the server hanging. If the client is able to do this enough times, the server's resources become consumed as it has perhaps hundreds of unfinished sessions.  A SYN Flood attack can actually take servers down if not detected and stopped.
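To make the "unfinished sessions" idea concrete, here is an added example (my own illustration, not code from Darril or the book) that replays a constructed packet log, follows each connection through the SYN, SYN / ACK and ACK steps, and reports how many handshakes never finished. The log format, the IP addresses and the alert threshold are all assumptions made up for the example; a real detection would read them from a firewall or packet capture.

```python
"""Half-open TCP handshake tracker: a defender-side illustration of how a
SYN flood shows up as a pile of unfinished three-way handshakes."""
from collections import Counter

# Constructed sample log (not captured traffic). One packet per line:
#   "<time> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <flags>"
# 10.0.0.5 completes its handshake, 10.0.0.6 is simply still in progress,
# and 198.51.100.7 opens five connections without ever sending the final ACK.
SAMPLE_LOG = """\
0.00 10.0.0.5:40001 -> 192.0.2.10:80 SYN
0.01 192.0.2.10:80 -> 10.0.0.5:40001 SYN/ACK
0.02 10.0.0.5:40001 -> 192.0.2.10:80 ACK
0.10 198.51.100.7:5000 -> 192.0.2.10:80 SYN
0.11 192.0.2.10:80 -> 198.51.100.7:5000 SYN/ACK
0.12 198.51.100.7:5001 -> 192.0.2.10:80 SYN
0.13 192.0.2.10:80 -> 198.51.100.7:5001 SYN/ACK
0.14 198.51.100.7:5002 -> 192.0.2.10:80 SYN
0.15 192.0.2.10:80 -> 198.51.100.7:5002 SYN/ACK
0.16 198.51.100.7:5003 -> 192.0.2.10:80 SYN
0.17 192.0.2.10:80 -> 198.51.100.7:5003 SYN/ACK
0.18 198.51.100.7:5004 -> 192.0.2.10:80 SYN
0.19 192.0.2.10:80 -> 198.51.100.7:5004 SYN/ACK
0.30 10.0.0.6:40002 -> 192.0.2.10:80 SYN
0.31 192.0.2.10:80 -> 10.0.0.6:40002 SYN/ACK
"""


def parse_line(line):
    """Split one log line into (time, src, dst, flags); src/dst are 'ip:port'."""
    t, src, _arrow, dst, flags = line.split()
    return float(t), src, dst, flags


def track_handshakes(log_text):
    """Replay the log and return {(client, server): state} for every flow.

    States follow the handshake: 'SYN_RECV' once the client's SYN arrives
    (the server reserves a half-open entry at this point), 'SYN_ACK_SENT'
    after the server's reply, and 'ESTABLISHED' after the client's final ACK.
    """
    flows = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _t, src, dst, flags = parse_line(line)
        if flags == "SYN":
            flows[(src, dst)] = "SYN_RECV"
        elif flags == "SYN/ACK":
            key = (dst, src)  # the reply travels server -> client, so swap
            if key in flows:
                flows[key] = "SYN_ACK_SENT"
        elif flags == "ACK":
            if (src, dst) in flows:
                flows[(src, dst)] = "ESTABLISHED"
        elif flags == "RST":
            flows.pop((src, dst), None)  # a reset releases the entry
    return flows


def half_open_by_source(flows):
    """Count unfinished handshakes per client IP (slots the server is holding)."""
    counts = Counter()
    for (client, _server), state in flows.items():
        if state != "ESTABLISHED":
            counts[client.rsplit(":", 1)[0]] += 1
    return counts


def total_half_open(flows):
    """Total unfinished handshakes on the server, regardless of source."""
    return sum(1 for state in flows.values() if state != "ESTABLISHED")


def detect_syn_flood(log_text, threshold=3):
    """Return [(client_ip, half_open_count)] for sources at or above threshold.

    The threshold is an assumed value for the example; tune it to the server.
    """
    counts = half_open_by_source(track_handshakes(log_text))
    return sorted((ip, n) for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    flows = track_handshakes(SAMPLE_LOG)
    print(f"{total_half_open(flows)} half-open connections on the server")
    for ip, n in detect_syn_flood(SAMPLE_LOG):
        print(f"possible SYN flood from {ip}: {n} half-open connections")
```

Running it on the constructed log reports six half-open connections in total and flags 198.51.100.7 with five of them, while the legitimate clients stay below the threshold. The per-source count assumes the client addresses in the log are genuine; the total-per-server count is the safer number to alarm on, because it reflects the resource exhaustion the post describes no matter where the SYNs appear to come from.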

A DDoS attack often starts with malware taking control of multiple computers.  These computers act as clones or zombies in a malware-controlled botnet.  When the controller sends the order, the zombies then launch a distributed attack.

Good luck with your studies.

Darril

Check out chapter 6 of this book (Predicting and Mitigating Threats) for more details on the different threats you may see covered on the Security+ exam, including over 375 practice questions.


CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide