Denial-of-service attack
===Distributed DoS attack===

An attack mounted from a single host is classified as a DoS attack; any attack against availability is a denial-of-service attack. If an attacker uses many systems to launch attacks against a remote host simultaneously, it is classified as a DDoS attack. [[Malware]] can carry DDoS attack mechanisms; one of the better-known examples was [[MyDoom]], whose DoS mechanism was triggered on a specific date and time. This type of DDoS involved hardcoding the target [[IP address]] before releasing the malware, so no further interaction was needed to launch the attack. A system may also be compromised with a [[Trojan horse (computing)|trojan]] containing a [[Zombie computer|zombie agent]]. Attackers can also break into systems using automated tools that exploit flaws in programs that listen for connections from remote hosts; this scenario primarily concerns systems acting as servers on the web.

[[Stacheldraht]] is a classic example of a DDoS tool. It uses a layered structure in which the attacker uses a [[Client (computing)|client program]] to connect to handlers, which are compromised systems that issue commands to the zombie agents, which in turn carry out the DDoS attack. The attacker compromises the agents through the handlers, and each handler can control up to a thousand agents.<ref name="Dittrich">{{cite web |url=http://staff.washington.edu/dittrich/misc/stacheldraht.analysis.txt |title=The "stacheldraht" distributed denial of service attack tool |first=David |last=Dittrich |publisher=University of Washington |date=December 31, 1999 |access-date=2013-12-11 |archive-date=2000-08-16 |archive-url=https://web.archive.org/web/20000816021357/http://staff.washington.edu/dittrich/misc/stacheldraht.analysis.txt |url-status=dead }}</ref> In some cases a machine may become part of a DDoS attack with the owner's consent, for example in [[Operation Payback]], organized by the group [[Anonymous (hacker group)|Anonymous]]. These attacks can use different types of internet packets, such as TCP, UDP and ICMP. Collections of compromised systems are known as [[botnet]]s. DDoS tools like Stacheldraht still use classic DoS attack methods centered on [[IP spoofing]] and amplification, such as [[smurf attack]]s and [[fraggle attack]]s (types of bandwidth consumption attacks). [[SYN flood]]s (a resource starvation attack) may also be used. Newer tools can use DNS servers for DoS purposes. Unlike MyDoom's DDoS mechanism, botnets can be turned against any IP address.

[[Script kiddie]]s use botnets to deny the availability of well-known websites to legitimate users.<ref name="SANS">{{cite web|url=http://www.sans.org/resources/idfaq/trinoo.php|title=SANS Institute – Intrusion Detection FAQ: Distributed Denial of Service Attack Tools: n/a|access-date=2008-05-02|publisher=SANS Institute|year=2000|first=Phillip|last=Boyle|archive-url=https://web.archive.org/web/20080515025103/http://www.sans.org/resources/idfaq/trinoo.php|archive-date=2008-05-15|url-status=dead}}</ref> More sophisticated attackers use DDoS tools for the purposes of [[extortion]]{{spaced ndash}}including against their business rivals.<ref>{{cite web|last=Leyden |first=John |url=https://www.theregister.co.uk/2004/09/23/authorize_ddos_attack/ |title=US credit card firm fights DDoS attack |work=The Register |date=2004-09-23 |access-date=2011-12-02}}</ref> [[Internet of things]] (IoT) devices have also been reported as sources of denial-of-service attacks.<ref>{{cite web|url=http://thehackernews.com/2015/10/cctv-camera-hacking.html|title=Hacking CCTV Cameras to Launch DDoS Attacks|author=Swati Khandelwal|date=23 October 2015|work=The Hacker News}}</ref> One noted attack peaked at around 20,000 requests per second and came from around 900 CCTV cameras.<ref>{{cite web|url=https://www.incapsula.com/blog/cctv-ddos-botnet-back-yard.html|title=CCTV DDoS Botnet In Our Own Back Yard|first1=Igal|last1=Zeifman|first2=Ofer|last2=Gayer|first3=Or|last3=Wilder|website=incapsula.com|date=21 October 2015}}</ref> UK's [[GCHQ]] has tools built for DDoS, named PREDATORS FACE and ROLLING THUNDER.<ref name="firstlook.org">{{cite web |date=2014-07-15 |author= Glenn Greenwald |url=https://theintercept.com/2014/07/14/manipulating-online-polls-ways-british-spies-seek-control-internet/ |title=HACKING ONLINE POLLS AND OTHER WAYS BRITISH SPIES SEEK TO CONTROL THE INTERNET |website=The Intercept_ |access-date=2015-12-25}}</ref>

Simple attacks such as SYN floods may appear with a wide range of source IP addresses, giving the appearance of a distributed DoS. These flood attacks do not require completion of the TCP [[three-way handshake]] and attempt to exhaust the destination SYN queue or the server bandwidth. Because the source IP addresses can be trivially spoofed, an attack could come from a limited set of sources, or may even originate from a single host. Stack enhancements such as [[SYN cookies]] may be effective mitigation against SYN queue flooding but do not address bandwidth exhaustion. In 2022, TCP attacks were the leading method in DDoS incidents, accounting for 63% of all DDoS activity; this includes tactics like [[TCP SYN]], TCP ACK and TCP floods. With TCP being the most widespread networking protocol, TCP attacks are expected to remain prevalent in the DDoS threat landscape.<ref name=":2" />
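The SYN-queue exhaustion and SYN-cookie mitigation described above, as an added example that is not part of the Wikipedia article: a Python model of a TCP listener under a flood of spoofed SYNs, run once with a fixed-size backlog and once with stateless SYN cookies. The segment model, the 60-byte segment size, the addresses (taken from the RFC 5737 documentation ranges), the flood and backlog sizes and the HMAC-based cookie construction are assumptions made for illustration; the cookie omits the coarse timestamp and MSS encoding a real kernel folds in.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed on-the-wire size of a SYN or ACK segment (bytes), used only for bandwidth accounting.
SEGMENT_SIZE = 60
MASK32 = 0xFFFFFFFF


@dataclass
class Listener:
    """A TCP listening socket: either a fixed-size SYN backlog or stateless SYN cookies."""
    backlog_limit: int
    use_syn_cookies: bool
    key: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    half_open: dict = field(default_factory=dict)   # (src, sport) -> server ISN, backlog mode only
    established: int = 0
    dropped_syns: int = 0
    bytes_received: int = 0

    def _cookie(self, src, sport, dport, client_isn):
        # Keyed MAC over the connection 4-tuple and the client's ISN; the server ISN
        # is derived from it, so nothing is stored until a valid ACK arrives.
        # Simplified: a real kernel also folds in a coarse timestamp and the MSS.
        msg = f"{src}:{sport}:{dport}:{client_isn}".encode()
        mac = hmac.new(self.key, msg, hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def on_syn(self, src, sport, dport, client_isn):
        """Handle a SYN; return the server ISN sent in the SYN-ACK, or None if dropped."""
        self.bytes_received += SEGMENT_SIZE
        if self.use_syn_cookies:
            return self._cookie(src, sport, dport, client_isn)
        if len(self.half_open) >= self.backlog_limit:
            self.dropped_syns += 1           # queue full: legitimate SYNs are refused too
            return None
        isn = secrets.randbits(32)
        self.half_open[(src, sport)] = isn   # half-open entry, waiting for the third step
        return isn

    def on_ack(self, src, sport, dport, client_isn, ack):
        """Handle the third handshake step; valid only if ack == server ISN + 1."""
        self.bytes_received += SEGMENT_SIZE
        expected = (ack - 1) & MASK32
        if self.use_syn_cookies:
            ok = expected == self._cookie(src, sport, dport, client_isn)
        else:
            isn = self.half_open.pop((src, sport), None)
            ok = isn is not None and expected == isn
        if ok:
            self.established += 1
        return ok


def simulate(use_syn_cookies, backlog=128, spoofed_syns=1000, legit_clients=20):
    """Flood the listener with spoofed SYNs, then let legitimate clients connect."""
    srv = Listener(backlog, use_syn_cookies)
    # Constructed flood: many apparent sources (a TEST-NET-2 range), none of which
    # ever answers the SYN-ACK, so every accepted SYN stays half-open.
    for i in range(spoofed_syns):
        srv.on_syn(f"198.51.100.{i % 250}", 40000 + i, 80, i)
    flood_bytes = srv.bytes_received
    # Legitimate clients arriving during the flood complete the handshake if allowed to.
    for j in range(legit_clients):
        src, sport, isn = "192.0.2.10", 50000 + j, 7000 + j
        synack_isn = srv.on_syn(src, sport, 80, isn)
        if synack_isn is not None:
            srv.on_ack(src, sport, 80, isn, (synack_isn + 1) & MASK32)
    return {
        "established": srv.established,
        "dropped_syns": srv.dropped_syns,
        "half_open": len(srv.half_open),
        "flood_bytes": flood_bytes,
    }


def forged_ack_rejected():
    """A cookie server accepts an ACK only with the right cookie, not on the 4-tuple alone."""
    srv = Listener(backlog_limit=8, use_syn_cookies=True)
    good = srv.on_syn("203.0.113.5", 1234, 80, 99)
    wrong = srv.on_ack("203.0.113.5", 1234, 80, 99, (good + 2) & MASK32)
    right = srv.on_ack("203.0.113.5", 1234, 80, 99, (good + 1) & MASK32)
    return (not wrong) and right


if __name__ == "__main__":
    for cookies in (False, True):
        print("SYN cookies" if cookies else "fixed backlog", simulate(cookies))
```

With the fixed backlog, the queue fills with half-open entries from sources that never send the third handshake step and every later SYN, legitimate or not, is refused; with SYN cookies the server keeps no per-SYN state, so the legitimate handshakes complete and an ACK carrying the wrong cookie is rejected. Both listeners still receive every flood segment, which is why SYN cookies do nothing for a link that is already saturated. Real SYN cookies also expire via the timestamp they encode, and a connection established from a cookie loses any TCP options the cookie did not carry.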