
DoS Attacks: Infrastructure Layer

Posted on 04/09/2015, by David Cantón (INCIBE)

As mentioned previously, infrastructure attacks are those that focus mainly on layers three and four of the OSI model (ISO/IEC 7498-1) and on application layer protocols that support communications, such as DNS or NTP. This is the most frequent type of attack and, as illustrated in the following graphic, makes up 90% of the DDoS attacks detected by Akamai in the fourth quarter of 2014.


-Types of DDoS attacks and their relative distribution in Q4 2014 (Source: Akamai) -

This proportion could be down to the fact that this category encompasses protocols such as IP, TCP or UDP, which can be used to attack any system because they are the base of the Internet. Another factor worth noting is the existence of "big button tools", which make these attacks easy for anyone to carry out.


- Network (Layers 3&4) DDoS Attacks Volume (Source: threatpost) -


Next we will see what the main attacks of this type consist of.

SYN Flood

The SYN Flood is one of the most characteristic types of DDoS attack. Its objective is to exhaust or saturate the system's resources by exploiting the way a TCP connection is established: the 3-way handshake.

Let's briefly recall the steps in a "typical" TCP client-server connection that uses a 3-way handshake:

  1. The server opens a socket on a particular TCP port, where it will listen for incoming client connections. This step is also known as passive open.
  2. The client that wishes to start a connection with the server sends a TCP packet with a random sequence number and the SYN bit set (S bit in the TCP flags). This is considered the first step in the negotiation.
  3. The server responds with a packet carrying its own random sequence number and the client's number incremented by one, with the SYN and ACK flags set. At this stage the server must reserve resources to store the data relating to the connection, such as an entry in the system's connection table.
  4. The third step of the negotiation is a packet from the client to the server confirming the establishment. This packet contains the corresponding sequence numbers and has the ACK flag set. At this stage the connection is considered established.


-TCP Header-

The SYN Flood attack takes advantage of the characteristics of TCP's 3-way handshake and of the limited resources servers have for keeping TCP connections open. A SYN Flood attack omits the final ACK sent by the client, so the negotiation of the connection is never finalized. The attacker can simply not send the awaited ACK, or can spoof the source IP address in the SYN, which results in the server sending the SYN-ACK to a fake IP address.


- TCP connection establishment: 3-way handshake -

The server waits for the ACK for a period of time, and until it receives the ACK or the maximum wait time expires it won't free the resources reserved for the connection (memory, connection tables), which are normally used to store and process incoming packets. If the average number of open connections is low the server won't encounter any problems. However, if the number of connection requests increases, all the available resources could run out and the server will be unable to accept new legitimate connections, causing a denial of service. A well-planned SYN flood could evade deep packet inspection techniques.
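A defender can observe the half-open connections described above directly in the kernel's connection table. The following is an added example, not part of the original article: it parses text in Linux `/proc/net/tcp` layout and flags listening ports with an unusual number of SYN_RECV entries. The sample data, the thresholds and the little-endian host byte order are assumptions.

```python
import socket
import struct
from collections import Counter

SYN_RECV, ESTABLISHED = "03", "01"  # state codes used in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (trailing columns trimmed);
# addresses are documentation ranges, not data from a real host.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue
   0: 0A00000A:0050 00000000:0000 0A 00000000:00000000
   1: 0A00000A:0050 016433C6:C001 03 00000000:00000000
   2: 0A00000A:0050 026433C6:C002 03 00000000:00000000
   3: 0A00000A:0050 036433C6:C003 03 00000000:00000000
   4: 0A00000A:0050 046433C6:C004 03 00000000:00000000
   5: 0A00000A:0050 056433C6:C005 03 00000000:00000000
   6: 0A00000A:0050 077100CB:D431 01 00000000:00000000
   7: 0A00000A:01BB 087100CB:D432 03 00000000:00000000
   8: 0A00000A:01BB 097100CB:D433 01 00000000:00000000
   9: 0A00000A:01BB 0A7100CB:D434 01 00000000:00000000
"""

def decode_addr(field):
    """Turn '016433C6:C001' into ('198.51.100.1', 49153) (little-endian host)."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def connection_states(proc_net_tcp):
    """Count half-open and established connections per local port."""
    half_open, established = Counter(), Counter()
    for line in proc_net_tcp.splitlines()[1:]:      # skip the header row
        cols = line.split()
        if len(cols) < 4:
            continue
        _, port = decode_addr(cols[1])
        if cols[3] == SYN_RECV:
            half_open[port] += 1
        elif cols[3] == ESTABLISHED:
            established[port] += 1
    return half_open, established

def suspect_ports(proc_net_tcp, min_half_open=4, ratio=2.0):
    """Ports whose half-open count is high both in absolute terms and
    relative to established connections (illustrative thresholds)."""
    half_open, established = connection_states(proc_net_tcp)
    return sorted(p for p, n in half_open.items()
                  if n >= min_half_open and n >= ratio * max(established[p], 1))

if __name__ == "__main__":
    print(suspect_ports(SAMPLE))  # live host: open("/proc/net/tcp").read()
```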



A TCP SYN+ACK attack consists in sending false SYN+ACK packets at a high rate. The server has to use part of its processing capacity to handle these packets, which fall outside the normal TCP three-way handshake. This flooding can wear out the system resources (memory, CPU, etc.) used to process the anomaly, which can result in a deterioration of its performance.



The purpose of ACK and PUSH-ACK packets is to confirm the correct reception of packets sent in both directions. During an ACK Flood attack the target system receives false ACK packets at a high rate. These packets, which don't belong to any of the sessions in the connection list, aim to exhaust the system's resources (memory, CPU, etc.), since the system has to process them, causing a deterioration of the service or even an interruption.



TCP FIN or RST packets indicate the closing of communication sessions. The attack is the same as in the previous case (TCP ACK & PUSH-ACK), but uses another type of packet with a specific objective.



It is a variation of the ACK & PUSH ACK Flood which basically consists in sending 1500-byte ACK packets with the aim of consuming the attacked system's bandwidth. To avoid detection, the packet generation rate tends to be moderate. In addition, because many defence systems don't filter or inspect above the IP layer, this attack can pass through routers, ACLs, firewalls and IDS/IPS. The data used to fill the packets tends to be irrelevant.


SSDP (Simple Service Discovery Protocol), used by UPnP (Universal Plug and Play), is used as a reflection and amplification system for DDoS attacks. SSDP is a network protocol based on the Internet Protocol Suite, used to publish and discover network services and presence information. It works without servers, unlike DHCP or DNS, and without special static configuration.

SSDP is enabled in millions of domestic and office devices, including routers, webcams, Smart TVs and printers, and its aim is to allow these devices to interact and coordinate activities.

The modus operandi is the following:

1. The attacker sends an SSDP M-SEARCH request (a text-based protocol in HTTPU). This message is sent under UDP to an IP multicast address at port number 1900; on IPv4 the address reserved for SSDP is and on IPv6 it is ff0X::c.

2. Devices with UPnP activated respond with several pieces of information, including the device's HTTP address. With these responses the attacker obtains a list of vulnerable systems that it can use to perform DDoS attacks.

3. With the obtained list the attacker sends malicious requests, spoofing the source IP address, which will generate larger response messages directed at the target systems. The amplification factor will be determined by the content of the device's description file.


- DDoS SSDP attack scheme -


A DNS amplification attack consists in sending DNS requests using the victim's IP address as the source address. It's one of the most frequently used attacks and we explain it in depth in the blog entry "DNS, open resolvers and DNS amplification denial-of-service attacks".


- DNS Amplification Attacks for Operation Global Blackout (Source: securityaffairs.co) -


This attack is similar to the DNS one but uses the Network Time Protocol (NTP). We've also published an in-depth article on this type of attack: "NTP based denial-of-service attacks".


- Amplification DoS and NTP reflection responses -
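From the target's side, the SSDP, DNS and NTP reflection attacks described above look the same: UDP responses from service ports that no local host asked for. The following is an added example, not part of the original article, that detects this pattern in border flow records; the record layout, the protected network prefix, the sample flows and the thresholds are all assumptions.

```python
from collections import defaultdict

REFLECTION_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP"}  # services named in the article
LOCAL_NET = "192.0.2."   # assumption: protected network (documentation range)

# Constructed flow records: (time_s, src_ip, src_port, dst_ip, dst_port, bytes)
FLOWS = [
    (0.0, "192.0.2.10", 40000, "198.51.100.53", 53, 60),    # local host asks its resolver
    (0.1, "198.51.100.53", 53, "192.0.2.10", 40000, 180),   # solicited answer
    (1.0, "203.0.113.1", 1900, "192.0.2.20", 80, 320),      # no request preceded these
    (1.0, "203.0.113.2", 1900, "192.0.2.20", 80, 310),
    (1.1, "203.0.113.3", 1900, "192.0.2.20", 80, 330),
    (1.1, "203.0.113.4", 1900, "192.0.2.20", 80, 300),
    (1.2, "203.0.113.9", 123, "192.0.2.20", 80, 468),
]

def unsolicited_responses(flows, window=5.0):
    """Group responses from reflection-prone ports that match no recent
    outbound request, keyed by (local_ip, protocol)."""
    pending = {}  # (local_ip, local_port, remote_ip, remote_port) -> request time
    hits = defaultdict(lambda: {"reflectors": set(), "bytes": 0})
    for ts, src, sport, dst, dport, size in sorted(flows):
        if src.startswith(LOCAL_NET) and dport in REFLECTION_PORTS:
            pending[(src, sport, dst, dport)] = ts
        elif dst.startswith(LOCAL_NET) and sport in REFLECTION_PORTS:
            asked = pending.get((dst, dport, src, sport))
            if asked is None or ts - asked > window:
                entry = hits[(dst, REFLECTION_PORTS[sport])]
                entry["reflectors"].add(src)
                entry["bytes"] += size
    return hits

def reflection_alerts(flows, min_reflectors=3):
    """Return {(local_ip, protocol): (distinct_reflectors, bytes)} for hosts
    receiving unsolicited responses from many sources at once."""
    return {key: (len(v["reflectors"]), v["bytes"])
            for key, v in unsolicited_responses(flows).items()
            if len(v["reflectors"]) >= min_reflectors}

if __name__ == "__main__":
    print(reflection_alerts(FLOWS))
```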

UDP Flood

The aim of this attack is to consume the victim's bandwidth through the mass delivery of UDP packets, preventing legitimate users from connecting. Many network infrastructure devices, such as routers, load balancers, firewalls or IPS, don't inspect data above the IP layer, meaning that they don't filter this type of traffic. Devices that perform deep packet inspection (DPI) can detect this type of attack. This technique frequently uses ports used by widespread protocols such as DNS or VoIP. Because UDP by design is not connection-oriented and the source IP addresses of packets can be spoofed, designing rules to filter this type of attack is complicated.

UDP Fragments

A variation of the previous attack which, using the fragmentation of IP messages, achieves a greater consumption of bandwidth and CPU with a smaller number of packets. This effect is achieved by using IP datagrams larger than the permitted MTU, which is normally 1500 bytes. The fragmentation forces the receiver to store all of the datagram's fragments in order to reassemble them before discarding them, thereby consuming reception buffer memory and CPU time.
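The buffer pressure described above can be seen in a small model of a reassembly queue. The following is an added example, not part of the original article: a toy reassembly buffer with a memory cap and a timeout, fed a constructed scenario in which datagrams that never complete crowd out a legitimate one. The class, its limits and the addresses are assumptions; offsets are in bytes for simplicity.

```python
class ReassemblyBuffer:
    """Toy IPv4 reassembly queue with a memory cap and a timeout."""

    def __init__(self, max_bytes=4096, timeout=30.0):
        self.max_bytes, self.timeout = max_bytes, timeout
        self.queues = {}   # (src, dst, ip_id) -> {"first": ts, "frags": {offset: (len, more)}}
        self.dropped = 0

    def held_bytes(self):
        return sum(n for q in self.queues.values() for n, _ in q["frags"].values())

    def expire(self, now):
        stale = [k for k, q in self.queues.items() if now - q["first"] > self.timeout]
        for key in stale:
            del self.queues[key]

    def add(self, now, src, dst, ip_id, offset, length, more_fragments):
        """Store one fragment; return the datagram length once it is complete."""
        self.expire(now)
        if self.held_bytes() + length > self.max_bytes:
            self.dropped += 1          # no room: the fragment is discarded
            return None
        key = (src, dst, ip_id)
        queue = self.queues.setdefault(key, {"first": now, "frags": {}})
        queue["frags"][offset] = (length, more_fragments)
        pos = 0                        # walk contiguous fragments from offset 0
        while pos in queue["frags"]:
            size, more = queue["frags"][pos]
            pos += size
            if not more:               # reached the last fragment: reassembled
                del self.queues[key]
                return pos
        return None

def demo():
    """Constructed scenario: incomplete datagrams block a legitimate one."""
    buf = ReassemblyBuffer(max_bytes=4096, timeout=30.0)
    for ip_id in (1, 2, 3):            # first fragments only; the rest never arrive
        buf.add(0.0, "203.0.113.5", "192.0.2.10", ip_id, 0, 1480, True)
    blocked = buf.add(1.0, "198.51.100.7", "192.0.2.10", 77, 0, 1480, True)
    held = buf.held_bytes()
    buf.add(31.0, "198.51.100.7", "192.0.2.10", 77, 0, 1480, True)   # stale queues expired
    done = buf.add(31.1, "198.51.100.7", "192.0.2.10", 77, 1480, 520, False)
    return blocked, held, buf.dropped, done

if __name__ == "__main__":
    print(demo())
```

The cap and timeout play the role that settings such as Linux's `net.ipv4.ipfrag_high_thresh` and `net.ipv4.ipfrag_time` play in a real stack: they bound how much memory incomplete datagrams can hold and for how long.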

ICMP Flood

It is similar to a UDP Flood attack, but it uses ICMP packets in order to consume the bandwidth and the server's CPU time. Classic examples are the Ping of Death and the Smurf attack.

Although the quickest solution to avoid this type of attack is filtering all ICMP traffic, this could cause certain problems: while ICMP is optional on IPv4 (at the expense of the system being less efficient and slower), on IPv6 it is obligatory for normal operation. For more information on this topic: ICMP and Security in IPv6.