Denial-of-Service (DoS) attacks threaten the availability of a system. If you’re at all involved in the tech world, you’ve probably heard of DDoS attacks. DDoS attacks are a subset of DoS attacks.

DoS attacks can also include reflection attacks, DHCP exhaustion, and others.

TCP SYN Flood

A common DoS attack. The TCP three-way handshake consists of a SYN segment sent from one node, a SYN-ACK in reply, and a final ACK that establishes the connection. In a TCP SYN flood the attacker sends a very large number of SYN segments to the target device(s), which reply to each with a SYN-ACK and keep a half-open entry while waiting for the final ACK. The attacker never sends that ACK, so the half-open entries pile up and fill the target’s table of pending (half-open) connections.

These bogus half-open entries time out and are removed from the table after a while, but the attacker keeps sending SYNs faster than the entries expire, so the table never drains. While the attack is sustained, the target can no longer accept legitimate TCP connections: a real client’s SYN is dropped because there is no free slot for it.

Question

Wouldn’t the SYN-ACK replies sent back to the attacker also crowd out the attacker’s own TCP connection table? No. The attacker is usually spoofing the source IP address, so the SYN-ACKs go to whatever addresses were forged and never reach the attacker at all. Even when the attacker’s real address is used, a SYN-ACK arriving at a host that has no matching half-open connection does not create a table entry: the host’s TCP stack simply answers it with a RST (or a firewall rule drops it), so nothing is allocated on the attacker’s side.
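The following simulation is an added example written for these notes, not code from the original page. It models the behaviour described in the SYN flood section and the question above: a listener with a fixed number of half-open slots that it holds for a timeout while waiting for the final ACK, an attacker sending SYNs from spoofed sources that never complete the handshake, and a legitimate client that connects periodically. It also goes one step beyond the text by showing the rule of thumb that decides whether the flood succeeds: the table stays full whenever the attacker’s SYN rate multiplied by the timeout exceeds the table’s capacity. The table size, timeout, rates and client timing are constructed values chosen to illustrate the effect, not measurements of any real TCP stack.

```python
"""Simulation of a TCP SYN flood against a bounded half-open connection table.

Added example, not from the original notes. Capacities, rates and timeouts are
constructed values; no real stack is measured here.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Listener:
    """A TCP listener with a fixed number of half-open (SYN-received) slots."""
    capacity: int                 # size of the half-open table (constructed value)
    timeout_ms: int               # how long an unanswered SYN-ACK is kept
    half_open: deque = field(default_factory=deque)   # (expiry_ms, src), oldest first
    dropped_syns: int = 0         # SYNs that arrived while the table was full

    def expire(self, now_ms: int) -> None:
        """Remove entries whose final ACK never arrived within the timeout."""
        while self.half_open and self.half_open[0][0] <= now_ms:
            self.half_open.popleft()

    def on_syn(self, now_ms: int, src: str, client_acks: bool) -> bool:
        """Process one SYN; return True if a connection gets established.

        client_acks=True models a real client that answers the SYN-ACK at once.
        client_acks=False models a spoofed SYN: the SYN-ACK goes to an address
        that never asked for it, so the entry sits in the table until it expires.
        """
        self.expire(now_ms)
        if len(self.half_open) >= self.capacity:
            self.dropped_syns += 1    # no free slot: the SYN is silently discarded
            return False
        if client_acks:
            return True               # third packet arrives, slot is released immediately
        self.half_open.append((now_ms + self.timeout_ms, src))
        return False


def simulate(capacity: int, timeout_ms: int, attack_rate_per_s: int,
             duration_ms: int = 60_000, legit_first_ms: int = 125,
             legit_interval_ms: int = 500) -> dict:
    """Flood a listener for duration_ms and count the legitimate client's outcomes.

    The attacker sends one spoofed SYN every 1000 // attack_rate_per_s ms and
    never replies to the SYN-ACK. A legitimate client sends a SYN at
    legit_first_ms and every legit_interval_ms after that. Times are integer
    milliseconds so that the event order is exact.
    """
    listener = Listener(capacity=capacity, timeout_ms=timeout_ms)
    attack_period = 1000 // attack_rate_per_s
    next_attack, next_legit = 0, legit_first_ms
    spoofed = 0
    accepted = rejected = 0
    first_rejection_ms = None
    while min(next_attack, next_legit) <= duration_ms:
        if next_attack <= next_legit:
            spoofed += 1
            # a fresh forged source address per SYN, as a spoofing attacker would use
            listener.on_syn(next_attack, f"spoof-{spoofed}", client_acks=False)
            next_attack += attack_period
        else:
            if listener.on_syn(next_legit, "legit-client", client_acks=True):
                accepted += 1
            else:
                rejected += 1
                if first_rejection_ms is None:
                    first_rejection_ms = next_legit
            next_legit += legit_interval_ms
    return {
        "legit_accepted": accepted,
        "legit_rejected": rejected,
        "first_rejection_ms": first_rejection_ms,
        "attacker_syns_dropped": listener.dropped_syns,
        # steady-state occupancy (Little's law): SYN arrivals per second times
        # the seconds each half-open entry lives; the flood wins if this >= capacity
        "steady_state_half_open": attack_rate_per_s * timeout_ms // 1000,
    }


if __name__ == "__main__":
    # Constructed scenarios: a 256-slot table and a 10 s SYN-ACK timeout.
    # 20 SYN/s keeps about 200 entries live, under capacity: the listener copes.
    print("20 SYN/s:", simulate(capacity=256, timeout_ms=10_000, attack_rate_per_s=20))
    # 50 SYN/s would keep about 500 entries live: the table fills after roughly 5 s
    # and stays full, because each expired entry is replaced as soon as it frees up.
    print("50 SYN/s:", simulate(capacity=256, timeout_ms=10_000, attack_rate_per_s=50))
```

In the second scenario the legitimate client connects ten times, then is locked out for the rest of the run, even though the attacker itself is sending only a few hundred tiny packets per second; the attacker never receives a SYN-ACK because every one is addressed to a forged source.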

Distributed Denial of Service (DDoS)

DDoS attacks are essentially any kind of DoS attack launched from a large number of attacking computers at once. Commonly these devices are infected with malware, and their owners are unaware that their machines are being used in this way. This gives attackers far more devices to attack with, without leaving a trail back to themselves or needing the funds to buy or rent them.

This group of infected computers, all of which can be remotely directed to attack a single target, is called a botnet.