The DDoS Education Series Part 1/4: You’re Going to Need a Bigger Boat: Staying Afloat Against TOS Flood Attacks

Welcome to the first in a series of four blog posts that examine the most significant types of DDoS attacks, why they pose threats, how to identify them and how to mitigate them. In this blog post, we turn the spotlight on TOS Flood attacks.

The threat of DDoS attacks is a growing one, with Cisco reporting that the size of these types of cyber-attacks are steadily increasing year over year, already approaching 1.2 Gbps. An attack of this magnitude could take most service providers offline completely, not to mention destroy their customers QoS. (Quality of Service)

As well as scope, these kinds of attacks are also growing in frequency. In 2016 the number of DDoS attacks grew by 172%, and is expected to reach 3.1 million globally by 2021. It was under a year ago that the Mirai source code was unleashed, a malicious botnet which offers configurable attack features, able to be utilized by anyone with harmful intent. Mirai can specify and randomize packet size, forge TOS/IDNT/TTL in customers IP header, force the source and destination ports and use TCP flags to control the establishment and maintenance of a user’s connection.

Perhaps worst of all, Mirai has been used to great effect in coalition with other malware, serving up blended attacks which are harder to identify and more complex to combat. The bottom line is clear. Far from being yesterday’s problem, attacks like TOS floods are very much back on the battlefield, with a whole host of new weapons in their arsenal.

Understanding TOS Floods

A DDoS attack is defined by one or many systems attacking a target with a ‘flood’ of incoming messages. The system becomes overwhelmed, and can become highly congested or even shut down completely. TOS Flood attacks come underneath this umbrella. The attackers will use the ‘TOS’ field of your IP header, and can launch one of two types of attacks.

  1. By spoofing ECN (Explicit Congestion Notification) packets, the ability of individual connections are reduced or totally limited. The server may then appear to be unresponsive or out of service. Legitimate users are unable to connect to their server.
  2. DiffServ class flags are manipulated, to increase priority for malicious traffic over the usual traffic. This second method increases the effectiveness of another attack, rather than being in itself a DDoS attack.


TOS flood

The risk with this kind of attack is that your server will become totally unusable for your customers, and at the very least, applications which need a strong connection will become unreliable. Think about any VoIP software such as Skype, online meetings or video streaming.

Protecting your Customers

With the size of these threats growing, companies need to choose a solution which can handle large-scale threats and volumetric attacks. It goes without saying that you also need immediate emergency response services in the case of a malicious event or a threat to your consumers.

Effective solutions must have real-time detection and an in-line advantage, which can detect even fragmented DDoS attacks, and can even zero in on an attack which has never been seen before.

To be fully protected, an organization is advised to have both inbound and outbound protection from DDoS, an extra safeguard that can stop your resources being exhausted from within the network, with a multilayer defence strategy that effectively future-proofs your service.

TOS and other types of DDoS attacks cause damage to your network infrastructure, disrupt service continuity and sink your business reputation beyond repair. With the growth in infected IoT devices and more complex blended attacks like Mirai, reactive solutions once problems have arisen just aren’t good enough. Your customers are expecting supreme QoS, and will be quick to jump ship if they experience service interruption. The only way to guarantee their QoS is with a robust preventative solution which checks all the boxes.

Our next blog post in the series will discuss Syn Flood attacks. Subscribe by email or by RSS feed to make sure you don’t miss out!


Making IoT Secure: A Holistic Approach
The DDoS Education Series Part 2/4. Are You SYN-fully Unprotected Against the Latest DDoS Threats?

Leave a Comment

Your email address will not be published. Required fields are marked *