
Facilitator/Educator Guide: Cybersecurity: Denial-of-Service Attack Activity

On average, how often do your students access the Internet? They might check their email or social media pages, watch a YouTube video, do research, or play games; but is it safe? Cyber-attacks increasingly make it into the news. Help your students examine "denial-of-service" (DoS) cyber-attacks, find ways to protect the system, and gain insight into what cybersecurity is about.
Activity's uses: Small group exploration
Area(s) of science: Math & Computer Science
Difficulty level:
Prep time: 10-20 minutes
Activity time: 30-45 minutes
Key terms: Cybersecurity, Internet Use, Information Technology, Problem Solving
Downloads and Links: Facilitator / Educator Guide PDF.
Student Guide web page or PDF.


Background Information

A denial-of-service (DoS) cyber-attack is exactly what it sounds like: a cyber-attack that results in the service being unable to function normally. Its only goal is to bring the target down or limit its services, not to steal confidential information. The result is that the target (the attacked network or computer system) is unable to respond efficiently or appears slow to its users. DoS can damage the targeted system; just think of how you feel if a site is slow or down. Do you wait, or go somewhere else?

Before you can explore how DoS cyber-attacks happen, here is a high-level overview of how requests travel from the requester (also called client) to a server (the machine that processes the request). In essence, a posted request passes firewalls, routers, and switches as it travels through the Internet. On the receiving end, a router sends the request to the correct server, potentially with a priority tag. There, it is placed in a queue to be processed when the server has a chance. For this activity, the process will be further simplified to the process shown in Figure 1.

Client-Server architecture used in this DoS-attack activity
Figure 1. In its simplest form, requests posted by a client travel over the Internet to a server, which then processes the request.

In DoS attacks, a malicious user typically floods a targeted system with useless traffic or processes. Most aim to keep the part that processes the requests so busy that it becomes useless. One way to do this is to send the target server many (bogus) requests in a short time span so the server is flooded with requests and is unable to process them in a timely way. This type of DoS attack is well-suited to convey the idea of DoS attacks because it is simple, identifying it is easy (requests from a particular client come at an abnormally high rate), and intercepting it is straightforward (disregard all requests from the attacking client). Once this is understood, more sophisticated DoS attacks, which might be harder to detect, can be explored.

Cybersecurity's task is to safeguard information technology (IT) systems against loss due to failure of the system. This includes protecting services against DoS attacks. DoS attack prevention can be divided into two main components: attack detection (how you know an attack is being executed) and classification of traffic (how you can distinguish legitimate from illegitimate traffic). The ideal defense mechanisms let all legitimate traffic through, while blocking illegitimate requests without slowing down the process. In real life, compromises are often necessary.

Several protection mechanisms are used. Implementing a good firewall, which can identify and disregard illegitimate requests, is often the first step. Another tactic is to increase the capacity of the system to handle requests. Although this might not intercept attacks, it makes the service less vulnerable, as it is able to handle the additional load of illegitimate requests.

Although this activity greatly simplifies the process, this basic model can reveal several ways in which a successful DoS attack can be launched, and ways cybersecurity can counter the attack. Let your students be the detectives, identify cyber-attacks, and find creative ways to protect the service against the attacks.

For Discussion

This science activity can serve as a starting point for a variety of cybersecurity discussions. Here are a few examples of questions to start a discussion:

  • Does anyone remember a cybersecurity breach leading to massive losses that made the news? Do you see these breaches as major problems?
  • How does receiving a slow response from a site (like YouTube), or no response at all, make you feel? Does it influence your use of the service?
  • Has anyone heard of a denial of service (DoS) in the world of computers and cybersecurity? What is a DoS attack?
  • How do you think organizations protect themselves against denial-of-service attacks?

Materials

Needed for preparing ahead:

Needed for each small group of 9–12 students:

  • Colored construction paper, 9 by 12 inches (5–8 distinctly different colors; 10 sheets of one color, 4 sheets of all other colors)
  • Scissors or paper cutter
  • Server queue printout (at least one, some groups might need an additional one)
  • Processing paper printout (3)
  • Clear tape or glue
  • Small boxes (2) to collect cards of size 1 ½ by 2 inches. (Note: Some groups might need an additional set of 2 boxes)
  • Permanent marker

Needed at the time of the science activity:

  • Timer

Needed for each small group at the time of the science activity:

  • Student desks (6–9)
  • Pen or pencil (one per participant)
  • Stack of cards in 5–8 colors; a stack of at least 350 cards for one color, and at least 140 cards per stack for all other colors.
  • "Drop" box and "Processed" box
  • Assembled server queue (at least 1, some groups might need an additional 1)
  • Student worksheet (1 per participant)
This Cyber-attack activity uses easy to find simple materials.
Figure 2. You need only a few simple materials per group to prepare (figure on the left) and do (figure on the right) this fun science activity.

What to Do

Prepare Ahead (10-20 minutes)

  1. Divide the number of students into groups of 9–12.
  2. For each group:
    1. Write "Dropped" on one box and "Processed" on the other box.
    2. Cut the construction paper into cards of 1 ½ by 2 inches so you have at least 140 cards per color of most colors and at least 350 of one color. This template can help you cut faster. To find the number of colors you need for a group, subtract 4 from the number of students in the group.
    3. Tape or glue the three pages of the Server Queue printout(s) together.
    4. Cut one paper card of each color into small pieces and tape or glue one piece at the top of a column on each processing paper.
    5. The results should look like Figure 2 (figure on the right).
  3. For each small group, do the following:
    1. Arrange the desks so the server is within easy reach of the clients. A setup as depicted in Figure 3 works well. Note: Three students in each group (the guard and the two internet volunteers) do not need a desk for the activity, but might still like to use a desk to fill in their worksheet.
    2. Arrange the materials on the desks, as listed in Table 1.
    3. Keep the additional server queue (if you chose to print one) and processing papers to yourself; they will be needed later in the activity.
    4. You can place a worksheet on each desk or pass out the worksheets later.
This classroom setup works well to do the DoS attack activity.
Figure 3. Small-group setup diagram.

Role: Clients (5–8)
[Picture: DoS cyber-security client desk setup]
Each client has:
  • A stack of cards (350 for one client and 140 for all other clients), a different color for each client.
  • A pen or pencil

Role: Server (1)
[Picture: DoS cyber-security server desk setup]
The server has:
  • An assembled server queue
  • Empty "Dropped" box next to the queue
  • Processing paper
  • "Processed" box next to the processing paper
  • Pen or pencil

Table 1. Cybersecurity DoS activity setup checklist for each small group of students.

Science Activity (30-45 minutes)

  1. Divide the students into small groups of 9–12 students. Each small group should have the items listed in Table 1 ready.
  2. Briefly introduce DoS attack and cybersecurity to the students.
  3. Explain the activity, and its Information Technology (IT) analogy: Clients issue requests that travel via the Internet to a server that processes the requests. Once a request is processed, a response generally finds its way back to the client. This activity does not model the response back. Figure 4 shows how requests move around in the activity.
In this DoS-attack activity, two students representing the internet move requests from the clients to the server.
Figure 4. This figure illustrates how the Internet moves requests (colored cards) issued by a client to the server, where they can be processed.
  4. Go over the tasks assigned to each role in the activity, as listed in Table 2.

Role: Clients (5–8)
[Picture: DoS activity client action]
Tasks:
  • Takes a card from their stack, writes their full name on the card, and places the card on the corner of their desk where the Internet person will pick them up.

Role: Internet (2)
[Top picture: The Internet picks up requests from the client. Bottom picture: The Internet delivers requests.]
Tasks:
  • Picks up request cards from the clients (top picture in this row); picks up all cards that a client has ready and picks up from a maximum of three clients before delivering.
  • Delivers request cards to the server by placing them on the next free slot(s) in the server queue (bottom picture in this row).
  • When all slots are full, counts to 10, places request cards in slots that became available while counting, and drops the remaining request cards in the "Dropped" box.
  • Returns to pick up new requests.
Note: Second Internet person starts when the first Internet person arrives at the server queue.

Role: Guard (1)
Tasks:
  • Observes how the activity is going.
  • Stops the activity when the teacher indicates it is time to stop, and does the following:
    1. Instantly stops the Internet from delivering any more requests.
    2. Asks the clients to stop writing requests.
    3. Counts to 10.
    4. Asks the server to stop processing requests.

Role: Server (1)
[Picture: The server processes requests.]
Tasks:
  • Takes requests, one by one, in order, from the server queue.
  • Writes a checkmark in the column corresponding to the color of the request card on the processing paper. Starting from the top line, one checkmark per line.
  • Places the card in the "Processed" box.

Table 2. The roles and tasks in the DoS cyber-attack activity.

The Activity: Stage 1

  1. Assign roles to the students. For each small group, assign one student to the server role, one student to the guard, two students to the Internet role, and the remaining students to the client role. Be sure the student with the server role is not color-blind. If needed, switch roles with a non-color-blind person.
  2. Let the Internet people agree who will start instantly and who will wait until the first Internet person arrives at the server queue.
  3. Start the activity and the timer.
  4. Notify the guard to stop the activity after 2 minutes.
  5. Once the guard stops the activity, lead a short discussion on how the system runs under normal conditions.
    1. Ask students to count the number of requests in the "Processed" box (alternatively, a student can calculate the number of requests indicated on the processing paper), the number of requests in the "Dropped" box and the number of requests still waiting in the server queue.
    2. Point out that almost all, if not all, of the requests have been processed. As an option, let the students calculate what fraction of requests arriving at the server have been processed. You can do this by dividing the number of processed requests by the total number of legitimate requests that made it to the server (the number of processed, dropped and waiting requests added together).
    3. Point out that no or few requests were dropped, indicating the system was always available to the clients.
    4. Point out that few requests are left in the server queue, indicating the handling of requests was timely.
    5. Point out that clients had their requests picked up in a timely manner (there was no accumulation of requests on their desks).
    All these observations characterize an efficient system.
  6. Allow the students to write down their observations.

The Activity: Stage 2

  1. Introduce the second part of the activity where the group will simulate a DoS attack by making the following changes to the activity:
    1. One client (the attacker) can deliver up to 10 requests at a time to the Internet. The attacker does not need to write his or her full name on the requests. (Note: This is different from IT systems, where requests from attackers do come with valid addresses; they look just the same as other requests.)
  2. Give the students a few minutes to hypothesize what will happen.
  3. Assign the students new roles (switching roles keeps students engaged and lets them experience the different aspects of the process). Identify the "attacking" client as the client with the biggest stack of request cards. Ensure the student in the server role is not color-blind.
  4. Empty the "Processed" and "Dropped" boxes, then hand out a new processing paper to the server.
  5. Let the Internet people agree who will start instantly and who will wait until the first Internet person arrives at the server queue.
  6. Start the activity and the timer.
  7. Notify the guard to stop the activity after 2 minutes.
  8. Once the guard stops the activity, lead a short discussion on how the DoS attack affected the process.
    1. Ask students to count the number of legitimate requests in the "Processed" box (alternatively, a student can calculate the number of legitimate requests indicated on the processing paper), the number of legitimate requests in the "Dropped" box and the number of legitimate requests still waiting in the server queue. Note: You are not interested in the requests issued by the attacker; they are not counted in the evaluation of the system's efficiency.
    2. Point out that only a fraction of legitimate requests have been processed. As an option, let the students calculate this fraction.
    3. Point out that several legitimate requests were dropped. In a computer system, this is seen as a server not being available to the client; in other words, the attack was successful at hampering the service.
    4. Point out that requests are left in the server queue, and fewer legitimate requests (compared to activity Stage 1) have been processed in a similar time period, indicating the server responded slowly.
    5. Requests might have accumulated on clients' desks, indicating their requests were not picked up in a timely manner. If so, point this out to the students.
    All these observations show the system is under stress; it is not able to serve the clients efficiently.
  9. Allow the students to write down their observations.

The Activity: Stage 3

  1. Let students play the role of cybersecurity personnel. What would they observe indicating an attack is being executed? When do these observations become a problem? Remind students to be specific in their formulation. Some sample answers you might get are listed in Table 3.
Observation | Problem
Server queue never empties; it is always quite full. | The server is overloaded with work. Clients need to wait for the server to respond.
Requests stack up on clients' desks. | The handling of requests is slow because the system is busy handling the attacker's requests. Clients need to wait.
Requests land in the "Dropped" box. | The server is unavailable.
Table 3. Table listing observations and problems that might occur when a system is under attack.
  2. Note these "problems" become puzzles for cybersecurity and system managers to resolve. Brainstorm solutions for the problems listed. Guide the students into being specific in their solutions. Table 4 shows some possibilities.
Possible Solutions | How Does It Protect the System? | Computer Analogy
Add a second server to handle requests. | Increased capacity makes a system less vulnerable under an attack, as it can handle larger loads. | Add an additional server to increase the capacity of the system.
Ask the guard to systematically sift through the incoming requests and remove any that seem suspicious based on an algorithm. Example: If an Internet delivery contains more than five requests of the same client, remove them. | Removing illegitimate requests allows the system to focus on serving clients. | Implement a firewall, which removes requests based on the outcome of tests. The tests range from a basic logical test to sophisticated engineered techniques. Example: If the rate of incoming requests from a single client exceeds a threshold, all requests from that client are dropped for a specified time interval.
Add a second server queue. | Increased buffer capacity makes a system less likely to go down under an attack. | Increase the buffer size of servers.
Table 4. Table listing interventions that can protect a system against a DoS attack.
  3. For each small group, select one proposed solution to be acted out. Make changes to the setup, as needed, to implement the solution. Note that you might need to reduce the number of clients by one to find a volunteer to act out the additional server.
  4. Perform the activity as indicated in Stage 2, steps 3–7.
  5. Once the guard stops the activity, lead a short discussion on how the implemented solution affected the process.
    1. Ask the server to calculate the number of legitimate requests processed, ask the guard to count the number of legitimate requests dropped, and ask an Internet person to count the number of legitimate requests still waiting in the server queue.
    2. Let the students share their count with their group.
    3. Evaluate if any legitimate requests were dropped, revealing whether or not the system was inaccessible to the clients at particular times during the activity.
    4. Evaluate how fast requests were processed by looking at the number of requests left in the server queue and the total number of legitimate requests processed.
    5. Evaluate the efficiency of the system, defined as the fraction of legitimate requests processed over the number of legitimate requests reaching the server.
    6. Compare the efficiency of the system now to the efficiency in Stage 2 of this activity. Did the implemented protection increase the performance of the system?
  6. Allow the students to write down their observations.
  7. If time allows, implement other ways to attack the system, as suggested in the For Further Exploration section.

The Activity: Closing

  1. Lead a closing discussion. Some questions you might ask are:
    1. Why do they think cybersecurity cares about DoS attacks? How can DoS attacks create damage?
    2. Based on this activity, how would you describe the task of cybersecurity with respect to DoS attacks?
    3. Talk about how students can help fight DoS attacks by protecting their personal computers from illegitimate use. This makes it harder for attackers to use their machines in an attack.

Expected Results

The following observations will likely occur:
  • Stage 1 - Running under normal conditions:
    The process is likely to run smoothly.
    The counts should look as follows:

     | Count | Implications
    Number of processed requests | High | Requests are processed in a timely manner.
    Number of dropped requests | 0 or very few | The system is always available to the clients.
    Number of requests in the queue | Few | The system processes the requests in a timely manner.
    Efficiency | Close to 100% | The efficiency of the system in processing legitimate requests in a timely manner is high.
    Number of requests in stacks on clients' desks | Few | Requests are picked up in a timely manner.
    Table 5. Expected results for the activity run under normal conditions.

    The system runs efficiently and clients are highly satisfied.

  • Stage 2 - Running when a DoS attack is being executed:
    The process is likely to be under stress and fail at times.
    The counts should look as follows:

     | Count | Implications
    Number of processed legitimate requests | Much lower than in Stage 1. | The efficiency of the system in processing legitimate requests in a timely manner is low.
    Number of legitimate requests dropped | Higher than in Stage 1. | The system is unavailable at times.
    Number of requests in the queue | Close to 36, the maximum the server queue can hold. | The system processes the requests slowly.
    Efficiency | Well below 100%. | The system fails to process legitimate requests in a timely manner.
    Number of requests in stacks on clients' desks | Might be fairly high. | The handling of requests is slow and clients need to wait.
    Table 6. Expected results for the activity running when a DoS attack is being executed.

    The system runs inefficiently and clients are dissatisfied.

  • Stage 3 - Running with added defense when a DoS attack is being executed:
    The degree of improvement on the previous scenario will largely depend on the chosen defense mechanism and how well it was implemented.
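
Added example (not part of the original guide): a small Python simulation of the three stages, comparing the "second server" and "rate-threshold firewall" defenses from Table 4 using the efficiency measure defined above. The 36-slot queue and the bursts of 10 come from the guide; the tick timing, the five staggered clients, the firewall parameters, and dropping immediately when the queue is full (instead of counting to 10) are simplifying assumptions.

```python
from collections import deque

QUEUE_SLOTS = 36   # server queue capacity given in Table 6
TICKS = 120        # one 2-minute round at 1 tick per second (assumption)
PERIOD = 5         # each legitimate client sends 1 request per 5 ticks (assumption)
BURST = 10         # the attacker hands over up to 10 requests at a time (Stage 2)
ATTACKER = "attacker"


class RateFirewall:
    """Table 4 rule: a client that exceeds `threshold` requests within `window`
    ticks has all of its requests dropped for `block_for` ticks (assumed values)."""

    def __init__(self, threshold=5, window=5, block_for=30):
        self.threshold, self.window, self.block_for = threshold, window, block_for
        self.recent = {}         # client -> ticks of its recent requests
        self.blocked_until = {}  # client -> first tick it is accepted again

    def allow(self, client, tick):
        if tick < self.blocked_until.get(client, 0):
            return False
        seen = self.recent.setdefault(client, deque())
        seen.append(tick)
        while seen[0] <= tick - self.window:   # forget requests outside the window
            seen.popleft()
        if len(seen) > self.threshold:
            self.blocked_until[client] = tick + self.block_for
            seen.clear()
            return False
        return True


def run_round(clients=5, attack=False, firewall=None, servers=1):
    """Simulate one round and return counts of legitimate requests only."""
    queue = deque()
    counts = {"processed": 0, "dropped": 0, "waiting": 0}
    for tick in range(TICKS):
        # Staggered clients: with 5 clients, exactly one legitimate request per tick.
        arrivals = [f"client{i}" for i in range(clients) if (tick + i) % PERIOD == 0]
        if attack and tick % PERIOD == 0:
            arrivals = [ATTACKER] * BURST + arrivals
        for client in arrivals:
            admitted = firewall is None or firewall.allow(client, tick)
            if admitted and len(queue) < QUEUE_SLOTS:
                queue.append(client)
            elif client != ATTACKER:
                counts["dropped"] += 1     # queue full, or filtered by mistake
        for _ in range(servers):           # each server handles one request per tick
            if queue and queue.popleft() != ATTACKER:
                counts["processed"] += 1
    counts["waiting"] = sum(1 for c in queue if c != ATTACKER)
    return counts


def efficiency(counts):
    """Processed legitimate requests / legitimate requests that reached the server."""
    return counts["processed"] / sum(counts.values())


if __name__ == "__main__":
    for name, kwargs in [("Stage 1: normal", {}),
                         ("Stage 2: attack", {"attack": True}),
                         ("Stage 3: second server", {"attack": True, "servers": 2}),
                         ("Stage 3: rate firewall", {"attack": True,
                                                     "firewall": RateFirewall()})]:
        result = run_round(**kwargs)
        print(f"{name:24} {result}  efficiency={efficiency(result):.0%}")
```

In this model the second server still drops legitimate requests because the queue keeps filling, while the firewall keeps the queue short by removing most of the attacker's traffic before it is queued.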

For Further Exploration

This science activity can be expanded or modified in a number of ways. Here are a few options:
  • Students can act out several defense mechanisms, as well as combined mechanisms, and study their influence on the efficiency of the system.
  • Different attack scenarios can be introduced. Some suggestions are listed in Table 7. As indicated in the last column of the table, these scenarios are simplified versions of attack strategies used in the real world.
Name | Activity | Internet World
Distributed denial-of-service attack | The attacker can use all colors of requests used in the group, making it harder to filter out attacker requests. | The attacker illegitimately communicates with a large number of compromised clients to launch the attack.
Fake clients | Introduce one or more new card colors that are unknown to the server. The server can examine their list and toss what is not known. | Attackers change the format of requests or introduce fake client addresses to launch their attacks.
Flooding with ping requests | Add ping requests (or cards with the sender's name and the word "Ping") where the server returns the request card to the Internet to be returned to the sender. Flooding a service with ping requests will keep the server and the Internet unavailable to handle legitimate requests. | A ping request asks a server to return an empty message. It is commonly used as a way to know if a service is there. In the Internet world, all requests generally return a response. Because a ping request is the minimal request followed by the minimal response, flooding the system with ping requests can overload the message-handling part of the IT system.
Ping to death | Add a color that is unknown to the server and the Internet to the "Flooding with ping requests" scenario, so the Internet does not know where to return the ping request to. This confuses the system, resulting in a loss of efficiency. | Attacking a system using malformed ping requests.
Table 7. Suggested alternative attack scenarios, and their relationship to the real world.

Credits

Sabine De Brabandere, PhD, Science Buddies
Sponsored by a generous grant from EMC