Malware-Driven DoS, SYN Flood, Reflection & Botnet Mechanics Explained

Name: mod01lec04 - Malcious Software - Part 2
Uploaded: 2026-03-27T09:29:38.770154+00:00
Duration: 31 min 20 s
Channel: NPTEL-NOC IITM
Description: Summary and key takeaways on mod01lec04 - Malcious Software - Part 2: Summary & Key Takeaways, covering Malware Capabilities Malware such as viruses and worms

NPTEL-NOC IITM

Mar 27, 2026

•

31 min video

•

2 min read

YouTube video ID: zbU-mYqHbSg

Source: YouTube video by NPTEL-NOC IITM — Watch original video

PDF

Malware such as viruses and worms can copy themselves to other applications and computers, delete files silently, generate network traffic without the user’s knowledge, harvest passwords via keyloggers, and encrypt data before deleting the original files. These actions can occur entirely in the background, making the victim unaware of the ongoing damage. Because the malicious program can also produce traffic, it can be a source of denial‑of‑service (DoS) or distributed denial‑of‑service (DDoS) attacks.

Denial of Service and Distributed Denial of Service

DoS and DDoS attacks target the “availability” pillar of security by overwhelming a server’s bandwidth or processing capacity. Infected machines, or bots, send a flood of packets that exceed the server’s limits, preventing legitimate users from accessing the service. The traffic is generated by malware under external control, so the victim’s computer may never see the attack originate from it.

SYN Flood Attack

A SYN flood exploits the TCP three‑way handshake (SYN, SYN‑ACK, ACK). When a SYN packet arrives, the server allocates a Transmission Control Block (TCB) – typically 250 to 1,000 bytes – to store the connection’s IP address and port. The attacker sends many SYN packets but never completes the handshake with the final ACK, causing the server to fill its TCB pool (e.g., 1,000 entries). Once the memory is exhausted, the server cannot accept new legitimate connections, resulting in a denial of service. This can be achieved with a single machine that can generate enough SYN packets.

Reflection and Amplification Attacks

In reflection attacks, malware sends spoofed requests to intermediate servers such as DNS or NTP, using the victim’s IP address as the source. Those servers, unaware of the spoofing, reply directly to the victim, reflecting the traffic. Amplification occurs when the reply is much larger than the request; for example, a 100‑byte request can trigger a 1,000‑byte response. This magnifies the attack volume while hiding the attacker’s identity and reducing the bandwidth each compromised host must provide.

Botnets and Command‑and‑Control

A botnet is a network of automated programs (bots) coordinated to perform malicious activities. While a bot itself is merely an automated task runner, a botnet can launch DDoS attacks, send spam, or steal data under the direction of a botmaster. Coordination is achieved through a Command‑and‑Control (C&C) infrastructure, which may be centralized (client‑server model) or distributed via peer‑to‑peer propagation. Robust C&C must handle churn—bots going offline or rebooting—and keep reaction time minimal. Common communication protocols include IRC and HTTP/Web traffic.

Takeaways

Malware can silently copy itself, delete files, generate traffic, harvest passwords, and encrypt data without the user’s awareness.
DoS and DDoS attacks overwhelm a server’s bandwidth or processing capacity, targeting the availability aspect of security.
A SYN flood exhausts a server’s memory by filling its Transmission Control Block pool with incomplete TCP handshakes.
Reflection attacks spoof the victim’s IP to intermediate servers, while amplification multiplies the response size, hiding the attacker’s source.
Botnets use centralized or peer‑to‑peer command‑and‑control infrastructures, often communicating via IRC or HTTP, to coordinate large‑scale malicious actions.

Frequently Asked Questions

How does a SYN flood exhaust a server’s memory?

A SYN flood sends many TCP SYN packets without completing the handshake, causing the server to allocate a Transmission Control Block for each request. Each TCB consumes 250‑1000 bytes of memory, and when the server’s TCB limit (e.g., 1,000 entries) is reached, no new connections can be accepted, resulting in a denial of service.

What distinguishes reflection from amplification attacks?

Reflection attacks involve sending spoofed requests to intermediate servers that reply to the victim’s IP, redirecting traffic toward the target. Amplification adds a size increase, where a small request (e.g., 100 bytes) triggers a much larger response (e.g., 1,000 bytes), magnifying the attack’s impact while obscuring the attacker’s origin.

Who is NPTEL-NOC IITM on YouTube?

NPTEL-NOC IITM is a YouTube channel that publishes videos on a range of topics. Browse more summaries from this channel below.

Does this page include the full transcript of the video?

Yes, the full transcript for this video is available on this page. Click 'Show transcript' in the sidebar to read it.

Helpful resources related to this video

If you want to practice or explore the concepts discussed in the video, these commonly used tools may help.

Network Security Books For Beginners Recommended

Provides foundational knowledge on malware, DoS, and botnets, helping users understand the concepts discussed in the video.

Amazon →

Computer Forensics Tools Kit

Useful for investigating malware and understanding how it operates, which is a core theme of the video.

Amazon →

Ethical Hacking And Penetration Testing

Explains the techniques used in attacks like DoS and botnets, providing practical context to the video's theoretical explanations.

Amazon →

Cybersecurity Awareness Training Materials

Helps users understand the risks associated with malware and network attacks, aligning with the video's focus on damaging malware capabilities.

Amazon →

Links may be affiliate links. We only include resources that are genuinely relevant to the topic.

Summarize another video

Full Transcript YouTube

[Music]
so both virus and worm being the
equaliser software they do some damage
let's ask the question what exactly they
can what kind of the damage they can do
on to the
system
so first thing is
they can send copies of itself to the
other
applications and other computers so
that is the first thing
both of them can do
and second thing is they can take some
accents without user knowledge so
sitting in the background deleting
silently deleting a file is an action
or it could be
generating some network traffic without
the user's knowledge usually when does
the
topic generate let's say i open a
browser and type let's say google.com or
any other website name that time when i
click on the button then i'm accessing
the some content
that time the network traffic should
originate from my computer to the
server and then
prompt server to be my computer but
the malicious software if it is sitting
the virus and worm is sitting in my
computer
although i may not be browsing anything
i'm not doing anything even then in the
background it can generate some topic
that is the
uh an action which is not you
user
behavior driven so this is not under the
control of the user
so normally a type of attacks called as
the denial of service attacks are
distributed dynamic service attack these
are also called some flooding attacks
we'll discuss them in the next
few minutes
so such attacks are generated by these
uh malicious software
and the other things that they can do is
they can silently sitting harvest the
password to generate the example they
gave
the spywares and keel loggers actually
take the monitor your keystrokes and
then collect the password those are the
another action
the malware can take
encrypt the files and data and delete
the then data so these things can they
can do
so
without
going into the details of
how the the malware can harvest the
passwords and encrypt the files and
delete the files let's take one
particular example which in this case is
the
how the malware can actually generate
the
denial service attacks and distributed
data service attacks we'll see that in
little more detail so
here is the
uh in example of
a denial of service attack the knowledge
service attack is that attack which
actually targets the
availability of the service remember if
you recollect the previous class
discussion or the
security itself is defined under three
terms one is the confidentiality
integrity and the availability
and
this
attack general service and distributed
and then service attack target the
availability of the service
so what kind of
action
can take
so i have
a
server here which is
named it as the victim server and on the
left hand side there are a bunch of
systems so on each of the system think
of these are cool computers
uh a malware cup is sitting so a malware
is sitting it is these are all infected
possible infected machines so a malware
is here and this computer and this
computer everywhere smaller a bunch of
let's say n of them and such computers
are there
and they can collectively do something
to the victim so what
they can do
they can send a large set of the packets
so go to the in server so usually the
servers got a limited
bandwidth
bandwidth maybe let's say one
gbps 2gb use whatever the
connectivity bandwidth available at the
server
if the
all the systems uh collectively generate
traffic which exceeds the capacity the
bandwidth available at the server then
that can cause the damage to the server
so any legitimate user who is
here if he is actually trying to access
maybe let's say web server is that this
victim server is having
some web application so i have any jenny
user comes up and then he tried to
access that
server they may not be able to so why
they may not be able to do so because
these programs sitting on all these
computers are generating so much of
traffic that that exceeds the capacity
of the link that is attached to this
victim server so such things are called
distribution of service attacks so the
malware the worm that is sitting inside
those computers is doing nothing more
without the user knowledge
probably under someone else control
is generally just generating the packet
nothing more than that send packet to
this particular computer this particular
server maybe let's say the
some
web server may be irctc web server with
really ticking booking web server to
that server it is continuously all of
them together at the same time sending
the traffic so irctct web server is
having some limited bandwidth processing
capacity as long as that capacity either
the bandwidth or the processing capacity
is exceeded then the any legitimate is a
reply tomorrow i go and then when this
attack is going on if i am trying to
access the web server and then trying to
book a ticket i may not be able to do so
so such that's called caller does it
limited enough service attacks so this
software can actually do such kind of
thick accents
so
one of the special type of
this kind of flooding attack
which was
discovered in the it is something called
as the
syn flood
attack
uh so what this sin blood attack
actually does is
it abuses the tcp's three-way handshake
communication
behavior and then generate the attack so
let me write what exactly
do
so if you record your networking
objective let's say i have a client and
server let me denote with the
letter c and yes he is the client and
this is the server client is the one
usually you just request for connection
so a sim packet goes from the client to
the server
and then
the server sends
another packet which is the syn plus
acknowledgement
and the third one from the client to the
server is the acknowledgement so this is
called three-way handshake a sim sin
plus acknowledgement and then the third
acknowledgement
so this three-way handshake the
tcp three-way handshake
is looking like this
so uh something uh interesting happens
every time uh
this
synthesis
plus act
is exchanged between the client and the
server particularly at this point of
time when the first syn
packet comes from the client to the
server the server need to know
packet came from which client
particularly the ip address and the port
number source port number and from which
the client raised the request
all those details are stored in
a
data structure called as the
transmission control block in short this
is also called as a tcb tcp standard
transmission control block and this
transmission control block occupies some
memory so every time a connection
request comes one tcp is created so the
amount of the memory taken varies on
different system at the minimum maybe
from 250 bytes to some up to 1000 bytes
of the data is consumed for storing this
tcp
so what i mean to say is every time
a syn packet comes from the client to
the server the server
uh
reserves some
to at the minimum 250 bytes or up to the
thousand bytes of the data
for storing the details of that
connection so so from this computer
using this ipad this port number at the
time so for the connection request
scheme and this is the sequence number
initial sequence number also goes with
that it's in brackets so all these
details are stored in this pcb
so
is this simple attack actually abuses
the behavior of this one so particularly
it's actually
uh
want to consume the memory available at
the server and then
create the damage so what the simpler
attack does is
uh
the three-way handshake i still have the
client to see and he here is an attacker
the client will be an attacker
and then the server is there he client
sends one syn packet
and then the server
sends
back hypothetically to the same
client synonym acknowledgement
but the third acknowledgement was
supposed to go from the client to the
server or the attacker to the server is
not sent so this one the third one
is not going
and instead of that what the client does
is he sends another
syn
packet to the server
and the server again thinks that this is
another request
using a may be using
for first time it is using a port number
let's say some hypothetical port number
uh
2300 port number you made a request now
use another port number maybe
2301
and then the server sends another sin
plus
acknowledgement packet back to
you and a tcp is created at this point
of time it because this is appearing to
be a new connection a tcp is created at
this point of time
and if i continue to do so another syn
packet and then another tcp and so forth
so
one point will come where
the server
memory is filled with only these tcps
there is no more memory left on the
server that time what will happen the
server
may not be able to process or create
more number of the tcps
and then
store or serve the
so that time what the server typically
does is it's actually does not take the
new request new scene packets that are
coming or not honored it does not reply
to those accounts so by doing so so if
the attacker himself create let's say
the server has got some capacity to
create 1000 pcbs
and
if the client machine itself is able to
create 1000 tcps and then the
1001 request coming from probably from a
legitimate user
is not
honored by the server so in that case
the 1001 request coming from a
legitimate user
is
that his connection is because refused
by the server there is a denial of
service that is going on
so that is what attracts
the point i am trying to say is the
malicious software the worm or the wires
sitting on your computer can generate
kind of attacks so unlike the
the previous attack that i showed on the
twitter
you may not be requiring a large setup
the computer to generate the attract
because i know only 1000 tcps can be
created so as long as i am able to
generate 1000 uh
different legitimate looking connections
and don't complete the three-way
handshake the memory is exhausted and
then the server is actually not able to
take new request or process the new
request that is the message so the
warrant sitting in the computer can are
the malicious software degenerate can
sit and do such kind of internet so in
this case you don't require the
uh bunch of
system together
something called as the reflection
and amplification based ddos attacks
so
what this
in this case happens is
the malicious programs sitting
on these computers
don't send the
traffic to directly to the victim which
was there in the previous case
but to an intermediate
server
and they get reflected back to the
vict client so
the
one the valence computer one sends the
packet to this server usually there are
a
bunch of application particularly the
dns and ntp are known to then such uh
are the usual the targets so such
servers are used at the intermediary or
stepping stone to generate the attack so
you send the packet to this intermediate
server and they get reflected and come
to the
get accumulated at the endpoint in the
process what will happen is the these
replies that are going from these
intermediate server to that computer
will be magnified
so in the sense uh when this
computer one sent the request it might
send let's say 100 bytes of the data
and the something happens in this
intermediate node with the reflector and
the reply is
quite large
and because that reply may be
1000 bytes uh the original program sent
100 bytes here the reply become 1000
bytes 1000 byte instead of going to the
sender but it is going to the victim why
did this happen
the
sender can spoof the identity of the
victim so the ip address of the victim
is used and the packet is sent to the
intermediate server and then because the
the server the dns server or the ntp
server the intermediate server does not
know
so it is actually the iq address is boot
it genuinely sends one reply and because
the ip address of the server is used the
reply is going back to the
server
so now by doing this
what will happen is the
first of all there are not one pro
program is generating the one software
is doing the
attack a bunch of them collectively and
second thing is in the process they are
actually hiding the identity by scooping
the
ip address so who actually did the as if
the victim himself sent the request to
the
server the reply is going back then but
actually they are coming from the these
analysis software on the left hand side
and the second thing in the process they
are actually getting magnified instead
of 100 bytes going directly from the
vote one to the victim
now both one is sending only hundred
bytes but the
at the end when they are received there
the victim is receiving the 1000 bytes
so
these applications are commonly dns and
ntp this is called amplification the
reflection is going from one
computer and then
coming from one computer going to
another computer and amplification is in
the process uh the data gets magnified
instead of 100 bytes now the thousand
bytes are going that's amplification so
if you imply this there are two things
the attacker can achieve one is
the amount of the bandwidth required by
each of these individual computers is
also going to be small and thereby they
become steel
so
i don't have to for support if let's say
1gbps is the total bandwidth required at
the victim side
so
1 gbps
divided by everyone let's say 1000 watts
are there 1gbps all these thousand
boards together need to generate one
1gbps more than 1 gbps of the data
so now by doing this i know that
is
magnified by 10 times each request that
i send is each quantum the data that i
send is magnificent times i need to send
10 times lesser data from each of these
computers so that is the
simple trick
so by doing that
so the bandwidth consumption at the
source itself
becomes small thereby you avoid the
detection so although the
programs are the malware sitting on
those computers are sending the data but
they are sending it a very
small
rate so that the
the detection becomes quite
typical task
[Music]
this is one
variant of those code ddos attack that
the malware can actually
do
so
remember in the previous slide we saw
that not one computer is generating the
total topic but
a bunch of them now the question is
how these bunch of computers are coming
together how all of them are coordinated
and they generate the topic
either directly or through an
intermediate server
simultaneously
the synchronization sort of
synchronization is required how this is
actually synchronized so that is done
with
an organization structure called as the
botnet remember we did use the name
bought here so what is a name for a
malicious software
so how exactly the coordination is done
so that is what we will try to
understand here
so boat net
has got two turns in it one is the bot
bot means anything that is automated
robot is excellent okay a device is
actually doing some kind of automated
task you tell what it is supposed to do
it is actually do that so what is
actually that program anything that is
automated which is actually doing the
task automatically is called the vote
so boat itself is not a
bad
thing to have so it can do some useful
stuff anything that you want to do
repeatedly you can assign data to board
and it can do that
for you but if you use that to do the
illegitimate things malicious things
that becomes a harmful activity so that
is what we are interested in so remember
the previous case the ddos attacks and
general service attack that the boards
were generating are a harmful thing they
were targeting a particular server and
taking it down
so
net is a collection so if you
i have a lot of bots and all of them
come together and then they execute some
activity
here in this case generating the topic
is the activity that's the malicious
activity
a network of such systems coordinated
and then then doing the equity
is called as a both net so you have
a collection of the systems and all of
them are doing so they are potent
probably
under the control of one master
application which can tell each of these
malicious software sitting in different
computers to do the
certain action
at some starting at some particular
point of time
uh so
usually these botnets
are also
done for some monetary benefits maybe
these botnets by taking down this
server or
by stealing some data i might get some
incentive that's the
goal of the
tracker if they want to do that then
they actually control that to
all those
softwares and then
so usually the companies like
advertisement companies they want to
push a particular kind of the
advertisements and then they can use
such botnets to
propagate their own
content or if you want to take down
just like in the ddos case you can
actually do that
spam me sending these primal sitting all
of these programs are in different
computers
sending the spam emails to a particular
target set of people or group of people
so that is another one is not one
computer is actually doing the
generating the spam email but a
collection of them together because if
one computer starts sending thousands or
lacks of emails then that is noticeable
instead of that if you employ a bunch of
them then the detection becomes quite
true yes
so this boat net
requires some kind of the coordination
between them there is a master there is
a
there are large number of the slave
programs and then
at what point of time what accent they
should do when they should sit silently
these instructions need to be tore to
those
slave programs
so typically this is done through
something called as the command and
control infrastructure command and
controlling processor is the when you
insert the command is the instruction
that is given to those slave programs
and
to do the to push those instructions you
need to have a kind of thick background
connectivity this is also sometimes
called as a overlay structure they are
not the slave programs the malware
sitting on one computer to another
computer they these two computers not
physically uh
connected they are located in the
different places maybe
one computer here
in one place maybe mumbai second
computer might be in some other country
in some other state so all of them need
to coordinate because they are all
infected they are under control
so they build a kind of
infrastructure to co do this
coordination that
command and control infrastructure this
command and control infrastructure are
of two types one is called a centralized
command and control where a centralized
server setting is actually doing the
or taking actions or giving instruction
to all of these save programs
that uses the client server model
because there is a server involved and
second model is called distributed this
is also called as sometimes peer to peer
portnet you don't have a centralized
server which is actually doing or
sending the instruction to all these
slave programs but
somebody
the both master injects some kind of the
instruction into one of the
problem and they actually propagate the
i know who is my fear and then
the i send the instruction pass on that
information to the my peer and then
he himself again pass on that
information to his peers and this like
this the information propagates that is
called as the peer-to-peer
structure so the command and control
infrastructure is maintained either
in a centralized person or in this
distributed fashion we will see
the diagrams for both of them in the
next slide
so this structure
either
even if it is centralized or distributed
doesn't matter you need to have a kind
of stable connectivity so a lot of times
what will happen is if let's say i have
1000 to sleep program or computers
and which are infected malware is
sitting in them
and
then one of the program one of the
computer might shut down and then
it might to reboot then you need to
identify which system is actually
shutting down which system is actually
up and joining the network so you need
some kind of maintenance activity that
is required
so
that need to be robust enough who is
actually going on
if let's say
my machine is impacted and if i
erase all the content and i reinstall
the operating system of fresh then the
malware sitting on my computer might
also go so in that case
you have one less
number of the computer to contribute to
the program so the master program which
is sitting which actually in the
instruction need to know who is actually
alive at this point of time who is
actually
moving out of the network
and then the changes whatever is
happening so the reaction time the
moment the instruction is given and
and then the action starts maybe the
ddos attack itself start the tropic
generation starts the when that
instruction is given when that activity
actually start this is called the
reaction time and
the time should be minimal so if you are
able to maintain all these things so i
am able to identify the churn who is
leaving the network
who is presently up and running and the
connectivity itself and then the if the
voltage structure has got the
small reaction time then it can quickly
start get started and then just start
generating the
traffic
so in order to maintain this
structure and then
do the image the the board
actually uses a communication protocol
usually the communication protocol
are up to two types one is if we called
the
irc internet relay chart this is
actually charting application so the
master and the slave can communicate
within this protocol and the latest
variants can also use the
web communication or the http
protocol as a means to
communicate between
from either from the boat motors master
to the slave or between the
uh
one
malware to the one boat to the another
boat so they use either of these two
communication protocols
so if you have a centralized
botnet structure it might look something
like this
so a centralized server is sitting here
and all of these are slaves yes one
needs s2 s3 s4 s5
s6 all these are slaves
and the instruction what need to be done
is told by this server a an
administrator the vote master
sitting here
or
initiate by maybe
sitting at a command prompt strike
something and then
the
action get triggered and all of them
together can start generating the topic
maybe if you go back to the
previous gddos attack if
another
server is targeted
and then
they can generate the traffic to
this
victim server
simultaneously so under whose
instruction this admin or the bot
masters instruction so this kind of a
structure is called centralized
so of course this com goes within
implicit drawback what is that so if
this
server is actually down for some
for some reason
a single point of valuer
is there in this
case
if the server
who is at the central
the central hub of this entire entire
infrastructure if this server goes down
then the whole in-person bot
infrastructure can be
may not run properly because now they
are
they don't have
nobody to
receive the instruction from
so you might do some things like having
a backup server and so forth so for paul
tollens reason that's a different story
but
the centralized bot infrastructure might
look something like this
so if you have a go for the
decentralized infrastructure so as i
said you don't have any
server sitting
who is in charge of
disseminating the instruction to all the
c programs
a
the administrator or the board master
actually pushes the instruction to one
of the
computer maybe s1 here
and then they are
connected in some fashion
so from s1 to s1 can send that
instruction pass on that information or
in section 2 s2 and s4 and s4 to
s5 you and s2 can send it to s3 and so
forth depending upon the connectivity it
might take a while to
disseminate this instruction or the
whatever the
command is coming from the admin because
it has to go reach to all the sleeves
and then only they can
doing the activity
but nevertheless
if the connectivity is dense so if the
number of ops it has to the information
has to cross
is less than in
short span of time it's actually all of
the slaves can actually receive that
instruction they then they can start
doing the
damage or whatever the
things the malware is supposed to do
so this is the decentralized this is
also called as i said peer to peer