Why does a (D)DoS attack slow down the CPU and crash a server?

How does one crash a server using (D)DoS?

To specifically answer your question, to crash a server using only DDoS you need to target the Application Layer (detailed explanation below). These types of attacks specifically attempt to use up as much of the target server's resources as possible and bring it down, rather than just hammer it with network traffic.

However, to put this into context alongside other types of DDoS attacks, let's explore their major categories and their uses.

This article covers the 3 major attack types for DDoS. From the article:

DDoS attacks can be broadly divided into three types:

Volume Based Attacks

Includes UDP floods, ICMP floods, and other spoofed-packet floods. The attack’s goal is to saturate the bandwidth of the attacked site, and magnitude is measured in bits per second [sic] "(Bps)" [sic].

Protocol Attacks

Includes SYN floods, fragmented packet attacks, Ping of Death, Smurf DDoS and more. This type of attack consumes actual server resources, or those of intermediate communication equipment, such as firewalls and load balancers, and is measured in Packets per second.

Application Layer Attacks

Includes low-and-slow attacks, GET/POST floods, attacks that target Apache, Windows or OpenBSD vulnerabilities and more. Comprised of seemingly legitimate and innocent requests, the goal of these attacks is to crash the web server, and the magnitude is measured in Requests per second.

TL;DR - there are multiple types of DDoS attacks depending on what the attacker wants to achieve. Sometimes an attacker will just want to take up all the available bandwidth, other times they will try to overwhelm the CPU.

It's worth noting that DDoS is just a distributed type of the generic 'Denial of Service' - it does not imply crashing a server at all, only preventing the server from doing whatever it's intended for, whether that's preventing actual business from taking place by using all bandwidth or otherwise.


A SYN flood isn't about exhausting CPU, it's about exhausting memory.

A TCP connection is established through what is known as a "three-way handshake". Traditionally, it works as follows:

  1. Client sends a SYN packet. Server receives the packet and allocates resources for tracking the connection.
  2. Server replies with a SYN/ACK packet.
  3. Client replies with an ACK packet, establishing the connection.

In a SYN flood, the attacker sends a continuous stream of SYN packets, while ignoring the SYN/ACK responses. This leaves the server with large numbers of halfway-opened connections that will stick around for a while; if the attacker can send packets fast enough, the server will be unable to respond to genuine requests. A poorly-written server might even run out of memory and crash.

The standard defense against SYN flooding is SYN cookies:

  1. Client sends a SYN packet.
  2. Server responds with a SYN/ACK packet with carefully-selected values for some TCP parameters that let it identify the responding ACK.
  3. Client responds with an ACK packet based on those parameters, establishing the connection. The server now allocates resources to track the connection.

By delaying the allocation of resources until the connection is fully established, there's no longer the asymmetry of effort that makes the flooding attack practical.
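
The SYN-cookie handshake described above, as an added example that is not part of the original answers: a simplified Python model in which the server keeps no state until a valid ACK arrives. The HMAC-SHA256 cookie, the 5-bit slot / 27-bit MAC layout, the names `make_cookie` and `CookieListener`, and all addresses are assumptions constructed for illustration; real stacks also encode the MSS in the cookie.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: a real stack uses a random secret
MAX_AGE = 2                       # accept cookies from the current or previous slot
MASK32 = 0xFFFFFFFF

def make_cookie(src, sport, dst, dport, client_isn, slot):
    """Derive the server's 32-bit initial sequence number; nothing is stored."""
    msg = f"{src}:{sport}>{dst}:{dport}|{client_isn}|{slot}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
    # Hypothetical layout: 5 bits of time slot, 27 bits of truncated MAC.
    return ((slot & 0x1F) << 27) | (int.from_bytes(mac[:4], "big") & 0x07FFFFFF)

class CookieListener:
    def __init__(self, ip, port):
        self.ip, self.port = ip, port
        self.established = set()  # the only per-connection state kept

    def on_syn(self, src, sport, client_isn, slot):
        # Step 2: answer SYN/ACK with the cookie as our sequence number.
        return make_cookie(src, sport, self.ip, self.port, client_isn, slot)

    def on_ack(self, src, sport, seq, ack, slot):
        # Step 3: the ACK carries client_isn + 1 and cookie + 1; recompute, compare.
        client_isn, cookie = (seq - 1) & MASK32, (ack - 1) & MASK32
        for age in range(MAX_AGE):
            want = make_cookie(src, sport, self.ip, self.port, client_isn, slot - age)
            if hmac.compare_digest(want.to_bytes(4, "big"), cookie.to_bytes(4, "big")):
                self.established.add((src, sport))  # resources allocated only now
                return True
        return False

def demo():
    srv = CookieListener("192.0.2.10", 443)
    for i in range(10_000):  # constructed flood: SYNs whose SYN/ACKs go unanswered
        srv.on_syn("198.51.100.7", 1024 + i % 60000, i, slot=5)
    state_after_flood = len(srv.established)
    isn = srv.on_syn("203.0.113.5", 40000, 1000, slot=5)
    genuine = srv.on_ack("203.0.113.5", 40000, 1001, (isn + 1) & MASK32, slot=6)
    guessed = srv.on_ack("203.0.113.9", 40001, 1001, 12345, slot=6)
    stale = srv.on_ack("203.0.113.5", 40000, 1001, (isn + 1) & MASK32, slot=9)
    return state_after_flood, genuine, guessed, stale

if __name__ == "__main__":
    print(demo())
```

The flood leaves the state table empty, the genuine client's ACK is accepted one slot later, and both a guessed acknowledgement number and a replay of an expired cookie are rejected.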


A DDoS usually doesn't crash a server. It overloads it, making it unavailable for normal use. The "best" way to achieve this depends on the function of the server and the way it's configured. There are plenty of ways to do this, to name a few:

  • overload the network interface with traffic so it's filled up with garbage and legit traffic isn't reaching the server
  • exhaust the firewall by creating a large number of sessions, so many it cannot keep track of the session state and will not accept new sessions
  • rapidly fire requests (e.g. open web pages on a webserver) which require a lot of resources to generate (for example complex computations or database lookups). This reduces the availability of the server process and increases the load on the CPU.
  • filling up disks, for example by creating a lot of log entries or uploading data