Service Denied - What Are DoS Attacks?
A denial-of-service attack (DoS), happens when legitimate users are unable to use network services because the host has crashed or been flooded with illegitimate requests by a malicious party, with the intent to disrupt normal service. A DoS attack comes from one computer, but a DDos (distributed denial-of service) attack comes from multiple computers.
Let’s say you own a pizza place and normally it works like:
- Customer places order by phone
- Team prepares pizza
- Customer pays for and collects pizza
- Job done - money made
In a DoS attack, a prankster decides to call you multiple times, placing fake orders that are never intended to be collected. By the time you realize what’s happening, you’ve wasted time and unrecoverable resources. To make it stop, you call your phone company and get the prankster’s number blocked.
In a DDoS attack, this prankster decides to launch a large-scale ordering prank attack and gets all of his friends involved. You start receiving fake calls from multiple numbers, so it appears legitimate at first. Then, pizzas are piling up, but you don’t know which callers are real clients or pranksters. Eventually your perfect pizza ordering system is overwhelmed, and you’re forced to take the phone off the hook. You’ve wasted time and money and lost real customers. While it’s possible to block out the new pranksters, it’s going to take more time to weed them out.
DoS Attack Types
DoS attacks either flood or crash a service. Flooding is more common and occurs when a system is overwhelmed by traffic and stops working because it is unable to handle the volume of requests. Attacks can be divided into volume-based attacks, protocol attacks, and application layer attacks. There are over 35 different DoS attacks, here are some common examples:
- Volume-Based Attacks: The goal is to overload the bandwidth of the site using packets. User Datagram Protocol (UDP) flooding overwhelms random ports on a remote host. This causes the host to repeatedly check the activity at the port, and when no activity is found, the host replies with a “Destination Unreachable” packet. This uses up resources, floods the system, and usually leads to inaccessibility of the site. ICMP or Ping flooding, is similar to a UDP flood, except a request is sent over and over, as fast as possible without waiting for a reply from the host. This leads to a general slowdown of the system.
- Protocol Attacks A SYN flood sends spoofed packets to the server. By exploiting a weakness in a Transmission Control Protocol (TCP), the SYN flood can send an incomplete request to the server. The server cannot respond because it only has half a request, and while it waits for the request to be completed, the port remains occupied and unavailable. As more requests are received, the system is overwhelmed and shuts down.
- Application Layer Attacks Sometimes called a layer 7 DDoS attack, this is an attack on the application itself. The Open Systems Interconnection (OSI) model is a conceptual model that describes and standardizes the internal functions of a communication system by dividing it into layers. It is what’s happening behind the end-user clicking on a button. This type of attack targets this final layer of the user interface, disrupting the service received on the website. In the pizza analogy, it’s the equivalent of the caller receiving a busy signal while trying to contact the pizza place. These attacks usually seem legitimate and innocent, but their goal is to crash the system by sending too many requests per second (Rps).
How DoS Attacks Succeed
A DoS attack relies on a weak link in the way networks communicate. When you, as a consumer access a website, your computer sends a small packet of information to the site you want to reach. This packet essentially says, “Hi! Can I come in?” The server of the website you are trying to reach replies with another packet of information which says, “Are you real?” Your computer responds with an enthusiastic “Yes!” and so your connection is established, and you can access the site.
A DoS attack is the same “Hi! Can I come in?” The server asks if it is real and after a minute of not receiving a response, closes the connection. Thousands of illegitimate requests later, the server becomes overwhelmed and slows down or crashes.
How to Prevent a DoS Attack
There is no sure-fire way to prevent becoming a target, but proactive steps can be taken to reduce the effects.
- Software: DoS protection software can detect unusual traffic flow. This software redirects the traffic away from your network, filters out the DoS traffic and allows the real traffic through.
- Install and maintain antivirus software and firewalls on all devices connected to the internet. Ensure firewalls and routers are configured to restrict traffic to and from your computers.
- Services: Anti-DDoS services can be used to help identify the difference between a real spike in traffic or a DDoS attack. Black hole routing can be used to direct excess traffic into a null route - the downside being that all excess traffic is directed away and not just the illegitimate traffic.
- Hardware: Front-end application hardware that is part of the network can help analyze and screen packets before they reach the server.
If you experience an attack, be sure to keep a close eye on other parts of your network. This attack could be a distraction technique from another secondary target.
Remember, the earlier that an attack can be identified, the quicker damage to your infrastructure can be mitigated.