Denial-of-Service Attacks

What are DoS attacks and how to prevent them

At a Glance:

Denial-of-service (DoS) attacks focus on disrupting or preventing legitimate users from accessing websites, applications, or other resources. These attacks have been used by criminal organizations to extort money, by activist groups to ‘make a statement,’ and by state actors to punish their adversaries.

 The impact and costs associated with DoS attacks can be wide-ranging; sending a text bomb to trigger an unexpected reboot of a target’s smartphone might be considered a minor inconvenience, while a large-scale attack to prevent an online business from serving its customers may cost millions of dollars. And with today’s hyperconnectivity of networked systems, DoS attacks, like other common security attacks, are a threat to many businesses, organizations, and governments around the world.

Types of DoS Attacks

Over the years, denial-of-service attacks have evolved to encompass a number of attack vectors and mechanisms.

Distributed Denial-of-Service (DDoS)

Originally, DoS attacks involved one single system attacking another. While a DoS attack could be carried out in similar fashion today, the majority of present-day DoS attacks involve a number of systems (even into the hundreds of thousands) under the attacker’s control, all simultaneously attacking the target. This coordination of attacking systems is referred to as a “distributed denial-of-service” (DDoS) and is often the mechanism of choice when carrying out the other attack types listed below. There are even “stresser” (a.k.a. “booter”) services, ostensibly for-hire to test one’s own systems, which could easily be used to DDoS an unsuspecting target.

Network-Targeted Denial-of-Service

Referred to as a “bandwidth consumption attack,” the attacker will attempt to use up all available network bandwidth (“flooding”) such that legitimate traffic can no longer pass to/from targeted systems. Additionally, attackers may use “distributed reflection denial-of-service” (DRDoS) to trick other, unwitting systems into aiding in the attack by flooding the target with network traffic. During this attack, legitimate users and systems are denied access they normally have to other systems on the attacked network. A variant of this attack, with similar results, involves altering (or bringing down) the network itself by targeting network infrastructure devices (e.g. switches, routers, wireless access points, etc.) such that they no longer allow network traffic to flow to/from targeted systems as usual, leading to similar denial-of-service results without the need for flooding.

System-Targeted Denial-of-Service

These attacks focus on undermining the usability of targeted systems. Resource depletion is a common attack vector, where limited system resources (e.g. memory, CPU, disk space) are intentionally “used up” by the attacker in order to cripple the target’s normal operations. For example, SYN flooding is a system-targeted attack which will use up all available incoming network connections on a target, preventing legitimate users and systems from making new network connections. Outcomes from a system-targeted attack can range from a minor disruption or slowdown to outright system crashes. While not common, a permanent denial-of-service (PDoS) attack can even damage a target to the point that it must be physically repaired or replaced.

Application-Targeted Denial-of-Service

Targeting the application is a popular vector for DoS attacks. Some of these attacks use the existing, usual behavior of the application to create a denial-of-service situation. Examples of this include locking users out of their accounts or making requests that stress an integral component of the application (such as a central database) to the point where other users cannot access or use the application as intended or expected. Other application-targeted attacks rely on vulnerabilities in the application, such as triggering an error condition that crashes the application, or using an exploit that facilitates direct system access for bolstering the DoS attack further.

How to Subdue DoS Attacks

The following suggestions may help reduce the attack surface of an organization and temper the potential havoc of a DoS attack:

Review application architecture and implementation: Don’t allow user actions to deplete a system’s resources, don’t allow user actions to over-consume application components, and be sure to seek out resources available on the internet that have best-practice suggestions.

Monitor and alert:

  • Network traffic for alerting on unexpected increases in network traffic/load can raise awareness of network-targeted DoS attacks. Analysis of traffic origin and type can provide additional insight.
  • System health and responsiveness with frequent health checks of each system and its responsiveness to help identify system-targeted DoS attacks.
  • Application health and responsiveness with frequent health checks of application components and their ability to perform their designed “task” within an expected timeframe. This can help catch application-targeted DoS attacks.

Many providers (both cloud and datacenter) already have monitoring solutions they can offer. Check with your provider and consider if their monitoring+alerting solutions may be a good fit for your needs.

Have a mitigation plan (and capability) in place: Different attack types require different capabilities and strategies to mitigate. Denial-of-service attacks are a large enough issue that many providers now offer mitigation mechanisms and strategies. Consider if those offered by your provider may be a good fit for your needs.

While denial-of-service attacks remain an ongoing threat, their impact can be reduced through thoughtful review, planning, and monitoring.