As its name indicates, a Denial of Service (DoS) attack is any cyberattack that renders the target service inaccessible to legitimate users and systems. That is, you try to reach a web page or web service and it is simply down, not responding. The most common way attackers achieve this is by flooding the host servers and network with excessive traffic, so that the server crashes or fails to respond within an acceptable time. Less obvious variants send only a handful of packets and instead trigger a bug that crashes the service.
The denial-of-service style of attack is a common one. It is neither new nor going away anytime soon. In fact, research indicates that DoS attacks are expected to increase 300% in the year 2023 alone, and over 57,000 DDoS attacks were reported in Kaspersky's recent quarterly report.
This article takes a look at how different DoS attacks work, how they’ve evolved over time — and your best ways to prevent them.
How DoS attacks work
The first known case of a DoS attack dates back to 1974, when a 13-year-old student ran a program that simultaneously accessed all terminals of a shared learning platform located at a nearby computer lab. This caused all the machines to crash, and every one of them had to be restarted by hand before another user could access the platform.
It took over two decades for this to scale into an attack on a public Internet service. The first widely documented large-scale DoS attack hit the New York ISP Panix in 1996: the flood rendered its service largely inaccessible for about a week.
Techniques in DoS attacks
In the Panix case, the attacker used a SYN flood, which abuses the TCP three-way handshake. The attacker sends a stream of SYN segments, usually with spoofed source addresses. For each one the server allocates a half-open connection entry in its SYN backlog and replies with a SYN-ACK, but the final ACK never arrives, because the spoofed source never asked for a connection. The entries sit in the backlog until they time out; once it is full, new SYNs from legitimate clients are dropped and the service is unreachable even though the server's bandwidth and CPU may be largely idle. The standard defence, SYN cookies, lets the server answer SYNs without storing any per-connection state until the handshake actually completes.
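To make the half-open state concrete, here is an added example, not code from the original article: a toy model of a listener's SYN backlog, first without and then with SYN cookies. The backlog size, the secret key, the time-slot scheme and all addresses are constructed for the illustration; real stacks randomise initial sequence numbers and encode the cookie differently, but the principle (state in the ACK instead of in the server) is the same.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed model of a TCP listener's SYN backlog (not real TCP: it only
# tracks half-open connections and the handshake sequence numbers).


@dataclass
class Listener:
    backlog: int                                 # max half-open entries kept
    syn_cookies: bool = False                    # True: keep no state until the ACK
    secret: bytes = b"assumed-per-host-secret"   # hypothetical key; real kernels rotate it
    half_open: dict = field(default_factory=dict)   # (src_ip, src_port) -> server ISN
    established: set = field(default_factory=set)
    dropped_syns: int = 0

    def _cookie(self, src_ip, src_port, dst_port, time_slot):
        # SYN cookie: keyed hash of the 4-tuple and a coarse time slot, used as the
        # server's initial sequence number so the state travels in the client's ACK.
        msg = f"{src_ip}:{src_port}:{dst_port}:{time_slot}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def on_syn(self, src_ip, src_port, dst_port=80, now=0):
        """Handle a SYN; return the ISN sent in the SYN-ACK, or None if dropped."""
        if self.syn_cookies:
            return self._cookie(src_ip, src_port, dst_port, now // 60)
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1            # backlog full: the SYN is silently dropped
            return None
        isn = 1000 + len(self.half_open)      # toy ISN; real stacks randomise this
        self.half_open[(src_ip, src_port)] = isn
        return isn

    def on_ack(self, src_ip, src_port, ack_num, dst_port=80, now=0):
        """Handle the third handshake packet; ack_num must be server ISN + 1."""
        key = (src_ip, src_port)
        if self.syn_cookies:
            # Recompute the cookie instead of looking it up; accept the previous
            # time slot too so a slow client is not rejected at a slot boundary.
            for slot in (now // 60, now // 60 - 1):
                if ack_num == self._cookie(src_ip, src_port, dst_port, slot) + 1:
                    self.established.add(key)
                    return True
            return False
        isn = self.half_open.pop(key, None)
        if isn is None or ack_num != isn + 1:
            return False
        self.established.add(key)
        return True


def run_flood(syn_cookies, backlog=128, attack_syns=1000):
    """Flood the listener with SYNs from spoofed sources that never send an ACK,
    then let one legitimate client try. Returns (legit_connected, dropped_syns)."""
    srv = Listener(backlog=backlog, syn_cookies=syn_cookies)
    for i in range(attack_syns):
        # Spoofed sources in the TEST-NET range: the SYN-ACKs go to hosts that
        # never asked for a connection, so the entries just sit in the backlog.
        srv.on_syn(f"203.0.113.{i % 256}", 40000 + i)
    isn = srv.on_syn("198.51.100.7", 51515)             # legitimate client
    connected = isn is not None and srv.on_ack("198.51.100.7", 51515, isn + 1)
    return connected, srv.dropped_syns


def forged_ack_rejected():
    """A SYN-cookie listener rejects an ACK whose number was not derived from the cookie."""
    srv = Listener(backlog=4, syn_cookies=True)
    isn = srv.on_syn("198.51.100.9", 6000)
    return srv.on_ack("198.51.100.9", 6000, isn + 2) is False


if __name__ == "__main__":
    print("no cookies:", run_flood(False))    # legitimate client locked out
    print("SYN cookies:", run_flood(True))    # legitimate client connects, nothing dropped
    print("forged ACK rejected:", forged_ack_rejected())
```

With a 128-entry backlog and 1,000 spoofed SYNs, the stateful listener drops 873 SYNs including the legitimate one; with cookies it drops nothing and the legitimate client connects, while an ACK that does not match the recomputed cookie is refused. The trade-off is real: cookies cannot carry every TCP option, which is why kernels such as Linux only switch them on once the backlog is under pressure.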
Other DoS attacks use different schemes to achieve the same goal.
A teardrop attack targets the IP fragment reassembly code rather than bandwidth. The attacker sends fragments of a single datagram whose offset and length fields overlap in ways a well-formed sender would never produce. Reassembly code that trusted those fields, as 1990s Linux and Windows kernels did, computed a negative copy length when one fragment lay entirely inside another, and the kernel crashed. A handful of packets is enough, so this is an exploit-based DoS, not a flood, and the fix is input validation in the reassembler (plus patching).
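The following added example (not code from the original article) shows the arithmetic that went wrong and a reassembler that validates fragments instead of trimming them. The fragment objects, the teardrop-style fragment pair and the error type are constructed for the illustration; the real attack packets carried UDP payloads with the same offset/length relationship.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    ident: int       # IP Identification field, shared by all fragments of one datagram
    offset: int      # fragment offset in bytes (the header stores it in 8-byte units)
    more: bool       # MF flag: True on every fragment except the last
    payload: bytes


class ReassemblyError(ValueError):
    """Raised instead of crashing when fragments are inconsistent."""


def vulnerable_copy_length(prev_end, offset, length):
    """Arithmetic of a reassembler that trims overlap instead of validating it:
    the copy starts where the previous fragment ended, so a fragment that lies
    entirely inside its predecessor yields a negative length. Passed to memcpy()
    as an unsigned size_t in C, that is what crashed the kernel."""
    start = max(offset, prev_end)
    return offset + length - start


def reassemble(fragments, max_datagram=65535):
    """Hardened reassembler: rejects overlap, gaps, oversize and a missing last fragment."""
    if not fragments:
        raise ReassemblyError("no fragments")
    frags = sorted(fragments, key=lambda f: f.offset)
    ident = frags[0].ident
    expected = 0
    out = bytearray()
    for f in frags:
        if f.ident != ident:
            raise ReassemblyError("fragments belong to different datagrams")
        if f.offset < expected:
            raise ReassemblyError(f"fragment at offset {f.offset} overlaps data up to {expected}")
        if f.offset > expected:
            raise ReassemblyError(f"gap before offset {f.offset}")
        end = f.offset + len(f.payload)
        if end > max_datagram:
            raise ReassemblyError("reassembled datagram would exceed 65535 bytes")
        out += f.payload
        expected = end
    if frags[-1].more:
        raise ReassemblyError("last fragment has MF set; datagram incomplete")
    return bytes(out)


# Constructed inputs: a well-formed two-fragment datagram and a teardrop-style
# pair whose second fragment sits entirely inside the first.
GOOD = [
    Fragment(ident=0x1234, offset=0, more=True, payload=b"A" * 24),
    Fragment(ident=0x1234, offset=24, more=False, payload=b"B" * 8),
]
TEARDROP = [
    Fragment(ident=0x1234, offset=0, more=True, payload=b"A" * 36),
    Fragment(ident=0x1234, offset=24, more=False, payload=b"B" * 4),   # ends at 28 < 36
]


def teardrop_is_rejected():
    try:
        reassemble(TEARDROP)
    except ReassemblyError:
        return True
    return False


if __name__ == "__main__":
    print(reassemble(GOOD))
    print("vulnerable copy length:", vulnerable_copy_length(36, 24, 4))   # negative
    print("teardrop rejected:", teardrop_is_rejected())
```

For the teardrop pair the vulnerable computation returns -8, which a C implementation would hand to memcpy as a size of roughly four billion bytes. The hardened version refuses the second fragment outright; a production reassembler would also bound the number of incomplete datagrams it holds, since an attacker who can keep fragments pending indefinitely has another way to exhaust memory.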
ICMP flood attack
ICMP carries diagnostic and error messages between hosts and routers; the ping tool uses its echo request and echo reply messages. In an ICMP flood the attacker sends echo requests faster than the target can answer, often from many spoofed sources, so that the target's bandwidth and CPU are consumed generating replies and legitimate traffic is crowded out. Variants such as the Smurf attack amplify the effect by sending echo requests to a broadcast address with the victim's address forged as the source, so every host on that segment answers the victim at once.
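As an added example (not code from the original article), here is the detection logic a security operations team would run over packet or flow logs to spot such a flood. The log format, the thresholds and the traffic in the sample are constructed for the illustration; the point it shows is that counting per source misses a flood spread across spoofed addresses, while counting per destination catches it.

```python
from collections import defaultdict, deque

# Constructed log format (not from any particular tool):
#   "<epoch_seconds> <src_ip> <dst_ip> <proto> <type>"


def parse_line(line):
    ts, src, dst, proto, kind = line.split()
    return float(ts), src, dst, proto, kind


def detect_icmp_flood(lines, window=1.0, per_dst_threshold=100, per_src_threshold=50):
    """Sliding-window count of ICMP echo requests per destination and per source.
    Returns one alert per (label, key): (label, key, count_at_alert, ts_at_alert)."""
    tables = {"dst": defaultdict(deque), "src": defaultdict(deque)}
    thresholds = {"dst": per_dst_threshold, "src": per_src_threshold}
    alerts, alerted = [], set()
    for line in lines:
        ts, src, dst, proto, kind = parse_line(line)
        if proto != "ICMP" or kind != "echo-request":
            continue
        for label, key in (("dst", dst), ("src", src)):
            q = tables[label][key]
            q.append(ts)
            while q and ts - q[0] > window:      # drop timestamps outside the window
                q.popleft()
            if len(q) > thresholds[label] and (label, key) not in alerted:
                alerted.add((label, key))
                alerts.append((label, key, len(q), ts))
    return alerts


def sample_log():
    """Constructed traffic: one benign host pinging twice a second for ten seconds,
    a little TCP noise, and a flood of 600 echo requests in under a second from
    600 distinct spoofed sources, all aimed at 192.0.2.10."""
    events = []
    for i in range(20):
        events.append((i * 0.5, "198.51.100.7", "192.0.2.10", "ICMP", "echo-request"))
    events.append((5.1, "198.51.100.7", "192.0.2.10", "TCP", "syn"))
    for j in range(600):
        src = f"203.0.{113 + j // 256}.{j % 256}"   # one packet per spoofed source
        events.append((5.0 + j * 0.001, src, "192.0.2.10", "ICMP", "echo-request"))
    events.sort()
    return [f"{ts:.3f} {src} {dst} {proto} {kind}" for ts, src, dst, proto, kind in events]


if __name__ == "__main__":
    for label, key, count, ts in detect_icmp_flood(sample_log()):
        print(f"ALERT icmp-flood by {label} {key}: {count} echo requests in 1s at t={ts:.3f}")
```

On the sample the per-source counter never fires (no source sends more than three requests in any second), but the per-destination counter raises one alert the moment 192.0.2.10 has received its 101st echo request within a second. The same logic applies unchanged to NetFlow or sFlow records; in practice the response is to rate-limit ICMP echo at the edge rather than to block it entirely, since path MTU discovery and other diagnostics depend on ICMP.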
Buffer overflow attack
A buffer overflow is a memory-safety bug in the server software rather than a network flood: the program writes more data into a fixed-size buffer than was allocated for it, and the excess overwrites adjacent memory.
That adjacent memory may hold other variables, heap metadata or a function's saved return address. In the simplest case the corrupted state crashes the process; a carefully crafted input can instead redirect execution to attacker-supplied code. For denial of service a crash is all that is needed: if one oversized request kills the server process, the attacker repeats it as fast as the service restarts, a DoS that needs almost no bandwidth and is only stopped by patching the vulnerable code.
Unintended DoS Attack
Not every denial-of-service condition is caused by an attacker. A web service that cannot handle a temporary surge in organic traffic, such as Black Friday in the U.S., can crash or stall in exactly the way a flood would cause, which is why capacity planning and load testing belong in any DoS strategy.
DoS vs DDoS attacks: what's the difference?
Every DDoS attack is a form of Denial of Service attack, but not every DoS attack is distributed.
In recent years the term DDoS (Distributed Denial of Service) has become familiar through attacks that took down large-scale Internet services and affected millions of users. In 2017 Google absorbed an attack that peaked at 2.54 Terabits per second (Tbps): the attacker spoofed traffic to roughly 180,000 exposed CLDAP, DNS and SMTP servers, which reflected and amplified their responses toward Google's networks. In February 2020 AWS reported mitigating a 2.3 Tbps attack that likewise used CLDAP reflection.
The key difference between DoS and DDoS is this:
- A DoS attack comes from a single source: one machine (or one network) sending requests to the target. This is sometimes called a system-on-system attack.
- A DDoS attack comes from many sources at once: thousands of distributed machines flood the target in parallel, so no single source stands out and the aggregate bandwidth far exceeds what any one host could send.
Because a DoS attack comes from one location, it can usually be stopped by blocking that source. A DDoS attack is a coordinated activity, typically using a botnet of compromised machines as attack nodes, or abusing misconfigured servers as reflectors as in the Google attack above, and it is launched at scale and high speed, which makes it harder to detect and far harder to filter. Attackers do not need to build a botnet themselves: booter and stresser services rent out botnet capacity by the hour, a market known as DDoS-for-hire or DDoS-as-a-Service.
Preventing DoS attacks
What steps can you take to keep your web services and websites from falling prey to a denial-of-service attack? The following best practices help reduce the risk and the impact of a DoS attack on your servers:
- Avoid funnelling all traffic through a single node: serve from multiple nodes in disparate locations, and put Content Distribution Networks (CDNs) and load balancers in front of the origin servers. A CDN absorbs volumetric traffic at the edge, serves cached content so that floods never reach the origin, and with most providers includes DDoS scrubbing.
- Use a strong Identity and Access Management (IAM) mechanism so that only authorized and legitimate traffic reaches expensive functionality. Consider policy-based access controls such as ABAC for services that require logging in to the portal, and ACLs on networking devices. Note that authentication happens after a connection is accepted, so IAM limits who can reach costly authenticated operations (and lets you rate-limit per account) but does nothing against a flood that never gets past the TCP handshake.
- Use a cloud computing service to anticipate, plan and provision server resources at scale, with autoscaling to accommodate traffic spikes. Set scaling limits and budget alerts: an attacker who can make you scale without bound turns a denial of service into a denial of wallet.
- Use a web application firewall (WAF) to filter application-layer attacks such as SQL injection and cross-site request forgery, and network firewalls with per-source rate limiting to drop floods early. Keep your systems updated with patches that fix known vulnerabilities; the teardrop and buffer overflow attacks above are exploit-based, and a patched host is immune to them.
- Architect your application and IT infrastructure for horizontal scaling, and load-test against realistic peak traffic so that you know the limits before an attacker, or Black Friday, finds them.
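The per-source rate limiting mentioned above is the one item on this list that application teams can implement themselves, so here is an added example of it (not code from the original article): a token-bucket limiter keyed by client address, run over a constructed request stream with one legitimate user and one abusive host. The rates, burst size, table size and addresses are assumptions chosen for the illustration.

```python
from collections import OrderedDict


class TokenBucket:
    """Allow `rate` requests per second on average, with bursts up to `burst`."""

    def __init__(self, rate, burst, now):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), now

    def allow(self, now):
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)   # refill
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class PerClientLimiter:
    """One bucket per client address, with a bounded table so a flood from many
    spoofed or distributed sources cannot exhaust memory (oldest entry is evicted)."""

    def __init__(self, rate=5.0, burst=10, max_clients=10_000):
        self.rate, self.burst, self.max_clients = rate, burst, max_clients
        self.buckets = OrderedDict()

    def allow(self, client_ip, now):
        bucket = self.buckets.get(client_ip)
        if bucket is None:
            if len(self.buckets) >= self.max_clients:
                self.buckets.popitem(last=False)      # evict the least recently seen client
            bucket = self.buckets[client_ip] = TokenBucket(self.rate, self.burst, now)
        else:
            self.buckets.move_to_end(client_ip)
        return bucket.allow(now)


def simulate(duration=10.0, legit_rps=2, attack_rps=200):
    """Constructed request stream: a legitimate user at legit_rps and one attacking
    host at attack_rps for `duration` seconds, through a 5 req/s, burst-10 limiter.
    Returns (requests allowed for the legitimate user, allowed for the attacker)."""
    requests = []
    for i in range(int(duration * legit_rps)):
        requests.append((i / legit_rps, "198.51.100.7"))
    for j in range(int(duration * attack_rps)):
        requests.append((j / attack_rps, "203.0.113.66"))
    requests.sort()
    limiter = PerClientLimiter(rate=5.0, burst=10)
    allowed = {"198.51.100.7": 0, "203.0.113.66": 0}
    for ts, ip in requests:
        if limiter.allow(ip, ts):
            allowed[ip] += 1
    return allowed["198.51.100.7"], allowed["203.0.113.66"]


def table_is_bounded(max_clients=100, sources=1000):
    """Feeding many distinct sources never grows the table past max_clients."""
    limiter = PerClientLimiter(max_clients=max_clients)
    for k in range(sources):
        limiter.allow(f"10.0.{(k // 256) % 256}.{k % 256}", float(k))
    return len(limiter.buckets) == max_clients


if __name__ == "__main__":
    legit, attacker = simulate()
    print(f"legitimate user: {legit}/20 allowed; attacker: {attacker}/2000 allowed")
    print("client table bounded:", table_is_bounded())
```

The legitimate user's 20 requests all get through, while the attacker's 2,000 requests are cut to about 60 (the initial burst plus the refill rate for ten seconds), so the backend only ever sees the capacity you provisioned for. Two caveats a practitioner should keep in mind: a limiter inside the application does nothing once the upstream link is saturated, which is what the CDN and scrubbing bullet is for; and keying on source address is weak against a DDoS from thousands of sources, each of which stays under the limit, so per-endpoint capacity limits and per-account limits after authentication are needed alongside it.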
This posting does not necessarily represent Splunk's position, strategies or opinion.