The term Denial of Service, DoS for short, refers to a kind of cyber threat or attack that makes systems on a computer network temporarily unusable. Such attacks attempt to render a machine or network resource inaccessible to its intended users by temporarily or indefinitely disrupting the services of a host connected to the Internet.
DoS attacks exploit various weaknesses in computer network technologies. They may target servers, network routers, or network communication links. They can cause computers and routers to crash and links to bog down. Competition, blackmail, and activism can motivate these attacks.
Now let’s discuss in-depth how a DoS attack works and the common types of DoS attacks that you can encounter.
What do you mean by Denial of Service?
A Denial-of-Service (DoS) attack is an attack that hampers a machine or network, making it inaccessible to its intended users.
We will try to understand Denial of Service with the help of a shop analogy. Suppose you go to a shop, but a group of people is crowding the entrance.
What will happen then?
You and the other legitimate customers won’t be able to enter. That is, the shop becomes unavailable to you and, at the same time, its ongoing trade is disrupted.
In the same way, DoS attacks typically work by flooding the network or server with traffic. Sometimes the attacker instead sends useless and invalid authentication requests, which eventually bring the whole network down and leave it with no connectivity.
As a result of this, users are unable to use a service.
To launch a DoS attack, an attacker employs only a single computer/machine.
How does a DoS Attack work?
The ultimate aim of a DoS attack is to oversaturate the capacity of a targeted machine, so that additional requests are denied service.
In a DoS attack, the attacker usually transmits excessive and superfluous messages asking the network or server to authenticate requests that carry invalid return addresses.
Because the network or server cannot find the attacker’s return address to send the authentication approval, it waits for a long time and gets stuck before the connection closes.
When the server closes the connection, the attacker once again sends more messages with invalid return addresses, and the authentication process begins again.
The network or server remains stuck and busy, interrupting the service for other users.
What are the indicators of a DoS Attack?
According to the United States Computer Emergency Readiness Team (US-CERT), the following symptoms are typical indicators of a denial of service attack.
- Unusually slow network performance, especially when opening files or accessing websites.
- Unavailability of a particular website.
- Inability to access any website.
- A sharp rise in the number of spam emails received.
Other symptoms may include:
- Disconnection of wireless or wired internet connectivity.
- No access to the web or any internet services for an extended period.
What is the motive behind a DoS Attack?
Unlike many other cyber attacks, DoS attacks usually do not aim at breaching security. Instead, they focus on making websites and services unavailable to genuine users, resulting in loss of time and money.
Sometimes DoS attackers blackmail victims for payment to end the attack, but money is generally not their motive.
In many cases, the attackers want to cause harm to the organization or individual targeted in the attack. The motive of these attacks usually can be extortion, personal rivalry, cyber warfare, business competition, etc.
DoS attackers often target web servers of high-profile organizations such as banking, commerce, and media companies, or government and trade organizations.
Types of DoS Attacks
DoS attacks can be of several types depending on the outcomes. Here, we will discuss some common ones.
Buffer overflow attacks
This is an attack type in which a memory buffer overflow can result in the consumption of all available hard disk space, memory, or CPU time.
This form of exploit often leads to unresponsiveness, system crashes, or other adverse server behaviors, resulting in denial-of-service.
Buffers can only hold a specific amount of data. When that capacity is reached, the excess data has to go somewhere else. Typically, it flows into an adjacent buffer, which can corrupt data already present there.
SYN flood attacks
In a SYN flood attack, a sender transmits a volume of connection requests that it never intends to complete. This causes the connection queues to fill up, denying service to legitimate TCP users.
It abuses TCP’s three-way handshake, the protocol by which a client establishes a TCP connection with a server.
The attacker sends a high-volume stream of requests to open TCP connections with the victim server, with no intention of actually completing them.
Hence, the target gets overwhelmed by the SYN requests and either goes down or suffers a severe drop in performance.
The expense of generating the stream of SYN requests is relatively low, but responding to such requests can be resource-intensive for the victim.
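The half-open connections described above are visible in the server's own socket table. The following detection check is an added example, not code from the original article: it parses a constructed snapshot in the style of `netstat -ant` output and flags a listening port whose half-open (SYN_RECV) sockets approach the listen backlog or heavily outnumber established ones. The backlog size and ratio threshold are assumptions.

```python
"""Flag a possible TCP SYN flood from a snapshot of the socket table.

Added example, not from the original article. A SYN flood leaves the
server holding many half-open connections (SYN_RECV on Linux), usually
from spoofed addresses. The snapshot is a constructed sample in the style
of `netstat -ant`; the thresholds are assumptions.
"""
from collections import Counter

SAMPLE_SNAPSHOT = """\
tcp 0 0 10.0.0.5:443 198.51.100.20:50211 ESTABLISHED
tcp 0 0 10.0.0.5:443 198.51.100.21:50212 ESTABLISHED
tcp 0 0 10.0.0.5:443 203.0.113.7:40001 SYN_RECV
tcp 0 0 10.0.0.5:443 203.0.113.8:40002 SYN_RECV
tcp 0 0 10.0.0.5:443 203.0.113.9:40003 SYN_RECV
tcp 0 0 10.0.0.5:443 203.0.113.10:40004 SYN_RECV
tcp 0 0 10.0.0.5:443 203.0.113.11:40005 SYN_RECV
tcp 0 0 10.0.0.5:443 203.0.113.12:40006 SYN_RECV
"""

def parse_sockets(snapshot):
    """Yield (local_port, remote_ip, state) for each TCP line."""
    for line in snapshot.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "tcp":
            continue
        local, remote, state = parts[3], parts[4], parts[5]
        yield int(local.rsplit(":", 1)[1]), remote.rsplit(":", 1)[0], state

def syn_flood_report(snapshot, backlog=128, ratio_limit=2.0):
    """Return (per-port stats, list of ports that look flooded).

    Two signals: half-open sockets approaching the listen backlog, and
    half-open sockets outnumbering established ones by ratio_limit.
    Spoofed sources defeat per-IP counting, so the source Counter is only
    reported to show how widely spread the SYNs are.
    """
    stats = {}
    for port, remote, state in parse_sockets(snapshot):
        s = stats.setdefault(port, {"half_open": 0, "established": 0, "sources": Counter()})
        if state == "SYN_RECV":
            s["half_open"] += 1
            s["sources"][remote] += 1
        elif state == "ESTABLISHED":
            s["established"] += 1
    flooded = []
    for port, s in stats.items():
        ratio = s["half_open"] / max(s["established"], 1)
        if s["half_open"] >= backlog * 0.75 or ratio >= ratio_limit:
            flooded.append(port)
    return stats, flooded
```

A single snapshot only shows a moment; sampling it periodically and comparing against a quiet baseline turns this into a usable alert.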
Volumetric attacks
Volumetric DoS attacks interfere with legitimate access to network resources by consuming all of the network’s available bandwidth.
They flood the victim’s network devices, such as hubs or switches, with large numbers of UDP or ICMP echo request/reply packets.
This consumes the entire bandwidth, so no other clients can connect to the target network.
For this, the attacker uses the User Datagram Protocol (UDP) or the Internet Control Message Protocol (ICMP), because these protocols require relatively little overhead to generate large volumes of traffic.
Teardrop attacks
A Teardrop is a DoS attack in which fragmented packets are crafted so that they overlap each other when the receiving host attempts to reassemble them.
To understand this, one must know how TCP/IP works. For transmission across networks, large IP packets are broken down into smaller packets; this process is called fragmentation.
When these fragments arrive at their destination, they are reassembled to recover the original data. To make this possible, each fragment carries header fields (such as its offset within the original packet) that let the destination track it during reassembly.
A Teardrop attack sets these fields so that the fragments overlap. Consequently, the operating system at the end point gets confused about how to reassemble the packets and crashes.
Ping of Death
Perhaps the most famous DoS technique is Ping of Death.
Here, the attacker transmits a ping request that is larger than 65,536 bytes, the maximum size that IP allows.
Because a ping larger than 65,536 bytes is too large to send in one packet, TCP/IP provides packet fragmentation, which means splitting the packet into smaller segments and reassembling them at the destination.
Attackers try to benefit from this by sending fragments that, when reassembled, would total more than the permitted number of bytes. This causes a buffer overflow in the operating system at the receiving end, and ultimately the system crashes.
We can say that Ping of Death is one kind of buffer overflow attack.
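Both Teardrop and Ping of Death are defeated by a reassembler that validates fragments before it copies any data. The validator below is an added example, not code from the original article or any operating system: it models each fragment as an (offset, payload length, more-fragments flag) tuple and rejects overlapping ranges and oversize totals. The sample fragment sets are constructed.

```python
"""Validate IPv4 fragments before reassembly.

Added example, not from the original article. A robust reassembler
rejects the two malformed patterns the article describes: fragments whose
byte ranges overlap (Teardrop) and fragment sets whose reassembled size
exceeds what the 16-bit IPv4 total-length field allows (Ping of Death).
Fragments are modelled as tuples; the sample sets are constructed.
"""
IPV4_MAX_DATAGRAM = 65535   # limit imposed by the 16-bit total-length field
IPV4_HEADER_LEN = 20        # minimal header, assumed for every fragment

def check_fragments(fragments):
    """Return (ok, reason). Each fragment is (offset, payload_len, more_flag).

    offset is in bytes. The IP header stores it in 8-byte units, so every
    non-final fragment's payload must be a multiple of 8 bytes long.
    Fragments may arrive in any order; they are sorted before checking.
    """
    frags = sorted(fragments)
    end_of_prev = 0
    for offset, length, more in frags:
        if length <= 0 or offset < 0:
            return False, "bad size"
        if more and length % 8:
            return False, "non-final fragment not 8-byte aligned"
        if offset < end_of_prev:
            return False, "overlapping fragments (teardrop pattern)"
        end_of_prev = offset + length
        if end_of_prev + IPV4_HEADER_LEN > IPV4_MAX_DATAGRAM:
            return False, "reassembled datagram exceeds 65535 bytes (ping of death pattern)"
    if frags and frags[-1][2]:
        return False, "final fragment missing"
    return True, "ok"

# Constructed sample fragment sets
NORMAL = [(0, 1480, True), (1480, 1480, True), (2960, 500, False)]
TEARDROP = [(0, 1480, True), (1400, 1480, False)]   # second fragment starts inside the first
PING_OF_DEATH = [(i * 1480, 1480, True) for i in range(44)] + [(44 * 1480, 1480, False)]
```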
What is DDoS?
Another variant of the DoS attack is the Distributed Denial of Service (DDoS) attack. The significant difference is that instead of attacking from one location, the perpetrator attacks the target from many places at once.
The trigger point of a traditional denial of service attack is just one person or computer. In comparison, a DDoS attack involves multiple distributed sources. This makes it impossible to stop the attack by merely blocking a single source.
The distributed sources that define a DDoS provide the attacker with multiple advantages:
- The attacker can leverage the greater combined volume of many machines to perform a highly disruptive attack.
- The location of the attack is difficult to track because of the random distribution of the attacking systems.
- It is more challenging to shut down multiple machines than one.
- The real attacking party is also difficult to identify, as they hide behind many systems.
What can you do to prevent DoS Attacks?
You cannot do much to stop DoS attacks. However, you can take some necessary prevention steps, which include observing traffic for abnormalities, keeping security mechanisms up to date, and being aware of the latest threats.
- Use up-to-date antivirus and intrusion detection tools.
- Perform a network analysis to assess the possibility of a DoS attack.
- Implement router filters. This will lessen your exposure to certain denial-of-service attacks.
- Add extra load balancers to absorb traffic and set up throttle logic to control traffic.
- If you already have router filters, install patches to guard against TCP SYN flooding.
- Disable any unused or unnecessary network services.
- Observe your system performance and establish benchmarks for ordinary activity. Use this baseline to gauge unusual levels of disk activity, CPU usage, or network traffic.
- Employ tools to detect changes in configuration information or other files.
- Invest in redundant and fault-tolerant network configurations.
- Maintain frequent backup schedules and policies, especially for important configuration information.
- Establish and maintain relevant password policies and use strong encryption mechanisms.
- Perform proper activity profiling and ingress/egress filtering to filter out unwanted traffic.
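The baselining advice in the list above is what makes a volumetric UDP/ICMP flood, as described earlier, stand out. The following is an added example, not code from the original article: it builds a baseline of per-minute traffic volume and protocol mix from constructed history, then classifies a new interval by its z-score and by an absolute jump in UDP/ICMP share. The threshold values are assumptions.

```python
"""Baseline network traffic and flag volumetric anomalies.

Added example, not from the original article. It implements the advice to
establish a benchmark for ordinary activity: a baseline of per-minute
traffic volume and protocol mix, and a check that flags an interval whose
volume or UDP/ICMP share departs sharply from it. All samples are
constructed; the thresholds are assumptions.
"""
import statistics

def summarise(interval):
    """Return (total_bytes, udp_icmp_share) for one per-protocol byte count dict."""
    total = sum(interval.values())
    flood_protos = interval.get("udp", 0) + interval.get("icmp", 0)
    return total, (flood_protos / total if total else 0.0)

def build_baseline(history):
    """Mean and population std dev of volume and UDP/ICMP share over history."""
    totals, shares = zip(*(summarise(i) for i in history))
    return {
        "vol_mean": statistics.mean(totals), "vol_std": statistics.pstdev(totals),
        "share_mean": statistics.mean(shares), "share_std": statistics.pstdev(shares),
    }

def classify(interval, baseline, z=3.0, min_share_jump=0.25):
    """Return a list of anomaly labels for one interval ([] means normal).

    Volume is judged by z-score against the baseline. The protocol mix is
    judged by an absolute jump, so a near-constant baseline share cannot
    make a tiny change look statistically significant.
    """
    total, share = summarise(interval)
    findings = []
    vol_std = baseline["vol_std"] or 1.0          # avoid division by zero
    if (total - baseline["vol_mean"]) / vol_std > z:
        findings.append("volume spike")
    if share - baseline["share_mean"] > min_share_jump:
        findings.append("udp/icmp share jump")
    return findings

# Constructed per-minute byte counts for a quiet web server
HISTORY = [{"tcp": 900_000 + 20_000 * (i % 5), "udp": 40_000, "icmp": 2_000} for i in range(30)]
QUIET_MINUTE = {"tcp": 950_000, "udp": 42_000, "icmp": 2_100}
FLOOD_MINUTE = {"tcp": 950_000, "udp": 30_000_000, "icmp": 5_000_000}
TCP_SPIKE = {"tcp": 5_000_000, "udp": 40_000, "icmp": 2_000}   # volume only, mix unchanged
```

The two signals are deliberately separate: a TCP-only surge trips the volume check without the mix check, while a UDP/ICMP flood trips both.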
Final thoughts on Denial of Service
Denial of service attacks can be problematic, mainly when they make large websites unavailable during high-traffic times. A denial of service can occur inadvertently as the result of actions taken by network users or administrators, but often it is a malicious DoS attack.
Such attacks can last for several days, jeopardizing the goodwill of an organization and resulting in huge revenue loss.
Fortunately, many security products have been developed to detect DoS attacks and limit their effectiveness. However, because of the unique characteristics of DDoS, it is still regarded as a high threat and a top concern for organizations that fear being targeted by such an attack.