Security.com

denial-of-service attack

By Kevin Ferguson

What is a denial-of-service attack?

A denial-of-service (DoS) attack is a security threat that occurs when an attacker makes it impossible for legitimate users to access computer systems, network, services or other information technology (IT) resources. Attackers in these types of attacks typically flood web servers, systems or networks with traffic that overwhelms the victim's resources and makes it difficult or impossible for anyone else to access them.

Restarting a system will usually fix an attack that crashes a server, but flooding attacks are more difficult to recover from. Recovering from a distributed DoS (DDoS) attack in which attack traffic comes from a large number of sources is even more difficult.

DoS and DDoS attacks often take advantage of vulnerabilities in networking protocols and how they handle network traffic. For example, an attacker might overwhelm the service by transmitting many packets to a vulnerable network service from different Internet Protocol (IP) addresses.

How does a DoS attack work?

DoS and DDoS attacks target one or more of the seven layers of the Open Systems Interconnection (OSI) model. The most common OSI targets include Layer 3 (network), Layer 4 (transport), Layer 6 (presentation) and Layer 7 (application).

Malicious actors have different ways of attacking the OSI layers. Using User Datagram Protocol (UDP) packets is one common way. UDP speeds transmission transferring data before the receiving party sends its agreement. Another common attack method is SYN (synchronization) packet attacks. In these attacks, packets are sent to all open ports on a server, using spoofed, or fake, IP addresses. UDP and SYN attacks typically target OSI Layers 3 and 4.

Protocol handshakes launched from internet of things (IoT) devices are now commonly used to launch attacks on Layers 6 and 7. These attacks can be difficult to identify and preempt because IoT devices are everywhere and each is a discrete intelligent client.

Signs of a DoS attack

The United States Computer Emergency Readiness Team, also known as US-CERT, provides guidelines to determine when a DoS attack may be in progress. According to US-CERT, the following may indicate an attack is underway:

Preventing a DoS attack

Experts recommend several strategies to defend against DoS and DDoS attacks, starting with preparing an incident response plan well in advance.

An enterprise that suspects a DoS attack is underway should contact its internet service provider (ISP) to determine whether slow performance or other indications are from an attack or some other factor. The ISP can reroute the malicious traffic to counter the attack. It can also use load balancers to mitigate the severity of the attack.

ISPs also have products that detect DoS attacks, as do some intrusion detection systems (IDSes), intrusion prevention systems (IPSes) and firewalls. Other strategies include contracting with a backup ISP and using cloud-based anti-DoS measures.

There have been instances where attackers have demanded payment from victims to end DoS or DDoS attacks, but financial profit is not usually the motive behind these attacks. In many cases, the attackers wish to harm the business or reputation of the organization or individual targeted in the attack.

Types of DoS attacks

DoS and DDoS attacks have a variety of methods of attack. Common types of denial-of-service attacks include the following:

More on distributed denial-of-service attacks

Want to know more about DDoS attacks, where bad actors flood systems and networks from multiple sources? Check out the following articles:

DDoS mitigation strategies needed to maintain availability during pandemic

How an IoT botnet attacks with DDoS and infects devices

3 ways to prevent DDoS attacks on networks

How traffic scrubbing can guard against DDoS attacks

What is DDoS and how does it compare to DoS?

Many high-profile DoS attacks are actually distributed attacks, where the attack traffic comes from multiple attack systems. DoS attacks originating from one source or IP address can be easier to counter because defenders can block network traffic from the offending source. Attacks from multiple attacking systems are far more difficult to detect and defend against. It can be difficult to differentiate legitimate traffic from malicious traffic and filter out malicious packets when they are being sent from IP addresses seemingly located all over the internet.

In a distributed denial-of-service attack, the attacker may use computers or other network-connected devices that have been infected by malware and made part of a botnet. DDoS attacks use command-and-control servers (C&C servers) to control the botnets that are part of the attack. The C&C servers dictate what kind of attack to launch, what types of data to transmit, and what systems or network connectivity resources to target with the attack.

History of denial-of-service attacks

DoS attacks on internet-connected systems have a long history that arguably started with the Robert Morris worm attack in 1988. In that attack, Morris, a graduate student at Massuchusetts Institute of Technology (MIT), released a self-reproducing piece of malware -- a worm -- that quickly spread through the internet and triggered buffer overflows and DoS attacks on the affected systems.

Those connected to the internet at the time were mostly research and academic institutions, but it was estimated that as many as 10% of the 60,000 systems in the U.S. were affected. Damage was estimated to be as high as $10 million, according to the U.S. General Accounting Office (GAO), now known as the Government Accountability Office. Prosecuted under the 1986 Computer Fraud and Abuse Act (CFAA), Morris was sentenced to 400 community service hours and three years' probation. He was also fined $10,000.

DoS and DDoS attacks have become common since then. Some recent attacks include the following:

16 Apr 2021

All Rights Reserved, Copyright 2000 - 2024, TechTarget | Read our Privacy Statement