A denial-of-service attack is a security event that occurs when an attacker prevents legitimate users from accessing specific computer systems, devices, services or other IT resources. Denial-of-service (DoS) attacks typically flood servers, systems or networks with traffic in order to overwhelm the victim's resources and make it difficult or impossible for legitimate users to access them.
While an attack that crashes a server can often be dealt with successfully by simply rebooting the system, flooding attacks can be more difficult to recover from. Recovering from a distributed denial-of-service (DDoS) attack, in which attack traffic comes from a large number of sources, can be even more difficult.
DoS and DDoS attacks often use vulnerabilities in the way networking protocols handle network traffic; for example, by transmitting a large number of packets to a vulnerable network service from different Internet Protocol (IP) addresses in order to overwhelm the service and make it unavailable to legitimate users.
Signs of a DoS Attack
The United States Computer Emergency Readiness Team (US-CERT) provides some guidelines to determine when a DoS attack may be underway. US-CERT states that the following may indicate such an attack:
Preventing a DoS attack
Experts recommend a number of strategies to defend against DoS and DDoS attacks, starting with preparing an incident response plan well in advance.
When an enterprise suspects a DoS attack is underway, it should contact its internet service provider (ISP) to determine whether the incident is an actual DoS attack or degradation of performance caused by some other factor. The ISP can help with DoS and DDoS mitigation by rerouting or throttling malicious traffic and using load balancers to reduce the effect of the attack.
Enterprises may also want to explore the possibility of using denial-of-service attack detection products for DoS protection; some intrusion detection systems, intrusion prevention systems and firewalls offer DoS detection functions. Other strategies include contracting with a backup ISP and using cloud-based anti-DoS
While there have been instances where attackers have demanded payment from victims to end DoS or DDoS attacks, financial profit is not usually the motive behind this type of attack. In many cases, the attackers wish to cause harm to the organization or individual targeted in the attack. In other cases, the attackers are simply attempting to sabotage the victim by causing the greatest damage or inconvenience to the greatest number of victims. When a perpetrator of a DoS attack is identified, the reasons for the attack may also be revealed.
Many high-profile DoS attacks are actually distributed attacks, meaning the attack traffic is directed from multiple attack systems. While DoS attacks originating from a single source or IP address can be easier to mitigate because defenders can block network traffic from the offending source, attacks directed from multiple attacking systems are far more difficult to detect and defend against. It can be difficult to differentiate legitimate traffic from malicious traffic and filter out malicious packets when packets are being sent from IP addresses seemingly located all over the internet.
Types of DoS attacks
In addition to differentiating between a single-source denial-of-service attack and a DDoS attack, DoS attacks can be categorized by the methods used in the attack.
In an amplified domain name system (DNS) denial-of-service attack, the attacker generates crafted DNS requests that appear to have originated from an IP address in the victim's network and sends them to misconfigured DNS servers managed by third parties. The amplification occurs as the intermediate DNS servers respond to the faked DNS requests. The responses from intermediate DNS servers to the crafted attack requests may contain more data than ordinary DNS responses, which requires more resources to process. This can result in legitimate users being denied access to the service.
Application layer attacks generate fake traffic to internet application servers, especially DNS servers or HTTP servers. While some application-layer denial-of-service attacks rely simply on flooding application servers with network data, others depend on exploiting weaknesses or vulnerabilities in the victim's application server or in the application protocol itself.
A buffer overflow attack is a catchall description most commonly applied to DoS attacks that send more traffic to a network resource than the developers who designed it ever anticipated. One example of such an attack sent files with 256-character file names as attachments to recipients using Netscape or Microsoft email clients; the longer-than-anticipated file names were sufficient to crash those applications.
In a DDoS attack, the attacker may use computers or other network-connected devices that have been infected by malware and made part of a botnet. Distributed denial-of-service attacks, especially those using botnets, use command-and-control (C&C) servers to direct the actions of the botnet members. The C&C servers dictate what kind of attack to launch, what types of data to transmit, and what systems or network resources to target with the attack.
The ping-of-death attack abuses the ping protocol by sending request messages with oversized payloads, causing targeted systems to become overwhelmed, to stop responding to legitimate requests for service and to possibly crash the victim's systems.
A SYN flood attack abuses TCP's handshake protocol by which a client establishes a TCP connection with a server. In a SYN flood attack, the attacker directs a high-volume stream of requests to open TCP connections with the victim server with no intention of actually completing the circuits. The cost of generating the stream of SYN requests is relatively low, but responding to such requests is resource-intensive for the victim. The result is a successful attacker can deny legitimate users access to the targeted server.
State exhaustion attacks -- also known as TCP, or Transmission Control Protocol attacks -- occur when an attacker targets the state tables held in firewalls, routers and other network devices by filling them with attack data. When these devices incorporate stateful inspection of network circuits, attackers may be able to fill the state tables by opening more TCP circuits than the victim system can handle at once, preventing legitimate users from accessing the network resource.
The teardrop attack exploits flaws in a manner similar to how older operating systems handled fragmented Internet Protocol packets. The IP specification allows packet fragmentation when the packets are too large to be handled by intermediary routers, and it requires packet fragments to specify fragment offsets. In teardrop attacks, the fragment offsets are set to overlap each other. Hosts running affected OSes are then unable to reassemble the fragments and the attack can crash the system.
Volumetric DoS attacks aim to interfere with legitimate access to network resources by using all the bandwidth available to reach those resources. In order to do this, attackers must direct a high volume of network traffic at the victim's systems. Volumetric DoS attacks flood a victim's devices with network packets using the User Datagram Protocol or Internet Control Message Protocol. These protocols require relatively little overhead to generate large volumes of traffic, while, at the same time, requiring nontrivial computation on the part of the victim's network devices to process the incoming malicious datagrams.
History of denial-of-service attacks
DoS attacks on internet-connected systems have a long history that arguably started with the Robert Morris worm attack in 1988. In that attack, Morris, a graduate student at MIT, released a self-reproducing piece of malware -- a worm -- that quickly spread through the global internet and triggered buffer overflows and DoS attacks on the affected systems.
Those connected to the internet at the time were mostly research and academic institutions, but it was estimated that as many as 10% of the 60,000 systems in the U.S. were affected. Damages were estimated to be as high as $100 million, according to the U.S. General Accounting Office. Morris was successfully prosecuted under the 1986 Computer Fraud and Abuse Act and sentenced to three years' probation and 400 hours of community service and was fined $10,000.