A denial-of-service attack is a security event that occurs when an attacker takes action that prevents legitimate users from accessing targeted computer systems, devices or other network resources.
Denial-of-service (DoS) attacks typically flood servers, systems or networks with traffic in order to overwhelm the victim's resources and make it difficult or impossible for legitimate users to use them. While an attack that crashes a server can often be dealt with successfully by simply rebooting the system, flooding attacks can be more difficult to recover from.
The United States Computer Emergency Readiness Team (US-CERT) provides some guidelines for determining when a DoS attack may be underway. US-CERT suggests the following may indicate such an attack:
- Degradation in network performance, especially when attempting to open files stored on the network or accessing websites;
- Inability to reach a particular website;
- Difficulty in accessing any website; and
- A higher than usual volume of spam email.
Experts recommend a number of strategies for enterprises to defend against a denial-of-service attack, starting with preparing an incident response plan well in advance of any attack. Once there is suspicion that a DoS attack is underway, enterprises should contact their internet service provider (ISP) to determine whether the incident is an actual DoS attack or degradation of performance caused by some other factor. The ISP can help mitigate the attack by rerouting or throttling malicious traffic and using load balancers to reduce the effect of the attack.
Enterprises may also want to explore the possibility of using denial-of-service attack detection products; some intrusion detection systems, intrusion prevention systems and firewalls offer DoS detection functions. Other strategies include contracting with a backup ISP and using cloud-based anti-DoS services.
While there have been instances where DoS attackers demand payment from victims to end the attacks, financial profit is not usually the motive behind this type of attack. In many cases, the attackers wish to cause harm to the organization or individual targeted in the attack; in other cases, the attackers are simply attempting to sabotage the victim, causing the greatest damage or inconvenience to the greatest number of victims. When a perpetrator of a DoS attack is identified, the reasons for an attack may also be revealed.
Many high-profile DoS attacks are actually distributed attacks, meaning the attack traffic is directed from multiple attack systems. While DoS attacks originating from a single source can be easier to mitigate because defenders can block network traffic from the offending source, attacks directed from multiple attacking systems are far more difficult to detect and defend against because it can be difficult to differentiate legitimate traffic from malicious traffic and filter malicious packets when they are sent from all over the internet.
Types of DoS attacks
In addition to differentiating between a single-source denial-of-service attack and a distributed denial-of-service (DDoS) attack, DoS attacks can also be categorized by the methods the attack uses.
In an amplified DNS denial-of-service attack, the attacker generates crafted domain name system (DNS) requests that appear to have originated at the victim's network and sends them to misconfigured DNS servers managed by third parties. The amplification occurs as the intermediate DNS servers respond to the faked DNS requests. The responses from intermediate DNS servers to the crafted attack requests may contain a far greater volume of data than ordinary DNS responses, requiring more resources to process, with the result being to deny legitimate users access to the service.
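The following is an added example, not part of the original article: from the victim's vantage point the signature of DNS amplification is a stream of large DNS responses from resolvers the victim never queried. The script below replays constructed UDP flow records (the one-line format, the addresses and the thresholds are assumptions made for this example) and flags resolver-to-client pairs whose response volume dwarfs the queries the client actually sent.

```python
from collections import defaultdict

# Constructed UDP flow records (not real traffic). Format, an assumption of this
# example: "<src_ip> <dst_ip> <src_port> <dst_port> <bytes>" per datagram.
# 203.0.113.10 is the client under observation; 198.51.100.5 answers a query it
# really sent, the other resolvers deliver large answers to nothing (or almost nothing).
SAMPLE_FLOWS = """\
203.0.113.10 198.51.100.5 53001 53 64
198.51.100.5 203.0.113.10 53 53001 120
192.0.2.7 203.0.113.10 53 41234 3200
192.0.2.7 203.0.113.10 53 41235 3300
192.0.2.8 203.0.113.10 53 41236 3100
198.51.100.9 203.0.113.10 53 41237 3400
203.0.113.10 198.51.100.9 41237 53 60
"""


def parse_flows(text):
    """Parse the constructed flow format into (src, dst, sport, dport, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, sport, dport, nbytes = line.split()
        flows.append((src, dst, int(sport), int(dport), int(nbytes)))
    return flows


def amplification_pairs(flows, min_response_bytes=1000, min_ratio=10.0):
    """Return {(resolver, client): (query_bytes, response_bytes, ratio)} for pairs
    whose DNS response volume vastly exceeds what the client asked for.
    Large answers to questions the client never sent are the usual sign that
    its address was spoofed toward open resolvers."""
    query_bytes = defaultdict(int)     # (resolver, client) -> bytes client sent to port 53
    response_bytes = defaultdict(int)  # (resolver, client) -> bytes resolver sent from port 53
    for src, dst, sport, dport, n in flows:
        if dport == 53:
            query_bytes[(dst, src)] += n
        elif sport == 53:
            response_bytes[(src, dst)] += n
    flagged = {}
    for pair, rbytes in response_bytes.items():
        qbytes = query_bytes.get(pair, 0)
        ratio = rbytes / qbytes if qbytes else float("inf")
        if rbytes >= min_response_bytes and ratio >= min_ratio:
            flagged[pair] = (qbytes, rbytes, ratio)
    return flagged


def suspected_victims(flows, **thresholds):
    """Aggregate flagged pairs per client: {client: (distinct resolvers, unsolicited bytes)}.
    Many distinct resolvers converging on one client is the distributed reflection pattern."""
    victims = defaultdict(lambda: [set(), 0])
    for (resolver, client), (_, rbytes, _) in amplification_pairs(flows, **thresholds).items():
        victims[client][0].add(resolver)
        victims[client][1] += rbytes
    return {c: (len(r), b) for c, (r, b) in victims.items()}


if __name__ == "__main__":
    for client, (n_resolvers, nbytes) in suspected_victims(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{client}: {nbytes} unsolicited DNS response bytes from {n_resolvers} resolvers")
```

On a real sensor the same logic runs over a time window so the byte totals become rates, and the legitimate pair (one 120-byte answer to a 64-byte query) is what keeps the ratio threshold from flagging ordinary lookups. A resolver operator sees the mirror image of this data, many identical queries "from" one address, which is what response rate limiting and closing open recursion are meant to catch.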
Application layer attacks generate fake traffic to internet application servers, especially DNS servers or HTTP servers. While some application-layer denial-of-service attacks rely simply on flooding the application servers with network data, others depend on exploiting weaknesses or vulnerabilities in the victim's application server or in the application protocol itself.
A buffer overflow attack is a catchall description most commonly applied to DoS attacks that send more traffic to a network resource than was ever anticipated by the developers who designed the resource. One example of such an attack sent, as email attachments, files that have 256-character file names to recipients using Netscape or Microsoft email clients; the longer-than-anticipated file names were sufficient to crash those applications.
In a DDoS attack, the attacker may use computers or other network-connected devices that have been infected by malware and made part of a botnet. Distributed denial-of-service attacks, especially those using botnets, use command-and-control (C&C) servers to direct the actions of the botnet members. The C&C servers dictate what kind of attack to launch, what types of data to transmit and what systems or network resources are to be targeted in the attack.
The ping-of-death attack abuses the Packet Inter-Network Groper (ping) protocol by sending request messages with oversized payloads, causing targeted systems to become overwhelmed, stop responding to legitimate requests for service and possibly crash.
A SYN flooding attack abuses TCP's handshake protocol by which a client establishes a TCP connection with a server. In a SYN flooding attack, the attacker directs a high-volume stream of requests to open TCP connections with the victim server, with no intention of actually completing the circuits. The cost of generating the stream of SYN requests is relatively low, but responding to such requests is resource-intensive for the victim. The result is that a successful attacker is able to deny legitimate users access to the targeted server.
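As an added example (not code from the original article), the script below shows what the handshake abuse described above looks like from the server side and how a monitor would detect it: it replays a constructed tcpdump-style packet summary (the line format, addresses and thresholds are assumptions of this example), tracks each connection through SYN, SYN/ACK and the client's final ACK, and flags a server whose half-open backlog is large and dominates its handshake activity.

```python
from collections import defaultdict

# Constructed packet summary lines (not a real capture). Format, an assumption of
# this example: "<time> <src>:<sport> > <dst>:<dport> <flags>" with tcpdump-style
# flags: S = SYN, S. = SYN/ACK, . = ACK only. One client finishes its handshake;
# five others send a SYN, get answered, and never complete the third step.
SAMPLE_PACKETS = """\
0.000 198.51.100.7:40001 > 203.0.113.20:443 S
0.001 203.0.113.20:443 > 198.51.100.7:40001 S.
0.002 198.51.100.7:40001 > 203.0.113.20:443 .
0.100 192.0.2.11:1001 > 203.0.113.20:443 S
0.101 203.0.113.20:443 > 192.0.2.11:1001 S.
0.102 192.0.2.12:1002 > 203.0.113.20:443 S
0.103 203.0.113.20:443 > 192.0.2.12:1002 S.
0.104 192.0.2.13:1003 > 203.0.113.20:443 S
0.105 203.0.113.20:443 > 192.0.2.13:1003 S.
0.106 192.0.2.14:1004 > 203.0.113.20:443 S
0.107 203.0.113.20:443 > 192.0.2.14:1004 S.
0.108 192.0.2.15:1005 > 203.0.113.20:443 S
0.109 203.0.113.20:443 > 192.0.2.15:1005 S.
"""


def parse_packets(text):
    """Parse the constructed summary format into (time, src, sport, dst, dport, flags)."""
    pkts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, _, dst, flags = line.split()
        src_ip, sport = src.rsplit(":", 1)
        dst_ip, dport = dst.rsplit(":", 1)
        pkts.append((float(t), src_ip, int(sport), dst_ip, int(dport), flags))
    return pkts


def handshake_states(pkts):
    """Replay packets and return {(client, cport, server, sport): state}, where state is
    'syn_sent', 'syn_received' or 'established' (the states a server backlog tracks)."""
    states = {}
    for _, src, sport, dst, dport, flags in pkts:
        if flags == "S":                       # client opens: a half-open entry is created
            states[(src, sport, dst, dport)] = "syn_sent"
        elif flags == "S.":                    # server answered; entry is still half-open
            key = (dst, dport, src, sport)
            if states.get(key) == "syn_sent":
                states[key] = "syn_received"
        elif flags == ".":                     # client's third packet completes the handshake
            key = (src, sport, dst, dport)
            if states.get(key) in ("syn_sent", "syn_received"):
                states[key] = "established"
    return states


def half_open_summary(pkts):
    """Per server endpoint: completed vs. half-open handshakes, plus the distinct client
    addresses behind the half-open ones (many distinct addresses suggests spoofing)."""
    summary = defaultdict(lambda: {"established": 0, "half_open": 0, "sources": set()})
    for (client, _, server, sport), state in handshake_states(pkts).items():
        entry = summary[(server, sport)]
        if state == "established":
            entry["established"] += 1
        else:
            entry["half_open"] += 1
            entry["sources"].add(client)
    return dict(summary)


def syn_flood_suspects(pkts, min_half_open=5, min_ratio=0.8):
    """Return [(endpoint, half_open, distinct_sources, half_open_ratio)] for servers whose
    half-open backlog is both large in absolute terms and dominant in relative terms."""
    suspects = []
    for endpoint, entry in half_open_summary(pkts).items():
        total = entry["established"] + entry["half_open"]
        ratio = entry["half_open"] / total if total else 0.0
        if entry["half_open"] >= min_half_open and ratio >= min_ratio:
            suspects.append((endpoint, entry["half_open"], len(entry["sources"]), ratio))
    return suspects


if __name__ == "__main__":
    for (server, port), half_open, n_src, ratio in syn_flood_suspects(parse_packets(SAMPLE_PACKETS)):
        print(f"{server}:{port}: {half_open} half-open from {n_src} sources ({ratio:.0%} of handshakes)")
```

A production monitor ages entries out of the half-open set after the server's own SYN/ACK retransmission timeout and evaluates the counts per time window, otherwise a long capture of ordinary scanner noise accumulates into a false alarm. On the server itself the corresponding mitigation is SYN cookies, which let the kernel answer a SYN without keeping state until the third packet arrives.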
TCP (Transmission Control Protocol) state exhaustion attacks occur when an attacker targets the state tables held in firewalls, routers and other network devices by filling them with attack data. When these devices incorporate stateful inspection of network circuits, attackers may be able to fill state tables by opening more TCP circuits than the victim system can handle at once, preventing legitimate users from accessing the network resource.
The teardrop attack exploits flaws in the way older operating systems handled fragmented Internet Protocol (IP) packets. The IP specification allows packet fragmentation when the packets are too large to be handled by intermediary routers, and it requires that packet fragments specify fragment offsets; in teardrop attacks, the fragment offsets are set to overlap each other. Hosts running affected OSes are unable to reassemble the fragments and the attack may also crash the system.
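The two fragmentation failures above, a reassembled datagram larger than IP allows (ping of death) and fragments whose offsets overlap (teardrop), are both caught by validating fragments before any of them touch a reassembly buffer. The following is an added example of such a validator, not code from the original article or from any particular operating system; the `Fragment` type and the sample fragment sets are constructed for the example, with offsets already converted from the header's 8-byte units to bytes.

```python
from dataclasses import dataclass

IP_MAX_DATAGRAM = 65535  # largest total length an IPv4 datagram can declare


@dataclass(frozen=True)
class Fragment:
    offset: int           # byte offset within the original datagram (header field * 8)
    payload: bytes
    more_fragments: bool  # MF flag: set on every fragment except the last


def check_fragments(frags):
    """Validate a complete fragment set. Returns (ok, reason).
    Rejects misaligned offsets, data past 65535 bytes (ping-of-death shape),
    overlapping fragments (teardrop shape), gaps, and inconsistent MF flags."""
    if not frags:
        return False, "no fragments"
    ordered = sorted(frags, key=lambda f: f.offset)
    expected = 0  # byte where the next fragment must begin
    for i, f in enumerate(ordered):
        end = f.offset + len(f.payload)
        if f.offset % 8:
            return False, f"offset {f.offset} not a multiple of 8"
        if f.more_fragments and len(f.payload) % 8:
            return False, f"non-final fragment length {len(f.payload)} not a multiple of 8"
        if end > IP_MAX_DATAGRAM:
            return False, f"fragment ends at {end}, beyond the {IP_MAX_DATAGRAM}-byte limit"
        if f.offset < expected:
            return False, f"fragment at {f.offset} overlaps previous data ending at {expected}"
        if f.offset > expected:
            return False, f"gap between {expected} and {f.offset}"
        is_last = i == len(ordered) - 1
        if f.more_fragments == is_last:  # MF must be set on all but the last fragment
            return False, "more-fragments flag inconsistent with fragment order"
        expected = end
    return True, "ok"


def reassemble(frags):
    """Rebuild the datagram payload only after the whole set passed validation."""
    ok, reason = check_fragments(frags)
    if not ok:
        raise ValueError(reason)
    return b"".join(f.payload for f in sorted(frags, key=lambda f: f.offset))


# Constructed fragment sets (not captured traffic).
GOOD = [Fragment(0, b"A" * 16, True), Fragment(16, b"B" * 16, True), Fragment(32, b"C" * 5, False)]
# Teardrop shape: the second fragment claims to start inside the first one.
TEARDROP = [Fragment(0, b"A" * 24, True), Fragment(16, b"B" * 16, False)]
# Ping-of-death shape: the final fragment would push the datagram past 65535 bytes.
OVERSIZE = [Fragment(65528, b"Z" * 16, False)]

if __name__ == "__main__":
    for name, frags in (("GOOD", GOOD), ("TEARDROP", TEARDROP), ("OVERSIZE", OVERSIZE)):
        print(name, check_fragments(frags))
```

Real reassemblers apply the oversize and overlap checks as each fragment arrives rather than once the set is complete, since the whole point of the attack is that the last fragment may never come; the gap and MF checks are what a reassembly timeout eventually decides for them.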
Volumetric DoS attacks aim to interfere with legitimate access to network resources by using up all the bandwidth available to reach those resources. In order to do this, attackers must direct a high volume of network traffic against the victim's systems. Volumetric DoS attacks flood victim devices with network packets using the User Datagram Protocol or the Internet Control Message Protocol, in large part because those protocols require relatively little overhead to generate large volumes of traffic, while, at the same time, requiring nontrivial computation on the part of the victim's network devices to process the incoming malicious datagrams.
History of denial-of-service attacks
DoS attacks on internet-connected systems have a long history, arguably starting with the Robert Morris worm attack in 1988. In that attack, Morris, a graduate student at MIT, released a self-reproducing piece of malware (a worm) that quickly spread through the global internet and triggered buffer overflows and DoS attacks on affected systems. Mostly research and academic institutions were connected to the internet at the time, but it was estimated that as many as 10% of the 60,000 systems in the U.S. were affected. Damages were estimated to be as high as $100 million, according to the U.S. General Accounting Office, and Morris was successfully prosecuted under the 1986 Computer Fraud and Abuse Act and sentenced to three years' probation, 400 hours of community service and fined $10,000.
Physical infrastructure denial-of-service attacks
A denial-of-service attack can also exploit vulnerabilities in a physical infrastructure to deny legitimate users access to computer or network resources. While many service interruptions are caused by network attacks, the same result can also be achieved by physically severing wiring or preventing power and cooling resources from being accessed. In such cases, the physical attack may also be referred to as sabotage.