
What Is a Denial of Service (DoS) Attack?

LastPass, July 01, 2024

Understanding Denial-of-Service Attacks  

A DoS (denial-of-service) attack is a cyberattack aimed at disabling an organization’s ability to do its job, impairing workflows, structure, routines, and even critical infrastructure.

Denial-of-service attacks are usually launched from a single computer and can wreak havoc on the target. A DDoS (distributed denial-of-service) attack is a more complex form of DoS attack launched from multiple sources, with the same result: chaos.

What is a Denial-of-Service (DoS) attack?  

Definition and explanation of denial-of-service attacks

A denial-of-service attack may prevent an organization from connecting devices across the same network, or from accessing a website. Internal IT teams may struggle to find the source of sudden inaccessibility issues, slow loading times, or strange, unexplainable timeouts and errors. Over time, decreased functionality can cause resources to become inaccessible. This is the objective of the attacker, whose aim is to prevent the organization from operating normally. 

Common methods used in denial-of-service attacks

In a DoS attack, one computer floods a targeted machine with more requests than it can process. The resulting strain on resources eventually limits or completely prevents connectivity and responsiveness.

The attacker sends requests from one machine that cause a surge in usage, eventually making the system slow down or become unresponsive. This unresponsiveness is what prevents normal operation.

Impact of denial-of-service attacks on businesses and individuals

The impact of a DoS attack is far-ranging. Users are not able to access resources to carry out tasks, making work impossible. Actions that require specific timing are missed.  Revenue is easily lost, and a business must expend financial resources to resolve an attack. Customers cannot access the website to make orders or receive services.  

In addition, customers can quickly lose trust in an organization that has been impacted. Between damage to the reputation of a brand, lost time due to inability to function at work, lack of access, and the hefty price tag of remediation, it can even mean the end of a business or organization. This is the motivation of many threat actors.  

These types of attacks can also affect community infrastructure, preventing services or the functionality of necessary resources.  

Types of Denial-of-Service Attacks  

TCP/IP-based attacks  

There are several different types of denial-of-service attacks.  

TCP/IP-based attacks function around the set of protocols used to govern communications between computers on the internet.  

A SYN flood is one example of a TCP/IP-based attack. IP (Internet Protocol) governs which “address” the data is sent to; TCP (Transmission Control Protocol) governs how the data is delivered once that address is known. When everything is flowing according to standard procedure, the client opens the connection by sending a SYN packet to the server, like a knock. The server replies with a SYN/ACK packet, acknowledging the request to communicate. The client responds with an ACK packet, completing the three-step process known as the TCP handshake and opening the connection for data exchange.

In a SYN flood attack, the attacker floods the server with SYN packets carrying spoofed source addresses. The server is programmed to respond to each one with a SYN/ACK and then waits, holding a half-open connection, for the expected ACK packet to arrive; in this case it never does, and the accumulating half-open connections leave no capacity for legitimate clients.
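
The half-open connections described above are what a defender can count. The following Python is an added example, not code from the original post: it replays the three-way handshake over a constructed packet sample (one legitimate handshake followed by 40 SYNs from spoofed sources that never send the final ACK) and flags a server whose half-open connections exceed a threshold.

```python
from collections import defaultdict


def _constructed_packets():
    """Constructed sample of TCP control packets seen at a server's edge.
    Each tuple: (src_ip, dst_ip, flags). The first three packets are one
    legitimate three-way handshake; the remainder are SYNs from 40 spoofed
    sources that the server answers but that never send the final ACK."""
    packets = [
        ("10.0.0.5", "192.0.2.10", "SYN"),
        ("192.0.2.10", "10.0.0.5", "SYN/ACK"),
        ("10.0.0.5", "192.0.2.10", "ACK"),
    ]
    for i in range(1, 41):
        packets.append((f"198.51.100.{i}", "192.0.2.10", "SYN"))
        packets.append(("192.0.2.10", f"198.51.100.{i}", "SYN/ACK"))
    return packets


def track_handshakes(packets):
    """Replay the handshake state machine and return, per server,
    how many client connections completed and how many stayed half-open."""
    state = {}  # (client, server) -> "syn_received" | "established"
    for src, dst, flags in packets:
        key = (src, dst)
        if flags == "SYN":
            state[key] = "syn_received"
        elif flags == "ACK" and state.get(key) == "syn_received":
            state[key] = "established"
        # SYN/ACK travels server -> client and does not change client state
    summary = defaultdict(lambda: {"completed": 0, "half_open": 0})
    for (_, server), s in state.items():
        bucket = "completed" if s == "established" else "half_open"
        summary[server][bucket] += 1
    return dict(summary)


def syn_flood_suspected(packets, half_open_threshold=20):
    """Servers whose half-open connection count exceeds the threshold."""
    return sorted(
        srv
        for srv, c in track_handshakes(packets).items()
        if c["half_open"] > half_open_threshold
    )


if __name__ == "__main__":
    print(track_handshakes(_constructed_packets()))
    print(syn_flood_suspected(_constructed_packets()))
```

A real sensor would also age out entries, since legitimate clients on slow links complete the handshake late rather than never.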

Another example of a TCP/IP-based denial-of-service attack is an ICMP flood, also known as a ping flood. In this type of attack the Internet Control Message Protocol (ICMP) is used to flood the target. ICMP is used to communicate error messages and operational information to and from network devices such as routers and switches. Attackers take advantage of the ICMP echo request, in which one device “pings” another, which replies with an “echo” confirming its presence on the network. By sending a high volume of such traffic from spoofed IP addresses or botnets (networks of devices, frequently carrying malware, under the attacker’s control), the attacker paralyzes the organization: there are no longer enough resources to process legitimate requests, so functionality is disabled.

Application layer attacks  

Application layer attacks target a specific application or service on the internet, with the purpose of disrupting its normal operation.

One example is an HTTP flood. In a normal HTTP request, the browser connects to the server and makes a request that the server responds to. In an HTTP flood, these requests are so numerous that the targeted server becomes overwhelmed and can no longer respond to legitimate users, disabling normal operation.
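
The “abnormally high amounts of traffic” sign that the detection section of this post describes is visible in the web server’s own access log. The following Python is an added example, not code from the original post: it parses constructed common-log-format lines and counts requests per client IP in ten-second windows, flagging any client whose request rate far exceeds the ordinary visitors in the sample (the threshold of 100 is an assumption for the sample, not a recommended value).

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache/nginx common log format: ip ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r"(?P<status>\d{3}) (?P<size>\d+|-)$"
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def _constructed_log():
    """Constructed sample: two ordinary visitors plus one client issuing
    300 requests for the same page inside a single ten-second window."""
    lines = [
        '10.0.0.8 - - [01/Jul/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120',
        '10.0.0.9 - - [01/Jul/2024:10:00:04 +0000] "GET /pricing HTTP/1.1" 200 8213',
    ]
    for i in range(300):
        lines.append(
            f'198.51.100.77 - - [01/Jul/2024:10:00:0{i % 10} +0000] '
            f'"GET /search?q=a HTTP/1.1" 200 40960'
        )
    return lines


def parse_line(line):
    """Return (client_ip, epoch_seconds, request_line) or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], TS_FMT)
    return m["ip"], int(ts.timestamp()), m["req"]


def requests_per_window(lines, window=10):
    """Count requests per (client IP, window bucket); malformed lines skipped."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, epoch, _ = parsed
        counts[(ip, epoch // window)] += 1
    return counts


def flood_suspects(lines, window=10, threshold=100):
    """Clients exceeding `threshold` requests in any single window,
    mapped to their peak per-window count."""
    suspects = defaultdict(int)
    for (ip, _), n in requests_per_window(lines, window).items():
        if n > threshold:
            suspects[ip] = max(suspects[ip], n)
    return dict(suspects)
```

In practice the threshold should come from the site’s own baseline, and a distributed flood (many sources, each below the threshold) additionally needs the aggregate rate per window compared against that baseline.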

Another type of attack is a DNS amplification attack, in which a threat actor abuses the DNS system to flood the target with DNS traffic, amplifying the size of the packets being sent and paralyzing it. DNS (Domain Name System) is the service that translates what a user types in a browser (for example, a website address in the form www.website.com) into the site itself, by looking up the IP address associated with that name, as a directory would. Normally the client sends a small request to a DNS resolver and receives a response that is only slightly larger. In a DNS amplification attack, the attacker crafts requests whose responses from the resolver are much larger than the requests, so that the large packets clog the target’s system and no resources are left for normal processing.
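
From the target’s side, an amplification attack shows up as large DNS answers arriving from resolvers that nobody inside the network ever queried. The following Python is an added example, not code from the original post: it assumes a record of UDP/53 traffic at the network edge (constructed here), matches inbound answers to the outbound queries that solicited them, and reports the unsolicited remainder together with the amplification ratio of the matched pair.

```python
def _constructed_dns_records():
    """Constructed sample of DNS traffic at the target's network edge.
    Each record: (direction, local_host, remote_host, txid, udp_bytes).
    One legitimate query/answer pair, then 30 large answers from resolvers
    that no local host queried: the reflected traffic of an amplification
    attack whose spoofed queries named 192.0.2.20 as their source."""
    records = [
        ("out", "192.0.2.20", "203.0.113.53", 0x1A2B, 60),
        ("in", "192.0.2.20", "203.0.113.53", 0x1A2B, 120),
    ]
    for i in range(30):
        records.append(("in", "192.0.2.20", f"198.51.100.{i + 1}", 0x4000 + i, 3000))
    return records


def classify_responses(records):
    """Split inbound answers into those matching an earlier outbound query
    (same local host, resolver and transaction id) and unsolicited ones.
    Returns (matched, unsolicited); matched items carry query and answer sizes."""
    outstanding = {}  # (local, remote, txid) -> query bytes
    matched, unsolicited = [], []
    for direction, local, remote, txid, size in records:
        key = (local, remote, txid)
        if direction == "out":
            outstanding[key] = size
        elif key in outstanding:
            matched.append((key, outstanding.pop(key), size))
        else:
            unsolicited.append((key, size))
    return matched, unsolicited


def amplification_report(records):
    """Summarise evidence of reflected, amplified DNS traffic."""
    matched, unsolicited = classify_responses(records)
    inbound_bytes = sum(r[4] for r in records if r[0] == "in")
    unsolicited_bytes = sum(size for _, size in unsolicited)
    ratios = [answer / query for _, query, answer in matched]
    return {
        "unsolicited_responses": len(unsolicited),
        "unsolicited_bytes": unsolicited_bytes,
        "unsolicited_share": unsolicited_bytes / inbound_bytes if inbound_bytes else 0.0,
        "matched_amplification": max(ratios) if ratios else 0.0,
        "reflectors": sorted({key[1] for key, _ in unsolicited}),
    }
```

The reflector list is the set of resolvers to rate-limit at the edge; the unsolicited share separates an amplification attack from a genuine burst of lookups by internal hosts.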

Distributed denial-of-service (DDoS) attacks  

A distributed denial-of-service, or DDoS, attack is a DoS on steroids. It works by flooding the target, or nearby machines that support it, with internet traffic, disrupting normal traffic. To use a roadway analogy, a DDoS is an intentionally created traffic jam made with oversized vehicles. Both types of attack overload a server or web application in order to interrupt services, but a DoS uses a single computer to do so, while a DDoS uses a network of computers.

Detecting Denial-of-Service Attacks

Detecting a denial-of-service attack requires cybersecurity skills and knowledge. While there are common signs and symptoms to know, education and regular monitoring are the first line of defense.  

Recognizing signs and symptoms of a denial-of-service attack

There are common signs of a denial-of-service attack that can help with recognition and prevention. Unfortunately, many of them can also be read as positive signs of a business doing well, so education about DoS and DDoS attacks is especially important. First, look for abnormally high traffic volumes, slow load times, or abnormal network activity. Then check for high CPU or memory usage, unexpected activity, or devices that cannot communicate on the same network. A website that is down is also a common sign.

Monitoring network performance and response times

Many companies offer a specific set of web analytics tools to help detect DoS and DDoS attacks. Since early detection is critical, employing regular monitoring services to look at network performance and response times can be beneficial. 

Utilizing intrusion detection systems  

Intrusion detection systems work by recognizing known attack signatures and notifying an organization when activity deviates from normal.

How to Prevent Denial-of-Service Attacks

Implementing strong network security measures

The first line of defense in preventing denial-of-service attacks is education. Understanding how a DoS and a DDoS operate – and what signs and symptoms to look for – is key.  

Other ways to implement network security measures are to practice network segmentation, to monitor regularly, to run updates as they roll out, and to check for patches and updates often. It’s also a good idea to back up data on a regular schedule and to have a plan ready to use if incident response becomes necessary.  

Utilizing load balancers and firewalls

Firewalls are a common means of protection against denial-of-service attacks. By cloaking devices on a network, a firewall provides a strong and reliable means of defense.

Load balancers help move traffic evenly across servers so that one single resource does not become overwhelmed. There are hardware and software options for load balancing, and both can be helpful. 

Regularly monitoring network traffic and suspicious activities  

Checking on suspicious activity, or sudden, unexpected activity that appears positive (as noted above), such as an inexplicable increase in traffic, can significantly reduce the impact. Run scans and monitor carefully. As with most things, prevention is key, and discovering an attack as early as possible is crucial.

Protect Against Future Denial-of-Service (DoS) Attacks with LastPass

Encrypted passwords

LastPass stores passwords, digital records, and other vital personal information to keep it from falling into the wrong hands. LastPass users easily access their own information while keeping it away from intrusive eyes. Promising a hassle-free login, encrypted passwords are an important aspect of cybersecurity in general, and helpful in preventing a denial-of-service attack among other cybersecurity incidents. 

Enhanced security measures

LastPass has enhanced security measures that can help, including MFA (multi-factor authentication), third-party certifications, regular audits, and a responsible disclosure policy that lets users reach the intelligence team to report threats effectively. As the security threat landscape evolves, LastPass’s security measures evolve with it.

Start your LastPass trial today.