
Understanding the Difference between DoS and DDoS Attacks

LastPass, August 02, 2024

What Is a DoS Attack in Cybersecurity?

Definition of DoS attack

A DoS (Denial-of-Service) attack is a type of cyberattack that can cripple an organization by denying legitimate users access to services.  

In a denial-of-service attack, a malicious actor (or group) interrupts the functionality of the target system by flooding or overwhelming the target with requests that keep the target too busy to respond to legitimate requests. The result is that users can no longer engage as needed with a website or system. 

Types of DoS attacks

A DoS attack is relatively simple to execute: the attack is launched from a single computer, the targeted system becomes busy replying to excessive requests, and services are disrupted.  

There are several types of DoS attacks: some flood a network with excessive data, some exploit network protocol vulnerabilities, and some target specific applications or services. A DoS attack comes from one location. 

Impact of DoS attacks on businesses

A business always suffers a loss when legitimate users can no longer access services; the only question is how severe the loss will be.

In these types of attacks, employees and customers cannot complete tasks required for the functionality of the business.  Imagine an online clothing store where customers can’t access the site. Now, imagine a busy hospital where nurses can’t access patient data and finance specialists can’t bill insurance. A DoS attack, no matter the type, is a significant threat to any organization, and a costly one.  

What Is a DDoS Attack?

Definition of DDoS attack

A DDoS (distributed denial-of-service) attack is a DoS attack on steroids. Using many malware-infected hosts, often thousands of them in many different locations, malicious actors flood the target with requests, which makes recognizing the attack, stopping it, and identifying its source far more complicated. The impact is greater because IT or security staff cannot simply block one address: they face traffic from thousands, if not millions, of attacking hosts spread across networks and countries. This is what makes DDoS so effective.

Because this type of attack mimics normal behavior at first, red flags may not be noticed until the target is already flooded or overwhelmed, making it hard to detect and respond. 

How DDoS attacks work

Why choose a DDoS attack over a DoS attack? Traffic arriving from thousands of sources is far harder to attribute and to block. A single-source flood can be stopped by filtering one address, but in a DDoS attack there is no single address to filter, and because each bot sends from its own real address, anti-spoofing measures such as ingress filtering do not help either.

Examples of DDoS attacks

Recent examples of DDoS attacks exemplify the challenges faced by even well-prepared cybersecurity and IT professionals when addressing these threats, demonstrating the power of this type of attack. 

In February 2020 Amazon Web Services reported a DDoS attack against its cloud service that peaked at 2.3 terabits per second, a CLDAP reflection attack and the largest publicly reported at the time; the disruption lasted around eight hours and was significant.

In 2018 GitHub was hit by a memcached amplification attack that peaked at 1.35 terabits per second. Service was affected for roughly 20 minutes before traffic was rerouted through a DDoS mitigation provider, a notable outcome given GitHub's well-prepared defenses.

In 2014 Cloudflare, a well-known content delivery and security company, absorbed an NTP amplification attack of roughly 400 gigabits per second, at the time the largest on record. It demonstrated that misconfigured NTP servers (specifically the monlist command) were an effective amplification tool.

Key Differences Between DoS and DDoS Attacks

Number of attackers involved

How can you differentiate between a DDoS and a DoS attack? The simplest answer is that a denial-of-service attack occurs when one system targets another, typically by flooding it with TCP or UDP packets, and a distributed denial-of-service attack occurs when a network of infected computers targets one system, with the combined traffic of all the bots, often multiplied further through amplification, aimed at that system at once.

Attack infrastructure used

DDoS attacks are commonly grouped into three types. Application-layer attacks (layer 7) flood an application with seemingly legitimate requests, such as HTTP requests, that are cheap to send but expensive for the server to answer. Protocol attacks (network and transport layers) exhaust state in servers or in intermediate devices such as firewalls and load balancers; the SYN flood is the classic example. Volumetric attacks saturate the target's bandwidth with massive amounts of traffic, often produced by amplification.

Sending requests to flood a system prevents legitimate traffic from moving, somewhat like a traffic jam on a highway preventing necessary or even emergency traffic from getting through. DDoS infrastructure creates a complete standstill, and may even collapse the road.

Impact on target systems

When the victim host becomes flooded or overwhelmed with these requests, legitimate traffic cannot get through, and resources become unavailable. End users experience painfully slow speeds and a loss of access to necessary websites or applications. In a denial-of-service attack the impact can be dramatic, but it can usually be resolved quickly because the single source can be identified and blocked. In a distributed denial-of-service attack the impact on the victim can be staggering and can take a long time to resolve: there is no single source to block, and the volume may exceed the target's capacity regardless of what it filters.

A noticeable spike in traffic, especially from one IP address, could indicate an attack. Other signs include a website that stops responding, ping requests timing out, slow performance, or HTTP 503 Service Unavailable errors. While all of these could be signs that an attack is underway, the difficulty in identifying a denial-of-service or distributed denial-of-service attack is that the signs frequently mimic ordinary use, or at least start that way.

Common Forms of DoS Attacks

TCP/IP based attacks

A SYN flood is the classic TCP-based denial-of-service attack. It abuses the three-way handshake that the Transmission Control Protocol uses to open a connection: the client sends a SYN packet, the server replies with a SYN-ACK and allocates a half-open connection entry while it waits, and the client completes the handshake with an ACK. In a SYN flood the attacker sends a large volume of SYN packets, usually with spoofed source addresses, so the server's SYN-ACKs go to hosts that never answer. The server's table of half-open connections (its SYN backlog) fills up, and new SYNs from legitimate clients are dropped.
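The backlog exhaustion described above, modelled as an added example (this is not code from the original post). A toy stateful listener is flooded with SYNs from spoofed sources that never complete the handshake, and a legitimate client then tries to connect; the same flood is run against a listener that uses SYN cookies, the standard mitigation, which stores nothing per SYN and instead encodes a keyed hash of the connection in the server's initial sequence number. The backlog size, addresses, sequence numbers and secret are constructed for the demo, and real SYN cookies also encode the MSS, which this model omits.

```python
import hashlib
import hmac

# Added example, not from the original post: a toy model of the handshake
# state a SYN flood exhausts. Backlog size, addresses and the cookie secret
# are constructed for the demo.

BACKLOG = 128          # hypothetical SYN backlog; real kernels use larger, tunable values
MASK32 = 0xFFFFFFFF    # TCP sequence numbers are 32-bit


class StatefulListener:
    """Classic listener: every SYN allocates a half-open entry until its ACK arrives."""

    def __init__(self, backlog=BACKLOG):
        self.backlog = backlog
        self.half_open = {}        # (src_ip, src_port) -> server ISN sent in the SYN-ACK
        self.established = set()
        self.dropped_syns = 0
        self._next_isn = 1000

    def on_syn(self, src, client_isn, now):
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1     # backlog full: this SYN, legitimate or not, is dropped
            return None
        server_isn = self._next_isn
        self._next_isn = (self._next_isn + 64000) & MASK32
        self.half_open[src] = server_isn
        return server_isn              # value carried back to the client in the SYN-ACK

    def on_ack(self, src, seq, ack_num, now):
        server_isn = self.half_open.get(src)
        if server_isn is None or ack_num != (server_isn + 1) & MASK32:
            return False
        del self.half_open[src]
        self.established.add(src)
        return True


class SynCookieListener:
    """Stores nothing per SYN: the server ISN is a keyed hash the client's ACK must echo back."""

    def __init__(self, secret):
        self.secret = secret
        self.established = set()

    def _cookie(self, src, client_isn, minute):
        msg = f"{src[0]}:{src[1]}:{client_isn}:{minute}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def on_syn(self, src, client_isn, now):
        # Real SYN cookies also encode the MSS in the ISN; this model keeps only the HMAC.
        return self._cookie(src, client_isn, int(now // 60))

    def on_ack(self, src, seq, ack_num, now):
        client_isn = (seq - 1) & MASK32                        # the ACK carries seq = client ISN + 1
        for minute in (int(now // 60), int(now // 60) - 1):   # tolerate one minute of skew
            if ack_num == (self._cookie(src, client_isn, minute) + 1) & MASK32:
                self.established.add(src)
                return True
        return False


def legit_client_connects(listener, spoofed_syns=1000, now=1_000_000.0):
    """Flood the listener with SYNs from spoofed sources that never reply, then try one real client."""
    for i in range(spoofed_syns):
        src = (f"198.51.100.{i % 250 + 1}", 1024 + i)   # TEST-NET-2 addresses, constructed
        listener.on_syn(src, client_isn=i, now=now)
    client = ("203.0.113.7", 40000)                     # the legitimate client, constructed
    server_isn = listener.on_syn(client, client_isn=7, now=now)
    if server_isn is None:
        return False                                    # SYN dropped: no SYN-ACK, no connection
    return listener.on_ack(client, seq=8, ack_num=(server_isn + 1) & MASK32, now=now)


def compare(spoofed_syns=1000):
    """Run the same flood against both listeners and report what happened to the legitimate client."""
    stateful = StatefulListener()
    cookies = SynCookieListener(secret=b"constructed-demo-secret")
    return {
        "stateful_legit_connected": legit_client_connects(stateful, spoofed_syns),
        "stateful_half_open": len(stateful.half_open),
        "stateful_dropped_syns": stateful.dropped_syns,
        "syncookie_legit_connected": legit_client_connects(cookies, spoofed_syns),
    }


if __name__ == "__main__":
    print(compare())
```

With a 128-entry backlog, 1000 spoofed SYNs leave 128 half-open entries that will sit there until they time out, and the legitimate client's SYN is simply dropped; the SYN cookie listener keeps no table, so the flood costs it nothing but the hash computations and the real client completes its handshake.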

Application layer attacks

An application layer attack targets the uppermost, 7th layer of the OSI model, the layer at which end-user applications such as web servers operate. Each request is cheap for the attacker to send but expensive for the server to answer (a search query, a login attempt, a dynamically generated page), so resources are consumed at a rapid pace. It can be difficult to diagnose because the traffic looks like normal end-user behavior.

Ping flood attacks

In a ping flood, the attacker abuses the ICMP (Internet Control Message Protocol) echo-request and echo-reply messages that the ping tool uses to test whether a device is reachable. This is not a protocol vulnerability: the attacker simply sends echo requests, from one machine or many, faster than the target can absorb them, and the target spends bandwidth and CPU answering each one with an echo reply. It is the equivalent of calling and hanging up repeatedly to keep a line busy.

Common Forms of DDoS Attacks

Botnet-based attacks

Botnet-based attacks are staged through a network of malware-infected hosts. The botnet is built by exploiting vulnerabilities or weak credentials on the recruited devices (home routers, IP cameras, servers) and is managed remotely by the threat actor. Compromised devices in locations all over the world operate as a unit, focusing their resources on whatever requests the operator tells them to send. Thousands and even millions of these hosts may be involved in a single DDoS attack.

Amplification attacks

Amplification attacks are a type of flooding or volumetric attack. Traffic from the sender is bounced off a third-party system that replies with more data than it received, so a modest amount of attacker bandwidth becomes a large-scale flood aimed at the target.

An amplification attack involves three parties: the threat actor, the reflector, and the target or victim. The attacker sends a request to the reflector with the source address spoofed to the target's, and the reflector sends its response, which is much larger than the request, to that spoofed address. The ratio of response size to request size is the amplification factor. The attacker's goal is to get the largest response from as many reflectors as possible and thus flood the target's system, rendering it unusable.

DNS reflection attacks

A DNS (Domain Name System) reflection attack uses open DNS resolvers, resolvers that answer recursive queries from anyone on the internet, as reflectors. It might be useful to think of the DNS as the internet's phone book: a distributed database that associates domain names with IP addresses. In this type of attack, the queries are usually sent from a network of controlled computers so that the flood reaches the scale needed to overwhelm the target.

The attacker sends many small queries, chosen to produce large answers, to open resolvers with the source address spoofed to the target's IP address, and each resolver sends its much larger response straight to the target. Since every reply is many times the size of the query that produced it, a large volume of traffic converges on the victim.
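The exchange described in the amplification and DNS reflection sections above, as an added example rather than code from the original post. It hand-encodes a DNS query in wire format (RFC 1035, with an EDNS0 OPT record per RFC 6891 so the reflector is allowed to send a large UDP answer), models an open resolver that answers it, and shows where the response actually goes and how large it is compared with the query. Beside it is a hardened resolver that only recurses for its own clients and answers everyone else with a small REFUSED. The addresses, the network the resolver serves, and the record contents are constructed for the demo.

```python
import ipaddress
import struct

# Added example, not from the original post. Addresses are from the
# documentation ranges and the answer contents are constructed.

VICTIM_IP = "203.0.113.10"      # spoofed as the query's source; receives the reply
ATTACKER_IP = "198.51.100.66"   # real sender; never sees the reply
RESOLVER_LAN = ipaddress.ip_network("192.0.2.0/24")   # clients the resolver should serve


def encode_name(name):
    """RFC 1035 label encoding: length-prefixed labels ending with a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=255, txid=0x1234, udp_size=4096):
    """Query for `name` (QTYPE ANY by default) plus an OPT record advertising a large UDP buffer."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD set, 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, 0)     # root name, type OPT, class = UDP size
    return header + question + opt


def question_section(query):
    """Raw bytes of the question, which a response echoes back."""
    end = query.index(b"\x00", 12) + 1 + 4      # end of name, then QTYPE and QCLASS
    return query[12:end]


def build_answer(query, txt_strings, ttl=300):
    """Constructed reply: one TXT record per string, each name compressed to the question's name."""
    txid = struct.unpack("!H", query[:2])[0]
    answers = b""
    for s in txt_strings:
        data = s.encode("ascii")
        assert len(data) <= 255                 # a single TXT character-string is at most 255 bytes
        rdata = bytes([len(data)]) + data
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, ttl, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(txt_strings), 0, 1)   # QR, RD, RA, NOERROR
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)
    return header + question_section(query) + answers + opt


def build_refused(query):
    """Minimal REFUSED reply: header with RCODE 5 and the echoed question, no answer records."""
    txid = struct.unpack("!H", query[:2])[0]
    return struct.pack("!HHHHHH", txid, 0x8185, 1, 0, 0, 0) + question_section(query)


def resolver(packet, src_ip, open_resolver):
    """The reflector. Open: answers anyone. Hardened: recurses only for its own clients."""
    if not open_resolver and ipaddress.ip_address(src_ip) not in RESOLVER_LAN:
        return build_refused(packet)
    return build_answer(packet, ["x" * 255] * 12)   # a large, constructed ANY answer


def reflect(open_resolver):
    """Attacker sends the query with the victim's address as source; the reply goes to the victim."""
    query = build_query("example.com")
    spoofed_src = VICTIM_IP
    response = resolver(query, spoofed_src, open_resolver)
    return {
        "query_bytes": len(query),
        "response_bytes": len(response),
        "delivered_to": spoofed_src,            # never ATTACKER_IP: the reflector only sees the spoof
        "amplification": len(response) / len(query),
    }


if __name__ == "__main__":
    print("open resolver:", reflect(True))
    print("hardened resolver:", reflect(False))
```

With the open resolver a 40-byte query produces a 3256-byte reply, an amplification factor above 80, delivered to an address that never asked for it. The hardened resolver still sends something to the victim, but its 29-byte REFUSED is smaller than the query, so it is useless as an amplifier. The same reasoning applies to the other reflectors discussed on this page, which is why closing open resolvers, applying response rate limiting, and deploying source-address validation at the network edge are the standard countermeasures.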

How to Prevent DoS and DDoS Attacks

Creating strong passwords 

We've all heard that strong passwords are a critical first line of defense. Choose passwords with a mix of upper and lowercase letters, numbers, and symbols, and never reuse them. Strong credentials do not stop a flood aimed at a public service, but they keep attackers out of the administrative consoles (routers, DNS, cloud and CDN dashboards) they would use to disable defenses, and they keep an organization's own devices from being captured and recruited into a botnet. Maintaining excellent password hygiene by using a password manager may be the easiest and most important step in helping ensure employees routinely follow cybersecurity best practices.

Multi-factor authentication

Multi-factor authentication (MFA) hardens those same login paths further. Enabling MFA gives organizations a significantly safer login process, defending against credential theft, account takeover, and the malware installs that feed botnets. MFA does not reduce the volume of a flood, so it complements rather than replaces dedicated DDoS protection such as rate limiting, SYN cookies, and upstream scrubbing or content delivery services.

Continuous monitoring

While strong passwords and using MFA immediately improve a security posture, continuous monitoring is key when taking action toward securing a network or device.  

Continuous monitoring allows for a better understanding of baseline system and traffic behaviors and can give IT managers or business owners early indications of a DoS and DDoS, reducing both the risk and burden of securing an organization. Having proper security measures in place will mitigate the effects of an attack, even if one occurs.  
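The baseline-and-indicator approach from the monitoring section above, and the single-IP versus many-IP distinction from the indicators section, as an added example that is not part of the original post. It parses Apache-style access log lines, buckets them into ten-second windows, learns a baseline request rate from the first window, and flags a window as a single-source flood or a distributed flood depending on how much of the spike one address accounts for, reporting the share of 5xx responses as well. The log lines are constructed inline; the window size, spike factor and share threshold are illustrative values, not figures from the page.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Added example, not from the original post. The access log is constructed.

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
BASE = datetime(2024, 8, 1, 10, 0, 0, tzinfo=timezone.utc)   # start of the constructed log


def constructed_log():
    """Ten seconds of normal traffic, then a single-address flood, then a botnet flood."""
    lines = []

    def add(ip, second, status, path="/"):
        ts = (BASE + timedelta(seconds=second)).strftime(TS_FMT)
        lines.append(f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512')

    for i in range(30):                         # window 0: ten regular clients, three requests each
        add(f"192.0.2.{i % 10 + 1}", i % 10, 200)
    for i in range(30):                         # window 1: same background ...
        add(f"192.0.2.{i % 10 + 1}", 10 + i % 10, 200)
    for i in range(400):                        # ... plus 400 requests from one address (DoS)
        add("198.51.100.9", 10 + i % 10, 200, f"/search?q={i}")
    for i in range(30):                         # window 2: background ...
        add(f"192.0.2.{i % 10 + 1}", 20 + i % 10, 200)
    for i in range(500):                        # ... plus 250 bots, two requests each, mostly 503s (DDoS)
        add(f"203.0.113.{i % 250 + 1}", 20 + i % 10, 503 if i < 300 else 200, "/login")
    return lines


def parse_line(line):
    """Return (ip, timestamp, status) for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, int(m.group("status"))


def analyze(lines, window=10, spike_factor=10, single_source_share=0.5):
    """Bucket requests into fixed windows and classify each window against the learned baseline."""
    buckets = defaultdict(lambda: {"total": 0, "per_ip": Counter(), "errors": 0})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, status = parsed
        b = buckets[int(ts.timestamp()) // window]
        b["total"] += 1
        b["per_ip"][ip] += 1
        if status >= 500:
            b["errors"] += 1

    findings = []
    baseline_rps = None
    for key in sorted(buckets):
        b = buckets[key]
        rps = b["total"] / window
        top_ip, top_count = b["per_ip"].most_common(1)[0]
        top_share = top_count / b["total"]
        error_rate = b["errors"] / b["total"]
        if baseline_rps is None:
            baseline_rps = rps                 # first window is assumed to be normal traffic
            verdict = "baseline"
        elif rps < spike_factor * baseline_rps:
            verdict = "normal"
        elif top_share >= single_source_share:
            verdict = "single-source flood"    # one address dominates: block it and the spike ends
        else:
            verdict = "distributed flood"      # spike spread thinly over many addresses
        findings.append({
            "window_start": datetime.fromtimestamp(key * window, timezone.utc).isoformat(),
            "rps": rps,
            "top_ip": top_ip,
            "top_share": round(top_share, 3),
            "error_rate": round(error_rate, 3),
            "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    for finding in analyze(constructed_log()):
        print(finding)
```

In practice the baseline comes from days or weeks of history rather than one window, and a single address that dominates a spike may be a NAT gateway, a proxy, or an aggressive crawler rather than an attacker, so a rule like this is a trigger for investigation and rate limiting, not an automatic block list.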
