Ever wondered why websites suddenly become inaccessible during a DoS attack? Denial of Service (DoS) attacks are a potent threat in the cyber world, aiming to overwhelm systems, servers, or networks to render them unusable. These attacks disrupt services to legitimate users, causing significant damage and downtime. Well, we'll be going over:
Understanding the dynamics of DoS attacks is crucial for anyone looking to fortify their online defenses. Let's dive in.
Denial-of-Service (DoS) attacks disrupt services by overwhelming systems with traffic, making them inaccessible to users. Techniques like SYN flood, teardrop, ICMP flood, and buffer overflow exploit vulnerabilities to crash servers. DDoS attacks, a subset of DoS, use multiple compromised systems for a broader impact. Preventive measures include using Content Distribution Networks, strong Identity and Access Management, cloud computing for scalable resources, firewalls, and updated security patches.
As its name indicates, Denial of Service (DoS) is any cyberattack that renders the target service inaccessible to legitimate users and information systems. That is, you're trying to access a web page or web service and it's just down, not working. The most common way attackers achieve this is by flooding the host servers and network with excessive traffic, such that the host server crashes or fails to respond in an acceptable duration.
The denial-of-service style of attack is a common one. It’s neither new, nor going away anytime soon. In fact, research indicates that DoS attacks are expected to increase 300% in the year 2023 alone. Over 57,000 DDoS attacks were reported in Kaspersky’s recent quarterly report.
The first ever case of a DoS attack dates back to 1974 when a 13 year old student ran a program that simultaneously accessed all terminals of a shared learning platform located at a nearby computer lab. This caused all machines to crash, requiring manual restarts for all before another user could access the learning platform.
It took over two decades for this to scale into an intentional attack. The first documented case of a large-scale DoS attack was in 1996. The ISP provider Panix was flooded by DoS traffic that rendered the service inaccessible for a week!
In the Panix case, the attacker employed the SYN flood attack that starts a connection with the server and keeps it open. The server allocates resources on the half-opened connection. The process is repeated by multiple server requests to the point where all server resources are dedicated to the half-open connections, leaving it inaccessible for the legitimate traffic.
Other DoS attacks use different schemes to achieve the same goal.
A teardrop attack exploits a vulnerability in the TCP/IP Internet protocol suite that prevents the server from reassembling fragmented data packets. The server is flooded with fragmented packets, which overlap each other and make it difficult for the server to recompile the original data. This causes the server to crash.
The ICMP protocol is used to communicate diagnostic information between the client and the server. By sending an excessive number of ICMP pings, the target server fails to respond to all requests with the available resources. This ultimately causes the server to be unresponsive, resulting in a denial-of-service condition.
The buffer overflow attack exploits vulnerability in the data error correction mechanism — sequential data buffers that hold data temporarily.
The attack attempts to store more data than the allocated memory buffer, which overwrites the adjacent memory buffer locations. This causes the memory stack to store corrupted and overwritten error data, which leads the server to crash or failure to prevent execution of malicious code. Repeated attempts to corrupt these buffers causes a Denial of Service condition on the server.
Not all DoS attacks emerge as a malicious activity. A web service that cannot adequately handle a temporary surge in organic web traffic, like on Black Friday in the U.S., can also crash and run into a state similar to the Denial of Service.
And what about DDoS? All DDoS are a form of Denial of Service attack, but not all DoS are DDoS attacks.
Let’s explain how DDoS is a subset of DoS: In recent years, the term DDoS — Distributed Denial of Service — has gained popularity by bringing down large-scale Internet services that have impacted millions of users globally. In 2017, Google Cloud was the victim of a DDoS attack launched using 180,000 Web servers to flood Google data centers with traffic at 2.54 Terabits per second (Tbps). In 2020, AWS saw an attack at 2.3 Tbps.
The key difference between DoS and DDoS is this:
DoS may come from a single location, whereas the DDoS attack may be a coordinated activity — typically using bots on compromised machines used as attack nodes — launched at scale and high speed, which makes it more difficult to detect and prevent. And how can attackers run DoS bots on thousands of compromised machines to launch a DDoS attack at scale? It turns out, cybercriminals use DDoS for hire bots, also known as DDoS-as-a-Service.
(Read about XSS attacks and brute force attacks.)
What steps can you take to prevent your web services and websites from falling prey to a Denial of Service Attack? The following best practices can help reduce the risk of a DoS attack on your servers:
(For the latest in cybersecurity, stay up to date with these events and must-read books and articles.)
See an error or have a suggestion? Please let us know by emailing [email protected].
This posting does not necessarily represent Splunk's position, strategies or opinion.
The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.
Founded in 2003, Splunk is a global company — with over 7,500 employees, Splunkers have received over 1,020 patents to date and availability in 21 regions around the world — and offers an open, extensible data platform that supports shared data across any environment so that all teams in an organization can get end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.