What is a Denial of Service Attack?
Denial of Service (DoS) attacks are attempts to overload computing resources intended for users. They can cause outages of web sites and network services for small to large organizations. They can also be difficult to defend against and can be quite costly to fix. The means of execution can vary, and also the motives, but in general DoS attacks consist of malicious efforts from a person or group to prevent a website or service from serving its clients efficiently or at all.
A denial of service attack is one that is from a single origin, a single machine somewhere on the internet issuing large amounts of network requests against a targeted machine.
DoS attacks can be effective against victims that have no defense, but they have a few limitations:
- Victims can block originating IP address
- Security tools exist now that detect and prevent ICMP flood packets
- Web servers can be configured to detect and Block HTTP request attacks
- Enterprise Software can identify and block single origin attacks
What is a DDoS attack?
Today the more harmful type of DoS attack is the DDoS or Distributed Denial of Service attack. It is an advanced version of a DoS attack. In a DDoS attack the victim is flooded with incoming traffic coming from many different sources, potentially hundreds of thousands or more. This makes it impossible to stop the attack by simple blocking a single IP address. It is also difficult to distinguish legitimate user traffic from attack traffic, especially when they are coming from many points of origin. DDoS attacks generally target services or sites located on high-profile web servers such as credit card processing gateways, banks, and DNS root servers.
A DDoS attack consists of three parts. The first part is the master, the second is the slave, and the final part is the victim. The master is the attack launcher, the person or machine behind it all. The slave is the network or machines which are being compromised by the master and victim is the target site or server. The master informs the compromised machines or slaves to launch the attack on the victim’s site or machine.
DDoS attacks are typically done in two phases. The first phase is to compromise the weak machines in the different networks around the world. This phase is called the Intrusion Phase. In the next phase the attacker installs the DDoS tools or malware on the slave machines and starts attacking the victim’s machine or site. This Phase is called the Distributed DoS attack phase.
Botnets are essentially the network of machines infected with the attacker’s malware. Malware software can place a victim’s machine under the control of a remote hacker and are manipulated to create the high traffic flow necessary for a DDoS attack. Successful botnets can contain hundreds of thousands of infected machines. Many malware infections are sent via email attachment or are downloaded via P2P (Peer-to-Peer) file sharing networks. When the user executes the file, the malware installs itself onto their system, typically without their knowledge. The malware installed may include execution intended to max out the processor’s usage, trigger errors in the microcode of the machine, force the computer into an unstable state, and exploit errors in the operating system to cause resource starvation or crash the operating system itself.
Methods of a DDoS attack
A major difference between DDoS implementation is whether or not an attacker targets computing resources of the victim’s machine or their network resources. An attack against a web server based on HTTP flooding (as many as 10,000 requests per second) can overwhelm the server software, eventually consuming memory or CPU time. This can cause response time delays with applications running on the server. Disk space could also be consumed on the server, if logging is enabled, because the log files will grow in size. This can also cause problems to virtual memory, which can cause the server to become unstable.
An attack such as a SYN flood instead focuses on the TCP network, overloading it with unacknowledged TCP packets. Depending on how an organizations network is managed, this kind of DDoS can not only overwhelm a server but can cause overload on switches and other network resources. This could have a big effect on the network infrastructure and also on the ISP by the bandwidth it is consuming. A SYN flood is basically an aborted handshake; internet communications use a three-way handshake using SYN packets. A large numbers of these aborted SYN packet are sent to a target, resulting in server resources being exhausted. The server is now a victim of a SYN Flood DDoS attack.
HTTP and SYN floods are not the only methods used in DDoS attacks, but are the most common. Other methods may include UDP, ICMP, DNS floods, the Ping of Death, and mail bombs. A so-called “mixed DDoS” can incorporate several of these methods into one attack. It’s very difficult to defend against a sophisticated DDoS attack.
How to prevent an attack
The reasons DDoS attacks occur are because of vulnerable applications running on a machine or network, an open network setup, a network or machine setup that has not taken security into account, not doing any network monitoring or data analysis, or not doing any regular audit or software upgrades. The best way to survive an attack is to plan for one. For example, having a separate emergency block of IP addresses for critical servers with a separate route is invaluable. For protection from a SYN flood attack the use of SYN cookies can be used either in the operating system or a network security device. SYN cookies provide a more efficient method for tracking incoming TCP connections lessening the chance for a typical SYN flood to overwhelm the TCP stack. A good defense against an HTTP flood can be the deployment of a reverse proxy, or a collection of reverse proxies spread across multiple hosting locations. A reverse proxy decides which IP addresses are allowed to enter into the server. By having multiple proxies in different locations, the crush of incoming traffic decreases. The limitations of DDoS defenses are that if an attacker can generate network traffic at a higher rate than your internet connection can handle, it will be hard to avoid a crash.
Prevention is the key with DoS attacks, do not open file attachments from unknown sources, if it is from a legitimate source make sure they intended to send it to you and ask them what it is. If it is a game or application delete it. For any attachment that you download make sure you scan it with an up to date antivirus scanner before opening. Also make sure your computer has a firewall and antivirus software, this is a must. There are many free antivirus programs you can download such as AVG, Avira, or Avast. A free firewall program you can download is ZoneAlarm.
DoS attacks have become a typical threat with the internet today, the intentions may vary but the risk is always there. Some groups are just trying to send a message to the world, while others are using them for criminal purposes or personal gain. With a world becoming more connected with technology it is important to understand how to protect ourselves from becoming a slave or victim.