Denial of Service, or DoS, is the term for an attack on a machine or network intended to make it unavailable to its legitimate users. In many cases that means flooding the target with more requests or traffic than it can handle. It can also mean sending a small amount of specially crafted input that triggers a bug and crashes the target.
To explain the process in more detail: a machine connected to a network can send and receive a certain amount of traffic and still function normally. How much depends on several factors, such as the size of the requests and of the data transferred, the processing power and memory of the machine, and the quality and capacity of the network connection.
When too many requests arrive, the network struggles to keep up. Some requests are dropped or go unanswered. If the excess is large enough, the network link or the receiving machine itself fails, with errors, exhausted memory or an outright crash.
Types of Attacks
There are many different types of DoS attacks, with different goals and methods. Some of the most common include:
SYN Flood Attack
A SYN flood (pronounced “sin”) is an attack in which the attacker sends a rapid stream of TCP connection requests and never completes them. The receiving side allocates resources for each half-open connection and holds them while it waits for the handshake to finish, which never happens. The table of half-open connections fills up, and the system either slows down or stops accepting new connections, genuine ones included.
Think of it like replying to direct messages: if a seller receives a hundred enquiries about a car, they have to spend time and effort replying to each one. If 99 of the senders never answer, the single genuine buyer may not get a reply, or gets it far too late.
The SYN flood takes its name from the packet used in the attack. SYN is the flag set on the first packet of the three-way handshake that opens a connection over the Transmission Control Protocol (TCP), the basis of most internet traffic. The server replies with a SYN-ACK and waits for the client's final ACK; in a SYN flood that ACK never arrives, usually because the source addresses were forged.
Buffer Overflow Attack
A buffer overflow occurs when a program writes more data into a fixed-size region of memory (a buffer) than that region can hold. If the program does not check the length of the input before copying it, the excess spills over and overwrites adjacent memory locations.
There are different types of buffer overflow attacks, depending on where the buffer lives (on the stack or on the heap) and on what sits next to it. Some send an input whose declared length is smaller than the data that actually follows, so the program allocates a buffer that is too small and then fills it. Others send malformed input that the parser was never written to handle. In every case the result is memory corruption, which can cause errors, shutdowns and incorrect results in the affected program, and at worst lets the attacker run code of their choosing.
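As an added illustration (example code written for this page, not taken from it), here is the unchecked copy the paragraph describes next to a bounded version, in C. The record layout, with a privilege flag directly after a 16-byte name buffer, is an assumption chosen so that the spill has a visible effect, and the inputs are constructed runs of 'A' bytes capped so that the overwrite stays inside a record the program itself owns:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed record layout for this example: a fixed-size name buffer with a
   privilege flag immediately after it, so a too-long name spills into the flag. */
struct user_record {
    char name[16];
    int  is_admin;
};

/* VULNERABLE: copies until the terminator with no bound on i, so any input of
   16 bytes or more writes past name[] into whatever sits next to it. */
void set_name_unchecked(struct user_record *rec, const char *input)
{
    size_t i = 0;
    while (input[i] != '\0') {
        rec->name[i] = input[i];
        i++;
    }
    rec->name[i] = '\0';
}

/* HARDENED: looks for the terminator only within the buffer's size, rejects
   anything that does not fit, and leaves the record untouched on rejection.
   Returns 0 on success, -1 on rejection. */
int set_name_checked(struct user_record *rec, const char *input)
{
    const char *nul = memchr(input, '\0', sizeof rec->name);
    if (nul == NULL)
        return -1;                       /* no terminator within 16 bytes */
    memcpy(rec->name, input, (size_t)(nul - input) + 1);
    return 0;
}

/* Runs one copy routine on a zeroed heap record fed input_len 'A' bytes and
   reports the flag afterwards. The length is capped at 19 so that the spill
   stays inside the 20-byte record rather than running into heap metadata. */
int flag_after_copy(int use_checked, size_t input_len)
{
    char input[sizeof(struct user_record)];
    struct user_record *rec = calloc(1, sizeof *rec);
    int flag;
    if (rec == NULL)
        return -1;
    if (input_len > sizeof input - 1)
        input_len = sizeof input - 1;
    memset(input, 'A', input_len);       /* constructed input */
    input[input_len] = '\0';
    if (use_checked)
        set_name_checked(rec, input);
    else
        set_name_unchecked(rec, input);
    flag = rec->is_admin;
    free(rec);
    return flag;
}

/* Verdict of the checked copy alone on input_len 'A' bytes: 0 accepted, -1 rejected. */
int name_fits(size_t input_len)
{
    char input[64];
    struct user_record rec = { {0}, 0 };
    if (input_len > sizeof input - 1)
        input_len = sizeof input - 1;
    memset(input, 'A', input_len);
    input[input_len] = '\0';
    return set_name_checked(&rec, input);
}

int main(void)
{
    printf("5-byte name,  unchecked: is_admin=%d\n", flag_after_copy(0, 5));
    printf("19-byte name, unchecked: is_admin=%d (flag overwritten by 'A' bytes)\n",
           flag_after_copy(0, 19));
    printf("19-byte name, checked:   is_admin=%d (input rejected, record intact)\n",
           flag_after_copy(1, 19));
    printf("15 bytes fit: %d, 16 bytes fit: %d\n", name_fits(15), name_fits(16));
    return 0;
}
```

The unchecked copy turns an over-long name into a set privilege flag; the checked one scans for the terminator only as far as the buffer extends and refuses anything that does not fit, terminator included. A stack buffer behaves the same way, except that what gets overwritten there is the saved return address, which is how a crash turns into code execution.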
Ping of Death
The humorously named PoD attack sends a malformed or oversized ping to a computer in order to make it malfunction. A normal ping is small: the default payload is 56 bytes, or 84 bytes once the ICMP and IPv4 headers are included. That is not the limit, though. An IPv4 packet can be as large as 65,535 bytes, and a packet that big is split into fragments which the receiver reassembles.
Some systems were not written to cope with fragments that reassemble into a packet larger than that maximum. The extra bytes run past the buffer reserved for reassembly, a buffer overflow that usually crashes the system. As with any buffer overflow, the corruption could in principle be used to inject malicious code where a crash is not the goal. Modern operating systems check the reassembled length before copying and are not vulnerable to the classic attack, which is one reason keeping systems patched matters.
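An added example, in C, of the length check that the classic Ping of Death got past (written for this page; not code from any operating system). The fragment and reassembly structures are simplified assumptions carrying only the fields reassembly needs, and the two fragment sequences are constructed sample traffic: a large but legal ping, and a poisoned one whose last fragment ends beyond the 65,535-byte maximum.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IPV4_MAX_DATAGRAM 65535u   /* limit of the 16-bit total-length field */
#define IPV4_HEADER_LEN   20u      /* minimal header, no options */
#define MAX_PAYLOAD (IPV4_MAX_DATAGRAM - IPV4_HEADER_LEN)   /* 65,515 bytes */
#define FRAG_UNIT         8u       /* the fragment offset counts 8-byte units */

/* Simplified fragment (an assumption for this example): only the header
   fields that reassembly needs, plus the payload. */
struct fragment {
    uint16_t       offset_units;   /* 13-bit fragment-offset field */
    int            more_fragments; /* MF flag: 0 on the last fragment */
    uint16_t       payload_len;    /* bytes carried by this fragment */
    const uint8_t *payload;
};

/* Reassembly state, sized for the largest legal datagram payload. */
struct reassembly {
    uint8_t data[MAX_PAYLOAD];
    size_t  total_len;   /* one past the highest byte written so far */
    int     complete;    /* last fragment seen */
};

/* Bytes a fragment would write past the end of data[]; 0 if it fits. The
   13-bit offset reaches 8191*8 = 65,528, so even a short last fragment placed
   at a high offset ends beyond the buffer. */
size_t fragment_overrun(const struct fragment *f)
{
    size_t end = (size_t)f->offset_units * FRAG_UNIT + f->payload_len;
    return end > MAX_PAYLOAD ? end - MAX_PAYLOAD : 0;
}

/* VULNERABLE: trusts offset and length and copies. On a poisoned last fragment
   the memcpy runs past data[] into total_len, complete and whatever follows:
   the classic Ping of Death. Kept for comparison only; nothing below feeds it. */
void reassemble_unchecked(struct reassembly *r, const struct fragment *f)
{
    size_t start = (size_t)f->offset_units * FRAG_UNIT;
    memcpy(r->data + start, f->payload, f->payload_len);   /* no bound check */
    if (start + f->payload_len > r->total_len)
        r->total_len = start + f->payload_len;
    if (!f->more_fragments)
        r->complete = 1;
}

/* HARDENED: the same copy, but the fragment is rejected before the buffer is
   touched. Returns 0 if accepted, -1 if dropped. */
int reassemble_checked(struct reassembly *r, const struct fragment *f)
{
    size_t start = (size_t)f->offset_units * FRAG_UNIT;
    if (fragment_overrun(f) != 0)
        return -1;
    memcpy(r->data + start, f->payload, f->payload_len);
    if (start + f->payload_len > r->total_len)
        r->total_len = start + f->payload_len;
    if (!f->more_fragments)
        r->complete = 1;
    return 0;
}

/* Feeds a fragment list to the checked reassembler on a fresh buffer. Returns
   the reassembled payload length if every fragment was accepted and the last
   one was seen, or -1 if any fragment was dropped. */
long reassemble_datagram(const struct fragment *frags, size_t n)
{
    struct reassembly *r = calloc(1, sizeof *r);
    long result = -1;
    size_t i = 0;
    if (r == NULL)
        return -1;
    while (i < n && reassemble_checked(r, &frags[i]) == 0)
        i++;
    if (i == n && r->complete)
        result = (long)r->total_len;
    free(r);
    return result;
}

/* Constructed sample traffic; ZEROS stands in for payload bytes. */
static const uint8_t ZEROS[1480];

/* Large but legal ping: 1480 + 520 = 2000 bytes of payload. */
static const struct fragment LEGAL_PING[] = {
    { 0,   1, 1480, ZEROS },   /* offset 0, more to come */
    { 185, 0,  520, ZEROS },   /* offset 185*8 = 1480, last fragment */
};

/* Ping of Death: an innocent first fragment, then a last fragment at offset
   8189*8 = 65,512 carrying 200 bytes, ending 197 bytes past the 65,515 the
   buffer holds. */
static const struct fragment POISON_PING[] = {
    { 0,    1, 1480, ZEROS },
    { 8189, 0,  200, ZEROS },
};

int main(void)
{
    printf("legal ping:  reassembled %ld bytes\n", reassemble_datagram(LEGAL_PING, 2));
    printf("poison ping: last fragment overruns by %zu bytes, checked reassembler returns %ld\n",
           fragment_overrun(&POISON_PING[1]), reassemble_datagram(POISON_PING, 2));
    return 0;
}
```

The fix is a single comparison before the copy; the damage in the unchecked version comes from trusting two header fields whose sum the protocol never guarantees to stay under the limit.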
Distributed DoS attacks
DDoS attacks are a more powerful form of DoS attack: they consist of many systems working together to run a coordinated attack on a single target. Instead of a one-to-one attack, it is many-to-one.
Generally speaking, DDoS attacks are more likely to succeed because they can generate far more traffic, are harder to filter since there is no single source to block, and can more easily be disguised as ‘normal’ traffic. The attacking machines are usually not the attacker's own. If a third party infects an ‘innocent’ user's machine with malware, that machine can be made to contribute to the attack without its owner noticing; a large group of such hijacked machines is called a botnet.
Defending Against (D)DoS Attacks
DoS and DDoS attacks are relatively simple methods. They do not require an exceptionally high degree of technical knowledge or skill on the attacker's side, yet when successful they can take important sites and systems offline. Even government websites have been taken down this way.
There are several ways to defend against DoS attacks. Most of them work in a similar way and start with monitoring incoming traffic. A SYN flood shows up as a rate of half-open connections that never complete, a pattern that does not occur in regular traffic. A server can respond by holding half-open connections for a shorter time, or by using SYN cookies, which encode the connection details into the sequence number it sends back so that no memory is reserved until the client's final ACK proves the handshake is genuine. Once traffic has been identified as a DoS or DDoS attack, blackholing can be used as a last resort to protect the system: all traffic to the attacked address, including genuine requests, is diverted and discarded so that the rest of the network stays up.
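To make the paragraph above and the earlier SYN flood description concrete, here is an added simulation in C (example code written for this page, not taken from it) of a listener with a fixed backlog of half-open connections, first facing a flood of forged SYNs on its own and then with SYN cookies. The backlog size, the timeouts, the addresses and the FNV-based keyed hash standing in for a real keyed hash such as SipHash are all assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BACKLOG       128   /* half-open connections the listener can hold */
#define SYN_TIMEOUT    60   /* seconds an unanswered SYN-ACK is remembered */
#define COOKIE_WINDOW  64   /* seconds per cookie time slot */

struct half_open { int used; uint32_t ip; uint16_t port; uint32_t isn; uint32_t expires; };

struct listener {
    int      use_cookies;
    uint32_t secret;                 /* random per boot in reality; fixed here */
    struct half_open backlog[BACKLOG];
};

/* Stand-in keyed hash (FNV-1a over key, ip, port and slot), assumed for the
   example. A real server uses a proper keyed hash such as SipHash. */
static uint32_t keyed_hash(uint32_t key, uint32_t ip, uint16_t port, uint32_t slot)
{
    uint32_t words[4] = { key, ip, port, slot }, h = 2166136261u;
    const uint8_t *p = (const uint8_t *)words;
    size_t i;
    for (i = 0; i < sizeof words; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* SYN cookie: top 8 bits hold the time slot, low 24 bits a keyed hash of the
   client's address and that slot. Everything needed to validate the later ACK
   is inside the number, so the server stores nothing. */
static uint32_t make_cookie(const struct listener *l, uint32_t ip, uint16_t port, uint32_t slot)
{
    slot &= 0xFFu;
    return (slot << 24) | (keyed_hash(l->secret, ip, port, slot) & 0x00FFFFFFu);
}

/* The number is valid only if its slot is the current or previous one (so a
   captured cookie cannot be replayed indefinitely) and the hash matches. */
int cookie_valid(const struct listener *l, uint32_t ip, uint16_t port, uint32_t now, uint32_t cookie)
{
    uint32_t slot = cookie >> 24, cur = (now / COOKIE_WINDOW) & 0xFFu;
    if (slot != cur && slot != ((cur - 1) & 0xFFu))
        return 0;
    return cookie == make_cookie(l, ip, port, slot);
}

/* A SYN arrives. Writes the ISN for the SYN-ACK and returns 1, or returns 0 if
   the SYN is dropped because every backlog slot holds an unanswered SYN-ACK. */
int on_syn(struct listener *l, uint32_t ip, uint16_t port, uint32_t now, uint32_t *isn)
{
    int i;
    if (l->use_cookies) {
        *isn = make_cookie(l, ip, port, now / COOKIE_WINDOW);
        return 1;                                    /* no state allocated */
    }
    for (i = 0; i < BACKLOG; i++) {
        struct half_open *h = &l->backlog[i];
        if (h->used && h->expires > now)
            continue;                                /* slot still reserved */
        h->used = 1; h->ip = ip; h->port = port;
        h->isn = keyed_hash(l->secret, ip, port, now);
        h->expires = now + SYN_TIMEOUT;
        *isn = h->isn;
        return 1;
    }
    return 0;                                        /* backlog exhausted */
}

/* The final ACK arrives. Returns 1 if the handshake completes, 0 if refused. */
int on_ack(struct listener *l, uint32_t ip, uint16_t port, uint32_t ack, uint32_t now)
{
    int i;
    if (l->use_cookies)
        return cookie_valid(l, ip, port, now, ack - 1);   /* ACK = ISN + 1 */
    for (i = 0; i < BACKLOG; i++) {
        struct half_open *h = &l->backlog[i];
        if (!h->used || h->ip != ip || h->port != port || h->expires <= now)
            continue;
        h->used = 0;                                 /* slot released */
        return ack == h->isn + 1;
    }
    return 0;
}

/* Constructed scenario: n_spoofed SYNs from forged addresses that never
   complete, then one genuine client `delay` seconds later. Returns 1 if the
   genuine client gets a connection, 0 if it is refused. */
int genuine_client_connects(int use_cookies, int n_spoofed, uint32_t delay)
{
    struct listener l;
    uint32_t now = 1000, isn = 0, client_ip = 0xC0A80105u;   /* 192.168.1.5 */
    int i;
    memset(&l, 0, sizeof l);
    l.use_cookies = use_cookies;
    l.secret = 0x5EEDC0DEu;                          /* stand-in for a random key */
    for (i = 0; i < n_spoofed; i++)                  /* the flood; no ACK ever follows */
        on_syn(&l, 0x0A000000u + (uint32_t)i, (uint16_t)(40000 + i), now, &isn);
    now += delay;
    if (!on_syn(&l, client_ip, 51515, now, &isn))
        return 0;                                    /* genuine SYN dropped */
    return on_ack(&l, client_ip, 51515, isn + 1, now + 1);
}

/* Cookie round trip on its own: issued at syn_time, XORed with `tamper`, validated at ack_time. */
int cookie_accepted(uint32_t syn_time, uint32_t ack_time, uint32_t tamper)
{
    struct listener l;
    uint32_t c;
    memset(&l, 0, sizeof l);
    l.secret = 0x5EEDC0DEu;
    c = make_cookie(&l, 0xC0A80105u, 51515, syn_time / COOKIE_WINDOW) ^ tamper;
    return cookie_valid(&l, 0xC0A80105u, 51515, ack_time, c);
}

int main(void)
{
    printf("no flood, no cookies:         %d\n", genuine_client_connects(0, 0, 1));
    printf("flood, no cookies, 1s later:  %d\n", genuine_client_connects(0, 1000, 1));
    printf("flood, no cookies, 61s later: %d\n", genuine_client_connects(0, 1000, 61));
    printf("flood, SYN cookies:           %d\n", genuine_client_connects(1, 1000, 1));
    printf("stale cookie replayed:        %d\n", cookie_accepted(1000, 1300, 0));
    return 0;
}
```

Without cookies the genuine client is refused for as long as the forged entries occupy the backlog, which is why shortening the half-open timeout helps; with cookies the listener keeps no per-SYN state at all, so there is nothing for the flood to fill, while a tampered or stale ACK number still fails the check.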
Routers and firewalls can be configured to drop protocols the system does not use, to rate-limit the ones it does, and to block IP addresses used in previous attacks. These measures will not stop a sophisticated, well-distributed attack, but they are still essential tools against simple ones.
Though not technically a defence, making sure there is plenty of spare bandwidth and redundant network devices also helps stop DoS attacks from succeeding. They rely on overloading the network, and a network with more capacity is harder to overload: an 8-lane motorway needs more cars to block it than a 2-lane one.
A good portion of DoS attacks can be prevented by applying patches to software, including operating systems. Many of the issues exploited, such as the Ping of Death, are bugs that developers have fixed or at least offered mitigations for. Attacks that simply exhaust bandwidth, like most DDoS attacks, cannot be fixed by patching: there is no bug to fix, only more traffic than the link can carry.
In practice, any network that successfully defends against DoS and DDoS attacks does so by combining a set of preventative measures and countermeasures that work well together. As attacks and attackers evolve and become more sophisticated, so do the defence mechanisms.
Correctly set up, configured and maintained, these defences protect a system relatively well. But even the best system will likely drop some legitimate traffic and let through a few illegitimate requests, as there is no perfect solution.