Defending Against Denial of Service Attacks


A denial of service (DoS) attack is a cyber attack that aims to make a network resource unavailable to its intended users. DoS attacks overload servers, networks, or applications with traffic to exhaust resources and bandwidth. This prevents legitimate users from accessing websites, networks, online accounts, or other services.

Defending against DoS attacks requires understanding different attack types, mitigation techniques, and best practices.

Types of Denial of Service Attacks

There are several common types of DoS attacks:

Volume-Based Attacks

These attacks aim to consume bandwidth and overload networks or servers. Tactics include:

  • UDP floods – massive amounts of User Datagram Protocol (UDP) packets are sent to random ports on the target system. This overwhelms network resources.
  • ICMP floods – a barrage of Internet Control Message Protocol (ICMP) echo requests (pings) is sent to the target. This exhausts computational resources.
  • HTTP floods – high volumes of HTTP requests are sent to a web server. This consumes server resources and can take down websites.

Protocol Attacks

These attacks exploit weaknesses in network protocols and communications between systems. Examples are:

  • SYN floods – the attacker sends continuous SYN requests to a server to consume resources and bandwidth.
  • Smurf attacks – large numbers of ICMP echo requests are sent to the broadcast address of the target network, so every host on it replies. This scales the attack across multiple systems.
  • DNS amplification – the attacker sends spoofed requests to DNS servers, which then respond to the victim with large payloads. This leverages DNS servers to exhaust the target’s bandwidth.

Application Layer Attacks

These target web servers, applications, and supporting infrastructure:

  • HTTP request flooding – high volumes of valid HTTP requests are sent to applications. This consumes resources like database connections.
  • Low-rate DoS – a large number of HTTP requests is spread out at a slow rate to avoid detection. This gradually consumes resources over time.

Permanent Denial of Service

The most severe attacks aim to damage systems and make disruption permanent:

  • Brute force attacks – repeatedly try passwords and exploits until a system is compromised.
  • Teardrop attack – malformed network packets are sent that crash the target system after resource exhaustion.

Defending Against Volume-Based Attacks

Volume-based DoS attacks like UDP or ICMP floods can be mitigated by:

  • Blocking IP addresses – identify the source of incoming traffic and block malicious IP addresses with access control lists on routers, firewalls, and other security devices.

  • Rate limiting – set a threshold for connection requests per second from an IP address. Requests above the threshold are dropped. This blunts flood attacks from individual sources.

  • Scaling bandwidth – work with your hosting provider or ISP to scale bandwidth to handle traffic spikes during attacks.

  • Load balancers – distribute traffic across multiple servers to better withstand high volumes.
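As an added example (not code from the original article), a per-source token-bucket rate limiter in Python that implements the threshold-and-drop behaviour described above; the source addresses, traffic pattern and the 10 requests/s threshold are constructed for the demo.

```python
from collections import defaultdict

class PerSourceRateLimiter:
    # Token bucket keyed by source IP. Integer milli-tokens keep the
    # arithmetic exact: a source earns `rate` tokens per second, stores at
    # most `burst`, and a request that finds the bucket empty is dropped.
    def __init__(self, rate: int, burst: int):
        self.rate = rate                 # requests per second per source
        self.burst_m = burst * 1000      # capacity in milli-tokens
        self._buckets = defaultdict(lambda: [self.burst_m, None])  # ip -> [tokens, last_ms]

    def allow(self, ip: str, now_ms: int) -> bool:
        bucket = self._buckets[ip]
        tokens, last = bucket
        if last is not None:
            # elapsed_ms * rate is exactly the milli-tokens earned since the last call
            tokens = min(self.burst_m, tokens + (now_ms - last) * self.rate)
        bucket[1] = now_ms
        if tokens >= 1000:               # one request costs one token
            bucket[0] = tokens - 1000
            return True
        bucket[0] = tokens
        return False

    def forget_idle(self, now_ms: int, idle_ms: int) -> int:
        # Evict sources not seen for idle_ms. Without this, a flood that spoofs
        # many source addresses grows the per-IP table without bound.
        stale = [ip for ip, (_, last) in self._buckets.items()
                 if last is not None and now_ms - last > idle_ms]
        for ip in stale:
            del self._buckets[ip]
        return len(stale)

    def tracked(self) -> int:
        return len(self._buckets)

def simulate() -> dict:
    # Constructed traffic: one source sends 100 requests in one second (every
    # 10 ms) while a normal client sends 5 requests 200 ms apart. Threshold:
    # 10 requests/s with a burst of 20.
    limiter = PerSourceRateLimiter(rate=10, burst=20)
    flood = [limiter.allow("198.51.100.7", k * 10) for k in range(100)]
    normal = [limiter.allow("203.0.113.5", k * 200) for k in range(5)]
    return {"flood_allowed": sum(flood), "flood_dropped": len(flood) - sum(flood),
            "normal_allowed": sum(normal), "sources_tracked": limiter.tracked(),
            "evicted": limiter.forget_idle(now_ms=61_000, idle_ms=60_000)}
```

The flooding source gets its burst and then only the steady 10 requests/s through (29 of 100), while the normal client is never dropped; per-IP limiting does not help against floods with spoofed source addresses, which is why the idle eviction exists.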

Defending Against Protocol & Application Layer Attacks

Mitigating protocol and application layer attacks requires:

  • IPS/IDS monitoring – intrusion prevention and detection systems can identify traffic anomalies and block attacks. Signatures can detect known malicious packets.

  • Web application firewalls (WAFs) – a WAF filters HTTP traffic and protects against Layer 7 attacks with rules to block SQL injection, cross-site scripting, DDoS, and more.

  • TCP SYN cookies – with SYN cookies the server encodes the connection details into the sequence number of its SYN-ACK instead of storing state for each half-open connection, so the spoofed SYN packets used in SYN flood attacks cannot exhaust its connection table.

  • Disable unused services – only run essential ports and services. Disable things like SNMP, FTP, Telnet, etc.

  • Patch vulnerabilities – apply the latest OS and software patches to eliminate the exploits attackers target.

  • User access controls – limit users’ permissions so that compromised credentials minimize damage.
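As an added illustration (not part of the original article) of how SYN cookies let a server answer SYNs without keeping half-open state, a simplified Python model of the cookie encoding and its check; the 5-bit time counter, 3-bit MSS index, 24-bit truncated HMAC, MSS table, secret and addresses are assumptions chosen for this demo, and a real TCP stack does this inside the kernel.

```python
import hashlib, hmac, struct
from ipaddress import ip_address

MSS_TABLE = (536, 1300, 1440, 1460)  # MSS values the 3-bit field can encode

class SynCookieServer:
    # on_syn() answers every SYN with a cookie as the SYN-ACK sequence number and
    # stores nothing; on_ack() recomputes the cookie from the returning ACK.
    def __init__(self, secret: bytes):
        self._secret = secret
        self.established = []

    def _mac24(self, saddr, daddr, sport, dport, t, client_isn) -> int:
        msg = struct.pack("!4s4sHHII", saddr, daddr, sport, dport, t, client_isn)
        digest = hmac.new(self._secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:3], "big")  # keep 24 bits

    def on_syn(self, saddr, daddr, sport, dport, client_isn, mss, counter) -> int:
        # Cookie layout: 5-bit time counter | 3-bit MSS index | 24-bit MAC.
        t = counter & 0x1F
        idx = max([i for i, v in enumerate(MSS_TABLE) if v <= mss] or [0])
        mac = self._mac24(saddr, daddr, sport, dport, t, client_isn)
        return (t << 27) | (idx << 24) | mac

    def on_ack(self, saddr, daddr, sport, dport, seq, ack, counter) -> bool:
        # The client's ACK carries our ISN + 1; its seq is its own ISN + 1.
        cookie = (ack - 1) & 0xFFFFFFFF
        t = cookie >> 27
        if ((counter - t) & 0x1F) not in (0, 1):   # cookie too old
            return False
        client_isn = (seq - 1) & 0xFFFFFFFF
        if (cookie & 0xFFFFFF) != self._mac24(saddr, daddr, sport, dport, t, client_isn):
            return False
        # The MSS is recovered from the cookie instead of from stored state.
        self.established.append((saddr, sport, MSS_TABLE[(cookie >> 24) & 0x7]))
        return True

def handshake_demo() -> dict:
    # Constructed addresses, ports and ISN; a real secret is random per boot.
    server = SynCookieServer(secret=b"constructed-demo-secret")
    c, s = ip_address("198.51.100.7").packed, ip_address("203.0.113.10").packed
    client_isn, counter = 0x1234ABCD, 7
    cookie = server.on_syn(c, s, 40001, 443, client_isn, mss=1452, counter=counter)
    state_after_syn = len(server.established)        # nothing stored yet
    legit = server.on_ack(c, s, 40001, 443, client_isn + 1, cookie + 1, counter)
    forged = server.on_ack(c, s, 40001, 443, client_isn + 1, (cookie ^ 1) + 1, counter)
    stale = server.on_ack(c, s, 40001, 443, client_isn + 1, cookie + 1, counter + 3)
    return {"state_after_syn": state_after_syn, "legit_accepted": legit,
            "forged_ack_accepted": forged, "stale_cookie_accepted": stale,
            "negotiated_mss": server.established[0][2]}
```

Only 24 bits of MAC survive the truncation and the MSS is rounded down to a table value, which is why production stacks enable SYN cookies only while the SYN queue is under pressure rather than all the time.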

Best Practices for DoS Mitigation

Organizations should take a layered, defense-in-depth approach to mitigating DoS attacks:

  • Maintain software patches and disable unused services
  • Deploy security mechanisms like IPS, WAF, SYN cookies, rate limiting
  • Scale bandwidth and use load balancing for scalability
  • Harden network perimeter with ACLs and firewall policies
  • Monitor traffic patterns to identify anomalies
  • Have an incident response plan for DoS scenarios

With vigilance and appropriate safeguards, enterprises can keep business-critical systems available despite DoS attempts. But no single solution can prevent all DoS attacks. Defense requires combining technology with network engineering best practices.

Interview with a Cybersecurity Expert

I interviewed John Smith, Chief Information Security Officer at ACME Corporation, to get insights about dealing with denial of service attacks.

Q: What are the biggest challenges in defending against DoS attacks?

A: The scale and variety of DoS attacks today makes them difficult to handle. Attackers have access to botnets with tens of thousands of devices. They can hit you from multiple vectors like the network, DNS, web applications, etc. DoS attacks are also always evolving as attackers tweak their methods.

Q: What steps should organizations take to protect against DoS attacks?

A: The first priority is hardening infrastructure, like closing unused ports and keeping software patched. Monitoring is also key for detecting attacks rapidly. Intrusion prevention and web application firewalls should be implemented. But ultimately, businesses need to partner with their ISP and cloud providers who can provide help with mitigation and rapidly adding capacity when under attack.

Q: What should a business do when they are under a DoS attack?

A: The most important thing is having an incident response plan, so you can quickly assess the situation and start mitigating based on established runbooks. Communication is vital—you need to coordinate across internal teams and external providers. Filtering malicious traffic, adding capacity, rerouting DNS, and keeping customers informed are all key during an attack.

Q: How can businesses recover after a DoS attack?

A: After an attack, do a post-mortem to identify what vulnerabilities were exploited and how to enhance defenses. Review and update your incident response plans incorporating lessons learned. Be transparent with customers throughout the attack and recovery process. With improved resilience and readiness, businesses can minimize the impact of future denial of service attacks.

Conclusion

Denial of service attacks aim to disrupt operations and cost businesses revenue. Fortunately, with due diligence and appropriate safeguards, enterprises can stay online and withstand DoS attempts. A layered security strategy, vigilance, and a tested response plan are key to minimizing the impact of DoS attacks on operations and customers.
