About Denial of Service (DoS)
Discover what Denial of Service (DoS) attacks are and how they work; how they can impact a user; and why they are considered a significant menace on the modern Internet.
What is a Denial of Service attack?
A Denial of Service (DoS) attack is a type of assault made on an online service, computer network or system, with the aim of disrupting or terminating the services they provide. A successful DoS attack prevents other legitimate users from accessing the service, unless and until the attack is deflected or ceases.
The most common targets for DoS attacks are websites, particularly major commercial entities. More rarely, other resources such as e-mail accounts, online databases and Domain Name Service (DNS) servers may also be targeted.
DoS attacks may be performed with a profit motive in mind. In some cases, businesses may covertly hire hackers to attack a competitor's website, as an underhanded business tactic. The attack may also be a form of 'hostage taking', in which the attacker demands payment to cease attacks. For a major online business such as Yahoo! or Amazon, a successful attack can mean millions of dollars in lost revenue and business.
Attacks may also be made for personal reasons, or for pure mischief. The target may be chosen because of a personal grudge or belief, or may be chosen at random. In this case, a DoS attack may cause frustration, wasted time and high network charges for the individual user. If the attack is against a website the victim uses for business purposes, the consequences may also be financial.
A Brief History
DoS attacks used to be rather uncommon occurrences back in the late eighties, as performing them required more technical knowledge than was then common. They were often performed by individuals, using the physical resources of one, or a handful of computers.
Towards the end of the eighties however, DoS tools - easy-to-use utility programs for performing DoS attacks - began to appear, making it much easier for any user to perform an attack. This led, naturally, to an increase in DoS attacks. The increase was especially notable in the early 2000s, when many web-based companies were just beginning to thrive. Countless websites, including those of major businesses such as Amazon, eBay and Microsoft, were subjected to DoS attacks.
DoS attacks generated by DoS tools eventually segued into DoS attacks generated by malware (usually Trojans or worms) that included DoS routines in their payload. Once installed on a computer, the malware would direct the infected machine to attack a specified target, usually at a specified time. If multiple infected computers assault a target at the same time, the effects of the attack are greatly amplified. By using malware in this manner, an attacker gives up some portion of direct control in return for potentially much greater effectiveness.
The next evolution of DoS attacks saw attackers regaining more control. Rather than simply releasing DoS-generating malware and trusting infected computers to perform as desired, attackers developed malware - backdoors or bots - that allowed them to issue commands to all the infected computers, coordinating and controlling the DoS attack. This is, in essence, a botnet.
Since the mid-2000s, DoS attacks launched from botnets have grown in scope and effectiveness, as attackers have invented or refined techniques to bring computers under their control (to produce more powerful attacks). They have also become one of the most significant threats in the online world today, especially for businesses which depend on web-based transactions.
How A DoS Attack Works
Technically, a DoS attack denies legitimate users access to an online resource, such as a website or server, by either overwhelming the physical resources of the target, or exhausting or disrupting all network connections to it. A more specific type of DoS attack, known as a vulnerability attack, focuses on exploiting a specific flaw or loophole in the target in order to achieve the same effect.
Targeting Physical Resources
Overwhelming a target's physical resources is an effective tactic because it is simply an abuse of how the Internet normally functions. Though it may not be obvious to most users, the entire virtual world of the Internet rests on a web of interconnected physical resources, such as bandwidth, processors, memory, storage space and so on.
Unfortunately, these resources are finite: for example, a website can only process so many requests before it runs out of memory and processing capacity. Once the resource's limits are reached, it must first clear all the current requests before any new ones can be accepted and dealt with.
Normally, all pending requests are completed within seconds. If an attacker can keep flooding the website with requests however, they can effectively prevent any new requests from being fulfilled. If at the same time a legitimate user tries to send in a request, it is put on hold, essentially blocking them from accessing the site - hence, a denial of service.
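The capacity argument above can be made concrete with a small model. The following is an added example, not code from the original article: a server with a fixed pool of worker slots is fed a constructed stream of requests from four ordinary users and one flooding source. Without any control the flood occupies every slot and ordinary users are turned away; with a per-source token-bucket limit (a common mitigation, assumed here rather than taken from the article) the flooding source is held to a few requests per second and every legitimate request is served. All request streams, rates and pool sizes are constructed for the demonstration.

```python
"""Toy model of finite server capacity under a request flood (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Request:
    t: float        # arrival time in seconds (constructed)
    src: str        # source address (constructed)
    service: float  # seconds a worker slot stays busy with this request


class TokenBucket:
    """Per-source limiter: refills `rate` tokens per second, holds at most
    `capacity` tokens; a request is admitted only if a whole token is available."""

    def __init__(self, rate, capacity):
        self.rate, self.capacity = rate, capacity
        self.tokens = capacity
        self.last = 0.0

    def allow(self, now):
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def simulate(requests, workers, per_source_rate=None, burst=5):
    """Return {src: (accepted, rejected)} for a server with `workers` slots.
    When per_source_rate is given, each source must pass its own token bucket
    before it may claim a slot; otherwise slots go to whoever arrives first."""
    busy_until = []  # finishing times of the slots currently occupied
    buckets = defaultdict(lambda: TokenBucket(per_source_rate, burst))
    stats = defaultdict(lambda: [0, 0])
    for r in sorted(requests, key=lambda r: r.t):
        busy_until = [f for f in busy_until if f > r.t]  # release finished slots
        if per_source_rate is not None and not buckets[r.src].allow(r.t):
            stats[r.src][1] += 1
            continue
        if len(busy_until) < workers:
            busy_until.append(r.t + r.service)
            stats[r.src][0] += 1
        else:
            stats[r.src][1] += 1   # pool exhausted: request is turned away
    return {s: (a, d) for s, (a, d) in stats.items()}


def constructed_traffic():
    # Four users, one request every 2 s each, for 20 s (constructed)
    legit = [Request(t=i * 0.5, src=f"user{i % 4}", service=0.2) for i in range(40)]
    # One source sending 100 requests/s for 15 s, each holding a slot for 1 s (constructed)
    flood = [Request(t=2.0 + i * 0.01, src="attacker", service=1.0) for i in range(1500)]
    return legit + flood


def legitimate_accepted(stats):
    """Total requests served for every source other than the flooding one."""
    return sum(a for s, (a, _) in stats.items() if s != "attacker")


if __name__ == "__main__":
    base = simulate(constructed_traffic(), workers=10)
    limited = simulate(constructed_traffic(), workers=10, per_source_rate=2)
    print("no limiter : legitimate served", legitimate_accepted(base), "of 40;",
          "attacker", base["attacker"])
    print("with limiter: legitimate served", legitimate_accepted(limited), "of 40;",
          "attacker", limited["attacker"])
```

The point of the model is the asymmetry the article describes: the pool of ten slots is plenty for four users, yet one source that arrives faster than slots are freed starves them completely, and only a control that is applied per source, rather than to the pool as a whole, restores service.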
Targeting Network Connections
Similarly, browsing the virtual world depends on network connections, such as those between a website and a user's computer. Again, these connections are finite - a website can only accept so many connections before a limit is reached. In addition, the connections must be stable and conform to certain standardized Internet-wide protocols.
If these connections are overwhelmed or disrupted, normal browsing is no longer possible. To achieve this aim, an attacker can use invalid, malformed or simply overwhelming numbers of connection requests to flood the target and disrupt normal connections, again resulting in a denial of service.
Types of DoS Attacks
There are numerous types of DoS attacks possible, each targeting a different resource or connection type. The following are only a few of the attacks possible:
- SYN Flood
An attack that consumes network resources by initiating, but not completing, a connection request; while these requests are 'hanging', subsequent attempted connections by legitimate users cannot be processed
- Smurf Attack
A type of 'reflected attack', in which the attacker impersonates a target and sends a system message to other hosts on a network; the hosts respond by sending the appropriate reply to the actual target, unintentionally overwhelming it
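Both patterns in the list above leave a recognisable trace in connection records, and a defender can look for it. The following is an added detection example, not code from the original article: it scans a list of flow records for half-open TCP handshakes (a SYN that is never followed by an ACK from the same source, the SYN flood signature) and for ICMP echo replies arriving from hosts the receiver never pinged (the Smurf reflection signature). The record format, addresses and thresholds are constructed for the demonstration; a real deployment would feed it NetFlow/IPFIX exports or a packet capture instead.

```python
"""Flag SYN-flood and Smurf patterns in flow records (added detection example)."""
from collections import defaultdict

# Each record: (timestamp, protocol, src, dst, info)
#   TCP  -> info is the flag string: "S" (SYN), "SA" (SYN-ACK), "A" (ACK)
#   ICMP -> info is the ICMP type: 8 = echo request, 0 = echo reply


def syn_flood_suspects(records, window=10.0, threshold=50):
    """Return {dst: half_open} for destinations whose half-open handshakes
    exceed `threshold`. A handshake is half-open when a SYN from src to dst is
    not followed by an ACK from the same src within `window` seconds.
    Floods with spoofed sources vary the source address per packet, so
    counting distinct sources is a reasonable proxy for distinct attempts."""
    syns = defaultdict(dict)       # dst -> {src: time of SYN}
    completed = defaultdict(set)   # dst -> sources that finished the handshake
    for ts, proto, src, dst, info in sorted(records, key=lambda r: r[0]):
        if proto != "tcp":
            continue
        if info == "S":
            syns[dst][src] = ts
        elif info == "A" and src in syns[dst] and ts - syns[dst][src] <= window:
            completed[dst].add(src)
    suspects = {}
    for dst, sources in syns.items():
        half_open = len(set(sources) - completed[dst])
        if half_open > threshold:
            suspects[dst] = half_open
    return suspects


def smurf_suspects(records, threshold=20):
    """Return {host: unsolicited_responders} for hosts that receive echo
    replies from more distinct sources than they ever sent echo requests to.
    A victim impersonated in a broadcast ping sees exactly this: many replies,
    no matching requests of its own."""
    requested = defaultdict(set)   # host -> hosts it sent echo requests to
    replies = defaultdict(set)     # host -> hosts that sent it echo replies
    for ts, proto, src, dst, info in records:
        if proto != "icmp":
            continue
        if info == 8:
            requested[src].add(dst)
        elif info == 0:
            replies[dst].add(src)
    suspects = {}
    for host, responders in replies.items():
        unsolicited = responders - requested[host]
        if len(unsolicited) > threshold:
            suspects[host] = len(unsolicited)
    return suspects


def constructed_records():
    """Constructed traffic: a few normal handshakes and one normal ping,
    then a 200-source SYN flood and 60 unsolicited echo replies, all aimed
    at the server 10.0.0.5."""
    recs = []
    for i, client in enumerate(["192.0.2.10", "192.0.2.11", "192.0.2.12"]):
        recs += [(1.0 + i, "tcp", client, "10.0.0.5", "S"),
                 (1.1 + i, "tcp", "10.0.0.5", client, "SA"),
                 (1.2 + i, "tcp", client, "10.0.0.5", "A")]
    for i in range(200):                      # SYNs from 200 spoofed sources, never completed
        recs.append((5.0 + i * 0.01, "tcp", f"203.0.113.{i + 1}", "10.0.0.5", "S"))
    recs += [(7.0, "icmp", "10.0.0.5", "10.0.0.1", 8),   # the server pings one host ...
             (7.1, "icmp", "10.0.0.1", "10.0.0.5", 0)]   # ... and gets one reply
    for i in range(60):                       # replies from 60 hosts it never pinged
        recs.append((8.0 + i * 0.001, "icmp", f"198.51.100.{i + 1}", "10.0.0.5", 0))
    return recs


if __name__ == "__main__":
    recs = constructed_records()
    print("SYN flood suspects:", syn_flood_suspects(recs))   # {'10.0.0.5': 200}
    print("Smurf suspects:    ", smurf_suspects(recs))       # {'10.0.0.5': 60}
```

The two checks share one idea: each attack shows up as one side of a normal exchange without the other (SYNs without ACKs, replies without requests), so the detector keeps both halves and reports the imbalance rather than raw packet counts, which keeps a busy but healthy server from being flagged.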
Most of these DoS attack types can be deflected or prevented, to varying degrees. In some cases, specific DoS attacks have become obsolete as the vast majority of system or network administrators routinely put effective protection measures in place. Doing so, however, requires a certain amount of knowledge, resources and conscious use of security procedures, which may be outside the reach of most normal users, or even most organizations.
Performing A DoS Attack
To perform a DoS attack singlehandedly, a technically skilled attacker can create the attack material and launch it himself; alternatively, he can simply use the appropriate DoS tool. Most DoS tools perform specific types of DoS attacks, and selecting the right tool removes the work of creating the data needed. Once the attacker has selected the target and the desired type of DoS attack, performing it is as simple as clicking a few buttons in the DoS tool.
Nowadays however, DoS attacks are more commonly launched from botnets. In this case, a botherder (the botnet controller) can simply use a client program and direct the computers in the botnet to produce the necessary attack data, before commanding them to send it to the unfortunate target.
Attacked systems will notice a huge increase in network traffic. If the system does not crash from the attacks, its network capacity will quickly be exhausted. Some attacks generate traffic at the rate of several gigabits per second, which far exceeds the capacity of most Internet sites.
The increase will often result in the service (e-mail, web browsing, etc.) being significantly slowed, frozen, or completely disconnected. Attempts to form new connections, or to reconnect, may not be processed at all.
If the targeted system does not have appropriate defenses against the DoS attack, restarting it will be of no use, as reconnecting it to the network will subject it to the same attack, causing it to crash again, and keep doing so until the attack ceases. Many websites have been completely cut off by DoS attacks for periods ranging from a few hours to a couple of days. For online businesses, the forced downtime can result in significant losses.
More generally, another important consideration is that most systems or administrators lack the ability to trace the source of the attack, especially if spoofed (forged) IP addresses are used to obfuscate the source. This inability allows attackers to remain anonymous and indirectly encourages them to continue their attacks.
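The spoofing problem described above is addressed on the network side by ingress filtering (RFC 2827 / BCP 38): an operator drops packets arriving on an interface whose source address could not legitimately come from behind that interface. The following is an added example, not code from the original article or from any particular vendor: a small source-address plausibility check with a constructed interface-to-prefix table and a constructed packet list. The interface names, prefixes and addresses are assumptions for the demonstration.

```python
"""Source-address plausibility check in the style of BCP 38 ingress filtering
(added example)."""
import ipaddress
from collections import Counter

# Constructed topology: prefixes legitimately reachable behind each interface
INTERFACE_PREFIXES = {
    "eth0": ["192.0.2.0/24"],                          # first customer LAN
    "eth1": ["198.51.100.0/25", "198.51.100.128/26"],  # second customer, two blocks
}


def build_filter(table):
    """Parse the prefix strings once so per-packet checks are cheap."""
    return {iface: [ipaddress.ip_network(p) for p in prefixes]
            for iface, prefixes in table.items()}


def is_plausible(filter_table, iface, src):
    """True if `src` may legitimately arrive on `iface`: it must fall inside
    one of the interface's prefixes and must not be an address that can never
    be a valid packet source on the wire (loopback, multicast, unspecified)."""
    addr = ipaddress.ip_address(src)
    if addr.is_loopback or addr.is_multicast or addr.is_unspecified:
        return False
    return any(addr in net for net in filter_table.get(iface, []))


def classify(filter_table, packets):
    """packets: iterable of (iface, src, dst). Returns the packets that pass
    and a Counter of dropped packets per interface, which is the figure an
    operator would watch: a sudden rise on one interface points at the
    customer whose machines are emitting forged sources."""
    passed, dropped = [], Counter()
    for iface, src, dst in packets:
        if is_plausible(filter_table, iface, src):
            passed.append((iface, src, dst))
        else:
            dropped[iface] += 1
    return passed, dropped


def constructed_packets():
    # Constructed arrivals, all addressed to the server 10.0.0.5
    return [
        ("eth0", "192.0.2.7", "10.0.0.5"),         # inside eth0's prefix: pass
        ("eth0", "198.51.100.9", "10.0.0.5"),      # belongs behind eth1: forged
        ("eth0", "10.0.0.5", "10.0.0.5"),          # claims to be the target itself: forged
        ("eth1", "198.51.100.150", "10.0.0.5"),    # inside 198.51.100.128/26: pass
        ("eth1", "198.51.100.250", "10.0.0.5"),    # outside both eth1 blocks: forged
        ("eth1", "127.0.0.1", "10.0.0.5"),         # loopback source is never valid
    ]


if __name__ == "__main__":
    table = build_filter(INTERFACE_PREFIXES)
    passed, dropped = classify(table, constructed_packets())
    for pkt in passed:
        print("pass", pkt)
    print("dropped per interface:", dict(dropped))   # {'eth0': 2, 'eth1': 2}
```

The check cannot tell the victim who sent a given forged packet; what it does is stop forged packets at the edge closest to their origin, which is why it only works when many operators apply it. The per-interface drop counter is the detection side of the same measure: it localises the source of forged traffic to one customer port even though the packets themselves carry someone else's address.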