A denial-of-service (DoS) attack poses a serious security threat by disrupting legitimate users’ access to computer systems, networks, services, or other IT resources. Attackers employ tactics that overwhelm web servers, systems, or networks with traffic, rendering them inaccessible to others. While a restart often resolves a server crash caused by an attack, recovering from a flooding attack is harder, because the traffic keeps arriving after the restart. Moreover, recovering from distributed DoS (DDoS) attacks, where attack traffic originates from multiple sources, presents even greater difficulties.
DoS and DDoS attacks typically exploit vulnerabilities in networking protocols and their handling of network traffic. For instance, attackers can flood a vulnerable network service with a high volume of packets from various IP addresses, causing a service overload. These attacks target various layers of the Open Systems Interconnection (OSI) model, including Layer 3 (network), Layer 4 (transport), Layer 6 (presentation), and Layer 7 (application).
Malicious actors employ different methods to target these OSI layers. For example, because the User Datagram Protocol (UDP) is connectionless, a sender can transmit data without the receiving party first agreeing to a session, which makes it both fast and easy to flood a target with packets. SYN (synchronization) packet attacks inundate a server’s open ports with connection requests carrying spoofed source IP addresses. Attacks on Layers 6 and 7 exploit protocol handshakes initiated from internet of things (IoT) devices; the ubiquity of such devices makes these attacks harder to detect and preempt.
There are recognizable signs that indicate a possible DoS attack in progress, such as slower network performance, delayed website loading times, inability to access websites, unexplained traffic surges, sudden spikes in network traffic, increased CPU usage, and a rise in spam emails. Promptly detecting these signs is crucial for initiating response protocols.
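The signs listed above (unexplained traffic surges, sudden spikes relative to normal load) can be checked mechanically against web-server access logs. The following is an added example, not code from the original article: it parses a constructed, simplified access-log format, establishes a per-second baseline from the first few seconds, and flags later seconds whose request count exceeds the baseline by a factor. It also reports whether one source dominates a flagged second, which is a first hint at distinguishing a single-source flood from a distributed one. The log format, the IP addresses (documentation ranges) and all thresholds are assumptions chosen for the demonstration.

```python
"""Spot the traffic-surge signs of a DoS attack in web-server access logs.

Added example: constructed sample data with a quiet baseline, then a burst
dominated by one source, then a burst spread across many sources.
All thresholds are assumptions for the demo, not tuned production values.
"""
from collections import Counter, defaultdict
import re
import statistics

# Simplified access-log line (constructed format for this example):
#   <ip> - - [<ISO timestamp to the second>] "<request>" <status>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, timestamp, status) for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("ts"), int(m.group("status"))


def bucket_by_second(lines):
    """Group the source IPs of all parseable requests by their timestamp."""
    per_sec = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            ip, ts, _ = rec
            per_sec[ts].append(ip)
    return per_sec


def detect_surges(lines, baseline_seconds=5, factor=3.0, min_requests=20, top_share=0.5):
    """Flag seconds whose request count exceeds the baseline mean by `factor`.

    The first `baseline_seconds` distinct seconds define "normal" load.
    `min_requests` avoids alerting on tiny absolute numbers; `top_share` is the
    fraction of requests from one IP above which the burst is labelled
    single-source. Returns a list of alert dicts, oldest first.
    """
    per_sec = bucket_by_second(lines)
    timeline = sorted(per_sec)  # ISO timestamps sort chronologically as strings
    baseline = [len(per_sec[t]) for t in timeline[:baseline_seconds]]
    if not baseline:
        return []
    mean = statistics.mean(baseline)
    threshold = max(min_requests, factor * mean)
    alerts = []
    for t in timeline[baseline_seconds:]:
        ips = per_sec[t]
        n = len(ips)
        if n <= threshold:
            continue
        top_ip, top_n = Counter(ips).most_common(1)[0]
        alerts.append({
            "second": t,
            "requests": n,
            "baseline_mean": mean,
            "unique_sources": len(set(ips)),
            "top_source": top_ip,
            "top_share": top_n / n,
            "pattern": "single-source flood" if top_n / n >= top_share else "distributed flood",
        })
    return alerts


def make_sample_log():
    """Constructed log: 5 quiet seconds, a single-source burst, a distributed burst."""
    def line(ip, sec):
        return f'{ip} - - [2023-10-10T13:55:{sec:02d}] "GET /index.html HTTP/1.1" 200'
    lines = []
    for sec in range(30, 35):                      # baseline: 4 requests/s from varied IPs
        for i in range(4):
            lines.append(line(f"192.0.2.{sec - 30 + i * 5 + 1}", sec))
    for _ in range(30):                            # one source sends 30 requests in a second
        lines.append(line("203.0.113.7", 35))
    for i in range(10):                            # plus 10 legitimate-looking requests
        lines.append(line(f"192.0.2.{100 + i}", 35))
    for i in range(60):                            # 60 requests from 60 different sources
        lines.append(line(f"198.51.100.{i + 1}", 36))
    return lines


if __name__ == "__main__":
    for alert in detect_surges(make_sample_log()):
        print(alert)
```

Running the block on the constructed log reports two surges: the second dominated by 203.0.113.7 is labelled single-source, the second spread over sixty addresses is labelled distributed. In practice the baseline should come from a longer, representative window and the source-concentration check should be combined with the other indicators the paragraph lists (CPU load, response latency), since a distributed flood can keep every individual source below any per-IP threshold.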
To safeguard against DoS and DDoS attacks, experts advise implementing proactive defense strategies. Establishing an incident response plan, collaborating with internet service providers (ISPs) to reroute malicious traffic, utilizing load balancers, employing intrusion detection systems, intrusion prevention systems, and firewalls, contracting backup ISPs, and deploying cloud-based anti-DoS measures are recommended practices. It is noteworthy that attackers may demand payment in some instances to cease DoS attacks, although the primary motive is often to damage the targeted organization’s business or reputation.
Mitigating a DoS attack requires the ability to differentiate between normal network traffic and attack traffic. Countermeasures include rate limiting to cap the number of requests a server accepts from a client, implementing web application firewalls for server protection, employing network diffusion to spread requests across a distributed network, and applying blackhole routing, which sends traffic for the targeted address to a null route so that it is discarded, as a last-resort method.
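Rate limiting, the first countermeasure named above, is usually implemented with a token bucket per client. The following is an added example, not code from the original article: each client gets a bucket that refills at a fixed rate up to a capacity; a request that finds no token is rejected (an HTTP server would answer 429). A short simulation shows that a flooding client drains its own bucket and is throttled while a client with a normal request rate is unaffected. The capacities, rates, client addresses (documentation ranges) and the millisecond clock are assumptions chosen for the demonstration.

```python
"""Per-client token-bucket rate limiting (added example, not the article's code).

Time is handled in integer milliseconds so the simulation below is exact and
deterministic; a real deployment would use a monotonic clock and keep the
buckets in shared storage (e.g. an in-memory cache) in front of the servers.
"""
import time
from dataclasses import dataclass


@dataclass
class TokenBucket:
    capacity: float   # maximum burst a client may send at once
    rate: float       # tokens added per second
    tokens: float     # tokens currently available
    last_ms: int      # time of the last refill, in milliseconds

    def try_consume(self, now_ms, cost=1.0):
        """Refill for the elapsed time, then spend `cost` tokens if available."""
        elapsed_ms = max(0, now_ms - self.last_ms)
        self.tokens = min(self.capacity, self.tokens + elapsed_ms * self.rate / 1000.0)
        self.last_ms = now_ms
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


class RateLimiter:
    """Keeps one bucket per client identifier (typically the source IP)."""

    def __init__(self, capacity=10, rate=5.0, clock_ms=lambda: int(time.monotonic() * 1000)):
        self.capacity = capacity
        self.rate = rate
        self.clock_ms = clock_ms
        self.buckets = {}

    def allow(self, client_id, now_ms=None):
        """Return True if the request may be served, False if it should be rejected."""
        now_ms = self.clock_ms() if now_ms is None else now_ms
        bucket = self.buckets.get(client_id)
        if bucket is None:
            # a new client starts with a full bucket, i.e. it may burst up to `capacity`
            bucket = TokenBucket(self.capacity, self.rate, self.capacity, now_ms)
            self.buckets[client_id] = bucket
        return bucket.try_consume(now_ms)


def simulate_flood(duration_ms=2000, step_ms=50):
    """Constructed traffic: a normal client sends 1 request/s, a flooder 20 requests/s.

    Returns (served, rejected) request counts per client over the simulated window.
    """
    limiter = RateLimiter(capacity=10, rate=5.0)
    normal_ip, flooder_ip = "192.0.2.10", "203.0.113.7"   # constructed, documentation ranges
    served = {"normal": 0, "flooder": 0}
    rejected = {"normal": 0, "flooder": 0}
    for step in range(duration_ms // step_ms):
        now_ms = step * step_ms
        # the flooder sends on every step
        if limiter.allow(flooder_ip, now_ms):
            served["flooder"] += 1
        else:
            rejected["flooder"] += 1
        # the normal client sends once per second
        if now_ms % 1000 == 0:
            if limiter.allow(normal_ip, now_ms):
                served["normal"] += 1
            else:
                rejected["normal"] += 1
    return served, rejected


if __name__ == "__main__":
    print(simulate_flood())
```

In the simulation the flooder gets its initial burst of ten requests and then only five per second (the refill rate), so most of its traffic is rejected, while the normal client is never throttled. Keying buckets on the source IP is the simplest choice, but it is exactly what a distributed attack defeats: many sources each staying under the per-client limit can still exhaust the server, which is why the article pairs rate limiting with network diffusion and, as a last resort, blackhole routing.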
Various types of DoS attacks exist, such as application layer attacks targeting internet servers, buffer overflow attacks that push a target beyond its resource capacity, and DNS amplification attacks exploiting misconfigured DNS servers. Protocol attacks disrupt network connectivity, cloud-based attacks target cloud vulnerabilities, SYN floods abuse the TCP three-way handshake, and teardrop attacks exploit IP fragmentation flaws, among others.
Distinguishing distributed denial-of-service (DDoS) attacks from DoS attacks is crucial, as DDoS attacks involve multiple attack systems originating from malware-infected computers or devices forming a botnet controlled by command-and-control servers (C&C servers). The complexity and scale of DDoS attacks make them challenging to detect and defend against, with legitimate traffic often indistinguishable from malicious traffic.
The history of denial-of-service attacks traces back to the Robert Morris worm attack in 1988, leading to subsequent evolution and prevalence of such attacks. Recent notable attacks, such as the Multiple-target Rapid Reset attack in 2023 and the UDP amplification attacks against Google and AWS, underscore the ongoing threat posed by DoS and DDoS attacks. Organizations must remain vigilant and implement robust security measures to thwart these malicious cyberattacks effectively.
