Denial of Service, how it works and how to Protect Yourself

Seattle Web Design
Jan 21, 2023


Online activity has only grown since the internet was first opened to the public, and it has revolutionized how individuals conduct business. Business owners, both big and small, have either already made their platform available online or are in the process of doing so. Online platforms have become so popular that for some businesses they are the primary revenue source. When the online platform plays such an essential role in the business, owners must take the correct precautions to ensure their website’s security and availability. One of the biggest threats to website owners is a DoS (Denial of Service) attack. A DoS attack is the act of attempting to make a network resource unusable to its intended users. DoS attacks come in many forms and can affect their targets differently. Action can be taken against such attacks, and in this synopsis, we will look at how DoS attacks work and how they can be combated.

Total DDoS attacks

Types of DoS attacks

Having been around for almost 50 years, DoS attacks have had a lot of time to evolve and take different forms. Almost every DoS attack falls into one of three categories: Application Layer Attacks, Protocol Attacks, and Volume-Based Attacks. In a Volume-Based Attack, the attacker attempts to overwhelm the bandwidth a server has provisioned for its expected customer traffic. In a Protocol Attack, the attacker targets essential networking components such as firewalls by various methods; once that specific piece of infrastructure is disabled, the whole server can no longer function as intended. In the third category, Application Layer Attacks, attackers find exploits in operating systems that impede their normal function; this matters to the network infrastructure because it relies on the same operating system it is running on.

Any DoS attack in which the attacker(s) attempt to fill the server’s available bandwidth is categorized as a Volume-Based Attack. Most Volume-Based Attacks are labeled DDoS attacks rather than DoS attacks because more than one machine is used to attack the target; hence the extra “D” in DDoS, which stands for distributed. One example of a Volume-Based Attack is the Buffer Overflow Attack, also known as the “Ping of Death.” In such an attack, the memory buffers used for receiving packets are overflowed by maliciously altered packets. Once the attack is underway, server memory that would normally be allocated to legitimate requests is unavailable, denying service.

To understand Protocol Attacks, it is essential to know how connections to a server are made. When a user connects to a server, the two systems perform a “handshake,” the TCP connection sequence, a set of steps that verify the user’s connection to the server. When two systems connect using TCP, a “3-way handshake” establishes the connection by exchanging synchronize (SYN) and acknowledgment (ACK) packets, and FIN packets are used to close the connection. In a SYN Flood attack, a type of Protocol Attack, an attacker sends many synchronize requests to the target server, and the server tries to respond to each of them. The server cannot complete these requests because the attacker either sends them from a spoofed IP address or deliberately withholds the follow-up replies the server is waiting for. This stalls the TCP connection sequence and creates a waiting period for legitimate users trying to connect, until the intentionally faulty connection attempts are dealt with.
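A defender usually notices a SYN Flood as a pile-up of half-open connections: the server has sent its SYN-ACK and is still waiting for the client’s ACK. The following is an added example, not code from the original article, that summarises a constructed connection-table snapshot laid out like `ss -tan` output (state names such as `SYN-RECV` and `ESTAB` are the ones `ss` prints); the backlog size and the half-open ratio threshold are assumed values.

```python
from collections import Counter

# Constructed snapshot in the layout of `ss -tan`: State Recv-Q Send-Q Local Peer.
# Every SYN-RECV row is a half-open connection waiting for the final ACK of the
# 3-way handshake; in a spoofed flood these never complete and never go ESTAB.
SNAPSHOT = """\
State    Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB    0      0      10.0.0.5:443         203.0.113.9:40001
ESTAB    0      0      10.0.0.5:443         203.0.113.9:40002
SYN-RECV 0      0      10.0.0.5:443         198.51.100.7:51234
SYN-RECV 0      0      10.0.0.5:443         198.51.100.8:51235
SYN-RECV 0      0      10.0.0.5:443         198.51.100.9:51236
SYN-RECV 0      0      10.0.0.5:443         198.51.100.10:51237
SYN-RECV 0      0      10.0.0.5:443         198.51.100.11:51238
SYN-RECV 0      0      10.0.0.5:443         198.51.100.12:51239
"""


def parse_snapshot(text):
    """Yield (state, peer_ip) for each connection row, skipping the header line."""
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5:
            continue
        state, peer = parts[0], parts[4]
        yield state, peer.rsplit(":", 1)[0]  # strip the port, keep the address


def syn_flood_indicators(text, backlog=128, half_open_ratio=0.5):
    """Summarise half-open load. A flood shows many SYN-RECV rows, spread over
    distinct (often spoofed) sources, with few of them ever reaching ESTAB.
    `backlog` is an assumed listen-queue size used only to express usage as %."""
    states = Counter()
    half_open_sources = set()
    for state, peer in parse_snapshot(text):
        states[state] += 1
        if state == "SYN-RECV":
            half_open_sources.add(peer)
    half_open = states["SYN-RECV"]
    total = sum(states.values())
    return {
        "half_open": half_open,
        "established": states["ESTAB"],
        "distinct_half_open_sources": len(half_open_sources),
        "backlog_used_pct": round(100.0 * half_open / backlog, 1),
        "suspect": total > 0 and half_open / total >= half_open_ratio,
    }


if __name__ == "__main__":
    print(syn_flood_indicators(SNAPSHOT))
```

On a real host, pipe the live `ss -tan` output into `syn_flood_indicators` and alert when the half-open share or backlog usage climbs while established connections stay flat.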

Simplified TCP Connection Diagram

Application Layer Attacks often rely on an underlying vulnerability to be effective. One example of a vulnerability that could kick off a DoS attack was the log4j vulnerability. Now patched, it allowed malicious actors to inject code that would cause target systems to run unsafe code or send a DNS query from the victim’s system. If the attacker obtains the target’s DNS record, the attacker can apply either a Volume-Based Attack or a Protocol Attack to deny service.

DDoS/DoS Attack Motivations

The fact is that DoS attacks are only getting more prevalent, and anyone can be a target, which raises the question: what are the motives behind such attacks? Motives can be categorized as extortion, business, ideology, and cyber warfare. An example of extortion is an attacker threatening the owner of an online platform to extract money. This can devastate the owner’s digital platform if the attacker successfully denies service to online customers. In the business case, an owner can hire an individual to attack a competing platform in order to gain a competitive advantage. Ideologically motivated DoS attacks are carried out by individuals who disagree with the beliefs held by a specific institution or person. This motive is different from the others in one respect: most DDoS attacks require many machines compromised by malware, whereas an ideological DDoS attack is carried out willingly by many individuals. Finally, because of a DDoS attack’s impact, governments can use military-run or state-sponsored teams to attack an enemy web server.

DDoS Attacks in the Real World

Now that the severity of DoS attacks is understood, we can examine some examples and how they played out. On October 16, 2020, 180,000 of Google’s servers received traffic of 167 million packets per second. The attack was traced to 3 ISPs in China, and the DoS attack lasted approximately six months. Google, being the tech giant it is, was able to handle this immense traffic and emerge relatively unscathed. Although no severe damage was done, the sheer volume of the organized attack had never been seen before and testified to the size a DDoS attack could reach.

In the same year as the Google attack, Amazon Web Services, a provider of many virtual platforms, was the victim of a massive DDoS attack. Amazon Web Services is known to provide a platform to many small businesses, meaning a successful attack could cause damage not just to Amazon but to all the business owners that rely on AWS. Like Google, AWS was able to fend off the attack, but the event also led many people to question what the outcome would have been had the attack succeeded.

On March 12, 2012, Bank of America, JPMorgan Chase, U.S. Bank, PNC Bank, Citigroup, and Wells Fargo became the targets of a 60 gigabit-per-second attack. Allegedly carried out by the Izz ad-Din al-Qassam Brigades, the leader of a military division for Palestine, the attack crippled critical services the banks were offering and damaged the banks’ brand image. This would be classified as a case of cyber warfare, a form of action that was growing in popularity and still is to this day.

These are examples of large conglomerates being exposed to DoS attacks, but small businesses can lose $8,000 to $74,000 for every hour their platform is inaccessible to customers. Since larger, more established companies are better prepared against such attacks, small businesses become more likely targets of DoS attacks, which makes small companies the most vulnerable to them. Luckily, some actions can be taken to suppress an ongoing attack as well as decrease the probability of facing DoS attacks in the future.

DDoS/DoS Attack Mitigation and Defense

Just as there is a broad range of DoS attacks, there are plenty of actions both large and small server operators can take to defend against them. One fact about DoS attacks is that there is no magic-bullet solution to their threat. Fortunately, there are a variety of methods that significantly reduce the chance of an attack completely denying service. DoS defense comes in three primary forms: on-premise appliances, cloud-based solutions, and good old do-it-yourself protection. Each technique has its pros and drawbacks, so it’s essential to understand when and why someone might want to use a specific method of defense.

On-premise appliances require hardware that can filter traffic and reroute it when it is recognized as coming from an attack. Such an appliance does this through various mechanisms, such as rate limiting, geo-blocking, and IP reputation. This approach works best against Application Layer Attacks but can struggle against volume attacks, since the hardware struggles with traffic exceeding 10 Gbps. To deal with a volume attack, an owner would need to invest in more hardware, which can be expensive, another potential downside of this defensive strategy.
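To make the three mechanisms concrete, here is an added example, not code from the article or any appliance vendor, that models the decision an on-premise filter makes per request: an IP reputation blocklist and a geo-block list (both constructed, with a hypothetical country code standing in for a GeoIP lookup), followed by a per-source token-bucket rate limit. The request log, rate and burst values are all assumed.

```python
import ipaddress
from collections import defaultdict

# Constructed policy data (not a real feed): prefixes with bad reputation, and
# prefixes mapped to a hypothetical geo-blocked country code "XX".
BAD_REPUTATION = [ipaddress.ip_network("198.51.100.0/24")]
GEO_BLOCKED = {ipaddress.ip_network("203.0.113.0/24"): "XX"}


class TokenBucket:
    """Per-source limit: `rate` requests/second sustained, bursts up to `burst`."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        # Refill proportionally to elapsed time, capped at the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class EdgeFilter:
    """Order matters: cheap list lookups first, stateful rate limiting last."""
    def __init__(self, rate=5.0, burst=10):
        self.buckets = defaultdict(lambda: TokenBucket(rate, burst))

    def decide(self, src, now):
        ip = ipaddress.ip_address(src)
        if any(ip in net for net in BAD_REPUTATION):
            return "drop:reputation"
        if any(ip in net for net in GEO_BLOCKED):
            return "drop:geo"
        return "allow" if self.buckets[src].allow(now) else "drop:rate"


# Constructed request log: (timestamp in seconds, source IP). One client fires
# 15 requests in 0.15 s, two others hit the lists, then the first client returns.
REQUESTS = ([(i * 0.01, "192.0.2.10") for i in range(15)]
            + [(1.0, "198.51.100.4"), (1.0, "203.0.113.7"), (3.0, "192.0.2.10")])


def run(requests):
    """Return how many requests ended in each decision."""
    edge, counts = EdgeFilter(), defaultdict(int)
    for ts, src in requests:
        counts[edge.decide(src, ts)] += 1
    return dict(counts)
```

With the assumed burst of 10 the first client gets 10 requests through and 5 dropped, then is allowed again once its bucket has refilled; the two listed sources are dropped before any rate state is created for them.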

Cloud-based solutions, also known as off-premise solutions, are offered by companies specializing in DoS attack defense. A server owner pays for the company’s service to handle the traffic and respond to threats. The advantage of this approach is that the server owner is not required to purchase and maintain their own hardware. Service providers can also offer a higher level of protection, since they have better traffic-handling capacity. It is also often the case that the price of the service is lower than purchasing and maintaining one’s own DoS defense hardware.

If a server owner cannot afford to pay for a DoS defense service or hardware, they can resort to other means of protection. When experiencing a DoS attack, one common do-it-yourself approach is tarpitting. To tarpit, a server owner manually configures a server setting that forces the attacking systems to slow the traffic they are trying to send. Tools capable of this exist for both Windows and Linux operating systems. A downside of this method is that an attacker can change their method of attack once they notice it is being mitigated.

Undoubtedly, DDoS and DoS attacks will continue to grow in popularity and evolve to adapt to new methods of defense. The financial costs imposed by these attacks have created the need for entire industries dedicated to handling such threats. Therefore, business owners operating on a digital platform must be aware of the risks of DoS attacks and choose the correct security method.
