Denial of Service (and other) Attack Strategies, Worms, Viruses

Protecting Security of Assets

What is denial of service?

A denial of service occurs when a legitimate user is denied access to a network,
system, device, or other resources that they are otherwise authorized to access.
That can include their email, e-banking account, public online services, etc.
Denial of service can result from a cyber attack known as a denial of service attack
(DoS), whose explicit aim is to achieve this effect.

Denial of Service Definition

A denial of service attack is the deliberate flooding of a machine or network with
bogus traffic to overwhelm them and make their service unavailable. It can lead to
the target server crashing or simply being unable to respond to legitimate requests.

Denial of service attacks usually do not lead to system compromise, data loss, or
theft. However, a DoS attack can cause a significant loss of time and resources to
the targeted service since it can last anywhere between a few hours and several
months.

How a Denial of Service Attack works

The mechanism of a DoS attack is pretty straightforward: it seeks to overwhelm
the capacity of the attack target via traffic. The specific way of executing such an
attack will depend on the vulnerability of the targeted system.

For example, one way of doing this is by sending many requests with fabricated
return addresses (i.e., they are junk) to a server. This makes it impossible for the
server to verify their source. It can lead to a server simply exhausting its RAM or
CPU capacity, and crashing.

A multitude of different DoS attacks exists. Depending on the attack vector, DoS
attacks either seek to flood or to crash a system. The three main types of DoS
attacks are:
• Application-layer attacks are intended to crash a specific application or
service rather than a whole network. It is usually achieved by flooding the
app with malicious HTTP requests and making it unable to respond further.
Application-layer attacks are measured in requests per second (RPS).
• Protocol or network-layer attacks exploit weaknesses in network
protocols and procedures by targeting infrastructure and network
management tools. They seek to disrupt a whole network instead of a single
application. These attacks are measured in packets per second (PPS) or bits
per second (BPS).
• Volumetric attacks are the most common type of DoS attack. They seek to
overwhelm a target’s bandwidth capacity by flooding it with fake requests. This
creates network congestion and makes it impossible for legitimate traffic to
pass. The magnitude of these attacks is measured in bits per second (BPS).
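The three attack types above are each characterised by a different metric (RPS, PPS, BPS). The following added example, which is not code from the original notes, computes all three over one-second windows from a constructed packet log and reports which metric a noisy second exceeds; the record layout, the thresholds and the sample traffic are assumptions made for illustration.

```python
"""Compute the three DoS magnitude metrics (RPS, PPS, BPS) over one-second
windows and report which ones each window exceeds.

Added example; not code from the original notes. The record layout, the
thresholds and the sample traffic are assumptions made for illustration.
"""
from collections import defaultdict

# Each record: (unix_second, source_ip, bytes_on_wire, is_http_request).
# Constructed sample: second 100 is quiet, second 101 is a burst of small
# HTTP requests, second 102 is a handful of packets carrying large payloads.
SAMPLE_PACKETS = (
    [(100, "10.0.0.5", 600, True), (100, "10.0.0.6", 600, True), (100, "10.0.0.7", 1500, False)]
    + [(101, "10.0.0.9", 120, True)] * 50
    + [(102, "10.0.0.8", 1500, False)] * 8
)

# Assumed thresholds; in practice derive them from the service's normal baseline.
THRESHOLDS = {"rps": 40, "pps": 40, "bps": 80_000}

# Which of the three attack types from the text each metric characterises.
LAYER_FOR_METRIC = {
    "rps": "application-layer",
    "pps": "protocol/network-layer",
    "bps": "volumetric",
}


def per_second_metrics(packets):
    """Return {second: {"rps": n, "pps": n, "bps": n}} for every second seen."""
    buckets = defaultdict(lambda: {"rps": 0, "pps": 0, "bps": 0})
    for second, _src, nbytes, is_request in packets:
        bucket = buckets[second]
        bucket["pps"] += 1            # every packet counts toward PPS
        bucket["bps"] += nbytes * 8   # bytes on the wire converted to bits
        if is_request:
            bucket["rps"] += 1        # only HTTP requests count toward RPS
    return dict(buckets)


def flag_windows(packets, thresholds=THRESHOLDS):
    """Return {second: [metric, ...]} listing the metrics that exceeded their
    threshold in that second; quiet seconds are omitted."""
    flags = {}
    for second, metrics in sorted(per_second_metrics(packets).items()):
        exceeded = [m for m in ("rps", "pps", "bps") if metrics[m] > thresholds[m]]
        if exceeded:
            flags[second] = exceeded
    return flags


def describe(packets):
    """Human-readable lines mapping each flagged second to the attack type it resembles."""
    lines = []
    for second, metrics in flag_windows(packets).items():
        layers = ", ".join(LAYER_FOR_METRIC[m] for m in metrics)
        lines.append(f"second {second}: {layers} pattern ({', '.join(metrics)} above threshold)")
    return lines


if __name__ == "__main__":
    for line in describe(SAMPLE_PACKETS):
        print(line)
```

Second 101 trips RPS and PPS but not BPS (many tiny requests), while second 102 trips only BPS (few packets, large payloads), which is why a monitoring setup should track all three rather than bandwidth alone.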

There are two general methods of DoS attacks: flooding services or crashing
services. Flood attacks occur when the system receives too much traffic for the
server to buffer, causing them to slow down and eventually stop. Popular flood
attacks include:

• Buffer overflow attacks – the most common DoS attack. The concept is to send
more traffic to a network address than the programmers have built the system to
handle. It includes the attacks listed below, in addition to others that are designed
to exploit bugs specific to certain applications or networks.
• ICMP flood – leverages misconfigured network devices by sending spoofed
packets that ping every computer on the targeted network, instead of just one
specific machine. The network is then triggered to amplify the traffic. This attack
is also known as the smurf attack or ping of death.
• SYN flood – sends a request to connect to a server, but never completes
the handshake. This continues until all open ports are saturated with requests and
none are available for legitimate users to connect to.
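The SYN flood symptom described above (connections that start a handshake but never complete it) is visible in the server's own socket table as a pile-up of half-open SYN-RECV entries. The following added example, not code from the original notes, parses constructed text in the column layout of Linux `ss -tan` output and flags the condition; the sample lines and the thresholds are assumptions for illustration.

```python
"""Spot the SYN flood symptom: many half-open connections (SYN-RECV) that
never complete the handshake, compared with the established ones.

Added example; not code from the original notes. The input mimics the column
layout of `ss -tan` on Linux; the sample lines and thresholds are constructed.
"""
from collections import Counter

# Constructed socket table: two completed connections and seven half-open ones.
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB      0      0      192.0.2.10:443      198.51.100.7:51432
ESTAB      0      0      192.0.2.10:443      198.51.100.8:40211
SYN-RECV   0      0      192.0.2.10:443      203.0.113.4:10001
SYN-RECV   0      0      192.0.2.10:443      203.0.113.4:10002
SYN-RECV   0      0      192.0.2.10:443      203.0.113.4:10003
SYN-RECV   0      0      192.0.2.10:443      203.0.113.9:22010
SYN-RECV   0      0      192.0.2.10:443      203.0.113.9:22011
SYN-RECV   0      0      192.0.2.10:443      203.0.113.9:22012
SYN-RECV   0      0      192.0.2.10:443      203.0.113.9:22013
LISTEN     0      128    0.0.0.0:443         0.0.0.0:*
"""


def parse_sockets(text):
    """Yield (state, peer_ip) per socket line, skipping the header and listeners."""
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5 or fields[0] == "LISTEN":
            continue
        peer_ip = fields[4].rsplit(":", 1)[0]   # strip the port, works for [v6]:port too
        yield fields[0], peer_ip


def syn_flood_report(text, min_half_open=5, max_half_open_ratio=0.5):
    """Summarise half-open vs established sockets and decide whether the
    table looks like a SYN flood (assumed thresholds)."""
    half_open = Counter()
    established = 0
    for state, peer in parse_sockets(text):
        if state == "SYN-RECV":
            half_open[peer] += 1
        elif state == "ESTAB":
            established += 1
    total_half_open = sum(half_open.values())
    denominator = total_half_open + established
    ratio = total_half_open / denominator if denominator else 0.0
    return {
        "half_open": total_half_open,
        "established": established,
        "ratio": round(ratio, 3),
        "suspicious": total_half_open >= min_half_open and ratio > max_half_open_ratio,
        "top_sources": half_open.most_common(3),
    }


if __name__ == "__main__":
    print(syn_flood_report(SAMPLE_SS_OUTPUT))
```

Because the initial SYN of a flood usually carries a spoofed source address, the per-source breakdown may show no concentration at all; the aggregate half-open ratio is the more robust signal. On Linux the standard mitigation is to enable SYN cookies (`net.ipv4.tcp_syncookies`), which lets the kernel stop allocating state for unanswered handshakes.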
Other DoS attacks simply exploit vulnerabilities that cause the target system or
service to crash. In these attacks, input is sent that takes advantage of bugs in the
target that subsequently crash or severely destabilize the system, so that it can’t be
accessed or used.

Motives for Denial of Service Attacks

• Financial motives. Organized crime groups can use the threat of a DoS
attack to extort organizations. Some companies will pay up simply to
avoid the disruption that an attack would cause, or to end a sustained
attack.
• Political or social motives. DoS attacks can be used to take down
websites or networks of political opponents, or of companies or
organizations that an activist group sees as unethical. Readily available
‘stress-testing’ software such as LOIC can enable individuals to band
together and launch DDoS attacks with the click of a button.
• As a form of distraction. Attackers may use a DoS attack to draw your
attention away from other malicious activities they are carrying out. A
DoS attack on one system may preempt a more serious breach of
another system, or a different kind of attack on the same system.
• Self-inflicted incidents. Denial of Service disruptions can sometimes
stem from mistakes on the part of an organization’s IT department (e.g.,
failing to configure the company’s server properly, resulting in an
overload of network requests).

How to prevent a Denial of Service attack

While Denial of Service attacks are difficult to prevent entirely, there are a
number of measures you can take to limit their effectiveness, and react
appropriately when they do occur:

• Network security is imperative to stop any DoS attack attempt.
Ensuring that firewalls and intrusion detection systems, anti-virus and
anti-malware software, and endpoint security are in place is key. One
common method is to use a ‘reverse proxy’ service to check traffic
before it arrives at your website. This will absorb attacks, and prevent
obviously harmful access attempts from even reaching your servers.
• Look out for warnings. Signs of a DoS attack, or of ‘stress testing’
prior to an attack, may include a poor connection, slow performance, or
unusual traffic. Spotting these signs will allow you to react quickly and
stop attacks that are in progress, or prevent larger attacks before they
occur.
• Continuous monitoring of network traffic. Real-time monitoring
ensures that you can detect a DoS attempt before the attack takes place,
even if the signs are not immediately obvious.

How to know if a DoS attack is happening

It may be difficult to spot a DoS attack, as interferences may initially appear non-
malicious. You can use several criteria to determine if you are being attacked with
a DoS. The three most common symptoms of an attack, according to the United
States Computer Emergency Readiness Team (US-CERT), include:

• Prolonged network performance (opening files or accessing websites)
• Unavailability of a particular website, or
• An inability to access any website
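The continuous monitoring recommended above, and the first US-CERT symptom (slow performance), both come down to comparing current behaviour with a recent baseline. The following added example, not code from the original notes, scores each minute's request volume and response latency against the preceding normal minutes and raises an alert when either deviates sharply; the per-minute series and the deviation thresholds are constructed for illustration.

```python
"""Baseline-deviation monitoring: flag minutes whose request volume or
response latency departs sharply from the recent normal.

Added example; not code from the original notes. The per-minute series and
the z-score threshold are constructed for illustration.
"""
from statistics import mean, pstdev

# Constructed per-minute samples: (requests_in_minute, median_latency_ms).
# Minutes 0-9 are normal; minutes 10-12 show rising traffic and slowing responses.
SAMPLE_MINUTES = [
    (210, 45), (198, 44), (225, 47), (205, 46), (215, 45),
    (220, 48), (200, 44), (212, 46), (208, 45), (218, 47),
    (640, 120), (1550, 410), (2900, 950),
]


def baseline(window):
    """(mean, stddev) of requests and of latency over a window of samples."""
    reqs = [r for r, _ in window]
    lats = [l for _, l in window]
    return (mean(reqs), pstdev(reqs)), (mean(lats), pstdev(lats))


def monitor(series, window=10, z_threshold=3.0):
    """Return [(minute_index, [reasons])] for minutes that deviate from the
    baseline. The first `window` minutes are assumed normal. Only minutes that
    were not flagged extend the baseline, so an attack in progress cannot
    quietly become the new normal."""
    alerts = []
    clean = list(series[:window])
    for i in range(window, len(series)):
        (req_mean, req_sd), (lat_mean, lat_sd) = baseline(clean[-window:])
        reqs, lat = series[i]
        reasons = []
        # Floor the spread at one unit so a perfectly flat baseline still works.
        if (reqs - req_mean) / max(req_sd, 1.0) > z_threshold:
            reasons.append("request volume")
        if (lat - lat_mean) / max(lat_sd, 1.0) > z_threshold:
            reasons.append("latency")
        if reasons:
            alerts.append((i, reasons))
        else:
            clean.append(series[i])
    return alerts


if __name__ == "__main__":
    for minute, reasons in monitor(SAMPLE_MINUTES):
        print(f"minute {minute}: {', '.join(reasons)} above baseline")
```

Tracking latency alongside volume matters because a "low and slow" attack may raise response times without a large jump in request counts; a volume-only monitor would miss it.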

What is a distributed denial-of-service attack?

A distributed denial-of-service (DDoS) attack occurs when multiple machines are
operating together to attack one target. DDoS attackers often leverage a
botnet, a group of hijacked internet-connected devices, to carry out large-scale
attacks. Attackers take advantage of security vulnerabilities or device weaknesses
to control numerous devices using command and control software. Once in control,
an attacker can command their botnet to conduct DDoS on a target. In this case, the
infected devices are also victims of the attack.

Botnets—made up of compromised devices—may also be rented out to other
potential attackers. Often the botnet is made available to “attack-for-hire” services,
which allow unskilled users to launch DDoS attacks.

DDoS allows for exponentially more requests to be sent to the target, therefore
increasing the attack power. It also increases the difficulty of attribution, as the true
source of the attack is harder to identify.

DDoS attacks have increased in magnitude as more and more devices come online
through the Internet of Things (IoT). IoT devices often use default passwords and
do not have sound security postures, making them vulnerable to compromise and
exploitation. Infection of IoT devices often goes unnoticed by users, and an
attacker could easily compromise hundreds of thousands of these devices to
conduct a high-scale attack without the device owners’ knowledge.

What is the difference between a DDoS attack and a DoS attack?

The distinguishing difference between DDoS and DoS is the number of
connections utilized in the attack. Some DoS attacks, such as “low and slow”
attacks like Slowloris, derive their power from their simplicity and the minimal
requirements needed to make them effective.

DoS utilizes a single connection, while a DDoS attack utilizes many sources of
attack traffic, often in the form of a botnet. Generally speaking, many of the
attacks are fundamentally similar and can be attempted using one or many
sources of malicious traffic.
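Whether the traffic comes from one source or many decides the response: a single source can be blocked at the edge, while a distributed attack needs upstream filtering or a scrubbing service. The following added example, not code from the original notes, profiles per-source request counts to tell the two apart; the sample counts and thresholds are constructed for illustration.

```python
"""Distinguish a single-source DoS from a distributed DDoS by how the
excess traffic is spread across source addresses.

Added example; not code from the original notes. Sample counts, the normal
per-minute volume and the concentration threshold are constructed.
"""
from collections import Counter

# Constructed per-source request counts for one minute.
NORMAL = Counter({"198.51.100.7": 40, "198.51.100.8": 35})
SINGLE_SOURCE = Counter({"203.0.113.4": 9000, "198.51.100.7": 40, "198.51.100.8": 35})
DISTRIBUTED = Counter({f"203.0.113.{i}": 30 for i in range(1, 250)})
DISTRIBUTED.update({"198.51.100.7": 40, "198.51.100.8": 35})


def profile_sources(counts, baseline_rpm=100, top_share=0.5):
    """Classify a minute of traffic as normal, single-source or distributed.

    baseline_rpm: assumed normal requests per minute for the service.
    top_share:    if one address sends at least this fraction of the excess
                  traffic, blocking it alone is likely to be effective.
    """
    total = sum(counts.values())
    top_ip, top_count = counts.most_common(1)[0]
    share = top_count / total
    if total <= baseline_rpm:
        verdict, action = "normal", "none"
    elif share >= top_share:
        verdict, action = "single-source", f"block {top_ip} at the edge"
    else:
        verdict, action = "distributed", "engage upstream filtering / scrubbing"
    return {
        "total": total,
        "sources": len(counts),
        "top_source": top_ip,
        "top_share": round(share, 3),
        "verdict": verdict,
        "action": action,
    }


if __name__ == "__main__":
    for name, sample in (("normal", NORMAL), ("single", SINGLE_SOURCE), ("distributed", DISTRIBUTED)):
        print(name, profile_sources(sample))
```

Request counts alone will not expose a "low and slow" attack such as Slowloris, which keeps few connections open for a long time rather than sending many requests; for that pattern the relevant measure is connection age and incomplete requests per source, not volume.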