What is a DoS attack? Do they have the potential to impact our organization negatively? If so, to what degree do we need to worry about DoS attacks, and how can an organization prevent or mitigate their impact? This pillar article is designed to equip you with a core understanding of what DoS attacks are, the motives of adversaries that launch them, and strategies for defending an organization against this increasingly common threat to IT security.
The “CIA Triad” stands for Confidentiality, Integrity, and Availability, the three properties that information security exists to protect. DoS attacks primarily attack Availability: they prevent IT systems and services from functioning properly, causing downtime. The consequences include financial losses, damage to operations and reputation, legal and regulatory liabilities, data loss, reduced productivity, and loss of competitive advantage. Preventing and mitigating DoS attacks is therefore critical to maintaining business continuity.
What are DoS Attacks?
DoS attacks seek to disrupt the availability of critical IT services or even entire networks. They can be broadly classified into several categories, and understanding these categories is essential before exploring the specific subtypes. The broad categories of DoS attacks are:
- Volume Based Attacks / Flooding Attacks: Flood the target network, system, or service with more traffic than it can absorb, exhausting network bandwidth, CPU, memory, connection tables, or other resources.
- Protocol Attacks: Abuse the way network and transport protocols (OSI layers 3 and 4, such as TCP and ICMP) handle state and error conditions, for example by leaving TCP connections half open, rather than relying on raw traffic volume.
- Application Attacks: Target weaknesses in the software or services that operate at Layer 7 of the OSI model, such as web servers and DNS servers, often with requests that are individually valid but expensive to process.
- Amplification Attacks: A small request from the attacker, with the source address spoofed to the victim, triggers a much larger response from a third-party server (a reflector). The attacker’s bandwidth is multiplied by the amplification factor of the abused protocol, and the victim receives a volume-based attack it cannot trace back to the attacker.
- Distributed Denial of Service Attacks (DDoS): Any of the above launched simultaneously from a large number of compromised devices (a botnet) against a single target. Distribution multiplies the available volume and makes the sources hard to filter.
DoS attacks can disrupt availability in a variety of ways such as:
- System Crash: Cause critical systems to crash or shut down, leading to complete service downtime until the system is restored.
- Service Degradation: Degrade the performance of applications, causing slow or reduced functionality.
- Data Loss: Data in transit may be dropped or lost when critical services are disrupted, leading to data loss or corruption.
- Access Denial: Users may be denied access to services due to service disruption. This can also impact an IT team’s ability to reach and configure critical systems during an attack.
DoS Attack Variants
Understanding DoS attack types is critical for developing appropriate security controls. With our basic understanding of DoS attacks in hand, let’s explore some specific DoS attack techniques.
Slowloris Attack
A Slowloris attack targets web servers by opening many connections and sending partial HTTP request headers at a slow but steady pace: another header line every few seconds, and never the blank line that completes the request. Each connection stays open and ties up a worker or a slot in the server’s connection pool until no slots remain for legitimate requests. Because the attacker keeps sending a little data, a simple per-read idle timeout does not release the connections; the effective defenses are a deadline for completing the request headers, a cap on concurrent connections per source address, and a reverse proxy or CDN that buffers a full request before forwarding it. Modern event-driven web servers are more resilient than thread-per-connection designs, but Slowloris remains a significant threat to misconfigured or legacy web servers.
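The following simulation, added here as an illustration and not code from the original article, models the mechanism just described: a server with 100 connection slots, one attacker that opens as many connections as it can and writes a few header bytes every 5 seconds, and one legitimate request per second. The server, timings, thresholds and addresses are constructed for the example. It shows why a per-read idle timeout alone does not help, why a header-completion deadline alone only opens brief windows (the attacker simply reconnects), and why a per-source connection cap restores availability against a single-source attacker.

```python
"""Slowloris, modelled: a fixed connection pool, an attacker that drips header
bytes, and three server configurations. Constructed simulation, not a real
server; addresses are from the documentation ranges."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Conn:
    src: str          # client address
    opened: float     # time the connection was accepted
    last_byte: float  # time the last header byte arrived


@dataclass
class Server:
    pool_size: int                           # worker/connection slots
    idle_timeout: float                      # per-read: close if no bytes for this long
    header_deadline: Optional[float] = None  # total time allowed to finish the headers
    per_ip_cap: Optional[int] = None         # max simultaneous connections per source
    conns: List[Conn] = field(default_factory=list)
    served_legit: int = 0
    rejected_legit: int = 0

    def reap(self, now: float) -> None:
        """Drop connections that hit the idle timeout or the header deadline."""
        self.conns = [
            c for c in self.conns
            if now - c.last_byte <= self.idle_timeout
            and (self.header_deadline is None or now - c.opened <= self.header_deadline)
        ]

    def held_by(self, src: str) -> int:
        return sum(1 for c in self.conns if c.src == src)

    def accept(self, src: str, now: float) -> bool:
        self.reap(now)
        if len(self.conns) >= self.pool_size:
            return False
        if self.per_ip_cap is not None and self.held_by(src) >= self.per_ip_cap:
            return False
        self.conns.append(Conn(src, now, now))
        return True

    def drip(self, src: str, now: float) -> None:
        """The attacker sends one more partial header line on every connection it holds."""
        for c in self.conns:
            if c.src == src:
                c.last_byte = now


def simulate(server: Server, duration: int = 120, attacker_conns: int = 200,
             drip_every: int = 5):
    """Run the attack for `duration` seconds; return (legit served, legit rejected)."""
    attacker = "203.0.113.7"                   # constructed attacker address
    for t in range(duration):
        # One legitimate client per second. A real request completes at once,
        # so its slot is released immediately after it is accepted.
        legit = f"198.51.100.{t % 250 + 1}"    # constructed client addresses
        if server.accept(legit, t):
            server.served_legit += 1
            server.conns.pop()                 # served and closed
        else:
            server.rejected_legit += 1
        # The attacker (re)opens connections until it holds attacker_conns of
        # them, then writes a few bytes on each one just inside the idle timeout.
        for _ in range(attacker_conns - server.held_by(attacker)):
            if not server.accept(attacker, t):
                break
        if t % drip_every == 0:
            server.drip(attacker, t)
    return server.served_legit, server.rejected_legit


def compare():
    """The same attack against three configurations of a 100-slot server."""
    return {
        "idle_timeout_only": simulate(Server(100, idle_timeout=10)),
        "header_deadline": simulate(Server(100, idle_timeout=10, header_deadline=20)),
        "deadline_and_cap": simulate(
            Server(100, idle_timeout=10, header_deadline=20, per_ip_cap=10)),
    }


if __name__ == "__main__":
    for name, (served, rejected) in compare().items():
        print(f"{name:18s} legit served={served:3d} rejected={rejected:3d}")
```

With the idle timeout alone the pool is full from the first second and stays full; with a 20-second header deadline the attacker is evicted every 21 seconds and refills the pool immediately, so only a handful of legitimate requests slip through; with the deadline plus a cap of 10 connections per source, 90 slots always remain free. In real servers the corresponding knobs are Apache httpd’s mod_reqtimeout (a total header-completion deadline) and nginx’s client_header_timeout together with limit_conn. Against a distributed Slowloris, where each bot stays under the per-source cap, the usual answer is a reverse proxy or CDN that buffers the complete request before it reaches the origin.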
Smurf Attack
A Smurf attack sends Internet Control Message Protocol (ICMP) echo request (ping) packets to a network’s broadcast address with the source address spoofed to the victim’s IP. Every host on that network replies to the victim, so one packet from the attacker becomes many packets at the target, an early form of amplification. Modern routers do not forward directed broadcasts by default and hosts are typically configured to ignore broadcast pings, so Smurf attacks are far less effective than they once were, but legacy network infrastructure can still be abused as an amplifier.
DNS Amplification Attack
A DNS Amplification attack abuses open DNS resolvers: the attacker sends them a stream of small DNS queries with the source address spoofed to the victim’s IP, choosing query types that produce large answers (for example, ANY queries or names in DNSSEC-signed zones). The resolvers send their responses, many times larger than the queries, to the victim, so the attacker’s bandwidth is multiplied by the amplification factor. DNS Amplification attacks can saturate the victim’s upstream links, causing service degradation or complete disruption, and because the traffic arrives from legitimate resolvers it cannot simply be blocked by source.
Application Layer Attacks
Application Denial of Service (App-DoS) attacks target specific software or services at Layer 7 of the OSI model. The technique varies with the application: some exploit bugs in the application’s code with a single malformed request that crashes it or exhausts its resources, while others send large numbers of requests that are individually valid but expensive for the server to handle (for example, search queries, login attempts, or large downloads), exhausting CPU, memory, or database capacity. Regularly updating software with security patches protects against the first kind; the second also requires rate limiting, caching, and limits on request cost.
UDP Flood Attack
UDP Flood attacks target services that use the User Datagram Protocol (UDP). UDP is connectionless: unlike TCP, it performs no handshake before transmitting data, so the target cannot validate the source address and the attacker can spoof it freely. The victim receives packets at arbitrary ports, checks for a listening application, and for closed ports replies with ICMP Destination Unreachable messages; both the lookup and the replies consume CPU and bandwidth, and the attacker’s packets consume the inbound link regardless of whether anything is listening.
SYN Flood Attack
SYN Flood attacks exploit the TCP three-way handshake by sending a high volume of SYN (synchronize) segments, usually from spoofed source addresses, and never completing the handshake with the final ACK (acknowledge). The target allocates an entry in its half-open connection backlog for each SYN and waits for an ACK that never arrives; once the backlog is full, new connections from legitimate clients are dropped. The effect resembles a Slowloris attack in that a resource pool is exhausted, but the pool is the kernel’s TCP backlog rather than the application’s worker pool. The standard mitigation is SYN cookies, which encode the connection state in the server’s initial sequence number so that no memory is committed until the client’s ACK arrives.
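To show what “no memory committed” means in practice, here is a simplified SYN cookie implementation, added for this article and not the article’s own code nor any kernel’s. It follows the shape of the Bernstein/Linux scheme (5 bits of coarse timestamp, 3 bits of MSS index, and a 24-bit keyed hash of the connection 4-tuple in the server’s initial sequence number) but uses HMAC-SHA256 and a simplified layout; the addresses, ports, MSS table and timestamps are constructed for the example.

```python
"""SYN cookies: answer every SYN without keeping a half-open entry, then
validate the client's final ACK from the sequence numbers alone. Simplified
from the Bernstein/Linux scheme; constructed example, not kernel code."""
import hashlib
import hmac
import ipaddress
import secrets
import struct
from typing import Optional

MSS_TABLE = (536, 1300, 1440, 1460)      # MSS values encodable in the 3-bit field
COOKIE_SECRET = secrets.token_bytes(32)  # a real implementation rotates this


def _mac24(secret: bytes, saddr: str, daddr: str, sport: int, dport: int,
           t: int, client_isn: int) -> int:
    """24-bit keyed hash binding the cookie to the 4-tuple, time slot and client ISN."""
    msg = (ipaddress.ip_address(saddr).packed + ipaddress.ip_address(daddr).packed
           + struct.pack("!HHIL", sport, dport, t, client_isn))
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(saddr: str, daddr: str, sport: int, dport: int, client_isn: int,
                mss: int, now: float, secret: bytes = COOKIE_SECRET) -> int:
    """Server ISN for the SYN-ACK: 5 bits of 64 s time slot | 3 bits MSS index | 24-bit MAC."""
    t = (int(now) // 64) & 0xFFFFFFFF
    mss_idx = max([i for i, m in enumerate(MSS_TABLE) if m <= mss] or [0])
    mac = _mac24(secret, saddr, daddr, sport, dport, t, client_isn)
    return ((t & 0x1F) << 27) | (mss_idx << 24) | mac


def check_cookie(saddr: str, daddr: str, sport: int, dport: int, seq: int, ack: int,
                 now: float, secret: bytes = COOKIE_SECRET) -> Optional[int]:
    """Validate the handshake-completing ACK (seq = client ISN + 1, ack = cookie + 1).
    Returns the negotiated MSS, or None if the ACK is forged or too old."""
    cookie = (ack - 1) & 0xFFFFFFFF
    client_isn = (seq - 1) & 0xFFFFFFFF
    t_now = (int(now) // 64) & 0xFFFFFFFF
    for age in (0, 1):                        # accept the current and previous 64 s slot
        t = t_now - age
        if (t & 0x1F) != cookie >> 27:
            continue
        expected = _mac24(secret, saddr, daddr, sport, dport, t, client_isn).to_bytes(3, "big")
        if hmac.compare_digest(expected, (cookie & 0xFFFFFF).to_bytes(3, "big")):
            return MSS_TABLE[(cookie >> 24) & 0x7]
    return None


def demo() -> dict:
    """A real client, a 10,000-packet spoofed flood, a forged ACK and a stale replay."""
    srv, srv_port = "192.0.2.10", 443              # constructed server (TEST-NET-1)
    now = 1_700_000_000.0
    half_open_table = {}                           # what a SYN-cookie server never fills
    # 1. Legitimate client: SYN -> SYN-ACK carrying the cookie -> ACK a few seconds later.
    client, cport, client_isn = "198.51.100.25", 51515, 0x1234ABCD
    cookie = make_cookie(client, srv, cport, srv_port, client_isn, 1460, now)
    mss = check_cookie(client, srv, cport, srv_port,
                       seq=client_isn + 1, ack=cookie + 1, now=now + 3)
    # 2. Spoofed SYN flood: each SYN costs one hash and one SYN-ACK, no table entry.
    for i in range(10_000):
        make_cookie(f"203.0.113.{i % 254 + 1}", srv, 40000 + i % 1000, srv_port, i, 1460, now)
    # 3. An ACK forged without ever receiving the SYN-ACK fails the check.
    forged = check_cookie("203.0.113.9", srv, 40009, srv_port, seq=10, ack=0x5EED5EED, now=now)
    # 4. Replaying the genuine cookie after the two-slot window has passed also fails.
    stale = check_cookie(client, srv, cport, srv_port,
                         seq=client_isn + 1, ack=cookie + 1, now=now + 200)
    return {"mss": mss, "half_open_entries": len(half_open_table),
            "forged": forged, "stale": stale}


if __name__ == "__main__":
    print(demo())
```

The trade-off is that only what fits in 32 bits survives the handshake: real kernels lose TCP options such as window scaling and SACK on cookie-validated connections (unless the client echoes them in timestamps), which is why Linux uses cookies only as a fallback once the backlog is full (net.ipv4.tcp_syncookies=1) rather than for every connection.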
Ping Flood Attack
Ping Flood attacks target a device with a barrage of ICMP echo request (ping) packets, overwhelming its processing capacity and bandwidth. Unlike a Smurf attack, which reflects echo requests off a network’s broadcast address using a spoofed source, a Ping Flood sends the requests directly to the victim’s IP address from the attacker’s own hosts or a botnet, so it relies on raw volume rather than amplification.
DNS Flood Attack
DNS Flood attacks target a victim’s DNS (Domain Name System) server with an overwhelming volume of invalid or spoofed DNS queries so that it can no longer answer legitimate ones. As a result, any hosts that rely on the targeted DNS server cannot resolve domain names to IP addresses, which effectively blocks access to the Internet and to any local network resources that require DNS resolution.
Threat Actors That Leverage DoS Attacks
Denial of Service (DoS) attacks are perpetrated by a diverse range of threat actors with a wide array of motivations, technical capabilities, and goals. The techniques an actor uses tend to track its resources: an individual with a downloaded tool can run a single-source flood, while a well-funded group can rent or build a botnet. Understanding these groups and their motives is essential for crafting an effective and strategic defense. Here is a list of various DoS threat actors and a description of their typical motives:
- Script Kiddies (Low Skilled Attackers): Driven by curiosity or notoriety and equipped with freely downloadable attack tools, their desire to prove their technical skills outweighs their concern for the potential consequences.
- Nation-State Threat Actors: Nation-states actively deploy DoS attacks (and Distributed Denial of Service, or DDoS attacks) as cyber warfare tactics, targeting critical infrastructure, government systems, or key industries to gain tactical advantage.
- Hacktivists: These individuals or groups use black-hat hacking techniques as a form of political protest to advance a social agenda.
- Cyber Criminals / Advanced Persistent Threats (APT): Cybercriminals typically possess advanced technical skills and launch DoS attacks for financial gain. They may demand ransom payments to cease an ongoing DoS attack or use the attack as a distraction while carrying out data theft or fraud. DoS-as-a-Service (DaaS) groups, also known as booter or stresser services, offer targeted attacks for a fee.
- Business Competitors: Organizations have been known to leverage DoS attacks against their competitors to gain a competitive advantage by disrupting a competitor’s online services, leading to lost revenue or customers migrating elsewhere.
The DoS Attack Landscape
DoS attacks are an increasing threat to organizations globally and have even emerged as an additional form of extortion in ransomware attacks. The statistics are sobering: the first six months of 2022 saw 60% more DoS attacks than were recorded in all of 2021. The cybercrime group Killnet emerged from the Russian-Ukrainian conflict and disrupted organizations in the healthcare and public health sector. At the extreme end, Google recorded a 2.54 terabit-per-second (Tbps) attack in September 2017, the second-largest by volume disclosed at the time, and Cloudflare mitigated an HTTP DDoS attack peaking at 71 million requests per second, the record for request rate at the time of writing.
Preventing DoS Attacks
Understanding how to prevent a DoS attack is critical to preparing a strategic defense and keeping attacks from negatively impacting an IT environment. Let’s explore several preventive measures:
Implement Network Security Measures
Implementing network security best practices such as strong access controls and the principle of least privilege, network segmentation, encrypting data in transit, conducting regular vulnerability scanning, and installing updates in a timely manner can help prevent DoS attacks. Preventing attackers from gaining an initial foothold on the network and limiting each device’s scope of network access makes it much harder for adversaries to launch DoS attacks from inside the network or to enlist the organization’s own hosts in a botnet. These hygiene measures reduce the attack surface of exposed services, but they do not by themselves stop a volumetric flood arriving from the Internet; that requires the filtering and capacity measures below.
Intrusion Detection and Prevention Systems (IDPS)
Intrusion Detection and Prevention Systems (IDPS) continuously monitor network traffic for patterns that indicate a device has been compromised (for example, an internal host that has started sending SYN packets to random Internet addresses, a sign it has joined a botnet) or that a DoS attack is underway. They alert defenders for investigation or, in prevention mode, automatically adjust firewall rules to block the offending traffic. Like a firewall, an IDPS only sees what reaches it, so it cannot relieve a saturated upstream link.
Firewalls and Filtering
Firewalls, especially next-generation firewalls, inspect incoming and outgoing traffic to identify and block malicious packets. Using a default-deny policy and only allowing ports and protocols when required is the best practice for effective firewall configuration. Stateful and next-generation firewalls can also enforce connection-rate and connection-count limits per source, drop malformed packets, and apply SYN flood protections such as SYN proxying, stopping many protocol attacks before they affect availability. A firewall can only drop what reaches it, however: once a volumetric attack saturates the organization’s Internet link, filtering has to happen upstream, at the ISP or a scrubbing service, rather than on premises.
Employ Traffic Management and Rate Limiting
Traffic management and rate limiting control how much traffic any one source, or the service as a whole, is allowed to generate. Limits on the number of requests or connections per source IP address, per port, or per URL absorb single-source floods and slow down automated tools, while aggregate limits keep a surge from overwhelming backend resources. Rate limiting is most effective against single-source and application-layer floods; a distributed attack in which every source stays under the per-IP limit needs aggregate limits and upstream filtering as well. Network devices can also identify and drop fragmented or malformed packets and other protocol attacks before they reach the servers behind them.
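A per-source token bucket is the usual building block behind the limits described above (and behind per-source connection-rate rules on a firewall). The example below is added for this article and is not code from the original: it runs a constructed 30-second request stream (one legitimate client at 2 requests per second, one flooder at 200 per second, and 200 bots at 1 per second each) through a limiter that allows 5 requests per second with a burst of 20, and reports how much of each got through. The addresses, rates and limits are assumptions.

```python
"""Per-source token-bucket rate limiting, run over a constructed request stream.
Integer arithmetic (milliseconds, thousandths of a token) so the result is exact."""
from collections import Counter
from typing import Dict, List, Tuple


class TokenBucketLimiter:
    def __init__(self, rate_per_s: int, burst: int):
        self.rate = rate_per_s                     # tokens added per second
        self.cap = burst * 1000                    # bucket capacity in millitokens
        self.buckets: Dict[str, List[int]] = {}    # key -> [millitokens, last_ms]

    def allow(self, key: str, now_ms: int) -> bool:
        """Spend one token for `key` if available, refilling for the time elapsed."""
        b = self.buckets.setdefault(key, [self.cap, now_ms])
        tokens = min(self.cap, b[0] + (now_ms - b[1]) * self.rate)  # ms * tok/s = millitokens
        b[1] = now_ms
        if tokens >= 1000:
            b[0] = tokens - 1000
            return True
        b[0] = tokens
        return False


def build_stream() -> List[Tuple[int, str, str]]:
    """Constructed 30 s request log as (time_ms, source, label)."""
    s = [(500 * i, "198.51.100.25", "legit") for i in range(60)]         # 2 req/s
    s += [(5 * i, "203.0.113.7", "flooder") for i in range(6000)]         # 200 req/s
    s += [(1000 * k, f"192.0.2.{j + 1}", "botnet")                         # 200 bots, 1 req/s each
          for k in range(30) for j in range(200)]
    return sorted(s)


def run(limiter: TokenBucketLimiter, stream) -> Dict[str, Tuple[int, int]]:
    """Return {label: (requests allowed, requests seen)}."""
    allowed, seen = Counter(), Counter()
    for t_ms, src, label in stream:
        seen[label] += 1
        if limiter.allow(src, t_ms):
            allowed[label] += 1
    return {label: (allowed[label], seen[label]) for label in seen}


if __name__ == "__main__":
    results = run(TokenBucketLimiter(rate_per_s=5, burst=20), build_stream())
    for label, (ok, n) in results.items():
        print(f"{label:8s} {ok:5d} of {n:5d} allowed")
```

The flooder is cut to 169 of its 6000 requests (the 20-token burst plus 5 per second for the remaining 29.8 seconds) while the legitimate client is untouched, but every bot stays under the per-IP limit and all 6000 botnet requests pass. Per-source limits therefore need to be combined with aggregate limits per service and with upstream filtering for distributed attacks. In practice the same logic is configured rather than written; nginx’s limit_req_zone and the iptables hashlimit module implement per-key rate limits of this kind.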
Configure Load Balancing and Failover Systems
Load balancing and failover systems distribute the workload across multiple servers and, combined with autoscaling, add compute capacity as traffic grows. If a DoS attack overwhelms one server, health checks remove it from rotation and traffic is directed to the remaining healthy servers, preventing a complete loss of availability. Scaling out adds capacity at a cost, however: against a sustained volumetric attack the bill can grow with the attack, so autoscaling complements filtering rather than replacing it.
Utilize Content Delivery Networks (CDNs)
CDNs are third-party services typically used to cache content close to users for better website performance, but they also act as DoS protection: requests are spread across many edge locations by geography and load, cached responses never reach the origin server, and the provider’s aggregate capacity far exceeds what a single organization can provision. Cloud-based CDN services bundle enterprise-grade DoS and web application firewall (WAF) protection, making them attractive for small and medium-sized businesses. To get the benefit, the origin server must not be reachable directly from the Internet; if its IP address is exposed, attackers simply bypass the CDN.
Keep Software and Systems Updated
Proactive vulnerability management includes regularly conducting vulnerability scans and keeping software and systems updated. Updates often include security fixes that prevent known DoS vulnerabilities from being exploited. Software with known vulnerabilities, especially exposed network services, can easily be detected and exploited by attackers.
Mitigating DoS Attacks
When DoS attacks cannot be effectively prevented, organizations need to prepare mitigation strategies to reduce the negative impact on business operations. Let’s explore some mitigation strategies for defending against DoS attacks.
Incident Response Plans
An IRP (Incident Response Plan) is a set of procedures and guidelines for detecting, responding to, and recovering from cybersecurity incidents such as DoS attacks or other forms of cyber-attack. IRPs help minimize downtime and service disruption by providing a standardized and tested playbook for defenders, enabling the prompt isolation of affected systems and the redirection of legitimate traffic. For DoS specifically, the plan should name who is authorized to engage the ISP or DDoS mitigation provider, how traffic is rerouted to them, and what evidence (flow records, packet captures) to preserve. DoS attacks can be simulated to give defenders the opportunity to practice the plan and gain experience before a real attack.
DDoS Mitigation Services
DDoS Mitigation Services outsource the analysis of network traffic to highly experienced and skilled third-party IT security professionals leveraging specialized infrastructure. DDoS mitigation services are scalable and can handle substantial traffic volumes, provide 24/7 monitoring, and are often more cost-effective than building an in-house solution, especially for smaller organizations.
Cloud-based Security Solutions
Cloud-based security solutions host critical infrastructure with an Infrastructure as a Service (IaaS) provider rather than on an organization’s own premises. Major IaaS providers run industry-leading infrastructure and apply cybersecurity best practices to mitigate DoS attacks, may incorporate machine learning and behavioral analysis to detect and respond to emerging threats promptly, and are best positioned to scale resources rapidly in response to a DoS attack. Under the shared responsibility model, however, the provider protects its network and platform; protecting the customer’s own applications from Layer 7 floods still requires the customer to enable and configure the provider’s DDoS and WAF services.
Network Monitoring and Analysis
Network monitoring and analysis involve continuous scrutiny of network traffic against an established baseline, enabling the swift detection of anomalies indicative of an attack. By closely monitoring traffic, organizations can identify sudden increases in connection attempts, half-open connections, unsolicited responses from servers they never contacted, or other unusual data flows that indicate a DoS attack in progress, and can trigger their mitigation plan before services fail.
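The following detection logic, added here and not from the original article, shows the kind of check such monitoring performs. It runs over constructed, Zeek-style one-directional flow records (generated in the code, not captured traffic) and flags two of the attacks described earlier: a SYN flood, seen as a burst of half-open “S0” connection attempts against one service, and DNS reflection/amplification, seen as large UDP responses from source port 53 arriving from resolvers the host never queried. The thresholds, addresses, windows and traffic mix are assumptions for the example.

```python
"""Two detections over constructed, Zeek-style one-directional flow records:
a SYN flood (burst of half-open 'S0' attempts against one service) and DNS
reflection (large UDP/53 responses from resolvers the host never queried).
The traffic is generated below; it is not captured data."""
import random
from collections import defaultdict
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Flow:
    ts: float      # start time, seconds
    src: str       # sender
    sport: int
    dst: str       # receiver
    dport: int
    proto: str     # "tcp" or "udp"
    state: str     # Zeek conn_state: "S0" = SYN seen, no reply; "SF" = normal; "OTH" = other
    nbytes: int    # bytes sent by src in this flow


def detect_syn_flood(flows: List[Flow], window: float = 10.0,
                     min_half_open: int = 500, min_ratio: float = 0.8) -> list:
    """Per (service, window): alert when half-open attempts dominate the connections."""
    s0, total = defaultdict(int), defaultdict(int)
    for f in flows:
        if f.proto != "tcp":
            continue
        key = (f.dst, f.dport, int(f.ts // window) * window)
        total[key] += 1
        if f.state == "S0":
            s0[key] += 1
    alerts = []
    for (dst, dport, win), n in total.items():
        h = s0[(dst, dport, win)]
        if h >= min_half_open and h / n >= min_ratio:
            alerts.append({"type": "syn_flood", "dst": dst, "dport": dport,
                           "window": win, "half_open": h, "total": n})
    return alerts


def detect_dns_reflection(flows: List[Flow], window: float = 10.0,
                          min_reflectors: int = 20, min_bytes: int = 1_000_000) -> list:
    """Alert when a host receives DNS responses from many resolvers it never asked."""
    asked = defaultdict(set)              # host -> resolvers it sent queries to
    for f in flows:
        if f.proto == "udp" and f.dport == 53:
            asked[f.src].add(f.dst)
    reflectors, rbytes = defaultdict(set), defaultdict(int)
    for f in flows:
        if f.proto == "udp" and f.sport == 53 and f.src not in asked[f.dst]:
            key = (f.dst, int(f.ts // window) * window)
            reflectors[key].add(f.src)
            rbytes[key] += f.nbytes
    return [{"type": "dns_reflection", "host": host, "window": win,
             "reflectors": len(srcs), "bytes": rbytes[(host, win)]}
            for (host, win), srcs in reflectors.items()
            if len(srcs) >= min_reflectors or rbytes[(host, win)] >= min_bytes]


def sample_flows(seed: int = 7) -> List[Flow]:
    """60 s of constructed traffic for 192.0.2.0/24, with both attacks at t = 30-40 s."""
    rng = random.Random(seed)
    flows = []
    # Normal web traffic: completed handshakes from assorted clients.
    for _ in range(2000):
        flows.append(Flow(rng.uniform(0, 60), f"198.51.100.{rng.randint(1, 254)}",
                          rng.randint(1024, 65535), "192.0.2.10", 443, "tcp", "SF",
                          rng.randint(500, 5000)))
    # Normal DNS: 192.0.2.10 queries its resolver 192.0.2.53 and gets small answers.
    for _ in range(50):
        t, p = rng.uniform(0, 60), rng.randint(1024, 65535)
        flows.append(Flow(t, "192.0.2.10", p, "192.0.2.53", 53, "udp", "SF", 60))
        flows.append(Flow(t + 0.01, "192.0.2.53", 53, "192.0.2.10", p, "udp", "SF", 120))
    # SYN flood: 5000 SYNs from random spoofed sources, none completing the handshake.
    for _ in range(5000):
        spoofed = ".".join(str(rng.randint(1, 254)) for _ in range(4))
        flows.append(Flow(30 + rng.random() * 10, spoofed, rng.randint(1024, 65535),
                          "192.0.2.10", 443, "tcp", "S0", 60))
    # DNS reflection: 100 open resolvers send big answers to 192.0.2.20, which asked nothing.
    for i in range(400):
        flows.append(Flow(30 + rng.random() * 10, f"203.0.113.{i % 100 + 1}", 53,
                          "192.0.2.20", rng.randint(1024, 65535), "udp", "OTH",
                          rng.randint(3000, 4000)))
    return sorted(flows, key=lambda f: f.ts)


def run_demo() -> list:
    flows = sample_flows()
    return detect_syn_flood(flows) + detect_dns_reflection(flows)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Both rules fire only for the 30 to 40 second window: the SYN flood shows up as 5000 half-open attempts against 192.0.2.10:443 swamping the few hundred completed connections, and the reflection shows up as about 1.4 MB of DNS responses from 100 resolvers that 192.0.2.20 never queried, while the host’s genuine queries to its own resolver raise nothing. With real flow data the thresholds should be set from a baseline of normal traffic rather than fixed as here, and the reflection rule works best at the network edge, where the absence of an outbound query is visible.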
Denial of Service (DoS) attacks pose a significant threat to the availability of IT services, and the resulting downtime can mean significant financial losses, reputational damage, and legal liabilities. DoS attacks can be broadly classified as volumetric, protocol, application, and amplification attacks, each with a number of sub-variants, and any of them can be distributed across a botnet. Thwarting low-skilled attackers may require only a few fundamental security measures, while attacks conducted by nation-states or well-resourced criminal groups can affect even the largest and best-defended organizations. With a clear understanding of the prevention and mitigation strategies above, organizations can both reduce the likelihood of a successful DoS attack and limit the damage to their operations when one does occur.