Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know.
The Beginner's Guide to Denial-of-Service Attacks: A Breakdown of Shutdowns
DoS attacks come in many varieties (not just DDoS). This simple set of descriptions will help you understand how they're different — and why each and every one is bad.
September 25, 2019
Denial-of-service (DoS) is a basic cyberattack mechanism that prevents a victim from doing business by denying them access to their network, server, or customer. It's an attack concept so simple that many different variations have arisen on the single basic theme.
Figure 1: (image: Bits and Splits, via Adobe Stock)
These variations, like weeds rising up to choke a garden, arise to choke out the productive applications in an enterprise ecosystem. And, like weeds, there are many different varieties of these thorny, choking vines from the underworld ready to make your security life miserable.
It's important to know the different sorts of DoS attacks because they have different remedies. Just as different weedy plants can be dealt with in different ways, the counter-measures for DoS attacks are different depending on whether they target the network or applications, and precisely which method of attack they use.
One thing you might have noticed is that we've referred to DoS attacks rather than DDoS. The reason is that DDoS (Distributed Denial of Service) is a particular sort of DoS attack, one in which the attack comes from many different sources so that it's more difficult to defend against.
Whether distributed or from a single source, DoS attacks can be divided into three broad categories based on the part of the infrastructure under attack. First, are application-layer attacks, which take aim at application servers or parts of the application software stack. Next come protocol attacks, which use one of the basic networking protocols, like arp, syn, or ping to do their dirty work. Finally, there are the DoS attacks that are most widely assumed when people talk about DoS — the volumetric attacks that simply try to use sheer traffic volume of one sort or another to choke off access to a victim's network.
Before we head off into this rogue's gallery, one absence should be noted: You won't find a discussion of ransomware here. It's true that ransomware is, technically, a denial of service attack, since it denies the victim access to their own data. It has grown and expanded so much, though, that it deserves it's own article, and it will have one.
In addition, it works in one way that's very different from the DoS attacks we'll discuss here: While all of these block customer access to applications and data, they don't alter the data or applications themselves. Ransomware, conversely alters the files and systems in ways that prevent users from interacting with them. Ransomware affects those files/systems value to the user — and may also result in the destruction of those items. Each type of attack is damaging, but the differences make treating them separately worthwhile.
Let's take a look at these dangerous and irritating pests, with a special eye toward understanding how they differ and how defense should differ, as well.
{Continued on Next Page}
Figure 2: (image source: Vladimir Buynevich, via Flickr)
Many companies have experienced an application-level DoS event without ever being the target of a real attack. Every time a retail company has complained that "so many people came to our site to buy our special product!" they've managed to use marketing to launch a DoS attack against themselves.
In addition to simply DoSsing themselves, companies can find a DoS attack on their application layer that comes in any of several flavors. One of the more insidious, and one that puts application layer DoS in a different category of attacks than the others to ba addressed, is called "low and slow."
How It Works
Low and slow attacks take advantage of the timeout setting of a server — the time between actions before the server "gives up" on a transaction and terminates the session — to generate just enough traffic, just often enough, to keep the application operating at full capacity.
Low and slow attacks are frequently launched using tools with names like Slowloris, which attacks by keeping HTTP sessions barely alive, and R.U.D.Y, which submits form data at an excruciating — but fast enough to keep the session alive — pace.
How to Defend Against It
Application-level attacks can use HTTP headers, HTTP GET, HTTP PUT, or TCP traffic to do their dirty work. Because they don't depend on either massive traffic flows or misshapen packets to be effective, they can be difficult to defend against.
Web application firewalls (WAFs) and, depending on the application's architecture, cloud service firewalls can help, but security teams should work closely with application developers to make sure that legitimate customers — with their legitimate dollars — aren't excluded from transactions.
{Continued on Next Page}
TCP/IP networking depends on a whole series of protocols and functions working together. Because these protocols must flow along with the data on a network, they can't simply be blocked by firewalls. That ability to traverse networks makes them useful for attackers who wish to deny a victim access to their network by sending protocol requests or responses in volumes far higher than that seen normally.
How Protocol-Based DoSes work:
Address Resolution Protocol (ARP) is one of these core protocols. ARP ties a device's physical address (the MAC) to its network address (its IP address). ARP requests and responses are typically between two computers who need to communicate. An ARP Flood attack sends ARP responses to every computer on the network, filling their ARP cache, and making it difficult or impossible for them to resolve addresses and communicate with other computers.
A different protocol attack is the SYN attack. SYN is the opening of the connection conversation in IP networking: The requesting computer sends SYN and expects ACK in return. In a SYN attack, the attacker sends SYN after SYN, never waiting for an ACK. With each SYN, the victim has to open a new network port connection, until the maximum number of connections has been reached and no new connection can be started.
Other protocol DoS attacks use additional protocols. These attacks have colorful names like "PING of Death" (which uses the connection verification protocol PING), and Smurf DDOS, which uses PING in ways that amplify the size and impact of the attack.
In each of these cases, the attack denies access to the application by choking a particular network port or access protocol. Because the attack is targeting such a narrow part of the network stack, the traffic volume doesn't have to be as high as in volume-based attacks.
How to defend against it:
Defending against these protocol attacks is often a case of carefully crafting server or routerconfiguration files to limit the system's susceptibility to maltreatment — reducing timeout parameters so stalled transactions are reset more quickly, for example. As long as networking is based on the IP stack, though, networks will be susceptible to attack through the critical protocols.
{Continued on Next Page}
Volume-based DoS attacks are the big, showy attacks that tend to make the news because the traffic can be measured in terabytes per second and the networks launching DDoS attacks can include hundreds of thousands of robotic soldiers. Volume-based DoS attacks are blunt instruments that can be very effective — and the splatter from a successful attack can have an impact on other customers of the ISP and network provider, no matter how large they may be.
How it works:
Because of the sheer volume of traffic required for a successful volume-based attack, two techniques — reflection and amplification — are used in most of these attacks. They typically use protocols like DNS or NTP — essential protocols for resolving addresses and synchronizing time on the network — to do their dirty work.
Reflection and amplification take advantage of the fact that the response to an inquiry on address resolution or time tends to be much longer than the initial inquiry itself. So the attacker sends a request to an innocent third-party with the victim's address spoofed as the source. The response is sent to the victim which, having not requested anything, is confused and has to deal with this unwanted information.
The result is that a 10-byte attack can result in a 500-byte hit on the victim. Multiply that by a half-million attacking bots, and the impact of the attack is far greater than the investment in the attacking network.
There are other ways to launch a DDoS attack, including simply sending vast quantities of UDP traffic from ephemeral ports (those that aren't strictly defined, like port 80 for HTTP) against a target. Ultimately, the edge router for the victim can't deal with all the traffic and begins refusing additional connections. If the attack continues, the back-up can shift upstream and have an impact on more customers of the network provider.
How to defend against it:
Protecting from this type of attack is as brute-force as the attack itself. Third-party protection is based on a process that is, essentially, an authorized man-in-the-middle attack to shunt attack traffic to safe servers and keep traffic flowing to the legitimate applications. Other solutions have included forklifts and trucks as servers are moved to different providers and networks to escape attacks on hosting providers.
There are many ways to deny service to a legitimate company. These weeds, though they may be ingenious and advanced, can be cut short by understanding what they do, how they do it — and how the same protocols can be used to protect the network.
Related Content:
Read more about:
2019About the Author
You May Also Like