Threat Intelligence

Denial-of-Service (DoS) Attack - What is it, How Does it Work

Anupama Mukherjee • Sep 30, 2022

 

If you're reading this blog post, you probably want to know what a DoS attack is and how it could affect your business. In short, a denial-of-service attack overwhelms a server, service or network with traffic or requests until legitimate users can no longer reach it.


A DoS attack can be incredibly frustrating and debilitating for the victim and for everyone who depends on them. The attacker's goal is to push a server or network past the point where it can function properly: flooding it with requests, exhausting its connection table, memory or bandwidth, or crashing the software outright. The result is lost productivity and revenue and, when an outage cuts off transactions or backups mid-flight, lost data. Fortunately, there are steps you can take to prevent or mitigate a DoS attack, and understanding how these attacks work is the first of them.

What is a Denial-of-Service (DoS) Attack?

A DoS attack is a type of cyberattack in which an attacker seeks to overload a server, service or network with traffic or requests, rendering it unavailable to legitimate users. The traffic can come from a single machine (a plain DoS) or from many machines at once (a distributed DoS, or DDoS, covered below), and it can be raw volume or a much smaller number of requests crafted to be expensive for the target to handle. Either way, the goal is to exhaust some finite resource (bandwidth, connection slots, CPU, memory) so the system can no longer do useful work. DoS attacks remain common because they are cheap to launch, need no vulnerability in the target and are effective at taking websites and other online services offline.

How Does a DoS Attack Work?

The main objective of a DoS attack is to make a server or network unavailable to users by overwhelming it. This is usually done in one of two ways: flooding the target with a large volume of requests, or crashing it with malformed input. Flooding is by far the more common. Flood attacks send far more traffic than a system can process, so its queues fill and genuine requests are dropped; common variants include the ICMP flood and the SYN flood described below. Crash attacks are rarer. They send specially crafted input that triggers a bug in the target software (for example a buffer overflow in a network service) so that the process crashes or hangs.


Flood attacks need no vulnerability in the target; they exploit the fact that network protocols commit the receiver to doing work for every message it gets. Consider the TCP handshake that takes place every time your browser opens a connection to a web server: the client sends a SYN, the server records the half-open connection and replies with a SYN-ACK, and the client completes the handshake with an ACK. In a SYN flood the attacking computer sends hundreds or thousands of SYNs per second, usually with forged source addresses, and never sends the final ACK. The server dutifully allocates state and waits for each one; once its table of half-open connections is full, SYNs from real users are dropped and the service appears dead even though the machine itself is still running.

Common Types of DoS Attacks

Buffer Overflow


A buffer overflow occurs when a program writes more data into a fixed-size memory buffer than the buffer was allocated to hold, overwriting whatever lies beyond it. Used for denial of service, the attacker sends an oversized or malformed message to a network service that parses input carelessly; the overflow corrupts memory and the process crashes or hangs. This is the classic crash attack: one packet can take down a service that a flood would need gigabits of traffic to overwhelm. Bounds checking, memory-safe languages and fuzzing of network-facing parsers are the defences.


ICMP Flood


An ICMP flood, or ping flood, simply sends ICMP echo requests faster than the target can answer them, consuming its bandwidth and CPU on replies. The smurf attack is an amplified variant that takes advantage of misconfigured networks: the attacker sends echo requests with the victim's address forged as the source to a network's broadcast address, so every host on that network replies to the victim at once. The intermediate network effectively multiplies the attacker's traffic. Routers that drop directed broadcasts and hosts that ignore broadcast pings (on Linux, net.ipv4.icmp_echo_ignore_broadcasts=1) close the hole, and rate-limiting ICMP at the network edge blunts plain ping floods.


SYN Flood


A SYN flood is a type of DoS attack that floods the target with TCP SYN packets. Also known as a half-open attack, it saturates the server's queue of connections awaiting the third step of the three-way handshake: the attacker sends SYNs, often from spoofed addresses, and never answers the SYN-ACKs, so each entry sits in the backlog until it times out. Once the backlog on a listening port is full, the server drops new SYNs and legitimate clients cannot connect. Modern kernels mitigate this with SYN cookies, which let the server answer SYNs without storing any state until the client's ACK proves it is real (on Linux, net.ipv4.tcp_syncookies=1).
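The backlog exhaustion described in the handshake walkthrough above and in this section, together with the SYN-cookie defence, as an added simulation written for this post (not code from Threat Intelligence or from any operating system kernel). The StatefulListener, SynCookieListener and run_flood names, the backlog size of 128 and the 64-second cookie time slot are assumptions; real TCP stacks do the equivalent of this inside the kernel.

```python
import hashlib
import hmac
import random

# Added model of a TCP listener's SYN backlog (hypothetical names; not kernel code).
# Sources are (ip, port) tuples; ISNs are 32-bit initial sequence numbers.
MASK32 = 0xFFFFFFFF


class StatefulListener:
    """Classic behaviour: every SYN gets a half-open entry until its ACK arrives."""

    def __init__(self, backlog, syn_timeout=60.0):
        self.backlog = backlog
        self.syn_timeout = syn_timeout
        self.half_open = {}        # src -> (server_isn, expiry)
        self.established = set()

    def on_syn(self, src, client_isn, now):
        self._expire(now)
        if len(self.half_open) >= self.backlog:
            return None                                  # backlog full: SYN dropped
        server_isn = random.getrandbits(32)
        self.half_open[src] = (server_isn, now + self.syn_timeout)
        return server_isn                                # carried in the SYN-ACK

    def on_ack(self, src, client_isn, ack_num, now):
        entry = self.half_open.get(src)
        if entry is None or ack_num != (entry[0] + 1) & MASK32:
            return False
        del self.half_open[src]
        self.established.add(src)
        return True

    def _expire(self, now):
        self.half_open = {s: e for s, e in self.half_open.items() if e[1] > now}


class SynCookieListener:
    """SYN cookies: the server stores nothing on SYN. The SYN-ACK's ISN is a keyed hash
    the client must echo back (+1) in its ACK; only then is a connection created."""

    def __init__(self, secret, slot_seconds=64):
        self.secret = secret
        self.slot_seconds = slot_seconds
        self.established = set()

    def _cookie(self, src, client_isn, slot):
        msg = f"{src[0]}:{src[1]}:{client_isn}:{slot}".encode()
        tag = hmac.new(self.secret, msg, hashlib.sha256).digest()
        # 8 bits of time slot + 24 bits of keyed hash = one 32-bit ISN
        return ((slot & 0xFF) << 24) | int.from_bytes(tag[:3], "big")

    def on_syn(self, src, client_isn, now):
        return self._cookie(src, client_isn, int(now // self.slot_seconds))

    def on_ack(self, src, client_isn, ack_num, now):
        # The ACK segment carries seq = client_isn + 1, so the server can recompute the cookie.
        echoed = (ack_num - 1) & MASK32
        slot = int(now // self.slot_seconds)
        for s in (slot, slot - 1):            # a cookie stays valid for about two slots
            if (s & 0xFF) == echoed >> 24 and self._cookie(src, client_isn, s) == echoed:
                self.established.add(src)
                return True
        return False                          # stale or forged cookie: no state was consumed


def run_flood(listener, n_spoofed, now=1000.0):
    """Send n_spoofed SYNs from distinct spoofed sources that never ACK (their SYN-ACKs go
    to hosts that did not ask for them), then attempt one legitimate handshake.
    Returns True if the legitimate client reaches ESTABLISHED."""
    for i in range(n_spoofed):
        spoofed = (f"198.51.100.{i % 256}", 1024 + i)   # constructed, documentation range
        listener.on_syn(spoofed, random.getrandbits(32), now)
    legit, client_isn = ("203.0.113.10", 40000), 12345
    server_isn = listener.on_syn(legit, client_isn, now + 1)
    if server_isn is None:
        return False                           # SYN dropped: denial of service
    return listener.on_ack(legit, client_isn, (server_isn + 1) & MASK32, now + 2)


if __name__ == "__main__":
    print("stateful, backlog 128, 200 spoofed SYNs:",
          run_flood(StatefulListener(backlog=128), 200))
    print("SYN cookies,           200 spoofed SYNs:",
          run_flood(SynCookieListener(secret=b"rotate-me"), 200))
```

With the stateful listener, 200 spoofed SYNs fill a 128-entry backlog and the genuine client's SYN is dropped until entries time out; with cookies the server never stores a half-open entry, so there is nothing to fill, and a forged or expired cookie simply fails verification. Real stacks also cap the backlog (Linux: net.ipv4.tcp_max_syn_backlog) and fall back to cookies only once it overflows.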


Slowloris


Slowloris is a low-bandwidth DoS attack that ties up a web server with partial HTTP requests. The attacker opens as many connections to the target as it can and keeps each one alive by sending a few more bytes of header (another header line, never the blank line that ends the request) every few seconds, just before the server's idle timeout would fire. Each connection occupies a worker thread or connection slot while the server waits for a request that will never be completed. When every slot is held, real visitors are refused; the server does not crash, it simply has nothing left to serve them with. Servers that dedicate a process or thread to each connection (such as Apache in its prefork configuration) are the most exposed. Defences include a deadline for completing the request header (Apache's mod_reqtimeout), a limit on concurrent connections per client IP, and fronting the server with an event-driven reverse proxy.
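To make the slot-exhaustion mechanism concrete, here is an added discrete-time model written for this post, not code from the original or from any web server. The WebServer, Conn and slowloris names, the 150-worker pool, the 300-second idle timeout, the 20-second header deadline and the per-IP cap of 10 are assumptions chosen to resemble a default Apache prefork setup; nothing here opens a socket.

```python
from dataclasses import dataclass

# Added model of a thread-per-connection web server facing Slowloris (hypothetical names).
# Times are seconds in a discrete simulation; no network I/O takes place.


@dataclass(eq=False)
class Conn:
    ip: str
    opened_at: float
    last_byte_at: float
    header_done: bool = False


class WebServer:
    def __init__(self, max_workers, idle_timeout=300.0, header_deadline=None, max_per_ip=None):
        self.max_workers = max_workers
        self.idle_timeout = idle_timeout          # classic "Timeout": reset by any byte received
        self.header_deadline = header_deadline    # max seconds allowed to finish the request header
        self.max_per_ip = max_per_ip              # concurrent connections permitted per client IP
        self.conns = []

    def accept(self, ip, now):
        self.reap(now)
        if len(self.conns) >= self.max_workers:
            return None                           # every worker is busy: client is turned away
        if self.max_per_ip is not None and sum(c.ip == ip for c in self.conns) >= self.max_per_ip:
            return None
        conn = Conn(ip, now, now)
        self.conns.append(conn)
        return conn

    def on_bytes(self, conn, now, header_complete):
        conn.last_byte_at = now                   # any byte at all keeps the idle timer alive
        if header_complete:
            conn.header_done = True

    def reap(self, now):
        def alive(c):
            if now - c.last_byte_at > self.idle_timeout:
                return False
            if (self.header_deadline is not None and not c.header_done
                    and now - c.opened_at > self.header_deadline):
                return False                      # header never finished in time: drop it
            return True
        self.conns = [c for c in self.conns if alive(c)]


def slowloris(server, attacker_ip, n_conns, duration, tick=10.0):
    """Attacker holds up to n_conns connections open, sending one partial header line
    every `tick` seconds and never the blank line that ends the header. After `duration`
    seconds a legitimate client tries to connect; returns True if it gets a worker."""
    held, now = [], 0.0
    while now <= duration:
        while len(held) < n_conns:                           # (re)open connections
            c = server.accept(attacker_ip, now)
            if c is None:
                break
            held.append(c)
        for c in held:
            server.on_bytes(c, now, header_complete=False)   # e.g. "X-a: b\r\n"
        now += tick
        server.reap(now)
        held = [c for c in held if c in server.conns]        # forget any the server closed
    legit = server.accept("203.0.113.5", now)
    if legit is None:
        return False
    server.on_bytes(legit, now, header_complete=True)
    return True


if __name__ == "__main__":
    print("idle timeout only:      legit client served =",
          slowloris(WebServer(150), "198.51.100.7", 200, 600))
    print("header deadline + cap:  legit client served =",
          slowloris(WebServer(150, header_deadline=20.0, max_per_ip=10), "198.51.100.7", 200, 600))
```

The first configuration never frees a slot because every connection is "active" by the idle-timeout rule; the second closes each unfinished request after 20 seconds and never lets one address hold more than 10 workers, so the attacker is confined to a small corner of the pool. The header deadline alone is not enough: without the per-IP cap an attacker can refill all 150 slots every 20 seconds.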

 

What is the Difference Between a DDoS Attack and a DoS Attack?

In a distributed denial-of-service attack (DDoS), the attacker controls many machines and directs all of them to send traffic to the target at once. The traffic is typically generated by malware installed on the attacking machines, which together form a botnet: a network of infected computers (or, as with Mirai, IoT devices) under the attacker's command. A botnet can generate far more traffic than any single machine, and because that traffic arrives from thousands of addresses it is much harder to filter out. A plain DoS attack, on the other hand, uses a single machine to generate the attack traffic.


The underlying attack methods are the same in both forms; they differ in the number of machines, and therefore the volume of traffic, behind them. That difference matters for defence: a single-source DoS can often be stopped by filtering one address, whereas a DDoS from thousands of sources is much harder to separate from legitimate traffic.


Signs of a DoS Attack

A denial-of-service attack is not always easy to diagnose: a large flood announces itself, but a low-rate application-layer attack can look like an ordinary capacity problem and go unrecognised for a long time. Many signs indicate that a site is under attack, but not all of them are specific to a denial-of-service attack, so confirm them against your logs and traffic baselines. Here are some signs to look for if you think you're experiencing a DoS attack:

 

  • High volumes of traffic directed to the site, far above the normal baseline for that time of day and often concentrated on one URL or coming from a small set of source addresses
  • Abnormal network activity
  • Unexpected activity on the target system
  • High CPU or memory usage
  • Unusual loss of connectivity among devices connected to the same network
  • Slow page loading times
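The first sign on that list is the one a log-based check can catch mechanically. Below is an added Python example written for this post, not a Threat Intelligence tool: it parses common-log-format access log lines and flags both windows whose request count spikes above the baseline and single sources that exceed a per-window threshold. The thresholds, the function names and the sample log (constructed, using documentation addresses only) are assumptions.

```python
import re
import statistics
from collections import Counter
from datetime import datetime, timedelta, timezone

# Added example (hypothetical names): flag traffic spikes and single-source floods in an
# Apache/nginx-style access log. The thresholds are assumptions to tune per site.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)')


def parse_line(line):
    """Return {'ip','ts','req','status'} for a common-log-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "req": m.group("req"), "status": int(m.group("status"))}


def analyze(lines, window_s=60, per_ip_threshold=300, spike_factor=5):
    """Bucket requests into fixed windows. A source is 'noisy' when it exceeds per_ip_threshold
    requests in one window; a window is a 'spike' when its total exceeds spike_factor times
    the median window total, which serves as the baseline."""
    per_window = Counter()
    per_source = Counter()
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue                                   # malformed line: skip, do not crash
        w = int(e["ts"].timestamp()) // window_s * window_s
        per_window[w] += 1
        per_source[(e["ip"], w)] += 1
    baseline = max(statistics.median(per_window.values()), 1) if per_window else 1

    def iso(w):
        return datetime.fromtimestamp(w, tz=timezone.utc).isoformat()

    noisy = sorted((ip, iso(w), n) for (ip, w), n in per_source.items() if n > per_ip_threshold)
    spikes = sorted((iso(w), n) for w, n in per_window.items() if n > spike_factor * baseline)
    return {"baseline_per_window": baseline, "noisy_sources": noisy, "spike_windows": spikes}


def _fmt(ip, ts, req, status, size):
    return f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] "{req}" {status} {size}'


def build_sample_log():
    """Constructed sample, not real traffic: three quiet minutes of browsing from four
    addresses, then a fourth minute in which 198.51.100.23 hits /login 500 times."""
    base = datetime(2022, 9, 30, 12, 0, 0, tzinfo=timezone.utc)
    quiet = ["203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13"]
    lines = []
    for minute in range(4):
        for i in range(20):
            ts = base + timedelta(minutes=minute, seconds=3 * i)
            lines.append(_fmt(quiet[i % 4], ts, "GET /index.html HTTP/1.1", 200, 5120))
    for i in range(500):
        ts = base + timedelta(minutes=3, seconds=0.12 * i)
        lines.append(_fmt("198.51.100.23", ts, "GET /login HTTP/1.1", 200, 512))
    return lines


if __name__ == "__main__":
    report = analyze(build_sample_log())
    print("baseline requests per minute:", report["baseline_per_window"])
    print("noisy sources:", report["noisy_sources"])
    print("spike windows:", report["spike_windows"])
```

On the sample, the fourth minute carries 520 requests against a baseline of 20 and the single address that generated 500 of them is named, which is the evidence needed before blocking an address at the firewall. Against a DDoS the per-source check goes quiet while the window spike still fires, which is itself a useful signal: a spike with no dominant source means filtering by address will not help.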

Real-Life Examples of DoS Attacks

The first major and infamous denial of service on the internet was the Morris Worm, released on 2 November 1988 by Cornell graduate student Robert Tappan Morris (the name was given by others, after its author). The worm was not written as a DoS tool, but a flaw in its spreading logic caused it to re-infect machines again and again until they ground to a halt under the load; an estimated 6,000 computers were affected, including university, research and military systems. At the time the TCP/IP internet was only a few years old (the ARPANET had switched to TCP/IP on 1 January 1983) and connected tens of thousands of hosts.


A more recent example of a DoS attack is the Mirai botnet. Mirai is malware that infects IoT devices such as cameras and home routers by logging in with factory-default credentials and turns them into zombie computers, or bots, that can be controlled remotely. The bots are then used to launch DDoS attacks. On 21 October 2016, Mirai-infected devices were used in the massive attack on Dyn, a company that provides DNS services; Dyn estimated that up to 100,000 malicious endpoints took part. Because so many sites depended on Dyn for name resolution, the attack made major websites such as Twitter, Netflix and Reddit unreachable for much of the day.

Conclusion

With the ever-growing likelihood of a DoS attack, organizations must be vigilant in their preparation. Threat Intelligence provides best practices and expert consulting on information security, privacy, and risk management in order to protect organizations from cyber-crime and data theft. If you’re looking for a solution against DoS attacks and other cyberattacks, contact our team today.
