Codepath

Denial of Service

Denial of Service (DoS) is an attack which denies authorized users access to a server, service, or resource to which they would normally expect to have access.

DoS is an explicit attempt to prevent legitimate users from using a service. The service itself may be intact, with no data stolen or altered, but if legitimate users cannot reach it, it is no longer available and must therefore be considered insecure.

Security has three fundamental goals: Confidentiality, Integrity, and Availability. While most attacks affect confidentiality or integrity, DoS is the canonical attack on availability.

DoS is usually accomplished by one of two techniques: Flooding and Crashing.

DoS Flooding is the result of overwhelming a system with more requests than it can handle. It could be sending so many page requests to a webserver that it becomes slow or unavailable. It could be an attempt to occupy every one of a limited number of connections to a server or database, so that nobody else can open one. It could be sending so much spam that a mail server cannot deliver legitimate mail. Or it can be an attack on infrastructure, such as sending so much traffic to routers that they become unable to route it.

DoS Crashing is the result of causing software or hardware to stop operating, essentially turning it off. Unlike flooding, this usually takes only a small amount of carefully crafted input: a malformed request that triggers a crash or an unhandled exception, or a request that makes the server exhaust a resource such as memory (for example, a message whose declared size causes the server to allocate far more memory than the attacker actually sent).
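The resource-exhaustion flavour of crashing is easiest to see in a parser for a length-prefixed message. The following is an added example, not code from the original page: a vulnerable parser that trusts a 4-byte length field and allocates whatever the peer declared, beside a hardened parser that caps the declared length before allocating. The frame format, the 64 KiB cap and the sample messages are all constructed for the illustration.

```python
import struct

# Constructed frame format (not from the page): a 4-byte big-endian length
# prefix followed by the payload the sender claims to have sent.
HEADER = struct.Struct(">I")
MAX_PAYLOAD = 64 * 1024  # hypothetical per-message cap used by the hardened parser


class MessageTooLarge(ValueError):
    pass


def make_message(payload: bytes, claimed_length: int = -1) -> bytes:
    """Build a frame; a non-negative claimed_length lets the sender lie about the size."""
    n = len(payload) if claimed_length < 0 else claimed_length
    return HEADER.pack(n) + payload


def parse_naive(data: bytes) -> bytes:
    """Vulnerable: trusts the peer-controlled length and allocates it up front.

    One 4-byte header can request a buffer of almost 4 GiB. If the payload is
    short, the server still reserves the whole buffer while waiting for the
    rest, so a handful of such frames exhausts memory."""
    (length,) = HEADER.unpack_from(data, 0)
    buf = bytearray(length)                       # allocation sized by the peer
    body = data[HEADER.size:HEADER.size + length]
    buf[:len(body)] = body
    return bytes(buf)


def parse_hardened(data: bytes) -> bytes:
    """Hardened: reject oversized declarations before allocating, and only
    keep the bytes that actually arrived."""
    if len(data) < HEADER.size:
        raise ValueError("truncated header")
    (length,) = HEADER.unpack_from(data, 0)
    if length > MAX_PAYLOAD:
        raise MessageTooLarge(f"declared {length} bytes, cap is {MAX_PAYLOAD}")
    body = data[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated body")
    return body


def rejected_by_hardened(data: bytes) -> bool:
    """True if the hardened parser refuses the frame (either ValueError subclass)."""
    try:
        parse_hardened(data)
    except ValueError:
        return True
    return False


def amplification(data: bytes) -> float:
    """Bytes the naive parser allocates per byte the attacker had to send."""
    (length,) = HEADER.unpack_from(data, 0)
    return length / len(data)


if __name__ == "__main__":
    honest = make_message(b"hello")
    print(parse_naive(honest), parse_hardened(honest))

    # 16 MiB declared, 5 bytes sent: the naive parser allocates 16 MiB anyway.
    lie = make_message(b"hello", claimed_length=16 * 1024 * 1024)
    print(f"naive allocates {len(parse_naive(lie))} bytes from a "
          f"{len(lie)}-byte frame (x{amplification(lie):.0f})")
    print("hardened rejects the lie:", rejected_by_hardened(lie))
```

The cap is the important part: the length field is data the attacker controls, so the only safe question to ask of it is "is this within what I am willing to hold for one client?", and that question has to be answered before any allocation happens. A 16 MiB lie is used here so the example runs quickly; in the real protocol the header allows values up to 2^32 - 1.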

The motives behind DoS vary, but typically they fall into three categories: revenge, extortion, activism.


Distributed Denial-of-Service (DDoS)

Most large DoS attacks are not performed by a single computer. The simple reason is that robust servers are designed to handle a lot of traffic, and overwhelming them takes more bandwidth and more connections than one computer can usually provide.

Distributed Denial-of-Service (DDoS) is a DoS attack carried out by hundreds or thousands of computers at the same time. These computers could be controlled by hundreds of humans, such as activists or members of Anonymous, or, far more commonly, they are bots: machines infected with malware and controlled as a botnet without their owners' knowledge. These attacks are much more powerful than a single attacker and can easily overwhelm a network or server. Some attacks have been measured at over 400 Gbit/s. Attackers usually spoof their source IP addresses to hide themselves and to defeat filtering that blocks requests from a particular IP.


DoS Preventions

The first response to a rapid increase in traffic, where it is possible, is to increase the system's capacity to handle it. After all, not every traffic spike is intentional or malicious. A prominent mention of a website in popular culture can send traffic through the roof for a normally low-traffic website.

But if the infrastructure cannot meet the demand, the choice is either to ignore all of the traffic or to try to sort through it so that "good" requests can still get through.

Ignoring all traffic is called "blackholing". All traffic to the target is routed to nowhere, a "null route". This stops the attack traffic from reaching the server and the rest of the network, but it also completes the attacker's job: the resource remains unavailable. ISPs frequently resort to blackholing to avoid harming other customers who share hardware or infrastructure with the targeted server.

"Sinkholing" is a less drastic measure than blackholing. All traffic is re-routed to another server (sometimes called a scrubbing center) which analyzes it, attempts to identify legitimate requests, and forwards only those on to the real service.

Another approach for keeping out "bad" traffic while letting "good" traffic through is filtering and rate limiting. Firewalls and Intrusion-Prevention Systems offer filtering based on source IP address or on particular attributes of the request itself ("request signatures"). They can also watch for repeated requests from an IP address or matching a request signature and limit the rate at which those requests are allowed. (Rate limiting is like saying "slow down or I can't have a conversation with you.") Because attackers spoof source addresses, per-IP filtering alone is rarely enough, which is why it is combined with signature matching. It is also possible to filter traffic before it reaches the server using "upstream filtering"; this is often a service performed by an ISP.
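The combination of signature filtering and per-IP rate limiting described above, as an added example that is not part of the original page: a token-bucket limiter per source IP, applied after a request-signature check, run over a constructed batch of request records. The sample traffic, the "LOIC" User-Agent substring used as a signature, and the bucket parameters (a burst of 10 requests, then 2 per second) are all assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed sample traffic (not from the page): (timestamp_seconds, client_ip, path, user_agent).
# 203.0.113.7 is a normal browser, 198.51.100.9 uses a flood tool, 192.0.2.44 hammers one path.
SAMPLE_REQUESTS = [
    (0.0, "203.0.113.7", "/", "Mozilla/5.0"),
    (0.1, "203.0.113.7", "/about", "Mozilla/5.0"),
    (0.2, "198.51.100.9", "/", "LOIC/1.0"),
    *[(0.3 + i / 100, "192.0.2.44", "/search?q=x", "python-requests/2.x") for i in range(40)],
    (0.8, "203.0.113.7", "/contact", "Mozilla/5.0"),
    (5.0, "192.0.2.44", "/", "python-requests/2.x"),
]

# Hypothetical request-signature list: User-Agent substrings of known flood tools.
BLOCKED_SIGNATURES = ("LOIC",)


class TokenBucket:
    """Allows a burst of up to `capacity` requests, then `rate` requests per second."""

    def __init__(self, capacity: float, rate: float, now: float):
        self.capacity = capacity
        self.rate = rate
        self.tokens = capacity   # bucket starts full
        self.last = now

    def allow(self, now: float) -> bool:
        # Refill in proportion to elapsed time, never above capacity.
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class RequestFilter:
    """Signature filter first (cheap, catches spoofed sources), then per-IP rate limit."""

    def __init__(self, capacity: float = 10, rate: float = 2.0):
        self.capacity = capacity
        self.rate = rate
        self.buckets: dict[str, TokenBucket] = {}

    def decide(self, ts: float, ip: str, path: str, user_agent: str) -> str:
        # The path is carried for realism; this signature list only inspects User-Agent.
        if any(sig in user_agent for sig in BLOCKED_SIGNATURES):
            return "drop:signature"
        bucket = self.buckets.get(ip)
        if bucket is None:
            bucket = self.buckets[ip] = TokenBucket(self.capacity, self.rate, ts)
        return "allow" if bucket.allow(ts) else "drop:rate"


def run(requests, capacity: float = 10, rate: float = 2.0) -> dict:
    """Apply the filter in arrival order; return {ip: {decision: count}}."""
    f = RequestFilter(capacity, rate)
    counts: dict = defaultdict(lambda: defaultdict(int))
    for ts, ip, path, ua in requests:
        counts[ip][f.decide(ts, ip, path, ua)] += 1
    return {ip: dict(c) for ip, c in counts.items()}


if __name__ == "__main__":
    for ip, decisions in run(SAMPLE_REQUESTS).items():
        print(f"{ip:>14}: {decisions}")
```

With these parameters the browser client's three requests all pass, the flood tool is dropped on signature before it touches a bucket, and the hammering client gets its first 10 requests through, has the next 30 dropped, and is allowed again once its bucket has refilled several seconds later. The refill is what distinguishes rate limiting from blocking: a client that slows down is served again without anyone having to unblock it.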
