What Is a Denial of Service Attack (DoS)?

What Is a Denial of Service Attack (DoS)?

The world of cybersecurity is ever-evolving, with new threats appearing almost every day. Denial of service (DoS) attacks are not new, but they can have a serious impact on a wide variety of services. Estimates suggest there are thousands of DoS attacks happening every single day and the numbers keep increasing. Their goal is to interrupt a device’s or service’s normal functioning.

When these attacks are successful, legitimate users won’t be able to access the service. Stopping such an attack once it happens is possible, but not always easy, which is why they can cost organizations a lot of time and money. Here’s everything you need to know about DoS attacks.

What Is a Denial of Service (DoS) Attack?

A denial of service (DoS) attack is a cyber attack that aims to make a device, service, network, or other information system unavailable to legitimate users. The hacker uses a single machine and typically floods the target with an extremely high number of requests. Eventually, the target machine can no longer process normal traffic.

When thinking of a cyber attack, for many people what comes to mind is someone trying to access data illegally. A DoS attack is not necessarily about accessing or stealing someone else’s data. The goal, in most cases, is to block users from accessing a service. Revenge, competition, extortion, and even activism are some reasons people resort to DoS attacks.

Sometimes, denial of service attacks serve as a precursor to other, more severe attacks. Once a device or service becomes inactive, the attackers can infiltrate other areas of the system and attempt to install malware with the aim of conducting a bigger attack in the future.

How Do DoS Attacks Differ from Distributed Denial of Service (DDoS) Attacks?

A distributed denial of service (DDoS) attack is a type of DoS attack that uses several distributed machines to launch the attack instead of a single machine.

DoS attacks come from one IP and are relatively easy to counter. DDoS attacks come from multiple IPs, which makes them more difficult to stop.

When the attack comes from distributed sources, it can be much harder to differentiate malicious traffic from normal traffic. As a result, DDoS attacks are harder to detect before they cause real damage. With a DoS attack, only one machine needs to be detected and stopped.

Types of DoS Attacks

Denial of service attacks are usually divided into two categories:

  • Buffer overflows, which crash web-based services. This is the most common type of DoS attack. The hacker drives high traffic and data to a network point. To handle the traffic, the system will need to use all its resources and memory, eventually causing it to crash.
  • Flood attacks, which flood services and devices. These attacks are carried out by sending high volumes of data packets, connection requests, and other types of traffic to a network or system.

Both types come with several other subtypes.

Types of Buffer Overflow Attack

The most notable buffer overflow attacks include:

  • Stack overflow. Here, the attacker sends more information to a device, program, or network than it can handle. The program will respond by using an area of the memory called “the stack.” When the stack is full, information can overflow to other parts of the program until it crashes.
  • Unicode overflow. This type of attack is designed specifically for programs that process text. The program usually expects to receive ASCII. Instead, the attacker sends Unicode characters beyond the program’s capacity. ASCII comprises 128 characters, the numbers, and letters you use every day. Unicode contains a much larger set of characters and symbols, up to 221 (roughly 2,000,000,) which won’t be readable to a program that expects ASCII. The extra text can overflow in other parts of the memory, causing the program to crash.

Types of Flood Attack

Flood attacks also come in different forms, such as:

  • ICMP flood. In this attack, the hacker hits the targeted network with a flood of Internet Control Message Protocol (ICMP) packets. ICMP is a protocol normally used to send error messages over the internet. When a network is flooded with such packets, it can’t handle any more legitimate traffic and may crash.
  • SYN flood. Here, the attacker tries to overwhelm a network by flooding it with connection requests; namely SYN packets. Devices communicate over the internet through the TCP protocol. To start the communication, one device will send an SYN (synchronize) packet to the others. To respond, the other device sends an SYN-ACK (synchronize-acknowledge) packet. During an SYN Flood attack, the attacker sends many SYN packets but never responds to SYN-ACK packets. The network begins slowing down, is unable to handle legitimate traffic, and could eventually crash.

Denial of Service Attack Examples

Denial of service attacks have a long history. The first documented attack of this kind is the Robert Morris worm attack that took place in 1988. The worm installed itself on systems connected to the internet, triggering DoS attacks and buffer overflows. At the time, there weren’t many computers connected to the internet and most were used in academia and research. However, estimates suggest up to 10% of the computers in the US were affected. Since then, these attacks have evolved, but their goal has stayed the same: limiting users’ access to certain services or devices.

Among recent examples, the most significant one is an attack from 2019—the DoS ransomware attack that affected Baltimore. During the attack, many of the city’s critical systems were taken down, including email systems, bill payment services, and even the 911 emergency dispatch. Over 1,000 home sales had to be delayed as a result of the attack.

From DoS to DDoS Attacks

Today, DoS attacks are not that popular anymore. Because they come from a single IP, they are fairly easy to counter with modern technologies. They can still happen, but most companies are ready to stop them within minutes or even seconds.

DDoS attacks, on the other hand, are more prevalent and still pose a huge danger. As an example, we had a 650 Gbps attack on our infrastructure in January 2023. Cybercriminals tried to take down a service belonging to one of our clients. The incident lasted for fifteen minutes, after which the attack stopped because we prevented any losses for our client, meaning the attack was ineffective.

An older, infamous example is the attack against GitHub on February 28, 2018. The attack originated from tens of thousands of points and managed to take GitHub down for 10 minutes. Another major DDoS attack happened in June 2022 and targeted a Chinese telecommunications company. The attack lasted a total of four hours, during which time 25.3 billion requests were sent. The hackers used a botnet with 170,000 IPs and managed to compromise servers located in 180 countries.

Preventing DoS Attacks

As the saying goes, prevention is better than cure. It’s true for your health and certainly true when it comes to DoS attacks. Preventing an attack is almost always easier than trying to stop one that’s already in progress. Here are a few easy steps to reduce the likelihood of experiencing a denial of service attack.

1. Use a Firewall

A firewall may sound like a simple solution, but can be very effective. In fact, the simplicity of it means many people overlook this step. If you manage a large network with a large number of people connecting to it—such as a workplace—make sure that everyone understands the importance of using a firewall.

This tool may not be completely bulletproof, but it can help block out much of the unwanted traffic. It may also spot suspicious activity and unauthorized traffic sources, making a DoS attack less likely to be successful.

2. Limit Connections

Many DoS attacks come from perfectly harmless-looking sources. One way to counter this is by limiting the number of connections that can come from a single IP address in a given time period. This can help prevent flooding attacks from one IP address, though DDoS attacks could still be successful.

3. Consider Network Segmentation

Network segmentation—splitting large networks into smaller ones—helps reduce the impact of a denial of service attack. To achieve this, you can create several VLANs and firewalls that will help limit the spread of the attack.

DoS attacks can still happen, but they will only affect one segment. The other parts of the network will keep working, reducing the damage to your services and the users. Network segmentation could even allow you to end the attack sooner by limiting the attack’s potential spread.

4. Use Load Balancing

Load balancing is a similar concept to network segmentation. In this case, though, you’re distributing traffic across multiple servers. If one server is overloaded or becomes unresponsive, the load balancer will send the traffic to another server.

5. Use Intrusion Detection and Prevention Systems

Intrusion detection and prevention systems to analyze incoming traffic and look for suspicious patterns. They can also limit the number of connections within a time frame from a certain IP if they detect unusual traffic coming from that source. They can be useful in preventing various types of malicious attacks, including DoS and DDoS attacks.

6. The Power of Education

When users are aware of potential DoS attacks, how they look, and when they can happen, prevention becomes easier. You can’t prevent something if you don’t know what it looks like or that it even exists!

Not every person has the knowledge to understand all the intricacies of DoS attacks, but by being aware of them and their potential risks, they can take simple, small steps to prevent them. For example, they can become more diligent with keeping their software updated, using strong passwords and changing them periodically, and using a firewall. Education is key to ensuring broad implementation of basic steps to prevent DoS attacks.

7. Conduct Periodic Penetration Tests

Penetration testing (pen testing) can help you spot vulnerabilities in your systems. These may not be visible “to the naked eye,” but you can be sure hackers will find them sooner or later, and use them against you.

Conducting periodic pen tests will help you stay one step ahead of attackers and address vulnerabilities before attackers can target them.

Mitigating DoS Attacks—What to Do if You’ve Already Been Hit?

Prevention is king, but sometimes hackers can exploit the smallest vulnerabilities, and attacks happen. It’s very difficult to stop a denial of service attack entirely. However, there are a few ways to mitigate and reduce their impact on your systems.

1. Traffic Filtering

Filtering can be effective both as prevention and mitigation. When you know you’re being flooded with unwanted traffic, filtering can be an effective solution to stop it in its tracks.

The filter will check all incoming traffic and make sure that only legitimate sources are allowed in. Sometimes it won’t stop the flood entirely, but it can reduce its load on your system, preventing it from becoming unavailable or crashing.

2. Scrubbing Services

Scrubbing services are like the cleaning crew that comes after the party. Their role is to check all existing traffic and remove malicious sources, while allowing legitimate traffic to continue.

Scrubbing centers are effective against all denial-of-service attacks—both DoS and DDoS. For example, scrubbing techniques stopped one of the most famous DDoS attacks of the past few years—the 2018 attack against GitHub. The traffic directed at GitHub was redirected to other data centers, where it was then “scrubbed.” As a result, only the legitimate traffic remained, and GitHub services were once again available.

3. Blackhole Routing

Blackhole routing means redirecting traffic to a null route, or a “black hole.” It is effective whenever a network is flooded with traffic from one or several IP addresses.

This technique has one major downside: it doesn’t always differentiate between malicious and legitimate traffic. In other words, you could be stopping access to your services for real users. It can still be a quick and effective way to mitigate a DoS attack in progress, though most agree it is not a great tool for prevention.

4. Encrypt Data and Use Backups

Encryption and backups will not stop a cyber attack in its tracks, but they are life savers if you do experience a DoS attack. They will reduce the risk of damage or theft, which can sometimes occur during or immediately after a DoS attack. Plus, if some of your systems do become unresponsive or corrupt, a backup will minimize your losses and will help you restore your workflow quickly.

How to Know if You’re Experiencing a DoS Attack?

Acting quickly is essential when you’re experiencing a DoS attack, but to do that, you must know what one looks like. The answer will vary slightly depending on your systems, any preventative measures you have in place, and the type of attack. But there are a few telltale signs that can help you recognize a denial of service attack.

1. Slow or Unresponsive Network

Before systems crash, they start slowing down for no apparent reason. You may notice that it’s taking longer to load websites, download files, or even send emails. If there’s no other reason for the slowdown, you may be experiencing a DoS attack.

2. Websites or Services Become Unavailable

Sometimes the network doesn’t crash all at once. You may have certain preventative measures like segmentation or load balancing that help reroute floods of traffic. Instead, you may notice that certain services become unavailable.

For example, your email could suddenly become unavailable. If you’re not having connectivity or other server issues, it is possible that your email server is being targeted by a DoS attack.

3. Unusual Network Traffic

Unusual and unexpected network traffic is never a good sign. Systems will soon become slow or unresponsive, and it won’t be long until no one can access any services.

A firewall can usually spot unusual network traffic and even stop it. If it doesn’t, you may need to start considering DoS attack mitigation tools like traffic filtering.

4. High CPU or Memory Usage

Certain DoS attacks—like buffer overflows—affect the memory of the systems they target. The first signs will usually include a slower-than-normal system and unresponsive programs. These issues can have other causes, though. High CPU usage could simply be an incompatible program, for instance, while unresponsive services could be caused by a connectivity issue.

You will need to keep an eye on your systems at all times and double-check every time you’re experiencing what could be symptoms of a DoS attack. Connectivity, software, or hardware issues will usually be easy to find and will cease once the culprit is identified and remedied, whereas a DoS attack will get worse until it is stopped.

Conclusion

A denial of service attack prevents legitimate users from accessing a device, service, or network. The disruption can have serious consequences for users and businesses alike and include loss of revenue, reputation, and sensitive data.

DoS attacks come in many forms, including buffer overflows and flooding, with the attack having a single source. You may also encounter distributed denial of service attacks. These are similar to DoS attacks, but they come from multiple IPs, which makes them harder to detect and stop.

The good news is there are ways to prevent DoS attacks. Some are more simple, like using a firewall and educating users about what DoS attacks look like. Others are more complex and involve using load balancing techniques, intrusion detection and prevention systems, encryption, and pen testing.

Keep your systems secure against DoS and DDoS attacks with Gcore’s DDoS protection solution. It can keep your services, apps, and websites safe, and has over 1 Tbps total filtering capacity. Connect with one of our experts to learn more.

What Is a Denial of Service Attack (DoS)?

Subscribe
to our newsletter

Get the latest industry trends, exclusive insights, and Gcore
updates delivered straight to your inbox.