Nowadays, it’s essential to prepare for various dangers that lurk online. Without adequate preparation, attackers could easily infiltrate systems and manipulate or incapacitate them. A classic form of attack is the DoS attack. What exactly is it, and how can we protect ourselves against it?

What is DoS (denial of service)?

Originally, denial of service (DoS) meant that specific internet services on an IT system (e.g. on a server) were not available for a limited time. This can happen when the relevant servers are overburdened – because of too many user requests, for instance. Examples of internet services include websites, email services, and chat functions.

In a DoS attack, the attacker intentionally causes the “denial of service.” They do this by “bombarding” an IT system’s network connections – which are responsible for the exchange of external data – with an immense number of requests, which end up overburdening it. If the number of requests rises above the capacity limit, the system slows or crashes completely, which means that websites, email features, or online shops, for example, can no longer be called up by users.

A DoS attack is more or less comparable with a real-life store that hundreds of people crowd into. Shoppers distract sales personnel with misleading questions and block resources, but make no purchases in the end. The sales staff is overburdened to the point of collapse, and actual customers are no longer able to enter the shop or be served by anyone.

In principle, pure DoS attacks are relatively simple to carry out. That’s because it’s not necessary to infiltrate secure IT systems. Even those with small budgets or little to no technical expertise can carry out an illegal attack – on a competitor, for example. Cyber criminals offer this type of attack on the dark net for as little as a few hundred euros. If companies and organizations are not prepared for DoS attacks, maximum damage can be caused with minimal effort.

How to detect a DoS Attack

A possible indication that someone has been the victim of a denial of service attack is unusually slow performance over the entire network, which is especially noticeable when opening files or your own websites. A successful DoS attack is easy to spot: attacked websites take a very long time to load and certain features such as shop systems don’t function at all. At the peak of an attack, a website won’t be reachable.

You can determine whether you’ve fallen victim to a DoS attack by observing and analyzing the network traffic (network traffic monitoring and analysis). You can do this either with the help of a firewall or by using an intrusion detection system that has been specifically installed for this purpose. Network administrators have the option of setting rules for the detection of “abnormal” traffic. Should the number of suspicious requests to the system increase, the alarm is automatically raised, which means that countermeasures can be taken.
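The kind of “abnormal traffic” rule described above, as an added example that is not part of the original article: a sliding-window request counter over web-server style log lines, raising one alert when a single source, or the site as a whole, exceeds a configured request rate. The log lines, IP addresses and thresholds are constructed for the example.

```python
from collections import defaultdict, deque

# Constructed log lines in the form "<unix_time> <client_ip> <method> <path>".
# Hand-built sample data, not captured traffic; lines are in time order.
SAMPLE_LOG = (
    ["1700000000 203.0.113.10 GET /index.html",
     "1700000002 203.0.113.11 GET /shop",
     "1700000003 203.0.113.10 GET /cart"]
    # one source hammering the shop page: 10 requests per second for 6 seconds
    + [f"{1700000004 + i // 10} 198.51.100.7 GET /shop" for i in range(60)]
    + ["1700000011 203.0.113.12 GET /contact"]
)

def parse_line(line):
    ts, ip, _method, path = line.split(" ", 3)
    return int(ts), ip, path

def detect_floods(lines, window=5, per_source_limit=30, total_limit=100):
    """Sliding-window request-rate rule.

    Alerts when one source, or the whole site, sends more than the allowed
    number of requests inside `window` seconds. Returns a list of
    (timestamp, rule, subject) tuples, de-duplicated per subject so an
    ongoing flood yields one alert instead of one per packet.
    Input must be sorted by timestamp (as a log file normally is).
    """
    per_source = defaultdict(deque)   # ip -> timestamps inside the window
    overall = deque()                 # all timestamps inside the window
    alerts, alerted = [], set()
    for ts, ip, _path in (parse_line(line) for line in lines):
        for q in (per_source[ip], overall):
            q.append(ts)
            while q and ts - q[0] >= window:   # drop entries older than window
                q.popleft()
        if len(per_source[ip]) > per_source_limit and ("source", ip) not in alerted:
            alerted.add(("source", ip))
            alerts.append((ts, "per-source rate exceeded", ip))
        if len(overall) > total_limit and ("total", "*") not in alerted:
            alerted.add(("total", "*"))
            alerts.append((ts, "site-wide rate exceeded", "*"))
    return alerts

if __name__ == "__main__":
    for ts, rule, subject in detect_floods(SAMPLE_LOG):
        print(f"{ts} ALERT {rule}: {subject}")
```

The site-wide rule matters for distributed floods, where no single source crosses the per-source limit but the aggregate does.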

In technical terms, how are denial of service attacks carried out?

There are highly diverse types of DoS attacks that can be roughly classified into attacks against the bandwidth, attacks against system resources, and attacks that exploit security gaps and software errors. How attackers proceed during a denial of service attack and which measures can help systems safeguard against it is best explained using the example of a “Smurf” attack.

A Smurf attack is a specific type of DoS attack that targets the operating system or the computer system’s internet connection or network. In doing so, the attacker sends pings, ICMP data packets of the “echo request” type, to a network’s broadcast address. In these data packets, the attacker enters the address of the system that they are targeting as the sender. Subsequently, all computers in the network respond to the system being targeted with the assumption that the requests originated from it. The more computers belong to the network being utilized by the attacker, the more “responses” are directed at the target. The higher the number, the stronger the attack.

Nowadays, in order to prevent Smurf attacks, the standard configuration of systems is to no longer respond to ICMP packets of the “echo request” type sent to broadcast addresses, and for routers to no longer forward packets directed to broadcast addresses. Thanks to these general security measures, successful Smurf attacks have become rare.
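An added example, not from the original article, of auditing the host-side part of that standard configuration: on Linux the setting is the real sysctl key `net.ipv4.icmp_echo_ignore_broadcasts` (1 means broadcast echo requests are ignored, so the host cannot be enlisted as an amplifier). The two configuration fragments are constructed; the parser honours sysctl’s last-assignment-wins rule so a hardening line appended below an older weak one is judged correctly.

```python
import re

# Real Linux kernel key; value "1" = ignore ICMP echo requests sent to broadcast addresses.
KEY = "net.ipv4.icmp_echo_ignore_broadcasts"

# Constructed sysctl.conf-style fragments (not taken from any real system).
WEAK_CONF = """
# answers broadcast pings: host can be used as a Smurf amplifier
net.ipv4.icmp_echo_ignore_broadcasts = 0
net.ipv4.ip_forward = 0
"""

HARDENED_CONF = """
net.ipv4.icmp_echo_ignore_broadcasts = 0
; later assignments override earlier ones, exactly as sysctl applies them
net.ipv4.icmp_echo_ignore_broadcasts = 1
"""

def parse_sysctl(text):
    """Return {key: value} from sysctl.conf text, skipping # and ; comment lines.

    Later assignments win; keys written with '/' separators are normalised to '.'.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^([\w./]+)\s*=\s*(.*)$", line)
        if m:
            settings[m.group(1).replace("/", ".")] = m.group(2).strip()
    return settings

def audit_smurf_hardening(text):
    """Return (ok, message) for the broadcast-echo setting in the given config."""
    value = parse_sysctl(text).get(KEY)
    if value is None:
        # Not set in this file: the running kernel value decides, so it must be
        # checked on the host (e.g. with `sysctl` or /proc/sys) rather than assumed.
        return False, f"{KEY} not set in config; verify the running kernel value"
    if value == "1":
        return True, f"{KEY} = 1: broadcast echo requests are ignored"
    return False, f"{KEY} = {value}: host would answer broadcast pings"

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        ok, msg = audit_smurf_hardening(conf)
        print(f"{name:9s} {'PASS' if ok else 'FAIL'}  {msg}")
```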

Fact

Successful DoS attacks still occur in a similar way even today. The network being attacked is overwhelmed with data packets and must cease operation as a result.

Measures against DoS attacks

In order to safeguard your infrastructure against denial of service attacks, certain measures can be adopted. Routers should be correctly configured and secured using strong passwords. By installing blocking measures, many DoS attacks can be prevented. This means attack packets are not granted access to the internal infrastructure at all. A good firewall ensures additional security.

If you have noticed that you are the target of an attack, you can also use a number of other resources. Through load balancing, short-term additional capacity can be requested from your hosting provider, for example, so that the attack fails.

For a more detailed overview of measures, read our article on the differences between DDoS and DoS attacks.

DDoS attacks: denial of service today

Most DoS attacks occur in the form of distributed denial of service attacks – or DDoS attacks for short. The essential difference between DDoS and DoS attacks is that while DoS attacks originate from a single source (e.g. a computer or a network), DDoS attacks are distributed indirectly via a botnet that is often widely ramified – hence the “distributed” designation.

A botnet is essentially a collection of hacked devices that are informally called zombies. Most of these are poorly maintained and the owners of the hacked computers often don’t notice that malware has been installed on their device or that it is being misused for cybercriminal activities. With this army of zombie computers, the operator of a botnet can carry out attacks against other IT systems.

There are botnets that consist of several million computers. If all of the computers are utilized in a DDoS attack, the number of malicious requests to one network can be enormous. This is one of the main reasons why websites such as Facebook, which have vast resources to prevent large-scale DDoS attacks, are not 100% safe.

Tip

Ensure that you are safe by using SSL certificates. SSL certificates guarantee that data exchanges are encrypted and won’t be viewed by third parties.
