DoS: attack patterns and countermeasures

When an online service isn’t available, it’s known in the IT world as ‘denial of service’ (DoS). A denial of service normally comes about when individual components of the IT infrastructure are overloaded. If this is caused deliberately by external parties, it’s referred to as a DoS attack: an attacker floods a targeted URL with so many requests that the server can no longer process them all, so network devices, operating systems and individual server services respond to requests only with a delay, if at all. An especially effective variant is one where the system is inundated with requests from many different computers. This is known as a DDoS attack; it differs from a simple DoS attack in that thousands of compromised computers (a botnet) are used rather than a single one.

What is DDoS?

A common form of DoS is the ‘distributed denial of service’ (DDoS). Instead of using just one computer, cyber criminals overload systems with requests from many computers, which are combined to form gigantic botnets. Such computer networks generate far more traffic than simple DoS attacks. DDoS attacks have drastic effects on those involved, and the prospects of locating the source of the attack are generally bleak. Attackers build botnets of this kind by planting special software agents on insufficiently protected computers, which can then be controlled remotely without the owner’s knowledge. This ‘infection’ sometimes happens months before the actual DDoS attack is carried out.

The goal of DoS and DDoS attacks

Unlike other cybercriminal intrusions, DoS and DDoS attacks don’t try to infiltrate a system; instead, they are often part of a larger attack. For example, paralysing one system can distract server operators from the fact that an attack is under way elsewhere on another system. If a system’s responsiveness is degraded by a DoS or DDoS attack, attackers also have the opportunity to tamper with requests to the overloaded system by supplying manipulated responses. The strategies underlying such attacks can be divided into three categories: bandwidth overload, system resource overload, and exploitation of software errors and security gaps.

Bandwidth overload

The aim of overloading the bandwidth is to make a computer inaccessible. Such DoS and DDoS attacks directly target networks and their connecting devices. A router can only process a certain amount of data at once. If this capacity is exceeded by an attack, the corresponding services are no longer available to other users. A typical DDoS attack designed to overload bandwidth is the Smurf attack.

  • Smurf attack: this DDoS attack takes advantage of the ‘internet control message protocol’ (ICMP), which is used to exchange status information and error reports in computer networks. The attacker sends manipulated ICMP Echo Request packets (ping) to the broadcast address of a network, using the target’s IP address as the sender address. The router forwards the broadcast request to all connected devices, which all send their response (pong) to the spoofed sender address. A large network with many connected devices can therefore massively impair the target’s bandwidth.

System resource overload

A DoS or DDoS attack can also target the resources of a system. Here attackers exploit the fact that a web server can only hold a limited number of connections at once; if these are tied up by invalid requests, the server is effectively blocked for regular users. This is known as ‘flooding’; examples are the ping flood, SYN flood and UDP flood.

  • Ping flood: in this type of attack, cyber criminals overload the server with ICMP Echo Request packets, usually sent on a massive scale by botnets. Since each request (ping) has to be answered with a data packet from the target system (pong), slower systems are overwhelmed by a ping flood.
  • SYN flood: this attack abuses the TCP three-way handshake. TCP (‘transmission control protocol’) is a network protocol that, together with IP, ensures reliable data transfer over the internet. A TCP connection is always set up in three steps: the client sends the server a synchronisation packet (SYN); the server acknowledges it with its own synchronisation packet (SYN) plus a confirmation (ACK); and the client completes the connection with a confirmation of its own (ACK). If this last step never happens, the server keeps the half-open connection in its working memory while it waits for the final confirmation. If a large number of such half-open connections accumulate due to SYN flooding, the available server resources are completely used up.
  • UDP flood: these attacks rely on the connectionless ‘user datagram protocol’ (UDP). Unlike transmission over TCP, data can be transferred via UDP without an established connection. In DoS and DDoS attacks, UDP packets are sent to random ports on the target system. The system tries, unsuccessfully, to determine which application is waiting for the delivered data and then sends an ICMP ‘destination unreachable’ packet back to the sender. If a system is strained by numerous requests of this kind, the resource overload can limit availability for regular users.

Exploiting software errors and security gaps

If an attacker finds security gaps in an operating system or program, they can craft DoS or DDoS requests that trigger a system crash. Examples of this type of attack are the ping of death and the LAND (local area network denial) attack.

  • Ping of death: the aim of this attack is to crash the system by exploiting implementation errors in the internet protocol (IP). IP packets are generally sent as fragments. If incorrect reassembly information is supplied, many operating systems can be tricked into assembling an IP packet larger than the maximum permitted size of 64 KB. This can lead to a buffer overflow, in which a program tries to store more data in a buffer than it can hold; the excess data spills into adjacent buffers, overwriting or corrupting whatever is stored there.
  • LAND attack: in this type of attack, the attacker sends a SYN packet as in the TCP three-way handshake (see above), but with the target server’s address as both the sender and the destination address. The server responds to the request by sending a SYN/ACK packet to itself, which it may interpret as a new connection request that in turn has to be answered with a SYN/ACK packet. The system keeps responding to its own requests, which overloads it and can cause a crash.

Countermeasures

Various security measures have been developed to stop IT systems being overloaded by DoS and DDoS attacks. These include identifying and blocking suspicious IP addresses and closing any known security gaps. In addition, providing sufficient hardware and software resources can compensate for smaller attacks.

  • IP blacklist: blacklists make it possible to identify suspicious IP addresses and reject their data packets. They can be maintained manually or automated by a firewall using dynamic blacklists.
  • Filtering: to filter out irregular data packets, you can define limits on the data volume allowed within a specified period. Pay attention to proxies, however: many clients may be registered with the server under the same IP address and could all be blocked together.
  • SYN cookies: SYN cookies address the weakness in TCP connection set-up described above. With this measure, information about the SYN packet is no longer stored on the server but is instead encoded in a cryptographic cookie sent to the client. SYN flood attacks then still consume some processing capacity, but no longer overload the target system’s memory.
  • Load balancing: an effective countermeasure against overloading is to distribute the load across different systems, which is made possible by load balancing. The hardware capacity of the available service is spread across several physical machines. This way, DoS and DDoS attacks can be absorbed to a certain degree.
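The SYN flood described earlier and the SYN cookie defence from this list, as an added example that is not part of the original article: a stateless handshake model in Python. The secret, the server address, the time-slot width and the cookie layout (5-bit time slot plus a 27-bit keyed hash) are assumptions of this example, not the article's. A flood of unanswered SYNs leaves no state behind, while a forged or expired final ACK is rejected.

```python
import hashlib
import hmac

# Constructed demo values; a real implementation uses a random per-boot secret.
SECRET = b"constructed-demo-secret"
SERVER = ("203.0.113.10", 443)   # hypothetical server address and port
WINDOW = 64                      # seconds per time slot encoded in the cookie
MAX_AGE_SLOTS = 1                # accept cookies from the current or previous slot

def _mac(src_ip, src_port, client_isn, slot):
    """27-bit keyed hash over the connection tuple and the time slot."""
    msg = f"{src_ip}:{src_port}->{SERVER[0]}:{SERVER[1]}:{client_isn}:{slot}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & 0x07FFFFFF

def make_cookie(src_ip, src_port, client_isn, now):
    """Sequence number for the SYN/ACK: 5 bits of time slot + 27-bit MAC."""
    slot = int(now) // WINDOW
    return ((slot & 0x1F) << 27) | _mac(src_ip, src_port, client_isn, slot)

def check_cookie(cookie, src_ip, src_port, client_isn, now):
    """Validate the cookie the client echoes back (as ack-1) in its final ACK."""
    now_slot = int(now) // WINDOW
    slot = (now_slot & ~0x1F) | (cookie >> 27)
    if slot > now_slot:              # the 5-bit counter wrapped since the SYN/ACK
        slot -= 32
    if now_slot - slot > MAX_AGE_SLOTS:
        return False                 # cookie has expired
    expected = _mac(src_ip, src_port, client_isn, slot).to_bytes(4, "big")
    return hmac.compare_digest(expected, (cookie & 0x07FFFFFF).to_bytes(4, "big"))

def simulate():
    """10,000 spoofed SYNs that are never acknowledged, then one honest client."""
    established = set()               # the only server state: completed handshakes
    for i in range(10_000):           # each SYN just yields a SYN/ACK; nothing is stored
        make_cookie(f"198.51.100.{i % 250}", 1024 + i, i, now=1000)
    seq = make_cookie("192.0.2.7", 50000, 42, now=1000)    # honest client's SYN/ACK
    def on_ack(ip, port, isn, ack, now):                   # server's final-ACK handling
        good = check_cookie((ack - 1) & 0xFFFFFFFF, ip, port, isn, now)
        if good:
            established.add((ip, port))
        return good
    ok = on_ack("192.0.2.7", 50000, 42, seq + 1, 1030)                 # genuine
    forged = on_ack("192.0.2.8", 50001, 42, 12345, 1030)               # guessed ack
    stale = on_ack("192.0.2.7", 50000, 42, seq + 1, 1000 + 3 * WINDOW)  # expired
    return ok, forged, stale, len(established)
```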

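The filtering and blacklist measures from the countermeasures list, as an added example that is not part of the original article: a per-client sliding-window limiter in Python run over constructed log lines, with the proxy caveat handled by keying on the forwarded client only when the peer is a trusted proxy. The log format, the addresses, the limits and the trusted-proxy list are assumptions of this example.

```python
import re
from collections import defaultdict, deque

LINE = re.compile(r"^(?P<ts>\d+) (?P<ip>[\d.]+) (?P<fwd>\S+) (?P<req>.+)$")
BLACKLIST = {"198.51.100.23"}    # constructed: an address already known as malicious
LIMIT, PERIOD = 5, 10            # at most 5 requests per 10 seconds per client

def build_sample_log():
    """Constructed log lines: '<epoch> <peer ip> <forwarded client or -> <request>'."""
    lines = [f"{1000 + i} 203.0.113.5 - GET /index.html" for i in range(7)]  # burst
    lines.append("1003 198.51.100.23 - GET /login")                           # blacklisted
    lines += [f"1005 10.0.0.2 192.0.2.{c} GET /api" for c in range(1, 7)]     # via proxy
    return lines

def filter_requests(lines, limit=LIMIT, period=PERIOD, blacklist=BLACKLIST, trusted_proxies=()):
    """Return (client key, decision) per request, using a sliding window per client."""
    windows = defaultdict(deque)
    decisions = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                                   # malformed line, ignore
        ts, ip, fwd = int(m["ts"]), m["ip"], m["fwd"]
        # Behind a trusted proxy, count per forwarded client so that the proxy's
        # shared address does not get every client behind it blocked together.
        key = fwd if ip in trusted_proxies and fwd != "-" else ip
        if key in blacklist:
            decisions.append((key, "blacklisted"))
            continue
        q = windows[key]
        while q and ts - q[0] >= period:               # drop timestamps outside the window
            q.popleft()
        if len(q) >= limit:
            decisions.append((key, "rate-limited"))
            continue
        q.append(ts)
        decisions.append((key, "allowed"))
    return decisions

def summarize(lines, **kwargs):
    """Count the decisions by outcome."""
    counts = defaultdict(int)
    for _, decision in filter_requests(lines, **kwargs):
        counts[decision] += 1
    return dict(counts)
```

Without the proxy in the trusted list, the six clients behind it share one counter and the sixth is wrongly rate-limited, which is the situation the article warns about.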