Denial of Service (DoS) attacks are a common form of cyber attack that disrupts a targeted system’s service. Attackers overwhelm the system with numerous requests or traffic, causing it to fail and preventing users from accessing it. This can be particularly problematic for organizations that require their online resources to accomplish their objectives.
This article aims to provide a brief overview of DoS attacks, including their definition, operational principles, and primary types. We will also examine two key types of DoS attacks: Distributed DoS (DDoS) and application-layer attacks. Finally, we will provide advice on how to safeguard against DoS attacks, enabling organizations to secure their systems and ensure the stability and accessibility of their online resources.
Who carries out DoS attacks and why?
There are organizations or groups that carry out DoS attacks to disrupt important infrastructure systems, cause chaos in the network, or steal confidential information. Regardless of their goals, DoS attacks can pose a serious threat to organizations and individuals who rely on their online resources for successful operations. Therefore, protection against DoS attacks is a critical aspect of information security.
DoS attacks can be carried out for various reasons and with different objectives. Some of the main reasons and objectives of DoS attacks may include:
- Extortion: In some cases, attackers may use DoS attacks to extort money or other services from the targeted organization. For example, they may threaten to launch further attacks if they do not receive the requested amount of money.
- Competitive advantage: In some cases, competing companies may use DoS attacks to harm their competitors and gain an advantage in the market. This may involve disabling a competing website or service to redirect users to their own product or service.
- Activism: Some hackers may carry out DoS attacks based on political or ideological beliefs. For example, they may use attacks to protest against the activities of certain organizations or states.
- Security testing: In some cases, DoS attacks may be used to test vulnerabilities in systems and networks. This can help organizations improve their protection and defend against future attacks.
- Entertainment: In some cases, hackers may carry out DoS attacks simply for fun or to demonstrate their skills. Such attacks can harm organizations but have no specific goal or motivation.
- Destruction of data: In some cases, attackers may use DoS attacks to destroy or damage the integrity of data located on the server or network of the targeted organization. This can result in the inability to restore data and significant financial losses for the organization.
- Undermining system stability: Some DoS attacks can be used to undermine the stability and reliability of systems and networks. This can affect the business processes of an organization and lead to dissatisfaction among customers and users.
- Sabotage: Some DoS attacks can be used to sabotage the activities of specific individuals or groups. For example, they may be carried out against politicians, public figures or journalists to remove them from the scene and draw attention to certain issues or ideologies.
How DoS attacks work
These attacks are attempts to disrupt the normal functioning of a system by overloading it with requests or denying access to resources. DoS attacks are carried out by overwhelming a system or device with requests it cannot process. For example, an attacker may use a botnet – a network of computers that are infected with malware and can be remotely controlled. Each computer in the botnet sends thousands of requests per second to the target server, overloading it and not allowing legitimate requests from users to be processed.
The main types of DoS attacks:
- Bandwidth attack: the attacker generates a huge volume of traffic and directs it at the target system, overloading its network interface and not allowing legitimate users to use resources.
- Vulnerability attack: the attacker exploits vulnerabilities in the software used by the target system to disable it or even cause it to crash.
- Syntax attack: the attacker sends requests with incorrect syntax to the target system, which can cause programs or the entire system to crash.
- Application-level attack: the attacker sends requests to the target system that are meaningless or malicious, such as SQL injections or requests for non-existent pages, to overload its resources. Unlike classical DoS attacks that rely on exceeding network resource limits, application-layer DoS attacks use application protocols and can overload the server with requests that simulate legitimate traffic. For example, a malicious actor may send a large number of authentication requests to the server, each of which consumes server resources to authenticate.
Examples of Specific DoS and DDoS Attacks
In this section, we will explore some examples of specific Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks. These attacks can vary in their complexity and impact, but they all share the common goal of disrupting the normal functioning of a system or network. By examining real-world examples, we can gain a better understanding of the tactics and techniques used by attackers, as well as the potential consequences for organizations that fall victim to these types of attacks.
Ping of Death – an attack that sends large data packets to the target system, which can cause buffer overflow and result in system crash.
For example, to create a Ping of Death packet, you can use the ping command with the -s parameter to specify the packet size:
ping -s 65507 <target system IP address>
Here, 65507 bytes is the largest payload the ping command can place in a single maximum-size IPv4 packet (65,535 bytes including the IP and ICMP headers); on a system that does not handle reassembly of such packets correctly, this can lead to buffer overflow.
SYN flood – an attack that sends a large number of SYN requests to the target system without closing the connection. This can cause network interface overload and result in denial of service.
To test a SYN flood attack, you can use various tools such as hping3, Netwox, or Scapy. Here is an example of how to use hping3:
- Install hping3 on your machine.
- Open a command prompt or terminal and type the following command:
hping3 -c 10000 -d 120 -S -w 64 -p <port> <target system IP>
Here:
- -c 10000 means 10000 SYN packets will be sent.
- -d 120 specifies the data size in SYN packets (120 bytes).
- -S indicates that a packet with the SYN flag will be sent.
- -w 64 sets the TCP window size to 64 bytes.
- -p <port> specifies the port number to which the SYN packet will be sent.
- <target system IP> is the IP address of the target system.
- Press Enter to start the SYN flood attack.
HTTP flood – an attack that sends a multitude of HTTP requests to the target server, overloading it and not allowing legitimate users to access its resources.
To test an HTTP flood attack, you can use tools like HULK (HTTP Unbearable Load King) or GoldenEye. Here is an example command to launch an HTTP flood attack using HULK:
hulk.py -s <target IP address> -p <target port> -t 10 -v -ua 1
Here:
- <target IP address> is the IP address of the target server.
- <target port> is the port number that the target server is listening on.
- -t 10 specifies the number of threads to use (in this case, 10).
- -v enables verbose mode to display information about the attack.
- -ua 1 specifies that the User-Agent header of the HTTP request should be randomized.
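From the defender's side, an HTTP flood of this kind leaves two traces in the web server's access log: a request rate per client far above what a browser produces, and, when the tool randomises the User-Agent header, many distinct User-Agent strings from one address. The following detector is an added example written for this article; it is not code from the article itself or from the HULK or GoldenEye projects. The log lines, thresholds and client addresses are constructed.

```python
"""Detecting HTTP-flood traffic in web-server access logs.

Added example; it is not code from the article or from the HULK or GoldenEye
projects. It flags a client IP on two signals: more requests inside a sliding
window than a threshold allows, and an unusually large number of distinct
User-Agent strings (flood tools that randomise the User-Agent header leave
exactly that trace). The log lines and thresholds below are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Simplified "combined" log format as written by Apache and nginx.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields this detector needs, or None for an unparseable line."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {"ip": m.group("ip"),
            "ts": datetime.strptime(m.group("ts"), TS_FMT),
            "ua": m.group("ua")}


def detect_http_flood(lines, window_seconds=10, max_requests=20, max_user_agents=5):
    """Map each suspicious client IP to the set of reasons it was flagged.

    Lines for a given IP are expected in time order, as a log file provides them.
    """
    recent = defaultdict(deque)     # ip -> request timestamps inside the window
    user_agents = defaultdict(set)  # ip -> distinct User-Agent values seen
    flagged = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts = rec["ip"], rec["ts"]
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > max_requests:
            flagged[ip].add("rate")
        user_agents[ip].add(rec["ua"])
        if len(user_agents[ip]) > max_user_agents:
            flagged[ip].add("user_agents")
    return dict(flagged)


def _line(ip, second, ua):
    """Build one constructed access-log line (sample data, not a real log)."""
    return (f'{ip} - - [10/Oct/2023:13:55:{second:02d} +0000] "GET / HTTP/1.1" '
            f'200 612 "-" "{ua}"')


# Constructed sample: one client fires 30 requests in six seconds with a fresh
# User-Agent each time; another client browses normally.
SAMPLE_LOG = (
    [_line("198.51.100.7", i // 5, f"Mozilla/5.0 (flood-{i})") for i in range(30)]
    + [_line("203.0.113.9", s, "Mozilla/5.0 (X11; Linux x86_64)") for s in (1, 3, 5, 7, 9)]
)

if __name__ == "__main__":
    for ip, reasons in detect_http_flood(SAMPLE_LOG).items():
        print(ip, sorted(reasons))
```

The thresholds are deliberately low so that the sample triggers both rules; on a real site they should be set from the observed request rate of legitimate clients, and the detector's output fed to whatever blocks or rate-limits the address (a WAF rule or a firewall entry).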
Slowloris – an attack that uses multiple connections to the target system and gradually sends HTTP headers to keep the connection open and block access for other users.
To test the Slowloris attack, you can use specifically designed tools such as the slowhttptest utility. Here’s how to use it:
- Install the slowhttptest utility on your test computer.
- Launch the slowhttptest utility and configure it to attack the IP address of the target web server using the command:
slowhttptest -c 1000 -H -g -o output_file -i 10 -r 200 -t GET -u http://<target server IP address>
Here:
- -c 1000 means that 1000 connections will be made.
- -H specifies that the Host header will be used in the request.
- -g specifies that the GET header will be used in the request.
- -o output_file specifies the file where the test results will be written.
- -i 10 sets the interval between packets to 10 seconds.
- -r 200 sets the maximum delay between packets to 200 milliseconds.
- -t GET specifies the HTTP GET request method.
- -u http://<target server IP address> specifies the URL to which requests will be sent.
The slowhttptest utility will begin sending many incomplete requests to the target web server, which can lead to resource exhaustion.
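The server-side answer to Slowloris is not to let an incomplete request hold a worker for long: bound the time a client may take to finish its headers, require a minimum receive rate, and cap the number of incomplete connections one client may hold. The function below is an added example that models that policy over a server's connection table; it is not code from the article or from slowhttptest, and the connection records, timeouts and addresses are constructed.

```python
"""Closing Slowloris-style connections before they exhaust the server.

Added example; not code from the article or from slowhttptest. A web server
keeps a table of open connections; this function decides which to close using
three rules that correspond to settings real servers expose: a deadline for
finishing the request headers, a minimum receive rate, and a cap on concurrent
incomplete connections per client. The connection table is constructed data.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Conn:
    conn_id: int
    client_ip: str
    opened_at: float        # seconds on a monotonic clock
    bytes_received: int
    headers_complete: bool  # True once the blank line ending the headers arrived


def select_connections_to_close(conns, now, header_timeout=20.0,
                                min_bytes_per_sec=50.0, max_incomplete_per_ip=10,
                                grace_period=5.0):
    """Return {conn_id: reason} for every connection the policy says to drop."""
    to_close = {}
    for c in conns:
        if c.headers_complete:
            continue  # request is being served; body/response timeouts live elsewhere
        age = now - c.opened_at
        if age > header_timeout:
            to_close[c.conn_id] = "header_timeout"
        elif age > grace_period and c.bytes_received / age < min_bytes_per_sec:
            to_close[c.conn_id] = "too_slow"
    # Per-client cap: beyond the limit, drop the oldest incomplete connections first.
    incomplete = [c for c in conns if not c.headers_complete]
    per_ip = Counter(c.client_ip for c in incomplete)
    for ip, n in per_ip.items():
        if n > max_incomplete_per_ip:
            oldest = sorted((c for c in incomplete if c.client_ip == ip),
                            key=lambda c: c.opened_at)
            for c in oldest[: n - max_incomplete_per_ip]:
                to_close.setdefault(c.conn_id, "per_ip_limit")
    return to_close


# Constructed connection table at time NOW.
NOW = 1000.0
SAMPLE_CONNS = (
    [Conn(1, "203.0.113.9", NOW - 2.0, 300, True),      # normal request in progress
     Conn(2, "203.0.113.9", NOW - 30.0, 100, False)]    # headers stalled for 30 s
    + [Conn(3 + i, "198.51.100.7", NOW - 10.0 + i * 0.1, 900, False)  # 12 open, incomplete
       for i in range(12)]
    + [Conn(15, "192.0.2.44", NOW - 8.0, 60, False)]    # trickling a few bytes
)

if __name__ == "__main__":
    for conn_id, reason in sorted(select_connections_to_close(SAMPLE_CONNS, NOW).items()):
        print(conn_id, reason)
```

In a real deployment these three rules are the settings to tune rather than code to write: the header read timeout, the minimum request rate, and the per-client connection limit of the web server or reverse proxy in front of it.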
DNS flood – an attack that sends a multitude of requests to the DNS server, causing overload and denial of service.
To conduct a DNS flood attack, you can use the following command in the hping3 utility:
hping3 -c 10000 -d 120 -S -w 64 -p 53 --flood <DNS server IP address>
Here:
- -c 10000 specifies that 10000 SYN packets will be sent;
- -d 120 specifies the size of data in SYN packets (120 bytes);
- -S specifies that a packet with SYN flag will be sent;
- -w 64 sets the TCP window size to 64 bytes;
- -p 53 specifies the port number of the DNS server;
- --flood means that a flood attack will be performed.
HTTP flood – an attack that sends a multitude of HTTP requests to the server, causing overload and denial of service.
To conduct an HTTP flood attack, you can use the following command in the hping3 utility:
hping3 -c 10000 -d 120 -S -w 64 -p 80 --flood <target server IP address>
Here:
- -c 10000 specifies that 10000 SYN packets will be sent;
- -d 120 specifies the size of data in SYN packets (120 bytes);
- -S specifies that a packet with SYN flag will be sent;
- -w 64 sets the TCP window size to 64 bytes;
- -p 80 specifies the port number of the HTTP server;
- --flood means that a flood attack will be performed.
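The SYN flood described earlier and the two hping3 commands above (which are SYN floods aimed at TCP ports 53 and 80) all look the same on the wire: a burst of SYN segments whose handshakes never complete. The analyser below is an added example, not code from the article or from hping3; it keeps a per-source view (which catches one attacking host) and a per-service view (which still catches a flood spread across many or forged source addresses), and reports the share of each source's handshakes that stayed half-open. Packet summaries, addresses and thresholds are constructed.

```python
"""Spotting a SYN flood in packet summaries.

Added example; not code from the article or from hping3. Two views are kept:
the SYN rate per source (catches a single attacking host) and the SYN rate per
destination service (catches a flood spread across many or forged sources).
The half-open ratio per source shows handshakes that never complete.
Records and thresholds are constructed.
"""
from collections import Counter, defaultdict, deque


def parse_record(line):
    """One constructed packet summary: '<time> <src> <sport> <dst> <dport> <flags>'."""
    t, src, sport, dst, dport, flags = line.split()
    return float(t), src, int(sport), dst, int(dport), flags


def analyse_syn_traffic(lines, window=1.0, max_syn_per_src=50, max_syn_per_dport=500):
    """Return flooding sources, flooded (dst, port) services and per-source half-open ratios."""
    syn_by_src = defaultdict(deque)
    syn_by_service = defaultdict(deque)
    syn_count, ack_count = Counter(), Counter()
    flooding_sources, flooded_services = set(), set()
    for line in sorted(lines, key=lambda l: float(l.split()[0])):
        t, src, _sport, dst, dport, flags = parse_record(line)
        if flags == "S":
            syn_count[src] += 1
            for key, table, limit, out in (
                (src, syn_by_src, max_syn_per_src, flooding_sources),
                ((dst, dport), syn_by_service, max_syn_per_dport, flooded_services),
            ):
                q = table[key]
                q.append(t)
                while q and t - q[0] > window:   # sliding one-second window
                    q.popleft()
                if len(q) > limit:
                    out.add(key)
        elif flags == "A":
            ack_count[src] += 1   # third packet of the handshake (or later data ACKs)
    half_open_ratio = {
        src: 1.0 - min(ack_count[src], n) / n for src, n in syn_count.items()
    }
    return {"flooding_sources": flooding_sources,
            "flooded_services": flooded_services,
            "half_open_ratio": half_open_ratio}


def _pkt(t, src, sport, dst, dport, flags):
    return f"{t:.3f} {src} {sport} {dst} {dport} {flags}"


# Constructed capture: a single-host flood at port 53, a forged-source flood
# at port 80, and one legitimate client completing three handshakes.
SAMPLE_PACKETS = (
    [_pkt(i * 0.0025, "198.51.100.7", 40000 + i, "192.0.2.10", 53, "S") for i in range(200)]
    + [_pkt(i * 0.001, f"203.0.113.{i % 250}", 50000 + i, "192.0.2.10", 80, "S")
       for i in range(600)]
    + [_pkt(0.100 + k * 0.2, "192.0.2.44", 51000 + k, "192.0.2.10", 80, "S") for k in range(3)]
    + [_pkt(0.150 + k * 0.2, "192.0.2.44", 51000 + k, "192.0.2.10", 80, "A") for k in range(3)]
)

if __name__ == "__main__":
    report = analyse_syn_traffic(SAMPLE_PACKETS)
    print(report["flooding_sources"], report["flooded_services"])
```

On a Linux host the counterpart of the half-open ratio is the number of sockets in SYN-RECV state (`ss -n state syn-recv`), and the kernel-side mitigation is SYN cookies (`net.ipv4.tcp_syncookies = 1`), which let the server answer SYNs without keeping per-connection state until the handshake completes.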
UDP Flood – an attack where the attacker sends a multitude of User Datagram Protocol (UDP) packets to the target system, overloading its network interface and not allowing legitimate users to access its resources.
To conduct a UDP flood attack, you can use the following command in the nping utility:
nping --udp -p 53 --rate 10000 <target server IP address>
Here:
- --udp specifies that a UDP packet will be sent;
- -p 53 specifies the port number to which the UDP packet will be sent;
- --rate 10000 specifies the packet sending rate per second;
- <target server IP address> is the IP address of the target server.
Smurf Attack – an attack where the attacker sends ICMP requests with the spoofed address of the target system to the network’s broadcast address, causing network overload and system unavailability.
To test a Smurf attack, you can use a tool such as Smurf6, Smurflood or hping3. These tools can send a large number of ICMP echo requests to a network’s broadcast address, causing all devices on the network to respond and flood the victim’s network with traffic.
To test the Smurf attack, you can use the following command in the hping3 utility:
hping3 -1 --flood -a <source IP address> <broadcast IP address>
Here:
- -1 specifies that an ICMP Echo Request packet (type 8) will be sent;
- --flood means that a flood attack will be performed;
- -a <source IP address> allows you to set a fake source IP address for the packets;
- <broadcast IP address> is the IP address of the broadcast network to which ICMP Echo Request packets will be sent.
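A Smurf attack depends on two things a network operator can refuse: packets leaving a network with a source address that does not belong to it (the forged victim address), and ICMP arriving from outside addressed to a subnet's broadcast address. The first is the ingress/egress filtering described in BCP 38; the second is disabling directed broadcasts at the router. The following is an added example of both checks applied to packet records; it is not code from the article or from hping3, and the prefixes, addresses and packets are constructed.

```python
"""Source-address and directed-broadcast filtering against Smurf traffic.

Added example; not code from the article or from hping3. A Smurf attack needs
two things a network can refuse: packets leaving with a forged source address
(ingress/egress filtering as described in BCP 38) and ICMP sent to a subnet's
broadcast address from outside (directed broadcast). Both checks are shown on
constructed packet records; the prefixes are sample values.
"""
import ipaddress


def make_source_filter(local_prefixes):
    """Return a predicate that is True only for addresses inside the local prefixes."""
    nets = [ipaddress.ip_network(p) for p in local_prefixes]

    def is_local(address):
        addr = ipaddress.ip_address(address)
        return any(addr in net for net in nets)

    return is_local


def filter_outbound(packets, local_prefixes):
    """Egress side: forward only packets whose source belongs to this network."""
    is_local = make_source_filter(local_prefixes)
    forwarded, dropped = [], []
    for pkt in packets:
        if is_local(pkt["src"]):
            forwarded.append(pkt)
        else:
            dropped.append(("spoofed_source", pkt))
    return forwarded, dropped


def filter_inbound(packets, local_prefixes):
    """Ingress side: drop outside packets that claim a local source or target a local broadcast."""
    is_local = make_source_filter(local_prefixes)
    broadcasts = {str(ipaddress.ip_network(p).broadcast_address) for p in local_prefixes}
    forwarded, dropped = [], []
    for pkt in packets:
        if pkt["dst"] in broadcasts:
            dropped.append(("directed_broadcast", pkt))
        elif is_local(pkt["src"]):
            dropped.append(("spoofed_local_source", pkt))
        else:
            forwarded.append(pkt)
    return forwarded, dropped


# Constructed sample network and packets.
LOCAL_PREFIXES = ["192.0.2.0/24", "198.18.0.0/16"]
OUTBOUND = [
    {"src": "192.0.2.10", "dst": "203.0.113.5", "proto": "icmp"},       # genuine
    {"src": "198.51.100.7", "dst": "203.0.113.255", "proto": "icmp"},   # forged source
    {"src": "198.18.4.9", "dst": "203.0.113.5", "proto": "udp"},        # genuine
]
INBOUND = [
    {"src": "203.0.113.5", "dst": "192.0.2.255", "proto": "icmp"},  # to the broadcast address
    {"src": "203.0.113.5", "dst": "192.0.2.10", "proto": "icmp"},   # ordinary echo request
    {"src": "192.0.2.77", "dst": "192.0.2.10", "proto": "icmp"},    # local source from outside
]

if __name__ == "__main__":
    for reason, pkt in filter_outbound(OUTBOUND, LOCAL_PREFIXES)[1] + filter_inbound(INBOUND, LOCAL_PREFIXES)[1]:
        print(reason, pkt["src"], "->", pkt["dst"])
```

The egress rule is what stops a network from being the source of spoofed Smurf, Teardrop or amplification traffic; the ingress rule stops it from being the amplifier. Both are one-line access-list entries on most routers, and the code above is only a model of the decision they make.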
Teardrop Attack – an attack where the attacker sends fragmented data packets with incorrect parameters to the target system, resulting in system crash.
To test a Teardrop attack, you can use a tool such as the Teardrop tool or hping3, which sends fragmented IP packets with overlapping payloads to the victim’s system. This can cause the victim’s system to crash or become unstable.
To test the Teardrop attack, you can use the following command in the hping3 utility:
hping3 -1 --flood -a <source IP address> -p 80 --rand-source <target IP address>
Here:
- -1 specifies that an ICMP Echo Request packet (type 8) will be sent;
- --flood means that a flood attack will be performed;
- -a <source IP address> allows you to set a fake source IP address for the packets;
- -p 80 specifies that packets will be sent to port 80;
- --rand-source specifies that a random source for the packets will be used;
- <target IP address> is the IP address of the target server.
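Ping of Death and Teardrop are both failures of IPv4 fragment reassembly, so one validation routine covers both: the reassembled payload must fit in what a 65,535-byte datagram can carry (the `ping -s 65507` case above is exactly the largest legal size), fragments must not overlap, and gaps mean the datagram is not yet complete. The code below is an added example modelling that check; it is not code from the article, from any operating system's IP stack, or from hping3. The fragment sets are constructed for a 1500-byte MTU.

```python
"""Checking IPv4 fragments before reassembly (Ping of Death and Teardrop).

Added example; not code from the article or from any IP stack. It models the
check a reassembly routine must make on every fragment: the reassembled
payload cannot exceed what a 65,535-byte IPv4 datagram can carry (oversized
fragments, the Ping of Death), and fragments must neither overlap (Teardrop)
nor leave gaps. Fragment sets below are constructed for a 1500-byte MTU.
"""
from dataclasses import dataclass

IPV4_MAX_DATAGRAM = 65535
IPV4_HEADER = 20
MAX_PAYLOAD = IPV4_MAX_DATAGRAM - IPV4_HEADER   # 65515 payload bytes after the IP header


@dataclass
class Fragment:
    offset: int   # Fragment Offset field, in 8-byte units
    length: int   # payload bytes carried by this fragment
    more: bool    # More Fragments (MF) flag


def validate_fragments(fragments):
    """Return 'ok' or the first problem found:
    'oversize', 'overlap', 'gap', 'bad_length' or 'incomplete'."""
    if not fragments:
        return "incomplete"
    ordered = sorted(fragments, key=lambda f: f.offset)
    expected_next = 0
    for f in ordered:
        start = f.offset * 8
        end = start + f.length
        if end > MAX_PAYLOAD:
            return "oversize"        # Ping of Death: reassembly would exceed 65,535 bytes
        if start < expected_next:
            return "overlap"         # Teardrop: fragment starts inside the previous one
        if start > expected_next:
            return "gap"             # a fragment is missing (or still in flight)
        if f.more and f.length % 8:
            return "bad_length"      # non-final fragments must be a multiple of 8 bytes
        expected_next = end
    return "incomplete" if ordered[-1].more else "ok"


def fragment_datagram(payload_len, mtu_payload=1480):
    """Constructed helper: split a payload as a 1500-byte MTU link would."""
    frags, offset = [], 0
    while offset < payload_len:
        size = min(mtu_payload, payload_len - offset)
        frags.append(Fragment(offset // 8, size, offset + size < payload_len))
        offset += size
    return frags


# 'ping -s 65507': 8-byte ICMP header + 65507 bytes, the largest legal payload.
MAX_PING = fragment_datagram(8 + 65507)
# One byte more than a datagram may carry: the classic Ping of Death.
PING_OF_DEATH = fragment_datagram(8 + 65508)
# Teardrop: the second fragment claims an offset inside the first one.
TEARDROP = [Fragment(0, 1480, True), Fragment(100, 1480, False)]

if __name__ == "__main__":
    for name, frags in (("max ping", MAX_PING), ("ping of death", PING_OF_DEATH), ("teardrop", TEARDROP)):
        print(name, validate_fragments(frags))
```

Modern kernels apply exactly these bounds (and discard the whole reassembly queue on overlap), which is why both attacks only affect unpatched or very old systems; the routine is still the right model when writing or reviewing any custom packet-processing code, such as a userspace firewall or a packet-capture parser.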
NTP amplification – an attack that uses open NTP servers to send a large number of requests to the target server, causing overload and denial of service.
To test an NTP amplification attack, you can use a tool such as ntpdc, which is included with the NTP software package. The tool can be used to send requests to NTP servers that will result in a large number of responses being sent to the victim’s system, flooding it with traffic.
To test the NTP amplification attack, you can use the following command in the ntpdc utility:
ntpdc -c monlist <NTP server IP address>
Here:
- -c monlist specifies that a list of the last clients who used the NTP server will be requested;
- <NTP server IP address> is the IP address of the target NTP server.
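What makes monlist usable for amplification is the size of the answer relative to the request: a reflector returns far more bytes to the forged source address than it received. From flow records (NetFlow, IPFIX or a firewall's connection log) that asymmetry is measurable per server, service and client, and it is the same measurement for DNS and other UDP reflectors. The following is an added example of that analysis; it is not code from the article or from the ntpdc tool, and the flow records, addresses and thresholds are constructed.

```python
"""Finding reflection and amplification in flow records.

Added example; not code from the article or from ntpdc. For each
(server, port, client) triple it compares the bytes the server sent to the
client with the bytes the client sent to the server. A large ratio on a large
response volume means the server is answering forged requests and the
'client' is the victim. Flow records and thresholds are constructed.
"""
from collections import Counter

REFLECTIVE_UDP_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 11211: "memcached"}


def find_amplification(flows, min_factor=10.0, min_response_bytes=100_000):
    """Return one finding per (server, port, client) whose response volume is suspect."""
    request_bytes, response_bytes = Counter(), Counter()
    for f in flows:
        if f["proto"] != "udp":
            continue
        if f["dport"] in REFLECTIVE_UDP_PORTS:        # client -> service
            request_bytes[(f["dst"], f["dport"], f["src"])] += f["bytes"]
        elif f["sport"] in REFLECTIVE_UDP_PORTS:      # service -> client
            response_bytes[(f["src"], f["sport"], f["dst"])] += f["bytes"]
    findings = []
    for (server, port, client), sent in response_bytes.items():
        received = request_bytes.get((server, port, client), 0)
        factor = sent / received if received else float("inf")
        if sent >= min_response_bytes and factor >= min_factor:
            findings.append({"server": server, "service": REFLECTIVE_UDP_PORTS[port],
                             "victim": client, "response_bytes": sent, "factor": factor})
    return sorted(findings, key=lambda x: -x["response_bytes"])


def _flow(src, sport, dst, dport, nbytes, proto="udp"):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "bytes": nbytes, "proto": proto}


# Constructed flow records: 100 small requests carrying the victim's address and
# the matching large answers, plus an ordinary NTP client and a DNS lookup.
SAMPLE_FLOWS = (
    [_flow("198.51.100.7", 40000 + i, "192.0.2.123", 123, 60) for i in range(100)]
    + [_flow("192.0.2.123", 123, "198.51.100.7", 40000 + i, 12000) for i in range(100)]
    + [_flow("203.0.113.9", 43210, "192.0.2.123", 123, 48),
       _flow("192.0.2.123", 123, "203.0.113.9", 43210, 48)]
    + [_flow("203.0.113.9", 55001, "192.0.2.53", 53, 60),
       _flow("192.0.2.53", 53, "203.0.113.9", 55001, 120)]
)

if __name__ == "__main__":
    for finding in find_amplification(SAMPLE_FLOWS):
        print(finding)
```

A finding where the server is your own host means it is being used as a reflector; for ntpd the fix is to stop answering monlist and other mode 7 queries (`disable monitor` and `restrict default noquery` in ntp.conf, or an upgrade to a version that no longer serves monlist). A finding where the victim is your own address is the incoming amplification attack itself, which is where upstream filtering or scrubbing has to take over.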
When using these tools, remember that conducting attacks without the owner’s consent is illegal and can lead to serious legal consequences. Use them only for security testing purposes on your own system or with the permission of the system owner.
What is the difference between DoS and DDoS?
Denial of Service and Distributed Denial of Service are two different techniques of computer attacks that are used to disrupt the availability of a website, server, or network.
The main difference between them is that DoS attacks come from a single source, such as a single computer, while DDoS attacks use multiple computers that are part of a botnet.
In DoS attacks, the attacker sends a large number of requests to the target server, which leads to the overloading of its resources and temporary unavailability. However, if the victim uses DoS protection measures, such an attack may be ineffective.
In DDoS attacks, attackers use multiple computers located in different places, which work together to create a botnet and send a large number of requests to the victim. This makes it difficult to detect and prevent the attack, as the sources of the requests may be distributed worldwide. In addition, DDoS attacks can use multiple attack methods simultaneously, making them even more difficult to protect against.
Thus, the main difference between DoS and DDoS attacks is that DoS attacks come from a single source, while DDoS attacks use multiple sources.
Effective Ways to Protect Against DoS and DDoS Attacks
To protect your networks and services from DoS attacks, measures such as installing traffic filters, monitoring network activity, regularly updating software, and training staff on information security should be taken. In addition, consider using specialized solutions to protect against DDoS attacks, such as CDN and WAF services.
CDN (Content Delivery Network) is a content distribution system that can help protect websites from DoS attacks. Using a CDN to distribute the load across multiple servers makes the attack more difficult and less successful. In the case of a DDoS attack, the CDN can block requests from IP addresses on its block list, thus preventing access to the site from malicious users. Another protection method that uses a CDN is called “traffic scrubbing.” In this case, when a website receives a large amount of traffic, the CDN redirects the traffic to more powerful servers in the network that can handle more requests.
Thus, the probability of service denial due to overload on one server is reduced. In addition, CDN can use various protection technologies, such as traffic filtering that filters out requests from malicious sources, and caching that reduces the load on the website by storing a copy of the content on CDN servers. Thus, CDN can be an effective tool for protecting against DoS attacks by distributing the load and using additional protection technologies.
WAF (Web Application Firewall) is an intermediate layer between the web server and the Internet that filters web traffic and blocks requests that are considered malicious or unauthorized. WAF can be used to protect against DDoS attacks, including Slowloris and RUDY attacks, which are used to exhaust server resources by establishing long-term connections and gradually sending small portions of data.
WAF can detect such attacks and block them at the earliest stage. This prevents significant consumption of server resources and reduces the likelihood that additional resources will be needed to defend against attacks in the future. In addition, WAF can be used to configure security policies, such as limiting the number of requests from a single IP address, blocking requests with malformed headers, or blocking requests that contain malicious code.