DoS (Denial of Service) and DDoS (Distributed Denial of Service) attacks are becoming increasingly common and potent. Denial of Service attacks come in many forms, but share a common purpose: stopping users from accessing a resource, whether it’s a web page, email, the phone network, or something else entirely. Let’s look at the most common types of attacks against web targets, and how DoS can become DDoS.
At its core, a Denial of Service attack is typically performed by flooding a server—say, the server of a web site—so much that it’s unable to provide its services to legitimate users. There are a few ways this can be performed, the most common being TCP flooding attacks and DNS amplification attacks.
Almost all web (HTTP/HTTPS) traffic is performed using the Transmission Control Protocol (TCP). TCP has more overhead than the alternative, User Datagram Protocol (UDP), but is designed to be reliable. Two computers connected to each other via TCP will confirm receipt of each packet. If no confirmation is provided, the packet must be sent again.
What happens if one computer gets disconnected? Maybe a user loses power, their ISP has a failure, or whatever application they’re using quits without informing the other computer. The other client needs to stop re-sending the same packet, or else it’s wasting resources. To prevent never-ending transmission, a timeout duration is specified and/or a limit is placed on how many times a packet can be re-sent before dropping the connection completely.
TCP was designed to facilitate reliable communication between military bases in the event of a disaster, but this very design leaves it vulnerable to denial of service attacks. When TCP was created, nobody imagined that it would be used by over a billion client devices. Protection against modern denial of service attacks was just not a part of the design process.
The most common denial of service attack against web servers is performed by spamming SYN (synchronize) packets. Sending a SYN packet is the first step of initiating a TCP connection. After receiving the SYN packet, the server responds with a SYN-ACK packet (synchronize acknowledgement). Finally, the client sends an ACK (acknowledgement) packet, completing the connection.
However, if the client does not respond to the SYN-ACK packet within a set time, the server sends the packet again, and waits for a response. It’ll repeat this procedure over and over, which can waste memory and processor time on the server. In fact, if done enough, it can waste so much memory and processor time that legitimate users get their sessions cut short, or new sessions are unable to start. Additionally, the increased bandwidth usage from all the packets can saturate networks, making them unable to carry the traffic they actually want.
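The symptom described above is visible on the server itself: half-open connections pile up in the SYN-RECV state while the server keeps retransmitting SYN-ACKs. The following is an added example, not code from the article, that flags those symptoms from a snapshot of the connection table. It parses text in the layout of Linux's `ss -tan` output; the snapshot, the addresses (RFC 5737 documentation ranges) and the thresholds are all constructed for illustration and would need tuning against a real server's baseline.

```python
"""Flag SYN-flood symptoms from a snapshot of the TCP connection table.

Added example; not from the article. The input mimics `ss -tan` output on
Linux. The sample snapshot is constructed with RFC 5737 documentation
addresses, and the thresholds are assumptions to be tuned per deployment.
"""
from collections import Counter

# Constructed snapshot: one listener on :443, two live sessions, and a
# cluster of half-open handshakes that never received their final ACK.
SAMPLE_SS_OUTPUT = """\
State     Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN    0      128    0.0.0.0:443         0.0.0.0:*
ESTAB     0      0      10.0.0.5:443        203.0.113.9:40001
ESTAB     0      0      10.0.0.5:443        203.0.113.10:40002
SYN-RECV  0      0      10.0.0.5:443        198.51.100.7:51234
SYN-RECV  0      0      10.0.0.5:443        198.51.100.7:51235
SYN-RECV  0      0      10.0.0.5:443        198.51.100.8:51236
SYN-RECV  0      0      10.0.0.5:443        198.51.100.9:51237
SYN-RECV  0      0      10.0.0.5:443        198.51.100.9:51238
SYN-RECV  0      0      10.0.0.5:443        198.51.100.9:51239
"""


def parse_ss(text):
    """Return (state, local, peer) tuples, skipping the header and LISTEN rows."""
    conns = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5 or parts[0] == "LISTEN":
            continue
        conns.append((parts[0], parts[3], parts[4]))
    return conns


def syn_flood_indicators(conns, max_half_open=5, max_ratio=0.5):
    """Summarise half-open state and decide whether it looks like a SYN flood.

    Two signals matter: the absolute number of SYN-RECV entries (each one
    holds memory while the server retransmits SYN-ACKs) and their share of
    all connections. During a flood, half-open entries dwarf established ones.
    """
    half_open = [c for c in conns if c[0] == "SYN-RECV"]
    established = sum(1 for c in conns if c[0] == "ESTAB")
    # Strip the port so we count peers by address; spoofed floods spread
    # across many addresses, so a long tail here is itself a hint.
    per_peer = Counter(c[2].rsplit(":", 1)[0] for c in half_open)
    total = len(conns)
    ratio = len(half_open) / total if total else 0.0
    return {
        "half_open": len(half_open),
        "established": established,
        "half_open_ratio": round(ratio, 2),
        "top_peers": per_peer.most_common(3),
        "suspicious": len(half_open) >= max_half_open or ratio >= max_ratio,
    }


if __name__ == "__main__":
    report = syn_flood_indicators(parse_ss(SAMPLE_SS_OUTPUT))
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a real host you would feed it `ss -tan` output taken at intervals rather than a single snapshot; a rising half-open count with a flat established count is the pattern to alert on. Note that a legitimate traffic spike raises both counts together, which is how this check separates a flood from the "hug of death" discussed later in the article.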
Denial of service attacks can also take aim at DNS servers: the servers that translate domain names (like howtogeek.com) into IP addresses (12.345.678.900) that computers use to communicate. When you type howtogeek.com in your browser, it gets sent to a DNS server. The DNS server then directs you to the actual web site. Speed and low latency are major concerns for DNS, so the protocol operates over UDP instead of TCP. DNS is a critical part of the internet’s infrastructure, and the bandwidth consumed by DNS requests is generally minimal.
However, DNS slowly grew, with new features being gradually added over time. This introduced a problem: DNS had a packet size limit of 512 bytes, which wasn’t enough for all those new features. So, in 1999, the IEEE published the specification for extension mechanisms for DNS (EDNS), which increased the cap to 4096 bytes, allowing for more information to be included in each request.
This change, however, made DNS vulnerable to “amplification attacks”. An attacker can send specially crafted requests to DNS servers, asking for large amounts of information, and asking for them to be sent to their target’s IP address. An “amplification” is created because the server’s response is much larger than the request generating it, and the DNS server will send its response to the forged IP.
Many DNS servers are not configured to detect or drop bad requests, so when attackers repeatedly send forged requests, the victim gets flooded with huge EDNS packets, congesting the network. Unable to handle so much data, their legitimate traffic will be lost.
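To make the amplification concrete, here is an added example (not code from the article) that builds a DNS query carrying the EDNS0 payload-size field mentioned above, computes the ratio between what the attacker sends and what the victim receives, and then scans a resolver query log for the pattern an operator should rate-limit. The packet layout follows RFC 1035 and RFC 6891; the log lines are constructed in a BIND-like query-log style, and the 3000-byte response size is an assumed figure used only to illustrate the ratio.

```python
"""Measure DNS amplification and spot abusive query patterns in a resolver log.

Added example; not from the article. Wire format per RFC 1035 (header,
question) and RFC 6891 (EDNS0 OPT record). The log sample is constructed in
a BIND-like query-log style with RFC 5737 documentation addresses.
"""
import re
import struct
from collections import Counter


def build_dns_query(name, qtype=255, edns_udp_size=4096, txid=0x1234):
    """Build a UDP DNS query (qtype 255 = ANY) with an EDNS0 OPT record.

    The OPT record's CLASS field carries the requester's UDP payload size;
    that is where the article's 512 -> 4096 byte increase lives on the wire.
    """
    # Header: ID, flags (RD set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # QCLASS IN
    # OPT pseudo-RR: root name, TYPE 41, CLASS = UDP payload size,
    # TTL = extended RCODE/version/flags (all zero), RDLENGTH 0.
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, 0, 0)
    return header + question + opt


def amplification_factor(query_len, response_len):
    """Bytes delivered to the victim per byte the attacker has to send."""
    return response_len / query_len


# Constructed resolver log. In an amplification attack the "client" address
# is the forged source, i.e. the victim, so these lines point at the target
# of the attack, not at the party sending the packets.
QUERY_LOG = """\
client 198.51.100.7#1024: query: example.com IN ANY +E(4096) (10.0.0.53)
client 198.51.100.7#1025: query: example.com IN ANY +E(4096) (10.0.0.53)
client 198.51.100.7#1026: query: example.com IN ANY +E(4096) (10.0.0.53)
client 203.0.113.9#5353: query: www.example.com IN A + (10.0.0.53)
client 198.51.100.7#1027: query: example.com IN ANY +E(4096) (10.0.0.53)
client 203.0.113.12#5000: query: mail.example.com IN MX +E(1232) (10.0.0.53)
"""

LOG_RE = re.compile(r"client (\S+)#\d+: query: (\S+) IN (\S+) \+(?:E\((\d+)\))?")


def abusive_sources(log, amplifying_types=("ANY",), min_buf=4096, min_queries=3):
    """Count repeated large-buffer queries for amplifying types, per source.

    Returns {source_ip: count} for sources at or above min_queries. A hit
    means this resolver is being used as a reflector against that address.
    """
    counts = Counter()
    for line in log.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        src, _name, qtype, edns = m.groups()
        if qtype in amplifying_types and edns and int(edns) >= min_buf:
            counts[src] += 1
    return {src: n for src, n in counts.items() if n >= min_queries}


if __name__ == "__main__":
    q = build_dns_query("example.com")
    print(f"query size: {len(q)} bytes")
    # 3000 bytes is an assumed response size for illustration only.
    print(f"amplification: {amplification_factor(len(q), 3000):.0f}x")
    print("reflection targets:", abusive_sources(QUERY_LOG))
```

The 40-byte query against an assumed 3000-byte response gives a 75x ratio, which is why a modest attacker uplink can saturate a much larger victim link. Because the logged source is the spoofed victim, the right response on the resolver side is not to block that address but to stop serving as a reflector: restrict recursion to your own networks and enable response rate limiting so repeated identical answers to one destination are throttled.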
A distributed denial of service attack is one that has multiple (sometimes unwitting) attackers. Web sites and applications are designed to handle many concurrent connections—after all, web sites wouldn’t be very useful if only one person could visit at a time. Giant services like Google, Facebook, or Amazon are designed to handle millions or tens of millions of concurrent users. Because of that, it’s not feasible for a single attacker to bring them down with a denial of service attack. But many attackers could.
The most common method of recruiting attackers is through a botnet. In a botnet, hackers infect all sorts of internet connected devices with malware. Those devices can be computers, phones, or even other devices in your home, like DVRs and security cameras. Once infected, they can use those devices (called zombies) to periodically contact a command and control server to ask for instructions. These commands can range from mining cryptocurrencies to, yes, participating in DDoS attacks. That way, they don’t need a ton of hackers to band together—they can use the insecure devices of normal at-home users to do their dirty work.
Other DDoS attacks may be performed voluntarily, usually for politically motivated reasons. Clients like Low Orbit Ion Cannon make DoS attacks simple and are easy to distribute. Keep in mind that it is illegal in most countries to (intentionally) participate in a DDoS attack.
Finally, some DDoS attacks can be unintentional. Originally referred to as the Slashdot effect and generalized as the “hug of death,” huge volumes of legitimate traffic can cripple a website. You’ve probably seen this happen before—a popular site links to a small blog and a huge influx of users accidentally bring the site down. Technically, this is still classified as DDoS, even if it isn’t intentional or malicious.
Typical users do not have to worry about being the target of denial of service attacks. With the exception of streamers and pro gamers, it’s very rare for a DoS to be pointed at an individual. That said, you should still do the best you can to protect all your devices from malware that could make you part of a botnet.
If you’re an administrator of a web server, however, there is a wealth of information on how to secure your services against DoS attacks. Server configuration and appliances can mitigate some attacks. Others can be prevented by ensuring unauthenticated users cannot perform operations that require significant server resources. Unfortunately, a DoS attack’s success is most often determined by who has the bigger pipe. Services like Cloudflare and Incapsula offer protection by standing in front of websites, but can be expensive.
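The "server configuration" mentioned above includes kernel settings that bound how much a SYN flood can cost a Linux host before the bigger-pipe question even arises. The following is an added example, not from the article, that audits those settings and shows a weak configuration beside a hardened one. The sysctl keys (`net.ipv4.tcp_syncookies`, `tcp_synack_retries`, `tcp_max_syn_backlog`) are real Linux keys; the recommended values are this example's assumptions, not defaults from any particular distribution, and the live-read helper only works when run on a Linux host.

```python
"""Audit Linux kernel settings that bound the cost of a SYN flood.

Added example; not from the article. The keys are real Linux sysctls under
net.ipv4, read here from /proc/sys when available. The thresholds encode
assumed recommendations, not any distribution's defaults.
"""
import os

SYSCTL_BASE = "/proc/sys/net/ipv4"

# (key, predicate on the integer value, why the setting matters)
CHECKS = [
    ("tcp_syncookies", lambda v: v == 1,
     "SYN cookies let the listener answer SYNs without storing half-open "
     "state once the backlog is full, so a flood cannot exhaust it"),
    ("tcp_synack_retries", lambda v: v <= 3,
     "fewer SYN-ACK retransmissions mean abandoned handshakes are dropped "
     "sooner and hold memory for less time"),
    ("tcp_max_syn_backlog", lambda v: v >= 1024,
     "a larger backlog absorbs short bursts before cookies kick in"),
]

# Constructed configurations: a typical weak one and a hardened one.
WEAK = {"tcp_syncookies": 0, "tcp_synack_retries": 5, "tcp_max_syn_backlog": 128}
HARDENED = {"tcp_syncookies": 1, "tcp_synack_retries": 2, "tcp_max_syn_backlog": 4096}


def read_live_settings(keys=tuple(k for k, _, _ in CHECKS)):
    """Read the current values from /proc on Linux; returns {} elsewhere."""
    settings = {}
    for key in keys:
        path = os.path.join(SYSCTL_BASE, key)
        if os.path.exists(path):
            with open(path) as f:
                settings[key] = int(f.read().strip())
    return settings


def audit(settings):
    """Return {key: (value, ok, reason)}; a missing key is reported as not ok."""
    report = {}
    for key, ok_fn, reason in CHECKS:
        value = settings.get(key)
        report[key] = (value, value is not None and ok_fn(value), reason)
    return report


def failing(settings):
    """Sorted list of keys that do not meet the assumed baseline."""
    return sorted(k for k, (_, ok, _) in audit(settings).items() if not ok)


if __name__ == "__main__":
    live = read_live_settings() or WEAK  # fall back to the constructed sample
    for key, (value, ok, reason) in audit(live).items():
        print(f"{'OK  ' if ok else 'FAIL'} {key}={value}: {reason}")
```

These settings only protect the host's own connection table; they do nothing about a flood that fills the upstream link, which is the case the article has in mind when it says the bigger pipe wins. Also note that when SYN cookies are in use the server cannot store per-connection TCP options from the SYN, so some window-scaling and selective-acknowledgement behaviour is lost for connections established under load.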
Dennis Stewart is a science fiction fan who wants you to be a little more paranoid. When he’s not at his day job as a CipherTechs security engineer or writing for How-To Geek, he works a third job as a space trucker in Elite: Dangerous.