Denial of Service (DoS) attacks

Nowadays, it’s essential to prepare for various dangers that lurk online. Without adequate preparation, attackers could easily infiltrate systems and manipulate or incapacitate them. A classic form of attack is the DoS attack. What exactly is it, and how can we protect ourselves against it?

Originally, denial of service (DoS) meant that specific internet services on an IT system (e.g. on a server) were not available for a limited time. This can happen when the relevant servers are overburdened – because of too many user requests, for instance. Examples of internet services include websites, email services, and chat functions.

In a DoS attack, the attacker intentionally causes the “denial of service.” They do this by “bombarding” an IT system’s network connections – which are responsible for the exchange of external data – with an immense number of requests, which end up overburdening it. If the number of requests rises above the capacity limit, the system slows or crashes completely, which means that websites, email features, or online shops, for example, can no longer be called up by users.

A DoS attack is more or less comparable with a real-life store that hundreds of people crowd into. Shoppers distract sales personnel with misleading questions and block resources, but make no purchases in the end. The sales staff is overburdened to the point of collapse, and actual customers are no longer able to enter the shop or be served by anyone.

In principle, pure DoS attacks are relatively simple to carry out. That’s because it’s not necessary to infiltrate secure IT systems. Even those with small budgets or little to no technical expertise can carry out an illegal attack – on a competitor, for example. Cyber criminals offer this type of attack on the dark net for as little as a few hundred euros. If companies and organisations are not prepared for DoS attacks, maximum damage can be caused with minimal effort.

A possible indication that someone has been the victim of a denial of service attack is unusually slow performance over the entire network, which is especially noticeable when opening files or your own websites. A successful DoS attack is easy to spot: attacked websites take a very long time to load and certain features such as shop systems don’t function at all. At the peak of an attack, a website won’t be reachable.

You can determine whether you’ve fallen victim of a DoS attack by observing and analysing the network traffic (network traffic monitoring and analysis). You can do this either with the help of a firewall or by using an intrusion detection system that has been specifically installed for this purpose. Network administrators have the option of setting rules for the detection of “abnormal” traffic. Should the number of suspicious requests to the system increase, the alarm is automatically raised, which means that countermeasures can be taken.

There are highly diverse types of DoS attacks that can be roughly classified into attacks against the bandwidth, attacks against system resources, and attacks that exploit security gaps and software errors. How attackers proceed during a denial of service attack and which measures can help systems safeguard against it is best explained using the example of a “Smurf” attack.

A Smurf attack is a specific type of DoS attack that targets the operating system or the computer system’s internet connection or network. In doing so, the attacker sends pings, ICMP data packets of the “echo request” type, to a network’s broadcast address. In these data packets, the attacker enters the address of the system that they are targeting. Subsequently, all computers in the network respond to the system being targeted with the assumption that the requests originated from it. The more computers belong to the network being utilised by the attacker, the higher the number of “responses” that will fail. The higher the number, the stronger the attack.

Nowadays, in order to prevent Smurf attacks, the standard configuration of systems is to no longer respond to ICMP packets of the “echo request” type, and for routers to no longer forward packets directed to broadcast addresses. Thanks to these general security measures, successful Smurf attacks have become rare.

In order to safeguard your infrastructure against denial of service attacks, certain measures can be adopted. Routers should be correctly configured and secured using strong passwords. By installing blocking measures, many DoS attacks can be prevented. This means attack packets are not granted access to the internal infrastructure at all. A good firewall ensures additional security.

If you have noticed that you are the target of an attack, you can also use a number of other resources. Through load balancing, short-term additional capacity can be requested from your hosting provider, for example, so that the attack fails.

For a more detailed overview of measures, read our article on the differences between DDoS and DoS attacks.

Most DoS attacks occur in the form of distributed denial of service attacks – or DDoS attacks for short. The essential difference between DDoS and DoS attacks is that while DoS attacks originate from a single source (e.g. a computer or a network), DDoS attacks are distributed indirectly via a botnet that is often widely ramified – hence the “distributed” designation.

A botnet is essentially a collection of hacked devices that are informally called zombies. Most of these are poorly maintained and the owners of the hacked computers often don’t notice that malware has been installed on their device or that it is being misused for cybercriminal activities. With this army of zombie computers, the operator of a botnet can carry out attacks against other IT systems.

There are botnets that consist of several million computers. If all of the computers are utilised in a DDoS attack, the number of malicious requests to one network can be enormous. This is one of the main reasons why websites such as Facebook, which have vast resources to prevent large-scale DDoS attacks, are not 100% safe.