
Overview

A denial of service (DoS) attack occurs when hackers flood an application, network, or service with traffic, knocking it offline. DoS attacks — and distributed denial of service attacks — threaten businesses everywhere. Keep reading to learn more about these attacks and how to protect against them.

Need to improve your organization’s defenses? Take Control of your cyber risk today.

What are denial of service attacks?


A DoS attack occurs when bad actors and hacktivists intentionally target systems, networks, or internet services with traffic or malicious data requests to throttle network performance, disrupt services and render them inaccessible. Attacks can last anywhere from a few minutes to a couple of hours to several days at a time — leading to costly service outages, unhappy customers, and reduced profitability.

When an organization is the victim of any type of DoS attack, operations grind to a halt. Since network connectivity is difficult or impossible, customers can’t access cloud services, make payments, or communicate with customer support.

In some cases, hackers employ several different methods in a coordinated campaign. For example, bad actors might launch DoS attacks as a smokescreen to divert attention away from a ransomware attack.

What’s the difference between DoS vs. DDoS?


DoS and DDoS attacks are similar in that they both aim to disrupt service to a target or a group of target hosts. However, they tend to differ in scale and logistics: 

  • A DoS attack occurs when a single device floods a targeted network or service with traffic.

  • A distributed denial of service (DDoS) attack originates from a network of connected compromised computers or devices, or a botnet, that a bad actor controls. 

Since DDoS attacks involve more computing resources, they typically have a bigger impact. At the same time, they’re also harder to trace and mitigate because they have multiple origination points. Unfortunately, DDoS attacks are now a top threat, accounting for 25% of reportable incidents for all companies.

How do denial of service attacks work?


DoS attacks make network resources or machines unavailable to legitimate users for an extended period. Such attacks typically start with early reconnaissance work, with cybercriminals first discovering a target like a website, server, or Internet of Things (IoT) device.

Attack tactics and procedures vary depending on whether an attacker is launching a DoS or DDoS attack. But in general, a DoS attack involves the following tactics: 

  • Overwhelming network or system resources. For example, a threat actor might send large volumes of traffic to a website’s IP address, or a single malformed packet to a web server that causes it to crash.

  • Exhausting bandwidth. Attackers may also try to consume a target’s bandwidth. This happens when incoming traffic exceeds the available network capacity and prevents end users from accessing the system. 

  • Exploiting vulnerabilities. Threat actors often look to exploit vulnerabilities in services and applications that enable them to issue large volumes of requests. They may also attempt to infiltrate operating systems or network infrastructure.

  • Consuming server resources. Hackers may try to consume server resources to make online services inoperable by exhausting system resources, including CPU, memory, or disk space.

DDoS attacks require advanced preparation and more resources. To launch this type of attack, a threat actor must first build a botnet by infecting a large number of devices with malware, or rent access to an existing one. Once in control of the distributed devices, the attacker issues commands to flood the target with traffic.

What are the types of denial of service attacks?


Hackers use several different tactics to carry out DoS and DDoS attacks. Here are some of the most common types to know about.

1. TCP/IP-based attacks

Most internet-based communication uses the Transmission Control Protocol/Internet Protocol (TCP/IP) suite. A TCP/IP-based attack exploits how these protocols handle connections and packets in order to disrupt systems. Such attacks include:

  • SYN floods, where the attacker sends a stream of TCP SYN packets to a target server without ever completing the three-way handshake. The target allocates resources for each half-open connection until its connection backlog is exhausted, denying service to legitimate clients or crashing the server.

  • ICMP flood attacks, which involve using the Internet Control Message Protocol (ICMP) to flood a target system with ICMP packets.

  • UDP floods, where hackers deploy a flood of User Datagram Protocol (UDP) packets to a host system to disrupt service. This type of attack commonly targets UDP-based services like voice over internet protocol (VoIP) platforms, online games, and other web applications.
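
As an added example (not from the original article), the following Python script detects the half-open connection build-up that a SYN flood leaves in a host's socket table. It parses constructed `ss -tan`-style output; the thresholds and the sample addresses are assumptions.

```python
"""Detect SYN-flood symptoms from a socket table snapshot.

Added example, not from the original article. The input mimics `ss -tan`
output (State, Recv-Q, Send-Q, Local, Peer); the rows below are constructed.
"""
from collections import Counter

# Constructed snapshot: several half-open (SYN-RECV) connections from one peer.
SNAPSHOT = """\
State      Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB      0      0      10.0.0.5:443        198.51.100.7:51324
SYN-RECV   0      0      10.0.0.5:443        203.0.113.10:40001
SYN-RECV   0      0      10.0.0.5:443        203.0.113.10:40002
SYN-RECV   0      0      10.0.0.5:443        203.0.113.10:40003
SYN-RECV   0      0      10.0.0.5:443        203.0.113.11:40004
ESTAB      0      0      10.0.0.5:443        198.51.100.8:51330
"""

def parse_snapshot(text):
    """Yield (state, peer_ip) per connection row, skipping the header line."""
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        # Strip the port; rsplit keeps bracketed IPv6 literals intact.
        yield fields[0], fields[4].rsplit(":", 1)[0]

def half_open_report(text, per_source=3, ratio_limit=0.5):
    """Return (half_open_ratio, flood_suspected, suspicious_sources).

    A spoofed-source flood spreads SYN-RECV rows over many peers, so the
    overall ratio is checked as well as per-source concentration.
    """
    total, half_open = 0, Counter()
    for state, peer_ip in parse_snapshot(text):
        total += 1
        if state == "SYN-RECV":
            half_open[peer_ip] += 1
    ratio = sum(half_open.values()) / total if total else 0.0
    suspicious = sorted(ip for ip, n in half_open.items() if n >= per_source)
    return ratio, ratio >= ratio_limit, suspicious

if __name__ == "__main__":
    ratio, suspected, sources = half_open_report(SNAPSHOT)
    print(f"half-open ratio {ratio:.2f}, flood suspected: {suspected}, sources: {sources}")
```

On Linux, the kernel's SYN cookies (net.ipv4.tcp_syncookies=1) are the usual mitigation once the backlog fills, so a high ratio here is a signal to confirm that setting and to rate-limit at the edge rather than to block single addresses.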

2. Application layer attacks

Application layer DoS attacks — or layer 7 attacks — target the application layer of the network. During these attacks, actors try to exploit the way applications process requests. Examples include: 

  • HTTP floods, which involve overwhelming web servers with tons of HTTP requests, causing the server to deplete its resources.

  • Slowloris, where hackers open many connections to a web server and send partial HTTP requests very slowly, depleting the application’s resources by forcing the server to hold those connections open while it waits for the requests to complete.

  • DNS amplification, an amplification attack in which attackers send small DNS queries, with the victim’s spoofed source address, to vulnerable Domain Name System (DNS) servers, which then reply to the victim with much larger responses, overwhelming the application and causing it to crash.

3. Resource exhaustion attacks

A resource exhaustion attack drains a system’s resources, like network bandwidth and CPU, preventing the target system from functioning properly:

  • Ping of death attacks target a network device or computer’s IP stack. For example, an attacker might create oversized Internet Control Message Protocol (ICMP) Echo Request packets that exceed the IP protocol’s specifications. In turn, the target system struggles to process the packets, which eventually knocks the service offline.

  • Teardrop attacks target the IP stack’s fragmentation system. An attacker creates an IP packet with fragments that manipulate the host system’s reassembly process. When the target system tries to reassemble the packets, issues like buffer overflow and memory corruption cause the system to become unresponsive and eventually fail. 

  • NTP amplification attacks use vulnerable Network Time Protocol (NTP) servers to send more traffic to target systems. In these attacks, the attacker discovers misconfigured and publicly accessible NTP servers and issues a monlist command to access the previous 600 IP addresses that interacted with the server. Next, the attacker spoofs the source IP, sends a large volume of forged monlist requests to vulnerable NTP servers, and creates a massive volume of amplified NTP responses, which overwhelms the target.

4. Distributed Denial of Service 

A DDoS attack may utilize both TCP/IP attacks and application layer attacks to target host systems. Threat actors may also launch volumetric DDoS attacks to overload the target’s bandwidth using these tactics:

  • Botnet attacks, which involve using a network of compromised devices to target host networks or services. 

  • Reflection/amplification attacks, where hackers use protocols and services to amplify traffic toward a target location.

Denial of service attacks examples


DoS and DDoS attacks are increasing in volume and sophistication, impacting organizations worldwide. Recently, security researchers observed multiple cyberattacks using a Mirai botnet variant which attacks vulnerabilities in Linux servers and devices. This particular variant — IZ1H9 — mainly focuses on DDoS attacks.  

As one of the more pervasive methods of attack in today’s threat landscape, many organizations are victimized by various types of DDoS attacks — including industry giants like Amazon, Microsoft, and Google. With that in mind, let’s examine some real-world examples of how bad actors have bypassed cloud security protections to launch DDoS attacks.

AWS 

In 2020, AWS mitigated a massive 2.3 Tbps DDoS attack that was launched using hijacked Connectionless LDAP (CLDAP) servers as reflectors. The attack kept AWS in an elevated threat status for three days.

Google 

Google experienced an even larger threat in 2017, mitigating a 2.54 Tbps DDoS attack. In 2022, the company received a series of HTTPS DDoS attacks peaking at 46 million requests per second. As Google explains, that’s the equivalent of receiving all daily requests made on Wikipedia — in just 10 seconds.

GitHub

In 2018, GitHub.com was knocked offline for several minutes following a significant volumetric DDoS attack. The attack peaked at 1.35 Tbps. According to GitHub, the attack originated from over 1,000 different autonomous systems across tens of thousands of unique endpoints. 

Dyn 

Leading DNS provider Dyn experienced a major DDoS attack in 2016 stemming from the Mirai botnet. The attack caused widespread outages across Dyn’s systems and took down multiple internet platforms across Europe and North America, leading to significant business interruptions and substantial recovery costs.

How to prevent denial of service attacks


With DoS and DDoS attacks becoming increasingly common, businesses and service providers must take preventative action to mitigate risks. Companies that fail to shield their assets from such attacks risk costly outages, data loss, and reputational harm. This section will explore strategies businesses can use to prevent DoS attacks from impacting operations. 

Use firewalls 

Firewalls help protect against low-level DoS and DDoS attacks. These systems can filter incoming and outgoing traffic, block malware, and enforce rate limits and traffic-shaping policies. 

While firewalls can thwart some attacks, they don’t offer complete protection. They primarily operate at the network layer, so they offer little defense against application-layer attacks. Additionally, firewalls have bandwidth and processing limitations that make them less effective during large-scale DDoS attacks.

For the best results, use next-generation firewalls with additional network security features like integrated intrusion protection and advanced threat detection capabilities. Even so, it’s best to use firewalls as part of a layered defense strategy alongside additional cybersecurity technologies. 

Implement intrusion prevention systems 

Intrusion prevention systems (IPS) monitor network traffic for breach attempts. They can also be useful for protecting against DoS attacks.

For example, a business might use an IPS to study legitimate traffic patterns and identify anomalies that align with DoS attacks, like sudden traffic spikes. An IPS also enables rate limiting and traffic shaping and can dynamically filter rules and manage blocklists for harmful IP addresses and domains. 

Unfortunately, an IPS is less effective at preventing large-scale cyber attacks due to bandwidth restrictions and limited visibility. Such systems only inspect network traffic and known attack patterns, making it difficult to detect emerging threats.

Deploy content delivery networks 

A content delivery network (CDN) — like Cloudflare — is a geographically distributed network of data centers and servers that deliver web content to intended users. As it turns out, CDNs can also help against DoS attacks. CDNs offer distributed network infrastructure with multiple points of presence. For example, a business might have servers in Southeast Asia, Latin America, and North America. In the event of a DDoS attack, the CDN can distribute traffic across its network and avoid the origin server — preventing the incoming attack from disrupting operations.

CDNs also have advanced features like load balancing, anycast routing, and traffic filtering, providing extra protection.

Conduct regular traffic analysis

One of the best ways to protect against DoS attacks is to conduct regular traffic analysis. This makes it possible to gain a baseline of normal network traffic patterns and discover and respond to abnormal patterns and incoming attacks when they occur. 

For example, your business might notice a spike in traffic from an unusual source which may indicate that a botnet is attacking the organization. By understanding where traffic typically comes from, organizations can take immediate action to shield against bad traffic. 
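
The baseline-versus-spike comparison described above, as an added example that is not part of the original article: it buckets constructed access-log records (timestamp, source IP, path) per minute, learns a per-source baseline from the earlier minutes, and flags sources in the newest minute that exceed it, noting whether each was ever seen before. The record format and thresholds are assumptions.

```python
"""Baseline-and-spike analysis over access-log style records.

Added example, not part of the original article. Records are constructed
tuples (epoch_seconds, source_ip, path); the format and thresholds are
assumptions, not a real log format.
"""
from collections import Counter, defaultdict
from statistics import mean, pstdev

BASE = 1700000040  # constructed start time, aligned to a minute boundary

# Five quiet baseline minutes: two known clients, 2 requests each per minute.
RECORDS = [(BASE + m * 60 + i * 10,
            "198.51.100.7" if i % 2 == 0 else "198.51.100.8", "/index.html")
           for m in range(5) for i in range(4)]
# Newest minute: 60 requests from a never-seen source, plus one normal request.
RECORDS += [(BASE + 300 + i, "203.0.113.55", "/login") for i in range(60)]
RECORDS.append((BASE + 305, "198.51.100.7", "/index.html"))

def per_minute_counts(records):
    """Map minute bucket -> Counter(source_ip -> request count)."""
    buckets = defaultdict(Counter)
    for ts, ip, _path in records:
        buckets[ts // 60][ip] += 1
    return buckets

def detect_spikes(records, sigma=3.0, floor=20):
    """Flag sources in the newest minute that exceed the learned baseline.

    The baseline is every earlier minute's per-source request count; the
    threshold is mean + sigma * stddev, but never below `floor` so that a
    flat baseline (stddev 0) does not flag ordinary jitter.
    Returns {ip: (count, seen_in_baseline)}.
    """
    buckets = per_minute_counts(records)
    minutes = sorted(buckets)
    baseline, current = minutes[:-1], minutes[-1]
    samples = [n for m in baseline for n in buckets[m].values()]
    threshold = max(mean(samples) + sigma * pstdev(samples), floor)
    known = {ip for m in baseline for ip in buckets[m]}
    return {ip: (n, ip in known)
            for ip, n in buckets[current].items() if n > threshold}

if __name__ == "__main__":
    for ip, (count, known) in detect_spikes(RECORDS).items():
        origin = "known client" if known else "unseen source"
        print(f"{ip}: {count} requests in the last minute ({origin})")
```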

Enable rate limiting

Rate limiting involves restricting the amount of incoming traffic for a network resource — e.g., a user, service, or application. By creating rate limits, organizations can set thresholds on incoming requests and prevent threat actors from abusing them. What’s more, rate limiting also prevents threat actors from depleting critical system resources during attacks.
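
An added example of the mechanism, not the article's own code: a per-client sliding-window rate limiter that rejects requests above a threshold and reports when the client may retry. Keying on client IP and the limit of 5 requests per 10 seconds are illustrative assumptions.

```python
"""Per-client sliding-window rate limiter.

Added example, not from the original article. Keying on client IP and the
default limit of 5 requests per 10-second window are illustrative assumptions.
"""
from collections import defaultdict, deque

class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds per key.

    Each key keeps a deque of request timestamps; timestamps older than the
    window are evicted on every call, so memory per key is bounded by `limit`.
    """
    def __init__(self, limit=5, window=10.0):
        self.limit, self.window = limit, window
        self._hits = defaultdict(deque)

    def allow(self, key, now):
        """Return (allowed, retry_after_seconds) for a request at time `now`."""
        hits = self._hits[key]
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) < self.limit:
            hits.append(now)
            return True, 0.0
        # The oldest hit still in the window decides when a slot frees up.
        return False, round(self.window - (now - hits[0]), 3)

def replay(requests, limiter=None):
    """Apply the limiter to (time, client_ip) pairs; return rejected counts per client."""
    limiter = limiter or SlidingWindowLimiter()
    rejected = defaultdict(int)
    for t, ip in requests:
        allowed, _retry = limiter.allow(ip, t)
        if not allowed:
            rejected[ip] += 1
    return dict(rejected)

# Constructed traffic: one client bursts 20 requests in 2 s, another sends 1 request every 3 s.
BURST = [(0.1 * i, "203.0.113.9") for i in range(20)]
STEADY = [(3.0 * i, "198.51.100.3") for i in range(10)]

if __name__ == "__main__":
    print(replay(BURST + STEADY))  # only the bursting client is throttled
```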

How Coalition protects against DoS attacks

DoS attacks are just one of an ever-growing number of cyber threats facing your business. The enterprise threat surface is expanding every day — a trend that’s only going to accelerate in the coming years.  

To protect against this increasingly common cybercrime, security administrators need to centralize and simplify risk management to identify and mitigate threats. To help, Coalition offers Control 2.0, a cyber risk management platform that helps organizations take an active role in risk mitigation.

Coalition Control also includes a growing marketplace of cybersecurity partners offering services across a range of high-need areas like endpoint detection and response (EDR), multi-factor authentication (MFA), and more. It also includes DoS protection; new users can enjoy a discount on Cloudflare services.

To learn more about how Coalition Control can help you improve DoS and DDoS protection, read this.