Denial of service attacks: Methods used to prevent them.
What is a Denial of Service Attack?
DoS, or denial of service attack, is an attempt to suspend the services of an online host by flooding the target with excessive and unnecessary requests, causing it to overload so that legitimate requests cannot be fulfilled. DDoS, or distributed denial of service, is where the flooding comes from multiple attack sources rather than from a single computer or IP address.
The results of a successful DoS attack are characterized by a particular website or online service being unusually slow or entirely unreachable. This could be likened to large groups of Black Friday shoppers cramming themselves into a store, blocking entry to the people behind them and slowing down customer traffic.
What are the symptoms of one?
When a client attempts to connect to a service that is under an effective DoS attack, they may experience the following:
- Excessive load times with partially loaded data or a total failure to connect
- Inability to connect to one particular website or its services
- In the case that an ISP is targeted, all of its users may be unable to access the web
- Sudden loss of internet connection, whether to one service or all of them.
Unwitting (and unwilling) participants in a poorly controlled DDoS attack can lose their own internet connection as the attack spreads from one IP to the next, knocking entire geographical locations offline. This is usually not intended, as DoS attackers are generally more interested in disabling a specific target.
A recent example of this is when the Australian Bureau of Statistics (ABS) conducted their Census, which had received over $500,000 in stress testing for quality assurance — only to be subjected to a series of DDoS attacks that resulted in multiple interruptions of service. At the time, sites like Google and Yahoo! would have worked fine — only the ABS website was down.
Motives of a DoS attack
Not all slow or failed connections are due to DoS; however, it is a distinct possibility if the affected service has garnered a great deal of publicity lately. This is because perpetrators frequently use DoS software to temporarily disable websites, network providers, web-based services and video game hosts in order to make a statement, gain publicity, exact revenge, or simply as a show of power.
In the case of the ABS being attacked, the Census was a matter of high publicity. As with other high-profile web-based situations, such as the launch of an anticipated site or video game, the attention of unsavory individuals was captured. Attacks were administered for what was guessed to be no other reason than “because they can”.
Denial of service attacks have been used for benevolent causes as well, shutting down criminal enterprises or even singular IP addresses of criminal perpetrators. Hacktivist group Anonymous has gained traction for administering DoS attacks against organizations and people that are thought to have engaged in illicit activities.
Unfortunately, DoS is an effective method of briefly shutting down almost any host whose services are provided over the Internet in any form. An attack can last for minutes or hours, depending on how long the offending IP addresses continue to send superfluous requests. Hosts and legitimate clients usually have to wait it out until it’s over. There are countermeasures to mitigate the effectiveness of an attack, but there’s no surefire way to avoid it altogether.
Typically, hosts with more bandwidth and server support are more difficult to crash, but this isn’t an especially effective means of directly combating such attacks, since the scale has been rising rapidly over the years in proportion to advancements in the technology that can handle it. The volume of an attack nowadays can exceed 400Gbit/s, which could effectively bring large-scale providers to their knees.
There are other well-known methods that are implemented to mitigate the severity of DoS attacks, listed as follows.
- Blackholing routes the offending traffic to a “black hole” or null server where it causes no harm.
- DNS sinkholing routes all traffic to a working IP address that inspects packets and rejects those that are faulty. This is not effective for severe attacks, however.
- Firewalls are effective because they can block the offending IP addresses or the ports they’re attacking. This has the drawback of also blocking legitimate requests through those ports, however.
- Intrusion prevention systems (IPS) are designed to detect server requests that are not legitimate and deny them. There are multiple types of IPS, but generally speaking, DoS requests that mimic legitimate ones can bypass this countermeasure.
- DoS defense systems (DDS) are similar to IPS and are designed to block malicious requests that appear legitimate.
- Routers offer rate-limiting settings and ACL features, but are easily overpowered regardless. They can still mitigate the effects of an attack.
- Upstream filtering routes traffic through a series of network scrubbing systems that identify malicious traffic and separate it from legitimate traffic. This is offered as a service by companies such as Arbor Networks, AT&T, Verizon, Cloudflare, Radware, and more.
The problem with preventing malicious requests is that there’s no effective way to know what the request will be until it’s already in the system and pulling on its resources. Blocking malicious traffic tends to be much like blocking an entire highway: The bad traffic is halted, but so is the good.
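As an added example (not part of the original article), the per-source rate limit that routers and IPS devices apply, run over a constructed access log, followed by a comparison of a per-IP block against a port-wide block to show the collateral loss of legitimate requests described above. The log format, addresses, window and threshold are all assumptions.

```python
import re
from collections import defaultdict, deque

# Constructed sample access log (not from the article): "<unix_ts> <src_ip> <dst_port> <path>".
# 10.0.0.5 fires 12 requests at port 80 within two seconds; the other sources are legitimate.
SAMPLE_LOG = "\n".join(
    [f"{1000 + i // 6} 10.0.0.5 80 /index.html" for i in range(12)]
    + ["1000 192.0.2.9 80 /index.html", "1001 192.0.2.9 80 /css/site.css",
       "1001 198.51.100.4 443 /login", "1002 192.0.2.9 80 /img/logo.png"]
)
LOG_RE = re.compile(r"^(\d+) ([\d.]+) (\d+) (\S+)$")

def parse_log(text):
    """Parse log lines into (ts, src_ip, dst_port, path) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts, ip, port, path = m.groups()
            events.append((int(ts), ip, int(port), path))
    return events

def find_flooders(events, window=5, threshold=10):
    """Sliding-window per-source rate check, the kind of limit a router ACL or IPS applies.
    A source is flagged when it sends more than `threshold` requests in any `window` seconds."""
    recent = defaultdict(deque)
    flagged = set()
    for ts, ip, _port, _path in sorted(events):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:      # expire timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold:
            flagged.add(ip)
    return flagged

def apply_block(events, blocked_ips=frozenset(), blocked_ports=frozenset()):
    """Drop events whose source IP or destination port is blocked; return (kept, dropped)."""
    kept, dropped = [], []
    for ev in events:
        (dropped if ev[1] in blocked_ips or ev[2] in blocked_ports else kept).append(ev)
    return kept, dropped

def collateral(dropped, flooders):
    """Dropped requests that did not come from a flagged source: the legitimate traffic lost."""
    return [ev for ev in dropped if ev[1] not in flooders]
```

Blocking the flagged IP drops only the 12 flood requests, while blocking port 80 outright also drops the three legitimate requests from 192.0.2.9, which is the highway-closure effect the paragraph describes.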
The future of DoS prevention
Because of the technical complexity involved, denial of service attacks continue to grow not only in volume but also in sophistication. The means of launching an attack are growing more advanced while security methods are still playing catch-up, and with every new variant of an attack, defenders need more time to come up with a countermeasure, meaning they are always effectively behind. For now, there is no certain strategy or one-size-fits-all approach to prevention going forward.