What are Denial-of-Service (DoS) Attacks?

December 31, 2021

What is a Denial-of-Service (DoS) attack

A Denial-of-Service (DoS) attack is a malicious, targeted attack that floods a network with false requests in order to disrupt business operations. In a DoS attack, users are unable to perform routine and necessary tasks, such as accessing email, websites, online accounts or other resources that are operated by a compromised computer or network. While most DoS attacks do not result in lost data and are typically resolved without paying a ransom, they cost the organization time, money and other resources in order to restore critical business operations.

How Do DoS Attacks Work?

A DoS attack is most commonly accomplished by flooding the targeted host or network with illegitimate service requests. The hallmark of these attacks is the use of a false IP address, which prevents the server from authenticating the user. As the flood of bogus requests are processed, the server is overwhelmed, which causes it to slow and, at times, crash—at which point, access by legitimate users is disrupted. In order for most DoS attacks to be successful, the malicious actor must have more available bandwidth than the target.

Types of DoS Attacks

There are two main types of DoS attacks: those that crash web-based services and those that flood them. Within those two categories, there are many different subsets, which vary based on the adversary’s methods, the equipment that is targeted and how the attack is measured.

Buffer Overflow

Buffer overflows is the most common form of DoS attack. In this type of exploit, the adversary drives more traffic to a network address than the system is capable of handling. This causes the machine to consume all available buffers, or memory storage regions that temporarily hold data while it is being transferred within the network. A buffer overflow occurs when the volume of data exceeds all available bandwidth, including disk space, memory, or CPU, resulting in slow performance and system crashes.

Flood Attacks

Flood attacks occur when the system receives too much traffic for the server to manage, causing them to slow and possibly stop. Common flood attacks include:

ICMP floods, commonly called smurf or ping attacks, exploit misconfigured network devices. In these attacks, the adversaries deploy spoofed packets — or the false IP addresses — that “ping” each device on the targeted network without waiting for a reply. As the network manages the surge in traffic, the system will slow and possibly stop.

A SYN flood sends a connection request to a server, but never completes the metaphorical “handshake” with the host. These requests continue to flood the system until all open ports are saturated, leaving no available avenues for access for legitimate users.

2023 CrowdStrike Global Threat Report

The 2023 Global Threat Report highlights some of the most prolific and advanced cyber threat actors around the world. These include nation-state, eCrime and hacktivist adversaries. Read about the most advanced and dangerous cybercriminals out there.

Download Now

How can you identify a DoS Attack?

The signs of a DoS attack can be observed by any network user. Common indicators include:

  • Slow network performance for common tasks, such as downloading/uploading files, logging into an account, accessing a website or streaming audio or video content
  • Inability to access online resources, including websites or web-based accounts, such as bank accounts, investment portfolios, education materials or health records
  • An interruption or loss in connectivity of multiple devices on the same network

Unfortunately, for most system users, the symptoms of a DoS attack often resemble basic network connectivity issues, routine maintenance or a simple surge in web traffic — prompting many to disregard the issue.

What is the difference between DoS attack and DDoS attack?

The main difference between a Distributed Denial-of-Service (DDoS) attack and a DoS attack is the origin of the attack. A DDoS is an orchestrated attack launched from multiple locations by several systems simultaneously, whereas a DoS attack is singular in nature.

Typically, a DDoS is considered to be a more sophisticated attack and poses a much larger threat to organizations because it leverages multiple devices across a variety of geographies, making it more difficult to identify, track and neutralize. Most commonly, DDoS attackers leverage a botnet — a network of compromised computers or devices that are supervised by a command and control (C&C) channel — to carry out this type of synchronized attack.

While many standard security tools adequately defend against DoS attacks, the distributed nature of DDoS attacks requires a more comprehensive security solution that includes advanced monitoring and detection capabilities, as well as a dedicated threat analysis and remediation team.

DDoS attacks have become more common in recent years due to the proliferation of connected devices enabled by the Internet of Things (IoT). It is essential for both organizations and consumers to employ basic security measures, such as setting strong passwords, for any connected device in the workplace or home. The security of these devices is especially important because most do not show any indication of compromise, making it possible for adversaries to utilize them for their attacks possibly as part of a botnet, unbeknownst to owners.

How can you reduce the risk of a DoS attack

In a recent post, Robin Jackson, principal consultant for CrowdStrike, offered organizations the following tips to prevent, detect and remediate cyberattacks, including DoS attacks. He suggests the following steps:

  • Establish consistent and comprehensive training for employees about how to recognize common attack indicators and promote responsible online activity.
  • Verify extortion attempts when adversaries threaten massive DoS attacks. A cybersecurity partner could help the organization quickly investigate the threat and gauge their ability to disrupt operations — potentially saving the organization significant money in the event the threat is not credible.
  • Conduct routine tabletop exercises and penetration testing to improve prevention capabilities by identifying weaknesses in the network architecture.
  • Segregate backups to prevent enumeration if and when ransomware begins to encrypt.
  • Encrypt sensitive data when it is at rest and in motion to reduce the risk of data loss, leakage or theft.
  • Ensure the best instrumentation in order to improve network visibility.
  • Create a communications plan so that your company can manage media inquiries, customer questions and other stakeholders issues quickly and clearly.
  • Contact law enforcement so that officials have more information about cyber criminals and their tactics.