< Back to EPP 101

What are Denial-of-Service (DoS) Attacks?

November 12, 2020

What is a Denial-of-Service (DoS) attack

A Denial-of-Service (DoS) attack is a malicious, targeted attack that floods a network with false requests in order to disrupt business operations. In a DoS attack, users are unable to perform routine and necessary tasks, such as accessing email, websites, online accounts or other resources that are operated by a compromised computer or network. While most DoS attacks do not result in lost data and are typically resolved without paying a ransom, they cost the organization time, money and other resources in order to restore critical business operations.

red keyboard with malware icon

How Do DoS Attacks Work?

A DoS attack is most commonly accomplished by flooding the targeted host or network with illegitimate service requests. The hallmark of these attacks is the use of a false IP address, which prevents the server from authenticating the user. As the flood of bogus requests are processed, the server is overwhelmed, which causes it to slow and, at times, crash—at which point, access by legitimate users is disrupted. In order for most DoS attacks to be successful, the malicious actor must have more available bandwidth than the target.

Types of DoS Attacks

There are two main types of DoS attacks: those that crash web-based services and those that flood them. Within those two categories, there are many different subsets, which vary based on the adversary’s methods, the equipment that is targeted and how the attack is measured.

Buffer Overflow

Buffer overflows is the most common form of DoS attack. In this type of exploit, the adversary drives more traffic to a network address than the system is capable of handling. This causes the machine to consume all available buffers, or memory storage regions that temporarily hold data while it is being transferred within the network. A buffer overflow occurs when the volume of data exceeds all available bandwidth, including disk space, memory, or CPU, resulting in slow performance and system crashes.

Flood Attacks

Flood attacks occur when the system receives too much traffic for the server to manage, causing them to slow and possibly stop. Common flood attacks include:

ICMP floods, commonly called smurf or ping attacks, exploit misconfigured network devices. In these attacks, the adversaries deploy spoofed packets — or the false IP addresses — that “ping” each device on the targeted network without waiting for a reply. As the network manages the surge in traffic, the system will slow and possibly stop.

A SYN flood sends a connection request to a server, but never completes the metaphorical “handshake” with the host. These requests continue to flood the system until all open ports are saturated, leaving no available avenues for access for legitimate users.

Want to Stay Ahead of Adversaries?

Download the 2020 Global Threat Report to uncover trends in attackers’ ever-evolving tactics, techniques, and procedures that our teams observed this past year.

Download Now

What is the difference between DoS attack and DDoS attack?

The main difference between a Distributed Denial-of-Service (DDoS) attack and a DoS attack is the origin of the attack. A DDoS is an orchestrated attack launched from multiple locations by several systems simultaneously, whereas a DoS attack is singular in nature.

Typically, a DDoS is considered to be a more sophisticated attack and poses a much larger threat to organizations because it leverages multiple devices across a variety of geographies, making it more difficult to identify, track and neutralize. Most commonly, DDoS attackers leverage a botnet — a network of compromised computers or devices that are supervised by a command and control (C&C) channel — to carry out this type of synchronized attack.

While many standard security tools adequately defend against DoS attacks, the distributed nature of DDoS attacks requires a more comprehensive security solution that includes advanced monitoring and detection capabilities, as well as a dedicated threat analysis and remediation team.

DDoS attacks have become more common in recent years due to the proliferation of connected devices enabled by the Internet of Things (IoT). It is essential for both organizations and consumers to employ basic security measures, such as setting strong passwords, for any connected device in the workplace or home. The security of these devices is especially important because most do not show any indication of compromise, making it possible for adversaries to utilize them for their attacks possibly as part of a botnet, unbeknownst to owners.

How can you identify a DoS Attack?

The signs of a DoS attack can be observed by any network user. Common indicators include:

  • Slow network performance for common tasks, such as downloading/uploading files, logging into an account, accessing a website or streaming audio or video content
  • Inability to access online resources, including websites or web-based accounts, such as bank accounts, investment portfolios, education materials or health records
  • An interruption or loss in connectivity of multiple devices on the same network

Unfortunately, for most system users, the symptoms of a DoS attack often resemble basic network connectivity issues, routine maintenance or a simple surge in web traffic — prompting many to disregard the issue.

As such, the best way to detect, identify and resolve a DoS attack is through a robust network monitoring and detection solution. These tools will alert system administrators about unusually heavy traffic or other network anomalies that may indicate the presence of an attack.

Organizations that suspect they may be the victim of a DoS attack should engage a reputable, trusted cybersecurity partner to determine the origin of the issue and determine how to contain and resolve it. In addition to analyzing the situation, this cybersecurity partner would also coordinate with the network administrator and ISP to ensure that the interruption or outage is not the result of a non-malicious network issue or an external problem.

It is important to note that in many cases DoS attacks may be used by adversaries as a diversion technique in a broader attack scheme. In drawing attention and resources to the DoS, the threat actors may then launch subsequent attacks, which may result in the loss of data or use of ransomware. As such, the information security team should remain vigilant about the health of their entire network in the event of a DoS attack.

How can you reduce the risk of a DoS attack

In a recent post, Robin Jackson, principal consultant for CrowdStrike, offered organizations the following tips to prevent, detect and remediate cyberattacks, including DoS attacks. He suggests the following steps:

  • Establish consistent and comprehensive training for employees about how to recognize common attack indicators and promote responsible online activity.
  • Verify extortion attempts when adversaries threaten massive DoS attacks. A cybersecurity partner could help the organization quickly investigate the threat and gauge their ability to disrupt operations — potentially saving the organization significant money in the event the threat is not credible.
  • Conduct routine tabletop exercises and penetration testing to improve prevention capabilities by identifying weaknesses in the network architecture.
  • Segregate backups to prevent enumeration if and when ransomware begins to encrypt.
  • Encrypt sensitive data when it is at rest and in motion to reduce the risk of data loss, leakage or theft.
  • Ensure the best instrumentation in order to improve network visibility.
  • Create a communications plan so that your company can manage media inquiries, customer questions and other stakeholders issues quickly and clearly.
  • Contact law enforcement so that officials have more information about cyber criminals and their tactics.

How CrowdStrike Provides Protection over your Network

CrowdStrike Falcon Network as a Service provides an extensive network security monitoring capability for detection, response and threat hunting. Our team identifies threat actors trying to gain access or threaten the stability of the network through denial-of-services (DoS) attacks.

Learn how Falcon can help maintain your network health and stability:

CrowdStrike Services