How a Denial of Service Attack Works

Denial of Service Attacks

There are two kinds of denial of service attacks: the first is simply known as a Denial of Service (DOS) and the second is a Distributed Denial of Service (DDOS).

As the names hint, the main difference between the two is where the attacks originate from. A Denial of Service attack usually comes from a single person or network; a distributed attack will involve computers from networks all over the world in a bid both to amplify the attack and make it more difficult to stop.

Most DOS attacks launched today are technically DDOS attacks because they utilize botnets of computers, giving them a distributed element without having to involve other people. Sadly, these networks are usually comprised of systems that are infected with malware and have been taken over without the owners' permission or knowledge. This is part of what makes the attacks so dangerous.

However, for the rest of this post, we will be referring to both kinds of attacks, even though most DOS attacks today are really DDOS attacks.

How a Denial of Service Attack Works

Though there are several approaches to achieving the goal of a DOS attack, the basic idea is always the same: send so many useless requests to a server or computer that legitimate ones cannot get through.

The simplest way to do this is to just flood a machine with a large volume of pointless traffic, similar to having a mob of human beings block the door to a building. Enough connections effectively shut down or slow a server by using up its bandwidth, memory and other resources; there's just not enough left to go round for legitimate visitors.

However, since even small servers can handle a sizable amount of traffic, this goal can be tough to reach, even with a large number of computers opening up as many connections as they can. As such, attackers have sought ways to force servers to waste resources beyond what a normal, completed connection would cost.

One such method, the SYN flood, involves spoofing the source IP address of the request. Here's how it works: the attacking machine sends a SYN packet to the server but makes it appear to come from somewhere else. The server responds with a SYN/ACK packet, but no reply ever arrives because the address is fake. The server, not wanting to drop the connection instantly, waits a few moments, keeping the half-open connection in memory until it times out.

Since one machine can send hundreds of fake requests at a time, this can cause the server to keep a slew of useless connections open (and in memory) even though no one is home to answer them. The result is that a relatively small number of attacking machines can bring down a seemingly much larger server.
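The arithmetic behind that claim is simple enough to simulate. The following is an added example, not code from the original article: a small model of a listen backlog in which every spoofed SYN holds a slot until the handshake timeout expires, while legitimate clients complete their handshake at once. Backlog size, timeout and arrival rates are made-up illustration values, and the `syn_cookies` switch models the stateless SYN/ACK mitigation that modern kernels offer, which goes beyond what the article covers.

```python
"""Why unanswered SYNs are expensive: a listen-backlog model.

Added example, not code from the original article. It simulates the
mechanism the text describes: a spoofed SYN makes the server reserve a
backlog slot and hold it until the handshake timeout, so SYNs that never
complete exhaust the queue once they arrive faster than slots are freed.
Every number (backlog size, timeout, arrival rates) is constructed for
illustration; real kernels differ in backlog sizing and timeouts.
"""
from collections import deque
from dataclasses import dataclass


@dataclass
class BacklogResult:
    legit_accepted: int   # legitimate handshakes that found a free slot
    legit_refused: int    # legitimate SYNs dropped because the queue was full
    peak_half_open: int   # most slots held by unanswered SYN/ACKs at one time


def will_saturate(backlog_size, syn_timeout, spoofed_per_tick):
    """Closed-form version of the simulation: in steady state a spoofed
    SYN stream holds (rate x timeout) slots, so the backlog fills whenever
    that product reaches its size."""
    return spoofed_per_tick * syn_timeout >= backlog_size


def simulate_backlog(backlog_size, syn_timeout, spoofed_per_tick,
                     legit_per_tick, ticks, syn_cookies=False):
    """Run the listen queue for `ticks` time units.

    A spoofed SYN occupies a slot until `syn_timeout` ticks have passed:
    the SYN/ACK went to a forged address, so the final ACK never comes.
    A legitimate client answers promptly and completes within the tick, so
    it needs a free slot only momentarily; if none is free its SYN is
    dropped and the user sees a stalled or refused connection.

    With `syn_cookies=True` the server keeps no per-connection state until
    the handshake completes (it encodes what it needs in the SYN/ACK
    sequence number), so spoofed SYNs consume no slots at all. That is the
    standard kernel-side mitigation and is not covered by the article.
    """
    half_open = deque()  # expiry tick of each occupied slot, oldest first
    accepted = refused = peak = 0
    for now in range(ticks):
        # Release slots whose handshake timer has expired.
        while half_open and half_open[0] <= now:
            half_open.popleft()
        # Spoofed SYNs arrive and, unless SYN cookies are on, take free slots.
        if not syn_cookies:
            for _ in range(spoofed_per_tick):
                if len(half_open) < backlog_size:
                    half_open.append(now + syn_timeout)
        peak = max(peak, len(half_open))
        # Legitimate SYNs each need one free slot for the duration of the tick.
        for _ in range(legit_per_tick):
            if len(half_open) < backlog_size:
                accepted += 1
            else:
                refused += 1
    return BacklogResult(accepted, refused, peak)


if __name__ == "__main__":
    # Backlog of 128, 60-tick handshake timeout, 2 real clients per tick.
    for rate in (1, 5):
        r = simulate_backlog(128, 60, rate, 2, 100)
        print(f"{rate} spoofed SYN/tick: saturates={will_saturate(128, 60, rate)} {r}")
    print("same flood with SYN cookies:",
          simulate_backlog(128, 60, 5, 2, 100, syn_cookies=True))
```

With one spoofed SYN per tick the queue settles at 60 half-open entries and every real client gets in; at five per tick the 128-slot backlog is full by tick 25 and stays full, because slots are only freed at the rate the old SYNs time out and fresh spoofed SYNs immediately take them. The same flood against a server using SYN cookies refuses nobody, which is why the defense is worth enabling before an attack rather than during one.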

This attack can be done either by one computer, a botnet that's controlled by one master or, as with Operation Payback, a group of people working together.

The strategy is actually fairly successful and has slowed down or crashed some very large sites over the years. However, companies have become wise to DDOS attacks and have begun to take some precautions.

Defending Against a DDOS

There are several ways to defend against a DDOS attack. However, if one hits out of the blue there may not be much to prevent it from taking a site down for at least a short period of time.

Still, if one finds themselves under such an attack, there are three options for resolution:

  1. Filtering: Most DDOS attacks are easy to spot and filter. Routers at the edge of the network can be configured to spot and drop DDOS connections, preventing them from slowing the network or the server.
  2. Moving: If the attack is pointed at a specific IP address, as is often the case, one might be able to escape it by simply moving the site to another IP on the same network, as the White House did before a particularly nasty computer virus tried to DDOS its site.
  3. Blackholing: This is a desperate move, but a host may simply "blackhole" a site that is being DDOSed, meaning it directs all traffic destined for that site to an address that doesn't exist, so that the flood doesn't impact other sites on the server or network.
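Filtering in practice starts with telling half-open connections apart from real ones. The following is an added example, not part of the original article: it parses connection-table lines in the format of `ss -tan` (the sample output is constructed, using the documentation address ranges) and reports, per listening port, how many connections are stuck in SYN-RECV versus ESTAB, plus how the half-open peers cluster by /24 prefix. The thresholds are assumptions to be tuned for the server in question.

```python
"""Telling a SYN flood apart from real traffic in a connection table.

Added example, not from the original article. Input is `ss -tan`-style
output; the sample below is constructed, with addresses drawn from the
documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24.
The thresholds are assumptions and need tuning for a real server.
"""
from collections import Counter
import ipaddress
import re

SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port     Peer Address:Port
ESTAB      0      0      203.0.113.10:443       192.0.2.15:49152
ESTAB      0      0      203.0.113.10:443       192.0.2.77:50311
SYN-RECV   0      0      203.0.113.10:443       198.51.100.23:51744
SYN-RECV   0      0      203.0.113.10:443       198.51.100.199:6001
SYN-RECV   0      0      203.0.113.10:443       198.51.100.8:40001
SYN-RECV   0      0      203.0.113.10:443       192.0.2.201:1234
SYN-RECV   0      0      203.0.113.10:443       198.51.100.57:33333
ESTAB      0      0      203.0.113.10:22        192.0.2.15:49200
LISTEN     0      128    0.0.0.0:443            0.0.0.0:*
"""

# state, recv-q, send-q, local addr:port, peer addr:port (IPv4 or bracketed IPv6)
LINE_RE = re.compile(
    r"^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+):(?P<lport>\d+|\*)"
    r"\s+(?P<peer>\S+):(?P<pport>\d+|\*)\s*$"
)


def parse_connections(text):
    """Return one dict per data line; the header and anything unparsable is skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def half_open_report(rows, min_half_open=4, min_ratio=0.5):
    """Per listening port: half-open vs established counts and whether the
    mix looks like a flood. `distinct_peers == half_open` is the spoofing
    signature: every stuck handshake claims a different source address, so
    blocking individual addresses will not keep up."""
    half_open, established, peers = Counter(), Counter(), {}
    for r in rows:
        port = r["lport"]
        if r["state"] == "SYN-RECV":
            half_open[port] += 1
            peers.setdefault(port, set()).add(r["peer"])
        elif r["state"] == "ESTAB":
            established[port] += 1
    report = {}
    for port in set(half_open) | set(established):
        h, e = half_open[port], established[port]
        ratio = h / (h + e)
        report[port] = {
            "half_open": h,
            "established": e,
            "ratio": round(ratio, 2),
            "distinct_peers": len(peers.get(port, ())),
            "suspicious": h >= min_half_open and ratio >= min_ratio,
        }
    return report


def half_open_by_prefix(rows, prefix_len=24):
    """Aggregate SYN-RECV peers into /prefix_len networks. If the flood is
    spread thinly across many prefixes, address-based filtering at the edge
    will not remove it and state- or rate-based limits are the better lever."""
    counts = Counter()
    for r in rows:
        if r["state"] != "SYN-RECV":
            continue
        try:
            net = ipaddress.ip_network(f"{r['peer']}/{prefix_len}", strict=False)
        except ValueError:  # '*' or an otherwise unparsable peer address
            continue
        counts[str(net)] += 1
    return counts


if __name__ == "__main__":
    rows = parse_connections(SAMPLE_SS_OUTPUT)
    for port, stats in sorted(half_open_report(rows).items()):
        print(f"port {port}: {stats}")
    print("half-open peers by /24:", dict(half_open_by_prefix(rows)))
```

On the sample, port 443 shows five half-open connections against two established ones, each from a different peer, which is the pattern the article describes; port 22 looks normal. The prefix breakdown is what an edge-router filter would act on, and the caveat it exposes is that a flood forged from many unrelated prefixes leaves little for an address-based rule to match, so the more dependable filters key on connection state and rate rather than on who the packets claim to come from.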

In addition to those techniques, many companies sell anti-DDOS appliances and applications that are designed to detect and block such attacks.

Still, for the most part, the only sure-fire way to end a DDOS attack is to wait. Most attacks don't last very long because those with botnets don't wish to expose their network for too long, and group attacks can't hold their cohesion forever.

Though it may be a few days, the attack usually lifts and things return to normal soon after.

Bottom Line

All in all, DOS attacks represent a very seedy underside of the Web and, unfortunately, it is a side that webmasters large and small will have to deal with at some point.

It's important to bear in mind that DDOS attacks are not "hacks" (i.e. the system is not compromised, data is not exposed, etc.); they merely prevent the server from being able to receive legitimate requests for data.

Also, those who use DDOS attacks are not usually skilled hackers; the tools necessary are open source and freely available online.
