A denial of service (DoS) event is a cyber attack in which hackers or cybercriminals seek to make a host machine, online service or network resource unavailable to its intended users. Distributed denial of service attacks may be the most well-known type of hacking incident – the 2018 GitHub and 2016 Dyn DDoS attacks being the most prominent – but there are many other kinds of denial of service attacks that don’t necessarily involve the distributed or botnet approach. In virtually all cases, however, denial of service events are characterized by the target machine or service getting flooded with incoming traffic to the point where processing or bandwidth resources are overwhelmed and taken offline.
In conventional denial of service attacks, the hacker transmits multiple requests to the target machine or service with spoofed (fictitious) source Internet Protocol (IP) addresses. When the server attempts to authenticate these addresses, it encounters a wave of error code responses, setting off a recurring chain of SMTP traffic that can quickly saturate the server. Similarly, in a Smurf attack, the hacker broadcasts packets to multiple hosts with a spoofed IP address belonging to those target machines. When the recipient host machines respond, they effectively flood themselves with response packet traffic.
In a SYN flood, an attacker abuses the TCP three-way handshake (SYN, SYN-ACK, ACK) to take a service offline. In a normal handshake, host A sends a TCP SYNchronize request to host B. On receiving the request, host B (the target machine) replies to host A with a SYNchronize-ACKnowledgement packet. This is the point at which the denial of service occurs. In a legitimate exchange establishing a TCP socket connection, host A would now send an ACKnowledge message back to host B; when the attacker controlling host A withholds that final ACK, the handshake can’t be completed. The upshot is that host B is left holding a half-open connection on a port that’s unavailable for additional requests. When the attacker sends such requests repeatedly, all available ports on host B can quickly hang up and become unavailable.
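The mechanism described above can be made concrete from the defender's side. The following is an added example, not code from the original article: a small model of the queue of half-open connections host B keeps between sending its SYN-ACK and receiving the final ACK, a simulation showing how withheld ACKs exhaust that queue until a timeout frees the stale entries, and a check that flags a listener whose connection table holds too many SYN-RECV entries. The backlog class, the thresholds, the addresses and the connection-table sample (laid out like `ss -tan` output) are all constructed for this example.

```python
"""
Half-open connection monitor for the SYN-flood scenario above.
Added example, not part of the original article; all values are constructed.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class ListenerBacklog:
    """Hypothetical model of a listener's queue of half-open connections."""
    capacity: int            # slots for handshakes still awaiting the final ACK
    timeout: float           # seconds before an unanswered SYN-ACK is discarded
    pending: dict = field(default_factory=dict)  # peer -> time the SYN-ACK was sent
    dropped: int = 0         # SYNs refused because every slot was occupied

    def expire(self, now):
        """Free slots whose SYN-ACK has gone unanswered longer than the timeout."""
        for peer in [p for p, t in self.pending.items() if now - t > self.timeout]:
            del self.pending[peer]

    def on_syn(self, peer, now):
        """Host B receives a SYN; returns True if a half-open slot was available."""
        self.expire(now)
        if len(self.pending) >= self.capacity:
            self.dropped += 1
            return False
        self.pending[peer] = now
        return True

    def on_ack(self, peer):
        """The final ACK completes the handshake and releases the slot."""
        return self.pending.pop(peer, None) is not None


def simulate_syn_flood(capacity=5, timeout=10.0, attacker_syns=8):
    """
    The attacker sends attacker_syns SYNs at t=0 and never answers the SYN-ACKs.
    A legitimate client tries at t=1 and again at t=20, after the timeout has
    cleared the stale entries. Returns (legit_before, legit_after, dropped).
    """
    b = ListenerBacklog(capacity=capacity, timeout=timeout)
    for i in range(attacker_syns):
        b.on_syn(f"203.0.113.{i}:4000{i}", now=0.0)  # constructed attacker peers
    legit_before = b.on_syn("198.51.100.7:51022", now=1.0)   # refused: queue full
    legit_after = b.on_syn("198.51.100.7:51023", now=20.0)   # accepted after expiry
    if legit_after:
        b.on_ack("198.51.100.7:51023")
    return legit_before, legit_after, b.dropped


# Constructed sample in the layout of `ss -tan` output (not a real capture).
SAMPLE_CONN_TABLE = """\
State     Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB     0      0      10.0.0.5:443       198.51.100.7:51022
SYN-RECV  0      0      10.0.0.5:443       203.0.113.10:40001
SYN-RECV  0      0      10.0.0.5:443       203.0.113.11:40002
SYN-RECV  0      0      10.0.0.5:443       203.0.113.12:40003
SYN-RECV  0      0      10.0.0.5:443       203.0.113.13:40004
SYN-RECV  0      0      10.0.0.5:443       203.0.113.14:40005
ESTAB     0      0      10.0.0.5:22        198.51.100.8:51100
"""


def half_open_report(table, max_half_open=4, max_ratio=0.5):
    """Count SYN-RECV rows per local socket; thresholds are arbitrary for the example."""
    half_open, total = Counter(), Counter()
    for line in table.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) < 5:
            continue
        state, local = parts[0], parts[3]
        total[local] += 1
        if state == "SYN-RECV":
            half_open[local] += 1
    report = {}
    for local, n in total.items():
        h = half_open[local]
        report[local] = {
            "half_open": h,
            "total": n,
            "suspect": h > max_half_open or h / n > max_ratio,
        }
    return report


if __name__ == "__main__":
    print(simulate_syn_flood())
    for sock, info in half_open_report(SAMPLE_CONN_TABLE).items():
        print(sock, info)
```

The simulation shows the two halves of the problem: while the attacker's SYN-ACKs sit unanswered the legitimate client is refused, and only the timeout (or an explicit ACK) returns slots to service. The report function is the kind of check a defender runs against a live connection table; a listener with far more SYN-RECV rows than ESTAB rows is the signature to alert on.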
SYN floods, banana attacks and other types of conventional DoS hacks are still in use today – and of course, botnet-powered DDoS attacks remain a constant threat. But malicious hackers have in recent years broadened the number of machines and services they target, and expanded the threat surface considerably. Increasingly, organizations are getting targeted for lower-intensity “degradation of service” attacks that inflict costly service slowdowns without taking resources fully offline. This method of attack has grown increasingly common as more and more organizations have come to rely on Amazon Web Services (AWS) and similar cloud offerings to power their web operations.
When a large retailer, financial services provider, consumer brand or similar commercial enterprise hosts its website on AWS, Microsoft Azure or another cloud operator, the arrangement is governed by a Service Level Agreement. In effect, the cloud operator, for a given price, promises to make available the processing resources, bandwidth and support infrastructure necessary for that website to support a given amount X of web traffic, where X is measured in gigabytes of data, number of retail transactions, hours of uptime and related metrics. If traffic loads exceed the agreed levels, which would be a positive if the traffic is legitimate, the website owner is charged at a higher rate. This process is often completely automated, as with Amazon CloudWatch, which has auto-scaling features to dynamically increase or decrease processing resources as needed.
As one might imagine, bad actors can inject themselves into these relationships by directing illegitimate traffic at a target website, and so easily increase the cost of doing business for the target organization. Pulsing “zombie” servers that send intermittent traffic bursts are frequently used in this kind of attack. Since the traffic loads in question are occasional and not obviously from a malicious source, they look very much like legitimate traffic, which makes them extremely difficult for cyber security staff to uncover and stop.
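Because each individual request from a pulsing source looks legitimate, detection has to work on the aggregate shape of the traffic rather than on any single request. The following is an added example, not code from the original article, showing one way to do that: it buckets each client's requests into fixed time windows and flags clients whose traffic arrives as short, regularly spaced bursts separated by idle periods, the pattern described above for pulsing servers, as opposed to a steady stream. The log lines are constructed in the shape of a common web access log, the two client addresses are fictitious, and the window size, burst factor and jitter tolerance are arbitrary choices for the example.

```python
"""
Pulsing-source detector for the degradation-of-service scenario above.
Added example, not part of the original article; log data is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Common-log-format shape: client, ident, user, [timestamp], "request", status, size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \d+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def gen_sample_log():
    """Constructed log: one steady client and one pulsing client over 120 seconds."""
    base = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = []

    def add(ip, sec):
        ts = (base + timedelta(seconds=sec)).strftime(TS_FMT)
        lines.append(f'{ip} - - [{ts}] "GET /index.html HTTP/1.1" 200 512')

    for s in range(0, 120, 2):            # steady client: one request every 2 s
        add("198.51.100.7", s)
    for burst_start in (0, 30, 60, 90):   # pulsing client: 40 requests in 3 s, every 30 s
        for k in range(40):
            add("203.0.113.10", burst_start + (k % 3))
    return lines


def parse_log(lines):
    """Return {client_ip: [epoch seconds of each request]} for lines that match."""
    by_ip = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts = m.group(1), m.group(2)
        by_ip[ip].append(datetime.strptime(ts, TS_FMT).timestamp())
    return by_ip


def window_counts(times, window=5):
    """Requests per fixed window of `window` seconds, counted from the first request."""
    start = min(times)
    counts = defaultdict(int)
    for t in times:
        counts[int((t - start) // window)] += 1
    n_windows = int((max(times) - start) // window) + 1
    return [counts[i] for i in range(n_windows)]


def burst_profile(counts, burst_factor=3.0):
    """
    A window is a burst when it holds more than burst_factor times the mean.
    Returns the burst windows, the spread of the gaps between them, and the
    share of windows with no traffic at all.
    """
    mean = sum(counts) / len(counts)
    bursts = [i for i, c in enumerate(counts) if c > burst_factor * mean]
    gaps = [b - a for a, b in zip(bursts, bursts[1:])]
    return {
        "burst_windows": bursts,
        "gap_jitter": (max(gaps) - min(gaps)) if gaps else None,
        "idle_fraction": sum(1 for c in counts if c == 0) / len(counts),
    }


def classify(lines, window=5, min_bursts=3, max_jitter=1):
    """Flag a client as pulsing when it shows repeated bursts at a regular spacing."""
    report = {}
    for ip, times in parse_log(lines).items():
        prof = burst_profile(window_counts(times, window))
        regular = prof["gap_jitter"] is not None and prof["gap_jitter"] <= max_jitter
        prof["pulsing"] = len(prof["burst_windows"]) >= min_bursts and regular
        report[ip] = prof
    return report


if __name__ == "__main__":
    for ip, prof in classify(gen_sample_log()).items():
        print(ip, prof)
```

On the constructed data the steady client never exceeds the burst threshold and is left alone, while the pulsing client shows four bursts exactly six windows apart with most windows idle. In practice the interesting output is the set of sources whose bursts line up in time, since that is what turns occasional, individually plausible traffic into a coordinated cost-inflation pattern; the per-window counts also give a concrete figure to compare against the auto-scaling events the cloud account recorded.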
Another toolset used in this type of denial of service or degradation-of-service incident is so-called “stresser” applications, originally designed to help website owners identify weak points in their web infrastructure. Easy to obtain and simple to use, these apps, WebHive among them, can be installed on multiple cloud instances to build up formidable DDoS capabilities. Coordinated in this way, these attack tools can take large commercial websites offline for extended periods.
Denial of service attacks have shifted and changed over the years, but the damage wrought continues to increase. A Ponemon Institute survey of large enterprises across a range of industry sectors found that the typical company suffers four denial-of-service incidents annually, and that the average total cost per year to deal with DoS is approximately $1.5 million. Putting in place a security architecture that enables you to detect, prevent and respond to DoS attacks is a critical step in any effective cyber security program.