A Denial-of-Service (DoS) attack is an attack meant to shut down a machine or network, making it inaccessible to its intended users. DoS attacks accomplish this by flooding the target with traffic, or sending it information that triggers a crash. In both instances, the DoS attack deprives legitimate users (i.e. employees, members, or account holders) of the service or resource they expected.

Victims of DoS attacks often target web servers of high-profile organizations such as banking, commerce, and media companies, or government and trade organizations. Though DoS attacks do not typically result in the theft or loss of significant information or other assets, they can cost the victim a great deal of time and money to handle.

There are two general methods of DoS attacks: flooding services or crashing services. Flood attacks occur when the system receives too much traffic for the server to buffer, causing them to slow down and eventually stop. Popular flood attacks include:

• Buffer overflow attacks – the most common DoS attack. The concept is to send more traffic to a network address than the programmers have built the system to handle. It includes the attacks listed below, in addition to others that are designed to exploit bugs specific to certain applications or networks
• ICMP flood – leverages misconfigured network devices by sending spoofed packets that ping every computer on the targeted network, instead of just one specific machine. The network is then triggered to amplify the traffic. This attack is also known as the smurf attack or ping of death.
• SYN flood – sends a request to connect to a server, but never completes the handshake. Continues until all open ports are saturated with requests and none are available for legitimate users to connect to.

Other DoS attacks simply exploit vulnerabilities that cause the target system or service to crash. In these attacks, input is sent that takes advantage of bugs in the target that subsequently crash or severely destabilize the system, so that it can’t be accessed or used.

An additional type of DoS attack is the Distributed Denial of Service (DDoS) attack. A DDoS attack occurs when multiple systems orchestrate a synchronized DoS attack to a single target. The essential difference is that instead of being attacked from one location, the target is attacked from many locations at once. The distribution of hosts that defines a DDoS provide the attacker multiple advantages:

• He can leverage the greater volume of machine to execute a seriously disruptive attack
• The location of the attack is difficult to detect due to the random distribution of attacking systems (often worldwide)
• It is more difficult to shut down multiple machines than one
• The true attacking party is very difficult to identify, as they are disguised behind many (mostly compromised) systems

Modern security technologies have developed mechanisms to defend against most forms of DoS attacks, but due to the unique characteristics of DDoS, it is still regarded as an elevated threat and is of higher concern to organizations that fear being targeted by such an attack.

What is a Distributed Denial of Service Attack (DDoS)?

An Overview of DDoS Attacks

A Distributed Denial of Service (DDoS) attack is a variant of a DoS attack that employs very large numbers of attacking computers to overwhelm the target with bogus traffic. To achieve the necessary scale, DDoS are often performed by botnets which can co-opt millions of infected machines to unwittingly participate in the attack, even though they are not the target of the attack itself. Instead, the attacker leverages the massive number infected machines to flood the remote target with traffic and cause a DoS. 

Though the DDoS attack is a type of DoS attack, it is significantly more popular in its use due to the features that differentiate and strengthen it from other types of DoS attacks:

• The attacking party can execute an attack of disruptive scale as a result of the large network of infected computers—effectively a zombie army—under their command 
• The (often worldwide) distribution of attacking systems makes it very difficult to detect where the actual attacking party is located 
• It is difficult for the target server to recognize the traffic as illegitimate and reject it an entry because of the seemingly random distribution of attacking systems 
• DDoS attacks are much more difficult to shut down than other DoS attacks due to the number of machines that must be shut down, as opposed to just one

DDoS attacks often target specific organizations (enterprise or public) for personal or political reasons, or to extort payment from the target in return for stopping the DDoS attack. The damages of a DDoS attack are typically in time and money lost from the resulting downtime and lost productivity.

Examples of DDoS attacks are abundant. In January 2012, hacktivist cybergroup Anonymous conducted an attack multiple major supporters of the Stop Online Piracy Act (SOPA). In dissent of SOPA, Anonymous executed DDoS attacks that disabled the websites of the US Justice Department, the Federal Bureau of Investigations (FBI), the White House, the Motion Picture Association of America (MPAA), the Recording Industry Association of America (RIAA), Universal Music Group, and Broadcast Music, Inc (BMI). To facilitate the attack, Anonymous built its botnet using an unconventional model that allowed users wishing to support the organization to offer their computers as a bot for the attacks. Users who wanted to volunteer support could join the Anonymous botnet by clicking links that the organization posted in various locations online, such as Twitter.

The DDoS attack is also leveraged as a weapon of cyber warfare. For example, in 2008 during the South Ossetia war, Georgian government websites were crippled by what is expected to be Russian criminal gangs under the auspices of the Russian security services. The attack was made just prior to Russia’s initial attacks on Georgian soil.

There are a number of DDoS mitigation techniques that organizations can implement to minimize the possibility of an attack. Network security infrastructure should include DDoS detection tools that can identify and block both exploits and tools that attackers use to launch an attack. Additionally, network administrators can create profiles to observe and control specific floods of traffic (i.e. SYN floods, UDP, and ICMP floods). Through looking at all traffic in aggregate, thresholds can be set to monitor and cut behaviours that indicate a possible DDoS attack.