Denial of Service (Dos)
What is a denial-of-service attack?
A denial-of-service (DoS) attack occurs when legitimate users are unable to access information systems, devices, or other network resources due to the actions of a malicious cyber threat actor.
What services could be affected?
Email, websites, online accounts (e.g., banking), or other services that rely on the affected computer or network.
How is Denial-of-service condition accomplished?
A denial-of-service condition is accomplished by flooding the targeted host or network with traffic until the target cannot respond or simply crashes, preventing access for legitimate users.
Common DoS attack
Smurf Attack
The attacker sends Internet Control Message Protocol broadcast packets to a number of hosts with a spoofed source Internet Protocol (IP) address that belongs to the target machine. The recipients of these spoofed packets will then respond, and the targeted host will be flooded with those responses.
SYN flood
Normal three-way handshake
Normally when a client attempts to start a TCP connection to a server, the client and server exchange a series of messages which normally runs like this:
- The client requests a connection by sending a SYN (synchronize) message to the server.
- The server acknowledges this request by sending SYN-ACK back to the client.
The client responds with an ACK, and the connection is established. - This is called the TCP three-way handshake, and is the foundation for every connection established using the TCP protocol.
SYN flood attack sends SYN only
A SYN flood attack works by not responding to the server with the expected ACK code.
The malicious client can either simply not send the expected ACK, or by spoofing the source IP address in the SYN, causing the server to send the SYN-ACK to a falsified IP address – which will not send an ACK because it “knows” that it never sent a SYN.Consequences
The server will wait for the acknowledgement for some time, as simple network congestion could also be the cause of the missing ACK. However, in an attack, the half-open connections created by the malicious client bind resources on the server and may eventually exceed the resources available on the server. At that point, the server cannot connect to any clients, whether legitimate or otherwise. This effectively denies service to legitimate clients. Some systems may also malfunction or crash when other operating system functions are starved of resources in this way.
Distributed DoS (DDoS)
In a DDoS attack, the incoming traffic flooding the victim originates from many
different sources. This effectively makes it impossible to stop the attack simply by
blocking a single source.