Distributed Denial of Service (DDos)
Description: Denial of service (DoS) is an umbrella
term used to describe attacks on websites and other computing services, usually
by creating massive demands on the services. Eventually the systems are unable
to cope and bona-fide users are then prevented from gaining access.
Different Types of DoS Attacks
DoS attacks started out as simple 'flooding' of a network with information,
usually using one or a few attacking systems. As attacked servers can only
process a certain amount of requests at a time (depending on the type of server,
power of the machine, network capacity and a number of other variables)
eventually they hang and can't process requests from real users. On the web this
will appear as error pages from a website instead of the correct web page being
presented to the user.
A simple attack like that can be prevented, once it's spotted, by blocking
traffic from the IP addresses of the attacking servers, or taking the attacked
server off-line and reinstating it on a different network. Different methods of
DoS then began to be developed to make them more effective and more difficult to
stop. The developments have broadly been in two areas, developing more specific
lines of attack and using techniques to make the attacking servers harder to
find and block.
Distributed DoS Attacks
To take the latter scenario first, distributed DoS (DDoS) attacks use networks
of computers rather than just one or two, making the source of the attack harder
to find. This activity is closely linked with the writing and distributing of
viruses, trojans and worms that allow a third party to take control of a PC and
use it in a DDoS.
These malicious methods allow the perpetrators of an attack to create networks
of PCs under their control, known as 'botnets'. They can be activated by remote
control or by a triggering event such as a specific date and time. Thus
computers with access to the internet that do not have good security can become
part of the attacking botnet causing a DDoS without their owners even knowing
Different Attack Methods
Email servers were a favourite target in the early days of these attacks, as
well as flooding attacks, but the developers of these malicious tools devised
more specific attacks as the game developed.
Database servers are commonly attacked with botnets issuing thousands of
spurious queries which can quickly bring servers to their knees. It should be
noted that when we talk about serves in this way we are talking about
software servers, not physical hardware servers. One server in the hardware
sense can support many different types and instances of software servers.
DoS attacks can target networking equipment as well as application servers. Most
communications equipment, such as routers and switches, are computers in their
own right. This means that code can be written to exploit loopholes in their
programming and tie up the network, preventing the computers inside the network
from communicating even if they aren't themselves directly affected. In extreme
cases bugs in code can render communications equipment useless by corrupting the
firmware (the operating code they hold in memory) making replacement the only
Motivations for DoS Attacks
Many DoS attacks are purely mischievous, that is to say they are aimed at
companies or organisations that someone has taken a dislike to for one reason or
another. This could be a political motivation, like the attacks on South Korean
and US systems in July 2009 or those on Estonia in April and May 2007. Often
they are about ideologies, where supporters of one side will attack websites
espousing the opposite view. These are still damaging, but they are not an
attempt to commit a crime, although if a business is succesfully attacked it
will suffer from being off the air and spending time and money fixing resulting
Other DoS attacks are directly fraudulent or criminal. The botnets of
compromised PCs can be hired over the internet, usually to send out spam but
also to mount DDoS attacks, so any criminal can use them. Often a DoS attack is
the threat in an extortion attempt, for example the attacks on the US credit
card company Authorize.Net in 2004. There is also evidence that business rivals
occasionally mount DoS attacks on each other.
What Can My Business Do?
The ingenuity of software manufacturers and anti-virus products is at least
matched by the creativity of hackers employed to exploit loopholes in software
in operating systems, applications and communications equipment firmware. DoS
covers such a multitude of methods that the only real protection is a
comprehensive security, protection and disaster recovery policy, something that
many businesses are reluctant to spend on but it's essential if using the web is
a key part of their business proposition.
Protection from attack is largely three-fold. Firstly use firewalls and other
access control mechanisms such as intrusion protection systems (IPS) to govern
the incoming traffic. Secondly protect operating systems and other code by
keeping up-to-date with service patches and security updates. Thirdly maintain
monitoring systems that collect data on your normal traffic and activity levels
so that you can then identify abnormal patterns. If there is no legitimate
reason for a spike in activity then it's likely that something untoward is
More on DDos protection.
Belt and Braces
Once that is in place it's time to consider a
disaster recovery policy. This assumes that you will get hit one day,
whatever protection measures you put in place, and provides a means for you to
get a replacement service up and running quickly. This means precious lost
business hours are minimised.
Finally protect your PCs as well, both at home and within the organisation. This
won't keep you from being the victim of a DoS attack but it may prevent your PC
from being used as part of a botnet. If every PC user did this, then mounting
DoS attacks would be a lot harder.