A law passed in 2006 (the Police and Justice Act 2006, which amended the Computer Misuse Act 1990) makes it an offence to launch a denial of service attack in the UK, punishable by up to ten years in prison.

In July 2004 three men suspected of masterminding a cyber-extortion racket targeting online bookmakers were arrested in a joint operation between the UK's National Hi-Tech Crime Unit and its counterparts in the Russian Federation.

Websites that ISPs cut off while they are under a distributed denial of service (DDoS) attack face millions of pounds in lost business, while the ISPs decline to take responsibility for the infected computers hosted on their own networks that generate the traffic.

Distributed Denial of Service (DDoS)


Description:  Denial of service (DoS) is an umbrella term for attacks that make websites and other computing services unavailable to their users, usually by placing massive demands on them. Eventually the systems are unable to cope and bona fide users are prevented from gaining access.

Different Types of DoS Attacks

DoS attacks started out as simple 'flooding' of a network with traffic, usually from one or a few attacking systems. A server can only process a certain number of requests at a time (depending on the type of server, the power of the machine, network capacity and a number of other variables), so once that limit is exceeded it can no longer keep up and requests from real users go unanswered. On the web this appears as error pages or timeouts instead of the correct web page being presented to the user.

A simple attack like that can be stopped, once it is spotted, by blocking traffic from the attacking IP addresses at the firewall or upstream router, or by taking the attacked server offline and reinstating it at a different address. Attackers therefore developed other methods of DoS to make attacks more effective and more difficult to stop. The developments have broadly been in two areas: more specific lines of attack, and techniques that make the attacking machines harder to find and block.

Distributed DoS Attacks

To take the latter first, distributed DoS (DDoS) attacks use networks of compromised computers rather than just one or two, so the traffic comes from many sources and blocking individual addresses no longer helps. This activity is closely linked with the writing and distribution of viruses, trojans and worms that allow a third party to take control of a PC and use it in a DDoS.

These malicious programs allow the perpetrators of an attack to build networks of PCs under their control, known as 'botnets'. The machines can be activated by remote command or by a triggering event such as a specific date and time. Thus any internet-connected computer without good security can become part of an attacking botnet and take part in a DDoS without its owner knowing.

Different Attack Methods

In the early days of these attacks email servers were a favourite target, alongside plain flooding attacks, but the developers of these malicious tools devised more specific attacks as the game developed. Database servers are commonly attacked by botnets issuing thousands of spurious queries, which can quickly bring a server to its knees. It should be noted that when we talk about servers in this way we mean software servers, not physical hardware servers. One server in the hardware sense can support many different types and instances of software servers.

DoS attacks can target networking equipment as well as application servers. Most communications equipment, such as routers and switches, consists of computers in their own right. This means that code can be written to exploit flaws in their software and tie up the network, preventing the computers inside the network from communicating even if they are not themselves directly affected. In extreme cases a bug can be used to corrupt a device's firmware (the operating code it holds in memory), rendering it useless and making replacement the only practical solution.

Motivations for DoS Attacks

Many DoS attacks are purely mischievous, that is to say they are aimed at companies or organisations that someone has taken a dislike to for one reason or another. The motivation can be political, as with the attacks on South Korean and US systems in July 2009 or those on Estonia in April and May 2007. Often they are about ideologies, where supporters of one side attack websites espousing the opposite view. These attacks are still offences and still damaging, even though they are not attempts at financial gain: a business that is successfully attacked suffers from being off the air and from the time and money spent fixing the resulting problems.

Other DoS attacks are directly fraudulent or criminal. Botnets of compromised PCs can be hired over the internet, usually to send out spam but also to mount DDoS attacks, so any criminal can use them. Often a DoS attack is the threat behind an extortion attempt, for example the attacks on the US credit card processor Authorize.Net in 2004. There is also evidence that business rivals occasionally mount DoS attacks on each other.

What Can My Business Do?

The ingenuity of software manufacturers and anti-virus vendors is at least matched by the creativity of attackers looking for flaws in operating systems, applications and communications equipment firmware. DoS covers such a multitude of methods that the only real protection is a comprehensive security, protection and disaster recovery policy. Many businesses are reluctant to spend on this, but it is essential if the web is a key part of their business proposition.

Protection from attack is largely three-fold. Firstly, use firewalls and other access control mechanisms such as intrusion prevention systems (IPS) to govern incoming traffic. Secondly, protect operating systems and other code by keeping up to date with service packs and security updates. Thirdly, maintain monitoring systems that collect data on your normal traffic and activity levels so that you can identify abnormal patterns. If there is no legitimate reason for a spike in activity then it is likely that something untoward is happening.
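As an added example (not part of the original article), the following Python script applies the third step, learning a baseline from normal traffic and flagging abnormal spikes, to a set of constructed web-server log lines, and then extracts the sources that would go on a block list, the simple mitigation described under 'Different Types of DoS Attacks'. Run against a second constructed sample in which the same volume comes from eighty bots, it also shows why a distributed attack defeats per-address blocking while the volume alarm still fires. The log format, thresholds and addresses are illustrative assumptions, not taken from any real incident.

```python
"""Baseline-and-spike detector over constructed web-server access log lines.

The sample traffic below is made up for illustration; the thresholds are
assumed tuning values that a real site would set from its own history.
"""
import re
import statistics
from collections import Counter, defaultdict

# Apache/nginx "combined" log prefix: client IP, identd, user, [timestamp] ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')


def make_sample_log(distributed=False):
    """Constructed sample (not real data): ten seconds of normal browsing at
    3 requests/s, then five seconds of flooding of /login.
    distributed=False: two attacking hosts at 40 requests/s each.
    distributed=True:  eighty bots at 1 request/s each (same total volume)."""
    lines = []
    normal_clients = [f"203.0.113.{i}" for i in range(1, 7)]
    for sec in range(10):
        for k in range(3):
            ip = normal_clients[(sec * 3 + k) % len(normal_clients)]
            lines.append(f'{ip} - - [10/Oct/2009:13:55:{sec:02d} +0000] '
                         f'"GET /index.html HTTP/1.1" 200 512')
    if distributed:
        attackers = [f"192.0.2.{i}" for i in range(1, 81)]
        per_attacker = 1
    else:
        attackers = ["198.51.100.7", "198.51.100.9"]
        per_attacker = 40
    for sec in range(10, 15):
        for ip in attackers:
            for _ in range(per_attacker):
                lines.append(f'{ip} - - [10/Oct/2009:13:55:{sec:02d} +0000] '
                             f'"POST /login HTTP/1.1" 503 0')
        # one legitimate user still trying while the server returns 503s
        lines.append(f'203.0.113.2 - - [10/Oct/2009:13:55:{sec:02d} +0000] '
                     f'"GET /index.html HTTP/1.1" 503 0')
    return lines


def bucket_by_second(lines):
    """Count requests per timestamp second, and the source IPs within each."""
    per_sec = Counter()
    ips_per_sec = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:            # skip malformed lines rather than crash on them
            continue
        ip, ts = m.group(1), m.group(2)
        per_sec[ts] += 1
        ips_per_sec[ts][ip] += 1
    return per_sec, ips_per_sec


def spike_threshold(counts, training_keys, factor=3.0):
    """Learn 'normal' from the training window. A second is abnormal if it
    exceeds both factor x mean and mean + 3 standard deviations (assumed rule)."""
    vals = [counts[k] for k in training_keys]
    mean, stdev = statistics.mean(vals), statistics.pstdev(vals)
    return max(factor * mean, mean + 3 * stdev)


def block_candidates(ips_per_sec, spike_keys, min_share=0.2):
    """Sources responsible for at least min_share of the traffic in the spike.
    One or two flooding hosts produce a usable block list; against a botnet
    every source stays under the share and the list comes back empty."""
    total = Counter()
    for ts in spike_keys:
        total.update(ips_per_sec[ts])
    volume = sum(total.values())
    return sorted(ip for ip, n in total.items() if volume and n / volume >= min_share)


def analyse(lines, training_seconds=10):
    """Baseline on the first training_seconds, then flag spikes and extract sources."""
    per_sec, ips_per_sec = bucket_by_second(lines)
    keys = sorted(per_sec)        # all timestamps share a minute, so string order is time order
    training = keys[:training_seconds]
    threshold = spike_threshold(per_sec, training)
    spikes = [ts for ts in keys if per_sec[ts] > threshold]
    return {"threshold": threshold,
            "spikes": spikes,
            "block": block_candidates(ips_per_sec, spikes)}


if __name__ == "__main__":
    for label, flag in (("two flooding hosts", False), ("eighty-bot botnet", True)):
        result = analyse(make_sample_log(distributed=flag))
        print(f"{label}: {len(result['spikes'])} abnormal seconds above "
              f"{result['threshold']:.0f} req/s; block list = {result['block']}")
```

In the first run the detector flags five abnormal seconds and names the two flooding hosts for blocking; in the second it flags the same five seconds but returns no block list, because no single bot accounts for a meaningful share of the traffic. That gap is exactly what pushes a site towards upstream filtering or a disaster recovery plan rather than address-based blocking alone.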

Belt and Braces

Once that is in place it is time to consider a disaster recovery policy. This assumes that you will be hit one day, whatever protection measures you put in place, and provides a means of getting a replacement service up and running quickly, so that precious lost business hours are kept to a minimum.

Finally, protect your PCs as well, both at home and within the organisation, by keeping them patched and running up-to-date anti-virus software. This will not stop you from being the victim of a DoS attack, but it may prevent your PCs from being recruited into a botnet. If every PC user did this, mounting DDoS attacks would be a lot harder.