DoS (denial-of-service) attacks play an unusual role in cyber crime. Unlike most forms of criminal hacking, they aren’t primarily designed to capture or sensitive information, which can be sold for profit.
Instead, DoS attacks are intended to shut down or severely disrupt an organisation’s systems. There is no direct benefit to the criminal hacker in doing this, but the loss of service can cost the victim up to £100,000.
There are several ways that a criminal hacker can launch a DoS attacks, and countless reasons they might be motivated to pull off an attack.
How does a DoS attack work?
DoS attacks are hard to prevent, because in most cases they don’t exploit a vulnerability that an organisation can fix. Rather, attackers take advantage of the limitations of computer networks, overwhelming them until traffic is unable to be processed.
You can think of it like a traffic jam: roads are designed to enable a certain amount of traffic to pass through, but once they become overcrowded, cars must slow down or stop altogether.
That said, there are ways to mitigate the risk of some DoS attacks, as we explain below.
Types of DoS attack
There are two primary ways to conduct a DoS attack – flooding and crashing.
Flooding attacks are most common, and work by saturating the targeted server with packets.
These are segments of data that you send to the organisation’s network when you interact with its website, which are then reassembled to perform tasks or load information.
If the network receives too many of these packets in a short period of time, the network struggles to reassemble the data. As a result, service will be disrupted or the website will be forced offline altogether.
Alternatively, an attacker might crash an organisation’s website by exploiting vulnerabilities in its network.
For instance, they might leverage misconfigured network device by sending spoofed packets to every device on the target network rather than one specific machine.
The network is then triggered to amplify the traffic, in what is known as a smurf attack or ping of death.
Attacker motivation
The question that surrounds DoS attacks is what motivates a criminal hacker to do this?
Almost all forms of cyber crime are designed to make money, but this isn’t possible with a DoS attack alone. An attackers’ motivation, therefore, can be much harder to understand.
One reason for launching an attack is because they hold a grudge against the target. Many DoS attacks are politically or ideologically motivated, with the attacker holding a grievance against their target.
The attack could cost the organisation money if services are disrupted during the attack. The damage could also damage the organisation’s reputation, particularly if they are responsible for providing critical services of a time-sensitive nature.
However, cyber criminals might also bring down a service simply to show off their skills to the hacking community.
A high-profile attack can act as a calling card to other criminals to demonstrate their capabilities or to show off what they’re capable of.
Meanwhile, there are occasions when a DoS is used as a distraction while the criminal hacker launches a second attack designed to compromise an organisation’s systems.
The victim might be so focused on restoring its systems from the first attack that it doesn’t notice other security alerts related to unauthorised access to its systems.
DoS attacks versus DDoS attack
A related attack is DDoS (distributed denial of service). This works in the same way as a DoS attack, but uses multiple systems to launch a synchronised attack on a single target.
In other words, the attack isn’t coming from a single computer operated by the attacker but from several computers.
Cyber criminals do this with the help of a botnet, which is a series of infected Internet-connected devices that harvests their processing power.
As a result, DDoS attacks are far more powerful and sustained than a standard DoS attack.
DDoS attacks are also harder for the victim to identify, with malicious network traffic spread across locations and masked within legitimate traffic.
How do you know you’ve suffered a DoS attack?
The most obvious sign of a DoS attack is prolonged network problems. However, there are other signs to look out for:
- A higher volume of spam than normal.
- Sudden loss of connectivity across devices on the same network.
- Slow website performance, with pages failing to load.
- Staff being unable to open files stored on the network or when accessing websites.
How to prevent a DoS attack
It’s difficult to prevent DoS attacks, but there are steps you can take to mitigate the threat. Here are three ways to get started:
1. Increase your bandwidth
The simplest thing you can do is to buy more bandwidth. This enables you to handle a larger amount of traffic, reducing the risk of bottlenecks that could disrupt your service.
This is a particularly attractive solution to growing companies, as it also helps them process an increased amount of legitimate traffic and is something they might have to do eventually anyway.
The only downside is that increasing your bandwidth won’t protect you from crashing attacks, which exploit system weaknesses instead of flooding your server.
2. Build more complex servers
You should consider spreading your servers across multiple data centres to make it as hard as possible for cyber criminals to target you.
These servers should ideally be in different locations, either spread across different premises or in different countries altogether.
For this strategy to work, you’ll need a load balancing system to distribute traffic between servers.
Separating your servers this way means that criminals face an uphill task to flood your systems. Their attack may compromise one server, but the rest will be unaffected and should be capable of taking on at least some of the extra traffic.
3. Reconfigure your network hardware
You should adjust or strengthen your hardware configurations to reduce the risk of malicious traffic getting through.
For example, your network and web application firewalls can be modified to check incoming packets against predefined rules (such as allow/deny protocols, ports and IP addresses) and block incoming malicious traffic.
The best way to check how prepared you are for a DoS attack is with a penetration test. This is essentially a controlled form of hacking in which a professional tester uses the same techniques as a criminal hacker in an attempt to exploit your systems.
In this case, the tester will try to flood your systems or exploit vulnerabilities that cripple your servers.
Should they be successful, the tester will provide detailed notes on how the attack was possible and advice on how to mitigate the threat.
If that sounds like something you’re interested in, we recommend our Combined Infrastructure and Web Application Penetration Test.
One of our CREST-certified penetration testers will conduct a thorough examination of your networks, websites and web applications to determine how an attacker could target you and what you can do to stop them.
Want to know more? Download our free guide on penetration testing to understand how it works and the ways your organisation benefits.
A version of this article was originally published on 21 January 2021.
The post What is a DoS Attack? appeared first on IT Governance UK Blog.
