What is a DoS or DDoS attack?

DoS - Denial of Service

A denial of service (DoS) is an attack in which a service or host connected to the internet is rendered unable to respond to connections from legitimate hosts because its resources are overloaded by malicious requests.

The aim of a DoS attack is to exhaust the targeted server's bandwidth or other resources (connection slots, CPU, memory). This makes the server inaccessible, taking down the website and/or other legitimate services hosted on it.

DDoS – Distributed Denial of Service

A DoS attack launched from a large number of source IP addresses, so that the traffic cannot practically be filtered or dropped by hand, is known as a Distributed Denial of Service (DDoS) attack.

Instead of using one computer and one internet connection, a DDoS attack uses many computers and many connections to flood the targeted website or service with malicious traffic, making it unavailable. The source computers behind this type of attack are often spread across the globe and are used without their owners' consent, having been infected with malware; collectively they are known as a botnet.

DDoS attacks usually take one of the following forms:

  • volume-based attacks
  • application layer attacks
  • low-rate attacks

Examples of each are described below.

DDoS volume-based attacks

The most common attack on the internet today is the volume-based (volumetric) attack. Volume-based attacks work by sending more data than a customer's connection to the AARNet network can carry, saturating the connection and making services unavailable; a 1 Gbit/s link, for example, is full at 125 megabytes per second of inbound traffic regardless of what the packets contain. In some cases the AARNet connection can carry the volume of malicious traffic, but the customer's border firewall or router cannot process it, which has the same effect.

With the advent of cloud-based servers, which are well connected to the internet, it is imperative that providers and users of these machines secure them. Their high-speed connectivity lets a compromised cloud server attack a victim with far greater effect than a traditional home-connected machine.

DDoS Application Attacks / Low-Rate Attacks

Application-layer attacks aim to render applications such as web servers unavailable by exhausting the server's resources rather than the network's. They do not need to consume all of the available bandwidth to be effective; instead they put operational strain on the application server (worker processes, connection slots, memory) in a way that makes it unavailable.

They target specific services with specific weaknesses that let an attacker take the service down using minimal bandwidth, which makes the attack hard to distinguish from legitimate traffic by volume alone.

An example is the Slowloris attack, which opens a large number of connections to a web server and sends partial HTTP request headers at intervals, never completing a request or closing the connection. The server keeps each connection open waiting for the rest of the request, so its connection pool fills up and legitimate users are refused.
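As an added example (not AARNet code and not part of the original page), the Python script below shows how the two attack shapes described above, volumetric saturation and Slowloris-style connection exhaustion, look in monitoring data and how each can be flagged. All input records are constructed for the example; the 1 Gbit/s link capacity and the per-source thresholds are assumptions, and the record formats are simplified stand-ins for a real flow export and a real connection-table dump.

```python
"""Triage constructed traffic records for volumetric saturation and
Slowloris-style connection exhaustion. Example code, not AARNet's."""
from collections import defaultdict

# Assumed capacity of the customer link, in bits per second (hypothetical 1 Gbit/s).
LINK_CAPACITY_BPS = 1_000_000_000

# Constructed flow summary: one line per second per destination, "timestamp,dst_ip,bytes".
# The last three seconds for 192.0.2.10 carry more than the link can hold (1 Gbit/s = 125 MB/s).
FLOW_RECORDS = """\
1700000000,192.0.2.10,12000000
1700000001,192.0.2.10,13500000
1700000002,192.0.2.10,140000000
1700000003,192.0.2.10,152000000
1700000004,192.0.2.10,149000000
1700000000,192.0.2.20,800000
"""

# Constructed snapshot of a web server's connection table:
# (src_ip, age_seconds, bytes_received, request_complete).
CONNECTIONS = (
    # one source holding 25 stale connections, each with only a partial request header
    [("198.51.100.7", 40 + i, 150 + 4 * i, False) for i in range(25)]
    # ordinary clients: short-lived, full request already received
    + [("203.0.113.5", 1, 620, True), ("203.0.113.5", 3, 710, True), ("203.0.113.9", 2, 540, True)]
    # a single slow legitimate client does not reach the per-source threshold
    + [("203.0.113.12", 75, 200, False)]
)


def parse_flow_records(text):
    """Parse 'timestamp,dst_ip,bytes' lines into (int, str, int) tuples."""
    rows = []
    for line in text.strip().splitlines():
        ts, dst, nbytes = line.split(",")
        rows.append((int(ts), dst, int(nbytes)))
    return rows


def saturated_seconds(records, capacity_bps=LINK_CAPACITY_BPS, min_seconds=2):
    """Return {dst_ip: count} for destinations whose inbound rate exceeded the link
    capacity in at least min_seconds distinct seconds. Bytes are summed per
    (second, destination) so several records for the same second are combined."""
    per_second = defaultdict(int)
    for ts, dst, nbytes in records:
        per_second[(ts, dst)] += nbytes
    hits = defaultdict(int)
    for (_ts, dst), nbytes in per_second.items():
        if nbytes * 8 > capacity_bps:
            hits[dst] += 1
    return {dst: n for dst, n in hits.items() if n >= min_seconds}


def slow_connection_sources(conns, min_age=30, max_bytes=1024, min_conns=20):
    """Return {src_ip: count} for sources holding at least min_conns connections
    that are older than min_age seconds, have sent fewer than max_bytes, and never
    completed a request: the signature of Slowloris-style connection exhaustion.
    The thresholds are assumptions and should be tuned to the server's real traffic."""
    suspicious = defaultdict(int)
    for src, age, nbytes, complete in conns:
        if age >= min_age and nbytes < max_bytes and not complete:
            suspicious[src] += 1
    return {src: n for src, n in suspicious.items() if n >= min_conns}


def triage(flow_text=FLOW_RECORDS, conns=CONNECTIONS):
    """Run both checks and return their findings side by side."""
    return {
        "volumetric": saturated_seconds(parse_flow_records(flow_text)),
        "slowloris": slow_connection_sources(conns),
    }


if __name__ == "__main__":
    for kind, finding in triage().items():
        print(f"{kind}: {finding if finding else 'nothing flagged'}")
```

The volumetric check needs nothing but byte counts per destination, which is why it is usually done upstream (at the provider or border router) from flow data; the Slowloris check needs per-connection state and so has to run on, or next to, the web server itself. A single long-idle connection is normal, so the per-source count is what separates an attack from one slow client.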

Further examples of specific services targeted and attacked are:

  • DNS
  • SIP/H323
  • NTP

Distributed Denial of Service Attack as a Service

Botnets capable of launching denial of service attacks can be rented for a few dollars on the internet, or even tried briefly at no cost. These services are known as booter or stresser services, and their availability has led to the increased prevalence of DoS and DDoS attacks.

For more information

There is plenty of information on the internet regarding DoS and DDoS attacks.

See AUSCERT Resources for instance.