How Denial-of-Service Attacks work
Every service running on a server or a network device has a finite capacity and cannot accommodate an unlimited number of clients simultaneously. When the number of requests exceeds this capacity, additional clients are denied service. Denial-of-Service (DoS) attacks exploit this limitation by generating a volume of fake requests that surpasses the service's threshold. As a result, the service becomes preoccupied with responding to these illegitimate requests, preventing access for legitimate users, who are left waiting indefinitely.
How Denial-of-Service works
On a TCP/IP network, applications use TCP to transmit data. TCP transmits data only over an established connection. To establish a connection between two communicating nodes, TCP uses a three-way handshake. In this process, a node sends a SYN signal to another node. The SYN signal indicates that the node wants to establish a new data connection.
The other node accepts the new connection request, assigns a unique ID to the connection, and replies to the first node that its request has been accepted. To reply, the other node uses a SYN/ACK signal. This signal contains all the information that the first node needs to establish the new connection.
When the first node receives this signal from the other node, it sends an ACK. This signal confirms that the first node has received the required information and is ready to establish a new connection. When the other node receives the ACK from the first node, the three-way handshake completes, and the connection state changes to established. Once a connection is established, the nodes can exchange data.
The following image shows a typical TCP handshake workflow.

In an attack scenario, an adversary generates thousands of SYN requests using IP address spoofing and transmits them to the server. IP address spoofing involves inserting a falsified IP address in the source address field of the IP packet.
For each request, the server creates a new entry in its connection table, assigns a unique ID, sends a SYN/ACK signal, and waits for an ACK to establish the connection. TCP waits for a response until the timeout expires. If it does not receive a response by the end of the wait time, it terminates the half-open connection.
Because the attacker has spoofed the source address, the server does not receive a response to the SYN/ACK signal and must wait until the timeout period expires. During this interval, the server's connection table is occupied by these illegitimate SYN requests, preventing new connections from legitimate users.
The following image shows how a DoS attack works on TCP connections.

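The following model of the handshake backlog is an added example, not code from the original article: a half-open connection table with finite capacity and a per-entry timeout is filled by spoofed SYNs that are never acknowledged, and a legitimate client arriving afterwards is turned away. The same model with SYN cookies (a stateless, HMAC-based tag in place of a table entry, simplified here) shows the usual mitigation. All class names, rates and addresses are constructed for the illustration.

```python
import hmac, hashlib, secrets

class SynBacklog:
    """Half-open (SYN_RECV) table: finite capacity, per-entry timeout, optional SYN cookies."""
    def __init__(self, capacity, timeout, syn_cookies=False):
        self.capacity, self.timeout, self.syn_cookies = capacity, timeout, syn_cookies
        self.half_open = {}                   # (src, conn_id) -> expiry time
        self.key = secrets.token_bytes(16)    # per-server secret for cookies (constructed)
        self.next_id = self.rejected = 0

    def _cookie(self, src, now):
        # Stateless tag bound to the source and a coarse time window (simplified scheme)
        msg = f"{src}:{int(now // self.timeout)}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:16]

    def on_syn(self, src, now):
        """Handle a SYN: allocate a table entry, or fall back to a cookie when the table is full."""
        self.half_open = {k: t for k, t in self.half_open.items() if t > now}  # drop timed-out entries
        if len(self.half_open) < self.capacity:
            self.next_id += 1
            self.half_open[(src, self.next_id)] = now + self.timeout
            return ("entry", self.next_id)              # SYN/ACK sent, state kept in the table
        if self.syn_cookies:
            return ("cookie", self._cookie(src, now))   # SYN/ACK sent, no state kept
        self.rejected += 1
        return None                                     # SYN dropped: no SYN/ACK at all

    def on_ack(self, src, token, now):
        """Handle the final ACK: complete the handshake if the stored state or the cookie checks out."""
        kind, value = token
        if kind == "entry":
            return self.half_open.pop((src, value), None) is not None
        return hmac.compare_digest(value, self._cookie(src, now))

def simulate(flood_syns, capacity=256, timeout=30.0, syn_cookies=False):
    """Spoofed SYNs that are never ACKed, then one legitimate client. Returns what it observed."""
    srv = SynBacklog(capacity, timeout, syn_cookies)
    t = 0.0
    for i in range(flood_syns):
        t = i * 0.01                        # 100 SYN/s, each from a different forged source
        srv.on_syn(f"spoofed-{i}", t)       # SYN/ACK goes to a host that never replies
    token = srv.on_syn("client", t + 0.01)
    connected = token is not None and srv.on_ack("client", token, t + 0.02)
    return {"half_open": len(srv.half_open), "dropped": srv.rejected, "client_connected": connected}

if __name__ == "__main__":
    print("no mitigation:", simulate(1000))
    print("SYN cookies:  ", simulate(1000, syn_cookies=True))
```

With 1000 spoofed SYNs against a 256-entry table the client is refused; with cookies enabled the table is still full but the handshake completes because the server no longer needs a table entry to finish it.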
Distributed denial-of-service
Distributed Denial-of-Service (DDoS) is an advanced form of DoS attack in which multiple systems are leveraged to target a single host. In this approach, an attacker configures a master computer on the Internet to coordinate the attack.
The attacker subsequently develops malware, a virus, or a script and embeds it within pirated software, which is then distributed online. When a user installs this compromised software, their computer is covertly transformed into a bot. A bot is a system that passively awaits instructions from the master computer while continuing to function normally, making it unlikely for the user to detect it.
To initiate an attack, the adversary issues a command from the master computer to all bots, instructing them to launch a DoS attack against the target host. Because the attack originates from multiple distributed systems, it is classified as a distributed denial-of-service (DDoS) attack.
Types of DoS attacks
Attackers can employ various types of DoS attacks. The following are among the most prevalent methods.
ICMP ping attack
The Internet Control Message Protocol (ICMP) is primarily used for network debugging and troubleshooting, offering several diagnostic tools such as the ping command. Because most devices support the ping command, attackers can exploit it to conduct DoS attacks by sending thousands of ping requests to a server within a very short time frame. This overwhelms the server, preventing it from responding to legitimate requests. This technique is commonly referred to as the "Ping of Death".
ICMP overwhelm attack
In this attack, an attacker alters the IP header of packets to mislead the target server into believing that each packet contains more data than it actually does. By sending millions of such modified packets, the attacker aims to overwhelm and potentially crash the server. It is performed to create significant congestion or consume all available network bandwidth.
SYN flood attack
In this scenario, an attacker sends numerous SYN requests to initiate an excessive number of half-open TCP connections, as described in the handshake section above.
Packet fragmentation and reassembly attack
Network interfaces can automatically fragment and reassemble packets, enhancing network efficiency. Attackers can exploit this feature by generating packet fragments that cannot be properly reassembled, thereby disrupting network operations.
Email attack
In this attack, an attacker uses a bot or a script to send a very large volume of emails to a target user, consuming all available space in the user's inbox.
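As an added example for the ICMP ping attack described above (not code from the original article), the following sliding-window detector flags a destination that receives more echo-requests within one second than a threshold allows. The packet-summary line format, the addresses and the traffic itself are constructed for the illustration; the detector would run over whatever flow or capture summaries a sensor already produces.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def parse(line):
    """Split '<iso-timestamp> <src> -> <dst> <proto> <info>' into (epoch seconds, src, dst, proto)."""
    ts, src, _, dst, proto, *_ = line.split()
    return datetime.fromisoformat(ts).timestamp(), src, dst, proto

def detect_icmp_flood(lines, window=1.0, threshold=100):
    """Return {dst: (time, count)} for hosts that get more than `threshold` echo-requests in `window` s."""
    recent = defaultdict(deque)        # dst -> timestamps of echo-requests inside the window
    alerts = {}
    for line in lines:
        t, src, dst, proto = parse(line)
        if proto != "ICMP" or "echo-request" not in line:
            continue
        q = recent[dst]
        q.append(t)
        while q and t - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) > threshold and dst not in alerts:
            alerts[dst] = (t, len(q))  # first moment the rate crossed the threshold
    return alerts

def build_sample():
    """Constructed traffic: a normal 1 pkt/s ping, plus 300 echo-requests in 300 ms from forged sources."""
    base = datetime(2026, 1, 11, 10, 0, 0)
    stamp = lambda **kw: (base + timedelta(**kw)).isoformat(timespec="milliseconds")
    normal = [f"{stamp(seconds=i)} 198.51.100.7 -> 203.0.113.10 ICMP echo-request" for i in range(5)]
    flood = [f"{stamp(seconds=2, milliseconds=i)} 192.0.2.{i % 250 + 1} -> 203.0.113.20 ICMP echo-request"
             for i in range(300)]
    return sorted(normal + flood)      # timestamps lead each line, so sorting orders by time

if __name__ == "__main__":
    for dst, (t, n) in detect_icmp_flood(build_sample()).items():
        print(f"ICMP flood against {dst}: {n} echo-requests within 1 s (detected at t={t:.3f})")
```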
Conclusion
Denial-of-Service (DoS) attacks exploit inherent limitations in services and network protocols to disrupt access for legitimate users. Attackers employ a range of techniques, from overwhelming servers with fraudulent requests to orchestrating distributed attacks across multiple systems, in order to exhaust resources and obstruct genuine traffic. A comprehensive understanding of DoS and Distributed DoS (DDoS) attack mechanisms, along with the attack types, is crucial for developing effective prevention and mitigation strategies. By remaining informed and adhering to security best practices, organizations can significantly reduce their susceptibility to such disruptive incidents.
By ComputerNetworkingNotes Updated on 2026-01-11