# Denial-of-Service Attack

A Denial of Service (DoS) attack floods a system with traffic, or otherwise disrupts it, so that users have difficulty accessing the system. Such an attack often leads to a massive loss for the organisation. DoS attacks can be categorised in different ways, but the attacker's main aim is to target network availability by attacking the network's bandwidth or connectivity. The attacker tries to stay anonymous by hiding the source of the traffic.

There are several techniques and tools to avoid or prevent DoS attacks. The most basic technique is the detection technique.

## Discussion

• What are the statistics for DoS attacks worldwide?

One study showed that more than 20M DoS attacks happen, targeting about 2.2M /24 IPv4 network blocks. The figure depicts attacks that are most prominent around the world. There is also a 1-10 grading system, where 10 is the most fatal attack experienced. London has the highest cumulative score for DoS attacks, at 230. This is followed by Milano with 202, Ashburn with 121, Frankfurt with 117, Buenos Aires with 87, São Paulo and Seoul with 68, Amsterdam with 52, Singapore with 50, and Portland with 50. After this, Mumbai is next, with a cumulative score of 47 from the top 20 places having fatal attacks.

| Country | Targets | % |
|---|---|---|
| US | 1232k | 29.50% |
| China | 416k | 9.96% |
| France | 323k | 7.73% |
| GB | 266k | 6.37% |
| Germany | 216k | 5.18% |
| Other | 1727k | 41.26% |

The table shows the number of IP addresses targeted, together with the percentage of all attacks observed with the help of a honeypot. The observation is based on the NetAcuity Edge IP geolocation database.

• In what ways can a DoS attack be a threat to systems?

Specific resources become targets through DoS attacks. An attack can compromise the network bandwidth, aiming at the connection between the web server, the global internet, or any appliances connected to the network. Attacks on web services include SOAP array attacks, XML entity expansion and oversized cryptography.

System resources are the next target where the system becomes overloaded with continuous requests. These obstruct responses to the actual users. One example is when the attacker sends a massive number of virtual connections to consume the memory and CPU resources of the target server. In application resources, a specific application in the system is attacked, making it unavailable.

Firewalls and Intrusion Detection Systems (IDSs) can be DoS attack targets. Such attacks fall into two classes:

• Stateful: Attack causes an excessive state or state with a pathological structure.
• Stateless: Attack exhausts the processing resources.

An IDS faces the same problems as a firewall, but the outcome differs: instead of services being denied, some otherwise detectable attacks are missed.

• What are the types of DoS attacks that attackers use?

DoS attacks are categorised as weakness-based or flooding attacks.

A weakness-based attack exploits weaknesses of the internet system. Ping of death, TCP-SYN, HTTP Post, HTTP Get and Slowloris attacks come under weakness-based attacks.

A flooding attack creates traffic in the system to make it inaccessible. UDP Flood, ICMP Flood (Ping Flood) and SSL Traffic Flood are examples of flooding attacks.

In some research papers, DoS attacks are divided into Bandwidth or Volume-based attacks (UDP flood and ICMP flood), Protocol attacks (SYN attack and Ping of Death attack) and Application Layer attacks (Teardrop attack and Spam).

• Which tools are commonly used for DoS attacks?

One popular tool used for DoS attacks is LOIC (Low Orbit Ion Cannon). LOIC can send millions of packets (UDP, TCP or HTTP requests) and flood the user's internet connection. Praetox Technologies developed it for experimental purposes. However, hackers have adopted this tool to create TCP, HTTP or UDP traffic.

There are also other tools:

• High Orbit Ion Cannon (HOIC): Can send massive TCP traffic and spoof the source IP addresses to make them appear random.
• Hping or hping3: Transmits an ICMP echo request while sending massive TCP traffic to the victim.
• Slowloris: Targets the victim server by sending it an HTTP header slowly, bit by bit, until a timeout happens.
• Trinity and Trinoo: Use UDP packets to attack.

• What is the aim behind DoS attacks?

The motivation for a DoS attack can be extortion and profit, causing a distraction, or collateral damage. In recent years, the term Hack-Activism has become associated with Anonymous, a famous group of internet activists. They are known to attack certain online services for political reasons.

We note the following reasons for DoS attacks:

• Financial/economic gain: attacks are difficult to stop and are mostly a concern of corporations
• Revenge: done by attackers with lower technical capabilities or frustrated individuals seeking revenge
• Intellectual challenge: attacks occur for experimental purposes, from researchers trying new techniques
• Cyberwarfare: attackers are military or terrorist organisations
• Service unavailability: attackers block the victims from getting any kind of resources, or make them suffer slow performance
• Ideological belief: same as Hack-Activism

• How can we detect and protect against DoS attacks?

While creating a defence against DoS attacks, three significant points should be highlighted:

• Attack Prevention: Prevention happens before the attack. The techniques mostly applied are artificial intelligence, game theory, soft computing and multi-agent approaches. Examples include the Game Theoretic Approach, An Ant Based Framework, the Message Observation Technique and Protection using KDS. Firewalls are used to protect the system from any suspicious incoming and outgoing messages. Messages that don't meet security criteria are blocked.
• Attack Detection: Detection takes place during the attack. Analysing the attack helps us learn the attack pattern and avoid similar attacks in the future.
• Attack Response: Response happens after the attack is detected. It is crucial to have an intrusion response team to identify the attack and track down the host. One possible response is to nullify the attack or shut down the network.
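
One way to detect, while it is happening, a SYN flood with forged source addresses (the pattern in the 1996 milestone) is to count unanswered SYNs per listening address rather than per source. This is an added example, not code from the article or its sources; the packet-record format, the window and threshold values, and the constructed trace are assumptions.

```python
from collections import Counter, defaultdict, deque

def detect_syn_flood(packets, window=1.0, threshold=100):
    """Return {(dst, dport): first_alert_ts} for listeners holding more than
    `threshold` unanswered SYNs younger than `window` seconds.
    packets: (ts, src, sport, dst, dport, flag) sorted by ts; flag "S" is a
    client SYN, "A" the client's handshake-completing ACK. Both limits are
    assumed values to tune per service."""
    pending = defaultdict(dict)   # listener -> {(src, sport): ts of open SYN}
    order = defaultdict(deque)    # listener -> (ts, key) in arrival order
    alerts = {}
    for ts, src, sport, dst, dport, flag in packets:
        listener, key = (dst, dport), (src, sport)
        if flag == "S":
            pending[listener][key] = ts
            order[listener].append((ts, key))
        elif flag == "A":
            pending[listener].pop(key, None)          # handshake finished
        queue = order[listener]
        while queue and queue[0][0] <= ts - window:   # age out old SYNs
            old_ts, old_key = queue.popleft()
            if pending[listener].get(old_key) == old_ts:
                del pending[listener][old_key]
        if len(pending[listener]) > threshold:
            alerts.setdefault(listener, ts)
    return alerts

def max_syns_per_source(packets):
    """Largest SYN count from any one source address (the naive metric)."""
    counts = Counter(p[1] for p in packets if p[5] == "S")
    return max(counts.values(), default=0)

def sample_trace():
    """Constructed trace using documentation address ranges only."""
    pkts = []
    for i in range(50):           # normal clients: SYN, then ACK 5 ms later
        t, src = i * 0.02, f"192.0.2.{i + 1}"
        pkts.append((t, src, 40000 + i, "203.0.113.10", 80, "S"))
        pkts.append((t + 0.005, src, 40000 + i, "203.0.113.10", 80, "A"))
    for i in range(300):          # burst: a different forged source per SYN
        src = f"198.51.100.{i % 254 + 1}"
        pkts.append((0.5 + i * 0.001, src, 1024 + i, "203.0.113.20", 80, "S"))
    return sorted(pkts)

if __name__ == "__main__":
    trace = sample_trace()
    print("alerts:", detect_syn_flood(trace))
    print("max SYNs from one source:", max_syns_per_source(trace))
```

On the constructed trace no single address sends more than two SYNs, so a per-source counter stays quiet while the per-listener count of half-open handshakes crosses the threshold.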

• How are DDoS attacks different from DoS attacks?

DoS (Denial of Service) attacks and DDoS (Distributed Denial of Service) attacks have the same aim but different methods of attacking. In a DoS attack, a single attacker uses a single system to attack a single target. In a DDoS attack, a single attacker uses multiple systems to attack a single target.

There is less traffic in a DoS attack as a single system creates traffic. In a DDoS attack, due to multiple systems attacking the victim, there is heavy traffic. The attack is easy to trace in the case of a DoS attack but difficult to trace in DDoS. In both cases, the attack period is short, but the DoS attack process is slow while the DDoS attack is fast.

## Milestones

1974

An incident occurs at CERL (Computer-based Education Research Laboratory) at the University of Illinois Urbana-Champaign. David Dennis, a 13-year-old student at University High School, learns about the external command (ext) in TUTOR, a programming language in PLATO. Using this command, he writes a program that sends "ext" to everyone within a range of site numbers. The next morning, around 31 users power off their systems at once. He also experiments on some sites around the country, and a mass posting on notes files about locking out happens.

1988

Robert Tappan Morris develops the Morris Worm for research and experimentation. Nevertheless, a bug is found in the code where the system cannot detect whether it already has the code installed. Due to this, the worm replicates itself, creating a Denial of Service attack.

Sep 1996

A DoS attack occurs at PAINX, in the form of a SYN flood. On a Friday evening, the main mail host system of PAINX is attacked. The attacker forges the source addresses on attack packets, so that it becomes difficult to identify the attacker. On Monday, the attacker starts to attack telnet ports, routers and web services.

Feb 2000

Michael Calce, known as Mafiaboy on the Internet, launches Rivolta (meaning "Rebellion" in Italian). Rivolta hits Yahoo through a DoS attack, which then continues to eBay, CNN and Amazon. The damages from this attack are around $7.5 million and $1.2 billion at the global level.

Dec 2003

A DoS attack occurs from December 10, 2003, 3:20 AM PST to December 11, 2003, 10:40 AM PST. The first attack on SCO Group happens on Dec 10. Their web servers become the target of a SYN flood attack of approximately 34,000 packets per second. This causes their switchboards to flood. On December 11, their web server and FTP servers are SYN flooded, reaching 50,000 packets per second. By 10:40 AM, it is reduced to 3,700 packets per second.

2007

A huge wave of DDoS attacks takes place in Estonia, targeting Estonia's essential infrastructures, telecommunications, name servers, websites, e-mail, and DNS. The attack appears to be politically motivated. Estonia's biggest bank shuts down, causing a loss of $1 million.

Oct 2016

A DDoS attack on Dyn occurs due to the Mirai Botnet. Mostly North America and Europe are affected. Major internet platforms including Twitter, Amazon, GitHub, and the New York Times become unavailable. The recovery expenses are estimated to cost each organisation, on average, $2.5 million.


## Cite As

Devopedia. 2022. "Denial-of-Service Attack." Version 11, November 18. Accessed 2022-11-18. https://devopedia.org/denial-of-service-attack

Contributed by 2 authors. Last updated on 2022-11-18 07:42:45.