“Over the past year or two, someone has been probing the defenses of the companies that run critical pieces of the Internet. These probes take the form of precisely calibrated attacks designed to determine exactly how well these companies can defend themselves, and what would be required to take them down.” — Bruce Schneier, security expert
A denial-of-service (DoS) attack is a cyber assault intended to block legitimate access to organizations and servers on the Internet. There are two types of DoS attacks: a standard DoS and a distributed denial-of-service (DDoS).
A classic DoS attack is initiated by only a small number of Internet Protocol (IP) addresses—often the assault originates with a single computer or network.
A DDoS attack uses hundreds, thousands or even millions of IP addresses and systems. On Oct. 21, in the largest attack of its kind, hackers used vulnerable home devices such as DVRs and webcams to flood the services of Internet infrastructure provider Dyn. This DDoS attack overwhelmed the victim’s Domain Name System (DNS) servers and made many well-known Internet domains, such as Netflix and Twitter, unavailable for a short period of time.
The attack against Dyn used a botnet of web-facing devices under the control of hacker software called Mirai. Traditionally, hackers use botnets made up of compromised home computers, PCs and other general-purpose systems. Unsuspecting end users open malicious email attachments or respond to prompts and pop-ups from malicious web sites, thereby infecting their computers and becoming part of the botnet. Mirai was different; it used smart devices like web-accessible baby monitors, surveillance cameras, printers and other Internet of Things (IoT) devices to flood Dyn’s servers on behalf of the attackers.
Typically, a simple DoS attack depends on someone sending a maliciously crafted message—such as the infamous WinNuke—across a network to a target system, or on having someone open a poisoned file in an application. This could cause a program to close involuntarily, a Blue Screen of Death in Windows or a kernel panic on Mac OS X.
Maliciously crafted message attacks are effective as single attacks until the victim strengthens their network or patches their systems, at which point hackers are blocked and the attack fails.
Whether a DoS or DDoS, cybercriminals can use three or four other nefarious attack mechanisms:
- Application floods—servers providing Internet resources are overwhelmed by malicious requests. These could be, for example, against a company’s web servers or against supporting infrastructure. The hacker group Anonymous famously targeted the Church of Scientology with an application flood in 2008, overwhelming their servers and knocking their web site offline for a short time.
- State-exhaustion attacks—similar to application floods, these render the underlying computer or network software incapable of responding by targeting the connections that are initiated to the victim systems. Whether it serves web pages or DNS, a system that is deluged cannot respond to legitimate connection requests.
- Volumetric attacks—as the name implies, they inundate a company’s customer-facing portal or their ISP with malicious network traffic beyond the victims’ ability to respond.
- Protocol attacks—the objective is to disable complete networks and organizations by misusing normal network traffic, violating the rules for standard communication. This disrupts the ways computers connect to each other or exchange information. Many of the Internet protocols we use today were developed in a far simpler time. Hackers can read the Internet standards (each called a Request for Comments, or RFC) and look for opportunities to use these protocols in a criminal way.
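From the defender's side, the state-exhaustion mechanism and the DoS versus DDoS distinction described above can be checked in a connection log. The following is an added example, not part of the original post: it counts half-open connections per source and tells a few-source flood from a distributed one. The event format, thresholds and addresses are assumptions constructed for illustration.

```python
from collections import Counter

def half_open_by_source(events):
    """Count, per source IP, connections that sent SYN but never completed with ACK."""
    pending = set()
    for src_ip, src_port, flag in events:
        conn = (src_ip, src_port)
        if flag == "SYN":
            pending.add(conn)
        elif flag == "ACK":
            pending.discard(conn)
    return Counter(ip for ip, _ in pending)

def classify(events, table_limit=100, few_sources=3, share=0.8):
    """Return 'normal', 'dos' or 'ddos' for one observation window.

    table_limit, few_sources and share are illustrative thresholds (assumptions);
    tune them against the server's real connection backlog.
    """
    per_source = half_open_by_source(events)
    total = sum(per_source.values())
    if total < table_limit:
        return "normal"
    top = sum(n for _, n in per_source.most_common(few_sources))
    # A handful of addresses holding most of the state: classic DoS, blockable by IP.
    # State spread thinly over many addresses: distributed, so per-IP blocks do not help.
    return "dos" if top / total >= share else "ddos"

# Constructed sample windows using documentation address ranges (not real traffic).
def legit(n):
    events = []
    for i in range(n):
        conn = (f"198.51.100.{i % 250}", 40000 + i)
        events += [conn + ("SYN",), conn + ("ACK",)]
    return events

def single_source_flood(n):
    return [("203.0.113.7", 1024 + i, "SYN") for i in range(n)]

def distributed_flood(n_sources, per_source):
    return [(f"192.0.2.{s}", 2000 + p, "SYN")
            for s in range(n_sources) for p in range(per_source)]

if __name__ == "__main__":
    windows = {"legit": legit(300),
               "single": legit(50) + single_source_flood(500),
               "distributed": legit(50) + distributed_flood(200, 3)}
    for name, window in windows.items():
        print(name, classify(window))
```

In the distributed window each source holds only three half-open connections, which is why per-address rate limits alone miss it while the total still exceeds the table limit.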
Between the work done by Internet service providers, regulators and the government, efforts are underway to remove the underlying mechanisms used in DoS and DDoS attacks. Part 2 of this blog series will examine how organizations and individuals can avoid becoming victims.