What is a Denial of Service Attack?

A Denial of Service Attack is an attempt by an attacker to overwhelm an information system to a point where it is no longer able to service legitimate user requests.

Any attack that tries to exhaust the limited capacity of an information system (link bandwidth, connection state, CPU, memory) is deemed a Denial of Service Attack. The attacks listed below all achieve denial of service, but as you will see they each take a different form. The common factor is that they prevent legitimate users from reaching the service.

These attacks are often carried out by compromised computers whose owners are unaware of it: the machines have been infected with malware that waits for a command from the attacker or for a triggering event. Sometimes thousands of infected computers take part, and this makes the attack requests difficult to distinguish from those of legitimate users who want to use the service.

Examples of different types of Denial of Service Attacks.

  • Transmitting enormous amounts of data towards a single device, overwhelming the capacity of its network link.

  • Opening connections on a large number of TCP or UDP ports, or holding many half-open TCP connections, until the target runs out of connection state or free ports and legitimate users can no longer connect.

  • Exploiting or altering the network path information that routers exchange (routing information), so that traffic to the service is misdirected or dropped.

  • Overloading the service with requests until the system's CPU is saturated.

  • Exploiting flaws that cause the operating system itself to become unstable or crash.

  • Physical disruption of network components.

Identifying a Denial of Service Attack

Because information systems suffer so many kinds of legitimate problems, it can be difficult (depending on the type of attack) to identify a Denial of Service Attack as the cause of poor performance or even a complete loss of service.

  • Historical performance graphs often show a Denial of Service attack in progress quite clearly, because the utilisation spike stands out as an anomaly against the normal baseline.

  • Alerts can help to pinpoint stressed network or server components.

  • A sudden burst of alert emails from monitoring systems can be a sign of an attack in progress.

  • Network monitoring tools and logs can show which components have suffered a loss in availability.

  • Local experience. If you have worked on a network for a long period of time you eventually get a good grasp of the servers' and network's 'personality'. Unusual behaviour from a certain section of the network, or from a particular server that is normally humming along, can lead to the detection of an attack.
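The first and fourth points above (spikes against a baseline, and logs showing which component is affected) can be automated. The script below is an added example, not code from the original page: it reads constructed web-server access log lines in an assumed "timestamp client-ip method path" format, builds a per-minute baseline from the first few minutes, flags any later minute whose request count exceeds the baseline mean plus three standard deviations, and reports how many distinct sources contributed, which is the first hint of whether the flood is single-source or distributed. The hosts, counts and threshold factor are assumptions chosen for the demonstration.

```python
"""Flag request-rate spikes in an access log and summarise their sources.

Added example with constructed log lines; not from the original page.
Assumed line format: "<ISO timestamp> <client IP> <method> <path>".
"""
from collections import Counter
from statistics import mean, pstdev


def build_sample_log():
    """Constructed sample: five quiet minutes, then a flood in the 10:05 minute."""
    lines = []
    baseline = [3, 5, 4, 6, 4]            # requests per minute during normal use
    hosts = ["198.51.100.10", "198.51.100.11"]
    for minute, count in enumerate(baseline):
        for i in range(count):
            lines.append(f"2024-01-01T10:0{minute}:{i:02d} {hosts[i % 2]} GET /")
    for i in range(60):                   # 60 requests from 20 distinct hosts
        lines.append(f"2024-01-01T10:05:{i:02d} 203.0.113.{i % 20} GET /")
    return lines


def parse_line(line):
    """Return (one-minute bucket, client IP) for a single log line."""
    ts, ip, _method, _path = line.split(" ", 3)
    return ts[:16], ip                    # "YYYY-MM-DDTHH:MM"


def bucket_by_minute(lines):
    """Count requests per source IP inside each one-minute bucket."""
    buckets = {}
    for line in lines:
        minute, ip = parse_line(line)
        buckets.setdefault(minute, Counter())[ip] += 1
    return buckets


def detect_spikes(lines, baseline_minutes=5, k=3.0):
    """Flag minutes whose total exceeds mean + k*stdev of the baseline window."""
    buckets = bucket_by_minute(lines)
    minutes = sorted(buckets)
    totals = {m: sum(buckets[m].values()) for m in minutes}
    base = [totals[m] for m in minutes[:baseline_minutes]]
    threshold = mean(base) + k * pstdev(base)
    spikes = []
    for m in minutes[baseline_minutes:]:
        if totals[m] > threshold:
            top_ip, top_count = buckets[m].most_common(1)[0]
            spikes.append({
                "minute": m,
                "requests": totals[m],
                "threshold": round(threshold, 2),
                "sources": len(buckets[m]),
                "top_source": top_ip,
                "top_share": round(top_count / totals[m], 2),
                # many sources each sending a small share points at a DDoS
                "distributed": len(buckets[m]) > 1 and top_count / totals[m] < 0.5,
            })
    return spikes


if __name__ == "__main__":
    for spike in detect_spikes(build_sample_log()):
        print(spike)
```

With the constructed data the baseline threshold works out to roughly 7.5 requests per minute, so the 60-request minute is flagged, and the 20 contributing sources with a top share of 5% mark it as distributed rather than a single noisy client. On a real system the baseline should be long enough to cover normal daily variation, or the morning login rush will be flagged every day.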

Prevention

Some Denial of Service attacks are quite difficult to detect because the traffic they send is identical to legitimate user requests. These attacks usually originate from many unwitting clients that have themselves been compromised. Attacks that originate from multiple sources are known as Distributed Denial of Service (DDoS) Attacks.

Many other forms of attack can be prevented or alleviated by firewalls, Intrusion Prevention Systems and by keeping operating system software at the latest patch level. Another method, blackholing, diverts all traffic destined for the attacked address into a 'black hole' (a null route or bit bucket) that simply drops the packets. Note that this drops legitimate traffic to that address as well: blackholing sacrifices the targeted host in order to keep the rest of the network and its upstream links usable.

Quality of Service techniques such as rate limiting can also be applied where illegitimate traffic can be distinguished from legitimate traffic, for example by source address or by a request rate far higher than a real client would generate.
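The following added example (not code from the original page) shows per-source rate limiting with a token bucket, the mechanism behind most router and web-server rate limiters, and also shows where it stops helping. A single flooding host sending at 16 requests per second is throttled to the configured 4 per second plus an 8-request burst while two normal clients pass untouched; a distributed flood of 20 bots that each stay under the limit passes entirely, even though its aggregate rate is higher. The request streams, addresses, rates and timestamps are all constructed assumptions; timestamps are multiples of 1/16 s so the token arithmetic is exact.

```python
"""Per-source token-bucket rate limiting over a constructed request stream.

Added example, not code from the original page. Streams, rates and
timestamps are constructed; times are multiples of 1/16 s so refills are exact.
"""


class TokenBucket:
    """Bucket refilled at `rate` tokens/second, holding at most `burst` tokens."""

    def __init__(self, rate, burst, now):
        self.rate = rate
        self.burst = burst
        self.tokens = float(burst)
        self.last = now

    def allow(self, now):
        """Refill for the elapsed time, then spend one token if one is available."""
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class PerSourceLimiter:
    """One bucket per client address, created lazily on first sight."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.buckets = {}

    def allow(self, src, now):
        bucket = self.buckets.get(src)
        if bucket is None:
            bucket = self.buckets[src] = TokenBucket(self.rate, self.burst, now)
        return bucket.allow(now)


def apply_limit(stream, rate=4.0, burst=8):
    """Run a (time, source) stream through the limiter; count allowed/dropped per source."""
    limiter = PerSourceLimiter(rate, burst)
    outcome = {}
    for now, src in sorted(stream):
        counts = outcome.setdefault(src, {"allowed": 0, "dropped": 0})
        counts["allowed" if limiter.allow(src, now) else "dropped"] += 1
    return outcome


def single_source_flood():
    """Constructed: two clients at 1 req/s plus one host at 16 req/s, over 2 s."""
    stream = [(t / 16, "203.0.113.7") for t in range(32)]
    stream += [(0.0, "198.51.100.10"), (1.0, "198.51.100.10")]
    stream += [(0.5, "198.51.100.11"), (1.5, "198.51.100.11")]
    return stream


def distributed_flood():
    """Constructed: 20 bots at 2 req/s each, a higher aggregate rate than the single flooder."""
    return [(t / 2, f"203.0.113.{n}") for n in range(20) for t in range(4)]


if __name__ == "__main__":
    print("single-source flood:", apply_limit(single_source_flood()))
    print("distributed flood:  ", apply_limit(distributed_flood()))
```

The single flooder gets 15 of its 32 requests through (the 8-token burst, then one per 0.25 s) and has 17 dropped, while both normal clients are fully served. All 80 requests of the distributed flood are allowed, which is exactly the case the page describes: when each source looks like a legitimate client, per-source limits cannot tell them apart, and you need an aggregate limit on the service, upstream filtering, or blackholing instead.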

Cisco CCNA Training available through TrainSignal.com