DoS (Denial of Service)

DoS, or Denial of Service, is a specific type of online attack making a site inaccessible (denying other people access to its services) by flooding it with connection requests. DoS attacks can be used on several layers of the Internet, ranging from the deep ICMP and TCP/IP layers, to a load of website requests. The point is to spend an amount of bandwidth that exceeds the victim site's aggregated bandwidth, thus spending it all at once so that nobody else can connect.

There is also a more sophisticated version of the DoS attack called DDoS (Distributed Denial of Service) in which the attackers are distributed across the Internet, so that each of their small amounts of bandwidth still target just one victim. DDoS is extremely effective, and coupled with some Internet vira/worms, it led to the complete breakdown of both Microsoft Windows Update and the SCO Group websites as worms kept spreading and DoS'ing the two single sites. The reason DDoS is effective is that it does not require a big Internet connection, but can do with a lot of medium and small ones, some of which can be obtained access to illegally through worms and spyware.

Another yet more effective way of DDoS'ing is that of http://www.pentics.net/denial-of-service/white-papers/smurf.cgi smurfing.

Resisting a Denial of Service attack

Resisting a Denial of Service attack is much like resisting a jackhammer. Some software, and even hardware firewall/router equipment, is especially bad at dealing with hard attacks of this kind, and it may result in their breakdown, which is worse than simply having their bandwidth stolen. For software, some stress testing programmes, such as the http://httpd.apache.org/docs/2.0/programs/ab.html Apache Benchmark ('ab') tool can be used to overload websites for testing purposes. For hardware, it is a good choice to investigate which hardware deals better with stress, as there is a factor of quality involved in this.

As this type of Internet violence can be extremely effective, the only way to avoid getting hit badly is to avoid spending more bandwidth than possible. Exactly how to do this varies depending on the network layer you are preventing it at. But the primary rule is that the more data you send back to an attacker, the more the attacker has gained. Therefore, a good idea is generally to block or redirect data requests. This could mean to ignore all ICMP requests, or to HTTP Redirect bad IPs, or to simply drop TCP packages from certain hosts. Some of these solutions can be accomplished in the webserver, and some have to be adjusted at router level.

-- SimonShine - 01 Sep 2005