Explaining Denial of Service Attacks
Denial of Service attacks (DoS attacks) are rather simplistic in nature and devilishly easy to launch. In their simplest form against a well patched and updated system they don’t usually pose too much of a threat, however like most things they have bigger and more dangerous brothers out there.
Sometimes its hard to explain a denial of service attack, especially to people new to networking. Simply telling them its essentially a computer or piece of hardware running out of resources, just doesn’t seem to clarify it. What we need is a few real world examples of what a DoS attack might look like outside of IT.
DoS Attack – The Phone Analogy
Suppose you’re sat at home and your friend Alice rings you. How nice you think. You answer. While you’re chatting away about the latest Game of Thrones episode, unless you’re a high-flying day-trader or some hot-shot CEO it probably doesn’t matter that you’re on the phone and unable to receive further calls. Bob is trying to call you but can’t get through. It’s okay though, Bob’s a reasonable guy, he decides to put the kettle on and after his cup of tea tries again.
By now you’ve finished talking about how ‘winters coming’ and have hung up on Alice. Bob tries and successfully gets through to you, where you start another conversation about GoT.
A week later, while waiting for Alice to ring you up and discuss the fact winters still not here, you get a cold-phone call from a sales company – ColdCallingCorp. You’re only on the phone a few minutes, but while you are Alice tries and fails to get through. ColdCallingCorp continue with the hard sell and ignore the fact you’re not interested. You hang up.
The phone rings again – its ColdCallingCorp again! You decide not to answer and let it ring off after 60 seconds. Little do you know both Alice AND Bob have tried calling you in the last 30 seconds, both unable to get through.
Once again the phone rings and ColdCallingCorp flashes up on the screen. Angry now, you answer and tell them to leave you alone, before hanging up. However they keep calling, regardless of what you say or do they hog your phoneline.
The whole evening is spent ignoring ColdCallingCorp’s phonecalls. One side effect of this nuisance call is that both Alice and Bob have given up trying to speak to you that evening. Another side effect is you cant dial out to call Alice, everytime you try your phone gets called before it can dial out.
ColdCallingCorp is essentially conducting a denial of service attack on you. While they’re constantly calling you maliciously, no legitimate calls can get in or out!
Note that if you disconnected your phone, the calls will stop, but this doesn’t help your situation.
How about a DDoS Analogy
While ColdCallingCorp are harassing you that evening, you discover your phone provider offers a block-a-phone-number-immediately functionality on their website. You login and enter the ColdCallingCorp number, after a few seconds your phone falls blissfully quiet. ColdCallingCorp is now blocked from contacting you; similar to how a firewall might block a certain IP. (Alice has gone to bed by this point).
Another week passes and you’re ready to discuss the latest Jon Snow / Whitewalker antics with Alice.
Bang on schedule however, you get a call from DodgyCorp. You answer it and immediately recognise its the same guy from ColdCallingCorp! Cheeky, they’ve bypassed the phone-providers filter by calling from another number. Super annoyed you rant at the guy for several minutes. You miss Alice’s call 🙁
You hang up and expect DodgyCorp to call you back. In fact you’ve already typed in your phone providers website to add DodgyCorp to the blocked list. Before you can finish typing it though you get another call, this time from FrustrationCorp.
You let it ring off after 60 seconds.
A further call; GhostCo.
60 seconds later HazardCo tries … then IrritateCo … then MaliciouslyCorp (I couldn’t think of one beginning with J)
You still have the option to block their individual numbers with your phone provider, but they’re not calling you back from the same number so it wont help.
What ColdCallingCorp are now doing is called a DDoS, or Distribute Denial of Service attack.
Whats really happening in a Denial of Service
In the above analogy your phone line has become saturated and you’re unable to use it for legitimate reasons. If your web application can only have one user logged in at a time, this could pose the same problem.
The most simplistic way to stop this happening is to block the offending source of the attack. That doesn’t stop a DDoS though, as BOTNETs now allow malicious use of hundred of thousands of infected PCs to ‘call’ you without ever repeating a source.
You can also counter this problem by throwing more resources at it. Going back to our example, you could get a 2nd of 3rd phoneline installed. While DodgyCorp are ringing one line, you can ignore it and speak to Alice on the other. What we’ve entered there though is a digital arms race. You add a 2nd phone line. They get DodgyCorp and FrustrationCorp ringing you at the same time.
You could set your phone provider (read: firewall) to block all incoming calls with the exceptions of Alice and Bob. That way you don’t get pestered by malicious calls and can still speak about Game of Throne to your favourite buddies. The problem with this approach is that your mates Charlie, Eric and Dave also get blocked. Do’h! All of a sudden you need to whitelist anyone who’s ever likely to call you! If your application or service only gets accessed by a few people this is do-able, but what happens if they are accessing your service from a floating IP. Every time they connect their IP could change. It’d be like trying to whitelist Dave’s number, but he keeps changing his number every day!
Further Reading
Update Jan 2016 – We now have a short article explaining the common TCP SYN flood denial of service attack
Update April 2016 – We’ve just uploaded another short article, this time covering the UDP Flood DoS attack