Ask the Cyber Security Expert: What is a denial of service attack?
The Cyber Security Expert is often asked about denial of service, or DoS, attacks. After making some lame reference to the popular Microsoft operating system, and laughing at his own joke, an embarrassed silence follows which he then fills with the following helpful information.
What is a denial of service attack?
A denial of service attack (commonly referred to as a DoS) is an attempt by an attacker to exhaust the resources available to run a particular service, and hence render it unavailable to legitimate users. For instance, a website depends on two key resources – the power of the computer running the site, and the bandwidth (the connection to the internet) that is available. Use up all of either and the website cannot serve up content to real users.
So how does this work?
As per the example above the most common target for a denial of service attack is a website. Websites can only cope with a certain number of connections at any one time, limited by their available bandwidth and the power of the web server. When targeting a website the attackers attempt to render the site unavailable by consuming one of these two resources (or sometimes both). If the attackers can do this successfully then legitimate users of the website will struggle to connect, essentially making the website unavailable despite the fact it is up and running – it is just too busy to respond to all requests.
The simplest way to do this is to connect to the website as frequently as possible. For a single attacker this is difficult as websites are easily able to handle all the requests for service a single user can throw at them. To be successful the attacker needs to have many people connecting to the website repeatedly. This can be achieved by recruiting a lot of people to the cause. Recruiting sufficient numbers of accomplices is challenging unless you happen to have an awful lot of friends.
The most common denial of service attacks use a network of compromised computers, known as a botnet (from ‘robot network’). A botnet consists of large numbers of computers that have been compromised and are under the control of an individual or group (known as a bot herder). Botnets can be very large, consisting of hundreds of thousands or even millions of nodes, however most are much smaller. An attacker wishing to conduct a denial of service can instruct all the nodes in a botnet to repeatedly connect to the target website. Attacks conducted in this manner are known as a distributed denial of service (DDoS), and can be extremely effective.
Does a DoS attack mean confidential data has been lost?
Denial of service attacks do not mean there has been a successful ‘hack’ of the target website or company. Despite media reporting often using phrases like ‘hacked’ or ‘the website was taken down’ the target website is usually still functioning perfectly well but just not able to handle the volume of service requests. Once the attack stops the website becomes available again, with no damage or data loss.
So what can I do about it?
Denial of service attacks are difficult to completely mitigate against, as it can be difficult to distinguish malicious requests to a website from genuine requests, and because it is essentially a resource war with the attackers. There are companies that offer denial of service protection that can be effective, but it comes at a cost.
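To make the "resource war" point concrete, here is an added illustration that is not part of the original column. It simulates one common mitigation, a per-source request limit (at most a fixed number of requests from any one address within a sliding window), and runs it over constructed sample traffic: a handful of genuine users plus either a single flooding source or fifty sources each sending one request. The limit, the window, the addresses and the traffic pattern are all assumptions chosen for the demonstration.

```python
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` requests per source within any `window` seconds.

    The limiter only ever sees (source address, timestamp); it has no way of
    knowing whether a request is genuine, which is exactly the difficulty the
    column describes.
    """

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)  # source -> timestamps still inside the window

    def allow(self, source, ts):
        q = self._hits[source]
        # Forget requests that have aged out of the window.
        while q and ts - q[0] >= self.window:
            q.popleft()
        if len(q) < self.limit:
            q.append(ts)
            return True
        return False


# Constructed addresses from the documentation ranges (RFC 5737); not real hosts.
LEGIT_USERS = ("198.51.100.10", "198.51.100.11", "198.51.100.12")


def build_scenario(attack_sources, requests_each, window=10.0):
    """Return (timestamp, source, is_genuine) events for one constructed scenario.

    Three genuine users make two requests each; every attacking source sends
    `requests_each` requests spread evenly across the window.
    """
    events = []
    for i, ip in enumerate(LEGIT_USERS):
        events.append((1.0 + i, ip, True))
        events.append((6.0 + i, ip, True))
    for n, ip in enumerate(attack_sources):
        for k in range(requests_each):
            ts = (k + n / len(attack_sources)) * window / requests_each
            events.append((ts, ip, False))
    events.sort()
    return events


def run(events, limit=10, window=10.0):
    """Feed events through the limiter and count what gets through."""
    limiter = SlidingWindowLimiter(limit, window)
    stats = {"allowed": 0, "dropped": 0, "legit_total": 0, "legit_allowed": 0}
    for ts, ip, genuine in events:
        stats["legit_total"] += int(genuine)
        if limiter.allow(ip, ts):
            stats["allowed"] += 1
            stats["legit_allowed"] += int(genuine)
        else:
            stats["dropped"] += 1
    return stats


def single_source_flood():
    """One source sends 50 requests in the 10 s window (a plain DoS)."""
    return run(build_scenario(["203.0.113.5"], requests_each=50))


def distributed_flood():
    """Fifty sources send one request each (a small DDoS) - same total load."""
    sources = ["203.0.113.%d" % i for i in range(1, 51)]
    return run(build_scenario(sources, requests_each=1))


if __name__ == "__main__":
    print("single source:", single_source_flood())
    print("distributed  :", distributed_flood())
```

With the limit set to ten requests per ten seconds, the single flooder is cut from fifty requests to ten while every genuine request still gets through. The distributed version delivers the same fifty attacking requests, but because no one address exceeds the limit all of them are admitted, and the server is left to absorb the full load. That is why per-source controls on their own are not enough against a botnet, and why the column describes the problem as a contest over resources rather than something that can be filtered away.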
If you have a website you need to consider how likely it is that you would be targeted in the first place, and what the consequences would be if an attack were successful. Websites that do not generate revenue can tolerate a greater outage than an e-commerce site. In other words, if you don’t offer services through your website you probably don’t need to worry all that much.
If you do offer web services you should take some time to consider how you would deal with a denial of service attack. Some web hosting services offer denial of service protection – you should check your hosting package and see what it says on the subject of DoS attacks specifically, and security generally.
A good relationship with your web hosting provider, knowing who to contact and what they can potentially do to help is extremely useful. A well designed website can also help, such as hosting large files in a different location (for instance using a cloud provider) which can make it harder for an attacker to chew through your bandwidth.
For all companies that are concerned, having a plan of action for dealing with a denial of service attack, and testing this plan, is strongly recommended. This plan should include:
- An up to date list of relevant contacts both in your company and at other organisations (such as your internet service provider and web hosting supplier).
- Guidance for contacting law enforcement.
- Some prepared steps to take, for instance moving to a simplified version of your website, or falling back on a different provider.
- Guidance on invoking denial of service mitigation, should you have it.
- A plan for communicating with your customers.
- A media handling plan including pre-briefings for the relevant people on what a denial of service is, what steps you have taken to mitigate the attack and reassurance for customers.
The Cyber Security Expert