"Denial of service" or "DoS" describes the ultimate goal of a class of cyber attacks designed to render a service inaccessible. The DoS attacks that most people have heard about are those launched against high profile websites, since these are frequently reported by the media. However, attacks on any type of system, including industrial control systems which support critical processes, can result in a denial of service.
When a website suffers a DoS attack, the apparent effect will depend on your perspective. For the average user, it appears that the site has simply stopped displaying content. For businesses, it could mean that the online systems they depend upon have ceased to respond. The symptoms of a DoS attack against industrial control systems may include the inability to retrieve sensor data, or control critical processes.
DoS attacks can range in duration and may target more than one site or system at a time. An attack becomes a "distributed denial of service", referred to as "DDoS", when it comes from multiple computers (or vectors) instead of just one. This is the most common form of DoS attack on websites.
A typical denial of service attack
DoS events are often brought about by a service's underlying systems being overloaded. We'll use a simple web-based example to clarify exactly how overload-based DoS attacks work, so let's imagine a shopping website you visit is under attack.
Ordinarily, when you visit an online shopping site, your requests pass through your Internet Service Provider's network, through one or more exchanges and out, onto other providers' networks. From there your clicks pass onto the hosting service used by the shopping site, and finally onto the site's own infrastructure.
Within the shopping site, a number of servers will each handle a small bit of the work needed to generate the page you see. This will include database servers that provide lists of products, application servers that interpret that product information and web servers that create the pages you are browsing.
However, much like a human, each server can only do so much work in a given period. So, when too many users are requesting pages from the shopping site at one time, the site's infrastructure or servers may not be able to handle everyone's requests in a timely manner.
Depending on how the shopping site is set up, this results in some or all users being unable to view the site. To put it another way, they are denied access to the service.
As the shopping site example suggests, a Denial of Service can be caused by perfectly legitimate use. For example, Black Friday sales, when thousands of users are clamouring for a bargain, often cause a denial of service. But they can also be malicious. In this case, an attacker purposefully tries to exhaust the site's resources, denying legitimate users access.
Malicious attacks can take one of two general forms: Denial of Service (DoS) or Distributed Denial of Service (DDoS).
The difference is:
- A Denial of Service attack uses only a small number of attacking systems (possibly just one) to overload the target. This was the most common type of attack in the early days of the Internet, where services were relatively small in scale and security technology in its infancy. However, nowadays, a simple DoS attack is often simple to deflect as the attacker is easy to identify and block. One notable exception here may be industrial control systems, where equipment may have a low tolerance to bogus traffic, or may be connected via low bandwidth links that are easily saturated.
- In a Distributed Denial of Service attack, the attacker enlists the help of (many) thousands of Internet users to each generate a small number of requests which, added together, overload the target. These participants may either be willing accomplices (such as in attacks initiated by loosely organised illegal "hacktivist" groups) or unwitting victims whose machines have been infected with malware.
The key difference between legitimate denial of service (eg, Black Friday browsing) and an attack is that an attack generally happens with no warning. Therefore, the service cannot plan to handle the increased load.
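The distinction above (a few identifiable sources that can be blocked, versus many sources each sending a little) is something a defender can check directly in web-server logs. The following is an added illustration, not code from the original article: it counts requests per client within a one-minute window and classifies a surge by how concentrated its sources are. The log records, the baseline of 20 requests per minute and the 50% concentration threshold are all constructed assumptions for the sample.

```python
"""Classify a request surge as single-source (DoS) or distributed (DDoS).

Added illustration of the DoS/DDoS distinction; not the article's own code.
Log records and thresholds are constructed for the sample.
"""
from collections import Counter

# Constructed access records: (timestamp in seconds, client IP).
NORMAL_VISITOR = [(t, "192.0.2.10") for t in range(5)]          # ordinary browsing
DOS_LOG = NORMAL_VISITOR + [(t, "203.0.113.7") for t in range(60)]  # one client, 60 req/min
DDOS_LOG = NORMAL_VISITOR + [(t, f"198.51.100.{t + 1}") for t in range(60)]  # 60 clients, 1 each


def summarise_window(records, start, window=60):
    """Return (total requests, Counter of requests per client) for [start, start + window)."""
    per_client = Counter(ip for t, ip in records if start <= t < start + window)
    return sum(per_client.values()), per_client


def classify_surge(per_client, baseline_rpm, top_share=0.5):
    """Label the load in a window by its source concentration.

    "normal":        total load is within the expected baseline.
    "single-source": one client produces most of the traffic; a DoS that
                     can usually be deflected by blocking that client.
    "distributed":   many clients each send a little; a DDoS that needs
                     upstream filtering or extra capacity rather than a block.
    """
    total = sum(per_client.values())
    if total <= baseline_rpm:
        return "normal"
    _top_ip, top_count = per_client.most_common(1)[0]
    return "single-source" if top_count / total >= top_share else "distributed"


def block_candidates(per_client, baseline_rpm, top_share=0.5):
    """Clients worth blocking: only meaningful when the surge is single-source."""
    if classify_surge(per_client, baseline_rpm, top_share) != "single-source":
        return []
    return [per_client.most_common(1)[0][0]]


if __name__ == "__main__":
    for name, log in (("normal", NORMAL_VISITOR), ("dos", DOS_LOG), ("ddos", DDOS_LOG)):
        total, per_client = summarise_window(log, 0)
        verdict = classify_surge(per_client, baseline_rpm=20)
        print(f"{name}: {total} requests from {len(per_client)} clients -> {verdict}")
```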
Two types of overload-based denial of service attacks
The online shopping example above explores an attack that attempts to overload the available resources of a website in order to cause a DoS condition. These overload-based DoS attacks can target different types of resource. The majority fall into one of the following two categories:
- Overload DoS attacks at the network layer: These DoS attacks typically attempt to consume all available capacity on network links, or to cause network hardware or software to fail due to overload.
- Overload DoS attacks at the application layer: These DoS attacks typically attempt to consume the compute resources of the service by exercising compute-expensive functionality, or by generating many more application sessions than the service has been designed to cope with.
You can read more technical details about specific types of overload attacks and how you can reduce their impact in the Center for Internet Security's Guide to DDoS attacks.
Other forms of denial of service attack
DoS events can be caused by system overload, but there are other ways that an attacker may deny access to your service:
- Destruction of physical equipment: An attack which causes physical damage through digital means. Saudi Aramco suffered an attack of this kind which disabled tens of thousands of user workstations. But probably the best known example is Stuxnet, where malware subtly changed an industrial control process in order to destroy centrifuges.
- Denying the ability to fix: An attacker may execute a denial of service attack and then purposefully disrupt your ability to resolve the issue. This may be through over-writing firmware, deleting accounts, or blocking administrative access. For example, an attacker may turn off remote process control equipment and then damage the firmware, or more subtly, update network routes in network infrastructure, to prevent administrators from being able to access equipment.
- Theft of public identifiers: An attacker may hijack your domain name, Twitter account or other essential online accounts. If using cloud services, an attacker who is able to gain access to your account can disable your infrastructure whilst preventing you from gaining access to revert any changes.
- RF interference: An attacker may use radio jamming to interfere with local WiFi or longer range wireless connections to remote sites (such as sensor installations). This type of attack carries significant risk on the attacker's part, due to their need to be physically close to the target location.
Understanding attacker motivation
Attackers may have a range of motivations when initiating a denial of service attack. These range from "fun" to extortion or even furthering state goals. Some objectives include:
- Hackers may simply find it fun to bring down a service, often to show off their skills to other hackers and gain kudos. Attacks may be carried out using "off-the-shelf" tools or, if an attacker is skilled, bespoke attacks may be carried out to demonstrate new techniques or tools they have developed.
- A group of 'hacktivists' will use their hacking skills for social or political goals, for example launching a DoS campaign against a company which carries out activities they do not agree with. The attackers are unlikely to be determined in this scenario and the attack is likely to be short-lived. The attack is usually a DoS attack on publicly facing websites, although some groups may attempt "web defacement" of poorly protected servers.
- A desire to create bad publicity for an organisation with which the attacker has a grievance. The grievance may be ideological (such as animal testing or politics), or personal (disgruntled ex-staff, for example). Again, they are likely to be short-lived DoS style attacks, however a motivated attacker could persevere with the attack. You should work out the business impact of a loss of service for different periods of time.
- Organised criminals may attempt to extort money based on either the threat of a denial of service or by a short attack to prove their capability. If the adversary is able to execute such an attack, it is likely to be longer in duration and severity. Some organised crime groups may move beyond simple DoS and look to gain unauthorised access to your system, either to increase the severity of the attack or execute the attack itself.
- High capability attackers, possibly with state sponsorship or involvement, are likely to attempt the most serious attacks. These may involve physical effects (such as the Ukrainian power grid failures) or be very long lasting, with a large amount of resource behind them. The objectives in this case can be diverse, but you should not presume that these attackers will only target governments. They may use denial of service attacks in order to undermine confidence in high profile services such as banking or critical infrastructure. They may also aim to undermine public confidence more generally, through attacks on household names such as retail outlets, weather or broadcast services.
- Also, be aware of high capability actors using a DoS attack to distract attention from an attempt to compromise your system. Do not become so focussed on defending against a DoS attack that you ignore other security monitoring.