16

Can someone explain to me the concept of DoS attacks for web applications? Also, what is the distinction between DoS and Distributed DoS (i.e. DDoS) attacks? Wikipedia says:

In computing, a denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a machine or network resource unavailable to its intended users

which means they are the two different names for the same attack.

But then again, I found out this article from Computer Crime Research centre website titled Network security: DoS vs DDoS attacks. So I am assuming that these are two different types of attacks.

schroeder
  • 125,553
  • 55
  • 289
  • 326
Geek
  • 263
  • 1
  • 2
  • 7
  • Also relevant: [What techniques do advanced firewalls use to protect againt DoS/DDoS?](http://security.stackexchange.com/q/114/33) – AviD Oct 18 '12 at 19:44

6 Answers6

23

A denial-of-service attack is a type of attack that causes legitimate users to be unable to use the service. These come in a few different categories:

  • Resource exhaustion (e.g. consuming all network bandwidth, or server CPU time)
  • Limitation exploitation (e.g. locking a user out of their account by repeatedly attempting to log into it with invalid credentials)
  • Process disruption (e.g. crashing a process that serves user requests, via a bug in the software)
  • Data corruption (e.g. altering all user types to an invalid type, making it impossible for them to log in)
  • Physical disruption (e.g. pulling out the power cable on a server) - thanks to Henning for this one!

The most common type on webapps is a resource exhaustion, which is what most people tend to refer to as a DoS. These are caused by an attacker sending a large number of requests to the server, in order to exhaust one or more resources:

  • Network bandwidth may be entirely consumed by the attack, preventing legitimate user traffic from reaching the server.
  • Each request uses some CPU time, so a large number of requests may cause the CPU to spend all of its time dealing with attacker requests, instead of legitimate requests. Attackers can send expensive requests (e.g. full-text searches, SSL connections, etc.) to the server to increase the impact. There are also cases where vulnerabilities in the server software allow the attacker to craft special requests that eat a lot of CPU time.
  • A small amount of RAM is used for storing the connection state, which might allow for physical memory exhaustion if enough connections can be made. However, database queries can be very memory intensive, in terms of memory usage and memory bandwidth. If an attacker picks his queries well, he might be able to entirely exhaust the physical memory of the system.
  • Logs, database tables, etc. are stored on disk. Sending a huge number of queries over a period of time may exhaust the disk space on the server, causing it to crash.

Note that the requests don't need to be HTTP - they could be DNS, HTTPS, SSH, FTP, SMTP, POP, IMAP, SMB, etc. Any situation where a service is listening for incoming packets is a potential way to achieve a DoS.

There are two primary ways to achieve basic application-independant network DoS attacks: TCP SYN floods and UDP flood.

The TCP protocol involves a three-way handshake. First, a client sends a SYN (synchronise) request, to which the server responds with a SYN-ACK (synchronise acknowledged), which the client then finally responds to with an ACK (acknowledge). However, if a client sends a SYN and does not respond to the SYN-ACK, the server is left with a half-open connection. This consumes a small amount of memory within the operating system, and eats a few CPU cycles. Eventually the connection is dropped, but a flood of SYN packets can be enough to cause serious performance issues on the target. There are a number of ways to mitigate this threat, and the most notable is SYN cookies, which allow the server to send back a response without storing the SYN state.

The UDP protocol doesn't involve any form of handshake. Packets are simply sent between hosts, with no state or connection. This means that an attacker can send a large number of UDP packets to the server, consuming their bandwidth. This requires that the total bandwidth of the client exceeds that of the server. Since the client doesn't need any response, it can spoof the source IP address, making mitigation harder. These types of attack can be harder to block, and often require intervention by the service provider.

The problem for attackers is that servers are designed to cope with a large number of concurrent users, and small denial of service attacks. Sending a huge number of packets from their home network or a rented server is unlikely to cause a significant reduction in availability or response speed of their target. In order to make the attack more effective, they use a distributed denial of service (DDoS) attack. This involves using a number of computers on different networks to flood the site with requests. Often the attacker will infect other computers with malware, to form a botnet, which is then used to perform DoS attacks. The difference is that a DDoS allows traffic to flow from legitimate (but compromised) source IPs, increasing the effectiveness of the attack and making it harder to block.

Polynomial
  • 133,763
  • 43
  • 302
  • 380
  • I guess it's also important to note that a DDoS can be unintentional - a large influx of users to a site can cause it to exhaust its resources and become unavailable. An example of this is from a few months back when President Obama did an AMA thread on Reddit, and the whole site died. – Polynomial Oct 18 '12 at 19:28
7

A DOS is from a single attacking address.

A DDOS is usual from multiple locations which are primarily caused by botnets or an angry internet.

Digital fire
  • 3,156
  • 5
  • 31
  • 44
5

DDOS is a subset of DOS. A DOS attack is any attack that attempt to use some sort of "flooding" technique to overwhelm a host. A DDOS attack is a DOS attack that specifically uses a large, distributed set of clients to get the resources for the attack.

It can be difficult to come up with the resources to flood the target in a DOS attack, the simplest way is to have lots of clients share their resources and them combine to distribute the attack load across them.

B-Con
  • 1,842
  • 12
  • 19
3

In addition to Polynomial's great answer, the main reason DDoS attacks are much more effective than DoS attacks is that DoS attacks can be prevented by simply limiting the access to resources given to a specific IP address.

Simple DoS attacks (i.e. dumb resource exhaustion by a single machine) are pretty much a thing of the past. Today pretty much all servers are protected by a firewall which will blacklist an IP address that makes too many access attempts to the server. But in the Nineties (1990s that is) firewalls weren't ubiquitous as they are today and simple DoS attacks where quite effective.

Due to such firewalls the DoS attack evolved to a DDoS attack. Just like DoS attacks are a things of the past, DDoS attacks are a thing of the present. Today anyone can rent a botnet to deploy a DDoS attack. But botnets are relatively new things and rentable botnets have been around for a less than a decade. DDoS can be crowd sourced, but such crowd sourcing is also relatively new.

So in short a major difference between DoS and DDoS is historical: DoS attacks where common before firewall usage became wide spread and DoS attacks have become common after botnets became widely available. There was actually a period in between (in the middle of the previous decade) in which both forms of attack weren't all that common.

TL;DR: Attackers used to deploy DoS attacks. Servers implemented effective countermeasures. Attackers upgraded to DDoS attacks to circumvent the countermeasures.

David Wachtfogel
  • 5,522
  • 21
  • 35
2

Those are really two different, though similar, attacks.

"Regular" DoS is based on trying crash the webserver/firewall, through some kind of bug or vulnerability. E.g. the well known SYN Flood attacks. Alternatively, there are application-level flaws that would allow DoS at the app level: for example, a loop based on user input, where a very large number could cause a huge number of iterations; or XML Bomb, where a malformed XML document would cause the webapp to consume huge amounts of memory and 100% CPU.
The protection against these, are of course specific to the flaw, and secure coding/design in general.

However, DDoS simply attempts to overwhelm the webserver/firewall by flooding it with masses of apparently legitimate requests. These can be coordinated, often by using a botnet, sometimes by popular political movement. The really big difficulty here, is that it is nearly impossible, short of reputation-based systems, to differentiate between legitimate user requests, and the DDoS attack. There's not even a single IP address shared between them...

AviD
  • 72,708
  • 22
  • 137
  • 218
  • They don't even have to be "apparently legitimate". A huge number of obviously malicious UDP packets being sent to the server is a DDoS, as it exhausts the server pipe's bandwidth. – Polynomial Oct 19 '12 at 12:25
  • @Polynomial sure, it doesn't *have* to be, but the fact that it *could* be, makes it potentially that much harder to detect and/or block. – AviD Oct 20 '12 at 21:00
-2

A simple example:

DoS: an attacker sends a flood of pings from his computer to a website like cnn.com to overload it and crash the website.

DDoS: cnn.com is likely to have load-balancers/firewalls/IDS and other security mechanisms in place to detect when it is being attacked and will automatically block the attacker's IP address. So the attacker hacks into 5000 IoT devices around the world around, making it a botnet, and then floods the website with pings. The security mechanisms in place will have a hard time defending against this because it won't know what traffic is legitimate and what is malicious, since it is coming from so many distributed IP addresses.

crab
  • 17
  • 2