How to prevent DoS attacks and what to do if they happen
The worst DoS attacks are like digital tsunamis that put critical business operations at risk. Learn how they work, ways to stop them and how systems can withstand the flood.
A denial-of-service attack is a cyberattack that aims to make key systems or services unavailable to users, usually by overwhelming them with traffic or malicious requests. DoS attacks bombard the target with such massive amounts of data that systems become unable to process legitimate requests and stop functioning.
The most common form of DoS attack is distributed denial of service (DDoS), which sends network traffic from a large number of devices with different IP addresses, making the attack source difficult to filter or block. These attacks often use botnets, networks of hijacked computers or IoT devices. For example, the notorious Mirai botnet and its successors have enlisted thousands of compromised devices -- including CCTV cameras, home routers and baby monitors -- which threat actors have used to launch massive DDoS attacks.
Editor's note: For the purposes of this article, we consider a DDoS attack a type of DoS attack. Note, however, that some experts argue a true DoS attack has only one malicious source, with a single system attacking a single system. Defenders could mitigate such an attack relatively easily by identifying and blocking traffic from the relevant IP address.
In contrast, a DDoS attack involves traffic from many sources, with multiple systems bombarding the target. DDoS attacks are more challenging to prevent and stop than single-source DoS attacks, because they involve many more malicious IP addresses.
Types of DoS attacks
DoS attacks fall into the following three categories:
Protocol attacks. These also target network infrastructure, but rather than simply flooding it with data, they manipulate protocol behaviors to exhaust server resources.
Application layer attacks. Target websites and APIs by generating large numbers of HTTP requests or by triggering resource-intensive application functions, such as complex report generation.
If online services are unusually slow or suddenly unavailable, a DoS attack could be underway.
Consequences of DoS attacks
Successful DoS attacks can disrupt business and devastate organizations. Consequences include the following:
Immediate financial losses. When a business-critical system experiences downtime, the organization typically loses money. For example, even a brief DoS outage at a high-volume e-commerce merchant would result in many lost transactions, adding up to significant financial impact.
Remediation costs. An organization experiencing a DoS attack must respond and get affected systems back online quickly, which can require significant resources.
Reputational damage. A long outage can seriously damage a brand's reputation, prompting customers, shareholders and the public to question the organization's ability to protect its systems.
DoS prevention and mitigation methods
As is so often the case in cybersecurity, an ounce of prevention is worth a pound of cure. Effective DoS prevention and mitigation must begin long before an attack attempt takes place.
Risk assessment
Start by identifying and evaluating all digital assets, especially critical systems and data that might draw attacks. Determine baseline traffic patterns. Assess potential vulnerabilities that threat actors might exploit.
Attack surface reduction
Reduce the attack surface by implementing necessary security patches and removing unnecessary internet-facing systems.
DoS prevention and mitigation services
While possible, it is difficult to defend against DoS attacks without the support of a third-party provider. Typically, organizations rely on content delivery network providers and specialized DDoS mitigation providers -- such as Cloudflare, AWS Shield and Azure DDoS Protection -- for scalable DoS protection. A company that enlists such a service can expect it to do the following:
Provide a defensive layer that sits between an organization's applications and the public internet.
Act as a reverse proxy, with all traffic hitting the mitigation provider's data centers first.
Distribute sudden surges in traffic across multiple provider-owned data centers.
Apply rate limiting -- restricting the number of requests servers will accept in a certain period -- to sources of suspicious traffic.
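Rate limiting as described above, as an added example (not code from the article or from any provider it names): a per-source sliding-window limiter replayed over constructed log lines, where the log format, the limit of 5 requests per 10 seconds and the sample addresses are all assumptions.

```python
"""Per-source sliding-window rate limiter run over constructed log lines.
Added example; not code from the article or from any provider it names."""
from collections import defaultdict, deque

# Constructed sample log: "<timestamp-seconds> <source-ip> <request-path>".
# One source (203.0.113.5) bursts against a costly endpoint; the other is quiet.
SAMPLE_LOG = """\
100.0 203.0.113.5 /index.html
100.2 198.51.100.9 /index.html
100.3 203.0.113.5 /api/report
100.4 203.0.113.5 /api/report
100.5 203.0.113.5 /api/report
100.6 203.0.113.5 /api/report
100.7 203.0.113.5 /api/report
101.0 198.51.100.9 /about.html
111.0 203.0.113.5 /index.html
"""


class SlidingWindowLimiter:
    """Allow at most `limit` requests per source within any `window` seconds."""

    def __init__(self, limit: int, window: float) -> None:
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)  # source -> timestamps of accepted requests

    def allow(self, source: str, now: float) -> bool:
        hits = self._hits[source]
        # Forget timestamps that have aged out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False  # over quota; rejected requests are not counted
        hits.append(now)
        return True


def apply_limits(log_text: str, limit: int = 5, window: float = 10.0) -> dict:
    """Replay the log through the limiter; return accepted/rejected counts per source."""
    limiter = SlidingWindowLimiter(limit, window)
    stats = defaultdict(lambda: {"accepted": 0, "rejected": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, _path = line.split()
        verdict = "accepted" if limiter.allow(src, float(ts)) else "rejected"
        stats[src][verdict] += 1
    return dict(stats)
```

Keying on the source address is the simplest form; a mitigation provider that sits in front of the origin can key on other request attributes as well, which matters because per-address limits alone are weakened when sources are many or spoofed.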
DoS prevention and mitigation tools
Other defensive mechanisms include the following:
Web application firewalls. WAFs filter out requests targeting specific URLs or API endpoints.
Intrusion prevention and detection systems. IPSes and IDSes monitor network activity to identify unusual traffic patterns that might indicate a DoS attack. These and other tools, such as firewalls, can also automatically block traffic from sources an administrator flags as malicious. Note, however, that IP spoofing can readily circumvent blocklists.
Blackhole routing. Drops all traffic targeting the system. This has a similar effect to the attack itself, however, by taking the system offline.
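The baseline-and-deviation logic behind "determine baseline traffic patterns" in the risk assessment step and the IDS/IPS role described above, as an added example (not code from the article): per-minute request counts, a z-score plus ratio test against a known-good window, and a persistence requirement before alerting. The sample counts, thresholds and window length are assumptions.

```python
"""Baseline-deviation alerting on per-minute request counts.
Added example; not code from the article. The window, thresholds and
sample counts are assumptions chosen for illustration."""
import statistics

# Constructed per-minute request counts: a quiet baseline period, then a surge.
BASELINE_MINUTES = [120, 118, 131, 125, 122, 119, 128, 124, 130, 121, 126, 123]
OBSERVED_MINUTES = [127, 124, 410, 980, 2350]


def build_baseline(counts):
    """Mean and population stdev of a known-good traffic window."""
    return statistics.mean(counts), statistics.pstdev(counts)


def flag_minutes(observed, baseline, z_threshold=4.0, min_ratio=3.0):
    """Return indexes of minutes whose volume is anomalous against the baseline.
    Both tests must hold: a high z-score AND at least min_ratio x the mean,
    so a very flat baseline cannot turn ordinary jitter into an alert."""
    mean, sd = baseline
    sd = max(sd, 1.0)  # guard against a zero-variance baseline
    return [i for i, c in enumerate(observed)
            if (c - mean) / sd >= z_threshold and c >= min_ratio * mean]


def alert_minute(observed, baseline, consecutive=2, **kw):
    """Index of the first minute at which `consecutive` anomalous minutes in a
    row have been seen, or None. Requiring persistence avoids paging on a
    single spike such as a legitimate traffic burst."""
    flagged = set(flag_minutes(observed, baseline, **kw))
    run = 0
    for i in range(len(observed)):
        run = run + 1 if i in flagged else 0
        if run >= consecutive:
            return i
    return None
```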
DoS response plan
Even when an organization has a DoS mitigation strategy in place, its incident response plan should still cover DoS attacks and include the following:
Policies for when, what and how to communicate with internal stakeholders, customers and the public. Social media channels can provide an effective way to reach the latter when other resources are unavailable.
Rob Shapland is an ethical hacker specializing in cloud security, social engineering and delivering cybersecurity training to companies worldwide.