Denial of Service (DoS) attacks make the news regularly, largely because so much of business now depends on the Web. The typical symptom is a website going offline, or loading very slowly while its servers struggle with a sudden surge of traffic. When that surge is deliberately generated from many machines at once, you are looking at a Distributed Denial of Service (DDoS) attack.
In short, DoS and DDoS attacks are among the most common and most inventive attack techniques in use today, taking down business-critical services and cutting users off from the Web.
So what exactly are DoS and DDoS attacks, and, more importantly, how do we defend our IT assets against them?
Denial of Service
A DoS attack is an attempt to prevent legitimate users from accessing information or services. It usually targets your systems and their network connections, or the networks of sites you depend on. The most common form is flooding. When you type a website's URL, your browser sends a request to the site's web server. That server can only process a certain number of requests at a time; if an attacker keeps it saturated with bogus requests, your legitimate request cannot be served. That is, quite literally, a denial of service.
Compromised web servers are a favourite launch platform for attackers because they have far more computing power and network capacity than a home PC. The recent disruption of Mt. Gox's servers is a case in point. To bring down a web server, a DoS attack exhausts one or more of the following resources:
- Network bandwidth
- Server memory
- Application exception handling mechanism
- CPU usage
- Hard disk space
- Database space
- Database connection pool
Organizations tend to rely heavily on firewalls to defend their networks against DoS attacks. Firewalls are a key component of any security architecture, but on their own they cannot stop a targeted DDoS attack: at the packet level the flood often looks like ordinary client traffic, and at sufficient volume the firewall itself becomes the bottleneck.
Distributed Denial of Service
In a DDoS attack, the attacker exploits security vulnerabilities to take control of many systems, possibly including yours, and uses them together against a target. Such compromised machines are commonly used to send spam or to flood a website with more requests than it can handle. In simple terms, the attack is distributed: the attacker launches the DoS from many computers at once.
Symptoms such as slow network performance, a sudden spike in incoming spam, or inability to reach certain websites suggest that your network may be under attack, or that your machines are being used in one. It is best to be proactive. Continuously monitor activity on your web servers, firewalls and endpoints; a security information and event management (SIEM) tool is the natural place to do this, since it collects the logs from every component of your IT environment and analyzes and correlates events in real time, so you learn of an incident while it is unfolding rather than afterwards.
To protect your IT against DoS and DDoS threats, make sure your SIEM tool can take active responses to critical security events rather than merely reporting them. Responses you will almost certainly need include:
- Send incident alerts by email, pop-up message, or SNMP trap
- Add or remove users from groups
- Block an IP address
- Kill processes by ID or name
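The monitoring and the "block an IP address" response described above, as an added example that is not part of the original post: a small Python script that parses Apache/nginx combined-format access log lines, counts requests per source address over a sliding window, flags sources that exceed a threshold, and emits the alert text and the firewall rule a SIEM active response would push. It also computes the aggregate request rate across all sources, which is the figure that matters for a distributed flood where no single address looks abusive. The log format, the constructed sample traffic (RFC 5737 documentation addresses), the 10-second window and the 50-request threshold are all assumptions; the block rule is returned as a string and nothing is executed.

```python
"""Flood detection over web-server access logs, with the kind of active
response a SIEM would issue. Added example, not from the original post.

Assumptions (not from the page): Apache/nginx "combined" log format,
RFC 5737 documentation addresses in the constructed sample, a 10 s sliding
window and a 50-request threshold. Block rules are returned, never run.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# combined format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
WINDOW = timedelta(seconds=10)   # assumption: sliding window length
THRESHOLD = 50                   # assumption: requests per window per source


def parse_line(line):
    """Return {ip, time, status} for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {"ip": m.group("ip"),
            "time": datetime.strptime(m.group("time"), TIME_FMT),
            "status": int(m.group("status"))}


def detect_floods(lines, window=WINDOW, threshold=THRESHOLD):
    """Per-source detection (single-origin DoS). Lines are expected in log order.

    Returns {ip: peak_requests_in_window} for every source that exceeded
    `threshold` requests inside some interval of length `window`.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    offenders = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue              # skip malformed lines instead of crashing the monitor
        q = recent[rec["ip"]]
        q.append(rec["time"])
        while rec["time"] - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            offenders[rec["ip"]] = max(offenders.get(rec["ip"], 0), len(q))
    return offenders


def peak_aggregate_rate(lines, window=WINDOW):
    """Peak number of requests from all sources inside one window.

    A DDoS spreads the flood over many addresses, so every source can stay
    under the per-IP threshold while the server still drowns; compare this
    total against the server's known capacity instead.
    """
    q, peak = deque(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        q.append(rec["time"])
        while rec["time"] - q[0] > window:
            q.popleft()
        peak = max(peak, len(q))
    return peak


def block_rule(ip):
    """Rule a SIEM 'block an IP address' response would push to the firewall (not executed here)."""
    return f"iptables -I INPUT -s {ip} -j DROP"


def alert_message(ip, count, window=WINDOW, threshold=THRESHOLD):
    return (f"ALERT: {ip} sent {count} requests within "
            f"{int(window.total_seconds())}s (threshold {threshold})")


def format_line(ip, when, request, status, size):
    """Render one combined-format line; used only to build the constructed sample."""
    return f'{ip} - - [{when.strftime(TIME_FMT)}] "{request}" {status} {size} "-" "Mozilla/5.0"'


def make_sample_log():
    """Constructed sample log: one flooding source, one ordinary visitor, one junk line."""
    base = datetime(2014, 2, 10, 12, 0, 0, tzinfo=timezone.utc)
    entries = []
    for i in range(120):          # attacker: 120 requests in 6 seconds from one address
        t = base + timedelta(milliseconds=50 * i)
        entries.append((t, format_line("203.0.113.7", t, "GET /index.php HTTP/1.1", 200, 5120)))
    for i in range(5):            # legitimate visitor: five page loads over 8 seconds
        t = base + timedelta(seconds=2 * i)
        entries.append((t, format_line("198.51.100.5", t, "GET /about HTTP/1.1", 200, 2048)))
    entries.append((base + timedelta(seconds=9), "this line is not a valid log record"))
    return [line for _, line in sorted(entries)]


if __name__ == "__main__":
    log = make_sample_log()
    print(f"peak aggregate rate: {peak_aggregate_rate(log)} requests per {int(WINDOW.total_seconds())}s")
    for ip, count in detect_floods(log).items():
        print(alert_message(ip, count))
        print(block_rule(ip))
```

On the constructed sample the flooding address is flagged with 120 requests in the window and the ordinary visitor is not, while the aggregate peak of 125 is what a capacity alarm would key on. The 50-request threshold is deliberately arbitrary: in production it has to come from a baseline of your own traffic, and a per-IP rule alone will miss a flood spread across thousands of sources, which is why the aggregate figure is tracked as well. Blocking should also never be fully automatic against addresses that might be shared (NAT, proxies), or the response itself becomes a denial of service for legitimate users.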