DDoS Attack

What is a DDoS Attack and How to Prevent It?

What is a Denial of Service (DoS) Attack and How to Prevent It?

A Denial of Service (DoS) attack is a malicious attempt to disrupt the availability of a targeted system, such as a website or application, to legitimate end users. Typically, attackers generate large volumes of packets or requests that ultimately overwhelm the target system. In a Distributed Denial of Service (DDoS) attack, the attacker uses multiple compromised or controlled resources to carry out the attack.

Generally, DDoS attacks can be classified based on the layer of the Open Systems Interconnection (OSI) model they target. These are most commonly found in the Network (Layer 3), Transport (Layer 4), Presentation (Layer 6), and Application (Layer 7) layers.


DDoS Attack Classification

When considering mitigation techniques against these attacks, it is helpful to group them into Infrastructure Layer (Layers 3 and 4) and Application Layer (Layers 6 and 7) attacks.

1- Infrastructure Layer Attacks

Attacks at Layers 3 and 4 are typically classified as Infrastructure layer attacks. These are also the most common types of DDoS attacks and include vectors such as synchronization (SYN) floods and reflection attacks that abuse User Datagram Protocol (UDP) based services. These attacks are generally volumetric and aim to overwhelm the capacity of the network or application servers. Fortunately, these types of attacks tend to have clear signatures and are easier to detect.

2- Application Layer Attacks

Attacks at Layers 6 and 7 are generally classified as Application layer attacks. While less common, these attacks tend to be more complex. Compared to Infrastructure layer attacks, they are usually smaller in volume but focus on specific expensive parts of the application, rendering it unusable for legitimate users. Examples include a flood of HTTP requests to a login page, costly search APIs, or WordPress XML-RPC floods (also known as WordPress pingback attacks).


Techniques to Protect Against DDoS Attacks

1- Reduce the Attack Surface

One of the primary techniques for mitigating DDoS attacks is minimizing the attack surface. This limits attackers' options and allows you to concentrate your protection efforts in one place. Do not expose your applications or resources on ports, protocols, or to applications from which they expect no communication. This reduces the number of potential attack points and helps concentrate mitigation efforts. Sometimes this can be done by placing your computing resources behind Content Delivery Networks (CDNs) or Load Balancers and restricting direct Internet traffic to specific parts of your infrastructure, such as database servers. In other cases, you can use firewalls or Access Control Lists (ACLs) to control which traffic reaches your applications.

2- Plan for Scale

To mitigate large-scale volumetric DDoS attacks, two important factors are bandwidth (or transfer) capacity and server capacity to absorb and mitigate attacks.

3- Transit (Bandwidth) Capacity

When designing your application architecture, ensure your hosting provider offers abundant redundant Internet connections to manage high volumes of traffic. Since the main goal of DDoS attacks is to affect the availability of your resources and applications, you should locate them near major Internet exchanges that provide easy access even during high traffic volumes. Additionally, web applications can take a step further by using Content Delivery Networks (CDNs) and intelligent DNS resolution services to deliver content and resolve DNS queries closer to your end users.

4- Server Capacity

Most DDoS attacks are volumetric, consuming excessive resources. Therefore, it is essential to be able to scale your computing resources quickly up or down. This can be achieved by running on larger computing resources or those with enhanced network interfaces or advanced networking features supporting larger volumes. Additionally, using load balancers to continuously monitor load and shift traffic among resources helps prevent overload of any single resource.

5- Know What Normal and Abnormal Traffic Looks Like

Whenever a host receives an elevated level of traffic, the fundamental goal is to accept only as much traffic as the host can handle without affecting availability. This concept is called "rate limiting." More advanced protection techniques go further by intelligently analyzing individual packets and accepting only traffic that is deemed legitimate. To do this, you need to understand the characteristics of the "good traffic" the target usually receives and compare every packet against this baseline.
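The following is an added example, not code from the original article: a per-source sliding-window rate limiter whose threshold is derived from a baseline learned on known-good traffic, run over constructed sample requests (the IP addresses, paths and timestamps are invented for illustration).

```python
from collections import defaultdict, deque

# Constructed sample traffic (not from the page): (milliseconds, client_ip, path).
# 198.51.100.7 and .8 behave like normal users; 203.0.113.10 floods the login page.
NORMAL_TRAFFIC = [(1000 * t, "198.51.100.7", "/") for t in range(10)] + \
                 [(1500 * t, "198.51.100.8", "/search") for t in range(7)]
FLOOD_TRAFFIC = [(50 * k, "203.0.113.10", "/login") for k in range(60)]  # 60 req in 3 s


def baseline_rate(events, window=1000):
    """Peak number of requests one client sent within any `window` ms
    in known-good traffic. This is the 'good traffic' baseline the
    limiter's threshold is derived from."""
    peak = 0
    for ip in {e[1] for e in events}:
        recent = deque()
        for t in sorted(t for t, src, _ in events if src == ip):
            recent.append(t)
            while recent and t - recent[0] > window:
                recent.popleft()
            peak = max(peak, len(recent))
    return peak


class SlidingWindowLimiter:
    """Per-client limiter: accept at most `limit` requests from one
    source within any `window` ms span and drop the rest. Only accepted
    requests count toward the window, so dropped ones do not extend it."""

    def __init__(self, limit, window=1000):
        self.limit, self.window = limit, window
        self.history = defaultdict(deque)  # ip -> accepted timestamps still in window

    def allow(self, t, ip):
        q = self.history[ip]
        while q and t - q[0] > self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(t)
        return True


def apply_limiter(events, limit, window=1000):
    """Replay a stream in time order; return {ip: (accepted, dropped)}."""
    limiter = SlidingWindowLimiter(limit, window)
    stats = defaultdict(lambda: [0, 0])
    for t, ip, _ in sorted(events):
        stats[ip][0 if limiter.allow(t, ip) else 1] += 1
    return {ip: tuple(v) for ip, v in stats.items()}


if __name__ == "__main__":
    limit = 3 * baseline_rate(NORMAL_TRAFFIC)  # headroom above the good-traffic peak
    print(apply_limiter(NORMAL_TRAFFIC + FLOOD_TRAFFIC, limit))
```

With the constructed data the baseline peak is 2 requests per second, so the limit becomes 6; both normal clients pass untouched while the flooding source gets 18 of its 60 requests through and 42 dropped.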

6- Deploy Firewalls for Advanced Application Attacks

Using a Web Application Firewall (WAF) is a good practice for protecting against attacks that exploit vulnerabilities in the application itself, such as SQL injection or cross-site request forgery. Additionally, because of the unique nature of these attacks, you need to be able to easily create customized mitigations against illegitimate requests that may masquerade as legitimate traffic or come from suspicious IPs, unexpected geographic locations, and so on. Sometimes, experienced support is engaged to analyze traffic patterns and create tailored protections, which also helps in mitigating attacks.
