What Is a Denial-of-Service (DoS) Attack?
A denial-of-service (DoS) attack is a cyberattack in which cybercriminals disrupt the service of an internet-connected host to its intended users. This is done by sending the targeted network or server a constant flood of traffic, such as fraudulent requests, which overwhelms the system and prevents it from processing legitimate traffic.
How Does a DoS Attack Work?
In a denial-of-service attack, a hacker uses a program to flood a server with malicious traffic. The requests that make up this traffic appear to come from legitimate users, so the server validates request after request. In effect, “service” is “denied” to legitimate users due to the resulting loss of bandwidth and network resources.
The attacked system or data becomes unavailable to users who need it. DoS attacks are often used for extortion because, for example, a business that can't provide its service to customers can lose revenue and suffer reputational harm. In this sense, DoS is similar to ransomware, but the hostage is the victim's service, rather than their data.
What Is the Difference Between a DoS Attack and a DDoS Attack?
Where a DoS attack comes from only one source, a distributed denial-of-service attack, or DDoS attack, streams fraudulent requests from multiple sources at once. Typically, a perpetrator will leverage a group of internet-connected devices, sometimes on a global scale, to flood the target server, which can overwhelm it much more easily than a DoS attack would.
Such a group of infected computers is called a botnet. Botnets operate in a synchronized manner, awaiting instructions from an attacker at a single IP address to launch a flood attack. These attacks are usually scheduled to begin at a specific time and can last hours or even days.
A server facing a DoS attack can simply close the single connection delivering the attack. DDoS attacks are much more dangerous and difficult to mitigate because the influx of traffic comes from multiple sources at once.
What’s more, bad actors are now using internet of things (IoT) devices to make their botnets even more dangerous by cutting down on manual processes. Namely, they can use IoT devices to make it much easier to synchronize their botnet devices, increasing the effectiveness of their attacks.
What Are Some Historically Significant DoS Attacks?
DDoS attacks are much more common than DoS attacks, mainly because DDoS attacks are so much more difficult to close off, and thus can be carried out for a longer period of time.
Cloud service providers often fall victim to DDoS because of their inherent vulnerability to such threats. Here are a few more recent ones that made headlines:
- Amazon: In February 2020, Amazon suffered one of the largest DDoS attacks ever recorded. Using connectionless lightweight directory access protocol (CLDAP) reflection, attackers hit an AWS customer at a rate of 3.3 terabytes per second for three days.
- GitHub: In February 2018, attackers blasted 1.35 terabytes per second into GitHub servers for 20 minutes. "Tens of thousands of unique endpoints” harbored “over a thousand different autonomous systems” that launched the attack.
- Google: In October 2020, Google suffered a six-month-long UDP amplification attack that was mounted on three Chinese internet service providers (ISPs), sending more than 2.5 terabytes per second of junk data to Google servers.
How Can You Identify a DoS Attack?
Infrastructure providers tend not to filter route advertisements, which tell routers how to reach one place on the internet from another. More importantly, they also tend not to filter packets to verify the traffic’s source address. These two conditions make it easy for bad actors to send attack traffic to a target.
Attackers are generally motivated by three things: hostility toward the target, extortion, and a desire to pickpocket someone while service is being denied to them. While there is no early warning sign of a DoS attack, a savvy security professional can detect traffic a malicious actor is sending to determine whether you’re a viable target or not.
The actors will send out a large number of requests, such as to different parts of a website, to see if the web servers are vulnerable to a DoS attack. These early web “tremors” are a sign that your organization may come under attack.
With proper network security monitoring in place, your cybersecurity team can analyze network traffic and uncover patterns across packets that are clear-cut signs of attack. To identify whether you’re under attack in real time, you need to observe the metadata from your routers and switches—a task more easily done with a quality monitoring tool.
Types of DoS Attacks
There are four main types of DoS attacks that aim to exploit or extort your systems and data:
- Browser redirection: A user requests a page to load, but a hacker redirects the user to another, malicious page.
- Connection closure: A bad actor closes an open port, denying a user access to a database.
- Data destruction: A hacker deletes files, so a request for that file returns a “resource not found” error; or, if an application contains a vulnerability that leaves it open to injection attacks, the bad actor can deny service by dropping the database table.
- Resource exhaustion: A bad actor repeatedly requests access to a particular resource, for example by reloading the same page over and over, overloading the web application until it slows down or crashes.
Types of DDoS Attacks
Here are some specific DDoS attack examples to remember:
- SYN flood: An attacker exploits the TCP three-way handshake (SYN, SYN-ACK, ACK) by sending a large number of SYN packets and never completing the handshake, leaving half-open connections that consume the resources of the targeted system.
- Spoofing: An attacker impersonates a user or device and, after gaining trust, uses spoofed packets to launch a cyberattack.
- Domain name system (DNS) flood: Also known as a DNS amplification attack, an attacker disrupts DNS resolution of a given domain name by flooding its servers.
- Internet control message protocol (ICMP) flood: Also known as a ping flood, an attacker forges a source IP and creates a “smurf” attack. This method can also be used to send a “ping of death,” wherein an oversized packet causes a buffer overflow.
- User datagram protocol (UDP) flood: An attacker floods random ports on its target, which then consumes resources checking each port for a listening application and responding with “destination unreachable” packets.
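As an added example that is not part of the original article, the detector below applies the traffic-pattern analysis described under “How Can You Identify a DoS Attack?” to the flood types just listed: it buckets packet-summary log lines into one-second windows, labels a flood from one address as DoS and one from many addresses as DDoS, and tags windows dominated by unanswered SYNs as a SYN flood. The log format, the thresholds and the sample traffic are all constructed assumptions, not figures from the article.

```python
from collections import defaultdict

def parse_line(line):
    """Parse '<seconds> <src_ip> <dst_ip> <tcp_flags>'; return None for junk."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, src, dst, flags = parts
    return float(ts), src, dst, flags.upper()

def classify(lines, window=1.0, rate=100, min_sources=10, syn_ratio=0.8):
    """Bucket packets into time windows and label each one.

    A window whose packet count exceeds `rate` is a flood: from fewer than
    `min_sources` distinct addresses it is labelled DoS, otherwise DDoS.
    If SYNs make up at least `syn_ratio` of a flood window, the handshake is
    not being completed, so the window is also tagged as a SYN flood.
    Thresholds are assumed values for the demo, not tuned production figures.
    """
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            buckets[int(rec[0] // window)].append(rec)
    report = []
    for idx in sorted(buckets):
        pkts = buckets[idx]
        sources = {src for _, src, _, _ in pkts}
        ratio = sum(1 for *_, f in pkts if f == "SYN") / len(pkts)
        if len(pkts) <= rate:
            verdict = "normal"
        elif len(sources) >= min_sources:
            verdict = "DDoS (multiple sources)"
        else:
            verdict = "DoS (single source)"
        if verdict != "normal" and ratio >= syn_ratio:
            verdict += " / SYN flood"
        report.append({"window": idx, "packets": len(pkts), "sources": len(sources),
                       "syn_ratio": round(ratio, 2), "verdict": verdict})
    return report

def constructed_log():
    """Constructed sample traffic (not a real capture): one normal window,
    one single-source SYN flood, one SYN flood from 150 spoofed sources."""
    lines = []
    for i in range(5):  # window 0: five clients complete the handshake
        lines.append(f"0.{i}0 192.0.2.{i + 1} 203.0.113.10 SYN")
        lines.append(f"0.{i}5 192.0.2.{i + 1} 203.0.113.10 ACK")
    for i in range(200):  # window 1: 200 SYNs from one address, no ACKs
        lines.append(f"{1 + i * 0.004:.3f} 198.51.100.7 203.0.113.10 SYN")
    for i in range(300):  # window 2: 300 SYNs spread over 150 addresses
        lines.append(f"{2 + i * 0.003:.3f} 198.51.100.{i % 150 + 1} 203.0.113.10 SYN")
    return lines

if __name__ == "__main__":
    for row in classify(constructed_log()):
        print(row)
```

In practice the same logic would run over flow records exported by your routers and switches rather than a hand-built list, with thresholds set from a baseline of your own normal traffic.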
Preventing a DoS Attack
DoS or DDoS attacks could strike at any time, but with proper best practices in place, you can ensure your organization has all the necessary tools and protocols for strong defense.
Here are five ways to prevent a DoS attack:
- Create a DoS response plan. Go over your system and identify any potential security flaws, vulnerabilities, or gaps in posture. Outline a plan of response in the event of an attack.
- Secure your infrastructure. Effective cloud-based firewalling, traffic monitoring, and threat intelligence solutions greatly increase your chances of fending off DoS attacks.
- Understand warning signs. Look for suspicious drops in network performance, website downtime, or a sudden increase in spam. All of these require immediate action.
- Adopt cloud-based services. Cloud resources give you more bandwidth than on-premises ones, and because your servers aren’t all in the same locations, bad actors will have a harder time targeting you.
- Monitor for unusual activity. This will allow your security team to detect and mitigate a DoS or DDoS attack in real time.
In the next section, we’ll cover ways you can reduce the risk of DoS and DDoS attacks altogether.
How Can You Reduce the Risk of a DoS Attack?
Poor security posture and visibility can open the door not only for DoS and DDoS attacks, but also other threats such as malware, ransomware, spear phishing, and more. To keep your organization secure and maximize your chances of effective DoS and DDoS mitigation, you need proper DoS and DDoS protection. Here are some ways you can lower your chances of getting “DoS’d” or “DDoS’d”:
- Get your security from the cloud. Cloud-delivered security allows you to extend policy across all your users—wherever they are, and whatever their device—and gives you complete visibility over your environment. Plus, with automatic updates and no need to manually patch or tune, you’re always ready to defend against the latest threats.
- Adopt extended detection and response (XDR). XDR is an evolution of endpoint detection and response (EDR) that gives you threat visibility at the endpoint as well as insight into potential data and cloud risks—all with holistic threat intelligence included. This will stem the tide of false positives a security team normally experiences, freeing them up to be more productive.
- Consider a security operations center (SOC). A cloud-managed SOC allows you to cover bases that your security team may not have the bandwidth to. Namely, provisioning of cloud policy, threat detection and response, data protection, and even compliance, in some cases. Like XDR, a managed SOC gives you and your team the freedom to focus on more pressing matters.
- Implement a zero trust architecture. According to Gartner, at least 70% of new remote access deployments will be served mainly by ZTNA instead of VPN services by 2025—up from less than 10% at the end of 2021. This is because zero trust security only grants access based on context (i.e., user, device, location, and application), ensuring bad actors are kept out under all circumstances.
When it comes to zero trust, only one vendor delivers zero trust that’s born in the cloud. As it happens, it’s the same vendor that partners with the best XDR architects so you can detect threats across all your endpoints, clouds, and data. That vendor is Zscaler.
How Zscaler Can Help
Zscaler is the only security service provider with a platform strong enough to defend against today’s latest threats, including DoS and DDoS attacks. Zscaler Private Access™ (ZPA™) is part of the Zscaler Zero Trust Exchange™, the world’s top-rated and most deployed security service edge (SSE) platform.
ZPA’s unique design is based on four key tenets:
- Connect users to applications without placing users on the network
- Never expose applications to unauthorized users
- Enable app segmentation without network segmentation
- Provide secure remote access without using VPN appliances
ZPA provides a simple, secure, and effective way to access internal applications. Access is based on policies created by the IT admin within the ZPA Admin Portal and hosted within the Zscaler cloud. On each user device, our Zscaler Client Connector is installed, which ensures the user’s device posture and extends a secure microtunnel out to the Zscaler cloud when a user attempts to access an internal application.
Adjacent to an application running in a public cloud or data center, ZPA places our App Connector, deployed as a VM, which is used to extend a microtunnel out to the Zscaler cloud. The Z-Connector establishes an outbound connection to the cloud and doesn’t receive any inbound connection requests, thereby preventing DDoS attacks.
Within the Zscaler cloud, a cloud access security broker, or CASB, approves access and stitches together the user-to-application connection. ZPA is 100% software-defined, so it requires no appliances and allows users to benefit from the cloud and mobility while maintaining the security of their applications—benefits unachievable with legacy, on-premises firewalls.
Learn more about how ZPA improves your security posture and keeps your users from falling victim to all the latest cyberattacks, including DoS and DDoS.