Denial of Service Attacks

From SI410
Revision as of 18:57, 6 February 2023 by Nadavo (Talk | contribs)


Denial of Service (DOS) attacks are a type of cyberattack in which attackers attempt to overwhelm a server with traffic so that it cannot provide services to ordinary users [1]. Many modern DOS attacks are launched by a network of decentralized devices; these attacks are known as Distributed Denial of Service (DDOS) attacks. DOS attacks have been documented since 1996 and can be conducted by taking advantage of vulnerabilities in any part of the network stack. Due to the rising number of DDOS attacks in recent years, many methods and products have been created to try to prevent them. The motivations for DOS attacks have been varied, including political activism and intimidation, financial blackmail, and acts of revenge [2].

Technical Background

Networked computer systems communicate using a series of protocols that are stacked on top of each other [3]. The lowest layers (the physical and link layers) handle moving data to the next hop on the way to its destination, while the layer above them, the IP layer, contains protocols that move data between different networks. The two highest layers are the transport and application layers, which respectively make sure that the two communicating machines have a reliable connection and carry the actual intended data. While originally there were no guarantees of confidentiality, integrity, or authenticity at any layer of the stack, over time protocols such as HTTPS/TLS were developed to encrypt and protect the upper layers, while the lower layers remain unencrypted [3]. DOS attacks can be launched against each of these layers, depending on where system vulnerabilities lie. A summary of some common attack techniques is given below [4].

SYN Flood and TCP-Oriented Attacks

The earliest documented DOS attack happened in 1996 against the Internet Service Provider (ISP) Panix [5]. The attack method used, known as a SYN flood, took advantage of a feature of the Transmission Control Protocol (TCP), a common transport-layer protocol, to crash a server by filling up its memory. All TCP connections between two hosts begin with a three-part handshake: the client first sends an initial “SYN” message to initiate a connection with the server, the server acknowledges that it has received the request by sending back an “ACK” message, and the client then acknowledges the server's response by sending a “SYN/ACK” message to the server [3]. This requires the server to maintain state information about each client so that it knows that any client sending a “SYN/ACK” message did first send a “SYN” message. The Panix attackers exploited this by sending large numbers of SYN messages to the ISP's servers without ever sending back the SYN/ACKs, causing the Panix servers' memory to fill up with state information about each of the attacking machines and preventing them from providing service to actual users [4].

This specific type of attack was defeated by measures such as storing the state information in an encrypted client-side cookie instead of on the server, but other types of DOS attacks that exploit TCP, such as smurfing and slowloris attacks, still exist today [4].
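The following simulation is an added illustration for this section; it is not code from the page or from any of its sources, and it sends no packets. It models a server's half-open connection table filling up under a flood of initial SYNs that are never followed by the message that completes the handshake, and contrasts that with the stateless cookie approach the page mentions, here written as a simplified SYN-cookie scheme in which the server's sequence number is an HMAC over the client's address, port and a coarse timestamp, so no per-client state is kept until the handshake completes. The class names, the table size and the sample scenario are assumptions made for this example.

```python
"""Toy model of a SYN flood against a stateful server versus a
stateless (cookie-based) server. Everything here is simulated in plain
Python; no network traffic is generated."""
import hashlib
import hmac
import secrets
import time

BACKLOG_LIMIT = 128  # assumed size of the half-open table (not from the page)


class HalfOpenServer:
    """Stateful server: keeps an entry for every client that sent a SYN
    until that client completes the handshake, so memory grows with SYNs."""

    def __init__(self, limit=BACKLOG_LIMIT):
        self.limit = limit
        self.half_open = {}  # (src_ip, src_port) -> server sequence number

    def on_syn(self, src_ip, src_port, now=None):
        """Return the sequence number sent back, or None if the table is
        full and the SYN had to be dropped (a legitimate client is refused)."""
        if len(self.half_open) >= self.limit:
            return None
        seq = secrets.randbits(32)
        self.half_open[(src_ip, src_port)] = seq
        return seq

    def on_handshake_completion(self, src_ip, src_port, echoed_seq, now=None):
        """Accept only clients whose SYN we remembered and whose echoed
        sequence number matches; free the table entry on success."""
        if self.half_open.get((src_ip, src_port)) != echoed_seq:
            return False
        del self.half_open[(src_ip, src_port)]
        return True


class CookieServer:
    """Stateless server: the sequence number itself is the 'cookie', so a
    flood of unanswered SYNs consumes no table entries at all."""

    def __init__(self, key=None):
        self.key = key or secrets.token_bytes(16)  # secret known only to the server
        self.established = set()

    def _cookie(self, src_ip, src_port, minute):
        msg = f"{src_ip}:{src_port}:{minute}".encode()
        tag = hmac.new(self.key, msg, hashlib.sha256).digest()
        return int.from_bytes(tag[:4], "big")  # fits a 32-bit sequence number

    def on_syn(self, src_ip, src_port, now=None):
        """Compute and return the cookie; deliberately store nothing."""
        minute = int((time.time() if now is None else now) // 60)
        return self._cookie(src_ip, src_port, minute)

    def on_handshake_completion(self, src_ip, src_port, echoed_seq, now=None):
        """Recompute the cookie for the current and previous minute; only a
        client that really received our reply can echo a matching value."""
        minute = int((time.time() if now is None else now) // 60)
        for m in (minute, minute - 1):
            if self._cookie(src_ip, src_port, m) == echoed_seq:
                self.established.add((src_ip, src_port))
                return True
        return False


def simulate(server, flood_syns, legit_clients, now=1_000_000.0):
    """Constructed scenario: `flood_syns` SYNs from sources that never
    complete the handshake, then `legit_clients` real clients that do.
    Returns how many real clients obtained a connection."""
    for i in range(flood_syns):
        # Constructed attacker sources (TEST-NET-3 range) that never reply.
        server.on_syn(f"203.0.113.{i % 256}", 40000 + i, now=now)
    served = 0
    for i in range(legit_clients):
        ip, port = "198.51.100.7", 50000 + i  # constructed legitimate client
        seq = server.on_syn(ip, port, now=now)
        if seq is not None and server.on_handshake_completion(ip, port, seq, now=now):
            served += 1
    return served


if __name__ == "__main__":
    print("stateful server, 1000-SYN flood:", simulate(HalfOpenServer(), 1000, 10), "of 10 served")
    print("cookie server,   1000-SYN flood:", simulate(CookieServer(), 1000, 10), "of 10 served")
```

With a 1000-SYN flood the stateful server's table is full after 128 entries and every later legitimate client is refused, while the cookie server serves all of them because the flood left nothing behind to exhaust. The simplification to keep in mind is that real SYN cookies have to squeeze the cookie into the sequence number field, so a server that falls back to cookies loses the TCP options it would otherwise have remembered from the original SYN; that is why operating systems enable them only once the backlog is under pressure rather than all the time.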

DNS and UDP-based attacks

Another method used to conduct DOS attacks is based on protocols that use the transport-layer User Datagram Protocol (UDP), an unsecured protocol used for sending one-time messages or messages that do not require an ordered and reliable connection.

Preventing Attacks

CDNs

One way to prevent DOS attacks is for websites to use Content Delivery Networks (CDNs) or cloud providers to host their sites instead of running a server on-premises. Several notable CDNs include Cloudflare, Akamai, and Amazon CloudFront [6]. CDNs have an easier time defending against DDOS attacks than small web servers because they host large amounts of content across multiple data centers per geographic region, so a much larger amount of traffic is required to shut down a server [4]. In addition to providing DDOS protection, CDNs offer other services for websites, such as automatic load balancing and faster connection times and download speeds for customers located far from where the company's servers would otherwise be [6].

While hosting content on a CDN can be a considerable expense, some CDNs such as Google Project Shield have been established to provide free DDOS protection for sites seen as vulnerable, such as those of human rights groups, news media, and election results [7]. Cloudflare's Project Galileo provides similar free services, including to COVID-19 vaccination scheduling sites [8]. On the other hand, CDNs have faced criticism for their actions, or lack thereof, against controversial websites. Cloudflare has admitted to providing services to websites owned by groups designated as terrorist organizations by the US Government, as well as to drug traffickers [9]. It also provided services for the neo-Nazi website the Daily Stormer and the online forum 8chan, which was notorious for hate speech, although it dropped these sites as customers following the 2018 New Zealand Mosque Attack and the 2019 El Paso shooting, abandoning its previous stance against censoring or dropping any website because of the political nature of its content [10].


Proof of Work Systems


Notable Incidents

Over the years, there have been several notable incidents involving DOS attacks that have had legal, ethical, and diplomatic implications.

2002 New Hampshire election TDOS

During the 2002 US Senate election in New Hampshire between Democrat Jeanne Shaheen and Republican John Sununu, several state and national GOP officials hired a telemarketing company to overload the Democratic voter turnout hotline with spam calls, making it effectively useless for its intended purpose. Sununu ended up winning the election by a close margin, but after a Justice Department investigation, Republican officials James Tobin, Allen Raymond, and Charles McGee were convicted of telephone harassment and sentenced to prison in what became known as the “phonegate” scandal [11]. Since this attack took down a telephone network rather than a computer network, it is an example of a TDOS (Telephony Denial of Service) attack [12], and it was an early example of the potential harm that DOS attacks could cause to the public sphere.

Great Cannon

Mirai Botnet

Gaming DDOSAAS

  1. Understanding Denial of Service Attacks. CISA. (n.d.). Retrieved January 26, 2023, from https://www.cisa.gov/uscert/ncas/tips/ST04-015
  2. Denial of service (DOS) guidance. NCSC. (n.d.). Retrieved January 26, 2023, from https://www.ncsc.gov.uk/collection/denial-service-dos-guidance-collection
  3. Halderman, J. A., & Ensafi, R. (n.d.). Networking 101 [Class handout]. University of Michigan, EECS 388.
  4. Halderman, J. A., & Ensafi, R. (n.d.). Networking Attacks and Defenses [Class handout]. University of Michigan, EECS 388.
  5. Calem, R. (1996, September 14). New York's Panix Service Is Crippled by Hacker Attack. The New York Times. Retrieved January 26, 2023, from https://archive.nytimes.com/www.nytimes.com/library/cyber/week/0914panix.html
  6. CDN. MDN Web Docs Glossary: Definitions of Web-related terms. (n.d.). Retrieved January 26, 2023, from https://developer.mozilla.org/en-US/docs/Glossary/CDN
  7. Google. (n.d.). Project Shield - FAQ. Retrieved January 26, 2023, from https://projectshield.withgoogle.com/faq
  8. Project Galileo. Cloudflare. (n.d.). Retrieved January 26, 2023, from https://www.cloudflare.com/galileo/
  9. Bort, J. (2019, September 11). Cloudflare, the next big cybersecurity IPO company, says it may have violated US law by doing business with terrorists and narcotics traffickers. Business Insider. Retrieved January 26, 2023, from https://www.businessinsider.com/cloudflare-us-law-terrorists-narcotics-traffickers-2019-9
  10. Prince, M. (2019, August 5). Terminating service for 8chan. The Cloudflare Blog. Retrieved January 26, 2023, from https://blog.cloudflare.com/terminating-service-for-8chan/
  11. Overby, P. (2006, May 11). Phonegate: Jamming Democrats' campaign efforts. NPR. Retrieved January 26, 2023, from https://www.npr.org/templates/story/story.php?storyId=5399282
  12. MS-ISAC security primer: Telephony denial of service attacks. (n.d.). Retrieved January 26, 2023, from https://www.cisecurity.org/wp-content/uploads/2015/08/Security-Primer-TDOS.pdf