Every now and then – something goes wrong. Such is the nature of engineering and the best laid plans. Sometimes there is a spanner in the works, sometimes someone has placed many spanners in many works – such is the world we live in. Thankfully we are here to make sure we recover from this as quickly and as painlessly as possible. In this article I am going to give an overview of a phrase you will hear from time to time – Denial of Service (DoS): what it is, the types, why it happens, and what we can do about it.
What is a DoS?
A Denial of Service is a scenario, malicious or otherwise, in which it is impossible or impractical to deliver a service. This can involve a network connection, a router, or a service – and may in fact affect all three. In each case the scenario occurs when a resource, or resources, are consumed to the point of being unable to operate.
A Denial of Service and a Distributed Denial of Service (DDoS) differ in their source: the latter comes from many points at once. This is the big kind of *MANY* as opposed to the small kind – so many sources that it becomes impractical to tell what is meant to be there and what is not. DDoS attacks are nearly always malicious.
Types of Attack
Hugely generalising, the types of attack we most commonly see fall into the following broad-brush categories. They can be used in combination, or one can be used as the vehicle for another.
Flooding
Saturating the network or routers is one approach. Bandwidth is what most of us are used to thinking of in terms of limits – but there is also the number of packets per second that the hardware involved can deal with. It is usually easier to saturate or flood a network with packets per second than it is with physical bandwidth. The picture below shows normal activity on a port, and then the packets per second becoming saturated (the flat top of the graph). In this case a mitigation device has blocked the attack traffic (shown in red; genuine traffic in green).
POST Attacks
Where a site, sites, or a server have their resources chipped away by remote hosts POSTing to your site. It is almost irrelevant whether the requests are to valid pages or resources, as each one has to be serviced before the server can find out whether it is.
GET Attacks
Where a site, sites, or a server have their resources chipped away by remote hosts GETting content – be that large images or downloads.
R-U-Dead-Yet?
Surprisingly common these days are RUDY attacks, such as the PushDo and SlowLoris types. These are far more subtle – rather than exhausting resources by uploading or downloading, these attacks open connections to the service and then speak very slowly indeed, so each session is held open until the service has no sessions left.
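As an added illustration (not code from the original article), the following Python flags the slow-drip sessions described above by checking, after a grace period, whether a client is still feeding its request body at a tiny byte rate, and reports how much of a fixed-size session pool they hold. The connection snapshot, pool size and thresholds are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class Conn:
    """One open request as a monitoring hook might report it (constructed)."""
    client: str
    opened_at: float       # seconds since epoch
    bytes_received: int    # request bytes received so far
    body_declared: int     # Content-Length the client announced


def is_slow_session(conn: Conn, now: float, min_bps: float = 100.0,
                    grace: float = 10.0) -> bool:
    """A session is 'slow' when, after a grace period, the client is still
    feeding its request body well below a minimal byte rate."""
    age = now - conn.opened_at
    if age < grace:
        return False                     # too young to judge
    unfinished = conn.bytes_received < conn.body_declared
    return unfinished and conn.bytes_received / age < min_bps


def session_pool_report(conns, now: float, pool_size: int, **kw) -> dict:
    """Summarise pressure on a fixed-size session pool."""
    slow = [c for c in conns if is_slow_session(c, now, **kw)]
    return {
        "open": len(conns),
        "free": pool_size - len(conns),
        "slow": len(slow),
        "slow_per_client": dict(Counter(c.client for c in slow)),
    }


# Constructed snapshot, not real server data; addresses are RFC 5737 documentation ranges.
NOW = 1_000_000.0
SAMPLE = [
    Conn("203.0.113.7", NOW - 120, 80, 100_000),           # 80 bytes in two minutes
    Conn("203.0.113.7", NOW - 118, 75, 100_000),
    Conn("203.0.113.7", NOW - 115, 90, 100_000),
    Conn("198.51.100.2", NOW - 5, 40, 100_000),            # just opened: inside grace period
    Conn("198.51.100.3", NOW - 30, 2_000_000, 5_000_000),  # healthy upload in progress
]

if __name__ == "__main__":
    print(session_pool_report(SAMPLE, NOW, pool_size=10))
```

Web servers expose the same idea as configuration (for example nginx's client_body_timeout and client_header_timeout), which is the usual first line of defence against this class of attack.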
Amplification Attacks
Where a resource is used to make an attack on another party hurt more. An Amplification or Reflection attack is usually carried out over services that use UDP, so that the source address can be spoofed (pretending to be someone else). A small request is made for a resource that will produce a large answer, and that large answer goes back to the address the request pretended to come from. This impacts the sender a little and the receiver a lot.
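As an added example (not from the original article), this Python looks at per-remote flow summaries for one of your own UDP services and flags remotes that received far more bytes from you than they sent, which is the signature of your server being used as the reflector; under the spoofing described above, that "remote" is the real victim. The flow records, port number and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed per-remote flow summaries for one of our UDP services, not real
# collector output. Fields: direction relative to us, protocol, remote address,
# local port, bytes, packets. Addresses are RFC 5737 documentation ranges.
FLOWS = [
    ("in",  "udp", "198.51.100.9", 4000,   600, 10),   # ten tiny requests ...
    ("out", "udp", "198.51.100.9", 4000, 30000, 10),   # ... ten large answers (50x)
    ("in",  "udp", "192.0.2.44",   4000,   700, 12),
    ("out", "udp", "192.0.2.44",   4000,  1400, 12),   # ordinary 2x exchange
    ("in",  "tcp", "192.0.2.44",     80,  5000, 40),
    ("out", "tcp", "192.0.2.44",     80, 90000, 80),   # TCP handshake rules out spoofing; ignored
]


def amplification_by_remote(flows, proto="udp"):
    """Return {(remote, local_port): (in_bytes, out_bytes, factor)} for one protocol.
    Remotes that never sent a request are dropped: there is nothing to compare."""
    in_b, out_b = defaultdict(int), defaultdict(int)
    for direction, p, remote, port, nbytes, _pkts in flows:
        if p != proto:
            continue
        (in_b if direction == "in" else out_b)[(remote, port)] += nbytes
    return {k: (in_b[k], out_b[k], out_b[k] / in_b[k]) for k in out_b if in_b[k]}


def suspected_reflection(flows, factor=10.0, min_out_bytes=10_000):
    """Remotes that received far more from us than they sent, above a volume floor.
    The defensive action is rate-limiting or filtering our own responses."""
    hits = []
    for (remote, port), (in_bytes, out_bytes, f) in amplification_by_remote(flows).items():
        if f >= factor and out_bytes >= min_out_bytes:
            hits.append({"victim": remote, "local_port": port,
                         "factor": round(f, 1), "out_bytes": out_bytes})
    return sorted(hits, key=lambda h: h["out_bytes"], reverse=True)


if __name__ == "__main__":
    for hit in suspected_reflection(FLOWS):
        print(hit)
```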
Unintentional Events
It is possible to create a situation where a denial of service is caused in error – such as network loops or autoresponder wars.
Why?
In short this comes down to three things.
Take Down
The goal is to take the resource, resources, related resources or network offline. These attacks will usually go on for 24 hours or more.
Distraction
Drawing attention to one location with a blunt weapon while a more precise attack is going on elsewhere.
“Because I can”
Because someone has found a new toy, and they are looking for means to test it.
What does Hosting UK do about it?
Monitoring, diagnosis, and mitigation.
Any incident response starts with knowing that an issue is occurring – so monitoring is key.
Diagnosis – engineering staff from systems and networks will take steps to reduce the impact or neuter any given attack – even if that means taking the target offline for the greater good.
Mitigation – specialist (and rather expensive!) hardware that looks for patterns in larger attacks, and then works to block those – leaving genuine traffic to pass through (see image above).
The biggest issue with this kind of attack is collateral damage. Our priority is to minimise this. Network segments and machines are returned to full health as quickly as possible.
What can I do about it?
Attacks and tools need to live somewhere. It may come as no surprise that the perpetrators are not likely to perform these attacks from their own machines. As such, yours is as good as any.
Keeping your code patched and up-to-date, and access and accounts locked down, is the first step to reducing the chances of your involvement.
Use of CDNs means that content can be distributed around the globe, so attacks that involve pulling data from the website are less likely to be effective.
Some sites find themselves targets. This is usually sadly down to racial, political or religious motivation. In such extreme cases, it may be necessary to engage a full time mitigation service.
In conclusion
When an interruption or outage is described as being caused by a Denial of Service – it is fair to assume this has involved a large amount of work from network and systems engineers in diagnosing and mitigating the attack. It is also not uncommon for the attack to continue for hours if not days after the service has been returned to normal.
While this interruption may have been an inconvenience, a larger plan and pre-prepared resources have been pulled into place behind the scenes to protect you, your resources, and the ability of that hardware to deliver services to you as quickly as possible.
Working together to patch vulnerabilities and mitigate ongoing attacks, we can reduce future impacts to our network and services.
NB. As usual this comes with the caveat of an overview and is not intended to be some great work of pedantic accuracy or reference.