Denial of Service
What is a Denial of Service (DoS)?
Denial of service (DoS) attacks target, and attempt to fully
consume, limited system resources. As with other systems, websites are
potentially vulnerable. DoS attacks can be used to render a system completely
inaccessible, to selectively deny access to particular parts of the system, or
to prevent particular users from gaining access.
What makes a site vulnerable to denial of service attacks?
Website denial of service attacks are possible when a service
provided by the website uses up a resource of which there is a limited supply. The
attacker can deny other users access to the service by causing the website to
use up all of the resource to service the attacker’s requests. The result is
that there are insufficient resources left to service the legitimate user
requests. The types of resources required by services include time, money,
internet bandwidth, CPU time, database connections, etc. In a recursive request
DoS attack the attacker requests a URL which causes the site to repeat the
request, ad infinitum, maxing out the permitted connections.
Impact of the attack
Denial-of-service attacks prevent legitimate users from accessing
parts of a website. Their impact varies according to how many users are
affected, for how long and how much of the site is affected. A mild DoS attack
may block a user from accessing his account until he calls support and has his
password reset. A severe DoS attack may bring down the entire site for an
extended period of time, preventing any access to it whatsoever. From the
website owner’s point of view, the main impact may be a loss of revenue or
influence for the time during which the site is down.
Example of a denial of service attack
An example of a denial of service attack can occur when a website
allows its users to upload images to the website. Since websites only have a
limited amount of space to store data, if it is filled the site will no longer
be able to allow image uploads. The attacker can exploit this by uploading very
many, or very large images to the website to fill up all available space. Once
this has been achieved, no other user will be able to use the website’s image
upload facility.
Distributed denial of service attacks
A variation on the standard DoS attack is DDoS, or distributed
denial of service. In a DDoS attack the attack originates not from a single
source but from many. These sources are typically coordinated. This introduces
two additional problems for the target website. First, due to the increase in
the number of systems involved in the attack, there will be more requests and
the resources will be exhausted more easily. Second, because the requests
originate from many different sources it will be harder to distinguish
legitimate requests from malicious ones.
Preventing denial of service attacks
It can be difficult to fully prevent denial of service attacks, but
there are some strategies which can help. The website can attempt to identify
malicious requests and refuse to carry them out. For example, thousands of
requests coming from the same user in the space of a couple of seconds may be a
good indicator of a possible attack, if this is unusual behaviour for your
users. The website can also attempt to control DoS attacks by assigning user
quotas. Each user may be given access to a limited portion of the disk space
available for uploads, for instance.
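
The two controls described above, sketched as an added example (not code from the original page): a per-user sliding-window request limit and a per-user upload quota. The class name RequestGuard, the thresholds and the in-memory, single-process storage are assumptions made for illustration.

```python
import time
from collections import defaultdict, deque


class RequestGuard:
    """Per-user sliding-window rate limit plus per-user upload quota (hypothetical helper)."""

    def __init__(self, max_requests, window_seconds, quota_bytes, clock=time.monotonic):
        self.max_requests = max_requests
        self.window = window_seconds
        self.quota_bytes = quota_bytes
        self.clock = clock  # injectable so the logic can be checked deterministically
        self._hits = defaultdict(deque)  # user -> timestamps of accepted requests
        self._used = defaultdict(int)    # user -> bytes already stored

    def allow_request(self, user):
        """Return True if the user is still under the request-rate threshold."""
        now = self.clock()
        hits = self._hits[user]
        # Drop timestamps that have fallen out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.max_requests:
            return False  # refuse; rejected requests are not recorded
        hits.append(now)
        return True

    def allow_upload(self, user, size_bytes):
        """Return True and reserve space if the upload fits the user's quota."""
        if size_bytes < 0:
            raise ValueError("size_bytes must be non-negative")
        if self._used[user] + size_bytes > self.quota_bytes:
            return False  # this user's share is full; other users are unaffected
        self._used[user] += size_bytes
        return True


def demo():
    """Constructed scenario: 3 requests per 2 seconds, 1000-byte quota per user."""
    fake_now = [0.0]
    guard = RequestGuard(3, 2.0, 1000, clock=lambda: fake_now[0])
    burst = [guard.allow_request("alice") for _ in range(5)]
    fake_now[0] = 2.5  # the window has passed, so alice may send again
    after_wait = guard.allow_request("alice")
    uploads = [guard.allow_upload("alice", 600), guard.allow_upload("alice", 600),
               guard.allow_upload("bob", 600)]
    return burst, after_wait, uploads
```

The size passed to allow_upload should be the byte count the server actually received, not a value declared by the client.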