Denying Denial of Service (What is DOS?)
What is DoS?
Have you ever been to the gym, had plans of hitting a killer arm day, only to find the dumbbell rack empty? Instead, there's that one guy in the corner, sitting on his phone with 10 sets of dumbbells at his feet. You know the "it's for my superset" bro? In a weird analogous way, a DoS attack is similar to that. DoS stands for denial of service. It's an attack focused on flooding a target with enough malicious traffic to crash or congest an application, service, or server to deny any legitimate traffic – hence the name, denial of service.
You might ask yourself, why would anyone want to perform a DoS attack? Think about what could be gained from blocking access to a resource. Maybe an attacker is a hacktivist and doesn't want people to interact with a company. Maybe it's sabotage from a competitor. Maybe it's to hold a service hostage for ransom. Or maybe, it's a distraction from the real attack. Regardless of the reason, it's an effective and dangerous method for a target to lose time, money, and trust.
Real World Example:
"Following Russia's invasion of Ukraine on 24 February 2022, likely Russian threat actors conducted several disruptive and destructive computer network attacks against Ukrainian targets, including Distributed Denial of Service (DDoS) attacks and the deployment of wiper malware against various sectors, including government, financial, and energy."
Types of DoS attacks
The number of ways to perform a DoS attack is outside the scope of this article. For now, let's just cover the high-level overview of DoS and how it works.
At the most basic level, there are two ways to achieve what is considered a DoS attack: crash the system or flood the system. Attacks that crash the system do so by exhausting its resources (disk, RAM, or CPU) until it all comes crashing down. Attacks that flood the system fight a battle of bandwidth, using up every available connection on the target so nothing else can get through.
This can be done using a single machine, which is a standard DoS attack, or by using a network of devices controlled by the attacker – known as a botnet. When a botnet is involved, it's considered a DDoS attack: distributed denial of service. Whether it's DoS or DDoS, the attack will fall under one or more of these 3 categories:
- Application Layer attack
An application layer attack – also known as a Layer 7 attack, referencing layer 7 of the OSI model – works by exhausting server resources with requests that appear legitimate on the surface. This is done by bombarding the server with requests to endpoints that trigger heavy server-side processing, things like database queries, validation checks, and complex calculations. Individually, these requests look normal. At scale, they overwhelm the server.
An example of an application layer attack is an HTTP Flood. This is the method used in the DoS simulation of the Network Analyst lab.
- Protocol attack (Network)
A protocol attack is designed to abuse the limitations of network protocols that operate on layers 3 and 4 of the OSI model. Every networking device – servers, firewalls, load balancers – can only manage a limited number of connections at any given time. Protocol attacks aim to exhaust those connection resources, blocking any new legitimate traffic from getting through.
A classic example is the SYN flood attack. In the transport layer (layer 4 of the OSI model), TCP is used to create reliable connections on the network. TCP relies on a 3-way handshake – the host sends a SYN packet to open a connection, the server responds with a SYN-ACK to accept and acknowledge, and the host sends a final ACK to complete the handshake. Here's the key: when the server sends that SYN-ACK, it allocates resources and holds a spot open while it waits for the final ACK. In a SYN flood, the attacker sends a massive wave of SYN packets and never completes the handshake. The server is left holding all those half-open connections until they time out – and if enough pile up, no new connections can be made.
Signs of this specific attack include a spike in half-open connections on the target.
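One way an analyst can check for that sign on the target itself. This is an added example, not code from the article or the lab: it parses a constructed `ss -tan`-style snapshot of TCP connection states, counts the half-open (SYN-RECV) entries, and reports which peers hold them open; the threshold is an assumption to tune against the server's normal baseline.

```python
from collections import Counter

# Constructed `ss -tan`-style snapshot (not real data): a burst of half-open
# SYN-RECV connections from a few peers alongside two healthy ESTAB sessions.
SS_SNAPSHOT = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB      0      0      10.0.0.5:443         198.51.100.7:51234
SYN-RECV   0      0      10.0.0.5:443         203.0.113.10:40001
SYN-RECV   0      0      10.0.0.5:443         203.0.113.10:40002
SYN-RECV   0      0      10.0.0.5:443         203.0.113.11:40003
SYN-RECV   0      0      10.0.0.5:443         203.0.113.12:40004
SYN-RECV   0      0      10.0.0.5:443         203.0.113.10:40005
ESTAB      0      0      10.0.0.5:443         198.51.100.8:51235
"""

HALF_OPEN_THRESHOLD = 4  # assumption: tune to the server's normal baseline


def parse_states(snapshot: str):
    """Yield (state, peer_ip) per connection line, skipping the header row."""
    for line in snapshot.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue  # blank or malformed line
        state, peer = fields[0], fields[4]
        yield state, peer.rsplit(":", 1)[0]  # strip the port from "ip:port"


def half_open_report(snapshot: str, threshold: int = HALF_OPEN_THRESHOLD):
    """Count half-open (SYN-RECV) connections and who is holding them open.

    Returns (total, top_peers, alert): top_peers is [(ip, count), ...] sorted
    by count, and alert is True when the total reaches the threshold, i.e. the
    spike in half-open connections that signals a SYN flood.
    """
    per_peer = Counter(ip for state, ip in parse_states(snapshot)
                       if state == "SYN-RECV")
    total = sum(per_peer.values())
    return total, per_peer.most_common(), total >= threshold


if __name__ == "__main__":
    total, peers, alert = half_open_report(SS_SNAPSHOT)
    print(f"half-open={total} alert={alert} top_peers={peers[:3]}")
```

In a real flood the peer addresses are often spoofed, so the per-peer breakdown tells you how the load is spread rather than who the attacker is; the total against the baseline is the signal.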
- Volumetric attack
Volumetric attacks aim to overload network bandwidth – think of it as dropping a nuke on the network. These attacks, measured in Gbps, flood a target with such a massive volume of traffic that the network's bandwidth is completely saturated, effectively choking out any legitimate traffic before it can even reach the server. These attacks are the easiest to detect with their massive spikes in traffic.
DNS amplification is an example of a volumetric attack. It works by the attacker spoofing the target's IP and sending a small DNS query to an open DNS resolver, which then sends a much larger response to the target. The amplification happens when a 60-byte DNS query turns into a 4,000-byte response from the resolver – and at scale, with enough requests, that flood of amplified responses can completely overwhelm the target.
If your network is large enough, anycast network diffusion could be a way to mitigate an attack like this. We'll talk more about what that is in a bit.
If you'd like to read more about these attacks, check out the resources linked here.
How are these threats advancing?
Application layer and network attacks are making a resurgence with the advent of AI, larger botnets, and DDoS-for-hire services – up 101.4% and 168.2% respectively year over year (source). These attacks are evolving with new tactics designed to avoid detection, like Yo-Yo attacks that target cloud services with autoscaling, or short burst attacks meant to slip past human-in-the-loop defenses.
So how do you actually detect this? Look for sluggish networks or services unexpectedly going down. Those are your first red flags.
How to mitigate DDoS attacks
It can be difficult to weed out the bad traffic from the good, especially when threat actors will generally do their best to blend in to avoid detection. However, that does not mean we are out of luck! Prevention methods like these can be employed:
- Blackhole routing
The concept of blackhole routing is to take the malicious traffic and route it to an endpoint that does nothing: the black hole. The catch is that it is a blunt tool, so you need to be careful that legitimate traffic is not sent to the blackhole as well.
- Rate limiting
Rate limiting is designed to limit the number of consecutive requests to an endpoint in a certain timeframe. If that limit is exceeded, the IP sending the requests is flagged and the following requests will be denied until the flag is removed.
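The mechanism just described, as an added example that is not code from the article or the lab: a sliding-window limiter that flags an IP once it exceeds the limit and denies its requests until the flag expires. The limits, the block duration and the request stream (a normal client beside a flooder) are all constructed assumptions.

```python
from collections import defaultdict, deque

MAX_REQUESTS = 5     # assumption: requests allowed per window
WINDOW_SECONDS = 10  # assumption: length of the sliding window
BLOCK_SECONDS = 30   # assumption: how long a flagged IP stays denied


class RateLimiter:
    """Sliding-window limiter: exceed the limit and the IP is flagged."""

    def __init__(self, max_requests=MAX_REQUESTS, window=WINDOW_SECONDS,
                 block=BLOCK_SECONDS):
        self.max_requests, self.window, self.block = max_requests, window, block
        self.history = defaultdict(deque)  # ip -> request timestamps in window
        self.blocked_until = {}            # ip -> time the flag is removed

    def allow(self, ip: str, now: float) -> bool:
        """Return True if the request from `ip` at time `now` may proceed."""
        if self.blocked_until.get(ip, 0) > now:
            return False  # still flagged: deny without touching the window
        window = self.history[ip]
        while window and now - window[0] >= self.window:
            window.popleft()  # forget requests that fell out of the window
        window.append(now)
        if len(window) > self.max_requests:
            self.blocked_until[ip] = now + self.block  # flag the offender
            window.clear()
            return False
        return True


def replay(requests, limiter=None):
    """Replay (timestamp, ip) pairs; return {ip: (allowed, denied)} counts."""
    limiter = limiter or RateLimiter()
    outcome = defaultdict(lambda: [0, 0])
    for ts, ip in requests:
        outcome[ip][0 if limiter.allow(ip, ts) else 1] += 1
    return {ip: tuple(v) for ip, v in outcome.items()}


# Constructed request stream: one client every 4 s, one flooder 20 times/s.
SAMPLE = sorted([(t * 4.0, "198.51.100.7") for t in range(5)] +
                [(1.0 + i * 0.05, "203.0.113.10") for i in range(20)])

if __name__ == "__main__":
    for ip, (ok, denied) in sorted(replay(SAMPLE).items()):
        print(f"{ip}: allowed={ok} denied={denied}")
```

Note that a distributed flood spreads requests across many sources, so each one can stay under a per-IP limit; that is why the article treats rate limiting as one layer rather than the whole answer.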
- Web Application Firewalls
Web application firewalls (WAF) operate at layer 7 of the OSI model and are used to filter and monitor HTTP traffic. Like a standard firewall, rules can be set to allow or deny connections; the difference is that a WAF sits in front of the application itself, deployed as a network-based (physical network), host-based (hosted on the application server), or cloud-based defense.
- Anycast Network Diffusion
Anycast network diffusion disperses high-volume traffic across the network so that enough resources are available to absorb the incoming traffic. Cloudflare used this as one of their primary methods to combat a month-long "hyper-volumetric" DDoS attack that peaked at 3.8 Tbps in 2024 (source).
I can just implement rate limiting and I’ll be fine, right?
Though adding any defense is better than no defense, no one solution is going to solve the problem. Defense in depth is going to be the strongest strategy for dealing with threats.
Want to see what a DoS attack actually looks like in real time? The Rogue Operations lab lets you trigger a simulated DoS attack against a live Nginx server, watch the logs flood in, and practice detecting the pattern as a real analyst would. You can also read more about DoS/DDoS tactics using the resources available at OWASP.