Denial of service attacks might seem like old news, something we haven’t thought about much lately. But with recent assaults targeting government and corporate websites by groups like Anonymous, they’re back in the conversation—and more relevant than ever. In this piece, I want to take a closer look at the classic methods behind DoS strategies and toss in some fresh ideas about how to overload a network.
Most DoS attacks fall into two main camps. The first, and the one I’ll focus on here, involves flooding the system with traffic, no exploit code needed. The second relies on exploiting vulnerabilities within applications, which I won’t delve into today.
Traffic-based DoS attacks work by simply flooding the target with data or resource requests, pushing its capabilities to the limit. It’s not about hacking or exploiting weaknesses, just brute force. Here are some common examples:
- SYN Flooding: This tactic involves sending a ton of TCP SYN requests to a server, but never replying to the SYN-ACK responses. The server ends up stuck with half-open connections, waiting for replies that never come, eventually hogging its resources.
- ICMP-Based Attacks: Think of sending a flood of ping requests to a network’s broadcast address using a spoofed source, known as a smurf attack. This tricks the network into sending avalanche-like ping replies right back to the target. Alternatively, attackers can bombard a host with large volumes of ICMP packets from a botnet or send malformed, fragmented packets that cause the system to stumble or crash when trying to reassemble them.
- Application Resource Consumption: Here, attackers harness multiple computers to send endless login attempts, SQL queries, or massive POST requests to exhaust the host’s memory, disk space, or CPU. The goal is to tie up resources until the system stalls.
In recent years, however, these traffic-based methods have become less effective. Modern networking gear now often ignores certain types of traffic, like ICMP directed broadcasts, and firewalls restrict half-open connections and scrutinize unusual traffic patterns. Intrusion detection systems (IDS) have evolved too, inspecting payloads for malicious code, normalizing traffic flows, and blocking anomalies.
Larger organizations or ISPs sometimes use advanced anomaly detection tools. These setups analyze network patterns and can reroute or block suspicious traffic dynamically. But here’s the catch: most defenses are still based on known attack signatures or focus on the traffic toward a specific host. They don’t always see the bigger picture, how the network infrastructure itself processes or mishandles traffic.
One interesting approach I want to mention is called quality of service DoS, or QDoS; the idea leverages how we prioritize network traffic. The concept of Quality of Service (QoS) is pretty straightforward: it allows networks to assign different priority levels to types of data, reserving bandwidth so that important calls or streams aren’t interrupted. A common example involves assigning certain markings, like IP precedence or DSCP values, in packet headers to classify traffic.
VoIP calls and video streams often depend on quality of service to keep calls clear and videos smooth. Now, how could an attacker manipulate this system to cause harm? Here’s the twist: by exploiting flaws in how QoS policies are set up, an attacker might target the infrastructure that manages traffic prioritization, rather than just the victim system itself.
For example, if a network’s quality of service policies are configured improperly, say, based solely on IP precedence or DSCP markings, an attacker could compromise a host inside the network. They’d then craft traffic that looks legitimate but is intentionally marked to receive high priority. If the network trusts these markings without proper validation, the attacker could flood the link with high-priority traffic, overwhelming critical systems or services.
Imagine a system designed to prioritize voice calls being flooded with malicious, high-priority data—effectively drowning out essential communications. Since many configurations rely on simple rules based on packet header values and don’t cross-check the actual intent or source authenticity, this kind of attack can slip through.
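The defensive counterpart to the marking problem described above is a trust boundary at the network edge: DSCP values arriving from ports that are not known to carry voice are rewritten to best effort, and even trusted EF traffic is volume-checked. The following is an added example written for this post, not the author's own code; the trusted voice subnet and the EF byte threshold are assumed values for illustration.

```python
import ipaddress
import struct
from collections import defaultdict

# DSCP code points discussed above: CS0 is best effort, EF (46) is the
# usual marking for voice (RFC 2474 / RFC 3246).
DSCP_CS0 = 0
DSCP_EF = 46

# Assumed trust boundary for this example: only this subnet keeps its marks.
TRUSTED_VOICE_NET = ipaddress.ip_network("10.10.20.0/24")


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement checksum over the header (checksum field zeroed)."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_ipv4_header(dscp: int, src: str, dst: str, total_len: int) -> bytes:
    """Constructed 20-byte IPv4/UDP header used as sample input."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, total_len, 0, 0, 64, 17, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(pkt: bytes):
    """Return (dscp, ip_precedence, src, total_length) from an IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not a complete IPv4 header")
    _, tos, total_len = struct.unpack("!BBH", pkt[:4])
    return tos >> 2, tos >> 5, ipaddress.ip_address(pkt[12:16]), total_len


def set_dscp(pkt: bytes, dscp: int) -> bytes:
    """Rewrite DSCP, keep the ECN bits, and recompute the header checksum."""
    ihl = (pkt[0] & 0x0F) * 4
    tos = (dscp << 2) | (pkt[1] & 0x03)
    hdr = pkt[:1] + bytes([tos]) + pkt[2:10] + b"\x00\x00" + pkt[12:ihl]
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + pkt[ihl:]


class EdgeQosPolicy:
    """Ingress policy: remark untrusted sources to CS0, meter EF from trusted ones."""
    def __init__(self, ef_byte_limit: int):
        self.ef_bytes, self.ef_byte_limit, self.alerts = defaultdict(int), ef_byte_limit, []

    def ingress(self, pkt: bytes) -> bytes:
        dscp, _prec, src, length = parse_ipv4_header(pkt)
        if src not in TRUSTED_VOICE_NET and dscp != DSCP_CS0:
            return set_dscp(pkt, DSCP_CS0)      # marks from untrusted hosts are not honoured
        if dscp == DSCP_EF:
            self.ef_bytes[src] += length        # even trusted EF is volume-limited
            if self.ef_bytes[src] > self.ef_byte_limit:
                self.alerts.append(f"EF volume from {src} exceeds {self.ef_byte_limit} bytes")
        return pkt
```

A real device would also police EF at the agreed voice rate rather than only alert on it, but the two checks above are the ones that close the gap the post describes.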
So in a nutshell, understanding how traffic prioritization and infrastructure interactions work opens up new avenues for DoS tactics. As with many security measures, clever attackers look for gaps, be it in configurations, assumptions, or static rules—and turn those gaps to their advantage.
