
Develop a battle plan to confront denial of service attacks

IT managers face a daily struggle to stay on top of Internet security issues. This article on the dangers of denial of service (DoS) attacks is an example of the information you will receive by subscribing to the Internet Security Focus TechMail.


Preventative Internet security measures include verifying that equipment and services are secured in order to prevent unauthorized access. Most of the time when Internet equipment is compromised and violated, it's due to software flaws or services that have been incorrectly configured. However, there is another aspect to Internet security that is unrelated to simple service vulnerabilities: denial of service (DoS) attacks. DoS attacks are designed to render an entire Internet host or network inoperative.

A DoS attack is more difficult to handle than a service vulnerability because of the variety of ways an attack is accomplished and the simplicity of its methods. Basically, DoS attacks "flood" Internet equipment with Internet Protocol (IP) data, making the equipment inoperative for the duration of the attack.

There are various types of DoS attacks that use any number of combinations of IP data packets. The targets for such attacks are Internet devices, such as routers, specific hosts, and entire networks.

DoS attacks are specifically designed to overwhelm Internet equipment or services. For instance, a specific DoS attack may be targeted at disabling Simple Mail Transfer Protocol (SMTP) e-mail. To do that, an attacker simply initiates a flood of connections to the SMTP port of an e-mail server, preventing legitimate SMTP connections from taking place. That would effectively block e-mail traffic to or from that host until countermeasures could be put into place to stop the connection flood.

Other simple DoS attacks can overwhelm services, such as FTP or HTTP, with similar results. And since legitimate traffic isn't given a chance to connect, the Internet service is disabled.

Distributed denial of service attacks, or DDoS attacks, are the worst of the lot. These attacks have crippled CERT, eBay, Yahoo, and dozens of other companies connected to the Internet.


DDoS attacks are launched from multiple compromised hosts, using a variety of tools written specifically to perform DDoS attacks. Some of the more common DDoS tools include the Tribe Flood Network (TFN) and a newer variation called TFN2K. DDoS tools commandeer compromised equipment on multiple networks and are remotely controlled to launch coordinated, multipoint attacks.

Putting a stop to attacks
The question becomes: How do you stop a DoS attack? Stopping an attack from a single host can be as simple as rejecting IP access from that host; however, that in itself might not stop an attack because the target could be a router.

The router still has to process the "garbage" IP data, which means that it's wasting resources. Depending on the router itself, legitimate traffic can either be stalled or stopped. When this happens, upstream Internet providers should put filters on their equipment.

Putting an end to a DDoS attack is a different story. The distributed nature of these attacks and the bandwidth involved make them extremely difficult to stop.
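The difference between the two cases can be seen in a small detection sketch, added here as an example and not part of the original article. It slides a time window over constructed connection records for the SMTP port and separates a flood from one host, which a per-host reject rule handles, from a distributed flood in which no single source stands out. The record format, thresholds, and addresses are assumptions.

```python
from collections import Counter, deque

# Constructed sample records: (timestamp_seconds, source_ip, dest_port).
# Addresses are from documentation ranges; nothing here is real traffic.
def make_sample(kind):
    if kind == "single":
        # One host opens 120 SMTP connections in 10 s, plus light normal traffic.
        flood = [(i / 12, "192.0.2.10", 25) for i in range(120)]
        normal = [(i, f"198.51.100.{i + 1}", 25) for i in range(10)]
        return sorted(flood + normal)
    # Distributed: 60 hosts, 4 connections each, inside the same 10 s.
    return sorted((h * 0.04 + c * 2.5, f"203.0.113.{h + 1}", 25)
                  for h in range(60) for c in range(4))

def classify(records, port=25, window=10.0, per_source_limit=30, total_limit=100):
    """Classify new-connection load on `port` over a sliding time window.

    Returns ("single-source", [ips]) when individual hosts exceed
    per_source_limit, ("distributed", []) when only the aggregate exceeds
    total_limit, and ("normal", []) otherwise. Limits are assumed values.
    """
    win = deque()        # (timestamp, source) pairs still inside the window
    counts = Counter()   # connections per source inside the window
    offenders = set()
    aggregate_exceeded = False
    for ts, src, dport in records:
        if dport != port:
            continue
        win.append((ts, src))
        counts[src] += 1
        # Expire records that have fallen out of the window.
        while win and ts - win[0][0] > window:
            _, old = win.popleft()
            counts[old] -= 1
        if counts[src] > per_source_limit:
            offenders.add(src)
        if len(win) > total_limit:
            aggregate_exceeded = True
    if offenders:
        return "single-source", sorted(offenders)  # candidates for a reject rule
    if aggregate_exceeded:
        return "distributed", []                   # no per-host rule will help
    return "normal", []

if __name__ == "__main__":
    for kind in ("single", "distributed"):
        print(kind, classify(make_sample(kind)))
```

In the distributed sample every source stays far below the per-host limit, which is why blocking individual addresses does not relieve the target and the filtering has to happen upstream.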

DoS attacks are quite common, and DDoS attacks are on the rise. While there is little a company can do to stop DDoS attacks, companies can do their part by not contributing to the problem. This requires that companies ensure that their Internet equipment is configured properly and securely and that networks are protected with firewalls to deter unauthorized access.

If your company experiences a DoS attack, report it to your Internet service or Web hosting provider. In addition, your company should pursue legal action against the attackers when possible.
