Denial of Service (DoS) attacks overwhelm systems and networks with fraudulent requests. Threat actors launch these attacks to prevent users from performing routine tasks, like accessing their email or interacting with web-hosted content.
In most cases, DoS attacks do not directly result in data loss. Usually, the goal of the attack is simply to disrupt operations and cause downtime. This forces the organization to dedicate time and resources to restore business operations.
There are many different types of DoS attacks, but they generally fall into two broad categories. Depending on their ultimate goal, attackers will choose one of these tactics over the other.
Buffer overflows are the most common type of DoS attack. Threat actors identify a web-based asset and drive an overwhelming volume of requests towards it. This pushes the machine's buffer usage far past the capacity it was sized for, causing the web-based service to crash.
One example of this kind of attack is the stack overflow attack. In this scenario, attackers instruct an application to use memory space that has already been allocated to other services. This causes the application to fail.
Flood attacks are characterized by a massive volume of network traffic targeting a single IT asset. When a server receives too much volume to effectively manage, it will slow down and eventually stop working altogether.
One example of this is the ICMP flood attack. In this scenario, threat actors exploit misconfigured network devices to send fraudulent ping requests. The massive influx of ping requests can cause network service outages and downtime.
In the past, random DoS attacks were motivated by internet vandalism or unintentional releases like the Morris Worm. Now, DoS attacks are more often motivated by criminal intent, political activism, or nation-state influence campaigns.
In many cases, denial of service is just one element of a larger, more elaborate cyberattack. For example, a threat actor may launch a DoS attack the moment their ransomware payload activates on a victim’s network. This maximizes the damage of the payload by preventing users from contacting IT support when their computers stop working.
The DoS attack strategy can readily be combined with multiple channels for maximum effect. A threat actor might flood an organization’s network with ICMP ping traffic while also tying up its phone lines with thousands of fraudulent automated phone calls. This can dramatically increase the complexity of mitigating an otherwise simple cyberattack.
Distributed denial-of-service (DDoS) attacks are a more sophisticated version of the DoS attack. Instead of launching the attack from a single device or network, threat actors can distribute the attack from multiple compromised systems all over the internet.
This makes the attack much harder to detect and respond to. In a traditional DoS scenario, a security practitioner might configure the organization’s firewalls to drop traffic from the malicious IP address.
This doesn’t work in a DDoS attack scenario. There may be an entire botnet sending fraudulent requests from a constantly changing set of IP addresses. There is no way to manually update the firewall configuration fast enough to keep up.
Firewalls are the first line of defense against DDoS attacks. Advanced DDoS attacks can overwhelm simple network defenses, but next-generation firewalls have additional features for mitigating DDoS traffic.
For example, some next-gen firewalls respond to TCP connection requests by generating a SYN cookie and sending it back to the source. If the source doesn't respond, the firewall drops the connection. Legitimate sources will respond to the cookie, while malicious ones will ignore it.
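The following is an added illustration of the SYN cookie mechanism described above, not code from the original article or from any firewall vendor. The secret, the 64-second time bucket, and the HMAC construction are assumptions chosen for the example; the point it shows is that the firewall keeps no per-connection state until the source proves it can complete the handshake.

```python
import hashlib
import hmac
import ipaddress
import struct

# Hypothetical secret: a real firewall or kernel keeps one in memory and rotates it.
SECRET = b"constructed-example-secret"
BUCKET_SECONDS = 64  # a cookie stays valid for the current and the previous bucket


def _bucket(now: float) -> int:
    return int(now) // BUCKET_SECONDS


def _cookie(src: str, sport: int, dst: str, dport: int, bucket: int) -> int:
    # MAC over the 4-tuple and the time bucket, truncated to a 32-bit sequence number.
    msg = (ipaddress.ip_address(src).packed + struct.pack("!H", sport)
           + ipaddress.ip_address(dst).packed + struct.pack("!HQ", dport, bucket))
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")


def make_syn_cookie(src: str, sport: int, dst: str, dport: int, now: float) -> int:
    """Initial sequence number placed in the SYN-ACK. Nothing is stored for the
    half-open connection, so a flood of spoofed SYNs cannot fill a connection table."""
    return _cookie(src, sport, dst, dport, _bucket(now))


def ack_is_valid(src: str, sport: int, dst: str, dport: int, ack_num: int, now: float) -> bool:
    """The final ACK must carry cookie + 1. Recomputing the cookie for the current and
    previous bucket replaces the state lookup a normal handshake would need."""
    expected = ((ack_num - 1) & 0xFFFFFFFF).to_bytes(4, "big")
    b = _bucket(now)
    return any(hmac.compare_digest(_cookie(src, sport, dst, dport, cand).to_bytes(4, "big"), expected)
               for cand in (b, b - 1))


if __name__ == "__main__":
    now = 1_700_000_000.0
    # A source that answers the SYN-ACK with cookie + 1 is admitted; a forged ACK is not.
    cookie = make_syn_cookie("198.51.100.7", 40000, "203.0.113.10", 443, now)
    print("legit ack:", ack_is_valid("198.51.100.7", 40000, "203.0.113.10", 443, cookie + 1, now))
    print("forged ack:", ack_is_valid("198.51.100.7", 40000, "203.0.113.10", 443, 12345, now))
```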
Firewalls can also prevent DDoS attacks by enforcing traffic filtering rules and limiting simultaneous connections. These rules must be calibrated to avoid dropping legitimate traffic during peak usage, which requires in-depth customization from experienced security professionals.
Mitigating DDoS attacks requires gaining deep visibility into your network and being able to distinguish valid traffic from malicious traffic.
Network Detection and Response (NDR) technology offers valuable insight into network traffic patterns, and can trigger alerts when IT assets receive suspicious volumes of requests.
Unlike firewalls, load balancers, and intrusion prevention systems, NDR platforms perform out-of-band DDoS detection. That means they observe NetFlow, J-Flow, or IPFIX data and analyze it for signs of unauthorized activity.
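As an added example of the out-of-band detection described above (not the article's or any NDR vendor's code), the block below aggregates constructed flow records in the shape a NetFlow/IPFIX exporter would summarise them and alerts on the two signals an ICMP flood leaves: packet volume to one destination and the number of distinct sources. The record layout and the thresholds are assumptions for the example and would be tuned from a real baseline.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed flow records (not real telemetry): start_time src_ip dst_ip protocol packets
NORMAL_FLOWS = """\
1700000001 10.0.0.5 203.0.113.10 tcp 120
1700000007 10.0.0.9 203.0.113.10 tcp 88
1700000020 10.0.0.12 203.0.113.10 tcp 140
1700000031 10.0.0.5 203.0.113.11 udp 12
"""
# Forty sources each hammering the web server inside one window, as an ICMP flood would look.
FLOOD_FLOWS = "\n".join(f"1700000030 198.51.100.{i} 203.0.113.10 icmp 5000" for i in range(1, 41))


@dataclass
class FloodAlert:
    window_start: int
    dst: str
    protocol: str
    packets: int
    sources: int


def parse_flows(text: str):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, pkts = line.split()
        records.append((int(ts), src, dst, proto, int(pkts)))
    return records


def detect_floods(records, window=60, packet_threshold=50_000, source_threshold=25):
    """Sum packets and count distinct sources per (window, destination, protocol);
    alert when either exceeds its threshold. Thresholds are placeholders."""
    agg = defaultdict(lambda: [0, set()])
    for ts, src, dst, proto, pkts in records:
        key = (ts - ts % window, dst, proto)
        agg[key][0] += pkts
        agg[key][1].add(src)
    alerts = []
    for (start, dst, proto), (pkts, srcs) in sorted(agg.items(), key=lambda kv: kv[0]):
        if pkts >= packet_threshold or len(srcs) >= source_threshold:
            alerts.append(FloodAlert(start, dst, proto, pkts, len(srcs)))
    return alerts


if __name__ == "__main__":
    for alert in detect_floods(parse_flows(NORMAL_FLOWS) + parse_flows(FLOOD_FLOWS)):
        print(alert)
```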
When integrated with Endpoint Detection and Response (EDR) and Security Information and Event Management (SIEM), these three technologies form the SOC Visibility Triad. This gives security teams a starting point for detecting and responding to complex security threats that leverage DDoS attacks alongside other cyberattack methods.
Once the security team detects an attack, it must act quickly to neutralize it. Security Orchestration, Automation, and Response (SOAR) technology helps optimize the process, ensuring DDoS attack attempts are mitigated rapidly.
Deploying a comprehensive suite of security technologies and dedicating expert personnel to security operations is the best way to mitigate DDoS attack risks. Managed detection and response vendors like Lumifi make industry-leading cybersecurity accessible to organizations of all sizes.
We offer rapid incident response services powered by our own proprietary SOC automation service, Shieldvision. This gives security teams unlimited visibility into their tech stack while enabling deep customization of detection rules and investigation workflows.
We’ve expanded our MDR capabilities with enhanced incident response and security services to better protect against evolving cyber threats.