DoS Attacks: Beyond Service Disruption

TL;DR

DoS (Denial of Service) attacks are not only about knocking a service offline. Attackers use them to hide other malicious activity, to learn how your defences behave under load, to extort you, and as cover while they try to gain access. This guide explains how, and what you can do about it.

What Attackers Can Achieve With DoS

  1. Masking Other Attacks: A large-scale DoS attack creates a lot of ‘noise’ in your logs and monitoring systems. This makes it harder to detect more subtle attacks happening at the same time, like data breaches or attempts to install malware.
    • Example: While everyone is focused on mitigating the DoS, an attacker could be quietly trying to exploit a vulnerability in your web application.
  2. Information Gathering (Reconnaissance): How your infrastructure behaves under load tells attackers things a quiet probe would not.
    • Scanning Under Cover of Noise: Port scanning is not itself a DoS, but a flood spread across many ports and hosts returns the same open/closed/filtered information as a scan, and it arrives while your team is busy mitigating traffic rather than investigating it.
    • Traffic Analysis: Watching which traffic is dropped, which is rate-limited and at what point the service degrades reveals firewall rules, intrusion detection system (IDS) coverage, mitigation thresholds and real server capacity, all useful for tuning a later attack.
  3. Resource Exhaustion Beyond Availability: A typical DoS aims at unavailability, but attackers can target specific resources.
    • Application Layer Attacks: These exhaust application-specific resources such as database connection pools, worker threads or memory. If the application handles exhaustion badly, for example by writing partial records outside a transaction or by failing open when a dependency times out, the damage goes beyond downtime to data integrity.
    • State Exhaustion: Attacks such as SYN floods fill the server’s connection tables with half-open connections, so legitimate users cannot connect even though the link itself has spare bandwidth.
  4. Extortion: Attackers may launch a short demonstration attack and then demand a ransom to stop it or not repeat it (ransom DoS).
  5. Bypass Security Measures: A well-timed DoS does more than distract the security team. Inline controls such as WAFs, IPS sensors and log collectors have capacity limits; pushed past them, some fail open or start sampling, so requests pass uninspected or unlogged exactly when the attacker sends the real payload.

How Attackers Combine DoS With Other Techniques

  1. DoS as a Diversion: Launching a DoS attack while simultaneously attempting SQL injection or cross-site scripting (XSS) against the same or a neighbouring application.
  2. DoS and Botnets: Using a botnet both to amplify the flood and to distribute malware; the same compromised hosts serve both purposes.
  3. Application Layer Attacks with Payload: Mixing exploit attempts into an application-layer flood (e.g., an HTTP flood), so the malicious requests look like more of the same traffic.
    • Example: A flood of HTTP POST requests in which a small fraction carry payloads crafted to exploit a vulnerability in your web server or application.

Protecting Against These Threats

  1. Robust Monitoring and Logging: Implement monitoring and logging that keep working under load. A pipeline that drops events when volume spikes hands the attacker exactly the blind spot a DoS is meant to create; if it must degrade, it should sample the flood traffic rather than drop everything.
    • SIEM (Security Information and Event Management): Use a SIEM to correlate logs from different sources, so that a low-volume exploit attempt still stands out once the flood traffic is filtered out.
  2. Rate Limiting: Limit the number of requests from a single IP address or user within a specific time frame. Per-IP limits are a first line only: they can affect many users behind one NAT address, and a botnet spreads its requests across thousands of addresses.
    # Example using Nginx rate limiting (10 requests/second per client, burst of 10)
    limit_req_zone $binary_remote_addr zone=mylimit:10m rate=10r/s;   # in the http {} block
    limit_req zone=mylimit burst=10 nodelay;                           # in a server {} or location {} block
    limit_req_status 429;                                              # answer throttled clients with 429, not 503
  3. Web Application Firewall (WAF): Use a WAF to filter out malicious requests and protect against application-layer attacks.
  4. Intrusion Detection/Prevention Systems (IDS/IPS): Deploy IDS/IPS systems to detect and block suspicious traffic patterns.
  5. DDoS Mitigation Services: Consider using a dedicated DDoS mitigation service to absorb large-scale attacks before they reach your infrastructure. Cloudflare, Akamai, and AWS Shield are popular options.
  6. Regular Security Audits & Penetration Testing: Regularly assess your systems for vulnerabilities and weaknesses.
  7. Incident Response Plan: Have a well-defined incident response plan that treats a DoS as possible cover for something else: while most of the team works on availability, someone should be watching for intrusion indicators in the traffic that is not part of the flood.
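The triage step that items 1 and 7 call for, written out as an added example (this is illustration code for this post, not code from the original page or from any product named above). It parses Nginx-style “combined” access-log lines, separates high-rate flood sources from everything else, and scans the remaining low-volume requests for the injection and traversal signatures a flood is meant to bury. The log lines, the IP addresses (taken from documentation ranges), the 20 requests/second threshold and the tiny signature set are all constructed for illustration and are assumptions to tune per site, not a detection standard.

```python
"""Access-log triage during a flood.

Added example for this post, not code from the original page. It parses
Nginx-style "combined" access-log lines, separates high-rate flood sources
from everything else, and scans the remaining low-volume requests for the
injection and traversal signatures a flood is meant to bury. Log lines,
IP addresses (documentation ranges), the 20 req/s threshold and the tiny
signature set are all constructed for illustration and are assumptions to
tune per site, not a detection standard.
"""
import re
from collections import Counter
from datetime import datetime
from urllib.parse import unquote_plus

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Deliberately short signature set applied to the URL-decoded path. A WAF
# ruleset is the real thing; this shows the triage step, not the rules.
SIGNATURES = {
    "sqli": re.compile(r"'\s*(or|and)\s|union\s+select", re.I),
    "traversal": re.compile(r"\.\./"),
    "cmdi": re.compile(r"[;|]\s*(cat|wget|curl|sh)\b", re.I),
}


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def flood_sources(records, rps_threshold):
    """IPs that sent more than rps_threshold requests within any one second."""
    per_second = Counter((r["ip"], r["ts"].replace(microsecond=0)) for r in records)
    return {ip for (ip, _sec), n in per_second.items() if n > rps_threshold}


def triage(lines, rps_threshold=20):
    """Split a log into flood and quiet traffic, then flag signature hits.

    Every request is scanned, because the payload may also ride inside the
    flood itself, but hits from quiet sources are listed first: they are the
    ones the noise was meant to hide.
    """
    records = [r for r in map(parse_line, lines) if r]
    floods = flood_sources(records, rps_threshold)
    findings = []
    for r in records:
        decoded = unquote_plus(r["path"])
        for name, pattern in SIGNATURES.items():
            if pattern.search(decoded):
                findings.append({"ip": r["ip"], "path": decoded, "status": r["status"],
                                 "signature": name, "in_flood": r["ip"] in floods})
    findings.sort(key=lambda f: f["in_flood"])
    flood_count = sum(1 for r in records if r["ip"] in floods)
    return {
        "total": len(records),
        "flood_sources": floods,
        "flood_requests": flood_count,
        "quiet_requests": len(records) - flood_count,
        "findings": findings,
    }


def _line(ip, sec, request, status=200, ua="Mozilla/5.0"):
    """Build one constructed combined-format log line at 12:00:<sec>."""
    return (f'{ip} - - [10/Oct/2024:12:00:{sec:02d} +0000] "{request} HTTP/1.1" '
            f'{status} 512 "-" "{ua}"')


def sample_log():
    """Constructed log: two flood sources drown three probing requests."""
    lines = []
    for sec in range(3):
        lines += [_line("203.0.113.5", sec, "GET /", ua="flood/1.0")] * 100
        lines += [_line("203.0.113.9", sec, "GET /index.html", ua="flood/1.0")] * 60
    lines += [_line("192.0.2.10", 0, "GET /about"), _line("192.0.2.11", 1, "POST /login", 302)]
    # The quiet attacker: one request per second, easy to miss among 480 others.
    lines += [
        _line("198.51.100.7", 0, "GET /login"),
        _line("198.51.100.7", 1, "GET /search?q=1%27%20OR%201%3D1", 500),
        _line("198.51.100.7", 2, "GET /download?file=../../etc/passwd", 403),
    ]
    return lines


if __name__ == "__main__":
    result = triage(sample_log())
    print(f"{result['total']} requests, {result['flood_requests']} from "
          f"{len(result['flood_sources'])} flood source(s), {result['quiet_requests']} quiet")
    for f in result["findings"]:
        print(f"  [{f['signature']}] {f['ip']} {f['path']} status={f['status']} "
              f"in_flood={f['in_flood']}")
```

On the constructed log, 480 of 485 requests come from the two flood sources and only five remain once they are set aside; two of those five carry an SQL injection and a path traversal attempt from the same address. The point is the order of operations: classify and subtract the noise first, then read what is left, rather than letting the flood’s volume decide what gets looked at. Signature hits from flood sources are still reported, because the page’s “payload inside the flood” case means the exploit can also hide in the high-volume traffic.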