In computing, a denial-of-service (DoS) attack or distributed denial-of-service (DDoS) attack is an explicit attempt to make a computing device or a network resource (e.g., an application, a file system) unavailable to its intended users. The perpetrators of DoS attacks typically attempt to temporarily or indefinitely interrupt or suspend services of a computing device connected to the Internet. For example, a DoS attack may attempt to overwhelm a network resource, consume available bandwidth in a network, disrupt or modify configuration information (e.g., routing information) in one or more computing devices involved in a communications path, disrupt maintained state information of computing devices, and/or disrupt physical network components.
One type of DoS attack commonly referred to as a volumetric attack involves overwhelming the target computing device or network resource with such a large volume of network traffic that the target does not receive legitimate traffic, cannot respond to legitimate traffic, or responds so slowly to legitimate traffic that it becomes effectively unavailable. One or more computing devices located outside a network of the target typically originate volumetric attacks by transmitting traffic toward the network or target. Volumetric DoS attacks may directly affect a targeted computing device and/or another computing device (e.g., a network device such as a router or switch) on the same local area network (LAN) as the targeted computing device. Some volumetric DoS attacks create problems outside the LAN of the target device that the target may not even be aware of. For example, the resources of a network device outside of the LAN of the target (but possibly located within a path between the LAN and the Internet) may be consumed by an attack, which will affect the target as well as other computing devices or resources within the LAN. A few types of volumetric attacks include Internet Control Message Protocol (ICMP) floods, User Datagram Protocol (UDP) floods, and Transmission Control Protocol (TCP) state exhaustion attacks such as TCP SYN floods and idle session attacks.
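The two volumetric patterns named above, a UDP/ICMP packet flood and a TCP SYN flood that exhausts connection state, show up differently in traffic: the first as a packets-per-second spike, the second as handshakes that never complete. The following Python example, added here for illustration and not part of the original text, runs both checks over a small constructed packet trace. The `Packet` record, the thresholds, and the addresses (RFC 5737 documentation ranges) are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal packet record for the example (assumed shape, not a real capture format)."""
    ts: float          # seconds since start of trace
    proto: str         # "TCP", "UDP" or "ICMP"
    src: str
    dst: str
    flags: str = ""    # TCP flags: "S" = SYN, "A" = ACK completing the handshake


def syn_state_report(packets, timeout=3.0):
    """Per destination: (half-open handshakes older than `timeout`, completed handshakes).

    A SYN from (src, dst) opens a pending entry; the client's ACK closes it. Entries that
    are still pending `timeout` seconds after the SYN are state the server holds for nothing,
    which is exactly what a SYN flood tries to accumulate."""
    pending = {}
    completed = defaultdict(int)
    last_ts = max(p.ts for p in packets)
    for p in sorted(packets, key=lambda p: p.ts):
        if p.proto != "TCP":
            continue
        key = (p.src, p.dst)
        if p.flags == "S":
            pending[key] = p.ts
        elif p.flags == "A" and key in pending:
            pending.pop(key)
            completed[p.dst] += 1
    half_open = defaultdict(int)
    for (_, dst), syn_ts in pending.items():
        if last_ts - syn_ts >= timeout:
            half_open[dst] += 1
    return {dst: (half_open[dst], completed[dst]) for dst in set(half_open) | set(completed)}


def peak_pps(packets, proto, window=1.0):
    """Highest packet count of one protocol seen in any fixed window (packets per `window` s)."""
    buckets = defaultdict(int)
    for p in packets:
        if p.proto == proto:
            buckets[int(p.ts // window)] += 1
    return max(buckets.values(), default=0)


def detect(packets, half_open_threshold=20, pps_threshold=100):
    """Return a list of (kind, detail) findings using simple fixed thresholds (assumed values)."""
    findings = []
    for dst, (half_open, completed) in syn_state_report(packets).items():
        if half_open >= half_open_threshold:
            findings.append(("tcp-state-exhaustion", f"{dst}: {half_open} half-open vs {completed} completed"))
    for proto in ("UDP", "ICMP"):
        peak = peak_pps(packets, proto)
        if peak >= pps_threshold:
            findings.append((f"{proto.lower()}-flood", f"peak {peak} packets/s"))
    return findings


# Constructed trace: three real clients, 40 spoofed SYNs, one UDP burst, then quiet.
TRACE = []
for i, src in enumerate(["10.0.0.1", "10.0.0.2", "10.0.0.3"]):
    TRACE.append(Packet(0.1 * i, "TCP", src, "192.0.2.10", "S"))
    TRACE.append(Packet(0.1 * i + 0.05, "TCP", src, "192.0.2.10", "A"))
for i in range(40):
    TRACE.append(Packet(1.0 + 0.01 * i, "TCP", f"198.51.100.{i + 1}", "192.0.2.10", "S"))
for i in range(200):
    TRACE.append(Packet(5.0 + 0.004 * i, "UDP", "203.0.113.7", "192.0.2.10"))
TRACE.append(Packet(9.0, "ICMP", "10.0.0.1", "192.0.2.10"))

if __name__ == "__main__":
    for kind, detail in detect(TRACE):
        print(kind, "-", detail)
```

The half-open count is the useful signal for state exhaustion because raw SYN rate alone also rises under a legitimate traffic surge; comparing it with completed handshakes from the same window separates the two cases. In practice the thresholds would be derived from a baseline of the protected network rather than fixed.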
Another type of DoS attack is commonly referred to as an application layer DoS attack, which targets a resource (e.g., a computer application) executing on a computing device. Application layer DoS attacks typically strive to overwhelm network infrastructure and server computing devices by targeting well-known application protocols such as Hypertext Transfer Protocol (HTTP), Voice over IP (VoIP), or Simple Mail Transfer Protocol (SMTP).
One type of application layer DoS attack is known as a Request Flood attack, in which a perpetrator transmits a large number of seemingly legitimate application layer requests (such as HTTP GET or POST request messages, Session Initiation Protocol (SIP) INVITE messages, or Domain Name Server (DNS) queries) to a target server in an attempt to consume or overwhelm its resources. Another type of application layer DoS attack is known as an asymmetric attack, in which a perpetrator transmits a relatively normal rate of requests to a target that cause the target to perform a large amount of work, and possibly consume a large amount of processing time, disk space, memory, or network resources. Some perpetrators of asymmetric attacks multiply their effect by sending such “high-workload” requests to the target using many different TCP sessions from one or more requesting computing devices. Another type of application layer DoS attack is commonly referred to as an exploit attack or application-exploit attack, in which the perpetrator attempts to take advantage of a flaw or vulnerability in an application and thus degrade the target. Examples of application layer exploits include buffer overflow attacks, Structured Query Language (SQL) injection attacks (e.g., injecting a “shutdown” command to a SQL server, injecting a “benchmark” command to a MySQL server), Apache Range Header attacks, and Excessive Double Encoding attacks.
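Because request floods and asymmetric attacks both consist of well-formed requests, the defender's signal is per-client behaviour over time rather than any single message. The example below, added here and not part of the original text, parses constructed web-server access log lines and profiles each client by peak request rate and mean server-side cost per request, then labels clients as flood, asymmetric, or normal. The log layout (Common Log Format plus a trailing request-time field, as nginx's `$request_time` would add), the thresholds, and the client addresses are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

# Common Log Format with a trailing request duration in seconds (assumed layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) (?P<rt>[\d.]+)$'
)


def parse_line(line):
    """Parse one access log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    rec["rt"] = float(rec["rt"])
    return rec


def profile_clients(lines, window=10.0):
    """Per client IP: peak requests/s in any fixed window, mean server time per request, total count."""
    per_window = defaultdict(int)
    total = defaultdict(int)
    time_sum = defaultdict(float)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        per_window[(rec["ip"], int(rec["ts"] // window))] += 1
        total[rec["ip"]] += 1
        time_sum[rec["ip"]] += rec["rt"]
    peak = defaultdict(int)
    for (ip, _), n in per_window.items():
        peak[ip] = max(peak[ip], n)
    return {
        ip: {"peak_rps": peak[ip] / window, "mean_cost": time_sum[ip] / total[ip], "requests": total[ip]}
        for ip in total
    }


def classify(profiles, flood_rps=5.0, cost_factor=10.0):
    """Flood: request rate above `flood_rps`. Asymmetric: normal rate but mean cost per request
    far above the population median. Thresholds are assumed values for the example."""
    baseline = median(p["mean_cost"] for p in profiles.values())
    verdict = {}
    for ip, p in profiles.items():
        if p["peak_rps"] >= flood_rps:
            verdict[ip] = "request-flood"
        elif baseline > 0 and p["mean_cost"] >= cost_factor * baseline:
            verdict[ip] = "asymmetric"
        else:
            verdict[ip] = "normal"
    return verdict


# Constructed log: three ordinary clients, one flooding client, one client whose few requests
# are each very expensive for the server.
_T0 = datetime(2023, 1, 1, tzinfo=timezone.utc)


def _line(ip, offset_s, path, rt):
    ts = (_T0 + timedelta(seconds=offset_s)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 2326 {rt:.3f}'


SAMPLE_LOG = []
for ip in ("10.0.0.1", "10.0.0.2", "10.0.0.3"):
    SAMPLE_LOG += [_line(ip, 12 * i, "/index.html", 0.02) for i in range(5)]
SAMPLE_LOG += [_line("198.51.100.9", i // 30, "/index.html", 0.01) for i in range(300)]
SAMPLE_LOG += [_line("203.0.113.5", 10 * i, "/report?range=all", 2.5) for i in range(6)]

if __name__ == "__main__":
    for ip, label in classify(profile_clients(SAMPLE_LOG)).items():
        print(ip, label)
```

The asymmetric check deliberately keys on server-side cost rather than request count, since that class of attack is defined by a normal request rate; a rate-only rule would never see it. Request time is a proxy for "work"; where available, CPU time or query cost per request is a better measure.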
Victims of DoS attacks may suffer tremendous financial loss from the effects of negative publicity, losses of business and/or revenue, losses of productivity, and/or costs of repair or attack mitigation. As a result, many organizations have turned toward placing firewalls and/or intrusion protection systems (IPS) within their networks in an attempt to protect their resources against DoS attacks. However, these systems themselves are often the targets of DoS attacks, and further, such systems often cannot detect certain attacks that are not readily apparent within their network but are affecting the communication path(s) between their network and external users. Additionally, some types of DoS attacks—such as application layer DoS attacks—are particularly difficult to defend against using firewalls or IPS devices because many application layer DoS attacks are perpetrated using seemingly “legitimate” traffic that must be passed through to the target. Some organizations have also turned to the use of external mitigation services to protect against DoS attacks. However, while external mitigation solutions can mitigate some large-scale volumetric attacks, these solutions often cannot detect the existence of such attacks and further cannot protect against application layer attacks.