Denial of Service Attacks, What Are They?
Imagine your system is running smoothly, and then an overwhelming number of requests bombards your applications, limiting the system’s ability to respond to legitimate incoming requests. This type of attack is known as a Denial of Service, or DoS, attack.
A foundational understanding of what a DoS attack means for your business is vital to understanding what can be implemented to prevent one. When your applications fall victim to a DoS attack, your systems are unable to respond to requests in a timely manner, and eventually the applications become so overwhelmed that instead of providing a delayed response, they deny requests altogether. These attacks also expose your system to hackers and expose the data you've collected. Below are important details about Denial of Service attacks and a few key points we use to help you choose the right cloud provider services and mitigate the different types of DoS attacks.
A Denial of Service (DoS) attack generates large volumes of packets or requests that overwhelm the target system. DoS attacks are categorized by which layer of the Open Systems Interconnection (OSI) model they target. For visual learners, it is helpful to picture both the TCP/IP and OSI models side by side. DoS attacks are mostly seen at the Network (Layer 3), Transport (Layer 4), Presentation (Layer 6), and Application (Layer 7) layers.
TCP/IP Model and Open Systems Interconnection (OSI) Model:
Infrastructure Layer Attacks (Layers 3 & 4):
Infrastructure Layer attacks are the most common DoS attacks. Some of their most common characteristics are:
- Synchronize (SYN) floods and User Datagram Protocol (UDP) floods
- Large in volume; their goal is to overload the capacity of networks and application servers
- Clear signatures that are easy to detect
Application Layer Attacks (Layers 6 & 7):
Application Layer attacks are the least common type of Denial of Service attacks. Some of the most common characteristics of these more sophisticated attacks are:
- Target the application itself to make it unavailable to end users
- Very costly impact on the business
- Most common examples: floods of HTTP requests to a login page, expensive API searches
What Can Be Done? DoS Protection Techniques:
We are often asked what you can do to improve your cloud security posture. We usually start by evaluating our clients' environment with DoS protection top of mind, and surprisingly, basic techniques are rarely implemented. In most cases we apply several techniques, look for opportunities to optimize the client’s security, and then quickly put security processes in place. Here we share the top two best practices and procedures used in our clients' security assessments and evaluations.
1. Reduce Potential Attack Surface Area
First and foremost, we recommend you minimize the surface area of application and compute resources by opening only the ports and protocols on which communication is expected (Firewalls, LB, ACL, SG). Additionally, here are some more ways to help reduce your attack surface area:
- Place resources behind Content Distribution Networks (CDNs) or Load Balancers
- Restrict direct internet traffic to Virtual Private Cloud (VPC) by implementing Internet Gateways for public subnets and NAT Gateways for the private subnets
- Ensure that database servers are in private subnets or VPN-only subnets
- Make sure no cloud-native storage services are publicly accessible
- Use cloud-managed services as the first option for firewalls, CDNs, and load balancers
- Implement ACLs and SGs to control inbound and outbound traffic to applications and databases
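As an added illustration of the "open only the expected ports" and "databases in private subnets" points above (example code written for this page, not a tool from the original post or any cloud provider), the following audit walks a list of ingress rules and flags the ones that widen the attack surface. The rule format, the expected public ports, and the database port list are all assumptions made for the example.

```python
from ipaddress import ip_network

# Ports the application is expected to serve to the internet (assumption for this example).
EXPECTED_PUBLIC_PORTS = {80, 443}
# Database ports that must never be reachable from the internet (assumption).
DATABASE_PORTS = {3306, 5432, 1433, 27017}
ALL_PORTS = -1  # constructed convention: -1 means "all ports"

def is_internet_cidr(cidr):
    """True when the CIDR covers the whole internet (0.0.0.0/0 or ::/0)."""
    return ip_network(cidr, strict=False).prefixlen == 0

def audit_ingress_rules(rules):
    """Return findings for ingress rules that widen the attack surface.

    Each rule is a dict with 'port', 'protocol' and 'cidr'. The shape is
    constructed for this example, not a cloud provider's API format.
    """
    findings = []
    for rule in rules:
        port, cidr = rule["port"], rule["cidr"]
        if not is_internet_cidr(cidr):
            continue  # sources inside the VPC or an admin range are accepted here
        if port == ALL_PORTS or rule["protocol"] == "all":
            findings.append(f"all traffic open to {cidr}")
        elif port in DATABASE_PORTS:
            findings.append(f"database port {port} open to {cidr}")
        elif port not in EXPECTED_PUBLIC_PORTS:
            findings.append(f"unexpected port {port} open to {cidr}")
    return findings

# Constructed sample: a weak security group and its hardened counterpart.
WEAK_RULES = [
    {"port": 443, "protocol": "tcp", "cidr": "0.0.0.0/0"},
    {"port": 22, "protocol": "tcp", "cidr": "0.0.0.0/0"},
    {"port": 5432, "protocol": "tcp", "cidr": "0.0.0.0/0"},
    {"port": ALL_PORTS, "protocol": "all", "cidr": "::/0"},
]
HARDENED_RULES = [
    {"port": 443, "protocol": "tcp", "cidr": "0.0.0.0/0"},      # HTTPS via the load balancer
    {"port": 22, "protocol": "tcp", "cidr": "203.0.113.0/24"},  # admin range only
    {"port": 5432, "protocol": "tcp", "cidr": "10.0.1.0/24"},   # app subnet only
]

if __name__ == "__main__":
    for finding in audit_ingress_rules(WEAK_RULES):
        print("weak:", finding)
    print("hardened findings:", audit_ingress_rules(HARDENED_RULES))
```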
2. Ensure HA When Demand Increases, Plan for Scale!
Anyone in Information Technology will tell you to always plan for increases in bandwidth, transit capacity, and compute. Additionally, here are some more ways to plan for scale at a basic level:
- Monitor and log activity on firewalls, load balancers, and Content Distribution Networks (CDNs) so you are ready to scale up and down
- Implement native and third-party tools for reporting and incident detection (monitoring traffic and IPs, as well as unexpected geographies, to block or offset)
- Implement a Web Application Firewall (WAF) for SQL injection and cross-site request forgery attacks
- Implement auto-scaling for compute resources
- Architect for fault-tolerant applications with high availability (multi-region and multi-availability-zone (AZ))
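The monitoring and incident-detection point above, and the login-page example from the Application Layer section, as an added example (written for this page, not code from the original post or any vendor tool): a per-client sliding-window check over access-log lines that flags clients hammering an expensive endpoint such as /login. The log line format, the sample IPs and the threshold are assumptions constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format for this example: "<client-ip> <ISO-8601 time> <method> <path> <status>".
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.fromisoformat(ts), method, path, int(status)

def detect_floods(lines, path_prefix="/login", threshold=20, window_seconds=10):
    """Return {client_ip: peak_count} for clients that sent more than
    `threshold` requests to `path_prefix` inside any `window_seconds` window.
    Lines are assumed to arrive in roughly chronological order.
    """
    windows = defaultdict(deque)  # per-client timestamps inside the window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, _method, path, _status = parsed
        if not path.startswith(path_prefix):
            continue  # only the expensive endpoint is rate-checked here
        q = windows[ip]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=window_seconds):
            q.popleft()  # drop timestamps that fell out of the window
        if len(q) > threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

def sample_log():
    """Constructed sample: one normal user and one client flooding /login."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    lines = [f"198.51.100.7 {(base + timedelta(seconds=12 * i)).isoformat()} POST /login 401"
             for i in range(5)]
    lines += [f"203.0.113.9 {(base + timedelta(milliseconds=100 * i)).isoformat()} POST /login 401"
              for i in range(60)]
    lines.append(f"203.0.113.9 {base.isoformat()} GET /static/app.js 200")  # not counted
    return lines

if __name__ == "__main__":
    print(detect_floods(sample_log()))  # {'203.0.113.9': 60}
```

The flagged dictionary is the kind of output you would feed to a WAF rate-based rule or a block list rather than acting on it by hand.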
Top cloud services for protecting against Denial of Service (DoS):
AWS services for preventing Denial of Service (DoS), in detail:
Denial of Service (DoS) is one of the most common attacks IT security professionals face, but there are many good ways to prevent these attacks. If you are having issues with Denial of Service (DoS) attacks, reach out, and we can help you implement the best practices that keep your applications safe.