What Is a Denial-of-Service (DoS or DDoS) Attack?
Denial-of-service (DoS) attacks occur when an attacker sends an overwhelming amount of traffic to a server. Once the server is overwhelmed, legitimate visitors can’t access your website. Sometimes a legitimate spike in traffic can take a website down, for example when a blog post or video goes viral. In a DoS attack, however, the spike in traffic is deliberately malicious.
There are many types of denial-of-service attacks. In this article, we will talk about DoS attacks that target a server’s network and how their effects can be minimized.
Types of DoS Attacks
There are two main categories of DoS attacks:
- Direct DoS attacks
- Reflection DoS attacks
Direct Attack
A direct attack is when an attacker sends a massive amount of traffic directly to your server. The traffic overwhelms your server’s ability to process requests. When it can’t process any more requests, your websites won’t load anymore.
Reflection Attack
A reflection attack is a bit more complex. An attacker tricks a third computer or network into sending overwhelming amounts of legitimate traffic to your server. For example, it is common for Network Time Protocol (NTP) to be an attack vector. NTP synchronizes clocks between computer systems. Servers use NTP to ask each other what time it is. To use NTP in a reflection DoS attack, the attacker sends time and date requests to a third computer via NTP while spoofing your IP address.
Because the attacker spoofed your IP, the attacker sends the requests, but the responses to those requests are sent to your server. This creates a DoS attack because, while the attacker’s request is very small, usually a single packet of about 50 bytes, the response can be up to 10 packets of between 100 and 500 bytes each. The attacker can therefore send a relatively small amount of traffic that bounces back as a huge amount of traffic to overwhelm your server. Other services susceptible to these reflection attacks are DNS and SNMP (Simple Network Management Protocol).
Finding DoS Attackers
It is very difficult to find the source behind a DoS attack. Today, an attack from a single IP address directly hitting a server is rare. When it does happen, analyzing the traffic and general server logs can identify the offending IP, which can then be blocked to stop the unwanted traffic.
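The two traffic patterns described so far, a single source flooding the server directly and NTP replies arriving that the server never asked for, can be told apart in flow records. The following is an added example for this article, not Liquid Web tooling; the record layout, the thresholds and the documentation-range addresses are assumptions:

```python
from collections import Counter

# UDP services the article names as reflection vectors, keyed by source port.
REFLECTION_PORTS = {123: "NTP", 53: "DNS", 161: "SNMP"}
SERVER_IP = "198.51.100.10"  # constructed: the protected server

# Constructed flow records: (direction, src_ip, src_port, dst_ip, dst_port, packets, bytes)
FLOWS = [
    # legitimate: the server asked a time server and got one small answer back
    ("out", SERVER_IP, 40001, "203.0.113.5", 123, 1, 48),
    ("in", "203.0.113.5", 123, SERVER_IP, 40001, 1, 48),
    # reflection: NTP replies the server never requested, 10 packets each
    ("in", "203.0.113.20", 123, SERVER_IP, 80, 10, 4820),
    ("in", "203.0.113.21", 123, SERVER_IP, 80, 10, 4900),
    # direct flood: one host sending far more packets than anyone else
    ("in", "203.0.113.99", 51000, SERVER_IP, 80, 12000, 720000),
    ("in", "203.0.113.7", 51234, SERVER_IP, 80, 30, 18000),
]


def unsolicited_responses(flows):
    """Bytes per service of inbound traffic from a reflection port that matches
    no outbound request (same peer, peer port and local port)."""
    requested = {(dst, dport, sport) for d, _src, sport, dst, dport, _p, _b in flows
                 if d == "out"}
    reflected = Counter()
    for d, src, sport, _dst, dport, _pkts, nbytes in flows:
        if d == "in" and sport in REFLECTION_PORTS and (src, sport, dport) not in requested:
            reflected[REFLECTION_PORTS[sport]] += nbytes
    return dict(reflected)


def top_sources(flows, min_packets):
    """Inbound source IPs sending more than min_packets, the direct-flood suspects."""
    pkts = Counter()
    for d, src, _sp, _dst, _dp, count, _b in flows:
        if d == "in":
            pkts[src] += count
    return sorted(ip for ip, n in pkts.items() if n > min_packets)


def amplification_factor(request_bytes, response_packets, response_packet_bytes):
    """Response bytes per request byte. With the article's figures (a 50-byte
    request, up to 10 replies of 100 to 500 bytes) this is 20x to 100x."""
    return response_packets * response_packet_bytes / request_bytes


if __name__ == "__main__":
    print("unsolicited reflection bytes:", unsolicited_responses(FLOWS))
    print("direct-flood suspects:", top_sources(FLOWS, min_packets=1000))
    print("NTP worst-case amplification:", amplification_factor(50, 10, 500))
```

Matching inbound replies against outbound requests is what separates a genuine NTP answer from a reflected one; on a real server the records would come from flow export or a packet capture rather than the constructed list.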
Unfortunately, this is no longer the preferred DoS attack method. Most attackers will hide behind a botnet. A botnet is a network of computers controlled by a single attacker. The attacker installs malicious software on other computers, which lets the attacker control them. The attacker then sends commands to this network of bad bots and has them either directly attack an IP or use the reflection method by spoofing the attacked IP. To further hide themselves, attackers usually use a proxy server, sometimes referred to as a “zombie computer”, to send the commands that start the attack.
Attacks that use a botnet or another large network of computers are considered distributed denial-of-service attacks, or DDoS attacks.
Defending Against DoS Attacks
Remember, a DoS attack is a malicious action. There is ultimately no way to keep your server from potentially being attacked, just like there’s no way to guarantee your car is never stolen. If you are the target of a DoS attack, however, there are a number of things Liquid Web can do to end the attack.
Some smaller attacks can be handled by the server-level software firewall, such as CSF (ConfigServer Security & Firewall). Because a software firewall runs on the server itself, the server still has to process every packet of the attack traffic. Using the software firewall can mitigate these attacks, but larger ones are often impossible for the server to handle on its own.
In a large distributed DoS attack, attackers throw as much bogus traffic at the IP as they can to stop legitimate traffic from reaching the server. This usually saturates the switch port, which connects different parts of a network together. A port can only physically handle so much traffic; once it is saturated, it cannot carry any more, and the server never even sees the additional traffic. The overflow can also spill into other switch ports, affecting other servers on the network.
When this happens, we stop the attack by rerouting and dropping the illegitimate network traffic. This is called null routing. The only way to mitigate these types of attacks is external to the server, at the infrastructure level. If you think your server is being attacked, contact our Support team right away.
If you are concerned about potential DoS attacks, there are different options to explore. Every Liquid Web server is automatically protected from DoS attacks as large as 2 Gbps. For larger attacks, we offer specific DDoS attack monitoring and protection for your server. We also partner with Cloudflare, a service that distributes network traffic to protect your site.
To learn more about Liquid Web’s range of hosting services, which include everything from bare metal servers to cloud VPS instances to GPU servers, contact us now.