The Lumber Cartel, local 42 (Canadian branch)

Glossary - Denial of Service (DoS) attack

A DoS attack (spelled with a lower-case letter "o"), not to be confused with DOS (Disk Operating System, spelled with an upper-case letter "O"), is a malicious attack on another computer, launched from a single computer, that overwhelms the target so thoroughly that it effectively denies access to legitimate users.

Although the target computer may be capable of handling the high number of requests, the network connection may not be.  Either way, it doesn't really matter to the attacker as long as the objective is achieved.

Distributed Denial of Service (DDoS)

The DDoS attack is the same as the DoS attack, except that the attack is launched from multiple sources simultaneously.  When a regular DoS attack isn't effective, an attacker may coordinate and execute a DDoS attack to achieve their malicious objectives.

The sources tend to be unsecured computers connected to the internet throughout the world.  Some of these computers are infected by viruses or spyware (which is often the cause of the insecurity in the first place), but many businesses also unknowingly maintain open proxy servers and similar services that are continuously open to anonymous use (and abuse) by unknown third parties, often spammers and DDoS attackers, simply because they failed to hire adequately qualified professionals to set up their systems.

Preventive measures such as DNS-based blacklists (DNSBLs) focus on identifying unsecured computer systems and give systems administrators access to their databases of known offenders.  These databases are often used for blocking, to protect against high-volume spam and DDoS attacks that are launched through unsecured systems already known to the database.
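As an added illustration of how a DNSBL is consulted (example code written for this page, not part of the original glossary), the following builds the lookup name the way DNSBLs expect (address octets reversed, then the list's zone appended) and treats an answer inside 127.0.0.0/8 as "listed".  The zone name dnsbl.example and the two listed addresses are constructed placeholders; a real deployment would point the resolver at an actual list.

```python
import ipaddress
import socket
from typing import Callable, Optional

# Constructed stand-in for a DNSBL zone: query name -> the A record a real
# list would return.  dnsbl.example is a placeholder zone, not a real list.
FAKE_DNSBL_ZONE = "dnsbl.example"
FAKE_DNSBL_RECORDS = {
    "1.2.0.192.dnsbl.example": "127.0.0.2",      # constructed: listed as an open proxy
    "25.113.0.203.dnsbl.example": "127.0.0.4",   # constructed: listed as a compromised host
}


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name for an address.

    IPv4 lists expect the four octets in reverse order; IPv6 lists expect the
    32 hex nibbles of the expanded address in reverse order.  The list's zone
    is appended in both cases.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone


def fake_resolve(name: str) -> Optional[str]:
    """Offline resolver over the constructed records (None means NXDOMAIN)."""
    return FAKE_DNSBL_RECORDS.get(name)


def live_resolve(name: str) -> Optional[str]:
    """Resolver for real use: an A-record lookup via the system resolver.
    Unlisted addresses produce NXDOMAIN, which surfaces as socket.gaierror."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_listed(ip: str, zone: str = FAKE_DNSBL_ZONE,
              resolve: Callable[[str], Optional[str]] = fake_resolve) -> bool:
    """Return True if the list answers for this address.

    DNSBL answers are conventionally addresses in 127.0.0.0/8 (the last octet
    often encodes *why* the host is listed); anything outside that range is
    treated as not listed, which also guards against wildcard or hijacked
    zones that answer for every name.
    """
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return False
    return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")


def filter_sources(sources: list[str]) -> dict[str, bool]:
    """Decide, for each connecting address, whether it should be blocked."""
    return {src: is_listed(src) for src in sources}


if __name__ == "__main__":
    # Constructed sample of connecting addresses (documentation ranges only).
    for src, blocked in filter_sources(["192.0.2.1", "198.51.100.7", "203.0.113.25"]).items():
        print(src, "blocked" if blocked else "allowed")
```

To use a real list, pass resolve=live_resolve and the list's zone name; the lookup-name construction and the 127.0.0.0/8 check stay the same.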

The Slashdot effect

One of the challenges of internet security is that what looks like a DDoS attack can sometimes be caused by a large amount of legitimate traffic.  There have been many instances where web servers failed after one of their sites was featured in the famously popular online publication Slashdot (http://www.slashdot.com/).

Although Slashdot obviously doesn't intend to cause these problems, they are known to occur from time to time because of the sheer number of users who read the articles and follow the links to the featured site.  In some cases there are even reports of servers that crashed, mostly due to running out of disk space (after which errors in some software caused data corruption by overwriting other good data), overheating (due to the unexpected extra workload on machines that were probably not properly maintained in the first place), and so on.

Network overload

Sometimes the effects of a DoS attack are achieved by saturating the network (or networks) that provide access to the targeted computers.  When too many requests are sent over a network connection, the extra requests are ignored and the user sees an error to that effect (after any automatic retries also fail).

For example, if a network connection is capable of handling traffic for a maximum of approximately 3,000 requests and responses per minute, then a DoS attack that sends more than 30,000 requests per minute will effectively create a "digital traffic jam" that causes other requests to be dropped/ignored/lost (including requests initiated by the DoS attacker, which the attacker may interpret as confirmation of success).

Process overload

When the network connection is capable of handling more traffic than a DoS (or DDoS) attack can generate, then the DoS attack must overload the target computers to succeed.  There are a number of different ways that a computer can get overwhelmed with requests, such as:

  • Too many simultaneous connections
  • Exploitation of errors in the software that cause memory leaks
  • Causing "full disk" scenarios
  • Exhausting resources by repeatedly triggering high-utilization processes
  • ...and many more...

If too many processes are active on the server at the same time, errors can occur (this is usually limited by techniques such as the request backlog options in the TCP stack).  A common approach to preventing such problems is to submit all high-utilization work, on behalf of user requests, to a queue, so that the maximum number of simultaneous instances of these processes can be controlled.
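As an added example (written for this page, not taken from the original), here is the admission-control pattern the paragraph describes: a bounded set of running jobs, a bounded backlog behind it (the same role the TCP listen backlog plays for connections), and immediate rejection of anything beyond that so a burst of expensive requests cannot pile up without limit.  The limits and the burst size are constructed values.

```python
from collections import Counter, deque
from typing import Optional


class BoundedJobQueue:
    """Admission control for high-utilization work.

    At most max_active jobs run at once; at most max_waiting sit in the
    backlog; every further submission is rejected right away.  Rejecting early
    is the point: a server that keeps accepting work it cannot schedule runs
    out of memory, file handles or disk long before the work completes.
    """

    def __init__(self, max_active: int, max_waiting: int) -> None:
        self.max_active = max_active
        self.max_waiting = max_waiting
        self.active: set = set()
        self.waiting: deque = deque()
        self.rejected = 0

    def submit(self, job_id) -> str:
        """Return 'running', 'queued' or 'rejected' for this submission."""
        if len(self.active) < self.max_active:
            self.active.add(job_id)
            return "running"
        if len(self.waiting) < self.max_waiting:
            self.waiting.append(job_id)
            return "queued"
        self.rejected += 1
        return "rejected"

    def finish(self, job_id) -> Optional[object]:
        """Release a running job's slot and promote the oldest waiting job.
        Returns the promoted job id, or None if the backlog was empty."""
        self.active.discard(job_id)
        if self.waiting:
            promoted = self.waiting.popleft()
            self.active.add(promoted)
            return promoted
        return None


def simulate_burst(burst: int, max_active: int = 4, max_waiting: int = 8) -> dict:
    """Submit `burst` expensive jobs at once and report how they were handled.
    Whatever the burst size, no more than max_active + max_waiting jobs are
    ever held by the server."""
    queue = BoundedJobQueue(max_active, max_waiting)
    outcomes = Counter(queue.submit(i) for i in range(burst))
    return dict(outcomes)


if __name__ == "__main__":
    # Constructed scenario: 50 report-generation requests arrive at once.
    print(simulate_burst(50))
```

The queue itself is deliberately single-threaded so the accounting is easy to follow; in a real server the same bookkeeping sits behind a lock or a semaphore, and the worker that finishes a job calls finish() to pull the next one from the backlog.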

There are many other approaches as well, such as dynamically placing limits on high-usage sources (which, unfortunately, is often defeated by DDoS attacks that originate from a very large number of sources).
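The following added example (written for this page, not part of the original glossary) shows a per-source limit of the kind just mentioned, implemented as a token bucket, and then runs it over two constructed floods of identical size: one from a single address, which the limit cuts down to roughly the sustainable rate, and one spread across two hundred addresses, which passes through untouched.  That second result is the weakness the paragraph points out.  The addresses, rates and request counts are all constructed.

```python
from typing import Dict, List, Tuple


class SourceRateLimiter:
    """Token bucket per source address.

    Each source earns `rate` tokens per second up to a cap of `burst`; a
    request costs one token and is refused when the bucket is empty.  A single
    source therefore gets at most `burst` requests immediately and `rate`
    requests per second after that.
    """

    def __init__(self, rate: float, burst: int) -> None:
        self.rate = rate
        self.burst = burst
        # source -> (tokens remaining, timestamp of last update)
        self.buckets: Dict[str, Tuple[float, float]] = {}

    def allow(self, source: str, now: float) -> bool:
        tokens, last = self.buckets.get(source, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self.buckets[source] = (tokens - 1.0, now)
            return True
        self.buckets[source] = (tokens, now)
        return False


def run_limiter(requests: List[Tuple[float, str]], rate: float = 5.0, burst: int = 10) -> Tuple[int, int]:
    """Feed (timestamp, source) pairs through a fresh limiter.
    Returns (allowed, refused)."""
    limiter = SourceRateLimiter(rate, burst)
    allowed = sum(1 for ts, src in requests if limiter.allow(src, ts))
    return allowed, len(requests) - allowed


def single_source_flood(count: int, duration: float) -> List[Tuple[float, str]]:
    """Constructed DoS traffic: `count` requests from one address over `duration` seconds."""
    return [(i * duration / count, "203.0.113.9") for i in range(count)]


def distributed_flood(count: int, duration: float, sources: int) -> List[Tuple[float, str]]:
    """Constructed DDoS traffic: the same request volume spread evenly across
    `sources` addresses (documentation range 198.51.100.0/24)."""
    return [(i * duration / count, f"198.51.100.{1 + i % sources}") for i in range(count)]


if __name__ == "__main__":
    # 600 requests in 10 seconds, i.e. 60/s against a 5/s-per-source limit.
    print("single source :", run_limiter(single_source_flood(600, 10.0)))
    print("200 sources   :", run_limiter(distributed_flood(600, 10.0, 200)))
```

In production the timestamps come from time.monotonic() and the limiter sits in front of the expensive handler; the numbers above make the shortcoming concrete, since 600 requests from one host are held to about 60 while the same 600 requests from 200 hosts are all accepted, so per-source limits have to be combined with other measures against a distributed attack.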

See also


Copyright © Inter-Corporate Computer & Network Services, Inc.  All rights reserved.
All trademarks are the property of their respective owners.