Imagine your website suddenly becomes unreachable. Your customers can't access your services, your team can't log into critical systems, and your online presence has effectively vanished. This scenario describes a Denial of Service (DoS) attack – one of the most common yet potentially devastating cyber threats organizations face today.
DoS attacks and their more powerful variant, Distributed Denial of Service (DDoS) attacks, don't aim to steal data. Instead, they make services unavailable by overwhelming servers, networks, or applications with more traffic than they can handle. The consequence is almost always lost revenue and frustrated users and customers.
Understanding DoS vs. DDoS
At its core, a Denial of Service attack bombards a target with excessive traffic or requests until it can no longer function properly. Every server has finite resources – processing power, memory, bandwidth – and when these are exhausted, legitimate users can't access services.
A Distributed Denial of Service (DDoS) attack amplifies this by using multiple compromised systems (often botnets) as attack traffic sources.
This provides attackers with:
- Greater volume for more disruptive attacks
- Harder detection, because the attacking systems are scattered across many networks
- Harder mitigation, because many source systems must be blocked rather than one
- Anonymity for the true attacker behind compromised systems
Modern DDoS attacks can reach staggering sizes, with some recorded at over 3.47 Tbps – enough to temporarily cripple almost any unprotected infrastructure.
Types of Denial of Service attacks
To name a few of the attack types (new attack methods are always being created):
Volume-based attacks
- UDP Floods: Exploit the connectionless nature of UDP protocols to overwhelm targets
- ICMP Floods (Smurf Attacks): Send spoofed packets that ping every computer on a network
- Ping of Death: Sends oversized or malformed ICMP packets that can crash vulnerable targets
- Amplification Attacks: Use techniques to multiply traffic volume, turning small requests into massive responses
- Memcached Attacks: Exploit misconfigured memcached servers for amplification (up to 50,000x)
- NTP Amplification: Use Network Time Protocol servers to multiply traffic (up to 556.9x)
Protocol attacks
- SYN Floods: Overwhelm servers by sending connection requests without completing the TCP handshake
- Fragmented Packet Attacks: Send malformed packets that targets can't reassemble
- DNS Amplification: Leverage vulnerable DNS servers to amplify traffic
- SACK Panic: Exploit TCP Selective Acknowledgment vulnerability to cause kernel panics
- Teardrop Attacks: Send mangled IP fragments with overlapping payloads to crash TCP/IP reassembly processes
- TTL Expiry Attacks: Force routers to generate ICMP time exceeded responses, consuming CPU resources
Application layer attacks
- HTTP Floods: Overwhelm web servers with seemingly legitimate HTTP GET or POST requests
- HTTPS Floods: Similar to HTTP floods but with the added overhead of TLS encryption/decryption
- Slowloris: Keep many connections open by sending partial HTTP requests, eventually exceeding the server's connection pool
- HTTP Slow POST: Send complete HTTP headers with extremely slow message bodies, tying up server resources
- R-U-Dead-Yet (RUDY): Target web applications by exhausting sessions with never-ending POST transmissions
- Slow Read Attacks: Send legitimate requests but read responses very slowly, keeping connections open
- Challenge Collapsar (CC): Send requests that trigger expensive, time-consuming server-side computation to exhaust resources
- Database/Search Query Floods: Send resource-intensive database queries to consume CPU and memory resources
- SSL/TLS Renegotiation Attacks: Exploit the computational overhead of repeated handshake requests
Advanced attack types
- Advanced Persistent DoS (APDoS): Sophisticated, multi-vector attacks that persist for extended periods
- Multi-Vector/Mixed-Mode Attacks: Combine multiple attack vectors (e.g., SYN flood + DNS amplification + HTTP flood) to overwhelm different defense layers simultaneously
- Yo-yo Attacks: Target cloud-hosted applications with autoscaling, causing resource wastage and financial drain
- Degradation-of-Service: Use intermittent, pulsing attacks to slow services rather than crash them
- Permanent DoS (PDoS/Phlashing): Damage systems by corrupting firmware, requiring hardware replacement
- Markov-modulated Attacks: Disrupt control packets using hidden Markov models (common in online gaming)
- Telephony DoS (TDoS): Flood phone systems with calls to prevent legitimate communication
Reflection & amplification methods
- SSDP Reflection: Exploit Simple Service Discovery Protocol to reflect and amplify traffic
- UPnP Attacks: Use vulnerabilities in Universal Plug and Play to bypass security and flood targets
- CoAP Amplification: Exploit Constrained Application Protocol for 10-50x amplification
- Memcached Reflection: Send small requests to exposed memcached servers, triggering massive responses (amplification factor up to 50,000x)
- SNMP, CLDAP Reflection: Exploit misconfigured services that respond to small queries with large responses
- ARMS, Quake, and BitTorrent: Various protocols that can be abused for reflection attacks
- ARP Spoofing: Associate attacker's MAC address with victim's IP to redirect traffic
Attack tools and mechanisms
Botnets and malware
Cybercriminals leverage networks of compromised devices to launch massive distributed attacks. A botnet is a network of internet-connected devices (often compromised without their owners’ knowledge) that attackers control as a unified group. These devices—referred to as “bots” or “zombies”—are typically infected by malware that allows a central operator or “botmaster” to issue commands to them.
Botnets are commonly used to launch large-scale cyberattacks, such as Distributed Denial of Service (DDoS), send spam, or perform automated tasks on a massive scale.
For example, the Mirai botnet, which primarily infected IoT devices with default credentials, demonstrated the devastating potential of these networks. In 2016, the Mirai botnet attacked Dyn (an ISP for Twitter, Netflix, and other major sites), causing widespread outages.
Attack tools and services
Again, to name a few popular attack tools (there is a practically unlimited and ever-increasing number of attack tools and services):
- LOIC (Low Orbit Ion Cannon) and HOIC (High Orbit Ion Cannon): Popular tools that flood targets with HTTP, TCP, or UDP requests
- Custom Scripts: Advanced attackers deploy targeted scripts to exploit specific vulnerabilities
- Metasploit Modules: Allow integration of DoS attacks into broader exploitation frameworks
- DDoS-as-a-Service (Booters/Stressers): Commercial services that allow technically unsophisticated attackers to launch powerful attacks through web-based interfaces
- Stacheldraht: Classic DDoS tool using a layered structure where handlers control zombie agents
Amplification techniques
Attackers leverage protocols like DNS, NTP, and SSDP by sending small requests with spoofed source IPs, causing servers to send much larger replies to the victim. Some amplification attacks can achieve ratios exceeding 50,000:1 with misconfigured memcached servers. A vulnerability in Mitel MiCollab systems allowed an extraordinary amplification factor of roughly 2.2 billion to one.
Detecting DoS attacks
Warning signs
- Sudden traffic spikes without legitimate explanation
- Abnormal patterns from repeated requests or suspicious geographic origins
- Service degradation (slow responses, timeouts, or complete unavailability)
- Resource exhaustion (maxed CPU, memory, or bandwidth)
Monitoring approaches
Real-time traffic analysis helps detect attacks by identifying irregularities in data packets. Advanced systems can differentiate between legitimate traffic surges and actual attacks by analyzing patterns and user behavior.
Machine learning algorithms enhance detection by establishing normal baseline behavior and flagging deviations, allowing for quicker identification and response.
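The baseline-and-deviation idea above, as an added illustration that is not part of the original post: a small Python detector that buckets constructed access-log events into time windows, derives a threshold (mean plus k standard deviations) from quiet windows, flags windows that exceed it, and reports whether the excess traffic is concentrated in one source (DoS) or spread across many (DDoS). The sample events, IP ranges and thresholds are all constructed for the example.

```python
"""Toy DoS warning-sign detector over constructed access-log events."""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed sample: (unix_second, client_ip, path). Not real traffic.
# 60 s of quiet traffic at ~1 request/s from five internal clients ...
QUIET = [(t, f"10.0.0.{1 + t % 5}", "/") for t in range(0, 60)]
# ... followed by 10 s of 40 requests/s spread over twenty sources.
FLOOD = [(t, f"203.0.113.{n % 20}", "/search?q=x")
         for t in range(60, 70) for n in range(40)]
SAMPLE = QUIET + FLOOD


def bucket(events, window=5):
    """Group events into fixed windows: {window_start: [(ip, path), ...]}."""
    buckets = defaultdict(list)
    for t, ip, path in events:
        buckets[t - t % window].append((ip, path))
    return dict(sorted(buckets.items()))


def baseline(counts, k=3.0):
    """Threshold = mean + k * stddev of the quiet-window counts.
    Floored at 2x mean so a perfectly flat baseline does not alert on noise."""
    m = mean(counts)
    return max(m + k * pstdev(counts), 2 * m)


def detect(events, window=5, baseline_windows=6, k=3.0, top=3):
    """Return alerts as (window_start, count, threshold, kind, top_sources).

    The first `baseline_windows` windows are assumed quiet and define the
    threshold; every later window above it is reported. `kind` is
    'single-source' when one IP sends at least half of the window's requests
    (a classic DoS), otherwise 'distributed' (DDoS-like)."""
    buckets = bucket(events, window)
    starts = list(buckets)
    thr = baseline([len(buckets[s]) for s in starts[:baseline_windows]], k)
    alerts = []
    for s in starts[baseline_windows:]:
        reqs = buckets[s]
        if len(reqs) > thr:
            srcs = Counter(ip for ip, _ in reqs).most_common(top)
            kind = "single-source" if srcs[0][1] / len(reqs) >= 0.5 else "distributed"
            alerts.append((s, len(reqs), thr, kind, srcs))
    return alerts
```

In the sample the six quiet windows hold five requests each, so the threshold is 10, and the two flood windows (200 requests each, no source above 5%) are reported as distributed.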
Tools for real-time analysis
- NetFlow & sFlow: Network traffic collection and analysis.
- Snort, Suricata, Zeek: IDS/IPS tools for detecting abnormal traffic patterns.
- AWS Shield, Cloudflare, Akamai: Cloud-based DDoS protection and monitoring services.
Tools leveraging machine learning
- Splunk, Elastic Stack: SIEM platforms with anomaly detection capabilities.
- Darktrace, ExtraHop, Vectra: ML-driven network monitoring solutions for spotting unusual behaviors.
Why DIY protection often falls short
Many organizations attempt to implement DoS protection themselves, but face challenges:
- Scale: Modern DDoS attacks can exceed terabits per second
- Complexity: Multi-vector attacks combine different techniques
- Expertise: Effective mitigation requires specialized knowledge
- Infrastructure: Most organizations lack the distributed network capacity to absorb large-scale attacks
The xTom approach to DoS protection
At xTom, we've developed a comprehensive, multi-layered approach to DoS protection tailored to your specific infrastructure needs.
With the evolving threat landscape featuring increasingly sophisticated attacks, our protection strategy incorporates:
- Advanced traffic analysis to identify and filter malicious traffic patterns in real-time, detecting both classic flood attacks and sophisticated application-layer threats
- Distributed network architecture that can effectively absorb and diffuse attack traffic, even during multi-vector attacks
- Hardware-level protection for customers that guards against resource exhaustion attacks
- Virtualization security for V.PS customers that prevents resource exhaustion and isolates neighboring virtual machines from attacks or abuse
- 24/7 security monitoring to identify and respond to emerging threats
- Custom mitigation strategies designed for your specific infrastructure requirements and application profile
- Upstream filtering capability through our IP transit services to mitigate attacks before they reach your infrastructure
Whether you're running mission-critical applications on our dedicated servers, using our scalable NVMe-powered KVM virtual private servers, or using our colocation services, we work with you to implement the level of protection your business needs.
Conclusion
Denial of Service attacks remain among the most common and disruptive threats today for any digital business. As these attacks evolve with new techniques constantly emerging, attempting to combat them alone becomes increasingly challenging.
Understanding attack mechanisms is the first step in protection, but effective defense requires specialized infrastructure and expertise.
If you're concerned about your infrastructure's ability to withstand DoS attacks, contact xTom for a consultation. Our team can assess your current vulnerabilities and recommend appropriate protection strategies using our dedicated servers, NVMe-powered V.PS virtual servers, colocation services, or IP transit services.
Frequently asked questions about Denial of Service attacks
What's the difference between DoS and DDoS attacks?
A DoS attack comes from a single source, while a DDoS attack uses multiple compromised computers. DDoS attacks are harder to block because traffic comes from numerous sources.
How can I tell if I'm experiencing a DoS attack?
Look for unusually slow network performance, service unavailability, excessive resource consumption, and sudden, unexplained traffic spikes.
Will a basic firewall protect against DoS attacks?
Standard firewalls provide limited protection against simple DoS attacks but are insufficient against large-scale or sophisticated DDoS attacks.
How long do DoS attacks typically last?
Duration varies widely from hours to weeks. Some attackers use intermittent attacks to avoid detection or exhaust responders.
Can small businesses be targeted?
Absolutely. Smaller businesses are frequent targets because they often have fewer protections in place.
What steps should be taken after detecting a DoS attack?
Contact your hosting provider immediately, document attack patterns, consider temporary alternatives if available, and implement appropriate filtering measures.
How effective are cloud-based anti-DDoS services?
They can be highly effective due to massive network capacity and sophisticated traffic analysis systems that can mitigate attacks closer to the source.
What makes certain websites more vulnerable?
Vulnerabilities include insufficient bandwidth, lack of redundancy, outdated software with known exploits, misconfigured networks (such as exposed memcached servers), inadequate monitoring systems, and applications with resource-intensive processes like complex database queries, which are particularly susceptible to application-layer attacks.
Are IoT devices a significant factor in modern DDoS attacks?
Yes, insecure Internet of Things devices have become a major contributor to DDoS attacks. With often minimal security protections and default credentials, these devices can be easily compromised and incorporated into botnets. The Mirai botnet, which launched some of the largest DDoS attacks in history, primarily consisted of compromised IoT devices like cameras, DVRs, and routers.