If your website is unreachable, your log files are filling up, and your server’s resource utilization is maxed out, you might be in the midst of a Denial of Service attack. These attacks can disrupt your operations and take your site offline. If you’re in the midst of a Denial of Service attack or a distributed Denial of Service attack, don’t panic: there are ways to mitigate these attacks and regain control of your digital presence.
A Denial of Service attack is one of the earliest known and most common cyber attacks targeting websites and web applications. It doesn’t matter if you’re a small business or a large Fortune 100 corporation, the technology that serves your website to the public is essentially the same. The size of your business doesn’t matter to attackers when they target you with a DoS attack. Malicious attackers use the same methods to disrupt your business and often have similar motives, no matter how large or small your business is.
In this guide to Denial of Service attacks, you will learn the methods attackers use to take down websites and whole networks, how to spot a DoS or DDoS attack targeting your business, how to mitigate it, and how to keep your website online for your customers.
What is Denial of Service (DoS)?
A Denial of Service is a cyber attack performed by flooding a system with malicious requests with the purpose of reducing its availability to the intended users. Denial of service is a resource exhaustion attack, which exploits the limited capacity of the victim service to accept and process incoming requests.
DoS attacks are highly versatile and can target various systems, including individual websites and web applications, servers, routers, and even whole networks. Regardless of the target system, a Denial of Service attack will likely cause it to hang or crash due to exhausting the pool of computing resources it’s allocated, such as CPU and memory.
Although DoS attacks are malicious, they do not give the attacker control over the victim’s website or data the way injection attacks such as SQL injection (SQLi) or cross-site scripting (XSS) can; their effect is on availability alone. Resource exhaustion is, however, often a side effect of or a cover for other malicious activity, such as brute force attacks, and any attack that drives resource utilization high enough to deny service to legitimate users falls under the category of Denial of Service.
How Does a DoS Attack Work?
A Denial of Service attack is performed by instructing a computer, or a network of computers controlled by the attacker, to send large volumes of requests, often malformed, to the target system. This will cause a strain on the web server and other resources, which will prevent legitimate requests, such as those from your customers, prospects, and other site visitors, from being processed, ultimately resulting in a Denial of Service.
If a system is under a DoS attack, legitimate requests sent to it will be queued and eventually discarded because no computing resources are available to serve them. A “request timed out” error in the browser indicates exactly this: the browser could not complete a connection because the web server was overloaded and unable to accept any more requests.
When carrying out a DoS attack, the attacker picks a weak spot in the target system and crafts the requests so that each one consumes as much of the target’s capacity as possible. Depending on the targeted network endpoint or application, a Denial of Service attack can exploit the limit on the number of simultaneous requests that can be processed, the amount of memory allocated to a particular service, or the size of receive and output buffers, among other things.
The Purpose of a DoS Attack is Often More Than a Disruption of Service
Denial of service attacks aim to take down websites and online services by flooding them with malicious traffic, and they are launched for many different purposes. DoS attacks target many resources that people depend on daily, including online shops and marketplaces, financial services, and media.
Denial of service attacks are conducted for three main reasons:
- Social activism. Attackers may use Denial of Service as a way to criticize a company’s policies and punish organizations for exhibiting undesirable behaviors.
- Extortion. Attackers may try to profit from the ability to disrupt a company’s services by demanding payment.
- Conquering market share. Employing anticompetitive business practices, businesses may attempt to take out competitor websites to increase their market share, especially during the holiday season.
While the aforementioned reasons are still valid, denial-of-service attacks have evolved and are now used to facilitate other cyber attacks. Similarly, other types of malicious activities can result in a Denial of Service. It is not uncommon for criminals to employ a number of malicious techniques at once to carry out the most sophisticated cyber-attacks.
For example, brute force attacks and carding attacks can lead to resource exhaustion due to many requests sent to the victim’s website to gain unauthorized access or validate stolen data. Most of the time, these types of attacks are carried out from multiple sources, which turns them into distributed Denial of Service attacks.
Denial of Service (DoS) and Distributed Denial of Service (DDoS). What’s the Difference?
A Denial of Service attack does not have to come from a single computer. To defeat defenses that filter malicious requests from valid ones, attackers spread the traffic across many IP addresses, systems, and locations. A DDoS, or Distributed Denial of Service, attack is exactly what the name says: an attack on a victim’s website or network launched from many distributed systems at once. Such attacks are far harder to identify and mitigate, and this is what sets DoS and DDoS apart.
The difference between a Denial of Service and a distributed Denial of Service attack is therefore one of scale and of the number of devices involved. To carry out a DDoS attack, an attacker typically uses a distributed network of compromised computers known as a botnet.
DDoS attacks can be defined as large-scale, bot-driven resource exhaustion attacks that amplify the concept of Denial of Service by directing many computer systems at a single target. This makes an attack far more dangerous, and because the traffic originates from compromised third-party devices, it also makes the attacker behind it much harder to identify.
How Botnets Became the Center of DDoS Attacks
Botnets are built by infecting devices with malware that lies dormant until the attacker’s command and control (C2) server sends instructions. Botnet malware can infect all kinds of devices, from PCs and servers to routers and other internet-connected appliances, and it is often hard to identify and remove. Many botnet families also scan for and infect further devices on their own, so a botnet can grow quickly.
Botnet operators often rent out the capacity of the networks of compromised devices they have built to other attackers on the dark web, a business commonly known as attack as a service or DDoS-for-hire. This makes conducting a denial-of-service attack easier and more accessible than ever. Although law enforcement has successfully taken down multiple large botnets in the past few years, new botnets continue to appear and grow rapidly.
Measuring the Size of a Denial of Service Attack
Because a DoS attack is a stream of malicious traffic aimed at one destination, its size can be measured to understand its scale. A volumetric attack is measured by the rate of traffic it pushes toward the victim, usually in gigabits per second (Gbps), with packets per second (pps) and, for application-layer floods, requests per second (rps) as complementary measures.
This rate is also the bandwidth the target network is forced to absorb for as long as the attack lasts. Research cited for 2022 puts the average Denial of Service attack at slightly above 5 Gbps, although the largest attacks on record are measured in terabits per second.
3 Types of Denial of Service Attacks
Denial of service attacks vary greatly depending on the targeted system and the method of execution. Although attackers often combine approaches, DoS attacks can be broadly classified into three categories – vulnerability attacks, bandwidth flooding, and connection flooding.
A Vulnerability Attack is a DoS attack that targets a specific weak spot in the system. It involves sending a small number of well-crafted messages to a vulnerable operating system or application running on the targeted host. With the right sequence of packets, the service stops or the whole host crashes. Attacks that trigger buffer overflows are the most prominent example; unlike floods, vulnerability attacks need very little bandwidth.
Bandwidth Flooding targets the network capacity of the victim system by pushing more traffic at the infrastructure than its links can carry. The attacker directs an enormous number of packets at the target, the target’s access link becomes saturated, and legitimate packets are dropped before they ever reach the server.
Bandwidth Flooding largely exploits the store and forward transmission principle of packet switching to overwhelm output buffers. Store and forward transmission dictates that a router must receive an entire packet before forwarding it toward its destination. Each packet waits in an output buffer, and buffer space is limited. Once the buffer is full of packets awaiting transmission, newly arriving packets are discarded, and that packet loss is what makes the target system unreachable.
Connection Flooding attacks target a specific service, such as a web or mail server, that provides functionality to a website or web application. The attacker opens as many connections to the target host as it will accept, so that legitimate requests can no longer get a slot. SYN floods, HTTP floods, and Slowloris are examples of connection flooding; ICMP and UDP floods, by contrast, are connectionless and belong to bandwidth flooding.
It is important to note that these three categories are not mutually exclusive; they separate Denial of Service attacks by the approach the attacker takes and the part of the system they choose to target. Each approach is a different route to the same end: exhausting the computing resources of the victim system.
3 Main DoS Attacks Targeting WordPress
As a dynamic web application, WordPress relies on the server’s ability to receive and process incoming requests to deliver content to website visitors. Unless an attacker wants to overload the whole server with a lower-level Denial of Service attack such as a UDP or ICMP flood, they will target the HTTP server listening for incoming requests on port 80 (HTTP) and port 443 (HTTPS). This will typically be Apache, Nginx, or LiteSpeed.
There are three main types of Denial of Service attacks used to bring a website down or make it extremely slow, each taking a different approach: HTTP floods, SYN floods, and Slowloris.
HTTP floods take advantage of the limit on the number of HTTP requests that can be processed by the target web server within a certain time. Let’s take a look at how this works in more detail.
Every web server limits the number of simultaneous connections it accepts and the number of HTTP requests it processes at once. More specifically, there is a cap on how many worker processes or threads the server will create (MaxRequestWorkers in Apache, worker_connections per worker process in Nginx) and, for process-based servers, on how many requests each worker serves before it is recycled and a new one is spun up in its place.
By default, web servers start a small number of workers and add more as traffic increases, up to the configured cap. Every worker consumes memory, and frequently spawning new request workers costs CPU time as well.
If incoming requests exceed the server’s total capacity, the excess is queued and eventually dropped, which shows up as a connection timeout error in the browser. In an HTTP flood, an attacker sends thousands of HTTP requests per second to the victim’s website, often choosing expensive URLs such as login forms, search pages, or XML-RPC that force PHP and the database to do real work for every request.
A SYN flood is a DoS attack that overwhelms a server by exploiting the three-way handshake of TCP, the transport layer protocol underneath both HTTP and HTTPS. Because the attack never gets past the TCP handshake, TLS plays no part in it: a SYN flood works identically against port 80 and port 443.
While HTTP floods overwhelm a server with requests, the goal of a SYN flood is to make the system allocate resources to half-open connections until it is too exhausted to serve legitimate ones. To achieve that, an attacker sends a stream of SYN segments to the server.
Most of the time, the attacker spoofs the source IP address of each SYN, so the server’s SYN-ACK is sent to a host that never asked for a connection and the third step of the handshake is never completed. Each such half-open connection occupies a slot in the server’s SYN backlog until it times out.
With a deluge of SYN segments, the backlog fills up with half-open connections, new SYNs, including those from legitimate website visitors, are dropped, and the site becomes unreachable.
Modern systems partially address this with SYN cookies: instead of storing state when a SYN arrives, the server encodes the connection details in the initial sequence number of its SYN-ACK and only allocates the connection when an ACK comes back carrying a valid cookie. On Linux this is the net.ipv4.tcp_syncookies setting, which by default kicks in once the backlog overflows. SYN cookies do not stop the flood itself, however: the server still has to receive and answer every SYN, so a large enough flood can saturate the link or the CPU regardless, and SYN floods remain a threat to websites and web applications.
Slowloris is another application layer Denial of Service attack used against WordPress websites. Rather than sending a high volume of requests, it ties up the web server by opening many HTTP connections, often from a single IP address, and holding each one open for as long as possible.
A web server normally closes a connection if a complete request does not arrive within a timeout. Slowloris defeats this by sending a partial HTTP request and then trickling out an additional header line just before the timeout expires, so the request is never finished and the connection is never released. Each such connection occupies a worker, and once all workers are busy waiting, legitimate visitors get no response. Servers that dedicate a process or thread to every connection, such as Apache in prefork mode, are the most exposed; header-read timeouts with minimum data rates (Apache’s mod_reqtimeout, for example) are the standard countermeasure.
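To make the SYN-cookie idea concrete, here is an added simulation (not code from the original article, and much simpler than the Linux implementation, which also encodes the MSS in the cookie). It models two servers: one that reserves a backlog entry for every SYN, and one that derives its SYN-ACK sequence number from a keyed hash of the connection and stores nothing until a valid ACK returns. The addresses, the 128-entry backlog, the 64-second time slot, and the flood size are assumptions chosen for the example.

```python
"""Simplified SYN cookies next to a stateful SYN backlog, under a spoofed SYN flood.

Constructed simulation, not real sockets: the handshake fields that matter
(source/destination, client ISN, server ISN, ACK number) are plain Python values.
Addresses are taken from the RFC 5737 documentation ranges.
"""
import hashlib
import hmac
import random

SLOT_BITS = 5                  # top bits of the cookie: coarse time counter
MAC_BITS = 32 - SLOT_BITS      # remaining bits: truncated keyed hash of the flow
SLOT_SECONDS = 64              # length of one time slot (assumption)


class BacklogServer:
    """Classic behaviour: every SYN reserves a half-open entry until the queue is full."""

    def __init__(self, backlog=128):
        self.backlog = backlog
        self.half_open = {}

    def on_syn(self, flow, client_isn):
        """Return True if a SYN-ACK is sent, False if the SYN is dropped (queue full)."""
        if len(self.half_open) >= self.backlog:
            return False
        self.half_open[flow] = client_isn
        return True


class SynCookieServer:
    """Stateless handshake: the server ISN is the cookie; nothing is stored until
    an ACK with a matching cookie arrives."""

    def __init__(self, secret):
        self.secret = secret
        self.established = set()

    def _slot(self, now):
        return (int(now) // SLOT_SECONDS) & ((1 << SLOT_BITS) - 1)

    def _mac(self, flow, client_isn, slot):
        msg = repr((flow, client_isn, slot)).encode()
        tag = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(tag[:4], "big") & ((1 << MAC_BITS) - 1)

    def on_syn(self, flow, client_isn, now):
        """Return the server ISN for the SYN-ACK; no per-connection state is kept."""
        slot = self._slot(now)
        return (slot << MAC_BITS) | self._mac(flow, client_isn, slot)

    def on_ack(self, flow, seq, ack, now):
        """Third handshake step: seq = client_isn + 1, ack = server_isn + 1.
        Recompute the cookie from the packet alone; accept only if it matches and
        was issued in the current or the previous time slot."""
        cookie = (ack - 1) & 0xFFFFFFFF
        client_isn = (seq - 1) & 0xFFFFFFFF
        slot = cookie >> MAC_BITS
        if (self._slot(now) - slot) % (1 << SLOT_BITS) > 1:
            return False                                   # cookie too old
        expected = self._mac(flow, client_isn, slot)
        got = cookie & ((1 << MAC_BITS) - 1)
        if not hmac.compare_digest(got.to_bytes(4, "big"), expected.to_bytes(4, "big")):
            return False                                   # forged or corrupted cookie
        self.established.add(flow)
        return True


def simulate(n_spoofed=1000, backlog=128, seed=1):
    """Flood both servers with spoofed SYNs, then let one legitimate client connect."""
    rng = random.Random(seed)
    secret = bytes(rng.getrandbits(8) for _ in range(32))
    naive, cookies = BacklogServer(backlog), SynCookieServer(secret)
    now = 1_700_000_000.0
    victim = ("198.51.100.20", 443)

    for _ in range(n_spoofed):               # spoofed sources never send the ACK
        src = (f"203.0.113.{rng.randrange(256)}", rng.randrange(1024, 65536))
        flow = (*src, *victim)
        naive.on_syn(flow, rng.getrandbits(32))
        cookies.on_syn(flow, rng.getrandbits(32), now)
    state_during_flood = len(cookies.established)

    legit = ("192.0.2.7", 51515, *victim)
    client_isn = 0x12345678
    naive_ok = naive.on_syn(legit, client_isn)
    server_isn = cookies.on_syn(legit, client_isn, now)
    completed = cookies.on_ack(legit, client_isn + 1, server_isn + 1, now + 1)
    forged = cookies.on_ack(legit, client_isn + 1, (server_isn ^ 1) + 1, now + 1)
    stale = cookies.on_ack(legit, client_isn + 1, server_isn + 1, now + 3 * SLOT_SECONDS)
    return {
        "naive_half_open": len(naive.half_open),
        "naive_legit_got_synack": naive_ok,
        "cookie_state_during_flood": state_during_flood,
        "cookie_legit_completed": completed,
        "forged_ack_accepted": forged,
        "stale_ack_accepted": stale,
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

Run as is, the backlog server fills its 128 slots with spoofed half-open connections and drops the legitimate visitor’s SYN, while the cookie server keeps no state during the flood, completes the legitimate handshake, and rejects both a forged and an expired cookie. What the simulation cannot show is the part the text warns about: every SYN still costs the cookie server a SYN-ACK, so bandwidth and CPU exhaustion remain possible.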
How to Detect a Denial of Service Attack?
In contrast to other cyber attacks, Denial of Service attacks are relatively easy to detect, regardless of the targeted resource. Here are the three common groups of indicators of an ongoing DoS attack targeting a website, server, or network.
Website Level Indicators
If your website is under a Denial of Service attack, you will see a notable performance drop, accompanied by a sudden spike in traffic coming its way. A website may take a very long time to load or throw error messages such as “ERR_CONNECTION_TIMED_OUT” or “503 Service Unavailable.”
Server Level Indicators
If you have access to the server hosting your website, you will find it under high load upon login. On Linux, the load average counts the processes that are running or waiting for the CPU (plus those blocked in uninterruptible I/O), so a load average well above the number of CPU cores means work is arriving faster than the server can handle it.
With a WordPress site under attack, a closer look will show an excessive number of web server and PHP processes. The database server may also be burning CPU time, because every uncached request to a dynamic page results in MySQL queries.
Network Level Indicators
Network monitoring and maintenance fall under the responsibilities of the hosting provider, who needs to ensure that core routers can process all incoming traffic without notable latency. Smaller DoS attacks are rarely noticed or acted upon from their side. However, if a massive Denial of Service attack targets a website or server and begins to affect other hosts, your hosting provider will take action.
One of the most effective ways to mitigate an attack affecting the whole network is to null-route the attacked host until the malicious activity subsides. Null routing a server means temporarily removing it from the network by dropping all packets coming its way so it is no longer reachable over the internet.
How to Mitigate a DoS Attack in 3 Steps
Denial of Service attack mitigation involves analyzing incoming traffic and blocking malicious requests by enabling more aggressive firewall rules and denying access to certain IP addresses and IP ranges manually. Combining these two approaches is an industry standard for dealing with ongoing resource exhaustion attacks. Let’s review the process step-by-step.
Analyze Incoming Traffic
Analyzing incoming traffic in real time helps you evaluate the situation and identify the type of Denial of Service attack being used against your server. It is best to have system access to the server hosting your website, but you can also use other event sources, such as the logs kept by a cloud-based Web Application Firewall.
With root access to the server, you can use network diagnostic tools such as ss (socket statistics) and tcpdump, as well as the per-domain access logs (domlogs) your web server keeps. This will tell you how much malicious traffic is hitting the server and which websites and specific URLs the attacker is targeting.
In the event of a Distributed Denial of Service attack, malicious traffic will be coming from multiple sources. However, most attacks will still be performed from a relatively small number of devices. In most cases, you should be able to identify a few offending IP ranges.
When it comes to WordPress sites, Denial of Service attacks commonly target the WordPress admin login page and XML-RPC. Analyzing recent web server activity, you will see many GET and POST requests directed to wp-login.php, wp-admin, and xmlrpc.php.
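The analysis described in this step (per-source request rates, offending IP ranges, most-hit URLs) is the same one that reveals the HTTP floods discussed earlier. Here is an added example of doing it over combined-format access logs, as Apache and Nginx write them by default. The code and the sample log lines are constructed for this article, not taken from it or from any tool; the 10-second window and the threshold of 30 requests are assumptions to tune to your own traffic.

```python
"""Spot an HTTP flood in combined-format web-server access logs (Apache/Nginx).

The sample log lines below are constructed for this example; the IP addresses
come from the RFC 5737 documentation ranges.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# host ident user [time] "METHOD path HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, method, path without query string), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], TS_FORMAT)
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0]


def peak_in_window(stamps, window):
    """Largest number of requests from one source inside any span of `window` length."""
    stamps = sorted(stamps)
    start = peak = 0
    for end, ts in enumerate(stamps):
        while ts - stamps[start] > window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def analyze(lines, window=timedelta(seconds=10), threshold=30):
    """Flag sources exceeding `threshold` requests in any `window`, group them by
    prefix (/24 for IPv4, /64 for IPv6) and list the most-hit paths."""
    per_ip = defaultdict(list)
    paths = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                  # skip unparseable lines instead of dying mid-incident
        ip, ts, _method, path = rec
        per_ip[ip].append(ts)
        paths[path] += 1

    offenders = {}
    for ip, stamps in per_ip.items():
        peak = peak_in_window(stamps, window)
        if peak > threshold:
            offenders[ip] = peak

    ranges = Counter()
    for ip, peak in offenders.items():
        addr = ip_address(ip)
        prefix = 24 if addr.version == 4 else 64
        ranges[str(ip_network(f"{addr}/{prefix}", strict=False))] += peak

    return {"offenders": offenders, "ranges": dict(ranges), "top_paths": paths.most_common(3)}


def sample_log():
    """Constructed sample: an XML-RPC flood, a login flood, and a little normal traffic."""
    base = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'

    def line(ip, offset, method, path, status=200):
        ts = (base + offset).strftime(TS_FORMAT)
        return fmt.format(ip=ip, ts=ts, method=method, path=path, status=status)

    lines = [line("203.0.113.10", timedelta(milliseconds=150 * i), "POST", "/xmlrpc.php") for i in range(60)]
    lines += [line("203.0.113.11", timedelta(milliseconds=200 * i), "POST", "/wp-login.php") for i in range(45)]
    lines += [line("198.51.100.5", timedelta(seconds=2 * i), "GET", "/blog/?p=42") for i in range(5)]
    lines.append("this line is not in combined log format")
    return lines


if __name__ == "__main__":
    report = analyze(sample_log())
    for ip, peak in sorted(report["offenders"].items(), key=lambda kv: -kv[1]):
        print(f"{ip}: {peak} requests in a 10 s window")
    print("ranges:", report["ranges"])
    print("top paths:", report["top_paths"])
```

On a real server, feed it the last few minutes of the domlog (for example the output of `tail -n 50000 access_log`) rather than the constructed sample. The grouping by /24 is what turns a list of individual offenders into the small number of ranges worth denying in the next step; the threshold should sit well above what your busiest legitimate visitor (a crawler, a monitoring probe) produces.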
Enable Rate Limiting and More Aggressive Firewall Rules
Firewalls act as a first line of defense for your website on different levels of the open systems interconnection (OSI) networking model. Enabling more aggressive firewall rules will help you successfully mitigate a Denial of Service attack.
The general approach includes enabling rate limiting – putting a limit on the number of connections opened by an IP address in a specific amount of time and filtering out incoming traffic based on a number of other parameters, such as an IP address’ reputation score, country of origin, and more.
Mitigate a Denial of Service Attack Using ConfigServer Firewall
If you are using ConfigServer Firewall (CSF), an iptables-based software firewall, you can rate limit incoming traffic with its Connection Tracking feature: set CT_LIMIT to the maximum number of connections a single IP address may hold, and set CT_PORTS to 80,443 so that only the ports your web server listens on are counted. CSF also lets you enable SYN flood protection (SYNFLOOD) and tune SYNFLOOD_RATE, the number of SYN packets allowed per IP address per second, along with a SYNFLOOD_BURST allowance.
Please note that aggressive rate limiting will inevitably result in blocking legitimate requests and thus should only be implemented when your server is under attack and disabled shortly after successful mitigation. It is best to have an experienced system administrator configure any specific firewall rules.
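As an added example (not taken from the original article or from the CSF project’s documentation), here is what such a temporary hardening of csf.conf could look like. Only the setting names are CSF’s; every numeric value is an assumption to tune to your real traffic, and CONNLIMIT and PORTFLOOD are included as the two other per-source limits CSF offers for the web ports.

```ini
# /etc/csf/csf.conf fragment: temporary DoS settings for a web server.
# All values are illustrative assumptions; tune them to your normal traffic.

# Connection Tracking: every CT_INTERVAL seconds, count the connections each
# source IP holds on CT_PORTS and temporarily block any source above CT_LIMIT.
CT_LIMIT = "200"
CT_INTERVAL = "30"
CT_PORTS = "80,443"
CT_BLOCK_TIME = "1800"
CT_PERMANENT = "0"

# SYN flood protection: per-source rate and burst of SYN packets.
SYNFLOOD = "1"
SYNFLOOD_RATE = "100/s"
SYNFLOOD_BURST = "150"

# Concurrent connections allowed per source on each web port (port;limit).
CONNLIMIT = "80;50,443;50"

# New connections allowed per source: port;protocol;hits;seconds.
PORTFLOOD = "80;tcp;30;5,443;tcp;30;5"
```

Reload the firewall with `csf -r` after editing, and watch the lfd log for blocks of addresses you recognize as legitimate (your own office, your uptime monitor, a CDN). Once the attack subsides, set CT_LIMIT back to "0" (disabled) and relax the other limits, as the caveat above says.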
Use Cloudflare WAF to Mitigate a DoS Attack
If your site sits behind Cloudflare, its WAF can filter out malicious traffic based on a number of managed rulesets and on IP reputation scores drawn from Project Honey Pot. Raising the Cloudflare Security Level to High presents a challenge to every visitor whose IP address has a Threat Score above 0, and the “I’m Under Attack” mode goes further by challenging every visitor before they reach your origin. Like aggressive rate limiting, both settings inconvenience some legitimate visitors and are meant to be turned back down once the attack has passed.
Block Malicious Bot Traffic
While newly implemented firewall rules should filter out the vast majority of malicious requests, blocking the offending IP addresses and ranges outright makes the system drop their packets at the network layer, without the firewall having to inspect each request. Denying access to known malicious sources saves server resources and helps get your website fully functional much faster.
How to Prevent Denial of Service? Top 3 Recommendations for WordPress
WordPress sites remain a high-priority target for attackers and are frequently hit by Denial of Service and brute force attacks. While a well-maintained WordPress installation offers solid protection against malware and injection attacks, you need additional security measures to defend against resource exhaustion.
Below are the top three WordPress security recommendations for preventing Denial of Service. Installing robust managed firewall rulesets, configuring HTTP/2, and limiting access to the WordPress login and XML-RPC endpoints will significantly reduce your exposure to HTTP floods and Slowloris attacks. SYN floods happen below the application, so they are handled by the operating system (SYN cookies) and the network firewall rather than by WordPress.
Configure Robust Managed Firewall Rulesets
Both host-based and cloud-based Web Application Firewalls (WAF) support installing different managed rulesets developed specifically for defending against Denial of Service and other dangerous cyber attacks. Managed rulesets are maintained by known security vendors and receive regular updates.
One of the most robust managed firewall rulesets is the OWASP Core Rule Set (CRS), an OWASP project. The ruleset is compatible with most host- and cloud-based WAFs, including ModSecurity, the most popular host-based Web Application Firewall on Linux servers. Its core rules target injection-class attacks; the DoS-protection rules are an optional part of the ruleset and need to be enabled and tuned separately.
Configure HTTP/2
HTTP/2 is a revision of the HTTP protocol aimed at reducing latency and speeding up content delivery by addressing shortcomings of its predecessor. Where HTTP/1.1 browsers open several parallel connections to fetch a single page, HTTP/2 multiplexes many requests and responses as streams over one connection.
Fewer connections per visitor means less per-connection overhead on the server, which can produce noticeable performance improvements and some extra headroom against small denial-of-service attacks without invoking additional protections. HTTP/2 is not a DoS defense on its own, however: a flood of requests still has to be processed, and the protocol does nothing against SYN floods, which never reach the application layer.
Reduce the Attack Surface
Website-level security measures are just as important as server-level ones. You can blunt most attacks on a WordPress site, including Denial of Service, by limiting access to its critical endpoints, XML-RPC and the WordPress login page. As discussed earlier, those are the two most common targets of both DoS and brute force attacks on WordPress sites.
WordPress security best practices include disabling XML-RPC if nothing you use depends on it and restricting access to wp-login.php to a list of trusted IP addresses and ranges, so that flood traffic is rejected by the web server before PHP and the database ever run. Enabling two-factor authentication is equally important to keep attackers from gaining unauthorized access to your website and taking it down.
Complement Your Defenses With iThemes Security Pro
iThemes makes WordPress security accessible for everyone. iThemes Security Pro provides thirty ways to protect your WordPress site from all known cyber attacks. With advanced on-the-clock security monitoring and vulnerability scanning, iThemes Security Pro will automatically take action on your behalf to stop automated attacks, block malicious actors, and protect critical areas of your website.
If you manage multiple WordPress sites, iThemes Sync Pro helps automate routine administrative tasks by providing a single management dashboard with uptime monitoring and advanced analytics. And while you have these personal website assistants on your team, iThemes Training will help you become a WordPress expert and take your business to the next level.
Kiki has a bachelor’s degree in information systems management and more than two years of experience in Linux and WordPress. She currently works as a security specialist for Liquid Web and Nexcess. Before that, Kiki was part of the Liquid Web Managed Hosting support team where she helped hundreds of WordPress website owners and learned what technical issues they often encounter. Her passion for writing allows her to share her knowledge and experience to help people. Apart from tech, Kiki enjoys learning about space and listening to true crime podcasts.