Imagine logging on to your computer on a Monday to find critical parts of your digital infrastructure are crippled and not working as they should. “How long has it been like this?” “How much business have we lost?” “Why did this happen?” It’s enough to keep you awake at night. Denial-of-service (DoS) attacks are a threat to all organisations, capable of bringing down critical services by overwhelming systems with malicious traffic. From causing website outages to crippling internal networks, the impact can be costly, both in downtime and lost revenue. In this case study, a company in the food industry wanted to stop waking up in the middle of the night in a cold sweat, so they asked the experts at OmniCyber Security to attack their system and test its resilience against DoS attacks. The goal: identify weaknesses before malicious actors can exploit them.
What is a Denial of Service (DoS) Attack?
A denial-of-service (DoS) attack aims to disrupt the normal operation of a service, network, or system, typically by overwhelming it with excessive traffic or exploiting its weaknesses. Successful attacks result in service outages for legitimate users, reduced performance, and in some cases, financial loss.
A DoS attack is characterised by using a single computer to launch the attack. By comparison, a distributed denial-of-service (DDoS) attack is a type of DoS attack that comes from many distributed sources, often in the form of a botnet.
There are several types of DoS attacks, each using different techniques to cripple systems:
- Volume-Based Attacks: These focus on consuming bandwidth by flooding the target with traffic. Examples include UDP Floods and ICMP Floods.
- Protocol-Based Attacks: These exploit weaknesses in the network protocol stack to exhaust server resources, often crashing the system. Examples include the SYN Flood and the Ping of Death.
- Application Layer Attacks: Targeting specific applications, these sophisticated attacks exhaust server resources by overloading certain features or inputs, like an HTTP Flood or Slowloris.
- Resource Depletion Attacks: These attacks deplete server resources like CPU or memory until legitimate users can no longer access the system. Examples include TCP Connection Floods and Application Resource Exhaustion.
- Permanent Denial of Service (PDoS) Attacks: The most damaging type, PDoS attacks aim to cause irreversible hardware damage through bricking or wiping the target’s systems. This can render a device completely unusable.
Case Study: DoS Vulnerability Testing
An external penetration test is designed to identify vulnerabilities in external infrastructure that could potentially impact the organisation negatively if exploited. The team replicates the methods that real cyber criminals use to see how the client’s defences stack up.
In this case, resource depletion turned out to be the particular flavour of DoS attack that the client’s web application was vulnerable to. The main breakthrough came through the central search function on the client’s website. It was vulnerable to DoS attacks with large numbers of requests, even with the client using Cloudflare to mitigate DoS attacks. Cloudflare couldn’t fully block the attack, due to the relatively low number of requests needed to crash the service.
The team sent high volumes of search queries, all made up of 256-character strings. While many of these requests were blocked by Cloudflare managed challenges, enough were able to reach the application to cause it to crash. The team then expanded the test to check smaller search queries, which had the same effect on the application.
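The search finding shows why an edge service alone is not enough when an endpoint falls over at a request rate far below the level a CDN treats as a flood: the application itself needs a per-client budget for that endpoint, set below its measured breaking point, plus a cheap input-length check before any expensive work runs. The following is an added example (not OmniCyber's or the client's code) of such an application-side limiter; the endpoint paths, the budgets, the 100-character query cap and the request stream are all constructed assumptions, and it assumes the application sees the real client address rather than the CDN's.

```python
"""Per-client, per-endpoint sliding-window rate limiter with a query-length cap.

Added example, not code from the case study. Assumes a hypothetical /search
endpoint whose safe request budget has been established by load testing, and
that the client address has already been recovered from the CDN's
forwarded-IP header. All traffic below is constructed.
"""
from collections import defaultdict, deque

MAX_QUERY_LEN = 100  # assumed cap; the test in the case study used 256-char queries

# Assumed per-endpoint budgets: (requests allowed per client, window in seconds).
# The search budget is deliberately set below the rate that crashed the app.
ENDPOINT_LIMITS = {
    "/search": (20, 60.0),   # 20 searches per minute per client
    "/signup": (5, 300.0),   # 5 signups per five minutes per client
}


class SlidingWindowLimiter:
    def __init__(self, limits=ENDPOINT_LIMITS, max_query_len=MAX_QUERY_LEN):
        self.limits = limits
        self.max_query_len = max_query_len
        self.hits = defaultdict(deque)  # (client, path) -> request timestamps

    def check(self, client, path, query, now):
        """Return 'allow', 'reject-length' or 'reject-rate' for one request."""
        verdict = "reject-length" if len(query) > self.max_query_len else "allow"
        if path not in self.limits:
            return verdict  # unbudgeted endpoint: only the length check applies
        limit, window = self.limits[path]
        q = self.hits[(client, path)]
        while q and now - q[0] >= window:  # drop hits that fell out of the window
            q.popleft()
        if len(q) >= limit:
            return "reject-rate"
        q.append(now)  # oversized requests still burn the client's budget
        return verdict


def replay(requests, limiter=None):
    """Feed (timestamp, client, path, query) tuples through the limiter in time
    order and return a per-client count of each verdict."""
    limiter = limiter or SlidingWindowLimiter()
    summary = defaultdict(lambda: defaultdict(int))
    for t, client, path, query in sorted(requests, key=lambda r: r[0]):
        summary[client][limiter.check(client, path, query, t)] += 1
    return {c: dict(v) for c, v in summary.items()}


# Constructed traffic: one client searching normally, one client first sending
# thirty 256-character queries in 15 seconds, then thirty short ones.
CONSTRUCTED_TRAFFIC = (
    [(i * 10.0, "10.0.0.5", "/search", "beef mince") for i in range(6)]
    + [(i * 0.5, "198.51.100.7", "/search", "x" * 256) for i in range(30)]
    + [(15.0 + i * 0.5, "198.51.100.7", "/search", "ab") for i in range(30)]
)

if __name__ == "__main__":
    for client, counts in replay(CONSTRUCTED_TRAFFIC).items():
        print(client, counts)
```

Two design choices matter here. The budget is keyed on the endpoint, not the whole site, so the search budget can be tuned to that function's real capacity without throttling ordinary browsing; and an oversized query is counted against the budget even though it is rejected, so a client cannot probe for free. The normal client above is never touched, while the bursting client gets twenty length rejections and is then rate-limited for the rest of the minute.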
In another test, OmniCyber performed a signup attack, exploiting the ability to create variations of an email address in Gmail. Gmail considers ‘johnsmith@gmail.com’ and ‘johnsmith+1@gmail.com’ to be the same email address, but many applications, including our client’s, see them as different. This signup process can easily be automated. The client’s rate-limiting defences stopped the creation of tens of thousands of fake accounts in seconds, but the Cloudflare configuration still allowed thousands of accounts to be created over a few minutes. With an attacker keeping the request rate at or under 40 requests per second, they could cause some serious issues with the client’s database, although probably not a full denial-of-service. Requiring email validation for signups can help prevent automated abuse but must be weighed against the impact on customer acquisition.
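The application-side fix for the plus-addressing problem is to store and compare a canonical form of each address, so that every tagged variant collapses onto one account before the database is touched. The following is an added example (not the client's or OmniCyber's code) of that canonicalisation with a small in-memory stand-in for the accounts table. It goes slightly beyond the page: besides the +tag behaviour the case study describes, it also strips dots in the local part for Gmail domains, which is Gmail's documented behaviour; treating the +tag as ignorable for every domain is a policy assumption, and the sample addresses are constructed.

```python
"""Canonicalise signup email addresses so sub-address and dot variants map to
one account.

Added example, not code from the case study. Assumptions: the +tag is ignored
for every domain (a policy choice; many providers support sub-addressing), and
dots are ignored only for the Gmail domains listed below. Per-client signup
rate limiting is assumed to be enforced separately.
"""
import re

DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # deliberately loose shape check


def canonical_email(address: str) -> str:
    """Return the canonical form used as the uniqueness key for an account."""
    addr = address.strip().lower()
    if not EMAIL_RE.match(addr):
        raise ValueError(f"not a valid address: {address!r}")
    local, domain = addr.rsplit("@", 1)
    local = local.split("+", 1)[0]  # drop the sub-address tag: john+1 -> john
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "")  # Gmail: john.smith == johnsmith
    return f"{local}@{domain}"


class SignupRegistry:
    """In-memory stand-in for the accounts table, keyed on the canonical form."""

    def __init__(self):
        self.accounts = {}  # canonical address -> address as entered

    def register(self, address: str) -> bool:
        """Create the account; return False if the canonical form already exists."""
        key = canonical_email(address)
        if key in self.accounts:
            return False
        self.accounts[key] = address
        return True


def simulate(addresses):
    """Run a list of signup attempts; return (accounts created, attempts made)."""
    registry = SignupRegistry()
    created = sum(registry.register(a) for a in addresses)
    return created, len(addresses)


# Constructed signup attempts: four variants of one Gmail mailbox, two variants
# of one address elsewhere, and one unrelated address.
CONSTRUCTED_SIGNUPS = [
    "johnsmith@gmail.com",
    "johnsmith+1@gmail.com",
    "JohnSmith+2@Gmail.com",
    "john.smith@gmail.com",
    "jane@example.org",
    "jane+promo@example.org",
    "other@example.org",
]

if __name__ == "__main__":
    created, attempted = simulate(CONSTRUCTED_SIGNUPS)
    print(f"{created} accounts created from {attempted} signup attempts")
```

The check is cheap and runs before the insert, so a flood of tagged variants costs one lookup each rather than one new row each; it complements rather than replaces rate limiting and email validation, since an attacker can still rotate base addresses across many domains.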
Recommendations
Overall, the team judged the client presented a medium security posture against DoS attacks. The following recommendations were sent to the client to improve their defences further, but they can be applied to any organisation that wants to strengthen their defences against DoS attacks.
OmniCyber Security recommends a layered approach to defending against Denial of Service (DoS) attacks. First, applications should be designed to handle both normal and unexpected traffic spikes, ensuring resources are allocated effectively. Additionally, vulnerabilities identified in code, particularly those exposed in high-traffic functions like search parameters, should be patched immediately following vendor advisories.
For better protection, leveraging server-side WAFs, such as Fail2Ban, or third-party services like Cloudflare or Azure Web Application Firewall, offers an extra layer of defence, particularly for Distributed Denial of Service (DDoS) attacks. These solutions can mitigate both volume-based attacks and application-layer resource exhaustion attempts.
Finally, post-remediation testing is essential to ensure that newly implemented protections are functioning as intended. Retesting previously vulnerable areas confirms how well the improvements are working, giving you confidence in your defences moving forward.
The OmniCyber Security Team
OmniCyber Security are a specialist cyber security company providing a full range of consultancy and testing services. Our team is made up of seasoned professionals with years of expertise across a range of cybersecurity disciplines, including compliance, infrastructure protection, and application security. As a team, we constantly refine our knowledge and processes to keep up with the changing landscape of our industry, to keep you as safe as possible. To find out more about penetration testing for your organisation, contact us today.