Earlier this week, LockerGnome was hit with a Denial of Service (DoS) attack and was forced to shutter its doors for quite some time. Readers couldn’t read articles, and writers couldn’t write them. It is truly a terrible thing to happen to any website, and it prevents people from doing their jobs (the writers) as well as preventing people from not doing their jobs (the readers).
All is well now, but while the attack was ongoing I overheard a few folks in various channels discussing LockerGnome’s downtime, unaware of what a Denial of Service attack is or how it really works. So I am taking the time to lay it out in plain and simple English, so that next time something like this happens people know just what the server administrators are dealing with.
To put it simply, a Denial of Service attack does what it says: it prevents people from using a particular website or service. How does it do this, though? A Web server daemon has only so much of each resource to go around: a limited number of connections it can hold open at once, a limited number of worker processes, limited memory and bandwidth. Once any one of those is used up, every further request has to wait in line until it is either served a response or times out. A DoS attack simply aims to use up one of those resources with junk, so that nothing is left for real visitors.
One of the most common methods of Denial of Service is known as a SYN flood. A SYN flood occurs when an attacker sends a large number of TCP SYN packets to a server, usually with a forged (spoofed) source address so that the server’s replies go to a machine that never asked for them. SYN is the first step of the three-way handshake that every TCP connection goes through: when a server receives a SYN, it records the new connection, replies with a SYN-ACK, and then waits for the client to return a final ACK, signifying that the handshake is complete and the connection is whole. In a SYN flood that final ACK never arrives, leaving the server holding what is called a “half-open” connection. Each half-open connection occupies a slot in the server’s connection table until it times out, and the attacker refills those slots faster than they expire, so the server runs out of room to accept connections from legitimate clients. Modern operating systems blunt this with SYN cookies, a technique that lets the server forget the SYN entirely and reconstruct what it needs from the client’s final ACK, so half-open connections no longer cost it anything.
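To make the half-open problem concrete, here is a toy model of a TCP listener under a SYN flood. It is an added example written for this article, not code from LockerGnome or from any real TCP/IP stack: the addresses, the backlog size of 128 and the cookie secret are all constructed, and the “packets” are just function calls. It compares a classic listener, which must keep a table entry for every SYN until the handshake finishes, with a SYN-cookie listener, which encodes that memory in its own sequence number (here an HMAC over the peer’s address) and so keeps nothing.

```python
"""Why half-open connections hurt, and how SYN cookies sidestep the problem.

Toy model written for this article (not LockerGnome's code, not a real TCP
stack). Addresses, backlog size and secret are constructed for the example.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

BACKLOG = 128          # constructed: how many half-open connections fit in the table
SEQ_MASK = 0xFFFFFFFF  # TCP sequence numbers are 32 bits and wrap around


@dataclass
class Listener:
    """Classic listener: one table entry per half-open connection."""
    backlog: int = BACKLOG
    half_open: dict = field(default_factory=dict)   # (ip, port) -> our ISN
    established: set = field(default_factory=set)
    dropped_syns: int = 0

    def on_syn(self, ip, port):
        """A SYN arrives. Returns our ISN (carried in the SYN-ACK) or None if dropped."""
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1      # table full: legitimate clients are refused too
            return None
        isn = (0x1000 + len(self.half_open)) & SEQ_MASK   # toy ISN, not random
        self.half_open[(ip, port)] = isn
        return isn

    def on_ack(self, ip, port, ack):
        """The final ACK arrives. Spoofed sources never send one, so their entries
        stay until a timeout; this model has no timeout, a flood refills it anyway."""
        isn = self.half_open.pop((ip, port), None)
        if isn is not None and ack == (isn + 1) & SEQ_MASK:
            self.established.add((ip, port))
            return True
        return False


@dataclass
class CookieListener:
    """SYN-cookie listener: the ISN is an HMAC of the peer's address, so the SYN
    can be forgotten; a correct final ACK proves the peer really received the SYN-ACK."""
    secret: bytes = b"constructed-secret"
    established: set = field(default_factory=set)

    def _cookie(self, ip, port, slot):
        # real stacks also fold a coarse timestamp ('slot') in so old cookies expire
        msg = f"{ip}:{port}:{slot}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def on_syn(self, ip, port, slot=0):
        return self._cookie(ip, port, slot)     # nothing is stored

    def on_ack(self, ip, port, ack, slot=0):
        if ack == (self._cookie(ip, port, slot) + 1) & SEQ_MASK:
            self.established.add((ip, port))
            return True
        return False                            # forged or stale ACK: nothing to clean up


def flood_then_connect(listener, spoofed_syns=500):
    """Send SYNs from spoofed sources that never ACK, then try one real handshake."""
    for i in range(spoofed_syns):
        # constructed spoofed sources (TEST-NET-2); SYN-ACKs sent to them go unanswered
        listener.on_syn(f"198.51.100.{i % 256}", 40000 + i)
    isn = listener.on_syn("203.0.113.7", 51515)     # the legitimate client
    if isn is None:
        return False                                # refused before the handshake began
    return listener.on_ack("203.0.113.7", 51515, (isn + 1) & SEQ_MASK)


if __name__ == "__main__":
    print("classic listener completes a real handshake:", flood_then_connect(Listener()))        # False
    print("SYN-cookie listener completes a real handshake:", flood_then_connect(CookieListener()))  # True
```

With 500 spoofed SYNs against a backlog of 128, the classic listener fills up after the first 128 and drops everything after that, the real client included; the cookie listener accepts the real client because it never kept any state for the spoofed ones, and a forged ACK that does not match the cookie is simply ignored. On Linux the real mechanism is controlled by the `net.ipv4.tcp_syncookies` sysctl (1 means cookies are used once the SYN backlog overflows).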
Denial of Service attacks don’t have to be very complicated. In fact, a large number of clients each sending a single ordinary request can be enough to bring an unsuspecting server to a standstill, and no individual client has to do anything that looks abnormal. For this reason, large groups of attackers sometimes coordinate to target a single server in order to bring it down. More organized attacks use botnets: networks of compromised computers around the globe running malicious code that, on command, all send requests to a single location. When the flood comes from many machines at once it is called a Distributed Denial of Service (DDoS) attack, and botnets of significant size can bring down even the mightiest of networks, so they are truly a force to be reckoned with.
Unintentional Denials of Service
As I mentioned earlier, sometimes all it takes to bring a server down is a large number of requests coming in from individual clients around the world, none of them malicious. These situations typically arise when a major news site sends a huge influx of readers to a smaller, unsuspecting site, something often referred to as the “Slashdot effect.” From the server’s point of view it looks much the same as an attack: the resources run out just the same.
This is one of the reasons the ability of a website or application to scale is such a big issue these days. Tech companies like Twitter and Facebook are now focused on how they can accommodate a growing number of users with a limited number of resources, or else their services are doomed to extremely slow loading times.
I hope this clears up some of the confusion a few of those in the LockerGnome community had regarding what exactly a Denial of Service attack is. However, this article is by no means a comprehensive source on the topic, and I encourage those who are interested in learning more to consult the Wikipedia article on Denial of Service attacks.