Denial Of Service

A denial of service attack is one which attempts to deprive the legitimate users of a system of its normal service. The usual techniques involve overconsumption of some resource critical to the operation of the system.

On a FileTransferProtocol server with upload capabilities, a simple denial of service attack might be to continuously upload huge files. If the file store is not correctly managed, there will come a time when the operating system can no longer continue to function because it has run out of disk space.

A more complex attack on a network server of any kind is the "SYN Flood" attack. A client such as a web browser, connecting to a server using TCP (the Internet's reliable transport protocol), indicates its wish to connect by delivering a packet with a certain status bit (the SYN bit) set. The server must respond with a packet that has both the SYN and ACK status bits set, and from then on all packets are expected to have only the ACK bit set. The connection is not fully opened until the server receives a second packet from the client.

The attacker simply generates large numbers of SYN packets from random bogus addresses. Since they represent potential network connections, the server must allocate resources to storing the required state information. Further, because the missing packets might have been delayed, it has to wait some time before releasing them. Needless to say, the attacker never completes any of the connections.

If enough packets arrive in short order, the server will run out of transient storage in its transport layer, and be unable to accept further connections. This can be a difficult attack to detect if carefully executed, since the traffic patterns are very similar to those seen by, for example, a busy web server.

The more recently publicized DistributedDenialOfService (DDoS) attacks, of which the Smurf attack is perhaps the best known, use unwitting third party systems, which are compromised and then used, either immediately or at a later date, simultaneously to flood the target system with large amounts of bogus network traffic.

See a thesis on DOS done in 2003 at


This appears to be a FundamentalFlawInTheWayWikiWorks.


A general way to defend against denial of service attacks is to MakeTheClientPay for each and every service (including the processing of requests) they invoke.

FebruaryZeroSix


  Denial of service!
  Denial of service!
  Denial of service!
  Denial of service!
  Denial of service!
  Denial of service!
  Denial of service!
  Denial of service!
  Denial of service!
  Denial of service!

One common type of denial of service attack when a repetitive stress is placed on a server or machine to try and take it down.

Technically, that is just one mechanism to achieve a DenialOfService attack... probably the most common one seen today, but signal jamming of all sorts would qualify, as would cutting power to a building (thus denying service to the Internet).

On the internet, a security model may prevent a DenialOfService attack by checking for count requests from a certain IP address or session per a certain time frame. However, the attacker may use proxies or other techniques to hide the attack across multiple IP address.


CategorySecurity CategoryInternet CategoryDistributed


EditText of this page (last edited May 12, 2008) or FindPage with title or text search

Meatball