I was having a conversation with a person who runs a company which depends on IT systems. He was saying that his company was affected by a DoS attack some time back and had spent a lot of money on protecting his servers from a possible next attack. He was also saying that they really couldn’t initially understand what type of DoS attack it was, and what this Layer 4 DoS attack and Layer 7 DoS attack are. That made me write this very brief blog post clarifying what a DoS attack is and what the differences between the Layer 4 and Layer 7 attacks are.
What really is a DoS?
As the name implies, a Denial of Service (DoS) attack is an attempt to make a resource (for example, a web server) unable to provide its intended service to legitimate users. In other words, DoS is an attempt to make an online service unavailable or inaccessible to its intended legitimate users. Attackers achieve this by sending a huge volume of traffic to the target, making it unable to process what it should be processing. We’ll talk about this in a little while.
There are a few types of DoS attacks, but two of the main ones are the Layer 4 attack and the Layer 7 attack. What does that really mean?
Layer 4 DoS Attack
The Layer 4 DoS attack takes place at the Transport Layer of the TCP/IP protocol architecture. The DoS attack done at Layer 4 is also called a SYN Flood attack. The name SYN Flood comes from a procedure called the 3-Way Handshake. So, what’s that? Okay, we’ll put it this way.
The 3-Way Handshake is the method used in TCP/IP networks to establish a connection between a client and a server. This is how it works. The client initiates the handshake by sending a packet with the “SYN” flag set, asking to establish a connection. If the server is okay with that request, it sends a “SYN/ACK” packet back to the client, indicating “I am okay to have the connection”. In return for the SYN/ACK packet, the client sends back an “ACK” packet, saying “Okay, cool”. After these 3 steps are completed, the connection between the client and the server is established, and both sides start sending data using the Application Layer, or Layer 7. Simply put, the connection is established at Layer 4 after completing the 3-Way Handshake; once that is done, the data is transferred through Layer 7.
Now let’s look at the SYN Flood attack. The attacker sends a large number of SYN requests to the server and simply ignores the SYN/ACKs returning from the server. This floods the server with half-finished handshakes. It makes the poor server wait for the ACK from the client until a configured waiting time has passed. Keeping each connection open while waiting for the ACK eats up a huge amount of the server’s resources (because there are a lot of concurrent requests waiting for their ACK), leaving it unable to serve a legitimate user’s request that may arrive among the attack requests. So, when a legitimate user tries to connect to the server, it’s unavailable. The SYN Flood is one of the most popular methods of DoS attack. But there is bad news for the attackers: SYN Flood attacks can be easily identified and blocked by the latest security products.
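To make the server-side picture concrete, here is a toy model of the table of half-open connections described above (SYN received, SYN/ACK sent, final ACK still awaited). It is an added example, not code from the original post; the capacity, timeout and addresses are constructed values, and the flood is modelled only as table entries that never complete.

```python
# Added example (not the post's code): a toy model of the server's half-open
# connection table, showing how unanswered SYN/ACKs fill it until the wait timeout.
class HalfOpenTable:
    """Server-side bookkeeping for connections stuck between SYN/ACK and ACK."""

    def __init__(self, capacity, timeout):
        self.capacity = capacity    # how many half-open connections fit at once
        self.timeout = timeout      # seconds the server waits for the final ACK
        self.pending = {}           # (client_ip, client_port) -> time SYN/ACK was sent
        self.established = 0        # handshakes completed
        self.dropped = 0            # SYNs ignored because the table was full

    def expire(self, now):
        """Reclaim entries whose ACK never arrived within the timeout."""
        for key, sent_at in list(self.pending.items()):
            if now - sent_at >= self.timeout:
                del self.pending[key]

    def on_syn(self, key, now):
        """Steps 1 and 2 of the handshake: record the client and 'send' SYN/ACK."""
        self.expire(now)
        if len(self.pending) >= self.capacity:
            self.dropped += 1
            return False            # no room: a new client cannot even start
        self.pending[key] = now
        return True

    def on_ack(self, key, now):
        """Step 3 of the handshake: the client's ACK completes the connection."""
        self.expire(now)
        if key not in self.pending:
            return False
        del self.pending[key]
        self.established += 1
        return True

def simulate(unanswered_syns, capacity=128, timeout=60):
    """Constructed scenario: many SYNs at t=0 that never ACK, then one honest client
    tries a full handshake at t=1 (during the flood) and again once the timeout expires."""
    table = HalfOpenTable(capacity, timeout)
    for port in range(unanswered_syns):
        table.on_syn(("203.0.113.7", 40000 + port), now=0)   # constructed source address
    client = ("198.51.100.5", 51515)
    during = table.on_syn(client, 1) and table.on_ack(client, 1)
    after = table.on_syn(client, timeout) and table.on_ack(client, timeout)
    return during, after, table.dropped

if __name__ == "__main__":
    print(simulate(200))   # (False, True, 73)
```

Real TCP stacks avoid holding state per unanswered SYN (SYN cookies, shorter retransmission timeouts), which is why the post can say SYN floods are easy for current products to handle.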
Layer 7 DoS Attack
As I mentioned earlier, data is transferred through Layer 7 (after completing the 3-Way Handshake). The main idea of the Layer 7 DoS attack comes from that. In a Layer 7 attack, the attacker completes the full 3-Way Handshake and then requests a huge number of files/objects from the server through HTTP GET requests. The major difference in this attack is that, since the handshake is completed, security devices cannot easily differentiate the fake requests from the legitimate ones: every request looks like a legitimate request. Requests from a single person are not enough to push a server into a DoS situation. Attackers need more requests, from more people. How is this achieved?
A group of organized hackers may take part in attacking the same target at the same time. There is another method which is used very frequently. Attackers plant a piece of software called a bot on people’s computers without their knowledge (social engineering methods are used to plant them). Once that is done, at a predefined date and time, all the bots perform the attack from several hundred computers. Simply put, the attack is distributed among multiple computers to direct a very large amount of traffic at the server. This type of DoS is called a Distributed Denial of Service (DDoS). In terms of getting caught by a security device, a Layer 7 DoS is less likely to be caught than a Layer 4 DoS, because it is difficult to differentiate the legitimate traffic from the fake traffic.
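Since every Layer 7 request arrives over a completed handshake, the defender is left with request-rate evidence in the web server's own access log. The following added example (not the post's code) runs a sliding-window count over constructed access log lines: a single noisy client trips a per-IP limit, while a distributed flood stays under that limit per source and only shows up in the global rate, which is the point made above. The log format, thresholds and addresses are assumptions.

```python
# Added example (not the post's code): request-rate detection over constructed
# access log lines. Per-IP limits catch one noisy client; a distributed flood
# needs the global view as well.
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse(line):
    """Parse a combined-format access log line into (ip, datetime, method, path, status)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def peak_rate(times, window_s):
    """Largest number of timestamps inside any window_s-second span (two-pointer sweep)."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() >= window_s:
            start += 1
        best = max(best, end - start + 1)
    return best

def detect(lines, window_s=10, per_ip_limit=20, global_limit=100):
    """Return (sorted IPs over the per-IP limit, True if the total rate exceeds the global limit)."""
    events = [e for e in map(parse, lines) if e]
    per_ip = defaultdict(list)
    for ip, t, *_ in events:
        per_ip[ip].append(t)
    noisy = sorted(ip for ip, ts in per_ip.items() if peak_rate(ts, window_s) > per_ip_limit)
    flooded = peak_rate([t for _, t, *_ in events], window_s) > global_limit
    return noisy, flooded

def make_lines(ip, n):
    """Constructed log lines: three GET requests per second from ip, all over completed handshakes."""
    return [f'{ip} - - [05/Mar/2024:10:00:{i // 3:02d} +0000] "GET /index.html HTTP/1.1" 200 512'
            for i in range(n)]

# Constructed sample: 40 bot hosts sending 5 requests each (each under the per-IP
# limit) plus one host sending 30 requests, all within the same ten seconds.
SAMPLE_LOG = [l for k in range(40) for l in make_lines(f"203.0.113.{k + 1}", 5)]
SAMPLE_LOG += make_lines("198.51.100.9", 30)

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))   # (['198.51.100.9'], True)
```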
To sum up, there are two main kinds of Denial of Service (DoS) attacks in the wild: the Layer 4 DoS attack and the Layer 7 DoS attack. Layer 4 attacks can be controlled easily, while controlling Layer 7 attacks is a little more difficult. Security device manufacturers are trying their best to provide a proper solution that clearly identifies Layer 7 attacks. We too hope to see a DoS-free Internet. Hope this was informative!