First, let’s understand what a DoS attack is. Here’s a simple analogy.
Imagine you’re at an ATM using dozens of cards nonstop. The machine keeps working, but everyone else in line is stuck waiting or turned away.
That, my friend, is a DoS attack: it floods a system with requests so that real users can’t get through.
In the network version, the attacker (or a bot under their control) floods the web server with traffic until legitimate users can no longer connect to it.
Common Ways a User Can DoS a Server
A DoS attack can come from outside or from inside the network. For instance, a user at XYZ company intent on causing internal disruption might plug an unauthorized computer into the internal network and overwhelm services using any of the methods below.
SYN flood (half-open TCP connection attempts that exhaust the listener’s backlog)
HTTP flood (valid-looking requests that exhaust the application behind the server)
UDP flood
ICMP flood (and the older ping of death, which uses oversized packets to crash a fragile IP stack rather than to exhaust capacity)
Abusing misconfigured services (anything that does expensive work for an unauthenticated request)
Below is an animated design I built to give you a visual understanding. We will break this down into different cases.
Typical Traffic Flow
In this illustration, users connect to an e-commerce server to buy products. The server is running smoothly, and each user makes up to three requests per second (RPS).
Legit Traffic Going Through the Web Server
Explanation
Users are sending traffic to the web server as they normally would.
Typically, each user generates two to three requests per second (RPS).
The server can handle 50 requests per second (RPS) in this example.
Everything is looking good.
Web Server Being Flooded with SYN Packets
In this illustration, an attacker is trying to take the server offline by bombarding it with 100 requests every second, while the server can only handle 50 requests per second. Once unanswered requests pile up faster than the server can clear them, it stops responding to anyone, and in the worst case it crashes. In a SYN flood the “requests” are cheap half-open connection attempts, often from spoofed source addresses, so each one costs the attacker far less than it costs the server, which must hold state for it until the handshake completes or times out.
The server is busy servicing the attacker’s requests, so it is unavailable for legitimate incoming users.
Explanation
The attacker is flooding the web server with 100 requests per second (RPS).
The server can only handle 50 requests per second, as an example.
When users try to connect, the server is unresponsive because its capacity is consumed by the attacker’s requests.
If the attacker keeps raising the rate, the server eventually falls over and the business is offline.
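To make the mechanism concrete, here is an added Python simulation of a SYN flood as state exhaustion. It is not code from this post. The backlog of 128 half-open slots, the 3-second half-open timeout, the TEST-NET address ranges and the traffic mix (an attacker sending 100 SYNs per second that never completes the handshake, three users making 3 requests per second) are all assumed values chosen to mirror the illustration above.

```python
"""SYN flood as state exhaustion: an added simulation, not code from the post.

Backlog size, half-open timeout, address ranges and traffic mix are assumed
values chosen to mirror the illustration (attacker 100/s, users 3 req/s).
"""
import math
import random


class Listener:
    """A TCP listener's table of half-open (SYN_RECV) connections.

    Real kernels add SYN cookies and retransmit back-off; this model keeps
    only the part the attack exploits: a finite table that is freed by a
    completed handshake or by a timeout.
    """

    def __init__(self, backlog, half_open_timeout):
        self.backlog = backlog
        self.half_open_timeout = half_open_timeout
        self.half_open = {}          # (src_ip, src_port) -> expiry time
        self.established = 0
        self.dropped_syn = 0

    def _expire(self, now):
        self.half_open = {k: t for k, t in self.half_open.items() if t > now}

    def on_syn(self, src_ip, src_port, now):
        """SYN received: reserve a half-open slot, or drop it if the table is full."""
        self._expire(now)
        if len(self.half_open) >= self.backlog:
            self.dropped_syn += 1
            return False
        self.half_open[(src_ip, src_port)] = now + self.half_open_timeout
        return True

    def on_ack(self, src_ip, src_port):
        """Final ACK of the handshake: the slot is released."""
        key = (src_ip, src_port)
        if key not in self.half_open:
            return False
        del self.half_open[key]
        self.established += 1
        return True


def sustained_syn_rate_to_fill(backlog, half_open_timeout):
    """SYN/s an attacker must sustain to keep the table full (backlog / timeout)."""
    return math.ceil(backlog / half_open_timeout)


def simulate(backlog=128, half_open_timeout=3.0, seconds=10,
             attacker_syn_rate=100, user_rate=3, seed=7):
    """Replay `seconds` of constructed traffic; report how legitimate users fared."""
    rng = random.Random(seed)
    srv = Listener(backlog, half_open_timeout)
    users = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]   # constructed LAN clients
    ok = fail = 0
    for tick in range(seconds):
        events = []
        # Attacker: spoofed sources in TEST-NET-2, never sends the final ACK.
        for _ in range(attacker_syn_rate):
            events.append(("atk", f"198.51.100.{rng.randint(1, 254)}",
                           rng.randint(1024, 65535)))
        for ip in users:                  # each user makes `user_rate` requests/s
            for _ in range(user_rate):
                events.append(("user", ip, rng.randint(49152, 65535)))
        rng.shuffle(events)
        for i, (kind, ip, port) in enumerate(events):
            now = tick + i / len(events)  # spread arrivals across the second
            accepted = srv.on_syn(ip, port, now)
            if kind == "user":
                if accepted and srv.on_ack(ip, port):
                    ok += 1
                else:
                    fail += 1
    return {"user_ok": ok, "user_fail": fail,
            "dropped_syn": srv.dropped_syn,
            "half_open_at_end": len(srv.half_open)}


if __name__ == "__main__":
    print("no attack     :", simulate(attacker_syn_rate=0))
    print("flood, 3 s    :", simulate())
    print("flood, 1 s    :", simulate(half_open_timeout=1.0))
    print("SYN/s to fill :", sustained_syn_rate_to_fill(128, 3.0))
```

Run it and compare the three lines: with no attacker every user request completes; with the flood the table fills, SYNs are dropped and users fail even though the attacker never “crashes” anything; with a 1-second timeout the same 100 SYN/s can no longer keep 128 slots occupied. The helper shows the arithmetic a defender should do: the attacker needs only about backlog ÷ timeout SYNs per second (43/s here), which is below the 50 RPS the server can serve, so a SYN flood succeeds with less traffic than an HTTP flood would need.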
The web server is being flooded, but some users can still connect, with delays and lag.
This illustration shows that while some users can connect to the server, they experience latency in the response. The delay occurs because the server is overwhelmed with the attacker’s requests and cannot process user transactions effectively.
Users may see an error such as “The server is too busy to handle your request” and be unable to connect because its resources are exhausted.
Some users are connected, while others are trying to connect and cannot.
Explanation
The attacker is flooding the e-commerce web server with 100 or more RPS.
The server resources can only handle 50 requests per second, as an example.
Some users were able to connect, but the responses were laggy.
Other users were unable to connect because the server was busy.
Ultimately, the attacker crashed the server by sending more requests, making the business unavailable.
As shown below, the server is now down, and neither users nor the attacker can reach it.
How to prevent such Attacks?
Strategy is key. Understand what needs protecting from one zone to another, whether you enforce it with firewalls or with layer-two switches. On the switch you may need to enable Storm Control (a Cisco feature; other vendors offer equivalents) to cap the share of bandwidth that broadcast, multicast or unknown-unicast traffic may consume, along with QoS where your requirements call for it.
Several measures are needed on the firewall. With a Next-Generation Firewall, for example, you can block DoS attacks by creating a DoS protection profile that rate-limits new connections to the zone or server you are protecting.
Malicious users are attacking the e-commerce web server, but the DoS protection profile drops the traffic from the offending source IP.
Explanation
A malicious user on an untrusted network sends harmful traffic to the DMZ server.
The DMZ server is covered by a DoS profile, so the traffic is dropped.
Another malicious user, this time on the trusted network, sends malicious traffic to the DMZ server.
The same DoS profile covers the DMZ server, so that traffic is dropped too; because the profile is applied per source IP, an insider gets no more leeway than an outsider.
Leveraging Palo Alto Firewalls to prevent DoS attacks
Denial of Service (DoS) attacks aren’t always complex. They just overwhelm your systems with traffic until nothing works.
With a Palo Alto Networks firewall, or any other NGFW, you can detect and block abnormal traffic before it cripples your environment. You just need to do the math on your normal traffic and have the skills to set the thresholds accordingly.
Here is a strategy to stop DoS attacks.
Have a strategy and identify the servers you want to protect.
Create a DoS protection policy that protects those servers from both internal and external attacks. Use a classified profile keyed on the source IP, so the thresholds apply to each source rather than to the aggregate.
Use App-ID to limit bandwidth-intensive or dangerous internal apps.
Have log alerts. If possible, set up a webhook or configure email so you are notified when thresholds are crossed.
Enable User-ID, which ties the activity to a username when thresholds are crossed.
Finally, use QoS or security profiles to limit how much a user can send per second.
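As an added example (not code from this post and not Palo Alto Networks code), the following Python models the classified DoS profile described in the DMZ explanation above and in the strategy steps: a per-source-IP counter with alarm, activate and maximal thresholds plus a block duration, applied to a constructed stream with one attacker on the untrusted side, one on the trusted side and three shoppers. The random-early-drop ramp between the activate and maximal rates, the addresses, the rates and the 50-connection-per-second server capacity are assumptions for illustration.

```python
"""Classified (per-source) DoS protection, modelled in Python.

Added example, not code from the post or from Palo Alto Networks. The
alarm / activate / maximal thresholds and the block duration mirror the knobs
a DoS protection profile exposes; the drop curve between activate and
maximal rate, and every address and rate below, are assumptions.
"""
import random
from collections import defaultdict

SERVER_CAPACITY = 50   # connections/s the DMZ web server can serve (figure from the post)


class ClassifiedDosProfile:
    """Per-source-IP new-connection limiter with alarm/activate/maximal thresholds.

    Assumed behaviour: reaching alarm_rate logs; between activate_rate and
    max_rate new connections are randomly dropped with rising probability;
    above max_rate the source is dropped outright and blocked for block_duration.
    """

    def __init__(self, alarm_rate, activate_rate, max_rate,
                 block_duration=60.0, seed=3):
        assert alarm_rate <= activate_rate < max_rate
        self.alarm_rate = alarm_rate
        self.activate_rate = activate_rate
        self.max_rate = max_rate
        self.block_duration = block_duration
        self.rng = random.Random(seed)
        self.window = {}          # ip -> [window start time, connections seen]
        self.blocked_until = {}   # ip -> time the block expires
        self.alarms = []          # (time, ip) records for the log / webhook

    def _bump(self, ip, now):
        """Count one new connection from ip inside a one-second window."""
        start, n = self.window.get(ip, (None, 0))
        if start is None or now - start >= 1.0:
            self.window[ip] = [now, 1]
            return 1
        self.window[ip][1] = n + 1
        return n + 1

    def admit(self, ip, now):
        """Return 'allow' or 'drop' for a new connection from ip at time now."""
        if self.blocked_until.get(ip, 0.0) > now:
            return "drop"                       # still inside the block period
        n = self._bump(ip, now)
        if n == self.alarm_rate:
            self.alarms.append((now, ip))       # one alarm per window
        if n > self.max_rate:
            self.blocked_until[ip] = now + self.block_duration
            return "drop"
        if n > self.activate_rate:              # random early drop ramp
            p = (n - self.activate_rate) / (self.max_rate - self.activate_rate)
            if self.rng.random() < p:
                return "drop"
        return "allow"


def simulate(profile, seconds=5, seed=3):
    """Replay a constructed traffic mix through `profile` (None = no profile)."""
    rng = random.Random(seed)
    sources = {                                 # constructed addresses and rates
        "192.0.2.10": 100,                      # attacker on the untrusted side
        "10.0.0.50": 100,                       # attacker on the trusted side
        "10.0.0.11": 3, "10.0.0.12": 3, "10.0.0.13": 3,   # shoppers
    }
    allowed = defaultdict(int)
    overloaded_seconds = 0
    for tick in range(seconds):
        events = [ip for ip, rate in sources.items() for _ in range(rate)]
        rng.shuffle(events)
        reached_server = 0
        for i, ip in enumerate(events):
            now = tick + i / len(events)        # spread arrivals over the second
            verdict = profile.admit(ip, now) if profile else "allow"
            if verdict == "allow":
                allowed[ip] += 1
                reached_server += 1
        if reached_server > SERVER_CAPACITY:
            overloaded_seconds += 1
    return {"allowed": dict(allowed),
            "overloaded_seconds": overloaded_seconds,
            "alarms": len(profile.alarms) if profile else 0}


if __name__ == "__main__":
    print("no profile  :", simulate(None))
    prof = ClassifiedDosProfile(alarm_rate=10, activate_rate=20, max_rate=40)
    print("with profile:", simulate(prof))
    print("alarms      :", prof.alarms)
```

Without the profile the server is over capacity every second; with it, each attacker is cut off within the first second and stays blocked, while the shoppers, who never approach the alarm rate, are untouched. The run also shows the caveat that belongs in your math: in the first second two sources can each push up to the maximal rate before they are blocked, so choose per-source thresholds with the number of plausible simultaneous sources in mind, and pair the classified profile with an aggregate profile that caps the total for the server.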
Here is a visualization of leveraging Palo Alto to protect your servers against DoS attacks.
In the future, I will elaborate on various types of cyberattacks, including Distributed Denial of Service (DDoS) attacks and Botnets, as well as strategies for mitigation using Next-Generation Firewalls (NGFWs), such as those developed by Palo Alto Networks, Fortinet, and Cisco.
Although I could share more attack vectors, let’s focus on those most relevant to today’s applications. I hope this information has been helpful for anyone wanting to understand Denial of Service (DoS) attacks and how to mitigate them.
Cheers,