In order to bring substance to a discussion of denial of service attacks, I cooked a brief attack taxonomy:
- Crash / non-resource attack
- DoS vulnerability exploitation for crashing or otherwise degrading IT capabilities.
- Resource consumption attack
- Network resource exhaustion of all available upload/download bandwidth across the link that connects the organization to the Internet or other networks.
- Infrastructure device resource exhaustion (e.g. router/firewall state table overflow) or exhaustion of a particular capability of a network infrastructure components.
- Target resource exhaustion of a few particular kinds:
- OS or network layer (e.g. SYN flood) resource exhaustion affects an operating system and typically occurs at transport or internet layer
- Application layer (e.g. Apache DoS via partial HTTP requests) that affects an application and typical uses application layer of a network communication. Application layer attacks present an extremely wide category, discusses further in the paper
- Business logic “layer” (e.g. add too many items to a web shopping cart to make the server non-responsive to others) that affects an application and typically utilizes some legitimate application functionality, leading to excessive resource consumption
An astute reader familiar with denial of service attack taxonomies presented in academic research or in vendor literature will note absence of a few types of attack such as “DNS flood”, ACK flood, GET flood, reflexive DoS, amplified DoS, etc. What’s the story with that?
In most cases, the victim really does not care whether the flood hitting its Internet facing servers is launched by an army of bots or amplified by misconfigured systems. In essence, I think that such fine-grained categorization does not add anything to the problem of choosing defense strategies. The above taxonomy is optimized for that problem alone rather than for academic categorization of all possible denial of service attacks.
Finally, please remember that whatever the attack type, one cannot “check the box” for DoS! Most of the DoS defense practices and technologies are about mitigation, not prevention (even though there are things one can do to make their organization more resilient to such attacks).
Related posts about Denial of Service: