Introduction: Denial of Service Attacks - AWS Best Practices for DDoS Resiliency

Introduction: Denial of Service Attacks

A Denial of Service (DoS) attack is a deliberate attempt to make your website or application unavailable to users, such as by flooding it with network traffic. To achieve this, attackers use a variety of techniques that consume large amounts of network bandwidth or tie up other system resources, disrupting access for legitimate users. In its simplest form, a lone attacker uses a single source to execute a DoS attack against a target, as shown in Figure 1.

Figure 1: Diagram of DoS Attack

In a Distributed Denial of Service (DDoS) attack, an attacker uses multiple sources—such as distributed groups of malware-infected computers, routers, IoT devices, and other endpoints—to orchestrate an attack against a target. As illustrated in Figure 2, a network of compromised hosts participates in the attack, generating a flood of packets or requests to overwhelm the target.

Figure 2: Diagram of DDoS Attack

DDoS attacks are most common at layers 3, 4, 6, and 7 of the Open Systems Interconnection (OSI) model, which is summarized in Table 1. Layer 3 and 4 attacks correspond to the Network and Transport layers of the OSI model. We’ll refer to these collectively as infrastructure layer attacks. Layer 6 and 7 attacks correspond to the Presentation and Application layers of the OSI model. We’ll address these together as application layer attacks. Examples of these attack types are discussed in the following sections.

Table 1: Open Systems Interconnection (OSI) Model

#  Layer         Unit      Description                                Vector Examples
7  Application   Data      Network process to application             HTTP floods, DNS query floods
6  Presentation  Data      Data representation and encryption         TLS abuse
5  Session       Data      Interhost communication                    N/A
4  Transport     Segments  End-to-end connections and reliability     SYN floods
3  Network       Packets   Path determination and logical addressing  UDP reflection attacks
2  Data Link     Frames    Physical addressing                        N/A
1  Physical      Bits      Media, signal, and binary transmission     N/A
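As an added example (not part of the AWS whitepaper), the following Python script applies the classification of Table 1 to constructed flow records: it tags each flow aimed at a target with the attack vector and OSI layer it matches, counts packets and distinct source addresses per vector, and labels a vector as distributed (DDoS, as in Figure 2) or single-source (DoS, as in Figure 1) by the number of sources observed. The record schema, the rules, the thresholds and the sample addresses are assumptions chosen for illustration; they do not describe a real flow-log format or an AWS detection mechanism.

```python
from collections import defaultdict
from dataclasses import dataclass

# UDP services commonly abused as reflectors, keyed by the service port that
# appears as the *source* port of the reflected traffic (standard IANA ports).
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 11211: "memcached"}
WEB_PORTS = {80, 443}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int
    flags: str      # TCP flags aggregated over the flow ("S" = SYN only); "" for UDP
    packets: int


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated record. The schema is an assumption made
    for this example, not a real flow-log format; '-' stands for no flags."""
    src, dst, proto, sport, dport, flags, packets = line.split()
    return Flow(src, dst, proto, int(sport), int(dport),
                "" if flags == "-" else flags, int(packets))


def vector_of(f: Flow):
    """Map one flow to (vector name, OSI layer), or None if nothing matches."""
    if f.proto == "tcp" and f.flags == "S":
        # A flow that never got past SYN: the half-open signature of a SYN flood.
        return (f"SYN flood on tcp/{f.dport}", 4)
    if f.proto == "udp" and f.sport in REFLECTOR_PORTS:
        # Replies from a reflector service; unsolicited ones are reflection traffic.
        return (f"UDP reflection via {REFLECTOR_PORTS[f.sport]}", 3)
    if f.proto == "tcp" and f.dport in WEB_PORTS and "P" in f.flags:
        # Completed connections pushing data at the web tier: request flood candidate.
        return (f"HTTP flood on tcp/{f.dport}", 7)
    return None


def summarize(flows, target, min_packets=1000, ddos_min_sources=10):
    """Aggregate matching flows toward `target` per vector.

    Returns {vector: {"layer", "sources", "packets", "distributed"}} for vectors
    whose packet count reaches min_packets. "distributed" is True when the
    vector arrives from at least ddos_min_sources distinct addresses (DDoS),
    False for a single-source DoS. Both thresholds are illustrative assumptions.
    """
    agg = defaultdict(lambda: {"layer": 0, "sources": set(), "packets": 0})
    for f in flows:
        if f.dst != target:
            continue
        hit = vector_of(f)
        if hit is None:
            continue
        name, layer = hit
        agg[name]["layer"] = layer
        agg[name]["sources"].add(f.src)
        agg[name]["packets"] += f.packets
    return {
        name: {
            "layer": e["layer"],
            "sources": len(e["sources"]),
            "packets": e["packets"],
            "distributed": len(e["sources"]) >= ddos_min_sources,
        }
        for name, e in agg.items()
        if e["packets"] >= min_packets
    }


TARGET = "10.0.0.10"


def sample_lines():
    """Constructed records using RFC 5737 documentation addresses, not captured data."""
    lines = [
        "198.51.100.7 10.0.0.10 tcp 52100 22 SPAF 120",   # legitimate SSH session
        "198.51.100.7 10.0.0.11 tcp 52101 443 SPAF 40",   # legitimate, other host
        "203.0.113.9 10.0.0.10 tcp 40000 22 S 2500",      # single-source SYN flood (DoS)
        "203.0.113.10 10.0.0.10 tcp 40001 8080 S 5",      # a port probe, below threshold
    ]
    # 50 spoofed sources half-opening connections to 443: distributed SYN flood
    lines += [f"192.0.2.{i} 10.0.0.10 tcp {40000 + i} 443 S 30" for i in range(1, 51)]
    # 12 open DNS resolvers replying to queries the target never sent: reflection
    lines += [f"203.0.113.{100 + i} 10.0.0.10 udp 53 {33000 + i} - 150" for i in range(12)]
    # 20 bots holding real connections and hammering the web tier: HTTP flood
    lines += [f"198.51.100.{50 + i} 10.0.0.10 tcp {50000 + i} 80 PA 80" for i in range(20)]
    return lines


def sample_report():
    return summarize(map(parse_flow, sample_lines()), TARGET)


if __name__ == "__main__":
    for vector, info in sorted(sample_report().items(), key=lambda kv: kv[1]["layer"]):
        kind = "DDoS" if info["distributed"] else "DoS"
        print(f"L{info['layer']} {kind:4} {vector}: {info['packets']} packets "
              f"from {info['sources']} source(s)")
```

Two caveats a real detector has to handle. The HTTP rule matches any completed session that carries data to the web tier, so legitimate users are counted alongside the bots and only volume and source spread set the flood apart; that is what makes application layer floods harder to separate from normal load than infrastructure layer floods. The reflection rule cannot tell solicited replies from unsolicited ones without correlating against the target's own outbound queries, and the sources it reports for a reflection attack are the reflectors, not the spoofing host behind them.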