Denial of Service the Series: Part 1 – DoS vs DDoS
Quite a while back I had posted everywhere and contacted everyone I knew regarding a Denial of Service survey that I was conducting. It came out of the frustration of watching people and companies disregard denial of service as a valid security concern. It seemed to be an ongoing debate -- Confidentiality & Integrity vs Availability, instead of all three being treated as important. Anyways I've been under constant hounding to release some statistics from the survey, so I figured I'd do a multi-part series on Denial of Service (ok... so right now it's planned as a 2-part series). This first part is a precursor, since I had numerous people argue on whether or not DoS and DDoS were the same thing or different things and also on whether or not DoS was still valid (more on that to come). Since the survey was part of a conference talk that I wanted to do and the talk wasn't accepted, I figure it's as good a time as any to start posting.
One of the most interesting things that I came across during my initial investigation was that there's no clear definition of Denial of Service. A simple define: denial of service search on Google yields numerous results:
Attacks on wired networks require a far greater deal of computing power, often even requiring the need of distributed computing. Attacks on wired networks of course do not require any NICs or external antennae, yet often does have the need of a (broadband) connection to the Internet. (Wikipedia)
I rather enjoy this one because it has two interesting remarks. The first is that you require a great deal of computing power to perform a denial of service attack. The second is that when attacking a wired network you do not require a NIC.
A type of attack that tries to block a network service by overloading the server. (Ingate - A firewall vendor)
Blocking a network service is definitely one form of a DoS, however a single computer usually doesn't accomplish the task very well and this will usually be a DDoS.
denial of service: An attack that consumes the resources on your computer for things it was not intended to be doing, thus preventing normal use of your network resources for legitimate purposes. (The Linux Security How-To)
This time instead of "overloading the server" we see "consumes the resources". One again, we seem to be confusing DoS as a whole with a single type of DoS or a DDoS. This confusion seems to occur everywhere. When I was initially distributing the survey link, I had numerous people question why I was even bothering. They claimed that DoS was irrelevant because it was simply a packet flood, that you were "overloading the server" and "consuming the resources". This is not the case at all and, as I've mentioned repeatedly, they were looking at a single piece of the Denial of Service Pie.
So what is a Denial of Serivce? Excellent question. There are actually a few sites that define it more appropriately.
Denial of Service: Result of any action or series of actions that prevents any part of an information system from functioning. (KeyBank)
Denial of Service: Unwanted or malicious messages that render network resources non-functional. Some examples are Ping of Death, SYN flood, IP spoofing and Smurf attacks (SEQUI)
This is a much more accurate definition of Denial of Service and I'm glad to see that there are proper definitions floating around.
If I were to define Denial of Service, I would say, very simply, "The absence of Availability." I don't think the definition itself needs to go much beyond that. It is very broad, but broad can be good. Some people may argue that it's too encompassing but that definitely isn't the case. Think about the recent Slashdot downtime, while the problem was internal, it was a Denial of Service in the broadest sense of the term. Whether it's a power outage, a tornado, a tank driving through your data center, a packet flood or a malformed packet bringing down a listening server... it's all Denial of Service.
Now DDoS is another beast. Distributed Denial of Service tends to be defined more reasonably most of the time and people are generally clear on what it is. Essentially, it's what everyone I quoted above was describing, a wide-scale, multiple-source attack that consumes resources and renders the device or service inaccessible. Metasploit, and many others, have experienced this recently.
So why is all of this important? It helps you to understand the logic and reasoning behind some of the questions on the survey. Many people left comments stating that the questions were unclear, primarily because they were thinking of Denial of Service in terms of a packet flood. Before I release details on the survey, I want to be sure people have a clear understanding of what I'm talking about. I know what you're thinking, and I should have done this prior to the survey, however I didn't realize that what I considered to be a industry standard definition was not.
That is why I asked questions like, "Is Denial of Service a Vulnerability?" Some said 'no', it's a packet flood and that isn't a vulnerability. Many said 'sometimes', with the logic that some times it's taking advantage of a vulnerability and other times it's a simple packet flood. Personally, I like 'sometimes' as the answer to this question, although the comment that I'd add would be that I consider the majority of DoS to be a vulnerability (in other words, 'sometimes' doesn't need to be a 50/50 split). The answer however, may depend on where you sit within IT/IS or perhaps where you sit within your organization.
I see a vulnerability as any weakness, within reason, that leaves you vulnerable. Some see a vulnerability as a coding flaw or poor protocol implementation, while others see a configuration option as a vulnerability. I've been told that a null pointer dereference shouldn't be labeled as a 'critical vulnerability' but we've all seen what Mark Dowd can do with one. I guess my point is that no answers were cut and dry, that's why I left the ability to comment on the majority of the questions.
So back to my point... my goal was to find out what everyone thought Denial of Service meant, and when they felt the label "Denial of Service" applied. Is a web server crashing on a malformed HTTP request a DoS? If it is, then is a web browser crashing on a malformed HTTP response also a DoS? The opinions on answering this can be quite varied, and in writing this I believe I just talked myself into a third post... a follow up with my commentary to the survey data, especially to this point as the answer really intrigues me. That being said, I invite everyone to comment on this point in particular (of course I always welcome comments on everything). Whether it's a comment below this post, or a blog post of your own... I would love to see full responses (in greater detail than the survey could have possibly allowed for) to those two questions.
I have theories and thoughts that I will expand on as well, as I explore this series (I believe I've just through of a fourth post now)... but up next will be the survey results. I just wanted to be sure that everyone had an understanding of the difference between DoS and DDoS, and that it was understood, or at very least understood that I feel, that a DoS is more than a simple packet flood.