Emerging Threats

What are Denial of Service (DoS) attacks? DoS attacks explained

A “denial of service” or DoS attack is used to tie up a website’s resources so that users who need to access the site cannot do so. Many major companies have been the focus of DoS attacks. Because a DoS attack can be easily engineered from nearly any location, finding those responsible can be extremely difficult.

A bit of history: The first DoS attack was done by 13-year-old David Dennis in 1974. Dennis wrote a program using the “external” or “ext” command that forced some computers at a nearby university research lab to power off.

DoS attacks have evolved into the more complex and sophisticated “distributed denial of service” (DDoS) attacks. The biggest attack ever recorded — at that time — targeted code-hosting-service GitHub in 2018. We’ll discuss DDoS attacks in greater detail later in this article.

Attackers include hacktivists (hackers whose activity is aimed at promoting a social or political cause), profit-motivated cybercriminals, and nation states.

Denial of service attacks explained

DoS attacks generally take one of two forms. They either flood web services or crash them.

Flooding attacks

Flooding is the more common form DoS attack. It occurs when the attacked system is overwhelmed by large amounts of traffic that the server is unable to handle. The system eventually stops.

An ICMP flood — also known as a ping flood — is a type of DoS attack that sends spoofed packets of information that hit every computer in a targeted network, taking advantage of misconfigured network devices.

A SYN flood is a variation that exploits a vulnerability in the TCP connection sequence. This is often referred to as the three-way handshake connection with the host and the server. Here’s how it works:

The targeted server receives a request to begin the handshake. But, in a SYN flood, the handshake is never completed. That leaves the connected port as occupied and unavailable to process further requests. Meanwhile, the cybercriminal continues to send more and more requests, overwhelming all open ports and shutting down the server.

Crash attacks

Crash attacks occur less often, when cybercriminals transmit bugs that exploit flaws in the targeted system. The result? The system crashes.

Crash attacks — and flooding attacks — prevent legitimate users from accessing online services such as websites, gaming sites, email, and bank accounts.

How a DoS attack works

Unlike a virus or malware, a DoS attack doesn’t depend on a special program to run. Instead, it takes advantage of an inherent vulnerability in the way computer networks communicate.

Here’s an example. Suppose you wish to visit an e-commerce site in order to shop for a gift. Your computer sends a small packet of information to the website. The packet works as a “hello” – basically, your computer says, “Hi, I’d like to visit you, please let me in.”

When the server receives your computer’s message, it sends a short one back, saying in a sense, “OK, are you real?” Your computer responds — “Yes!” — and communication is established.

The website’s homepage then pops up on your screen, and you can explore the site. Your computer and the server continue communicating as you click links, place orders, and carry out other business.

In a DoS attack, a computer is rigged to send not just one “introduction” to a server, but hundreds or thousands. The server — which cannot tell that the introductions are fake — sends back its usual response, waiting up to a minute in each case to hear a reply. When it gets no reply, the server shuts down the connection, and the computer executing the attack repeats, sending a new batch of fake requests.

DoS attacks mostly affect organizations and how they run in a connected world. For consumers, the attacks hinder their ability to access services and information.

Other types of attacks: DDoS

Distributed denial of service (DDoS) attacks represent the next step in the evolution of DoS attacks as a way of disrupting the Internet. Cybercrimininals began using DDoS attacks around 2000.

Here’s why DDoS attacks have become the weapon of choice for disrupting networks, servers, and websites.

The attacks use large numbers of compromised computers, as well as other electronic devices — such as webcams and smart televisions that make up the ever-increasing Internet of Things — to force the shutdown of the targeted website, server or network.

Security vulnerabilities in Internet-of-Things devices can make them accessible to cybercriminals seeking to anonymously and easily launch DDoS attacks.

In contrast, a DoS attack generally uses a single computer and a single IP address to attack its target, making it easier to defend against.

How to help prevent DoS attacks

If you rely on a website to do business, you probably want to know about DoS attack prevention.

A general rule: The earlier you can identify an attack-in-progress, the quicker you can contain the damage. Here are some things you can do.

Method 1: Get help recognizing attacks

Companies often use technology or anti-DDoS services to help defend themselves. These can help you recognize between legitimate spikes in network traffic and a DDoS attack.

Method 2: Contact your Internet Service provider

If you find your company is under attack, you should notify your Internet Service Provider as soon as possible to determine if your traffic can be rerouted. Having a backup ISP is a good idea, too. Also, consider services that can disperse the massive DDoS traffic among a network of servers. That can help render an attack ineffective.

Method 3: Investigate black hole routing

Internet service providers can use “black hole routing.” It directs excessive traffic into a null route, sometimes referred to as a black hole. This can help prevent the targeted website or network from crashing. The drawback is that both legitimate and illegitimate traffic is rerouted in the same way.

Method 4: Configure firewalls and routers

Firewalls and routers should be configured to reject bogus traffic. Remember to keep your routers and firewalls updated with the latest security patches.

Method 5: Consider front-end hardware

Application front-end hardware that’s integrated into the network before traffic reaches a server can help analyze and screen data packets. The hardware classifies the data as priority, regular, or dangerous as they enter a system. It can also help block threatening data.

How Symantec and Norton can help mitigate against DoS attacks and DDoS attacks

Symantec Complete Website Security with DDoS protection can provide significant protection against DoS attacks and the more destructive DDoS attacks.

Symantec’s protection is easy to implement and does not require any on-site hardware or software and no changes need to be made to your hosting provider or applications. Symantec Complete Website Security’s DDoS protection stops attacks at Symantec’s network and screens out the bogus traffic, while your legitimate users maintain uninterrupted access to your website.

What’s more, Symantec Complete Website Security’s DDoS protection provides comprehensive protection against a variety of DDoS threats such as brute force attacks, spoofing, zero-day DDoS attacks and attacks targeting DNS servers.

If you operate on a smaller scale — say, you operate a basic website offering a service — your chances of becoming a victim of a DDoS attack is probably quite low. Even so, taking certain precautions will help protect you against becoming a victim of any type of attack by hackers.

Here are a few things that can help.

  • Keep your security software, operating system, and applications updated. Security updates help patch vulnerabilities which hackers may try to exploit. Consider a trusted security software like Norton Security.
  • Consider a router that comes with built-in DDoS protection.
  • Look for a website hosting service with an emphasis on security.

Taking simple precautions can make a difference when it comes to your online security. For large organizations, the precautions become far more complex.

Victim of a data breach? LifeLock monitors for identity theft and threats.

Norton joined forces with LifeLock, we offer a comprehensive digital safety solution that helps protect your devices, connections and identity.


Symantec Corporation, the world’s leading cyber security company, allows organizations, governments, and people to secure their most important data wherever it lives. More than 50 million people and families rely on Symantec’s Norton and LifeLock comprehensive digital safety platform to help protect their personal information, devices, home networks, and identities.

Copyright © 2019 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, the Checkmark Logo, Norton, Norton by Symantec, LifeLock, and the LockMan Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the United States and other countries. Firefox is a trademark of Mozilla Foundation. Google Chrome and Android are trademarks of Google, LLC. Mac, iPhone and iPad are trademarks of Apple Inc. Microsoft and the Windows logo are trademarks of Microsoft Corporation in the United States and/or other countries. The Android robot is reproduced and/or modified from work created and shared by Google and used according to terms described in the Creative Commons 3.0 Attribution License. Other company names and product names are registered trademarks or trademarks of each company.