
A DoS (short for "denial of service") attack is a form of attack used on web services which aims to "crash" the service.

Is there any motive of this form of attack besides crashing the service / website?

For example, I could think of blackmailing / doing harm to a competitor / political reasons as a direct motive for a DoS attack. But are there other, more indirect motives? Would it be possible to get data from the service with a DoS attack? If so, how?

Martin Thoma
  • By definition, no. If you're using a DoS attack to "get data from the service", then it's not *just* a DoS attack anymore. – Ajedi32 May 27 '15 at 15:24
  • If I am your competitor in , by bringing your servers down I am likely to gain some of your customers. – BlueRaja - Danny Pflughoeft May 27 '15 at 18:38
  • It could be used as a diversion while a more sophisticated attack (aimed at stealing data, etc) is taking place. –  May 27 '15 at 21:40
  • They can. See my answer here for an example: http://security.stackexchange.com/a/81274/66382 – Mints97 May 28 '15 at 10:31
  • Two popular websites (Feedly and GitHub) were both DOS attacked; the former received a ransom, the latter seemed like a political move (targeting pages that circumvent internet censorship in China). – ashes999 May 29 '15 at 20:34
  • 35 people thought this showed research effort. – Alec Teal May 30 '15 at 01:29
  • A DoS attack can be part of a larger attack, e.g: Mitnick's attack on Shimomura's servers involved impersonating one of the servers, and preventing the impersonated server from interfering with the attack via syn-flooding it. – ninjalj May 30 '15 at 11:47



In general a (Distributed) Denial of Service attack will not provide you with much information directly. However, there are a few scenarios where information could be gleaned as a result of a DoS. The following are a few examples, but this is not at all exhaustive:

  • A load balancer may divulge internal subnet information or leak internal machine names in situations where backing systems are offline.
  • A DoS that shuts down the database first may cause an application to reveal the database engine type, connection username, or internal IP address via an error message.
  • A poorly implemented API could result in a "fail-open" scenario--DoS'ing a Single Sign On server may give an attacker the ability to log in unauthenticated, or with local credentials.
  • In Advanced Persistent Threat scenarios, DoS'ing detection infrastructure may allow an attacker to remain undetected during other information-gathering stages.
  • Similarly, DoS'ing the admin interface of a firewall could hinder network administration's incident response efforts.
  • In an extreme case, DoS against a key-revocation service could allow an attacker to continue to use revoked, or known-compromised credentials.

Other motives for a Denial of Service attack become apparent if you consider the users of a system as targets in addition to the system itself: A Denial of Service attack against a website that sells concert tickets may allow an attacker to buy tickets to an event that would have otherwise sold out in minutes. A DoS against a version control system could prevent a development company from delivering software on time. A DoS against a social media site could make coordinating political protests more difficult, or even impossible.

Motoma
  • I would think a DOS might also prompt a server or clients to negotiate less-secure encryption options than they otherwise might, if it causes login attempts with more-secure options to time out, but allows login attempts with less-secure options to succeed. – supercat May 27 '15 at 15:35
  • @supercat +1: Browsers/browser plugins that are set to prefer HTTPS over HTTP may fall back to HTTP if HTTPS is unavailable. – Motoma May 27 '15 at 15:40
  • I'd change that example to an SVN service, as a git server failure would usually be *much* easier to recover from due to its distributed nature. But it's still plausible if we're talking a massive number of repos that would take a very long time to migrate to a new server, so I'm just splitting hairs. +1 – jpmc26 May 27 '15 at 19:56
  • For further consideration: a DoS can trigger rate-limiting or simply exhaust logging/audit capacity; this can drop or obscure an attacker's source or intent. Some services are also susceptible to various guessing attacks, and DoS-ing all but one server may improve the chances of success, e.g. DNS. – mr.spuratic May 28 '15 at 09:02
  • Also, a totally overloaded server may be more vulnerable to timing attacks because the time difference is getting bigger when everything is slowed down by the DoS. – Sebb May 28 '15 at 09:34
  • _DoS against a key-revocation service could allow an attacker to continue to use revoked, expired, or known-compromised credentials_ "revoked" and "known-compromised", sure… but "expired"? – o0'. May 28 '15 at 12:43
  • @jpmc26: I was thinking of the "git push to deploy" pattern, but I've changed it to "version control system". Split those hairs, baby. – Motoma May 28 '15 at 15:50
  • *DoS against a version control system...* for an example - GitHub was recently targeted likely by the [Chinese gov't](http://arstechnica.com/security/2015/04/ddos-attacks-that-crippled-github-linked-to-great-firewall-of-china/) because of software hosted there. – Wayne Werner May 28 '15 at 22:59
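The second bullet of the answer above (a DoS on the database making the application echo engine, user and internal host details) is easy to reproduce in code. The following is an added, constructed example, not code from the thread: `DbDown`, the driver-style error text, the host name, IP and user in it are all made up; `fetch_profile_leaky` shows the leaking handler and `fetch_profile` the hardened one.

```python
"""Constructed example: what a client sees when the database behind a web
app has been knocked over. The leaky handler forwards the driver's error
text; the hardened one returns a generic 503 with a correlation id and
keeps the details in the server-side log."""
import re
import uuid
from typing import Callable, Dict, List, Optional

class DbDown(Exception):
    """Stand-in for a driver connection error (message text is constructed)."""

# Hypothetical query function: returns a row dict, or raises DbDown.
Query = Callable[[int], Optional[dict]]

def query_db_down(user_id: int) -> Optional[dict]:
    # Imitates the kind of text real drivers emit while the DB is unreachable.
    raise DbDown('could not connect to server "pg-internal-01.corp.local" '
                 '(10.20.30.40), port 5432, user "app_rw": Connection refused')

def fetch_profile_leaky(user_id: int, query: Query = query_db_down) -> Dict[str, object]:
    """Vulnerable handler: whatever the exception says goes to the client."""
    try:
        return {"status": 200, "body": query(user_id)}
    except Exception as exc:
        return {"status": 500, "body": f"Database error: {exc}"}

SERVER_LOG: List[str] = []   # stands in for the application's private log sink

def fetch_profile(user_id: int, query: Query = query_db_down) -> Dict[str, object]:
    """Hardened handler: generic message outward, full detail inward, plus a
    correlation id so support can still find the real error."""
    try:
        return {"status": 200, "body": query(user_id)}
    except DbDown as exc:
        ref = uuid.uuid4().hex[:12]
        SERVER_LOG.append(f"ref={ref} user_id={user_id} db_error={exc}")
        return {"status": 503,
                "body": f"Service temporarily unavailable (ref {ref})",
                "headers": {"Retry-After": "30"}}

# Crude check for internal details in a response body: a dotted-quad IP,
# an internal DNS suffix, or a quoted connection user. Tune per environment.
INTERNAL_MARKERS = re.compile(r'\b\d{1,3}(?:\.\d{1,3}){3}\b|\.corp\.local\b|\buser "')

def leaks_internals(body: str) -> bool:
    return INTERNAL_MARKERS.search(body) is not None
```

The `leaks_internals` check is the sort of assertion worth keeping in a test suite that runs with the database deliberately stopped.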

In general, DoS attacks are only designed to cause (as their name suggests) a denial of service, i.e. a compromise of the availability of the service.

Other forms of DoS, e.g. triggering a null pointer dereference, might be used to compromise integrity by crashing a service without it having time to cleanly close files, leading to data corruption (loss of integrity). Databases are an obvious target for that kind of thing.

Firewalls and other security services should fail closed if they are effectively DoS'ed. I'm not aware of any case where something like that would fail open. However, I could foresee a scenario where a server behind a load balancer falls to a DoS attack, so the load balancer shifts to a secondary system, which is configured in a weaker manner, thus revealing that vulnerability externally.

Outside the CIA triad, you might find that DoS attacks are used to divert attention and staff resources away from a more subtle attack.

Polynomial

Yes, a DoS attack can be useful to an attacker.

(By the way, it's not an attack only against web services. It can be directed against any network device).

The point of DoSing a device in such cases is to make it respond slower or later than it would normally do. Off the top of my head, I see:

  • DNS cache poisoning (Kaminsky's attack) - This relies on the attacker's ability to deliver a DNS reply sooner than the authoritative DNS server, which might be accomplished by DoSing the authoritative server.
  • NSA's Quantum insert attack relies on replying sooner than the legitimate server
  • TCP/IP address spoofing is also helped by slowing the legitimate reply
  • OCSP (certificate status) servers are so unreliable and overloaded that some web browsers do not check them by default, opening an avenue to fake certificate attacks

On a different note, DoSing clearnet servers (e.g. by a classical DoS, or just by cutting network access) could be used to verify a Tor hidden service's identity - e.g. it might have been used in pinpointing Silk Road's server.

In a similar vein, the Nazis during WW2 used a kind of DoS (switching off electricity in city quarters and streets) during la Résistance radio stations' transmissions to find out their locations.

Edheldil
  • I think in our digital age we rarely think about DoS being useful in a physical attack vector as well. Like smashing/disabling an RFID tag reader. – Wayne Werner May 28 '15 at 23:02
  • Great answer! I wish I could up this more than once. Nailed it in the bullet points and an awesome anecdote. – Motoma May 31 '15 at 01:11

*A DoS (short for "denial of service") attack is a form of attack used on web services which aims to "crash" the service.*

Not exactly. As the name implies, the aim is to make the service unavailable for legitimate users. The most common way to do this for an Internet service such as a web server is to saturate the connections so that nobody else can connect. This can be done e.g. via a SYN flood.

Edit: as @RoryAlsop commented, an attacker might also try to crash the service in order to make it completely off-line.

*Would it be possible to get data from the service with a DoS attack? If so, how?*

No, that's a completely different type of attack — which, however, could be carried out in conjunction with a DoS, the latter having the aim to saturate the resources of a security-related appliance e.g. an IDS, a firewall, or even a logger.

dr_
  • dr01's post is correct, however we do see DDoS attacks used as parts of wider attacks, either as a precursor, to saturate support/response staff and monitoring tools so the theft (for example) is not spotted, or as a blunt force tool to knock out defensive functions. – Rory Alsop May 27 '15 at 13:57
  • @RoryAlsop that should be an answer. – Luc May 27 '15 at 13:59
  • @RoryAlsop: Good point, added that to my answer. – dr_ May 27 '15 at 14:01

One result from a DoS attack that I believe was not mentioned in any of the other answers is the possibility that a particular action may result in data being stored, even if just bytes. For example, if visiting a particular URL may log something in a file, the attacker's goal could be to fill the hard drive.

This could create havoc for clearing the drive space, especially if the data is created in separate files, with possibly random names, or if the data is added to a database with legitimate data.

user530873

While a DoS cannot normally be used to cause damage other than simply knocking the server offline, in certain circumstances (most commonly due to poorly configured systems) it can lead to severe consequences, such as data leakage.

One famous example is the ACS Law website information leak. The poorly configured server, when restarted after the DoS attack ended, somehow lost its original settings and allowed its directory root to be viewable publicly.

“Their site came back online [after the DDoS attack] – and on their frontpage was accidentally a backup file of the whole website (default directory listing, their site was empty), including emails and passwords,” a leader of the attacking group told TorrentFreak. “The email contains billing passwords and some information that ACS:Law is having financial problems.”

This later led to serious financial and reputation repercussions for ACS Law.

March Ho

I think of non-technical gains for the attacker:

  • Extracting ransom money from the attacked service for stopping the DoS attack
  • Gaining public attention for a political cause (the Anonymous group used DoS attacks in the past this way)
  • Getting commercial advantage from bringing the competitor's website down (an attacker can offer this as an illegal service)
jk - Reinstate Monica

Most answers on here mention side-effects of DOS-attacks. However, I think there's also the reverse option possible: that the DOS-attack is not the cause of the side effects, but instead is itself a side-effect of another attack. For example, a DOS-attack might be a side-effect of a botnet brute-force enumerating email addresses through a forgot password screen, slowing down the service or even crashing it.

The motive of this form of attack is not to take down the system, but instead to get a list of users of the service, where the method used to get the list of users has the side-effect of taking down the system.

Nzall

Usually, but not necessarily. It all depends on what happens next when the intended service fails due to the attack. Imagine that the effect of the attack is to overload the user authentication for a site, and that the effect of the failure is to allow service instead of deny it. Probably not the intended behavior, easily one that could be missed in normal testing.

ddyer
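The fail-open case raised in ddyer's answer, and earlier in Motoma's third bullet (a DoS'ed Single Sign On server letting users in unauthenticated), comes down to how the application treats an authentication dependency that stops answering. The following is an added, constructed example, not code from the thread: the `SsoUnavailable` error, the two validator stubs and the sample token are made up; it contrasts the fail-open handler with a fail-closed one that also leaves an audit record.

```python
"""Constructed example: an application checking session tokens against a
remote SSO validator. When the validator is slow or down (say, under DoS),
`authorize_fail_open` lets any request through, while
`authorize_fail_closed` denies it and records the outage."""
from typing import Callable, List, Optional

class SsoUnavailable(Exception):
    """Raised when the validator times out or refuses connections."""

# Hypothetical validator contract: user id for a valid token, None for an
# invalid one, SsoUnavailable when it cannot answer at all.
Validator = Callable[[str], Optional[str]]

KNOWN_TOKENS = {"tok-alice": "alice"}   # constructed sample data

def validator_up(token: str) -> Optional[str]:
    return KNOWN_TOKENS.get(token)

def validator_down(token: str) -> Optional[str]:
    raise SsoUnavailable("connect timeout after 5s")

def authorize_fail_open(token: str, validate: Validator) -> bool:
    """Vulnerable pattern: the default outcome is 'allow' and an outage is
    swallowed as a transient glitch, so any token works while SSO is down."""
    allowed = True
    try:
        if validate(token) is None:
            allowed = False
    except SsoUnavailable:
        pass   # "don't lock everyone out during a blip": grants access
    return allowed

def authorize_fail_closed(token: str, validate: Validator, audit: List[str]) -> bool:
    """Hardened pattern: True requires a positive answer from the validator;
    an outage denies the request and leaves an audit line for responders."""
    try:
        user = validate(token)
    except SsoUnavailable as exc:
        audit.append(f"sso_unavailable token_prefix={token[:4]} err={exc}")
        return False
    return user is not None
```

The audit line matters as much as the denial: a burst of `sso_unavailable` events is the signal that the SSO outage itself may be the attack.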