Similar to a DDoS attack, a denial-of-service (DoS) attack attempts to interrupt service availability and performance by overwhelming a targeted resource—like a computer or server. These attacks are typically small in scale, yet can cause plenty of damage without protections in place.
A denial-of-service attack is considered volumetric since it uses mechanisms such as request flooding to prevent legitimate requests from being processed, versus targeting an application's weak point(s) such as a search page. This occurs when a target's (or network's) resources are exhausted. Available CPU, memory, and bandwidth are critical to high availability and application performance.
How do denial-of-service (DoS) attacks work?
Attackers harness a single machine for DoS attacks. This differs fundamentally from DDoS attacks, which use networks of multiple machines (often called botnets) to orchestrate an attack. It's therefore easier to counteract DoS attacks and deduce their origins, since SecOps teams don't have to sniff out where multiple globally distributed attack vectors may be hiding.
There are three common types of DoS attacks:
Protocol attacks – An attacker exploits a property of the protocol to overload devices in the network path. In a Slowloris attack, for example, the attacker sends data very slowly to use up connection slots and prevent legitimate clients from connecting. Defending against these attacks usually involves setting system connection limits, request timeouts, and concurrent connection limits (among others, depending on the nature of the attack).
Application layer attacks – An attacker takes advantage of a slow part of an application or similar (such as a search page) to make enough requests to overload the site's resources and bring it down. Rate limiting or challenging suspicious requests are common countermeasures to keep them from reaching the application.
Volumetric attacks – The attacker sends enough generic packets at a target to overwhelm its network resources. This type of attack occurs directly or with the help of amplification (where an attacker spoofs the target's IP address as the source of packets sent to other hosts, such as DNS servers, which then reply to the target with larger responses).
However, these aren't the only indicators that a denial-of-service attack is ongoing. Extended loading times, connection timeouts, and network connectivity issues can signal an active DoS threat.
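The countermeasures listed above for protocol and application-layer attacks (connection limits, request timeouts, per-client concurrency limits, and rate limiting) can be expressed with standard HAProxy directives. The configuration below is an added example, not taken from the original page or from HAProxy's documentation; every threshold, the `/search` path, the `st_search` table name, and the server address are assumptions to be tuned to real traffic.

```haproxy
global
    maxconn 20000                       # system-wide cap on concurrent connections

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s
    # Without this, a client that trickles its headers holds a connection slot
    # for the whole client timeout. Complete headers must arrive within 5s.
    timeout http-request    5s
    timeout http-keep-alive 2s          # release idle keep-alive connections quickly

# Dedicated counter table for the expensive endpoint (no servers, table only)
backend st_search
    stick-table type ip size 100k expire 30s store http_req_rate(10s)

frontend fe_web
    bind :80
    maxconn 10000                       # cap for this listener

    # Per-source-IP counters: open connections and request rate over 10s
    stick-table type ip size 100k expire 30s store conn_cur,http_req_rate(10s)
    tcp-request connection track-sc0 src

    # Concurrent connection limit per client (assumed threshold: 20)
    tcp-request connection reject if { sc_conn_cur(0) gt 20 }

    # General rate limit per client (assumed: 100 requests per 10s)
    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 100 }

    # Tighter limit on a slow page (hypothetical /search, assumed: 10 per 10s)
    http-request track-sc1 src table st_search if { path_beg /search }
    http-request deny deny_status 429 if { path_beg /search } { sc_http_req_rate(1) gt 10 }

    default_backend be_app

backend be_app
    # Per-server cap: excess requests queue in HAProxy instead of hitting the app
    timeout queue 10s
    server app1 192.0.2.10:8080 maxconn 200
```

Validate the file with `haproxy -c -f <file>` before reloading, and watch the counters with `show table fe_web` on the runtime API while tuning the thresholds.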
How does HAProxy address denial-of-service (DoS) attacks?
HAProxy Enterprise ships with a number of multi-layered security features, such as the HAProxy Enterprise Web Application Firewall, HAProxy Enterprise Bot Management Module, and Global Rate Limiting. Together, these provide fast and accurate detection of suspicious traffic, stopping those troublesome requests from reaching backend servers. Meanwhile, PacketShield offers powerful, stateful packet filtering to guard against floods.
To learn more about these security features, check out our HAProxy Enterprise 2.9 announcement blog post or our security solution page.