Denial of Service (Wiki)

The content of the Security Analogies wiki is now available here, under the GNU Free Documentation License 1.2.

Thanks to Moreilly and others for the content of the page.

A Denial of Service (DoS) attack can be a serious problem. It's the networking equivalent of "too much of a good thing".


A Denial of Service is an event, or series of events, which overwhelm part(s) of an infrastructure such that the infrastructure can no longer accomplish its intended function.

The Phone Analogy

It's equivalent to asking 1000 people to call the same individual's phone number, over and over and over. That person—let's call her Alice—would be completely unable to use her phone, as the volume of calls would overwhelm the line.

One comment I've gotten when using this analogy is "Why doesn't Alice just not answer the phone unless she recognizes the number? Or just turn the phone off?" so rather than stretch the analogy adding that caller ID doesn't work or that she can't turn it off I change it a bit: make Alice the receptionist at an office. She can't stop answering the phone without losing her job and not only is her phone useless she can't greet people who walk in the door, tell them where the bathroom is, file papers, notify her boss that an appointment is there, etc.

The Baseball Analogy

In baseball, a pitcher throws the ball to the batter, which the batter then tries to hit. For the purposes of this analogy, we're going to assume that the batter is practicing, and the pitcher is an automated machine which is trying to send "hittable" balls to the batter.

So long as the pitching machine throws only as often as the batter can hit (swing, reset the bat, swing, reset the bat), the system works. But suppose the machine starts sending balls too fast? This is the beginning of the denial of service, and fortunately the easist type to fix—the batter simply starts ignoring every other ball from the machine, or simply stops hitting the balls the machine throws. The DoS is then no longer effective.

Now let's consider a "Distributed" Denial of Service (DDoS) attack. For this analogy, we're still using the batter, but there are nowthreepitching machines, each randomly timed to send a ball to the batter. This still works fine so long as the machines don't overload the batter. But let's stretch the analogy just a bit for a moment—the way the Internet works, there could be10 000machines each sending balls. None of them send enough for the pitcher to completely ignore them (the way she would deal with a normal DoS attack), but there are still so many balls coming at her that she is most certainly overwhelmed. This is the essence of a DDoS attack.

The Motorway Analogy

On a long-distance car journey, you probably start out on a small road, turn onto a main road, then join a motorway for most of your journey. When you get near to your destination you repeat the pattern in reverse, turning onto successively smaller roads until you arrive at your destination. Your route starts along a narrow, low-capacity link, transfers to a high-capacity link, and then back to a low-capacity one near your destination. Normally, this is ok because although there are a lot of cars on the motorway, they are all going to different places, so there are only a few cars using each of the smaller roads.

When there is a big music festival on, though, a large number of cars from the motorway all decide to leave at the same junction and take the same route along minor roads to the same destination, causing a traffic jam and preventing locals from reaching their homes in nearby villages. This convergence of traffic from many points on the network is like a distributed denial of service attack online. The problem comes at each point where a wide pipe (a motorway or internet backbone) feeds into a smaller one (a country road or an individual company's internet connection). If the wide pipe feeds the narrow one more traffic than it can accept, then congestion occurs. (On the road, the cars wait in queues, on the internet the packets will be discarded if they cannot be fed through in a reasonable time-frame).

This is why a DDoS attack can be so hard to prevent, because the problem occurs not just in one place, but at multiple interfaces across the internet infrastructure, over which you as the victim have no direct control.

DoS: Intent or Accident?

It's important to note that DoS attacks are not only caused with malicious intent; denials of service can happen as a result of many otherwise benevolent causes as well. The "Slashdot Effect" is a well-known Web-DDoS problem. A traffic jam is a real-world example of a DDoS attack which is not caused (in most situations) by malicious activity, just an overwhelming of the roadway.

WebSanity Top Secret