Denial of service is a common form of attack and can be initiated from the network or on a local system. These attacks exploit a design's failure to address the negative events in an application. Applications should be developed with an understanding of the functionality they provide and the functionality they do not provide. This allows the developer to build safeguards into the application that protect it from denial of service. These attacks come in several flavors: network bandwidth saturation, system resource utilization, and application flaws.

Network bandwidth saturation results when the entire capacity of a network link is filled with data, preventing new communications from proceeding and slowing down those already in progress. This occurs when the network hardware, which is a specialized computer, is unable to process new network data quickly enough. Therefore, the network hardware is overcome, causing delays in new network traffic or even its complete cessation.

System resource utilization is similar to network bandwidth saturation, except the saturation occurs on the individual system instead of the network wire to which it attaches. System resources (memory, disk storage, processor utilization, and operating system–specific features such as processes and files) all have limits; physical limitations of the hardware naturally reflect on the limitations within the operating system. Examples of physical limitations to a system are the amount of memory and disk storage available, and how fast a processor can execute instructions. Examples of operating system–specific limitations that are dependent upon the hardware configuration are the number of files and processes that can exist and the number of users who can work simultaneously.

System-based denial of service exploits the confines of these limitations by using all of the available resources of the target. These attacks come in many forms.
Many operating systems stop functioning properly when all of the disk storage space or memory is used. Users can be denied access if the maximum number of users is exceeded. A processor can be completely utilized by endless complex functions, causing all other functions to slow or halt. An application that creates multiple processes can cease to function if the process limits of the system are met.

Developers can be misled into believing that these network and system limits make it impossible to avoid or prevent denial of service attacks, but this is not the case. Strong design and implementation of an application can overcome and protect against denial of service and many other forms of attack. There are caveats, however—the nature of the Internet creates situations wherein factors beyond the control of the developer are present. It is impossible to completely eliminate all possibilities for attack because of the Internet's dependencies on external environments. The goal then becomes to establish an environment that makes it difficult for an attack to succeed. Forethought and analysis in the design and development of an application limit the situations in which an attack succeeds.

To help safeguard against denial of service in networked applications, it can be useful to set high-watermarks within the application that limit and detect abnormally frequent connection attempts, such as 20 connections-per-second for a given service. These abnormalities might be signs of denial of service if an attacker is attempting to starve the resources of the system. Other protections include resource monitoring and limitation that give the application complete control of its execution.

Tip: To protect against denial of service attacks, begin to consider where potential vulnerabilities exist in an application. Start early in the design phase and continue the analysis through the completion of the application.
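
The high-watermark described above, as an added example that is not part of the original article: a sliding-window limiter that refuses connections beyond 20 per second for one service and records which sources were refused. The class name, the `max_sources` cap, the injectable clock and the sample addresses are assumptions made for illustration.

```python
import time
from collections import Counter, deque


class HighWatermark:
    """Sliding-window connection limit for one service."""

    def __init__(self, limit=20, window=1.0, max_sources=1024,
                 clock=time.monotonic):
        self.limit, self.window = limit, window
        self.max_sources, self.clock = max_sources, clock
        self.recent = deque()     # timestamps of accepted connections
        self.refused = Counter()  # source -> refusals, for detection

    def allow(self, source):
        """Return True to accept a new connection, False to refuse it."""
        now = self.clock()
        # Forget accepted connections that have aged out of the window.
        while self.recent and now - self.recent[0] >= self.window:
            self.recent.popleft()
        if len(self.recent) < self.limit:
            self.recent.append(now)
            return True
        # Over the mark: count the refusal but queue nothing, so the
        # limiter cannot itself be used to exhaust memory.
        known = source in self.refused or len(self.refused) < self.max_sources
        self.refused[source if known else "other"] += 1
        return False

    def report(self, top=3):
        """Sources refused most often: the abnormality worth alerting on."""
        return self.refused.most_common(top)


def demo():
    """Constructed traffic: a 30-connection burst, then one later client."""
    now = [0.0]
    wm = HighWatermark(limit=20, window=1.0, clock=lambda: now[0])
    results = []
    for i in range(30):                  # 30 attempts within 0.3 s
        now[0] = i * 0.01
        results.append(wm.allow("198.51.100.7"))
    now[0] = 1.5                         # burst has aged out of the window
    results.append(wm.allow("203.0.113.9"))
    return results, wm.report()


if __name__ == "__main__":
    print(demo())
```

In a server, `allow()` would be called with the peer address immediately after accepting a socket, closing the connection when it returns False.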