Does the amount of bandwidth available on a network determine how strong a DoS attack should be?

Imagine a post office.

It has an entrance, a counter with a clerk who deals with the customers and their packets. The clerk is a multi-tasking talent with a lot of arms to deal with packets on the counter.

The counter has a certain width, so only a certain number of customers can be processed at the same time.

The clerk has a small address book with addresses of where to send the packets. Some pages are blank, and he can input new addresses.

Behind the counter and the clerk are a certain number of shelves, where the assistant of the clerk puts packets until they can be further processed and sent.

There are now several cases for a DDOS / DOS attack in this metaphor.

Case 1 - SW Bug

One mean customer steps forward, leans over to the clerk and shows the clerk the packet with the address "Vietnam" on it - which triggers the clerk's PTSD[1]. This is something only a few people knew about. The clerk starts sobbing uncontrollably, sits in a corner and is of no further use to the post office. It has to close early, until the owner of the office comes, says some magic words and restarts the office.

The word "Vietnam" in this case stands metaphorically for a bug that the mean customer abuses. Since usually only one packet is needed to freeze the office, this might not count as a DDOS, but certainly a DOS.

Case 2 - Bandwidth

The post office has only one door, through which all the customers and the packets have to squeeze themselves, incoming and outgoing ones alike.

If an attacker wants to abuse this, he might gather a lot of unusually big customers and/or packets to enter the post office all at the same time. Now the doors are too tight and new customers can't enter while other customers can't leave the store. This halts the post office, until the clerk puts down a rule at the entrance: "You must be smaller than this to enter".

Everyone trying to enter the office while being too big won't be allowed to enter the office.

The doors here stand for the bandwidth; the more bandwidth you have, the more customers can enter / leave at the same time. Since this is pretty dynamic, it's sometimes hard to find the exact point at which the store has to halt.

Case 3 - CPU Load

Whenever a customer comes to the clerk, he has to greet them, take the packet and process it. Usually he has to check if the address is correct, the packet is not purple (purple packets are not standardized packets and therefore bad!). If the clerk is really paranoid, he has to open the packet, look to make sure that no contraband is inside, test if the packet smells like Anthrax, etc.

So depending on the rules for the post office, the clerk has to check a lot of parameters. If an attacker wants to abuse this, he can gather a lot of people with a lot of small packets. The clerk has to process EVERY packet, which can create a lot of overhead.

Because of this, the customers outside start to pile up, and some even start to curse and leave the line, since they don't have all the time in the world to wait in this line forever.

So CPU load usually has to do with processing in this metaphor.

Case 4 - Memory

The clerk works for quite some time in the post office, so he has memorized several addresses. He also has some addresses written in his address book.

An attacker can abuse this by gathering a lot of people and telling them to write unusual addresses on their packets.

So each time the clerk processes one of those mean customers, he has to write down another address into his book. This soon gets filled and now he is in trouble. How should he process new addresses? Kick out old ones? He has no idea and maybe stops his processing altogether.

The address book stands for the memory, which is finite.

Case 5 - Connections

The counter has a certain width, as mentioned. Since the clerk is a multi-tasking talent, he can deal with 3000 customers at once, but not more.

The attacker can abuse this fact by gathering a lot of people and telling them to try to rush to the counter. Now there are 5000 people, demanding to get their packet processed, causing a lot of stress for the clerk with his just 3000 arms.

Case 6 - Disks (and other resources)

The clerk has to store the packets into a shelf behind his counter. This is the job of his assistant. Some assistants are faster than others, so sometimes it can happen that the clerk can deal with 3000 customers at once, while the assistant has to slowly move himself and the packet to the correct part of the shelf.

So while the clerk certainly is fast enough, the poor assistant is not. The assistant in this case can be the server disks or other components.

Conclusion:

DDOS / DOS attacks can use a lot of different methods and parameters to stop or slow the service of a server / server-cluster. Therefore it depends on a lot of factors: Which software you use, how much bandwidth you have, the CPU, memory etc.


[1] PTSD is no joke, but it fits this metaphor nicely. I apologize for using it in a jokingly fashion.
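A small capacity model of the post office, added here as an illustration and not part of the answer above: given constructed capacities for the door, clerk, address book, counter and assistant, it reports which resource a given stream of customers saturates first, which is exactly the "it depends on a lot of factors" point of the conclusion. Occupancy of the counter and the address book is assumed to follow Little's law (in use = arrival rate times holding time); every number below is made up.

```python
from dataclasses import dataclass
@dataclass
class Server:
    """Capacities of the post office (constructed sample values)."""
    bandwidth_bps: float    # Case 2: the door, bytes per second
    cpu_req_per_s: float    # Case 3: packets the clerk can check per second
    memory_entries: int     # Case 4: pages in the address book (state slots)
    max_connections: int    # Case 5: counter width (customers served at once)
    disk_bps: float         # Case 6: the assistant, bytes shelved per second

@dataclass
class Traffic:
    """A steady stream of customers (constructed sample values)."""
    req_per_s: float          # customers arriving per second
    bytes_per_req: float      # size of each packet
    conn_hold_s: float        # seconds each customer occupies the counter
    new_state_per_req: float  # fraction of packets needing a new address entry
    state_ttl_s: float        # seconds an entry stays in the address book
    bytes_written_per_req: float  # bytes the assistant must shelve per packet

def utilization(server, traffic):
    """Load on each resource as a fraction of its capacity (1.0 = saturated).
    Occupancy follows Little's law: in use = arrival rate * holding time."""
    r = traffic.req_per_s
    return {
        "bandwidth": r * traffic.bytes_per_req / server.bandwidth_bps,
        "cpu": r / server.cpu_req_per_s,
        "memory": r * traffic.new_state_per_req * traffic.state_ttl_s
                  / server.memory_entries,
        "connections": r * traffic.conn_hold_s / server.max_connections,
        "disk": r * traffic.bytes_written_per_req / server.disk_bps,
    }

def bottleneck(server, traffic):
    """Name and load of the resource that saturates first."""
    u = utilization(server, traffic)
    name = max(u, key=u.get)
    return name, u[name]

# Constructed example: 1 Gbit/s link, 3000-customer counter as in Case 5.
SERVER = Server(125_000_000, 20_000, 100_000, 3000, 50_000_000)
# Many small packets whose customers linger at the counter (Cases 3-5).
SMALL_FLOOD = Traffic(10_000, 500, 0.5, 0.1, 60, 0)
# Fewer, very large packets squeezing through the door (Case 2).
BIG_PACKETS = Traffic(200, 1_000_000, 0.1, 0, 60, 100_000)

if __name__ == "__main__":
    for label, t in (("small flood", SMALL_FLOOD), ("big packets", BIG_PACKETS)):
        print(label, "->", bottleneck(SERVER, t))
```

With these numbers the small-packet stream keeps 5000 customers at a 3000-wide counter while using only 4% of the door, whereas the big-packet stream overflows the door at 160% while the counter is nearly idle; the same rate of arrivals fails in two different places.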


First you have to be clear that there are different kinds of denial of service attacks. Some of them don't require a lot of resources; they use vulnerabilities in software to block the server-client communication. Brute-force DOS attacks are most of the time DDOS attacks.

To answer your question: No, it's not only the bandwidth that can cause DOS attacks. Routers or webservers have configs that limit the amount of connections (apache2 default 10.000). As soon as they are filled up and another client wants to connect, it will get refused (dos).
