(D)DoS attack - How does it work and how will BitNinja stop it?
Nikolett Hegedüs

(D)DoS attack - How does it work and how will BitNinja stop it?

100% server uptime... Every hosting company is dreaming about it as nowadays when there are countless service providers, customers will choose the one which grants reliability. What happens when a website is inaccessible? It’s always painful for the website owner, the visitors and for the hosting company. There could be many reasons behind it, but maybe the most annoying is when it happens because of a DoS attack.

What is DoS?

DoS stands for Denial of Service: it’s a type of attack that could render web servers unresponsive - meaning they won’t be able to serve HTTP requests. So users can’t visit web pages hosted on them. Hackers achieve this by overwhelming the web servers’ resources by issuing a lot of connections all at once.

Imagine this scenario, it's similar to when several people call the ambulance service at the same time. The dispatcher will then have to talk to everyone who calls and send an ambulance to every location. But there’s a limited number of vehicles at a certain station and in a city, and what if most callers are not really in danger. If one person really needs the service, and the ambulance can’t get to this person fast enough, their life will be in danger. As the resources - the ambulance, the paramedics, the tools they’re using and the skills they have - are “being used” by other people who don’t really need them, so they’re blocking the service.

Maybe no lives are in danger when your website is not available, but it does cause harm to your business.

When issuing DoS attacks, the hackers aim to prevent legitimate use of a service. They could do it to hurt a business rival, to block banking and financial services, to make the most visited websites unavailable, etc.

Types of DoS

There are two types of DoS: those that crash services, and those that block services.

Certain tools exist on the web that can be used by attackers to issue DoS attacks. For example, Slowloris is a type of denial-of-service attack tool: it tries to keep many connections open to the target web server and keep them open for as long as possible. It sends partial requests, and never finishes them. It will periodically send HTTP headers, but will never complete them so the servers will keep the connection open, filling their maximum concurrent connection pool.

Then there are denial-of-service attacks, and the aim is to slow a service down. It is called a degradation-of-service DoS attack. For example, the web service will be available, but the web server will fulfill the requests very slowly because of the high resource usage caused by the DoS attack.

The list of the DoS types could be extensive, but the most popular DoS type, which most people fear, is the DDoS. It’s an acronym of Distributed Denial-of-Service, which is basically large scale DoS, and it is a very serious type of attack.

But what is the difference between DoS and DDoS, and why is it so hard to protect your servers from DDoS attacks?

When an attacker mounts an attack from a single host, it would be classified as a DoS attack. In fact, any attack against availability would be seen as a denial-of-service attack. On the other hand, if a hacker uses many machines to launch attacks against a remote host simultaneously, this would be classified as a DDoS attack.


For system administrators and cybersecurity personnel, it’s hard to discern normal traffic from malicious traffic when trying to prevent and detect DDoS attacks. Botnets are used in very large scale to issue DDoS attacks against servers. Often, upgrading the bandwidth would not help, because the attackers could use even more machines to attack.

More attack machines (used in botnets) are harder to track down and harder to shut down. That's why DDoS attacks are hard to prevent.

How can BitNinja protect you from DoS and DDoS attacks?

BitNinja provides DoS protection at the application level.

BitNinja DosDetection module will detect if there are over 80 connections from an IP address simultaneously, and will block the IP (put it on the blacklist) for one minute. After the one minute, BitNinja will put the IP on the greylist.

The number of minutes an attacking IP is blacklisted, and the number of connections required to trigger the DDoS detection module can be configured on the server on a per-port-basis. So you can set different thresholds for SMTP and IMAP ports, etc.

This image shows how a DoS attack looks on the BitNinja Dashboard. This malicious IP address was targeting the open 80 port of a victim web server.

As I mentioned above, it’s quite hard to catch and block DDoS attacks, but there’s something we shouldn’t forget about: attacker IPs are already part of a botnet in most cases, and BitNinja is very effective in detecting botnets.

BitNinja utilizes the IP reputation module to prevent attacks, and it has over 3 million IP addresses in its’ greylist - at the time of the writing of this article.

A large portion of these IP addresses is infected machines that can be used as part of botnets issuing DDoS attacks.

We’re always looking for ways to implement solutions to keep the hackers away from your servers. For example, when our AI-based Attack Vector Miner service discovers new attack patterns, we’re already looking for a solution to help you block these attacks with BitNinja. When the Hello Peppa botnet emerged, our tech team came up with a WAF rule to keep out these botnets. You can find the details about this attack in our first Hello Peppa article.

BitNinja also uses the Log Analysis module called SenseLog to ban malicious requests. There are typical attack patterns, and when these are discovered, we can write security rules to defend against them. For example, malicious requests often come from really old user agents, e.g. Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0

Stop (D)DoS attacks with BitNinja!

Providing reliable service to your customers is essential if you want to make your business grow. (D)DoS attacks have very visible symptoms, and of course, nobody wants to see their websites down because of such attempts.

Still struggling with (D)DoS attacks? Why don’t you try out BitNinja which will protect your servers in EVERY phase of the attack cycle and not just against this special type of attack? Learn more about the all-in-one BitNinja protection system.

Share your ideas with us about this article

Previous posts

Troubleshooting - Manually or Automated?
Time is a limited resource for all IT teams. They must be quick, effective and focused on the right goals. However, when the house is burning - let’s say hackers infected your servers, often you have to throw your projects away and start fire fighting to prevent further damage. But are you? Shouldn’t a server security software do all this instead of long hours of manual work? Hacked servers = Losing business 87% of unhappy customers won’t complain to you about any problem with their websites or servers. They just stop doing business with you and move on to your competitors. Confrontat...
The Most Famous Vulnerabilities - Cross-Site Scripting (XSS)
It’s been a while since I wrote the previous episode of my blog series. If you are interested in Remote Code Execution, then I definitely recommend reading the previous part. So, here we are again, the moment has come for my final article about cross-site scripting (XSS). What is Cross-Site Scripting (XSS)? Usually, XSS vulnerability occurs when there are untreated inputs and bad cookie usage. So, please let me tell you about a case that happened in 2005 on Myspace. A MySpace user found an XSS vulnerability on the site, and he wrote a payload called „Samy Worm.” This payload was a...