Episode 65 — Handle DoS and On-Path Attacks: Availability, Trust, and Defensive Controls
In this episode, we’re going to tackle two attack families that beginners often think of as totally different, even though they both target something your database needs in order to be useful: reliable communication. A denial of service attack tries to make a system unavailable, meaning it cannot respond to legitimate requests in a reasonable way, while an on-path attack tries to interfere with communication in a way that breaks trust, meaning the right parties may not be sure who they are talking to or whether messages have been changed. Data systems are especially sensitive to both problems because databases are built to serve many requests, coordinate shared state, and keep transactions consistent, and that work becomes fragile when resources are exhausted or traffic is manipulated. The goal here is not to turn you into a network engineer, but to give you a clean mental model of how these attacks work at a high level and what kinds of defensive controls reduce risk. When you understand the mechanics, you can connect symptoms like slowness, timeouts, and strange connection behavior to real causes instead of guessing. By the end, you should be able to explain availability and trust as security goals, describe how DoS and on-path attacks threaten those goals, and describe layered defenses that a data environment can use.
Before we continue, a quick note: this audio course is a companion to our course companion books. The first book is about the exam and provides detailed information on how to pass it best. The second book is a Kindle-only eBook that contains 1,000 flashcards that can be used on your mobile device or Kindle. Check them both out at Cyber Author dot me, in the Bare Metal Study Guides Series.
Availability is one of the three classic security goals along with confidentiality and integrity, and it simply means the system is usable when it is needed. For a database, availability is not just whether the server is powered on, it is whether it can accept connections, run queries, and return correct results within an expected time. A system that responds so slowly that users give up is effectively unavailable, even if it never fully crashes. Beginners sometimes treat downtime as an operations problem rather than a security problem, but attackers often choose availability attacks because they can cause immediate business disruption without needing to steal data. Availability also matters because outages create chaos, and chaos is when other security mistakes happen, like bypassing controls to restore service quickly. When a database is unavailable, applications may fail, transactions may be lost, and recovery processes may stress the system further. Thinking of availability as a security objective helps you see why planning and layered controls are part of cybersecurity, not separate from it.
A denial of service attack is any action that intentionally reduces availability by consuming resources or disrupting the ability to process legitimate requests. The resources might be network bandwidth, connection slots, memory, compute, storage I O, or even a shared lock inside a database engine. DoS can be simple, like flooding a service with requests, or subtle, like crafting requests that are expensive to process so the system spends most of its time doing heavy work. Distributed Denial of Service (D D O S) refers to the same idea but launched from many sources at once, which makes it harder to block by filtering a single address. For beginners, the key idea is that DoS does not require breaking into the system; it only requires pushing the system beyond its capacity. Capacity is not infinite, and every database has limits on how many connections, how many concurrent queries, and how much work it can do per second. Attackers exploit that reality by turning normal-looking requests into overwhelming volume or overwhelming cost.
Databases are vulnerable to DoS in ways that go beyond raw network traffic because the database is doing real computation and coordination. A single query can be lightweight or it can be extremely heavy, depending on what it asks for and how the database executes it. If an attacker can trigger expensive queries repeatedly, they may cause CPU spikes, memory pressure, and disk thrashing that slows everything else down. Even without direct database access, an attacker can sometimes overwhelm the application tier, which then overloads the database with retries and connection churn. Connection exhaustion is another common pattern, where too many connection attempts fill the available slots and block legitimate users from connecting. There can also be lock contention issues, where certain operations cause many sessions to wait on shared locks, creating a traffic jam inside the engine. Beginners sometimes think DoS is only about lots of traffic, but in data systems it is often about forcing inefficient work. Recognizing that helps you understand why query controls and resource limits are part of defense.
Now let’s define on-path attacks, because the term is deliberately descriptive. An on-path attacker is positioned so they can observe, block, or modify traffic as it moves between two communicating parties, such as an application and a database. The attacker might be on the same local network, might control a router, might be in a compromised Wi-Fi environment, or might have compromised a system that forwards traffic. The key is that the attacker does not have to be at the endpoints to interfere; they only need to be in the path the traffic travels. This is different from a simple eavesdropper who only listens, because an on-path attacker can also change messages, inject new messages, or selectively drop messages. That capability threatens trust, because the endpoints may believe they are communicating normally when the conversation has been altered. For databases, trust is crucial because queries and results must remain authentic and unmodified, and credentials must not be exposed. If trust breaks, the database might accept a fake request or a user might receive fake results, both of which can cause severe harm.
A beginner-friendly way to think about trust in networking is to ask two questions: are we sure who we are talking to, and are we sure the message arrived unchanged. When those answers are not guaranteed, an attacker can exploit confusion. For example, if credentials travel in a way that can be captured, the attacker might replay them later to authenticate as a legitimate user. If query results can be modified, the attacker might change what an application sees, which can lead to incorrect decisions or corrupted downstream data. If the attacker can redirect traffic, they might send users to a malicious endpoint that looks like the real database service. Even without stealing data, an attacker can disrupt operations by causing intermittent failures, dropped packets, or delayed responses that look like random network glitches. Those symptoms can waste hours of troubleshooting time and may hide more serious manipulation. Trust in communication is therefore a security property that supports both correct operation and confident investigation when something goes wrong.
It helps to connect these two attack families by noticing their overlap in real-world symptoms. Both DoS and on-path attacks can produce timeouts, slow queries, connection resets, and unexplained errors. The difference is often in intent and pattern: DoS aims to overwhelm, so you may see volume spikes and resource saturation, while on-path interference aims to manipulate or observe, so you may see strange routing, mismatched certificates, or unusual negotiation behavior. Beginners sometimes assume every outage is a DoS, or that every strange network error is a random glitch, but building a disciplined mindset means you look at evidence. Evidence can include whether traffic volume increased, whether the same request suddenly takes longer, whether failures correlate with certain network segments, and whether authentication anomalies are present. In data systems, the clearest evidence often comes from combined logs, such as database connection logs alongside network telemetry and application error rates. While you do not need to know the tools, you do need to know that multi-layer visibility is how you separate overload from interference. That habit is part of handling these attacks effectively.
Defensive controls for DoS start with the idea of reducing exposure and distributing load so a single choke point cannot be overwhelmed easily. At the network edge, filtering and rate limiting can block obvious floods and limit how many requests a source can make within a time window. In front of database services, you can also use gateways or proxies that absorb connection churn and protect the database from being directly hammered. Within the database environment, resource governance matters, meaning you can limit how much CPU, memory, or concurrency certain workloads can consume. Query timeouts and limits can prevent a single expensive request from running forever and starving other work. Connection pooling in applications can reduce repeated connection creation, which lowers overhead and makes capacity more predictable. Another important control is capacity planning, because a system with no headroom is vulnerable to even small spikes, whether malicious or accidental. The beginner lesson is that DoS defense is not a single switch, it is a set of controls that shape demand, protect critical resources, and keep the system responsive under stress.
Defensive controls for on-path attacks focus on protecting communication so that even if traffic is observed, it is not readable, and even if traffic is modified, the modification is detected and rejected. Encryption for data in transit is central here, and it is most often implemented with Transport Layer Security (T L S), which provides confidentiality and integrity for network sessions. The key beginner idea is that encryption is not only about hiding content, it is also about ensuring messages are not quietly altered. Authentication of endpoints is also essential, because the client needs confidence it is talking to the real server and not an impostor. When endpoint authentication is weak, attackers can redirect traffic to a fake service and capture credentials or feed back malicious responses. Another control is network segmentation and secure routing, because limiting who can be on the path reduces the chance an attacker can position themselves between the endpoints. Monitoring for anomalies, such as unexpected certificate changes, unusual connection renegotiations, or traffic that suddenly routes through unexpected places, helps detect on-path behavior early. The overarching goal is to make the path untrustworthy by default and then add cryptographic trust that does not depend on the path being honest.
Handling these attacks also involves operational readiness, because defenders need to act quickly and confidently during disruption. For DoS, response often includes identifying whether the problem is volume-based or resource-cost-based, then applying rate limits or blocking sources while scaling capacity or shifting traffic. For on-path suspicion, response includes validating endpoint identity, checking whether encryption is enforced, and verifying whether routing and network devices are behaving as expected. Beginners should understand that a rushed response can create secondary failures, such as blocking legitimate users or disabling encryption to get things working temporarily, which can invite further compromise. Good environments prepare by defining what normal traffic looks like, where the critical bottlenecks are, and who is responsible for each part of the response. They also practice escalation paths so the right teams can coordinate, because availability events are cross-layer problems that touch network, application, database, and sometimes third-party services. Even without advanced tooling, the principle is that preparation reduces panic, and reduced panic reduces mistakes. Handling is therefore not only technical controls, it is controlled decision-making under pressure.
A key concept that ties back to trust is that availability attacks can sometimes be used as cover for other actions. When systems are overloaded, logs may be noisy, monitoring may be delayed, and teams may focus on restoring service rather than watching for suspicious access. An attacker may use a DoS event to distract responders while attempting credential theft, data extraction, or configuration changes elsewhere. Similarly, an on-path attacker might selectively degrade availability in ways that push users into unsafe behavior, like repeatedly retrying logins or switching to less secure access methods. Beginners can think of this as steering behavior, where frustration causes shortcuts. This is why layered controls matter, because you want to preserve both availability and safe operation during stress. Maintaining strong authentication, maintaining encryption, and maintaining clear access boundaries should remain priorities even during outages. The goal is to restore service without expanding the attack surface, which is a mindset that separates mature handling from reactive scrambling.
To bring this back to what you should be able to explain clearly, DoS is about exhausting resources so legitimate work cannot get done, and on-path attacks are about interfering with communication so endpoints cannot fully trust what they see. In database environments, DoS can show up as connection exhaustion, heavy query storms, or internal contention that slows everything down. On-path interference can show up as credential exposure risk, altered results risk, or weird connection behavior that suggests traffic is being observed or manipulated. Defensive controls for DoS include reducing exposure, shaping traffic with rate limits, protecting the database with buffering layers, and governing resource usage so one workload cannot starve everything else. Defensive controls for on-path interference include encrypting traffic, verifying endpoints, limiting who can sit on the path through segmentation, and monitoring for anomalies that suggest tampering or redirection. When you combine these controls with readiness and disciplined response, you protect both the availability of data services and the trustworthiness of the data moving through them. That is the real point of handling these attacks: keep systems usable, keep communication authentic, and keep recovery from becoming a new vulnerability.
