Every time you log in to a website, stream a video or fill in an online form, your device is talking to a server across a network. Most of that traffic is friendly — but some of it is sent by attackers trying to break in, steal data, or knock a service offline. To keep systems safe you first have to understand how these attacks work, so you can spot them and defend against them.
This page looks at three of the classics you need for GCSE: the brute-force attack, the denial-of-service (DoS/DDoS) attack, and SQL injection. For each one we cover the idea — what the attacker is trying to do — and the defence that stops it. We are learning the locks and the burglar-proofing, not how to be a burglar: there are no working attack recipes here, only the concepts and how to shut them down.
A brute-force attack is the least clever attack of all: the attacker simply
guesses passwords over and over, trying combination after combination until
one works. A computer can test thousands of guesses per second, so a short or common password
(1234, password, your pet's name) can fall almost instantly.
The picture below shows the idea: an attacker's program churns through a list of guesses. If the real password is in that list, the door opens. Step through it:
The single most powerful defence is a long password from a big alphabet. Each
extra character multiplies the number of possibilities the attacker must try. If your alphabet
has
Because
The other defences all attack the speed of guessing rather than the number of combinations:
A denial-of-service attack doesn't try to break in at all — it tries to make a service unavailable to everyone else. The attacker floods the server with so much fake traffic that it has no capacity left to answer real users. Imagine one till at a shop and a hundred people crowding the counter just to ask the time — genuine customers can never reach the front.
A DDoS (Distributed Denial-of-Service) is the same idea but the flood comes from thousands of computers at once — often ordinary machines hijacked by malware to form a botnet. Because the traffic arrives from many different places, it is much harder to block. The diagram shows many attacking machines all aiming at one server:
The hard part is telling a real visitor from a fake one. A single attacking machine is easy to block — but in a DDoS the requests come from thousands of scattered, ordinary-looking devices, each sending a modest amount. Every individual request looks almost legitimate, so a filter that's too aggressive would also lock out genuine users. Defence is a constant balancing act between blocking the flood and letting real people through.
Many websites store their data in a database, and they fetch it using a language called SQL. When you type into a login box or search field, the website builds an SQL query from what you typed. An SQL injection attack happens when a site trusts your input too much: the attacker types in cleverly crafted text so that part of their input is treated not as ordinary data but as part of the query itself — potentially reading, changing or deleting data they should never see.
The root cause is always the same: user input got mixed up with the command. Here's a deliberately unsafe pattern (shown so you can recognise the danger — never write code like this):
The fix is to never build a query by gluing text together. Instead, use a parameterised query (also called a prepared statement), where the user's input is handed to the database separately and can only ever be treated as a value, never as a command:
Notice the common thread. A brute-force attack abuses the fact that guessing is allowed — so we limit the guessing and make passwords long. A DoS abuses the fact that the server answers everyone — so we filter and rate-limit the traffic. SQL injection abuses the fact that input is trusted — so we never let input become code. Each attack exploits a different kind of over-trust, and each defence is about trusting less and checking more.
We explain how these attacks work for one reason only: so you can defend against
them. Two ideas do most of the heavy lifting. First,
SQL injection is beaten by never trusting user input — always validate or
escape it, and use parameterised queries so a user's text can never turn into a command.
Second, long passwords make brute-force impractical: because the number of
combinations is