
What is a DDoS Attack?

Much has been written in the technical press lately about “Distributed Denial of Service” attacks. In the limited time I have this evening, I thought I’d pass along what I know about this topic.

A classic “Denial of Service” involves the inability of a website to provide a web page within a reasonable amount of time. For example, say you click on CNN’s website expecting to see the news, but instead of news, you get a blank screen. Or perhaps you get a screen that fills very, very slowly. Like most people, you’ll wait a certain period of time – perhaps ten seconds – and then you’ll give up. Maybe you’ll attempt to refresh the page, but if you are again met with a blank screen, you’ll go somewhere else.

The severity of this problem depends on the type of website. Amazon, for example, would lose a lot of money if potential customers get impatient and click away. They stand to lose revenue the instant their website fails to respond to customers. Ureadit.com, on the other hand … ah … I’d love to have the traffic. :-)

DDoS attacks aren’t the only reason websites occasionally become incapacitated. Surely, there are other reasons websites fail. The problem with DDoS, however, is that the disruption is usually the result of an intentional attack, which is meant to cause harm.

How does DDoS work? The modus operandi of a DDoS attack is an overwhelming amount of traffic that swamps a website’s servers. Websites are designed to withstand a certain “worst case” traffic volume, and when that volume is exceeded, the servers become too busy to provide adequate service to the intended audience. It’s like standing in a large crowded room where everyone shouts at you at the same time. Normally, you can comprehend one or two individuals talking at once, but not an entire room. While humans have enough sense to simply walk away in such circumstances, web servers are not so smart. They will try to service all requests and will quickly become overwhelmed.

The overwhelming traffic comes from a widely distributed source. (Thus the word “Distributed” in DDoS.) During a DDoS attack, web clients over a large area coordinate to swamp a website with traffic. If the attack were not distributed over a large area, the webmaster would easily identify the single source and quickly configure a firewall to block it; however, when the traffic comes from everywhere all at once, the webmaster cannot distinguish between legitimate sources of traffic and those emanating from a nefarious source. Thus, DDoS attacks are very difficult to defend against.
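The point about single versus distributed sources can be shown on the server side with a small log check. This is an added example, not code from the original post: it parses access-log lines in Common Log Format, counts requests per source and in aggregate inside a fixed time window, and shows that a per-source threshold (the kind of check that lets a webmaster spot and firewall one noisy client) catches a single flooding source but says nothing about a distributed flood, which only an aggregate check reveals. The log lines are constructed with documentation IP ranges, and the window and threshold values are assumptions chosen for illustration.

```python
"""Per-source versus aggregate request-rate check over sample access-log lines.

Added example, not from the original post. Log lines are constructed
(documentation IP ranges); window and limits are illustrative assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Common Log Format: ip ident user [timestamp] "request" status size
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
CLF_TS = "%d/%b/%Y:%H:%M:%S %z"


def parse_clf(line):
    """Return (source_ip, timestamp) for a CLF line, or None if it does not parse."""
    m = CLF_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), CLF_TS)


def rate_check(lines, window_seconds=10, per_source_limit=10, aggregate_limit=40):
    """Bucket requests into fixed windows and apply two checks per window.

    per_source_offenders: sources exceeding per_source_limit in one window
                          (the single noisy client a firewall rule can block)
    aggregate_exceeded:   total requests in one window above aggregate_limit
                          (the only signal a distributed flood leaves here)
    """
    events = [e for e in map(parse_clf, lines) if e]
    if not events:
        return {"per_source_offenders": [], "aggregate_exceeded": False, "distinct_sources": 0}
    t0 = min(ts for _, ts in events)
    buckets = defaultdict(Counter)
    for ip, ts in events:
        buckets[int((ts - t0).total_seconds() // window_seconds)][ip] += 1
    offenders, aggregate_exceeded = set(), False
    for counts in buckets.values():
        offenders.update(ip for ip, n in counts.items() if n > per_source_limit)
        if sum(counts.values()) > aggregate_limit:
            aggregate_exceeded = True
    return {
        "per_source_offenders": sorted(offenders),
        "aggregate_exceeded": aggregate_exceeded,
        "distinct_sources": len({ip for ip, _ in events}),
    }


def constructed_log(sources, requests_each, start="10/Oct/2023:13:55:30 +0000"):
    """Constructed sample: each source makes requests_each GETs within one 10 s span."""
    base = datetime.strptime(start, CLF_TS)
    lines = []
    for i, ip in enumerate(sources):
        for k in range(requests_each):
            ts = base + timedelta(seconds=(i + k) % 10)
            lines.append(f'{ip} - - [{ts.strftime(CLF_TS)}] "GET / HTTP/1.1" 200 2326')
    return lines


if __name__ == "__main__":
    # Normal traffic: three visitors, a few requests each; neither check fires.
    print("normal     ", rate_check(constructed_log(["192.0.2.1", "192.0.2.2", "192.0.2.3"], 3)))
    # One source flooding: the per-source check names it, so it can be blocked.
    print("single     ", rate_check(constructed_log(["198.51.100.9"], 50)))
    # Sixty sources, one request each: no per-source offender, only the aggregate fires.
    print("distributed", rate_check(constructed_log([f"203.0.113.{n}" for n in range(1, 61)], 1)))
```

In the distributed case every individual source looks like an ordinary visitor, which is exactly why the webmaster cannot simply write a firewall rule; the server can tell that it is overloaded, but not whom to exclude.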

What is the purpose of such attacks? The reasons can vary, but they usually fall into three categories:
  1. Political – A group of people wish to express displeasure with some company or organization by coordinating their actions and bringing down a website.
  2. Malice – Nefarious individuals may take a stab at immortality by conducting a large DDoS attack and then exercising bragging rights afterwards.
  3. Extortion – One or more criminals may orchestrate an attack in an attempt to extort money from a vulnerable target.

There are three major modes utilized in conducting DDoS attacks.
  1. Planned coordination – typically a politically active group may coordinate among themselves to attack a vulnerable site with which they have a grievance. The interesting thing about these types of attacks is that they are not necessarily illegal; individuals are simply surfing to a website and exercising their freedom to do so. The problem arises when everyone chooses to exercise a specific freedom in a specific way at a specific time.
  2. Malware – Individuals may create a computer worm that burrows into a large number of computers and, at a specifically programmed time, causes each host machine to access a target website.
  3. Botnet – Similar to the malware attack, botnets rely on coordinated attacks from compromised machines. Unlike malware, however, botnets actively take orders from a central command headquarters. The connection is usually not direct, so it may be difficult to trace. Because they can be controlled, botnets are more flexible than malware and can adjust their target to fit the requirements of the attacker. More sophisticated botnets can even adjust their profile dynamically so as to make them difficult for anti-virus software to detect.

Because of the distributed nature of DDoS, it is difficult to detect, and it’s even more difficult to prosecute offenders. Large ISPs continue to search for answers, but it really depends on individuals to help police their own computers.

One of my previous blog postings commented on the use of “netstat” to help you determine if all your network connections are legitimate. Even with netstat, however, it may be difficult to catch a DDoS unless you happen to run it at a time when the associated malware or botnet is active. Nevertheless, it is good to check your PC’s network connections occasionally and look for anything suspicious.
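To make “look for anything suspicious” concrete, here is an added example (not from the original post) that reads the Linux `netstat -tn` layout and raises two kinds of finding: an established connection to a remote port you would not expect your PC to be talking to, and an unusually large number of connections to one remote host. The netstat output is a constructed sample, and the port allow-list and per-host threshold are assumptions you would tune to what your own machine normally does.

```python
"""Review netstat output for connections worth a second look.

Added example, not from the original post. Parses the Linux `netstat -tn`
layout; the sample output is constructed, and the allow-list and threshold
are assumptions to be tuned per machine.
"""
from collections import Counter

# Constructed sample in the `netstat -tn` layout (not a real capture).
NETSTAT_SAMPLE = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.20:49152      203.0.113.5:443         ESTABLISHED
tcp        0      0 192.168.1.20:49153      203.0.113.5:443         ESTABLISHED
tcp        0      0 192.168.1.20:49160      198.51.100.23:6667      ESTABLISHED
tcp        0      0 192.168.1.20:49171      192.0.2.80:80           TIME_WAIT
"""

# Assumption: remote ports this PC is expected to connect to (web, mail, ssh).
EXPECTED_REMOTE_PORTS = {22, 80, 443, 993, 995}


def parse_netstat(text):
    """Return one dict per connection line, skipping banner and header lines."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[0].startswith(("tcp", "udp")):
            continue
        local, remote = parts[3], parts[4]
        state = parts[5] if len(parts) > 5 else ""          # UDP lines carry no state
        rhost, rport = remote.rsplit(":", 1)                 # rsplit keeps IPv6 hosts intact
        conns.append({
            "proto": parts[0],
            "local": local,
            "remote_host": rhost,
            "remote_port": int(rport) if rport.isdigit() else None,  # "*" for wildcards
            "state": state,
        })
    return conns


def review_connections(text, expected_ports=EXPECTED_REMOTE_PORTS, max_per_remote_host=20):
    """Flag established connections to unexpected ports and hosts with too many connections."""
    conns = [c for c in parse_netstat(text) if c["state"] == "ESTABLISHED"]
    findings = []
    for c in conns:
        if c["remote_port"] not in expected_ports:
            findings.append({"kind": "unexpected_port",
                             "remote": f'{c["remote_host"]}:{c["remote_port"]}'})
    per_host = Counter(c["remote_host"] for c in conns)
    for host, n in per_host.items():
        if n > max_per_remote_host:
            findings.append({"kind": "many_connections", "remote": host, "count": n})
    return findings


if __name__ == "__main__":
    for f in review_connections(NETSTAT_SAMPLE):
        print(f)
```

On a real machine you would pipe `netstat -tn` into this script instead of using the constructed sample; a finding is a prompt to check which program owns the connection, not proof of anything on its own, which is why the post's advice is to check occasionally and over time.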

This blog posting doesn’t propose solutions for DDoS attacks. If I had such a solution, I could build a very lucrative business out of it. Meanwhile, individual diligence is the best weapon.

Best,

Dan
