DDoS In Depth
What Is DDoS?
DDoS stands for ‘Distributed Denial of Service’. ‘Distributed’ because the attack seems to come at you from all over the internet and you can’t tell where it originated.
‘Denial of Service’ because the huge wave of traffic that attacks your service blocks legitimate traffic from your customers and prevents them accessing your resources.
Historically, DDoS attacks used “Botnets” of thousands, often hundreds of thousands of compromised desktop machines which, unknown to their legal owners, could be ordered to send nuisance traffic to a particular target by a “BotMaster”. Botnets are assembled by compromising desktop machines with malware which waits for the BotMaster’s commands.
Botnet DDoS attacks typically tried to send enough traffic to the target service that it overwhelmed the equipment at the customer premise. The equipment might be webservers, firewalls, or routers which were just not designed to handle the high packet or traffic load delivered by the BotNet. This is as if you owned a restaurant which was suddenly filled up by people who took up all the seats and then, when asked for their order, said they’d merely like a glass of water. Your legitimate diners could not sit down because all the seats were taken up with freeloaders!
The question “What is DDoS?” has acquired a new answer in the last 18 months. While all the traditional BotNet attacks still work, a newer and more devastating form of attack has arisen. These attacks, usually executed by groups with political agendas, no longer rely on 100,000 PC BotNets but instead use a few thousand commercial servers to execute their attacks. The attackers have discovered that commercial servers are usually attached to high bandwidth (1Gbps or 10Gbps) connections and therefore it doesn’t take many servers to deliver 50Gbps to 100 Gbps of attack traffic. Since most organizations don’t have 50 Gbps of Internet Connectivity, an attack of this size floods the Internet Access pipe and makes it impossible for legitimate traffic to even reach your location! To return to the restaurant analogy this is the equivalent of having thousands of people jam into the street in front of your restaurant. Even if you’re good at rousting freeloaders out of their seats, your legitimate diners can’t even get on the street to reach your front door!
Originally DDoS attacks were used by computer savvy kids for ‘kicks’, but they quickly evolved into a flexible extortion tool used by mobsters, and more recently a tool of protest for politically motivated “hacktivists.” Today, nation states with deep financial resources have embraced DDoS as a weapon of international warfare.
As the perpetrators of these DDoS attacks have grown, so too has the scale and sophistication of DDoS attack techniques. In some cases, DDoS attacks are so large that they can consume many times the bandwidth of the largest global companies. In others, DDoS attack perpetrators precisely throttle the volume of the attack to avoid triggering the target’s defense systems, yet building up a CPU backlog that eventually compromises the experience for legitimate users. The ease of access to sophisticated DDoS attack tools has advanced to a level where a botnet than can do millions of dollars of damage within minutes, can be rented for as little as $7 per hour.
This convergence of factors has created a perfect storm for ever increasing and damaging DDoS attacks. As we previously noted, the answer to the question ‘what is DDoS’ has changed in the last couple of years. DDoS attacks that once aimed 100,000 compromised PCs at a target, can now do many times as much damage with just a few thousand compromised commercial servers. One Megabit per second attacks a decade ago have increased to a new average of 48 Gigabit per second in Q1 2013, the equivalent of streaming 23,000 simultaneous Netflix movies, and DDoS attack volumes will continue to increase.
The impacts are significant. As bank and ecommerce websites go down, customers lose confidence in entrusting their savings or credit cards with these institutions. Companies lose customers, revenue, reputation and market share. The future answer to ‘what is DDoS’ could well be that attacks will be even more crippling, threatening even the stability of a country as large as the U.S. For example: a massive coordinated attack could simultaneously overwhelm all of the largest players in the U.S. financial system, creating a financial panic. Or DDoS attackers could build a botnet on “the internet of things” with billions of everyday devices (refrigerators, sprinkler control systems, etc.) that are increasingly being connected to the Internet. Those DDoS attacks could be aimed at disrupting infrastructure, such as power utilities and air traffic control.
For the historical answer to the question ‘What is DDoS’ see our DDoS Timeline page. If your question ‘What is DDoS’ morphs into the need for help to stop an attack, see our section How to Stop a DDoS Attack which includes details of do-it-yourself and commercial solutions.