Welcome to Definition Monday, where we define and explain a common technology or security concept for the benefit of our less experienced readers. This week: DDoS Attacks.
A Distributed Denial of Service Attack, often referred to as a DDoS Attack or simply a DDoS, is a more advanced version of a classic Denial of Service (DoS) attack. To explain what it is and how it works, it might be helpful to look at an analogous situation using the telephone network.
Imagine that you have a single phone line for your business, which is used to answer customer questions and take orders. Now imagine that someone has decided to render that phone line useless by calling it over and over again, and then hanging up when the call is answered. The phone is always ringing, but there is nothing useful on the other end. And worse, legitimate customers cannot get through to talk to you. The customer service provided by the phone line is being denied. Hence, denial of service attack.
Something similar is done in the IP world. A publicly accessible web server that provides information and ordering capabilities to your customers can be attacked by a rogue computer. Using a variety of techniques – I won’t get into the nitty-gritty technical details here, both because there are many different attacks and because they require some in-depth networking knowledge to understand – that server can be flooded with traffic that appears to be legitimate but is not. That means that genuine customer traffic is squeezed out; an actual customer cannot place an order, because the web server is inaccessible to him.
A classic DoS like this is pretty easy to mitigate. With the phone example, you would contact your telephone service provider and tell them to block the number that keeps calling you. Similarly, with the IP networking example, you would contact your web hosting provider or, if you’re hosting your own server, your Internet service provider and tell them to block all traffic from the IP address that is flooding your web server. The nefarious traffic, in either case, is blocked before it gets to your phone or your web server, and customers can connect again.
A Distributed Denial of Service Attack, on the other hand, is not so easy to cut off. (Just ask the people at WordPress, who got smacked with one a few days ago.) The “Distributed” part of the name is the important distinction; rather than coming from a single source, this traffic is coming from all directions.
To go back to the phone example, imagine that your business phone is ringing off the hook – but that each call is coming from a completely different area code and phone number. The phone company will have great difficulty blocking the calls, especially since there is no way to do so without also blocking legitimate calls.
In the IP networking world, a DDoS means that the traffic is coming from multiple sources simultaneously. This makes it more difficult to block, as in the phone example, but more importantly it means that the hostile traffic is aggregated. Being attacked by a hundred compromised cable modem clients at 10 Mb/s each means that there is a 1 Gb/s flood of traffic hitting your web server. An average botnet – that is, a centrally controllable group of compromised machines, often used to launch an attack like this – numbers in the tens of thousands to hundreds of thousands of computers. That’s a lot of traffic.
So how do you deal with a DDoS against a business resource? The first thing to do is make sure that you have some idea of the capabilities of your ISP or hosting provider – you should have, in writing, their policy on DDoS mitigation. There are steps that can be taken upstream to block this traffic, but the capability to do so varies by provider and is often closely correlated with price. You also want to make sure that your infrastructure is being properly monitored using an IDS or a SIEM or something similar, so that you are aware when a DDoS begins. And you need to have a backup plan for what happens if your web site or other Internet resource is unavailable for a short period. Maybe taking orders by phone isn’t completely antiquated after all.
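The monitoring step above is where the single-source versus distributed distinction the post draws actually matters in practice: if one address dominates the flood, the provider can block it by address; if the traffic is spread across many sources, you need upstream filtering and your backup plan. The following is an added example, not code from the original post, of a small log-based detector that makes that call. The log format, the address ranges (documentation ranges 203.0.113.0/24 and 192.0.2.0/24) and the `rate_threshold` and `dominance` knobs are all constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from typing import List

# Constructed log format (not from the post): one request per line,
# "<unix_ts> <source_ip> <bytes>", e.g. "1000 203.0.113.5 1200".


@dataclass
class Entry:
    ts: int
    src: str
    nbytes: int


@dataclass
class Verdict:
    kind: str              # "normal", "single-source" or "distributed"
    total_requests: int    # requests seen in the busiest window
    distinct_sources: int  # how many source addresses contributed
    top_source: str        # busiest source (the address to report upstream)
    top_share: float       # fraction of the window's requests from top_source


def parse_log(text: str) -> List[Entry]:
    """Parse the constructed log format, skipping malformed lines."""
    entries: List[Entry] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # ignore blank or truncated lines rather than crash
        try:
            entries.append(Entry(int(parts[0]), parts[1], int(parts[2])))
        except ValueError:
            continue
    return entries


def classify(entries: List[Entry], window_s: int = 10,
             rate_threshold: int = 100, dominance: float = 0.8) -> Verdict:
    """Find the busiest window_s-second window and label it.

    rate_threshold and dominance are illustrative tuning values, not
    numbers from the post. Below rate_threshold requests per window the
    traffic is "normal". Above it, the flood is "single-source" when one
    address carries at least `dominance` of the requests (the classic DoS
    case, which the provider can block by address) and "distributed"
    otherwise (the DDoS case, where blocking one address does not help).
    """
    if not entries:
        return Verdict("normal", 0, 0, "", 0.0)
    # Bucket requests by window. This is the aggregation the post
    # describes: many modest senders add up to one large flood.
    windows = {}
    for e in entries:
        windows.setdefault(e.ts // window_s, []).append(e.src)
    busiest = max(windows.values(), key=len)
    counts = Counter(busiest)
    top_source, top_count = counts.most_common(1)[0]
    total = len(busiest)
    share = top_count / total
    if total < rate_threshold:
        kind = "normal"
    elif share >= dominance:
        kind = "single-source"
    else:
        kind = "distributed"
    return Verdict(kind, total, len(counts), top_source, share)


def make_log(sources: List[str], per_source: int, ts: int = 1000) -> str:
    """Build constructed log text: each source sends per_source requests at ts."""
    return "\n".join(f"{ts} {src} 1200" for src in sources
                     for _ in range(per_source)) + "\n"


if __name__ == "__main__":
    # Constructed scenarios: a quiet server, one dominant sender, many senders.
    quiet = make_log(["203.0.113.5"], 3)
    single = make_log(["203.0.113.5"], 150) + make_log(["203.0.113.9"], 5)
    spread = make_log([f"192.0.2.{i}" for i in range(1, 61)], 3)
    for name, text in (("quiet", quiet), ("single", single), ("spread", spread)):
        print(name, classify(parse_log(text)))
```

In a real deployment the thresholds would be set from a baseline of the server's normal traffic, and the verdict would feed the IDS or SIEM alert rather than a print statement; the point of the example is that the same counting that reveals the flood also tells you whether the "block one address" mitigation from the DoS case is even available.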