The term “DDoS” can strike terror in the hearts of network operators, web site owners, gamers, educators, or anyone who relies on Internet service – which today means just about everyone. “DDoS” – pronounced “dee-doss” – stands for Distributed Denial of Service. It refers to a type of Internet attack where the attacker uses many hundreds or thousands of computers (the “distributed” part) to target a single system, with the goal of denying the target’s ability to use the Internet (the “denial of service” part).
Unlike the lone hacker using a laptop to break in to a system, a DDoS consists of a very large number of computers that have been tricked into spreading an attack. If a single piece of junk mail to your mailbox is the equivalent of a regular internet attack, then a DDoS would be one million people from all over the world, each sending one junk letter to your mailbox. The result is a mailbox overflowing with a million letters, with the real letters hopelessly lost in the pile. Similarly, the result of a successful DDoS is an overflowing Internet connection, with communication hopelessly snarled.
Most people don’t own a million computers, so how can this sort of attack be possible? It turns out that criminals hijack other people’s computers into attacking. They can do this by using tools like botnets and reflectors. A botnet (meaning a “network of robots”) is a network of infected computers numbering in the hundreds of thousands or millions, where each bot is connected to a central “command-and-control” server operated by a criminal. Each bot is typically someone’s personal computer that has been infected by malware, perhaps when the user clicked on a link in a suspicious email.
When the criminal wants to perform a DDoS attack, he or she might simply direct the entire botnet to open a connection to the target. Today, a would-be criminal can even buy a DDoS attack over the web, using a credit card. The sheer volume of network traffic coming from the botnet members can easily overwhelm the Internet connection, the firewall, and other services needed by users.
Reflectors are another source of DDoS. A “reflector” is simply any system that will automatically reply to any message it receives over the Internet. Many Internet services run as reflectors by default – Web servers, Domain Name Service (DNS) servers, network time protocol (NTP) servers are just a few examples. By sending specially constructed messages to misconfigured systems, an attacker can force a reflector to send a message almost anywhere on the Internet. Again, the result is the same – messages from reflectors “clog the Internet pipe.”
Why would anyone perpetrate a DDoS attack? The Internet pervades human life and institutions. Someone wishing to attack an institution, or a group, or a message might choose to do so using the Internet as their weapon. DDoS attacks range in nature from political to commercial to social. The desire to win at online gaming can even lead players to try to DDoS their competitors. Whatever the reasons, these attacks are a growing threat to Internet operations.
This is not to say that the fight against DDoS is lost. In fact, there is an emerging set of best practices and tools that network service providers like OARnet and its partners are implementing to protect our networks from attacks including distributed denial of service. In a future post, I’ll discuss what measures network users and operators can take to protect themselves from DDoS disruption.
Until then, make sure you keep updated on cyber security as well as everything happening at OARnet by following us on Twitter at @OARnet, Facebook and LinkedIn.