We hear the term “DDOS”, or Distributed Denial of Service attack, with astonishing and frightening regularity. We’ve seen major banks, government websites (including the CIA), news sites, and many more fall to this technical-sounding attack. We know that the site gets taken down, but what’s happening to make that occur? And why is it so hard for these sites to avoid and recover from this problem?
Denial of Service (DOS) Attacks
Since the 1990s, researchers and bad guys have been finding ways to perpetrate so-called “denial of service” attacks. These are attacks whose only goal is to make a service, generally a network-based one, unavailable to the people who are supposed to use it.
The attacker takes advantage of some intrinsic flaw or weakness in a service to make it consume system resources (memory, connection slots, file handles, CPU time) until it can no longer respond to requests. One class of flaw is a resource leak: a bug that acquires a resource for each request and never returns it to the system after the operation completes, so every request ever received keeps costing something. Another is allowing users to make requests that are far more expensive to serve than they are to send, for example one or more large, long-running queries.
It’s difficult for programmers to think through all the possible ways a network-based service may be used. It’s even more difficult to lock them down so that no single user can consume too many system resources. It’s more difficult still to ensure that a service is sufficiently scalable to both meet the needs of legitimate users and fend off attackers. However, this is what must be done to harden a service against a DOS attack.
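To make the two flaw classes above concrete, here is an added example written for this article (it is not code from the original post, from JumpCloud, or from any real server): a toy server with a half-open-request leak and uncapped query cost, beside a hardened version that bounds both. Every limit, client name and request count in it is invented.

```python
"""Two resource-exhaustion weaknesses beside their hardened forms.

Added illustration written for this article, not code from any real server
or from JumpCloud. NaiveServer keeps per-request state it never releases and
does client-chosen amounts of work; HardenedServer bounds both. Every limit,
client name and request count below is made up."""
from collections import OrderedDict


class NaiveServer:
    """Server with the two flaws described above."""

    def __init__(self):
        self.pending = {}  # request id -> client, freed only by finish()

    def begin(self, req_id, client):
        # Flaw 1 (resource leak): state is allocated per request and released
        # only when the client completes the exchange, which an attacker never does.
        self.pending[req_id] = client

    def finish(self, req_id):
        self.pending.pop(req_id, None)

    def query(self, client, rows):
        # Flaw 2 (unbounded cost): work grows with a number the client chooses.
        return rows  # cost units the server would spend on this query


class HardenedServer:
    """Same interface, with bounded state and bounded, budgeted work."""

    MAX_PENDING = 100       # cap on half-open requests held in memory
    MAX_ROWS = 1_000        # cap on the work a single query may demand
    CLIENT_BUDGET = 5_000   # cost units one client may consume in total

    def __init__(self):
        self.pending = OrderedDict()   # insertion order lets us evict the oldest
        self.spent = {}                # client -> cost units used so far

    def begin(self, req_id, client):
        # Never grow past the cap: drop the oldest half-open request instead.
        while len(self.pending) >= self.MAX_PENDING:
            self.pending.popitem(last=False)
        self.pending[req_id] = client

    def finish(self, req_id):
        self.pending.pop(req_id, None)

    def query(self, client, rows):
        if rows > self.MAX_ROWS:
            raise ValueError(f"query of {rows} rows exceeds cap {self.MAX_ROWS}")
        used = self.spent.get(client, 0)
        if used + rows > self.CLIENT_BUDGET:
            raise PermissionError(f"{client} exhausted its budget")
        self.spent[client] = used + rows
        return rows


def simulate_attack(server, attacker="203.0.113.9", half_open=10_000, rows=10**9):
    """Open many requests without finishing them, then ask for one huge query.
    Returns (half-open entries retained, cost units spent, query rejected?)."""
    for i in range(half_open):
        server.begin(f"req-{i}", attacker)   # finish() is never called
    try:
        cost, rejected = server.query(attacker, rows), False
    except (ValueError, PermissionError):
        cost, rejected = 0, True
    return len(server.pending), cost, rejected


if __name__ == "__main__":
    print("naive:   ", simulate_attack(NaiveServer()))      # (10000, 1000000000, False)
    print("hardened:", simulate_attack(HardenedServer()))   # (100, 0, True)
```

The hardened server still has a weakness worth noticing: its cap on half-open requests is global, so an attacker who fills the table can evict legitimate clients' pending requests. Bounding the table per client (and per source network) is the usual next step, and it is exactly the per-user limit the paragraph above says is so hard to get right everywhere.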
A DOS attack from a single source can be stopped relatively easily. Since it comes from one location on the Internet (one source IP address), it can be blocked by a firewall without much effort: you block the address at your firewall and continue with your day. Two caveats apply. The attacker must not be spoofing the source address, and the attack must not already be saturating your network link, because a firewall rule on your side of the link does nothing for bandwidth that has already been consumed before the packets reach it.
Distributed Denial of Service (DDOS) Attacks
Unfortunately, in the early 2000s, attackers came up with the idea that it would be much more difficult to stop an attack that:
- Came from many changing directions (source IP addresses) at once
- Looked like normal user requests
While early DOS attacks generally exploited some rather esoteric requests to servers to cause resource consumption, attackers realized that if a defender couldn’t easily distinguish between legitimate and illegitimate IPs, or between acceptable and unacceptable requests, it would be very difficult for anyone to stop the attack.
Carrying Out A DDOS Attack
Attackers today generally rely on a large number of compromised hosts on the Internet to carry out a DDOS attack. Known as a botnet, these are computers compromised through multiple attacks, like viruses, drive-by downloads, and phishing attacks designed to install illicit control code on a computer. The computers vary from home computers, to phones, tablets, and servers. Once an attacker’s code is installed on your computer, the attacker can control it without your knowledge.
Hundreds of thousands of compromised hosts are then commanded by the hacker to make large numbers of successive requests against your website. It’s difficult to isolate them from your real website traffic because these hosts are spread across the Internet. It’s also hard to tell good traffic from bad since they often make requests that any other client would make.
As a result, a DDOS can be incredibly difficult to stop. So much so that some websites have little choice but to throw enough hardware at the problem that they can withstand the load of DDOS attacks while they continue their daily business.
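The difference between the single-source case, which a firewall can handle, and the distributed case described here is easy to see in access logs. The following is an added example written for this article, not code from the original post or from any product named in it: a per-IP rate check of the kind a firewall or web-server rate limiter performs, run over two constructed log sets. The log lines are generated by make_log() rather than captured, the addresses come from the RFC 5737 documentation ranges, and the thresholds are arbitrary.

```python
"""Per-source rate limiting against a single-source flood and a distributed one.

Added illustration for this article, not code from the original post or from
any product named in it. The access-log lines are constructed with make_log(),
not captured traffic; the addresses come from the RFC 5737 documentation
ranges and the thresholds are arbitrary."""
import re
from collections import Counter

# Apache/nginx "common log format": ip ident user [timestamp] "request" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \S+$')

PER_IP_LIMIT = 20    # requests per second from one address before blocking it
TOTAL_LIMIT = 500    # requests per second in aggregate before calling it a flood


def make_log(sources, seconds, per_second):
    """Constructed log: every address in `sources` sends `per_second`
    identical GET / requests in each of `seconds` consecutive seconds."""
    lines = []
    for s in range(seconds):
        ts = f"10/Oct/2014:13:55:{s:02d} +0000"
        for ip in sources:
            lines.extend(f'{ip} - - [{ts}] "GET / HTTP/1.1" 200 512'
                         for _ in range(per_second))
    return lines


def parse(line):
    """Return (source ip, timestamp truncated to the second), or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts = m.groups()
    return ip, ts.split()[0]          # drop the timezone offset


def per_source_offenders(lines, limit=PER_IP_LIMIT):
    """Addresses that exceeded `limit` requests in any single second.
    This is the signal a firewall or per-IP rate limiter can act on."""
    hits = Counter(p for p in map(parse, lines) if p)
    return sorted({ip for (ip, _), n in hits.items() if n > limit})


def peak_total_rate(lines):
    """Highest aggregate request count seen in any one second."""
    per_second = Counter(p[1] for p in map(parse, lines) if p)
    return max(per_second.values()) if per_second else 0


def analyze(lines):
    offenders = per_source_offenders(lines)
    peak = peak_total_rate(lines)
    return {"blockable_sources": offenders,
            "peak_rps": peak,
            "flood_without_blockable_source": peak > TOTAL_LIMIT and not offenders}


LEGIT = [f"192.0.2.{i}" for i in range(1, 21)]           # 20 real users, 1 req/s each
BOTNET = [f"198.51.100.{i}" for i in range(1, 201)]      # 200 bots, 3 req/s each
LONE_ATTACKER = ["203.0.113.9"]                          # one host, 200 req/s


def single_source_flood():
    return make_log(LEGIT, 5, 1) + make_log(LONE_ATTACKER, 5, 200)


def distributed_flood():
    return make_log(LEGIT, 5, 1) + make_log(BOTNET, 5, 3)


if __name__ == "__main__":
    print("single source:", analyze(single_source_flood()))
    print("distributed:  ", analyze(distributed_flood()))
```

In the single-source log the attacker stands out at 200 requests per second and can be blocked by address. In the distributed log the aggregate rate is three times higher, yet every bot sends only 3 requests per second, the same GET / a browser would send, so the per-IP check finds nothing to block even though the total is clearly a flood. That gap is what the rest of this article is about.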
What Can I Do About It?
The solution to a DDOS most often involves one of the following:
- Adding enough processing capacity to withstand the deluge of requests while still processing legitimate traffic.
- Blocking the requests if they can be distinguished from other web traffic.
Adding capacity may mean adding more servers to shoulder the processing load, increasing the network capacity to your servers, or putting a service designed to absorb and filter DDOS traffic, for example CloudFlare, in front of them. Enterprise-level ISPs, such as Verizon Business, sell DDOS protection services, but they don’t come cheap.
Because the attack is decentralized, attackers can sometimes saturate the network links to your server. When this happens, you’re stuck. Even if you had the processing capability to serve other requests, you have no network bandwidth on which to conduct transactions. To solve this issue, you can do one or more of the following:
- Ask your upstream Internet provider to block the traffic before it can reach their network – this keeps your network pipes clear of the majority of bad traffic, so your servers can keep up with the load. This is only possible when you can distinguish real traffic from the attack traffic. As I mentioned above, this has become very difficult to do.
- Purchase very large network pipes – and increase your server capacity to handle the increased load
- Decentralize your server infrastructure – perhaps through the use of a Content Delivery Network (CDN) like Akamai or CloudFlare
Since websites are the new storefront, DDOS mitigation is unfortunately becoming almost a normal cost of doing business on the Internet. DDOS attacks are expensive to recover from. And they can generate bad press quickly because your services can be shut down for hours or days at a time while you put in place the necessary infrastructure.
Taking Steps To Prevent Breaches
Here at JumpCloud, we encourage companies not only to take the necessary steps to prevent breaches from happening, but also to be prepared to detect breaches quickly and respond to them effectively. Our Directory-as-a-Service platform is a complement to other security approaches, including anti-DDOS technology.