Understanding distributed denial-of-service (DDoS) attacks is important to protecting websites, networks, and personal computers. So what exactly are these things, and how do we protect against them? In this article, we will look first at what denial-of-service (DoS) attacks are, then specifically focus on the distributed version, DDoS. Finally, we will look at how to prevent them. (Note that one way to prevent them has been discovered by the Amish apparently – none of their membership has ever experienced a cyber-attack.)
For basic definition purposes and the average Internet user side, I’m drawing from a piece by Mindi McDowell for the United States Computer Emergency Readiness Team (US-CERT). I will then look at further elaboration and advice for businesses from a Riva Richmond article for Entrepreneur and a piece by Sean Leach for IT Security Pro.
Basic Definition – Denial-of-Service (DoS)
A standard DoS attack, per Mindi, involves a cyber-criminal, well, denying service. They can either target PCs or the network of a website to disallow data to flow back and forth properly between the two locations. An attack such as this can occur for any online service – e-mail, websites, or any other interaction between devices involving the Internet or intranets. As Riva Richmond says, these types of attacks can also be “surgical” – going specifically after a certain application on a computer or network.
DoS attacks typically involve a process whereby the perpetrator overloads a network with digital requests. Hammering a network with requests to view URLs on its server can make it impossible for the server to process requests from its real users. In other words, with the server maxed-out because of the cyber-attack, users trying to access the system are then “denied service.” (Wedding receptions and bar mitzvahs have been known to perpetrate these attacks on restaurants.)
Another example of a denial-of-service attack is conducted via spam e-mails. If there is a limit to the amount of data that can be in your e-mail account at any one time, a DoS can shut down your ability to use the account by sending a large quantity of e-mails and/or ones containing a huge amount of information. Similarly to how users are shut out when a website’s network is attacked, those wishing to send you e-mails will be denied service once your account hits its limit.
Finally, per Sean Leach, denial of service can target DNS – so that when someone types in a URL, it does not forward to the correct IP address, i.e. the site does not load.
Basic Definition – Distributed Denial-of-Service (DDoS)
Distributed denial-of-service is spread out across many different IP addresses, making the attack difficult to defend because it seems to be coming from all sides. The perpetrator can use innocent people’s computers to achieve this by taking advantage of any vulnerable points in your system and taking the reins of your device or network. Once control is achieved, the attacker can use your system to send large amounts of data or requests on your behalf, whether URL requests or spam e-mails. As Mindi iterates, “The attack is ‘distributed’ because the attacker is using multiple computers, including yours, to launch the denial-of-service attack.”
Basic Protection of PCs
Keeping PCs safe from being a part of a distribution is one way to battles DDoS attacks. Here are rudimentary security protections:
- Keep anti-virus software updated on all PCs throughout your network (except the one that Jimmy uses, which isn’t technically connected to the network, despite what you’ve told him).
- Make sure a firewall is installed and set to disallow unrestricted free-flow of traffic into and out of the PC.
- Be careful where you give out your email address, since it can be used on either end of a DDoS attack. Make sure your spam is being filtered so you are less likely to be inundated with dangerous mail.
Recognizing a DDoS Attack in Real-Time
Denial-of-service attacks are obviously not an everyday event (at least not for all Internet users). Maintenance on a network or technical glitches are much more likely to disrupt services than is a DoS attack. Nonetheless, the following parameters can give you an initial sense that a DoS or DDoS could be occurring:
- The network becomes extremely slow. It takes a long time to open files or access various pages of the system.
- Difficulty of going to any online locations.
- Difficulty of getting onto a certain website.
- Huge influx of spam or large spam messages.
- Inability to open or get to the files on your PC.
- Computer makes a groaning or sighing sound that suggests it feels used and abused.
What We are Up Against
Sean Leach states that DDoS attacks are growing in number, becoming more complex, and diversifying their targets. He cites a 2011 VeriSign report in which 63% of those surveyed said they had been a victim of an attack that year, with 51% losing revenue due to the invasion. Protecting against them involves various tiers of protections – in data centers, and, if applicable, in the cloud (such as a foghorn). Note that Sean believes “the cloud approach will help businesses trim operational costs while hardening their defences [sic] to thwart even the largest and most complex attacks.”
Part of the reason these attacks have become so popular is that they are working, for the perpetrators. A better stance against them continues to be a challenge to achieve but necessary to properly maintain a company’s IT infrastructure.
DDoS – Deeper Understanding
In 2002, the largest DDoS attack was 2 GB per second. Now there are attacks on record as large as 100 GB. The average website has a bandwidth of about 1 GB. As you can see, these attacks are, in a word, overwhelming – infrastructurally, financially, and emotionally.
DDoS’s are implemented via a botnet, basically an army of hijacked PCs. How do computers become bots? They pick up a virus or other malware by visiting a website or opening an e-mail that is contaminated. The overall botnet is controlled by a central computer operated by the perpetrator that issues attack details to the “army” of PCs. Per Sean, the prevalence of social media and general increased usage of the Web has “helped provide the perfect environment for DDoS attacks to grow both in size and complexity.”
An example of an attack would be having a thousand or a million different bots all click on an “Add to Cart” button at the same time. This kind of activity would max out the bandwidth of the site so that no real shoppers would be able to complete transactions. (It’s kind of like when all of these posers are swarming Colin Farrell to get his autograph, when clearly you’re the only one who understands how to love him – wholeheartedly.)
Case Study — Growthink
Riva Richmond teaches us about DDoS attacks by example. Growthink, a company based in LA that does business development, content, and consultation, was a victim of a DDoS attack two years ago. Since they are a small company, the attack caught them off-guard, but their experience can be helpful to assist other companies in avoiding threats moving forward.
In September 2011, the company’s network suddenly started getting deluged with an unexpected influx of traffic, knocking the site off-line for days. When the company contacted its host, the site was quarantined to protect other companies using the service. Growthink ended up hiring a security company specializing in denial-of-service, BlockDos, which was able to identify the negative traffic that was a part of the attack and siphon it off. This is essentially the crux for fighting DDoS: How does a site filter the traffic – which shoppers are legit, and which ones should be disregarded?
Growthink, as you can imagine, switched its hosting provider as soon as the attack was under control – but some damage was already done. The firm estimates its losses due to the event at $50,000.
Growthink is still unsure who went after them. Riva explains that businesses with a heavy reliance on e-commerce or that are generally reliant on the Internet for revenue are most often targeted. Small companies tend to be the victims of “unscrupulous competitors and extortionists, although disgruntled former employees, vandals and ‘hacktivists’ … are also known culprits.” (Disgruntled former employees would include Jimmy, a year from now.)
The General Climate – Denial of Service on the Rise
Riva cites CloudFlare, a security and Internet performance company, as saying it witnessed a 700% rise in DDoS traffic during 2012. Small companies are becoming more likely targets because it is now less expensive to perform the attacks and sizable enterprises have become more adept at thwarting them. Regarding cost, security company Incapsula says it is possible to rent a botnet containing a thousand PCs for $400 per week.
How to Protect Your Company
Here are several steps you can take to protect yourself from DDoS attacks:
1. Find a quality hosting service that won’t let you down.
If you’re in a shared hosting environment, you may experience the same problem that occurred with Growthink. Their website was on a shared server with various other companies. When the attack hit, the hosting company chose to mitigate the overall damage rather than ensuring Growthink received the best possible service.
Make sure you understand what your hosting company will do if an attack occurs. Read your contract. Will they help you defend yourself, and will there be an additional cost? Additionally, will you potentially have to pay for the excess traffic and its effect on your bandwidth usage, even though it was illegitimate (kind of like child support laws)?
2. Add protection against DDoS.
If you need something beyond what your current hosting company offers, check out the offerings of CloudFlare – different levels of protection ranging from $0-$200/month, Incapsula, and Prolexic, the last of which is specifically focused on security against and recovery from these types of attacks.
3. Make wise choices with your software.
Be sure you always have the most updated versions of your CMS, shopping cart, and other plug-ins running. DDoS attacks that target applications can exploit weaknesses of older versions. Businesses might want to look for companies (such as Radware or those similar to them) that can provide security services that can provide hybrid DDoS protection solutions that can be tailored to their needs and threat profile. Additionally, CloudFlare CEO Matthew Prince, per Riva, recommends nginx servers – he believes the software is well-designed to withstand denial of service assaults.
DDoS attacks, unfortunately, aren’t going anywhere. Internet security professionals are learning from them, though. By taking advantage of their expertise, and by working with your hosting company to find the best possible solutions, you can make sure that you are as protected as possible against these persistent threats to online functionality.
by Kent Roberts and Richard Norwood