
Not too long ago, one of the websites I maintain was taken hostage by hackers. My site went down for hours, and I received a ransom note demanding $10,000 to stop a "denial of service" attack. Known as DoS attacks, these are malicious efforts to keep authorized users of a website or web service from accessing it, or to limit their ability to do so.
If you use LiveJournal or Twitter, you probably remember August 6th well. Suddenly, both websites were completely offline. Users couldn't access their accounts, and there was seemingly no explanation. We later learned that hackers had coordinated something even worse than a DoS attack: a "Distributed Denial of Service" (or DDoS) attack. In this case, lots and lots of computers are used to cripple a web page, website or web-based service. A common form of DDoS is a massive number of computers being used to send requests to a website, overwhelming it to the point where it can't respond to legitimate requests from normal users. That's exactly what happened to LiveJournal and Twitter.
While personal websites and blogs are not generally targeted for DDoS attacks, every organization with a website or web service critical to its operation should be aware of these attacks and be prepared for the possibility of being targeted. Quite obviously, having your site or service rendered inaccessible for even an hour can result in lost revenue; worse, some organizations have even reported blackmail attempts on the part of the attackers.
There are several different ways attackers can bring down a site with a DDoS attack. Some prevent legitimate network connections from being completed by keeping the host's resources busy with bogus requests; others overwhelm a network with a large number of data packets, consuming the available network bandwidth. A site can be rendered unavailable even as a result of large numbers of legitimate requests. One example of this is the so-called "Slashdot effect," wherein the popular "news for nerds" site Slashdot links to another website, and the massive number of Slashdot users clicking on the link temporarily brings down the other site. While this is not considered a DDoS attack, it has essentially the same result. If you've ever heard your staff talking about a site that "got so much traffic" the "servers crashed," they're likely referring to a DDoS issue and not an actual broken server.
Other modes of attack are possible, but increasingly, most DDoS attacks have one thing in common: the rise of botnets.
In this context, a botnet is a collection of computers that can be remotely controlled by an attacker, whether directly or via peer-to-peer communication. Typically this control is accomplished through the use of malware installed on each individual machine. The individual computers are sometimes called "zombies" because they can be controlled remotely without the knowledge of their owners. Such computers are often used to send spam. It's estimated that the majority of spam originates from compromised zombie machines.
A recent example of a botnet was the collection of computers compromised by the Conficker worm, first detected in 2008. The estimated number of infected computers varied widely, but was as high as 15 million at one point. Such a collection of machines could be used to instigate a DDoS attack. In fact, some hackers even "rent out" botnets, offering them for use by others for a fee per machine.
The origin of a DDoS attack is extremely difficult to pinpoint, and without knowing who's behind it, it's hard to determine the motivation for an attack. However, it's reasonable to assume that some attacks are politically motivated, such as efforts to bring down both Georgian and Russian websites during the conflict between the countries in August of 2008. The most recent DDoS attack in August 2009, which brought both Twitter and Facebook down, was actually directed at one person: a Georgian blogger who maintains accounts on Twitter, LiveJournal and Facebook. Political activists were attempting to stop him from communicating, but the attack disabled all three networks for all users worldwide.
On the other hand, some attacks may have no motivation at all. The culprit behind a DDoS attack against popular websites including CNN, eBay, and Amazon in February 2000 turned out to be a Canadian high school student with no clear reason for launching the attack, other than that he could. Some security experts, however, warn that attacks are becoming increasingly financially motivated. For example, there are more and more documented cases of attackers attempting to hold websites for ransom, demanding payment in exchange for stopping their onslaught.
Next week, I'll explain some things you can do to help protect yourself and your digital content.
Amy Webb is a digital media consultant and head of Webbmedia Group, LLC. She has also launched Knowledgewebb, a new website for multimedia training. You can also follow Amy on Twitter and delicious. Webbmedia Group is a vendor-neutral company. Any opinions expressed about products or services are formed after testing, research and interviews. Neither Amy Webb nor Webbmedia Group nor its employees receive any financial or other benefits from vendors.





Comments
Great translation! I read it in English and didn't understand anything. It's good that it's now available in Russian. Thank you.
The attack of the DDoS. And I thought terrorism was bad. Wouldn't you love to get your hands on these little bastards and wring their necks? As the article pointed out, we need to be aware of these things.
It is scary to think about being shut down for a day or two while these creeps try to extort money from you. I look forward to your second writing to see what is suggested to combat these guys.
I think this is what happened when hackers blocked the Al Arabiya Net website after some Shia religious sites were attacked. These things are strange. Aren't the wars on the ground enough?
Really makes me angry reading this stuff. I strongly suggest publishing it in English as well so other people can read and be aware!!