What is DDoSing? It’s something every system administrator and security professional needs to be concerned about. You can expect to see this concept on certification tests and get questions about it in job interviews. So let’s look at the concept of DDoS, and why I think this is going to get worse before it gets better.
What DDoS stands for
Let’s start with the fundamental question: What does DDoS stand for? DDoS stands for Distributed Denial of Service attack. It’s a cheap way for an attacker to bring down a web site the attacker doesn’t like.
Now let’s unpack that.
The name suggests it’s related to DoS, or Denial of Service. Denial of Service just means taking a system down. A regular denial of service usually requires some kind of vulnerability or misconfiguration that an attacker can exploit to, say, shut down a web server. Frequently a regular DoS involves sending a specially crafted packet to the server.
It’s fairly common for the monthly updates that come out for Windows and other operating systems to correct Denial of Service issues.
Distributed Denial of Service attacks are different. Instead of taking out the service by sending a specially crafted packet, a DDoS just overwhelms the server with traffic, hoping to eventually either slow the server down to the point of being unusable by running the CPU up to 100 percent, or cause something to crash due to the load.
You can think of DoS as a surgical attack, and DDoS as a kind of brute force attack. And since the attack originates from the Internet at large, the attacker doesn’t have to gain any kind of foothold on the target network.
The roots of DDoSing
Like most computer-related things, the concept first appeared in phones. If a phone number got too many calls at once, everyone would get a message saying that all circuits were busy and a request to try again later. Weaponizing this usually required a great deal of coordination. But in effect radio stations did this to themselves every time they gave something away to the 12th caller.
America Online, the old dialup information service, in effect did this to itself in the mid 90s when the Internet started becoming popular. It didn’t have enough circuits to handle all of its subscribers who wanted to dial in during the busiest hours, so for a time it was known for busy signals.
Carrying out a DDoS attack
Typically the attacker hijacks large numbers of home computers with broadband connections and builds them into an army called a botnet. To carry out a DDoS, the attacker sends instructions to the botnet telling every machine to send traffic to the target at once, like a flash mob.
DDoS can go after any service that’s exposed to the Internet. Most frequently it goes after web services, which means ports 80 and/or 443. An attacker can also launch a DDoS attack against DNS, which can indirectly take down web services and disrupt other parts of an organization as well. DDoS attacks against other ports and services are less common, but theoretically possible.
A DDoS is similar in concept to the old phenomenon of Slashdotting. In days of yore, when a web site would be featured on the popular site Slashdot, the thousands of resulting visits often knocked the site offline. Slashdotting was innocent. DDoS is the weaponization of this innocent concept.
Surviving Slashdotting became a rite of passage for system administrators around the turn of the century. Surviving DDoS can be a similar rite of passage today, but it’s a somewhat harder problem to solve. Both cases are essentially an arms race, but it takes much more to win today than it did then.
Motivations for carrying out a DDoS attack vary, but generally only slightly.
Motivations for DDoS
Sometimes people take down web sites out of revenge, or because they don’t like the site’s message or purpose. This can fall into the category of hacktivism, or personal vendetta.
Sometimes an attacker will DDoS for money. You can’t directly make money from DDoS, but some attackers will launch a DDoS, then threaten another attack unless the target pays a ransom.
But there can be another motivation for DDoS. Frequently a professional attacker will DDoS a target while doing other things. The DDoS works as an effective distraction against whatever other attack they are carrying out. The idea is that the security team and system administrators will scramble to bring the web site back online, and while they’re distracted doing that, it will be easier to steal data from somewhere else or carry out some other campaign affecting the same company.
Motivations for DDoS are generally the same as for any other kind of hacking, and more often than not it comes down to money.
How to remedy DDoS
Stopping DDoS attacks can be difficult, and that’s what makes this a popular job interview question. You can expect to be asked, “What is DDoSing?” when interviewing for an entry-level job. For a more senior-level job you can expect to be asked what to do about DDoS.
Use a Content Distribution Network
The most practical and effective remedy is to front your web site with a content distribution network, such as Cloudflare, which caches your site and then serves up the cache from a number of servers sitting on different connections to the Internet. Effectively, you’re meeting the distributed traffic with a distributed cache.
DDoS works because you can overwhelm an individual server. But it’s difficult to build a botnet big enough to take on something like Cloudflare.
Use load balancing
On a smaller scale, organizations will try to counter DDoS with load balancing. With old-school load balancing, you build multiple web servers, then place a load balancing device, such as an F5 BIG-IP, in front of the servers to split the load up between them. This keeps any single server from getting overwhelmed.
The problem with doing your own load balancing is that the load balancer itself could get overwhelmed, or your upstream connection can get overwhelmed. So these days you typically see load balancers in use internally, to prevent the old Slashdot-style problem. But in spite of their overwhelming popularity and sales volume, load balancers alone generally aren’t enough to stop a large DDoS attack. They are much more useful for distributing and controlling legitimate volumes of network traffic.
Use firewall rules
Firewalls can be effective against some DDoS attacks if you catch them early enough. You have to write the rules quickly. But the idea of DDoS is to use large numbers of machines. It’s much harder to write firewall rules to block hundreds or thousands of incoming connections by hand. Perhaps using automation tools like Demisto or Phantom would make this more practical.
The tricky thing with this method is distinguishing between DDoS traffic and other legitimate high-volume traffic. Search engines’ bots have a tendency to send large numbers of connections in to you as well, but you want those, because those lead to more visitors coming to your site.
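To make the firewall-rules approach concrete, here is an added example (not code from the original post) of the kind of detection step that would sit in front of such automation: it parses constructed web server access-log lines, counts requests per source IP in a sliding time window, and flags sources that exceed a threshold, while skipping crawlers you have already verified. The log lines and the `VERIFIED_CRAWLERS` set are constructed placeholders; in practice a crawler is confirmed with reverse-then-forward DNS checks following the search engine’s published guidance, never by trusting the User-Agent string, which anyone can set.

```python
"""Flag high-rate source IPs in web access logs, sparing verified crawlers.

Added example for this article, not code from the original post. The log
lines are constructed, and VERIFIED_CRAWLERS is a placeholder for IPs you
have confirmed belong to a search-engine crawler (an assumption here).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed placeholder: crawler IPs already verified via DNS, not a real list.
VERIFIED_CRAWLERS = {"192.0.2.77"}


def parse_line(line):
    """Return (ip, timestamp, user_agent), or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("ua")


def flood_sources(lines, window=timedelta(seconds=10), threshold=20):
    """Map each non-crawler IP that made more than `threshold` requests inside
    any span of length `window` to its peak request count in such a span."""
    per_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than crash mid-incident
        ip, ts, _ua = parsed
        per_ip[ip].append(ts)

    flagged = {}
    for ip, stamps in per_ip.items():
        if ip in VERIFIED_CRAWLERS:
            continue  # wanted traffic: search-engine crawler confirmed via DNS
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it lies within `window` of ts.
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged


def sample_log():
    """Constructed access-log lines (not real traffic) for demonstration."""
    base = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset_s, ua):
        ts = (base + timedelta(seconds=offset_s)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "GET / HTTP/1.1" 200 512 "-" "{ua}"'

    lines = []
    # One source hammering the site: 8 requests in 8 seconds.
    lines += [line("198.51.100.9", i, "Mozilla/5.0") for i in range(8)]
    # A verified crawler at the same rate: wanted, so it must not be flagged.
    lines += [line("192.0.2.77", i, "Googlebot/2.1") for i in range(8)]
    # A normal visitor: 3 requests spread over a minute.
    lines += [line("203.0.113.5", t, "Mozilla/5.0") for t in (0, 30, 60)]
    lines.append("this line is not in combined log format")
    return lines


if __name__ == "__main__":
    for ip, peak in flood_sources(sample_log(), threshold=5).items():
        print(f"candidate for a block rule: {ip} ({peak} requests in window)")
```

The script only produces candidates; handing them to a firewall or an automation platform is a separate step, and the threshold and window should be tuned against your own baseline traffic so that a busy but legitimate client is not cut off.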
DDoS is what I like to call a caveman-type attack. And fighting it off just with firewall rules is kind of a caveman-type defense. There is a time and a place for caveman-type defenses but I’m not sure DDoS is one of them.
Last and least, changing web servers to Nginx, or deploying Nginx as a cache in front of an existing web server, could be enough to fight off a mild DDoS attack.
Why DDoS may get worse
Distributed Denial of Service attacks became practical in the late 1990s when broadband connections became common. Broadband service has gotten incrementally faster over the years, but not at the rate that CPU and graphics card speeds have increased.
A couple of years ago, 100 megabits was a really fast connection. We’re getting to the point now where connections faster than 100 megabits are becoming more affordable and easier to get. Even gigabit Internet is becoming more common.
New technology is great. Gigabit connections are great. I have one and love it. The problem is that gigabit upstream connections would be extremely useful for a DDoS attack. A bad guy could carry out an attack with 1/10 as many computers as before, or conduct an attack with 10 times as much intensity.
With great power comes great responsibility. Keep your systems up to date. Some people object to Microsoft making updates on home versions of Windows difficult to disable, but it’s the only way to keep home computers with very high speed connections from becoming weapons. If an update causes your system to malfunction, Microsoft will help you and they won’t charge for it. Microsoft provides a free tool and walkthrough to get you started.
Internet providers and router manufacturers also bear some responsibility. Router manufacturers rarely update their devices. I expect that when the problem becomes big enough, Internet providers will ultimately have to start providing routers and ensuring they get periodic updates to keep them from becoming members of botnets and thus becoming DDoS weapons.
What is DDoSing: Final thoughts
DDoSing will remain a problem for some time to come, because it’s a cheap attack and doesn’t require a great amount of skill to carry out. Knowing what DDoS is and what to do about it is important both for the security and operational sides of IT.
Ultimately, DDoS is both a security and an operational issue. It’s usually the operations side that carries out DDoS protection for an organization. Some organizations place network security on the operations side of the organization and some place it on the security side. But even when an organization places network security on the operations side, the security department may provide some oversight, or, more importantly, help in getting funding.