Everything You Ever Wanted to Know About DoS/DDoS Attacks
Attackers can take entire web servers offline simply by overloading them with more traffic than they can handle.
A DoS is a “denial of service.” It is an attack used to make a computer system unresponsive or unavailable. Most often, DoS attacks are used against websites. In these attacks, the web servers hosting the target site are flooded with more connections, requests and other traffic than they can process.
Computers can only handle so many tasks at a time. When a DoS attack is underway the goal is to overwhelm a computer with data. In doing so, the attackers deny service to legitimate users. Depending on how serious an attack is, this can cause slow page loads, erratic behavior or even make the website entirely unavailable.
Think about how your computer acts when you have too many programs running. It can be almost impossible to do anything. Inducing that unresponsiveness is the goal of a DoS attack.
A DoS attack is executed from other computers. The attacking machine tries to send a large amount of traffic to the target by direct means (the traffic originates from the attacking computer) or indirect means (the traffic originates elsewhere, from machines the attacker controls or tricks into responding). On the internet that traffic can take many forms, from raw packets to fully formed HTTP requests. The attacker chooses the exact form the flood takes, but the end result is always similar.
The size of a volumetric DoS attack is measured in how many bits per second it sends at the target. Most attacks don’t register as serious until they reach billions of bits per second. A gigabit is one billion bits, and gigabits per second is written “Gbps.” Bandwidth is not the only yardstick, though: attacks are also measured in packets per second, which is what exhausts routers and firewalls, and in requests per second, which is what exhausts a web application. A flood that is unremarkable in Gbps can still take a site down if it is built of expensive requests.
In September 2012, Cloudflare CEO Matthew Prince wrote, “a 65Gbps DDoS is a big attack, easily in the top 5% of the biggest attacks we see.”[1] Six months later he was writing about the largest DDoS attack Cloudflare had ever seen, the March 2013 attack on Spamhaus, which peaked at 300Gbps. In February 2014 a new record was set by an NTP amplification attack measured at 400Gbps,[8] and by the winter of 2015–2016 Cloudflare was reporting 400Gbps-class attacks arriving on consecutive weekends.[11]
To put that into perspective, the average US household’s internet connection is under 20 Mbps, which is 2% of a single gigabit per second.[2] In 2015, total global internet traffic was on the order of 20,000 Gbps, which makes even the largest DDoS attacks seem small.[3] But there are tens of millions of servers connected to the internet, and that traffic is spread across all of them; when hundreds of Gbps are aimed at a single network at one moment, it is usually enough to overwhelm it. In fact, most small websites and networks can be taken offline with well under 10 Gbps, because their servers typically sit behind a 1 Gbps port or less.
DoS attacks can “fail” if the attackers can’t direct enough data to a network. Similar to earthquakes, DoS attacks are actually happening constantly – seriously, right now at least one is occurring – but most are too small to have any impact or even be noticed.
A DDoS, or Distributed Denial of Service, is conceptually the same as a DoS, but in a DDoS the attacker uses many computers, often located all around the world (hence “distributed”). This makes the attack harder to trace and to block, since there is no single source address to filter, and it combines the bandwidth of all those machines, making for a bigger attack. In practice almost every large volumetric attack today is a DDoS.
Anatomy of an Attack
To better understand how a DoS attack works, let’s look at both the micro and macro of internet infrastructure.
At the most basic level, you have the copper and fiber optic cable the internet is physically built from. These cables connect every device together: servers, routers, modems, network switches, and so on. At the physical level, data is a signal sent along those cables, and each link can carry only so many bits per second; a port is provisioned as 1 Gbps, 10 Gbps or 100 Gbps and will not carry more. So there is a hard maximum on transmission speed at the physical level. (You are probably reading this article on a device connected over WiFi. The same limits exist for wireless links, and they are usually much lower than for wired ones.)
The computers connected to these cables also have a maximum speed. A computer’s network card and CPU have to turn that signal into bits and bytes and then act on the data; most traffic on the internet comes in the form of requests that require a response, and every open connection consumes memory and operating-system state. Most consumer computers cannot process as much data as the cable they are connected to can carry, and a server is often exhausted on CPU, memory or connection-table space well before its link is full. In large internet infrastructure, there are machines that can keep up with the cables.
Now let’s jump to the macro. Let’s say you want to connect to your favorite small business’s website. You type its domain name into your browser and hit enter. Using the domain name, your computer looks up the server’s IP address via DNS (the Domain Name System). After getting the server’s IP, your computer’s packets cross a series of networks, first leaving your home, then traveling across the state, the country, and possibly most of the world, over many different physical cables, to eventually reach the intended site. All of this usually happens in under a second, which belies the complexity involved.
Connecting your computer to that server involves all those pieces: your local network, DNS servers, the destination site’s server, and a series of routers and networks in-between. These days, many websites are using services like a CDN (Content Delivery Network) to make their site faster, which introduces even more complexity.
This complex setup makes the internet incredibly fast and gives us very high availability. But it also means there are many points of failure.
In a DDoS attack, the goal is to clog one of these key points. Attackers know that bringing down just one of those points can prevent access to a site; and a smart attacker knows that the weakest point is the best to attack.
Usually, the destination server is the weakest point. Servers are rarely much more powerful than they need to be, so they can’t handle a big spike in traffic. But that won’t always be the case: if the target is a company like Google or Mozilla, it will be able to absorb a lot of traffic and will have specific measures in place to mitigate DDoS attacks.
Different methods are needed to effectively attack the various points in a network; one method doesn’t work across the board. Executing an effective DDoS comes down to the individual attacker’s skill and capabilities. Just like in every other profession, there are good and bad DDoS attackers.
Cloudflare is one of the world’s largest CDNs. One of their jobs is to protect their clients from DDoS attacks. They are very good at that job. In fact, they are so good that one DDoS attacker realized there was an easier target: the internet itself.
Back in 2013, the attacker behind the Spamhaus attack realized that they just couldn’t overwhelm Cloudflare. So instead, they went around Cloudflare and started attacking its upstream “Tier 1” networks and the internet exchange points where networks interconnect. Think of these like the core of the internet: they are the networks that keep the entire globe connected. Slowing one down, or knocking it offline, could affect a continent.
This particular DDoS attack was so big it threatened to exceed the maximum capacity of the physical fiber optic cables being used in this Tier 1 network.
Who is at risk?
To get in-depth information about DDoS attacks, we have to look to companies like Akamai, Arbor Networks, and Cloudflare, which specialize in DDoS mitigation products. Because these companies sit “downstream” of the ISPs, which see more of the total traffic, their view of DDoS activity is incomplete. Each has its own clients and therefore its own data, so what one company sees may not match another, but there is a general consensus.
Geographically, the United States is by far the largest target country, coming under attack nearly a third of the time, according to Arbor Networks. China is a distant second at 10.5%.[4]
You may be surprised to hear that the United States is also one of the largest sources of attacks, according to Akamai, likely due to the sheer number of computers in the US. The sources of attacks also change frequently: Akamai reports that the number one source country has changed nearly every calendar quarter over the last year, with China, Turkey and the U.K. all taking the top spot.[5]
It’s important to note that “this indicates where the largest number of compromised computers and misconfigured servers are located, not where the attackers are based.”[6] Determining where the human attacker is located is significantly harder, and often requires cooperation with ISPs and getting law enforcement involved.
Arbor Networks runs a monitoring service known as ATLAS that collects information on DDoS attacks. The majority of DDoS attacks they monitored were very short – 91% lasted less than one hour.[7] This can actually be part of an attacker’s strategy – they will segment and launch attacks from multiple locations at multiple times in order to make detection more difficult.
Sustaining a large DDoS attack isn’t easy. After a few hours, attentive victims will have time to respond by identifying and blocking sources of the attack. Large organizations and service providers may bring extra servers online to keep their services running smoothly despite the attack, or have other ways to spread out the effects of the attack.
But let’s go back to our small business example. What kind of protections do they have? Likely, they have the smallest possible server necessary to keep their site online, and may not have even heard of a DDoS attack – so probably no measures in place to defend from one.
The networks and hosting providers that many servers run on are interested in stopping DDoS attacks because an attack can cause problems for customers of unrelated services sharing the network, and the extra traffic costs the provider money. However, they are usually protecting their own interests, and they may handle a DDoS by simply “null-routing” or “blackholing” the targeted IP address, that is, dropping all traffic to it until the attack looks to be over. That stops the flood, but it also prevents everyone, both attackers and legitimate users, from reaching the site.
Better protection, which doesn’t involve simply shutting off your server, is often more expensive and requires renting or buying hardware that inspects the traffic coming to your server or network, or routing your traffic through a scrubbing service that does the inspection for you. Some providers, like Cloudflare, offer sophisticated DDoS protection for free.
Let’s not forget, the internet is more than just websites! Internet-connected servers are critical infrastructure for all sorts of uses. Exchanges for cryptocurrencies like Bitcoin run on web servers that match buy and sell orders, and a DDoS attack on an exchange can significantly slow, or entirely stall, trading. The internet of things promises to enhance our lives with “smart” appliances, cars, and tools, but imagine a DDoS leveled at the centralized servers those devices rely on for proper operation or updates.
How Attacks Get So Big
In the previous section I outlined all the different pieces of a network and how sites can become inaccessible if their capacity is exceeded. Luckily, attackers face the same restrictions. If the attacker’s goal is to flood a network with a huge amount of traffic, then the attacker needs a way to send that much traffic. You can’t just start sending hundreds of gigabits of traffic from your laptop at home.
So, how are these attacks getting so big? There are quite a few methods that attackers use to generate server-crushing bandwidth.
One method involves “botnets.” These are collections of computers that have been infected by malware that allows them to be remotely controlled. Botnets are a multi-purpose tool; they are one of the most popular resources for any type of malicious behavior. Think of them as a raw material of the hacking and cybercrime world.
Infected computers in a botnet will often be harvested or monitored for any financial data or user credentials, while others are used as weapons to further harm other computers. In a DDoS attack a botnet is the attacker’s infantry.
Attackers grow their DDoS capacity by building a bigger botnet. Botnets make defense and detection difficult because those computers will be scattered all across the world, and they may give no indication where the human attacker is actually located. The use of botnets is one of the main ways DDoS attacks are “distributed”.
Another method used to mount massive attacks is “amplification”. This is one of the few times that a computer networking term matches up with its everyday definition. With amplification the attacker is literally increasing the capacity of their attack.
Without getting too technical, I will try to sum up one example of this, known as NTP amplification. Computers need help keeping their clocks synchronized with each other, and they use a protocol known as NTP (the Network Time Protocol) to do this. To get the correct time, a computer sends a small request over the internet to an NTP server, which answers with a small reply.
Attackers use spoofing (forging the source address of a packet) together with two weaknesses in how NTP is deployed to amplify their attack. NTP runs over UDP, which has no handshake, so a server has no way to check that a request really came from the address it claims to come from. And older NTP servers support a diagnostic command called “monlist” that returns a list of up to 600 of the last hosts that talked to the server. Attackers spam a large number of monlist requests (we are talking in the millions) at NTP servers and trick them into sending the responses back to the target. The response is far bigger than the request (which is just due to the nature of what’s being asked for): Cloudflare measured it at 206 times bigger.[8]
So the whole process works like this. First the attacker sends a request to an NTP server with the source address “spoofed” to the target’s address, which tricks the NTP server into thinking the target made the request and sending it the response. The target server, which had no involvement in this process thus far, receives the data. The attacker repeats this process millions of times over, against many NTP servers at once, flooding the target with data. Because the reflected packets carry the NTP servers’ addresses, not the attacker’s, the target sees a flood from hundreds of legitimate-looking time servers.
The amplification comes from the difference in size between the request and the response. Remember we mentioned that every attacker has a capacity; for the sake of this example let’s say it is 1 Gbps. If that capacity were used to attack the target directly, the DDoS would be 1 Gbps. But if the attacker sends that 1 Gbps of requests to NTP servers with monlist enabled, the target ends up receiving roughly 200 times that amount. The fix is equally two-sided: NTP operators disable monlist (or upgrade to a version of ntpd without it), and network operators filter outbound packets whose source address doesn’t belong to their network (the practice known as BCP38), so spoofed requests never leave the attacker’s network in the first place.
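To make that exchange concrete, here is an added example in Python (mine, not the article’s and not Cloudflare’s code) that models the whole chain: the spoofed request, the reflector’s oversized answer, the BCP38 source-address check at the attacker’s upstream that would have dropped the forged packet, and a simple victim-side detector run over flow records. It assumes the packet sizes Cloudflare reported in [8] (a 234-byte request answered by up to 100 datagrams of 482 bytes), uses only RFC 5737 documentation addresses, and the flow records and detector thresholds are constructed for illustration rather than taken from any vendor.

```python
"""NTP monlist reflection, modelled end to end: the spoofed request, the
reflector's oversized answer, the BCP38 check that would have dropped the
spoofed packet, and a flow-level detector for the victim's side."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Packet sizes Cloudflare reported for the 400Gbps attack [8]: one 234-byte
# monlist request draws a 600-entry answer spread over up to 100 datagrams
# of 482 bytes each.
MONLIST_REQUEST_BYTES = 234
MONLIST_REPLY_BYTES = 482
MONLIST_REPLY_PACKETS = 100
NTP_PORT = 123


@dataclass(frozen=True)
class Datagram:
    """One UDP datagram as a router sees it. All addresses below are from the
    RFC 5737 documentation ranges; nothing here touches a real network."""
    src: str
    sport: int
    dst: str
    dport: int
    size: int  # bytes on the wire, IP and UDP headers included


def spoofed_monlist_request(victim: str, reflector: str, victim_port: int = 80) -> Datagram:
    """The attacker's packet: addressed to the reflector, but with a forged
    source so the reflector believes the victim asked."""
    return Datagram(src=victim, sport=victim_port, dst=reflector, dport=NTP_PORT,
                    size=MONLIST_REQUEST_BYTES)


def reflect(request: Datagram) -> list[Datagram]:
    """What an NTP server with monlist enabled does: it answers whoever the
    source field names. UDP has no handshake, so it never learns that the
    attacker, not the victim, sent the request."""
    return [Datagram(src=request.dst, sport=NTP_PORT, dst=request.src,
                     dport=request.sport, size=MONLIST_REPLY_BYTES)
            for _ in range(MONLIST_REPLY_PACKETS)]


def amplification_factor(request: Datagram, replies: list[Datagram]) -> float:
    """Bytes delivered to the victim per byte the attacker had to send."""
    return sum(r.size for r in replies) / request.size


def victim_rate_bps(attacker_bps: float, factor: float) -> float:
    """Bandwidth arriving at the victim when the attacker's whole uplink is
    spent on reflected requests."""
    return attacker_bps * factor


def bcp38_forward(datagram: Datagram, customer_prefixes: list) -> bool:
    """Source-address validation (BCP38 / RFC 2827) at the attacker's upstream
    edge: forward a packet only if its source address belongs to a prefix
    assigned to the port it arrived on. A spoofed request fails here and
    never reaches a reflector."""
    return any(ip_address(datagram.src) in net for net in customer_prefixes)


def detect_ntp_reflection(flows: list[dict], min_reflectors: int = 3,
                          min_avg_size: int = 400) -> dict:
    """Victim-side detector over NetFlow-style records. A genuine NTP reply is
    a single 76-byte datagram; monlist reflection shows up as many sources
    sending ~480-byte packets from UDP/123 to one destination. The thresholds
    are assumptions for this example, not vendor defaults."""
    per_dst = defaultdict(lambda: {"reflectors": set(), "bytes": 0, "pkts": 0})
    for f in flows:
        if f["proto"] != "udp" or f["sport"] != NTP_PORT:
            continue
        if f["bytes"] / f["pkts"] < min_avg_size:
            continue  # ordinary time-sync traffic
        agg = per_dst[f["dst"]]
        agg["reflectors"].add(f["src"])
        agg["bytes"] += f["bytes"]
        agg["pkts"] += f["pkts"]
    return {dst: {"reflectors": len(a["reflectors"]), "bytes": a["bytes"], "pkts": a["pkts"]}
            for dst, a in per_dst.items() if len(a["reflectors"]) >= min_reflectors}


# Constructed flow records for a one-second window: three reflectors hitting
# 192.0.2.7 on port 80, one legitimate NTP reply, one unrelated TLS flow.
SAMPLE_FLOWS = [
    {"proto": "udp", "src": "203.0.113.10", "sport": 123, "dst": "192.0.2.7", "dport": 80, "pkts": 100, "bytes": 48200},
    {"proto": "udp", "src": "203.0.113.11", "sport": 123, "dst": "192.0.2.7", "dport": 80, "pkts": 100, "bytes": 48200},
    {"proto": "udp", "src": "203.0.113.12", "sport": 123, "dst": "192.0.2.7", "dport": 80, "pkts": 100, "bytes": 48200},
    {"proto": "udp", "src": "203.0.113.10", "sport": 123, "dst": "192.0.2.9", "dport": 123, "pkts": 1, "bytes": 76},
    {"proto": "tcp", "src": "198.51.100.4", "sport": 443, "dst": "192.0.2.7", "dport": 51000, "pkts": 40, "bytes": 30000},
]

if __name__ == "__main__":
    req = spoofed_monlist_request(victim="192.0.2.7", reflector="203.0.113.10")
    replies = reflect(req)
    factor = amplification_factor(req, replies)
    print(f"{req.size} B request -> {len(replies)} x {MONLIST_REPLY_BYTES} B replies "
          f"to {replies[0].dst}, {factor:.0f}x amplification")
    print(f"1 Gbps of requests becomes {victim_rate_bps(1e9, factor) / 1e9:.0f} Gbps at the victim")
    # The attacker's ISP assigned it 198.51.100.0/24; the forged source is not in it.
    print("BCP38 forwards spoofed request:", bcp38_forward(req, [ip_network("198.51.100.0/24")]))
    print("Reflection suspects:", detect_ntp_reflection(SAMPLE_FLOWS))
```

Two things worth noticing when you run it. The reflector’s replies are addressed to the victim on whatever port the attacker chose to spoof (80 here), so from the victim’s vantage point the flood looks like hundreds of time servers answering questions it never asked; that is why blocking by source address is futile and the detector instead keys on packet size and the number of distinct UDP/123 sources. And the BCP38 check is the only step in the chain that can see the lie, because it is the only hop that knows which source addresses the attacker’s port is entitled to use.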
Why?
During the 2014 holiday season, a group known as Lizard Squad took down the online networks used by PlayStation and Xbox consoles, preventing thousands of people who had just received the consoles from enjoying their gifts. They brought the networks down with a DDoS attack, preventing an estimated 150 million people from playing online.
Why did they target these networks? “Raising awareness regarding the low state of computer security at these companies.”[9] In this case, the hackers were unhappy that such a successful company was, in their view, so “lazy” about their network’s security.
The most well-known hacking group in the world is Anonymous. They have been active for over a decade, and their actions are usually politically or ideologically motivated. They have executed DDoS attacks on Tunisian government sites in response to that government’s internet surveillance, on payment companies that refused to accept donations for WikiLeaks, and on loads of others for violating the principles they believe in. These types of attacks are often referred to as “hacktivism,” a portmanteau of hacking and activism.
Arbor Networks conducts the Worldwide Infrastructure Security Report[10], an annual survey of service providers, government IT departments, and major enterprises. Until the 2016 report, organizations surveyed reported “political/ideological hacktivism” and “nihilism/vandalism” as the most common motivations for DDoS attacks. In the 2016 report, “criminals demonstrating attack capabilities” took first place for the first time.
But it’s not just big businesses or political targets that are at risk. Arbor Networks, a company that develops software for DDoS mitigation, closely monitors the activity of DDoS botnets and categorizes the victimized sites. They have seen every conceivable organization and business attacked – from banks to an ecommerce site selling car seat covers, and a pawn shop’s website. In most cases it’s impossible to know for sure why these sites were attacked, but we can speculate that it may be an angry customer who feels they have been wronged by the business, someone opposed to their ideology or product, or maybe even a competitor. Cloudflare echoed the same sentiment, saying “anybody can become the target of a large attack.”[11]
The Economics: Profitable, Cheap, and Efficient.
Sometimes DDoS attacks are motivated by political ideology or personal revenge. But they are also a major source of income for cybercriminals and hackers. The use of DDoS attacks for criminal ends has become a major problem in the last few years. Attackers extort companies, threatening to DDoS them if they do not pay a ransom, or they sell their services on the market, executing attacks for anyone willing to pay.
DDoS attacks have been advertised for as little as $5 on Fiverr.com, a website where users offer small jobs. The reality is that most websites and services are not prepared for a DDoS attack, so you can take down a small site for less than a meal at a nice restaurant.
Cybercriminals who sell DDoS attacks treat it like any other product. They advertise their services on forums, offer volume discounts, and even do free demonstrations on request.
The pursuit of profit has encouraged cybercriminals to get more creative and improve their offerings. We briefly discussed NTP amplification above, which is just one of a number of highly effective “reflection” or “amplification” methods; open DNS resolvers, SSDP on home routers and Chargen are abused the same way. What these methods have in common is that they take advantage of improperly configured or unsecured servers and devices on the internet (which are often important internet infrastructure) to increase the size of an attack with little to no overhead. In Akamai’s State of the Internet Report, they stated that “it is far easier for attackers to exploit network devices and unsecured service protocols” than it is to “[spend] time and effort to build and maintain DDoS botnets.” Akamai saw these attacks grow at an increasing rate for the entirety of 2015.[12]
An in-depth report by Arbor Networks tracked a single small-scale Russian cybercriminal and tried to find out just how much money he was making through selling his DDoS services. They estimated this individual made an average income of $66 per attack, for a total of $5,408 over the course of three months – and that’s tax free!
It’s an extremely profitable enterprise because attackers “clandestinely and illegally [leverage] infrastructure and connectivity which belongs to others,” such as botnets. With a little effort, aspiring cybercriminals can find an essentially “turnkey” solution for DDoS attacks on hacker forums; the guides and software needed to infect and control a botnet and launch a DDoS attack are freely available.
Unfortunately, being a victim isn’t so cheap. According to Arbor Networks, “the average cost to a victim of a DDoS attack is around $500 per minute… [while] the mean cost is only $66 per attack.” Because of this disparity DDoS attacks will likely continue to grow and be a thorn in the side of server administrators and organizations everywhere.
Websites in Fear: The Threat of Attack
DDoS attacks have become such a problem that even the threat of an attack is becoming its own weapon. In April 2016 Cloudflare documented a group of cybercriminals that were extorting businesses, threatening to DDoS their servers and networks if they did not receive a ‘protection payment’ in Bitcoin.
This group, known as the Armada Collective, turned out to be nothing more than hot air. In a blog post, Cloudflare said they were “unable to find a single incident” of an actual attack. But all it took was a mass-distributed email to scare businesses – the Armada Collective has received more than $100,000 in payments from those hoping to avoid an attack.
That’s not to say this fear is unfounded: DDoS attacks are continuing to evolve and grow. Not only is the threat of an attack being used as a weapon, but “DDoS attacks [are now] being used as a distraction for either malware infiltration or data exfiltration.” One quarter of organizations surveyed by Arbor Networks reported seeing this behavior.
Both Arbor Networks and Akamai recorded a near doubling in the number of DDoS attacks in 2015 compared to the previous year. Verisign published figures for Q1 2016 showing a 111% increase in attacks year over year.[13] Just about every major industry player expects this trend to continue. Luckily, protections are also improving. The ability of a CDN to absorb a multi-hundred Gbps attack says just as much about the defender as it does about the attacker. But DDoS attacks are not going away anytime soon, and none of us should be surprised when new record-breaking attacks happen sooner rather than later.
[1] Matthew Prince, Cloudflare blog, https://blog.cloudflare.com/65gbps-ddos-no-problem/
[2] Akamai, State of the Internet Report, Q3 2015, Section 3, https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/akamai-state-of-the-internet-report-q3-2015.pdf
[3] Cisco Visual Networking Index, http://www.cisco.com/c/en/us/solutions/collateral/service-provider/visual-networking-index-vni/vni-hyperconnectivity-wp.html
[4] Arbor Networks, Worldwide Infrastructure Security Report 2016, Figure A.7, https://www.arbornetworks.com/images/documents/WISR2016_EN_Web.pdf
[5] Akamai, State of the Internet, Figure 2-10
[6] PCWorld, http://www.pcworld.com/article/3079990/security/massive-ddos-attacks-reach-record-levels-as-botnets-make-them-cheaper-to-launch.html
[7] Akamai, State of the Internet Security Report, Q4 2015, Figure A.5, https://www.akamai.com/us/en/multimedia/documents/report/q4-2015-state-of-the-internet-security-report.pdf
[8] Cloudflare blog, https://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack/
[9] Cinema Blend, http://www.cinemablend.com/games/Why-Lizard-Squad-Hacked-Xbox-Live-PSN-69163.html
[10] Arbor Networks, Worldwide Infrastructure Security Report 2016, https://www.arbornetworks.com/images/documents/WISR2016_EN_Web.pdf
[11] Cloudflare blog, https://blog.cloudflare.com/a-winter-of-400gbps-weekend-ddos-attacks/
[12] Akamai, State of the Internet Security Report, Q4 2015, pages 22-23, https://www.akamai.com/us/en/multimedia/documents/report/q4-2015-state-of-the-internet-security-report.pdf
[13] Verisign, DDoS Trends Report, Q1 2016, https://www.verisign.com/assets/report-ddos-trends-Q12016.pdf