Security in Plain English: What is a DDoS Attack?

Mike Talon
June 22, 2018


Today’s question from a reader:

I heard on the news about the biggest ever DDoS attack, but what is a DDoS attack, and should I be worried about it?

Distributed Denial of Service (DDoS) attacks are simply bad actors flooding a server or website with an overwhelming number of requests in order to disable it. Think of it this way:

If you are standing alone with one other person on a street corner, it’s very easy to hear them when they ask you a question – and for you to give them an answer. Now imagine that this same street corner has ten people all asking you questions. It becomes much harder for you to know which questions are legitimately being asked of you, and to give your answer with all the noise. Now imagine there are one hundred, one thousand, or ten thousand people all asking questions. It’s impossible for you to do much of anything since you can’t hear anything over all the noise, much less figure out which person in the crowd legitimately asked you a question!

DDoS attacks work the same way – just on a much bigger scale. A website is swamped with millions (or billions) of requests – with nearly every one of them being bogus and generated by an attacker trying to disrupt the service. This creates a situation where service to any legitimate user is denied – leading to the term “Denial of Service” attack. Bad actors used to do this by having several machines at one location all continuously blasting requests to a website or service, but technology soon evolved to quickly figure out what was going on and block that location, fixing the problem. The bad actors, however, also evolved. Instead of attacking from just one location, they began attacking from dozens, then hundreds, then thousands of locations around the globe. This led to the Distributed Denial of Service attack – which is much more difficult to deal with. When all those attacking systems blast the website in question with millions upon millions of requests in mere seconds, the servers either crash or simply become unable to handle any legitimate traffic, and the attack succeeds.

The way bad actors manage to pull this off varies by the attacker, but for the most part they rely on “zombie” machines. Using well-known techniques, such as infected email attachments, the attackers install software on thousands or even millions of users’ computers. However, unlike a regular virus or malware, these software tools don’t directly do anything harmful to the machines they infect. Instead, they sit quietly and wait for a signal from the attacker. When that signal comes, these zombie machines begin to send their malicious messages at the targeted website, creating a DDoS attack. Since each machine only sends a tiny amount of the overall attack data, the people using zombie machines may not notice anything at all – making the attack hard to detect unless the user’s anti-malware software can recognize the infection.

With the advent of Cloud computing, DDoS attacks have taken a new vector – zombie servers. In addition to having zombie machines all over, the bad actors now also attack Cloud computing instances, dramatically increasing the number of machines they can use to attack a website or service and – since servers are less likely to have active anti-malware tools running – making the attack harder to limit before these zombies start hurling data at the target. Once the data starts flowing, good network security tools can recognize the traffic pattern and put a stop to it, but prior to that point the zombification software might be totally invisible.
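To make the contrast in the paragraphs above concrete – one loud location that can simply be blocked, versus thousands of zombies each sending a tiny share that no single-source rule will ever catch – here is an added example that is not from the original post and not SecureAuth code: a toy rate-based detector run over constructed access-log lines. The log format (`<second> <source_ip>`), the IP addresses, the three traffic windows and every threshold (`per_source_limit`, `aggregate_limit`, `baseline_sources`) are assumptions chosen to make the scenarios visible, not values from any real incident.

```python
"""Toy rate-based DDoS detector over constructed access-log lines.

Added example, not code from the original post or from SecureAuth. The log
format ("<second> <source_ip>"), the IP addresses and all thresholds are
constructed assumptions chosen to make the three scenarios in the text visible.
"""
from collections import Counter


def build_sample_log():
    """Return constructed log lines for three 10-second windows:
    A: normal traffic (20 clients, 1 request/s each)
    B: the same clients plus ONE machine sending 500 requests/s
    C: the same clients plus 2000 'zombie' machines sending 1 request/s each
    """
    lines = []
    for t in range(0, 30):
        for i in range(20):                       # legitimate clients, all windows
            lines.append(f"{t} 10.0.0.{i + 1}")
        if 10 <= t < 20:                          # window B: single-source flood
            lines.extend(f"{t} 203.0.113.9" for _ in range(500))
        if t >= 20:                               # window C: distributed flood
            lines.extend(f"{t} 100.64.{j // 256}.{j % 256}" for j in range(2000))
    return lines


def parse(lines):
    """Turn '<second> <ip>' lines into (second, ip) tuples."""
    events = []
    for line in lines:
        sec, ip = line.split()
        events.append((int(sec), ip))
    return events


def analyze_window(events, start, end, per_source_limit=50,
                   aggregate_limit=100, baseline_sources=20):
    """Classify one window [start, end) of seconds.

    per_source_limit : requests/s above which a single IP is blocked (classic rate limiting)
    aggregate_limit  : total requests/s the service can comfortably serve
    baseline_sources : number of distinct clients normally seen in a window
    """
    seconds = end - start
    counts = Counter(ip for sec, ip in events if start <= sec < end)
    total = sum(counts.values())
    aggregate_rps = total / seconds
    offenders = sorted(ip for ip, n in counts.items() if n / seconds > per_source_limit)

    if aggregate_rps <= aggregate_limit:
        verdict = "normal"
    elif offenders:
        # Blocking the few loud sources removes the flood: the pre-DDoS case.
        verdict = "single-source flood"
    elif len(counts) > 10 * baseline_sources:
        # Nobody trips the per-source limit, yet the aggregate is far above
        # capacity and the source count has exploded: the distributed case.
        verdict = "distributed flood"
    else:
        verdict = "overloaded (cause unclear)"

    return {
        "aggregate_rps": aggregate_rps,
        "distinct_sources": len(counts),
        "offenders": offenders,
        "verdict": verdict,
    }


def run_demo():
    """Analyze the three constructed windows and return their results."""
    events = parse(build_sample_log())
    results = {}
    for name, (start, end) in {"A": (0, 10), "B": (10, 20), "C": (20, 30)}.items():
        r = analyze_window(events, start, end)
        results[name] = r
        print(f"window {name}: {r['aggregate_rps']:.0f} req/s from "
              f"{r['distinct_sources']} sources, offenders={r['offenders']} -> {r['verdict']}")
    return results


if __name__ == "__main__":
    run_demo()
```

Window B is what the older "block that location" defence handles: a single address is responsible for almost all of the load, so a per-source limit names it and blocking it restores service. Window C is the distributed case the post describes: every zombie stays well under the per-source limit, so the only signals left are the aggregate request rate and the sudden jump in the number of distinct sources, which is why mitigation has to work on traffic patterns rather than on individual addresses.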

Putting all these methods together, attackers have managed to create some truly impressive DDoS attacks recently. The largest ever recorded sent data at a rate of 1.35 terabits per second. To put this in perspective, a home internet connection ranges from ten to one hundred *mega*bits per second – meaning your entire internet connection is only a tiny fraction of the bandwidth that was used to attack GitHub and other sites in recent history!

Next week, we will help you figure out what to do to handle this type of attack.
