Editor’s Note (10/21/16): Massive attacks against major internet infrastructure providers have taken down websites including Twitter, PlayStation Network and PayPal and slowed user access in the US. Dynamic Network Services, Inc. (Dyn), Amazon and others reported Friday that they were victims of multiple distributed denial-of-service (DDOS) attacks that overwhelmed companies’ computer servers with massive amounts of data traffic that have taken their systems offline. American Scientist article – originally published online February 11, 2014 – explains what DDOS attacks are and how they wreak havoc on the web.
Many of the websites we visit every day are subject to cyberattacks by malicious hackers seeking to disrupt business transactions, discourage people from using a particular online service, or exact revenge for a real or perceived slight . One of the most common ways a site takes down is to flood its computer servers with so much traffic that they slow down or shut down because they just can’t handle the volume. This is called a Denial of Service (DOS) attack.
The weapon of choice in these cybersalvos is the botnet, a virtual armada of computers intended to flood Internet servers with requests for data insofar as these servers cannot function. Botnets are used to perform Distributed DOS (DDOS) attacks against a target, and often the owners of these computers don’t even know that their systems are useless. This is because cybercriminals first break into these computers using a virus, worm, or other malware, turning someone’s PC or server into a “zombie.” can be controlled remotely.
American ScientistThe Instant Egghead video below offers additional insight into how these attacks work.
In a high-profile example, hacker group Anonymous launched a DDOS against Paypal, MasterCard, Visa and others in December 2010 – dubbed Operation Payback – after payment services stopped processing donations to the WikiLeaks site. Participants in Operation Payback used software called Low Orbit Ion Cannon (LOIC) to recruit computers for their attacks. LOIC actually included a feature that allowed computer users to voluntarily join anonymous botnets. US authorities have charged 14 people for their role in the attacks.
One of the new approaches to launching DDOS attacks is to recruit mobile devices through DDOS applications to participate in these attacks, according to a recent report by cybersecurity firm Prolexic Technologies. In such cases, mobile device owners actually agree to participate in the attack by downloading the app and giving control of their phone or tablet to the attacker. It may not have been a real threat a few years ago, but the proliferation of increasingly powerful mobile devices has made it a valuable contributor to any botnet, the report says.
Attackers often protect their own identity by creating fake Internet Protocol (IP) sender addresses for servers they commandeer to carry out DDOS attacks. Any investigation into the source of the assault leads to a false address rather than the actual perpetrator. An increasingly popular approach is for an attacker to send fake requests for information to a computer or group of computers, which in turn send their flood of responses to that faked address. This is known as a distributed thoughtful DOS attack because the real culprit uses an unwitting middleman to perform an attack. Going a step further, attackers sometimes deliberately create requests that elicit much larger responses, thus amplifying the attack without much extra effort.
Site owners can combat DOS attacks in several ways, adding more servers for redundancy and backup or configuring firewalls that attempt to filter traffic from dubious sources, for example. Unfortunately, attackers continue to find ways to circumvent these defenses, creating a virtual escalation in the arms race involving websites, cybercriminals, and law enforcement.