What are Denial of Service Attacks?
To fully understand denial of service (DoS) attacks and their danger to your business, think back to high school, and the havoc that a few pranksters could wreak by overflowing a few toilets at the same time.
Leaving behind commodes, digital hooligans have learned to cripple corporate networks and -- more often -- Web connected servers, using a modern form of the "everyone flush together" strategy. A DoS attack simply floods the target machine or network with an unusual, and unmanageable, amount of traffic. Distributed denial of service (DDoS) attacks are even more potent as they involve the perpetrators commandeering hundreds and even thousands of machines on the Internet for the purpose of launching the crippling attack against your company.
"Denial of Service attacks are purposeful actions intended to disrupt authorized use of some service, such as Web services, network bandwidth, etc.," explains Dave Dittrich, a researcher at the University of Washington's Information School and co-author of "Internet Denial of Service: Attack and Defense Mechanisms." "Distributed Denial of Service is a more advanced form of DoS attack where an attacker first takes control of a large number of Internet accessible systems (for example, home computers on DSL or broadband lines) and uses them all in concert to increase the effectiveness of the DoS attack."
The bad news is that such attacks are on the rise. The average number of DoS attacks detected every day increased by 51 percent between the first half of 2005 and the last half, according to Symantec, the global security software maker, which has been tracking the various types of computer attacks for years. The swift rise in the number of attacks "may indicate that an entrenched and well-organized community of attackers is beginning to utilize their resources to carry out more coordinated attacks," says Symantec's Internet Security Threat Report.
DDoS attacks remain difficult for network security administrators to thwart because of their simplicity and ubiquity. If you've ever tried to surf to CNN.com during an important breaking news story, you understand how too much network traffic can simply make a site unusable. In the worst case, the demand on the target becomes so great that machine crashes, or allows malicious code to stream through buffer overloads. At that point, you've been hacked.
"Years ago, these attacks were done mostly for fun and bragging rights within a small community of mostly teenagers trying to prove how skilled they were," explains Dittrich. A 15-year-old Montreal boy calling himself Mafiaboy brought DDoS into the common lexicon of security threats in 2000 when he used DDoS techniques to temporarily cripple sites including Yahoo, Amazon, and eBay. Unfortunately, DDoS has evolved from a teenage prank or revenge by one computer nerd against another into something more malevolent.
Today, a much larger percentage of attacks are done by organized criminals in order to seek financial gains. Here are some of the techniques they use:
- Delivery of spam e-mail
- Extortion (an electronic version of the old protection racket)
- Stealing competitive information
- Stealing sensitive information such as login credentials, credit card and CVV2 numbers (the three digit number on the back of your credit card)
- Or defrauding ad referral services that pay someone for directing Web readers to click on an ad link.
Preventing and dealing with DDoS remains a tricky business. A comprehensive list of how businesses can prevent a DoS attack is on the website of CERT, the federally funded Internet security research and development center at Carnegie Mellon University. Dittrich advises administrators that the most important preparation remains the basics of securing and hardening servers, ensuring level of service agreements with upstream network providers and regularly scanning client machines so that they don't become a part of a DDoS attack bot army.
Be aware that sometimes DoS attacks are not what they seem. "On more than one occasion, I have been contacted by sites who believe they are under a DDoS attack, swear they know who is responsible (a disgruntled ex-employee) and want my help in tracking down the person responsible," Dittrich says. But after working with these companies he sometimes finds that "the problem was really a bug in their browser application that was causing excessive connections to their Web server by legitimate users."