What is a Distributed Denial of Service (DDoS) Attack?
It has been a little while since we've had a headline‑making DDoS attack, and given the huge uptick of these attacks throughout the first quarter of last year, it seems like we might be overdue for some breaking news.
But what actually is a Distributed Denial of Service attack? How do they get carried out, and how do they bring down the servers of some of the biggest companies in the world? In this article, we will take a look at the core concepts behind this remarkably popular hacking technique, some of the ways to protect against it, and we'll finish up with a quick peek into some of the biggest DDoS attacks in history.
DDoS: When Traffic Attacks!
A Distributed Denial of Service attack is essentially a barrage of traffic coming from multiple coordinated locations. This overwhelming amount of traffic prevents users from accessing the service that's being targeted and can bring down the server (or servers) that the target is hosted on for varying lengths of time. You see something similar (albeit less malicious) if you have ever tried to buy Glastonbury tickets, or the latest PlayStation.
The "Distributed" part of DDoS is the key difference between it and a regular Denial of Service attack. With a regular, non‑distributed attack, the incoming spam traffic can be halted by blocking the source it's coming from (typically a single origin). When the attack is distributed, however, it comes from multiple sources all working together at the same time, which makes it much harder (or impossible) to block before your service is overwhelmed and taken offline.
But We're Talking About Thousands of Machines. How Do Hackers Get That Many?
Obviously, when you're looking to take down a huge web service like Wikipedia, GitHub or Amazon, the level of traffic required to overwhelm their servers means utilising literally hundreds of thousands of machines and sources. Hacking groups aren't buying all of these machines, setting them up and then running back and forth between each computer to start the attacks. Part of what makes these attacks so insidious is that they are often carried out from machines that have been infected by malware, entirely without their owners' knowledge.
This means that potentially thousands, or even hundreds of thousands, of servers, computers, laptops, and mobiles from around the globe are essentially sleeper cells, waiting for the switch to be flicked to start sending traffic as part of some as‑yet‑unknown DDoS. This might even include the machine you're reading this on right now. When these machines are coordinated and working as a group, they are called a botnet.
Why Would Somebody Do This?
There are all kinds of reasons that a person or a group would want to carry out a DDoS attack, whether personal, impersonal, ideological, or even militaristic. It's not always hacking groups trying to ransom web services to get paid in crypto; governments carry out DDoS attacks too. In fact, during the Hong Kong protests of mid‑2019, Telegram (a messaging app used by civilians, but also by the protestors to communicate and coordinate) was taken offline by a massive DDoS attack.
The team over at Telegram took to Twitter afterwards to explain what a DDoS attack is, and to claim that it was a "state actor‑sized" attack coming from mostly Chinese IP addresses. This wasn't even the first time that Telegram had dealt with a massive DDoS; the previous one was during a 2015 crackdown on human rights protests, again by the Chinese government.
It's not always governments though. It is often smaller groups acting for money, either because they have been paid to carry out the attack or because they are holding a service to ransom. A lot of DDoS attacks specifically target victims in the Financial Services industry.
There is a specific type of DDoS called a Yo‑Yo attack that focuses on services that employ autoscaling. Rather than aiming to take the service offline, these attacks send waves of traffic that cause the service to provision more resources, driving up the bill for the owner, before the DDoS pulls back and leaves the service draining the owner's bank account on the now over‑provisioned capacity. This happens over and over; it will cause some disruption to the application's users, but it is typically focused more on hurting the owner financially than on disabling the service.
Is It Possible to Defend Against These?
The reason DDoS attacks are so popular is that they are such a simple (and relatively easy) exploitation of how the internet works. In a lot of instances it is literally just traffic, but coordinated and pointed en masse to cause damage. This makes these attacks very hard to defend against, because it is easy to catch legitimate traffic in any traps you set for the botnet that's currently pointed at your servers.
There are solutions out there, though. With time to prepare, a company might have their IT team install hardware or software that can monitor traffic to their services and pick up on unusual behaviour or trends, such as a massive surge from locations that aren't usually high‑traffic areas, or requests that all look the same or have malformed or unusual headers. This botnet traffic can then be blocked entirely, or diverted to another server to be analysed further before being let through if it turns out to be legitimate.
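As an added illustration of the traffic monitoring described above (example code, not from the original article), the Python below runs three of those checks over a constructed log sample: a single source sending an unusual number of requests, one identical request arriving from many different sources, and requests with a missing User-Agent header. The log format, the thresholds and the IP addresses are all assumptions made for this example.

```python
import re
from collections import Counter, defaultdict
# Constructed sample log (not captured traffic): client_ip [unix_ts] "METHOD path" "User-Agent"
SAMPLE_LOG = """\
203.0.113.10 [1000] "GET /index.html" "Mozilla/5.0 (Windows NT 10.0)"
203.0.113.11 [1001] "GET /about" "Mozilla/5.0 (Macintosh; Intel Mac OS X)"
198.51.100.1 [1002] "GET /api/search?q=aaaa" "-"
198.51.100.2 [1002] "GET /api/search?q=aaaa" "-"
198.51.100.3 [1003] "GET /api/search?q=aaaa" "-"
198.51.100.4 [1003] "GET /api/search?q=aaaa" "-"
198.51.100.5 [1004] "GET /api/search?q=aaaa" "-"
203.0.113.12 [1004] "GET /blog/ddos" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.99 [1005] "GET /" "curl/8.0"
203.0.113.99 [1005] "GET /" "curl/8.0"
203.0.113.99 [1006] "GET /" "curl/8.0"
203.0.113.99 [1006] "GET /" "curl/8.0"
203.0.113.99 [1007] "GET /" "curl/8.0"
"""
LINE_RE = re.compile(r'^(\S+) \[(\d+)\] "(\S+) (\S+)" "([^"]*)"$')

def parse(log_text):
    """Turn log lines into (ip, ts, method, path, user_agent) tuples; lines that don't match are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, ts, method, path, ua = m.groups()
            records.append((ip, int(ts), method, path, ua))
    return records

def find_suspects(records, per_ip_limit=4, clone_sources=4):
    """Return {heuristic_name: sorted list of IPs} for three cheap signals of coordinated traffic."""
    suspects = defaultdict(set)
    # 1. Rate: a single source sending more than per_ip_limit requests in this slice of the log.
    for ip, n in Counter(r[0] for r in records).items():
        if n > per_ip_limit:
            suspects["rate"].add(ip)
    # 2. Clones: exactly the same request (method, path, UA) arriving from many distinct sources.
    sources_by_sig = defaultdict(set)
    for ip, _, method, path, ua in records:
        sources_by_sig[(method, path, ua)].add(ip)
    for ips in sources_by_sig.values():
        if len(ips) >= clone_sources:
            suspects["cloned_request"].update(ips)
    # 3. Headers: requests whose User-Agent is empty or the "-" placeholder a real browser never sends.
    for ip, _, _, _, ua in records:
        if ua in ("", "-"):
            suspects["no_user_agent"].add(ip)
    return {name: sorted(ips) for name, ips in suspects.items()}
```

Flagged addresses are candidates for closer inspection or diversion, as the article describes, rather than for an automatic block, since a shared proxy or a busy office can trip the rate check just as easily as a bot.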
Unfortunately, though, these attacks tend to get the better of their targets because they are very hard to defend against, and they are likely only getting more sophisticated and more difficult to detect and prevent.
2016: Mirai, Dyn and the Enormous Scale of DDoS
In October 2016, Dyn (a major DNS provider) was the target of a series of enormous DDoS attacks. Thankfully resolved within just a single day, this attack was nonetheless big enough to take a surprising number of big‑name websites offline in some regions, including Airbnb, Amazon, PayPal, and Reddit.
This attack was carried out via a botnet tens of millions strong, consisting not just of the devices you would typically think of when you think about machines connected to the internet (i.e. servers and computers), but also of devices that form the Internet of Things, like baby monitors and digital cameras.
This botnet was formed by Mirai, a virus that spreads through internet‑connected devices that are still using the default username and password that they were manufactured with (and I think we all know there are a lot of them). Once these machines are infected, they can be controlled by a single machine to target a specific victim.
Since the Dyn attack, DDoS attacks have become more and more sophisticated, each coming with its own increasingly edgy, very cool leetspeak moniker (like R. U. Dead Yet?) and with ever‑more overwhelming numbers of machines and requests; in mid‑2020, AWS reported an attack that hit their servers with 2.3 Tbps of traffic. That's an unbelievable amount of traffic.