How DDoS Attacks Threaten the Internet
Distributed denial-of-service (DDoS) attacks have made lots of headlines in the past year.
They're the preferred method of attack used by hacktivist groups such as Anonymous. Since September, major American banks have become victims of multiple, repeated DDoS attacks.
In March, a widely publicized attack against an anti-spam organization known as The Spamhaus Project caused Internet disruptions in parts of Europe and was billed by media organizations as "the biggest cyberattack in history."
Yet DDoS attacks are really just network traffic jams that temporarily block access to targeted websites. They rarely cause permanent damage. For this reason, they can be seen more as annoyances than as threats.
Now some experts are warning that as the techniques behind DDoS attacks grow more sophisticated, and the attacks themselves increase in size and scope, the formerly mostly harmless attacks could end up damaging the underlying structure of the Internet itself.
Clogging the series of tubes
In a DDoS attack, the attacker sends enormous amounts of network traffic to an online service, such as a website, in hopes of overwhelming the service's servers to the point where legitimate users can no longer access it. Such attacks can cost targeted companies lost business, as well as the expense of fending off the attacks.
"A DDoS attack is distinctly different from a normal DoS, or denial-of-service attack, in that it comes from many different distributed sources at once," said Corey Nachreiner, director of security strategy for Seattle-based network-security provider WatchGuard.
"Legacy DoS attacks only come from one attacker, and are therefore easier to block. However, a DDoS attack comes from many computers on the Internet at once — often from many different geographic locations," Nachreiner explained.
"By using many different distributed computers for their attack, an attacker can generate much more traffic than normal, and also make it harder for the victim to tell the difference between legitimate connections and these malicious ones."
Pump up the volume
The Spamhaus DDoS attack stood out because the attackers were able to sustain an attack volume of 300 gigabits per second (Gbps), which would overwhelm almost any Web server and which Nachreiner said was a significant milestone.
To accomplish this, Nachreiner explained, attackers leveraged weaknesses and misconfigurations in the Internet's Domain Name System (DNS) servers.
The DNS is kind of like the Internet's phone book — it translates domain names like "Google.com" to Internet Protocol numbers that computers use.
The Spamhaus attackers took advantage of specially configured DNS servers called "open resolvers," which take lookup requests from any IP address as a matter of public courtesy. (Most DNS servers only reply to lookup requests from specific IP address blocks.)
DNS servers can send a lot more network traffic than the average device on the Internet, and the presence of open resolvers allowed the Spamhaus attackers to greatly amplify their attacks.
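As an added example (not from the article, WatchGuard or Solutionary), the Python script below shows what a resolver operator can look for in BIND-style query logs to tell whether the server is answering the whole Internet as an open resolver and whether it is being used to reflect large answers at a spoofed address. The log lines, IP addresses and the allowed network are constructed sample data.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed BIND-style query-log lines (sample data, not captured traffic).
# "+E" = recursion desired with EDNS; ANY queries return the largest answers.
SAMPLE_LOG = """\
01-Apr-2013 10:00:01.001 client 203.0.113.5#53: query: example.net IN ANY +E (192.0.2.10)
01-Apr-2013 10:00:01.002 client 203.0.113.5#53: query: example.net IN ANY +E (192.0.2.10)
01-Apr-2013 10:00:01.003 client 203.0.113.5#53: query: example.net IN ANY +E (192.0.2.10)
01-Apr-2013 10:00:01.004 client 203.0.113.5#53: query: example.net IN ANY +E (192.0.2.10)
01-Apr-2013 10:00:02.100 client 198.51.100.7#41223: query: www.example.org IN A + (192.0.2.10)
01-Apr-2013 10:00:03.200 client 198.51.100.9#50012: query: mail.example.org IN MX + (192.0.2.10)
"""

LINE_RE = re.compile(r"client (?P<ip>[\d.]+)#(?P<port>\d+): query: "
                     r"(?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)")

def parse_log(text):
    """Return one dict per query-log line that matches the BIND format."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["port"] = int(rec["port"])
            records.append(rec)
    return records

def open_resolver_clients(records, allowed_nets):
    """Recursive (flag '+') queries from outside the networks this resolver is
    meant to serve show it is answering the whole Internet: an open resolver."""
    allowed = [ipaddress.ip_network(n) for n in allowed_nets]
    outside = set()
    for r in records:
        if r["flags"].startswith("+") and not any(
                ipaddress.ip_address(r["ip"]) in net for net in allowed):
            outside.add(r["ip"])
    return sorted(outside)

def amplification_suspects(records, threshold=3):
    """Flag repeated EDNS ANY queries for one name from one 'client' address:
    in reflection that address is the spoofed victim receiving the big answers,
    and a fixed source port such as 53 is a further sign the sender is not a
    real resolver."""
    counts = defaultdict(int)
    for r in records:
        if r["qtype"] == "ANY" and "E" in r["flags"]:
            counts[(r["ip"], r["qname"], r["port"])] += 1
    return [{"victim": ip, "qname": qname, "src_port": port, "queries": n}
            for (ip, qname, port), n in counts.items() if n >= threshold]
```

The fix on the server side is the one the article points to: restrict recursion to the networks the resolver is meant to serve and rate-limit responses, so the server stops being usable as an amplifier.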
If unchecked, DDoS attacks will become more devastating as the Internet continues to grow, said Ramece Cave and Jeremy Scott, research analysts with the Solutionary Security Engineering Research Team (SERT) in Omaha, Neb.
Anatomy of an Internet collapse
Routing equipment, even at the highest levels, has only a finite number of resources available. If those resources are over-utilized, the equipment can slow to a crawl or crash entirely.
Rebooting any router will usually clear its memory, bringing things back to normal.
Problems can occur, Cave and Scott explained, when high-level routers need to re-establish routing maps, adjacencies, policies and/or peering agreements with other entities and with their own client routers.
This process can take several minutes, effectively creating a bottleneck at a specific network location and sometimes generating a ripple effect that cascades through the network.
Services in the affected part of the network will slow or stop until the connections are re-established.
If this phenomenon happens at multiple locations across the networks of very large autonomous systems, such as those belonging to AT&T or France Telecom, the Internet may seem to grind to a halt while things sort themselves out.
What's it to me?
Information theft is not the typical motive during a DDoS attack, and a DDoS attack itself does not result in any sort of network breach or compromise. Instead, the attacker's goal is to clog up Web resources.
For the average consumer, a DDoS attack shows itself as an inconvenience — the site he wants to visit is temporarily unavailable.
So why should anyone, outside of an IT department, need to worry about DDoS attacks? Because almost anyone can run a website, Scott and Cave explain, and common mistakes made while running websites can aid attackers.
"More and more people and organizations are adopting an online presence, exponentially increasing the number of misconfigured or unsecure servers available online," Scott said.
"Often, they mean no harm in their actions and merely want to learn or embrace the full functionality, benefit and usefulness the Internet provides," he said. "Many attackers prey on the ignorance of not knowing and use it to their full advantage.
"Many of those newly configured hosts, whether it's a personal or company website or a Linux virtual private server with a default install, can be unknowing contributors in DDoS and botnet attacks."
"Some may think they are not affected because they do not run any services, or have machines online," Cave added. "The attackers are aware of this, too, and more and more unprotected home computers running … OS X, Windows or Linux are being targeted for recruitment into DDoS, botnets and other tactical initiatives."
Do your homework
The average computer user should be aware of the increase in DDoS attacks and have contingency plans for business conducted online.
For example, if the user does his or her banking online, a backup plan is recommended in the event a DDoS prevents the user from accessing the bank website for a prolonged period of time.
Consumers can encourage providers to pursue stronger DDoS solutions. As they shop around for Internet services, such as choosing an ISP, picking a Web hosting company or choosing some kind of cloud service, they should ask each provider what kind of protection it provides against DDoS attacks.
"If our network and telecommunication industry doesn't do something to restrict access to these open DNS resolvers, and to make it harder for attackers to spoof traffic (generate traffic that appears to be from their victim), I would expect DDoS attacks to continue to grow," Nachreiner said.
"DNS is a critical service for the Internet, as you cannot reach any website if your computer can't use DNS (the phone book) to learn the real address of the site," he added. "DDoS attacks that leverage DNS amplification generate so much traffic that they affect networks beyond just the victim."