By Barclay Neira, Microsoft
We realize that at this point even people not working in IT have heard of DDoS. Video and music streaming services, online games and any number of websites have all at one point been targets of a DDoS attack, but even given that familiarity they are worth discussing here.
Before we talk about DDoS let's briefly discuss what botnets are. These days it seems impossible to talk about one without the other. A botnet is a collection of internet-connected systems under the control of someone other than their owners, who uses them without the owners' knowledge. The botnet operator uses it to perform any number of actions of their choosing.
In a lot of cases they use them for spamming, storage of data or DDoS. In the past botnets were made up only of compromised computers, but now botnets also include poorly secured security cameras, DVRs, thermostats, and potentially any other internet-connected device that malicious users are able to bring under their control.
To help visualize how a botnet helps with a DDoS attack, take a look at the image below. The malicious actor places instructions on a separate command system; the compromised systems periodically contact that system for instructions, and in our case the botnet then performs a DDoS attack against a site. There is another command distribution approach that relies on peer-to-peer communication between botnet members, so that no single command computer has to stay reachable.
The figure shows the following elements:
- Malicious actor
- Command computer
- Regular user
- Compromised systems that are part of a botnet (as we mentioned, they are not limited to computers)
- DDoS target website (yourwebsite.contoso.com)
So what is DDoS? DDoS is a collection of attack types aimed at disrupting the availability of a target. These attacks involve a coordinated effort that uses multiple internet-connected systems to launch many network requests against DNS, web services, e-mail, and other services. Pretty much any application that is accessible to the attacker can be the target of a DDoS attack. The attacker's goal is to overwhelm system resources (bandwidth, connection state, CPU, memory) on the targeted servers so that they can no longer process legitimate traffic, effectively making the system inaccessible.
DDoS generally involves many systems sending traffic to targets as part of a botnet. In most cases the owners of systems in a botnet don't know that their devices are compromised and participating in an attack. Botnets are becoming a bigger problem than before due to the increasing number of connected devices.
There are many reasons why DDoS is so popular among attackers. Some of these include:
- There are many DoS and DDoS tools freely available for download. The level of sophistication required for a malicious individual to DDoS a target is not high. More sophisticated attackers can do things that are not possible for someone who just downloads tools from the internet, but it is the same type of attack, just taken to another level.
- There is an increasing number of connected devices that are poorly managed, and tool kits have been released that allow attackers to take them over and make them part of their botnets.
- Using botnets to perform attacks lowers the adversary's cost for performing a DDoS attack. In addition to lower costs, using botnets makes it more challenging to identify the individuals behind the attack.
- The fact that attackers can hide behind botnets has emboldened some individuals to the point where they offer DDoS services (DDoS as a Service). This allows potential attackers to not even bother trying to build botnets, download tools, or try to learn anything about how to execute an attack. Instead, they pay some bitcoin and a specialist will DDoS their target.
- The distributed nature of DDoS means that the attacking systems could be anywhere. Not only does this make it challenging to tell what is legitimate traffic and what is DDoS traffic, but it also makes DDoS more popular with attackers because they are harder to identify. If they cannot be identified, then their actions may have no consequences.
- Once triggered, the attack requires little involvement on the part of the attacker. Given the relatively low effort and costs involved in performing this type of attack, it is not a problem for the attacker to make it continue until their goals are achieved or they choose to stop.
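The point above about telling legitimate traffic from DDoS traffic is easiest to see on a log. The block below is an added example, not code from the original article: it builds a constructed access log (the IP ranges, timestamps and request counts are made up) and runs two naive detectors over it. A per-source rate threshold catches a single flooding host but not 150 bots sending three requests each, while an aggregate volume check sees the distributed flood but cannot say which individual requests are the attack. The 10 s window, the threshold of 20 requests per source and the "3x baseline" multiplier are illustrative assumptions.

```python
"""Added example (not from the original article): two simple volumetric
detectors run over a constructed web-server access log.

Everything here is illustrative: the IP ranges, timestamps, thresholds and
the 10 s window are assumptions chosen to make the contrast visible.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Combined-log-format line, e.g.
# 203.0.113.99 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
T0 = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)  # constructed start time


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def _line(ip, seconds, path="/"):
    """Render one constructed log line `seconds` after T0."""
    ts = T0 + timedelta(seconds=seconds)
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512'


def build_sample_log():
    """Constructed 30 s of traffic (not real data):
    - seconds 0-29: 20 legitimate users (198.51.100.0/24), one request every 5 s
    - seconds 10-19: one host (203.0.113.99) sends 5 requests per second
    - seconds 20-29: 150 bots (192.0.2.0/24) send 3 requests each, spread out
    """
    lines = []
    for i in range(20):
        for s in range(i % 5, 30, 5):
            lines.append(_line(f"198.51.100.{i + 1}", s))
    for s in range(10, 20):
        lines.extend(_line("203.0.113.99", s) for _ in range(5))
    for i in range(150):
        for s in (20, 23, 26):
            lines.append(_line(f"192.0.2.{i + 1}", s, path=f"/search?q={i}"))
    return lines


def per_source_counts(records, window_seconds):
    """Requests per source IP inside fixed windows: {window_index: Counter}."""
    start = min(r["ts"] for r in records)
    counts = defaultdict(Counter)
    for r in records:
        idx = int((r["ts"] - start).total_seconds()) // window_seconds
        counts[idx][r["ip"]] += 1
    return counts


def flag_noisy_sources(records, window_seconds, per_ip_threshold):
    """Per-source detector: IPs that exceed the threshold in any window.
    Catches a single flooding host; blind to many low-rate bots."""
    flagged = set()
    for counter in per_source_counts(records, window_seconds).values():
        flagged.update(ip for ip, n in counter.items() if n > per_ip_threshold)
    return flagged


def requests_per_window(records, window_seconds):
    """Total requests per fixed window, regardless of source."""
    return {idx: sum(c.values())
            for idx, c in per_source_counts(records, window_seconds).items()}


def flag_volume_anomaly(records, window_seconds, baseline_window, multiplier):
    """Aggregate detector: windows whose total exceeds multiplier x the total
    of a window assumed to hold normal traffic. Sees the distributed flood,
    but cannot say which requests inside it are legitimate."""
    totals = requests_per_window(records, window_seconds)
    limit = multiplier * totals[baseline_window]
    return sorted(idx for idx, n in totals.items() if n > limit)


if __name__ == "__main__":
    recs = [parse_line(line) for line in build_sample_log()]
    print("per-IP threshold flags:", flag_noisy_sources(recs, 10, 20))
    print("requests per 10 s window:", requests_per_window(recs, 10))
    print("windows > 3x baseline:", flag_volume_anomaly(recs, 10, 0, 3))
```

On this constructed log the per-source check flags only 203.0.113.99; the 150 bots never exceed 3 requests apiece and look like ordinary users, even though together they multiply the site's load more than tenfold in the last window. That gap is exactly why distributed attacks are harder to filter than a single noisy host, and why real mitigation relies on upstream capacity and scrubbing rather than on per-IP blocking alone.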
If it is connected to the internet it is a potential DDoS target. How you design your solutions, how much you are willing to spend in preparation, and your willingness to take advantage of cloud capabilities (like dynamically scaling up or out) may make all the difference between staying online and having your applications or websites offline until the attackers get bored or you get the problem sorted out in collaboration with your ISP and cloud service provider. Keep in mind that in the end even some of the largest players get knocked off the internet.
If attackers target infrastructure services like DNS and succeed, your site may be online but a large number of users may not be able to reach it. In the end, if users can't reach you, the impact on them is the same regardless of the reason. The DDoS issue is unfortunately not something that we can quickly solve. Maybe one day a combination of global collaboration, changes to laws and technical changes will make DDoS a thing of the past. Until then we can just hang tight and enjoy the ride. It will be a bumpy one.