Distributed denial of service (DDoS) attacks—in which a Web site is bombarded with such a volume of traffic that legitimate users can’t access it—are on the rise. The frequency, size, and scale of DDoS attacks have been consistently increasing. A quarterly threat report by Prolexic, a DDoS mitigation service provider, showed that in the first part of 2013, the average attack strength skyrocketed from 5.9 Gbps (gigabits per second, which is the measurement of the speed of the number of pings or traffic hitting the site) to 48.25 Gbps. In the most recent Prolexic quarterly report, that number rose again to 49.24 Gbps, suggesting the larger attacks may be here to stay. And some attacks have gone well above those average numbers. In March, one of the largest DDoS attacks ever seen on the Internet at 300 Gbps was launched against Spamhaus, an anti-spam service.
A 2013 Global Security Report by Trustwave showed DDoS activity was up 9 percent from 2011 to 2012. The Trustwave report found that these attacks most often target Web domains related to government, finance, hosting providers, media, and politics.
Stephen Cobb, who works at Web security solutions provider ESET, explains how a DDoS works. First, a basic denial of service type of attack “takes advantage of a protocol in which you say ‘hello’ to the server, and the server says, ‘hello, what’s your name?’ and you don’t reply,” says Cobb. “So the servers are waiting and waiting, and [if the same computer submits that request over and over, it floods the server until] it just can’t perform.”
He says DDoS is the distributed form of this attack; it is simply a multiplication of that effort. “All that means is it’s not just one machine carrying out the attack, it’s a number of machines,” he says. “And so somebody has coordinated multiple machines which have denial of service software on there to carry out the attack.”
Typically, these are so-called zombie machines, or botnets, that have been commandeered without the owners’ knowledge. Cobb says the latest development in DDoS is the use of Web servers as botnets, rather than individual computers. “The classic botnet is laptops and desktops on which a bad guy has his code,” he says. That code then “calls home” to command and control. “The command and control machine is in the hands of the bad guy, and he can orchestrate this army of machines remotely,” Cobb explains. “The same thing is now done with Web servers,” he says. “The bad guy gets his code onto the Web server, and then can orchestrate multiple Web servers to carry out the attack.”