DDoS stands for Distributed Denial of Service, and it’s usually used to mean that a website is pushed to its capacity limit and forcibly closed. It’s entirely possible to do this accidentally, and spikes in a website’s popularity can actually be more of a problem than a success!
What causes it?
The internet has been described as a series of tubes, a network of roads, and a whole host of other metaphors. At its most basic interpretation, a DDoS attack is like causing a traffic jam, or a clogged pipe, by sending or asking for so much data that the road lights stop working, or the valves have to shut. The server holding the website gets so many false requests for data that it can’t sort the legitimate ones from the weaponized ones, and everything slows to a crawl while it tries to catch up.
Different websites have different thresholds to reach before this becomes a problem, however, and this changes the way the attack is carried out. The resources needed to DDoS a site change depending on where the website’s infrastructure is weakest.
Websites allocate time, money, and resources differently depending on what they need. A website with a lot of far-flung servers may invest heavily in load balancing and firewalls, so someone attempting to DDoS them is going to have a heck of a time actually getting through that way. A video hosting website that’s recently switched to 4K is going to invest in more server space, so a SYN flood may be unsuccessful.
And then there’s small websites who sit somewhere in the middle – they don’t host a lot of videos, and nothing’s really demanding of bandwidth except their content library. These are the most vulnerable to DDoSing.
DDoS-ability is entirely based on the website’s resources. It would be nearly impossible to successfully DDoS Google, for example. They have the capacity to withstand a sudden influx of several million computers, all trying to access their services. That’s just a Friday night for them! However, if a celebrity posts a link to a home-run recipe blog, that blog’s about to come under heavy strain they might not have expected.
Forum websites like Digg and Reddit have a term for accidentally DDoSing a small website: the “Hug of Death”. So many users are directed from a cool post on the front page to the website that it crashes and loses service. This is DDoSing, even if it’s completely accidental. Sometimes popularity is the worst thing that can happen to a website! Repeat visits to a website tend to grow very slowly and are the result of a lot of hard work and careful ad placement. Insane success doesn’t happen overnight… until it does, and a DDoS event happens.
DDoSing a site used to be a pretty popular way to harass a website creator or organization. It’s simple, it’s cheap, it’s effective, and it doesn’t take much to successfully DDoS the tiny sites that content creators make to separate themselves from things like BlogSpot or Wix.
There are multiple roads to get to the desired goal of a crash! One method is simply coordinating other users via social media to repeatedly ding a website til it starts slowing, and then crashing. This is the easiest, fastest method, but it requires a pre-existing platform to rally bad actors. This also happens accidentally all the time! Someone will point to a cool website and then crash it when their followers hit it too hard all at once.
The second option is to create a botnet, a network of internet-accessible devices that can request access to a website. This sounds expensive, but the real secret is that the hacker’s using other people’s computers to carry out this kind of attack. They get their malicious software onto the machine by exploiting social engineering or poor network security, and then they send a command to the device to attempt to access the website they’re DDoSing.
People affected may notice their own computers slowing down because the command is taking up computing power! This method requires more programming knowledge than the other method, but it delivers a lot of power anonymously. However, identifying it as an actual DDoS attack and not a spike in popularity is easier. The visits come in unnatural waves that the website host will pick up on! Many hosting services offer analytics as an option to help website builders sell ads. Using it for DDoS data gathering is a natural extension!
However, assuming it’s done right, this kind of attack is the most difficult to ward off. This method includes things like ‘http floods’, which is what it sounds like – the http, or the hypertext transfer protocol, is flooded with requests to connect. SYN floods also fall into this category, but instead of the http, it’s the initial request for the website. Again, the website can’t tell who’s legit. The website can reroute traffic to a stopgap page or a black hole page (where the traffic is just told ‘there’s nothing here!’) to stop it, but it still gives the DDoSer the desired result – service is denied.
DDoSing can attack the upstream and downstream of the site, too. One example is a DNS amplification attack, where the malicious user makes simple requests that take a lot of data to complete. The website can handle it, but the upstreams supplying the info requested might be forced to cut service to protect themselves. Protocol attacks aim to over-burden the firewall and load balancers of the site by repeatedly dinging them until they’re too busy and shut down. Both of these are easier to handle than http floods, but they’re still used today against unprepared and poorly written websites.
Botnets don’t have to be made entirely of high-powered user devices, like laptops or desktops. Internet of Things items can be used in a DDoS attack too! IoTs are usually poorly protected and have juuust enough power to request data from a website. They make perfect botnet fodder. Plus, it’s much harder to tell that a fridge has been hacked, so it tends to fly under the radar.
How to Stop it?
The best way for you to avoid being sucked into a botnet is the same security advice used against viruses. IoT items are computers too, and they should be treated with the same fear of viruses as PCs do! Don’t download sketchy things off sketchy sites, don’t click malicious attachments, etc. And for those IoT devices, change the default password! Use a password with your router that isn’t the factory default! This should keep your devices from being used in botnets without your knowledge.
As far as preventing an attack on your site, the answer is much more difficult.
Some websites defend against this by using something to check the request before actually allowing the request in. As mentioned above, AI will pick up on unnatural waves. Having a program in place to shut out the peaks of those waves can help. Real users will refresh the page and wait to be allowed in – bots may not. Some older websites use a form of this by routing new visitors to a ‘check’ page before allowing them access to the site; this confuses botnets, which may be expecting instant entry.
Also, be sure that firewalls and other web protections are up-to-date and running as they should be. This will keep out DDoS attacks relying on bugs and bad-faith data requests from being able to successfully deny service.