What is a Distributed Denial of Service attack (DDoS)? It is when someone tries to shut down a machine or a network by using lots of requests at the same time from lots of different sources.
A DDoS is a Denial of Service attack that comes from multiple sources. So, let’s look at a Denial of Service (DoS) attack first. There are several different types of DoS attacks but the most common one is where the service gets overwhelmed with requests. A DoS can be initiated against any device on any network, but recently, they are mostly aimed at websites. Without protection, a DoS attack can shut down a website.
In a DoS on a website, the person or group of people initiating it send out a huge number of requests to that website’s server. For example, if you wanted to commit a DoS against my homepage www.ilearnedthistoday.com, you would try to send more requests to it than it can deal with. When you want to view my homepage, you open up your Internet browser and type in my address. The computer doesn’t use this web address to find my homepage, it converts the address into numbers, called the IP (Internet Protocol) address. So, the IP address of www.ilearnedthistoday.com is 192.185.225.143. We use words because we can’t remember long strings of numbers as easily. Your computer sends a request to the server that my homepage is stored on and connects to a port. My server completes a handshake with your computer, called the Transmission Control Protocol (TCP), where both devices agree what will be transmitted and how. My server then sends the data that is my homepage to your computer, using your IP address to find you. Your browser displays the homepage.
The most common DoS attack works by requesting the server but not completing the handshake. When your computer is trying to access my homepage, it connects to one of the ports on the server to complete the handshake. Servers only have a limited number of ports. After the handshake is completed, the port can be reused. In a DoS attack, the handshake is not completed, which means the port is stuck open and cannot be reused. There are only 65,535 ports on a server. The computer initiating the DoS keeps sending requests and not completing the handshake over and over until all of the ports are used up and the server cannot take any more traffic. At this point the website will be unusable. Large companies have multiple servers (Google has more than 1 million), which means they can withstand larger attacks, but smaller companies can be brought down.
So, what is a DDoS? It is the same as a DoS, but the requests come from more than one computer or IP address. A lot of servers have protection against DoS. They can detect unusual numbers of requests and if they are all coming from the same IP address, the server can block them before then can connect to a port. If the requests are coming from multiple places, it is harder to block the requests.
There are two ways of carrying out a DDoS attack. The first is by spoofing multiple IP addresses and the second is by using a network of computers. When a computer sends out a request, it contains the IP address in the request. There are tools available that make it possible to change the IP address. That means it is possible to send multiple requests to a website from one computer but make it look like they are coming from multiple computers. The problem with this, though, is that the server being attacked can see the location of where the requests are coming from. If there is a sudden jump in the number of requests from one particular country, it would be possible to block all requests from that country. It wouldn’t be fair to legitimate users, but it would save the server.
The second method gets around this by using a network of computers that are based in multiple locations. A lot of computers around the world are infected with malware. Experts think that as many as 30% of all computers are infected, and it could even be 50% in China. The malware can be installed in many ways, but clicking on a link in an email is probably the most common. The people who installed the malware can use it in many ways, but one way is to make the computer into a part of a botnet. Then all of the zombie computers in the botnet can be used to send out requests to the website under attack. That way, the attacks are coming from many IP addresses, and many locations, often in many different countries. It is much harder for the owner of the server to defend against it.
As computers get more powerful, botnets become more effective and the companies that own the servers have to up their game as well. In August of 2022, Google’s Cloud Armor (the protection they have on their cloud storage) was able to defeat a botnet DDoS attack that peaked with 46 million requests per second. Google analyzed the data afterwards and announced that the attack came from 5,256 sources spread over 132 countries. Google has the server capacity and the technical ability to be able to defeat this, but what will happen if the hackers use 50,000 bots? Or 500,000? And with the spread of the Internet of Things and the likelihood of driverless cars in the future, this is rather worrying. And this is what I learned today.
Sources
https://www.paloaltonetworks.com/cyberpedia/what-is-a-denial-of-service-attack-dos
https://www.cloudflare.com/learning/ddos/what-is-a-ddos-attack/
https://www.cisa.gov/uscert/ncas/tips/ST04-015
https://www.cloudflare.com/learning/ddos/glossary/denial-of-service/
https://en.wikipedia.org/wiki/Denial-of-service_attack
https://www.cloudflare.com/learning/network-layer/what-is-a-packet/
https://medium.com/@isaac_70614/how-does-a-computer-get-a-web-page-3f5b9458cf05
https://www.kaspersky.com/resource-center/threats/botnet-attacks
https://www.kaspersky.com/resource-center/threats/ip-spoofing