DDoS attacks are in the news again, so we thought this would be a good time to put together an explainer as to what exactly they are and how they can affect your website or your business.
A DDoS attack is a ‘Distributed Denial of Service’ attack. It happens when many computers, spread across the internet and acting together, overload the connection or the processing capacity of a target network, server, or even a single website, so that legitimate users are locked out and servers that can’t cope with the load fall over. The ‘distributed’ part is what makes it hard to deal with: there is no single source you can simply block.
Why would this happen? There are several reasons.
- A hostile government may attack another government’s systems.
- You may be a big business, and simply being big makes you a target.
- People who hate you and want to damage you.
- People who want to extort a ransom from you.
The latter appears to be the most common reason these days.
A ransom DDoS (RDDoS) attack is different from a ‘ransomware’ attack, which has also been in the news recently. Ransomware encrypts your data and demands payment for the key; a ransom DDoS attack threatens to flood you off the internet unless you pay, either before the attack starts or to make a running one stop. Basically, they want you to pay them money to go away and leave you alone.
It’s a tactic as old as organised crime itself: pay us for ‘protection’ and we’ll leave you alone. The problem is that when you pay once, you mark yourself as someone who pays, and you embolden the same group and others to try again. Paying a DDoS ransom should not be a cost of doing business.
For example, in a recent DDoS attack in the news, the attackers demanded 1 Bitcoin (worth about €30,000 at the time) in return for not launching the attack. Unfortunately, the advent of Bitcoin and other cryptocurrencies has contributed to the rise in extortion attacks like this, because it makes it easier for criminals to collect the money without identifying themselves and to launder it afterwards.
So, how is an attack done? The attackers will have gained control of a network of thousands, sometimes hundreds of thousands, of computers (a ‘botnet’), illegitimately, through phishing, malware, or other means. While most web hosts and ISPs have policies that ban this kind of activity, they usually don’t know a machine on their network has been compromised until it starts attacking someone, so action against a DDoS attack is largely reactive.
The attackers use automated software to direct these computers to flood your network with bogus, pointless traffic that fills the whole ‘pipe’, that is, your bandwidth, so legitimate traffic can’t get in or out. Not every attack needs raw bandwidth, either: a flood of half-open connections or of deliberately expensive web requests can exhaust a server’s connection table or CPU with far less traffic. Either way, your infrastructure (websites, intranet, network) becomes overloaded and cannot function.
This is where the ‘good guys’ come in. There are things that ISPs, datacentres, and web hosts can do to mitigate a DDoS attack. And let’s be clear here: there isn’t much they can do to PREVENT one, because it’s very hard to block traffic before you know it is illegitimate. There is not much an end user on shared hosting can do about it directly; mitigation happens in the provider’s network, which is almost completely out of the customer’s control.
DDoS Mitigation has four steps to it:
- Detection – This is where incoming traffic is examined to see whether it’s legitimate. Sometimes there’s a good reason for a traffic spike (a product launch, a mention in the news), but if the spike comes from a small number of sources, uses unusual protocols, or hits the same URL over and over, that’s a good indication an attack is underway.
- Response – At the network level, this is where the malicious traffic is dropped and the remaining traffic is absorbed. If a network is large enough, it can route the traffic elsewhere.
- Routing – Effective DDoS mitigation spreads the remaining traffic across the network in manageable chunks, so that no single link or server has to take the whole load.
- Adaptation – After the attack is over, a good network provider studies what happened and looks for patterns: the IP blocks, countries or protocols that were used, which can then be blocked or rate-limited ahead of the next attempt.
DDoS mitigation is not something that is ‘one and done’ – it’s something network admins have to do and monitor constantly.
Attacks cannot go on forever, simply because it’s expensive to keep them going. Even with access to a botnet there is still a cost, especially in bandwidth, and more often than not, once the attackers realise you’re not going to pay up, they lose interest and move on.
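To make the detection and adaptation steps above concrete, here is an added example (not Blacknight’s tooling or any vendor’s product) that runs over a constructed batch of web-server access-log lines: it establishes a baseline request rate, flags seconds that spike well above it, uses the number of distinct source addresses to tell a small botnet apart from a genuine flash crowd, and then aggregates the attacking sources into /24 blocks for a blocklist. The log format, the thresholds (10× baseline, a 0.5 distinct-source ratio, a 5% share) and all of the addresses are assumptions chosen for illustration.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

# Apache/nginx "combined" access-log format; only the fields used here are captured.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Return {'ip', 'ts'} for one log line, or None if it doesn't parse."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts}


def per_second(records):
    """Group parsed records into one bucket per wall-clock second, in time order."""
    buckets = defaultdict(list)
    for r in records:
        buckets[r["ts"].replace(microsecond=0)].append(r)
    return dict(sorted(buckets.items()))


def detect(records, baseline_seconds=5, spike_factor=10, crowd_ratio=0.5):
    """Detection step.

    The first `baseline_seconds` buckets give the normal rate (median req/s).
    Any later second above spike_factor * baseline is a spike. The spike is
    then judged by distinct sources / requests: a flash crowd is spread over
    many addresses (ratio near 1), a modest botnet hammers from few (near 0).
    The cut-offs are illustrative assumptions, not tuned values.
    """
    buckets = per_second(records)
    counts = [len(v) for v in buckets.values()]
    baseline = max(1, median(counts[:baseline_seconds])) if counts else 1
    threshold = spike_factor * baseline
    findings = []
    for second, recs in list(buckets.items())[baseline_seconds:]:
        n = len(recs)
        if n <= threshold:
            continue
        distinct = len({r["ip"] for r in recs})
        findings.append({
            "second": second,
            "requests": n,
            "distinct_sources": distinct,
            "verdict": "attack" if distinct / n < crowd_ratio else "possible flash crowd",
        })
    return findings


def blocklist(records, findings, min_share=0.05, prefix=24):
    """Adaptation step: aggregate the sources seen in seconds judged to be an
    attack into /prefix blocks and return those carrying at least min_share of
    that traffic, busiest first. Flash-crowd seconds are deliberately excluded."""
    attack_seconds = {f["second"] for f in findings if f["verdict"] == "attack"}
    nets = Counter()
    for r in records:
        if r["ts"].replace(microsecond=0) in attack_seconds:
            nets[str(ipaddress.ip_network(f"{r['ip']}/{prefix}", strict=False))] += 1
    total = sum(nets.values()) or 1
    return [net for net, c in nets.most_common() if c / total >= min_share]


def constructed_log():
    """Constructed sample (made up for this example): 5 s of normal traffic at
    4 req/s from distinct addresses, then 3 s of a 200 req/s flood from 20
    bots split across two /24s."""
    t0 = datetime(2021, 8, 24, 12, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET / HTTP/1.1" 200 512'

    def stamp(s):
        return (t0 + timedelta(seconds=s)).strftime("%d/%b/%Y:%H:%M:%S %z")

    bots = [f"192.0.2.{i}" for i in range(10, 20)] + [f"203.0.113.{i}" for i in range(10, 20)]
    lines = []
    for s in range(5):
        lines += [fmt.format(ip=f"198.51.{100 + s}.{i + 1}", ts=stamp(s)) for i in range(4)]
    for s in range(5, 8):
        lines += [fmt.format(ip=bots[i % len(bots)], ts=stamp(s)) for i in range(200)]
    return lines


def analyse(lines):
    """Parse, detect, adapt: returns (findings, blocklist)."""
    records = [r for r in map(parse_line, lines) if r]
    findings = detect(records)
    return findings, blocklist(records, findings)


if __name__ == "__main__":
    findings, blocks = analyse(constructed_log())
    for f in findings:
        print(f"{f['second'].isoformat()}  {f['requests']} req/s from "
              f"{f['distinct_sources']} sources -> {f['verdict']}")
    print("block:", blocks)
```

Run as a script it reports the three flooded seconds as an attack and proposes blocking 192.0.2.0/24 and 203.0.113.0/24. The distinct-source ratio is deliberately crude: a large enough botnet spreads its requests over so many addresses that it looks like a crowd, which is why real mitigation also weighs protocol mix, request patterns and upstream flow data rather than a single server’s log.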
If you’re a Blacknight customer and you suspect you’re under a DDoS attack, please contact us immediately.