Moderated by Bruce Preston and reported by Jim Scheef
Ask DACS is a Question and Answer session before the main presentation at the monthly General Meeting. We solicit questions from the floor and then answers from other audience members. This month I was away on vacation. Bruce moderated but is unable to write up the discussion.
Q – The social networking site, Meetup.com, has been sporadically unavailable over the last few days. They announced that this was caused by a distributed denial of service attack (DDoS). What is a DDoS?
A – A denial of service attack is any attempt to prevent a facility or service from performing its intended function. The original denial of service attack is the siege, which evolved in more civilized times into the picket line: people outside a store or factory gate with signs asking that others not use the service provided by the store or factory. Another type of DoS is the "sit-in", where people occupy a building or (during the civil rights struggle in the South) occupy the seats of a lunch counter. Typically, on the Internet a DoS takes the form of flooding a server with so many requests that legitimate users are denied access to the server. DoS attacks may also use malformed requests in an effort to crash the server.
A distributed attack is one where the malicious requests are sent from many computers. Such attacks may involve thousands of computers that have been "hacked" one way or another to install malware that allows the computer to be controlled remotely. When such legions of computers are controlled from a single server, they are called a "botnet". A DDoS attack in recent news was when the "hacker" group, Anonymous, attacked banks that refused to process donations to the WikiLeaks organization. Currently, attacks are reported against the government of Ukraine.
The Internet is not the only place where DoS attacks are possible. Several years ago a security researcher (white hat hacker) demonstrated that it is possible to deny service on cellular networks by flooding the signaling channel with a high volume of text or other signaling messages. The signaling channel is used to make and receive calls so if it is overly busy, your phone cannot originate or receive a call. The Wikipedia article is wikipedia.org/wiki/Ddos#Distributed_attack.
Q – What can an organization do to prevent or stop a DDoS?
A – The short answer for a typical individual or business using the Internet is "nothing". Really large Internet sites often simply ignore the attack and hope the attackers get tired soon. The result of an attack against organizations like Google or Microsoft is slightly longer response times for webpages. These organizations have such massive bandwidth, and their services are distributed across so many servers in many physical locations, that they can simply absorb the extra packets. Organizations that are not in the Internet business have a much harder time defending against a DDoS. If they have a single location with only a moderate-speed Internet connection, the attack may, indeed, knock them off the Internet, as happened to Meetup.com for short periods of time. Hosted DNS providers like Dyn and OpenDNS claim to be able to mitigate attacks. Longer term, Microsoft and various law-enforcement agencies have programs aimed at locating and taking down botnet control sites. These programs have been successful at reducing spam. It's impossible to tell what the effect has been on DDoS attacks.
Questions for the upcoming meeting can be emailed to email@example.com.
Disclaimer: Ask DACS questions come from members by email or from the audience attending the general meeting. Answers are suggestions offered by meeting attendees and represent a consensus of those responding. DACS offers no warranty as to the correctness of the answers and anyone following these suggestions or answers does so at their own risk. In other words, we could be totally wrong!