DDoS stands for Distributed Denial of Service, and the risk of these attacks haunts website and application administrators. Knowing what the term means is different from having a grasp of the risk a DDoS attack poses, which is why in this post we outline exactly what DDoS attacks are and what you should do about them.
Forecasting an internet event
To understand DDoS attacks, it is important to understand how the Domain Name System (DNS) root nameserver process should work in the absence of disruption. DNS root nameservers can be thought of as the internet’s roadmap: they are responsible for the lookup requests that are constantly passed back and forth across the internet. For example, when a computer asks to connect to a website, a request is sent very quickly to that domain’s nameserver. The request asks which IP address corresponds to the domain name.
This is the first step towards granting access to a website’s content. A connection must first be made at the DNS level before proceeding. Once the nameserver connection has been granted, the DNS root nameserver returns a list of authoritative Top Level Domain nameservers. This then leads to the next steps in the connection, which involve reaching the website’s server. That is, unless a DDoS attack interrupts the connection.
DDoS attacks are malicious attempts to disrupt the flow of information as it passes between the DNS root nameservers. During an attack, the targeted server is flooded with traffic and overwhelmed to the point of incapacitation. Normal traffic is inundated with false requests and is dropped in the maelstrom; the result of an overburdened network is no connection at all. The false requests often originate from compromised systems, including infected computers and Internet of Things (IoT) devices such as home security systems and even refrigerators. Unfortunately, any device connected to a network can become infected and be used in a DDoS attack.
DDoS attacks are not new, nor are they without prevention. Devices used in these attacks are selected for their weak security and ease of compromise. Before the IoT, cybercriminals had to work much harder to find systems ready to attack. More recently, bots have done most of the heavy lifting. Even so, more than a few notorious DDoS attacks have managed to create havoc on a massive scale.
In 2007, a DDoS attack was launched and lasted 24 hours. During this time frame, service was disrupted for at least two nameservers (L-ROOT and G-ROOT). Two other nameservers suffered but were not taken offline entirely. Luckily, the situation was controlled and service returned to normal once the attack was contained.
In November and December of 2015, two waves of DDoS attacks targeted several nameservers, sending up to five million queries per second. The nameservers were incapacitated and traffic crawled to a stop. Fortunately, the nameservers had protocols for attacks of this nature and were able to use redundant nameservers to prevent further disruption.
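To make the root-to-TLD-to-authoritative referral chain above concrete, and to show why redundant nameservers matter when one is knocked offline, here is a toy iterative resolver over a constructed zone tree. This is an added example, not code from the original post; the server names, zone contents and the 192.0.2.10 address are constructed for illustration.

```python
# Added example: a toy iterative DNS resolver over a constructed zone tree.
# It walks root -> TLD -> authoritative by following referrals, tries redundant
# servers at each level, and reports failure when a whole level is unreachable.
from typing import Dict, List, Optional, Tuple

# Constructed zone data (assumption, not real DNS): each nameserver maps a name
# to either a referral ("NS": child nameservers) or a final answer ("A": address).
ZONES: Dict[str, Dict[str, dict]] = {
    "root-a": {"com.": {"NS": ["com-ns1", "com-ns2"]}},
    "root-b": {"com.": {"NS": ["com-ns1", "com-ns2"]}},
    "com-ns1": {"example.com.": {"NS": ["ns1.example.com"]}},
    "com-ns2": {"example.com.": {"NS": ["ns1.example.com"]}},
    "ns1.example.com": {"www.example.com.": {"A": "192.0.2.10"}},
}
ROOT_SERVERS = ["root-a", "root-b"]   # two redundant root servers


def query(server: str, name: str, down: frozenset) -> Optional[dict]:
    """Ask one nameserver about `name`; None if it is down or has no data."""
    if server in down:
        return None
    zone = ZONES[server]
    labels = name.split(".")
    # Return the closest match the server knows: the longest matching suffix.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zone:
            return zone[candidate]
    return None


def resolve(name: str, down: frozenset = frozenset()) -> Tuple[Optional[str], List[str]]:
    """Iteratively resolve `name` from the root; return (address, servers used)."""
    servers = ROOT_SERVERS
    path: List[str] = []
    while True:
        answer = None
        for s in servers:                 # fail over across redundant servers
            answer = query(s, name, down)
            if answer is not None:
                path.append(s)
                break
        if answer is None:
            return None, path             # every server at this level is unreachable
        if "A" in answer:
            return answer["A"], path      # final answer from the authoritative server
        servers = answer["NS"]            # follow the referral one level down
```

With both root servers marked down, resolution fails before it starts; with only one down, the other answers and the lookup completes.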
DDoS attacks should not be taken lightly. While there are many options for removing the threat, website owners also need to ensure that their own systems are not used in attacks against root nameservers. This can be done by scanning systems for malware, changing passwords regularly, and keeping services updated whenever possible. Stay tuned for our next DDoS installment, in which we cover how to protect your systems from DDoS threats.