
thatpinguino


Security in the Modern Web Part 2: DDoS Attacks

It has been a while since I wrote one of these computer-security-related posts, but in light of Sony's troubles during the holidays and the seeming ubiquity of this kind of attack on the modern web, I figured I would put together a little primer on what a DDoS, or distributed denial of service, attack is and how it actually works.

If you play games online at all, you are likely familiar with the symptoms of a DDoS attack: you cannot connect to your favorite online service, and when you do, the connection is slow and unreliable. This connectivity problem can last for as little as a few minutes or as long as days or weeks, but during that whole time you can't use the service at all. Then, in an instant, the issue just disappears and everything goes back to normal. If you have experienced what I just described, you have likely witnessed a DDoS attack. The reason you cannot connect to Steam, PSN, or Xbox Live during a DDoS attack is that the servers hosting the service you want are being deliberately overloaded with requests by a malicious party. An ordinary visit to a web service involves an HTTP request being sent from your computer to the server you want to reach. The malicious party is flooding the servers of your favorite service with so many HTTP requests that those servers are overwhelmed and cannot process your request.

Those goblins are shutting down PSN!

Imagine trying to order a pizza from a local Pizza Hut during rush hour (and imagine that you have to actually call and talk to a human). You might get a busy signal when you call, and even if you get through, the delivery time is 20 minutes longer than normal thanks to all of the other orders they have to process. Now imagine that, rather than ordinary rush hour calls, a group of people who hate pizza decide to call Pizza Hut continuously for 5 hours in the middle of the day, only to hang up as soon as a human being picks up the phone. Very few pizza lovers would be able to get a call through to Pizza Hut under these circumstances because of the sheer volume of fake calls. For those 5 hours the Pizza Hut phone lines are effectively useless. Even worse, the owners of the Pizza Hut have very few options to stop this attack, because their business relies on providing customers with a working phone line. Unplugging the phone will stop the attack, but it will also stop legitimate customers from placing orders over the phone. The Pizza Hut could change its phone number, but that would force all of its legitimate customers to learn a new number, and the pizza haters would eventually learn that new number too. The owners of the Pizza Hut are mostly stuck. The scenario I described is what happens during a basic DDoS attack, except Sony is the Pizza Hut and their websites are the phone line.

In a real DDoS attack, the huge number of HTTP requests (phone calls) needed to clog up an entire corporate server infrastructure can come from a number of different sources, depending on the scale of the target and the sophistication of the attackers. If the target is a relatively small website, the attack could be the work of a handful of people running a piece of software designed to spam a given URL or IP address with HTTP requests. If the target is larger, then botnets, thousands of computers that are remotely controlled via a virus, are used to hammer the target server with requests. The larger the target, the more resources are needed to bring it down.

Yay mechanical and visual metaphors!

Now, the kind of DDoS attack I've described up to this point is the absolute simplest version of the attack, and in truth it is not necessarily what attackers use in practice. Maintaining a constant barrage of connections for hours or days on end is expensive, and it can be thwarted. If a Pizza Hut kept getting prank calls from one phone number all day long, they would just block that number or ask the phone company to look into it. The more troublesome attacks try to trip up servers by more closely mimicking situations where a user's intent is difficult to discern.

Back to the Pizza Hut example! The same group of pizza haters, whose original phone numbers were all cut off by the phone company, decide they need to be a bit craftier if they want to ruin pizza for everyone. This time they are going to call Pizza Hut and act like ordinary callers, but they are going to act as though their phones keep dropping in and out of coverage. The Pizza Hut clerks answer the phone as normal and try to take orders from the attackers for a few minutes each, but they never manage to get any real orders out of them. However, while the clerks are dealing with the attackers, the phone lines are still tied up! Unlike the earlier attack, where the sheer number of calls made the phone lines unusable, this new attack ties up the phone by mimicking an ordinary user with a common and well-understood phone problem: a cell phone losing signal. The number of calls doesn't need to be as huge when each call lasts much longer than the brute-force calls did.

In the real world, the kind of attack I just described involves sending fragmented HTTP packets that look like the garbled stuff that can come from a bad internet connection. The targeted server expects the rest of the fragmented packet to show up eventually, so it waits, but that remaining fragment is never coming. For every moment the server waits for the rest of the packet to arrive, a legitimate user is unable to connect. Thousands of fragmented packets can jam up a server just as effectively as hundreds of thousands of regular HTTP requests, because servers are built to tolerate this kind of lag from users. While there are answers to this form of attack as well, such as reducing the amount of time a server will wait for the rest of a fragmented packet before dropping the connection altogether, those answers involve trade-offs that hurt legitimate users on slow connections.

There are even more types of DDoS attacks than what I've covered here, and there is much more to say about the ones I have covered, but I hope you can appreciate what a nasty problem they present. DDoS attacks take the service-oriented nature of the internet and use it as a means to attack a public-facing service. They take the established server-user relationship and weaponize it against businesses and services.
