After my post about my laptop being cracked, lots of people asked me what a DDOS is. My years of tech support experience helped me learn that if I’m asked the same question more than n times, I should write it down and let people go read it for themselves. Hence, the Gospelcom Members Area.
A server on the Internet is designed to do one job. Web servers serve web pages. Mail servers handle email. A machine may have more than on server on it, but in places where there’s high traffic, they’re often dedicated to one job.
Let’s use a web server as an example. When you put an address in your web browser, it sends a request to the web server for a specific document with all related documents (images, flash, audio, etc). The server thinks for a picosecond, pulls it all together, and send it back to you.
The number of requests it can handle at once depends on how powerful the hardware and software are together. I can run a web server on my PDA, and it works fine serving pages to me. 10 people could kill it. Gospelcom has a cluster of 18 computers working together as one giant web server to handle all of its traffic. It can do a lot at once.
If a Bad Guy wants to hurt a website, he can do something called a Denial Of Service (DOS) attack. He writes a program that sends many requests at once. By many I mean it could be 10,000. Not only that, but he can write it to lie about where it came from, so the web server tries to honor these requests by sending a webpage, but the place it tries to send it doesn’t exist, so it comes back to the web server as a failure, and it has to deal with THAT. Enough requests at once will overwhelm a web server.
A plain DOS attack isn’t hard to stop. There are lots of tools available to prevent them, and many web servers even have it built in now, so a plain DOS attack really only works against unprepared websites.
Then the Bad Guys got the idea that if the bogus requests came from multiple machines rather than one, it would be much harder to a) block the bad traffic and b) decide who’s really bad and who’s really wanting all that info. This is called a Distributed Denial Of Service (DDOS) attack.
A DDOS must be orchestrated though. All those machines need to be attacking at once, so someone needs to control them all at the same time. Also, the Bad Guys don’t want to set up servers all over the place that can be traced to them, they want to use other people’s computers. But other people don’t want to be part of that, so they have to be sneaky about it.
So they write programs that sneak into your computer, install the software to be part of a DDOS, and they leave. The software is designed to stay hidden, so it doesn’t slow your machine down or anything, because it’s not doing anything yet. It’s waiting for the trigger to be pulled.
How do they get in? It varies greatly. Linux boxes are a lot harder to break into, but user stupidity helps a lot. Windows boxes are a LOT easier to get into. How many machines have you seen with spyware on them? Adware? If it’s easy to get that stuff on there, it’s easy to get something else on that you don’t know exists because it doesn’t annoy you.
So why would people do this? There’s an enormous amount of work involved in getting all those machines together. Who has the money? And who would they do it to?
Here’s how it works. Criminals with lots of money (think mobs, [‘russian’,’sicilian’,’los angelian’]) like to extort money from people who have it. So they say to someone like IBM, “Give is $10M or we’ll take down the Olympics site during the Olympics”. With that kind of cash on the line, they can afford to hire lackeys in Greece to find weak boxes and install stuff on there.
The scary part? It’s happening, and it works. Examples:
- Trojan turns victims into DDoS, spam zombies
- Will Distributed Denial of Service Attacks Mean the Death of E-business?
Citibank got hit HARD a few years back.
Something interesting is that often the Bad Guys don’t ask for a million dollars, they ask for $50,000, or some other (relatively) low number. Someplace like IBM will pay that to make them go away. And they don’t tell people. That’s the scary part. How much has your bank paid to keep the Bad Guys out? You’ll never know. They don’t want people to know they’re at risk, and they’re not paying so much that you’ll notice.
What do you do? If you run Linux, don’t be as big an idiot as I was. If you run windows on a broadband connection, buy a router. They’re only $30-$100 depending on what you get, but they’re worth it. I consider it a requirement for having broadband. If you run a Mac, be safe like with Linux. A router is good alway,s I think. I say simply “router” but what you really need is a firewall. Most commercial home-grade routers have them built in, so I tend to use them interchangeably.
Windows users, stop using Internet Explorer. It’s like a vacuum, sucking this stuff in. Get Firefox. It’s free, it’s safer, it has more features, it’s just better.
I’d like to close with this:
A test conducted by marketing firm AvantGarde and USA TODAY (and run in part by Kevin Mitnick) found that a poorly protected PC on the Internet is compromised within four minutes, with some being taken over in only 30 seconds. The test was conducted over a two-week period with 6 machines configured with a variety of operating systems, including Linspire’s distribution of Linux, Macintosh OS X 10.3.5, Microsoft Windows Small Business Server 2003, WinXP Service Pack 1 (SP1), WinXP SP1 with the free ZoneAlarm personal firewall, and WinXP SP2.
I am forced to use Windows XP at work. My “auto update” informed me yesterday I have a number of security updates available. The descriptions for all but one begin with, “A security issue has been identified that could allow an attacker to compromise your Windows-based system and gain control over it.” Scary.