So one of our readers asked us this question the other day: Why are big companies seemingly in a constant battle against DDoS attacks?
I’ve got an answer for you, but it’ll take a little bit of time and I’m going to go a roundabout way, so bear with me. You’ve seen Law and Order, right?
If you’ve ever watched a TV cop or courtroom program, you know that prosecutors are always trying to prove that the accused had the means, motive, and opportunity to commit a crime. Distributed denial of service attacks are a crime just like any murder, larceny or assault. Just look up 18 U.S.C. § 1030, which covers computer crime.
That statute covers access to a “protected computer” and is intended to protect interstate commerce conducted on a computer. Since Internet traffic – for all practical purposes – has to cross state lines, it’s covered under this statute. If you launch a DDoS attack, you’re attempting to interfere with interstate commerce, and therefore committing a federal crime.
With that in mind, it makes sense to look at all DDoS attacks in light of means, motive, and opportunity. Let’s take up means.
The original denial of service attacks came from a single computer. In the 1980s, when Internet traffic operated on the phone system, it acted like telephone traffic. Users would dial a specific number to access a specific computer or network. Popular computers and popular networks could handle multiple connections, but there was always a finite limit: Only so many people could access the board at a given time.
Denying service to a board or network was relatively easy, albeit expensive: A user could simply open multiple connections to the computer or network, dialing in on multiple phone lines and therefore blocking access to anyone else. As simple as this was to do, it was also simple to trace. You could trace the attacks with the same tools used to trace phone calls. Phone companies could shut down the attacks relatively easily, and police could prosecute them.
Because of the cost involved in these attacks and because they could be prosecuted relatively easily, they were uncommon. Even more uncommon were attacks that successfully used complicated networks of phone switches to obscure the source of the attack.
After the development of the World Wide Web and its commercialization in the 1990s, denial of service attacks became more common. Internet traffic moved off the phone system and into a purely digital arena. Attackers switched tactics. Instead of attempting to occupy all of the connections to a server, they attacked the server’s ability to handle requests: by bombarding a target server with many requests for information, all seemingly legitimate, they could slow the server to a crawl.
This method allowed attackers to better obscure the source of their attacks, but it had its limitations. Defenders simply needed to add more capacity to withstand attacks, and since most attackers had access to only a handful of computers, this was economically feasible to do.
Toward the end of the 1990s, the distributed denial of service attack became the regular means of attack. Before, a single computer or a relative handful were involved in bombarding a server. Now, attackers began to use viruses to take over many thousands or millions of computers and harness those computers to bombard a server. The first viruses of this kind were crude. Their activity was immediately apparent to a computer user, and that user would run an antivirus program. Later iterations were more sophisticated; they began operating in the background, aided by advances in technology.
As computers became faster, they became better able to operate multiple programs at the same time. Faster Internet connections became commonplace, meaning an infected computer could send bombardments without noticeably affecting a user’s experience. This allowed a virus-maker to wield the bombardment potential of millions of computers, turning them into a botnet weapon.
The third innovation is the most recent, dating from the 21st century. Botnets have become so widespread that virus-makers have begun renting them out. For a few hundred dollars on a darknet site or some other nefarious website, you can rent a botnet and direct it against a target.
Then there is another change in opportunity: Bitcoin. While DDoSing started off as an anarchist movement, it’s evolved into a professional blackmailing business. Trying to blackmail someone through the conventional financial system requires a high degree of sophistication because everything is tracked and potentially reversible. Bitcoin lowers the barrier to becoming a blackmailer by providing a relatively easy-to-use, relatively untraceable way to send money.
These are the reasons you’re seeing a lot more DDoS, ransomware and other attacks. It’s relatively easy to do. With so many computers in the world, so many fast connections and so many infections spreading, a company cannot hope to add enough capacity to deal with a DDoS attack. Instead, the company has to filter the incoming attack, sifting legitimate requests from illegitimate ones, and that’s not easy. Right now, offense has the advantage over defense, and that’s the means.
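To make that last point concrete, here is an added example in Python (not code from the original post): a toy model of the classic per-source rate limit, run against constructed request logs for a quiet window, a single-source flood and a botnet flood of the same size. The IP ranges, limits and request counts are assumptions chosen for illustration.

```python
# Added example, not from the original post: a toy model of the filtering
# problem described above. Request logs are constructed synthetically.
import random
from collections import Counter

PER_SOURCE_LIMIT = 20   # assumed policy: drop a source sending > 20 requests/window
NORMAL_TOTAL = 2000     # assumed typical number of requests per window

def legit_traffic(rng, clients=500):
    """Ordinary users: each client sends between 1 and 8 requests per window."""
    return [f"10.0.{i // 256}.{i % 256}"
            for i in range(clients) for _ in range(rng.randint(1, 8))]

def flood(sources, per_source):
    """A flood of the same total size spread over `sources` machines."""
    return [f"198.51.{a // 256}.{a % 256}"
            for a in range(sources) for _ in range(per_source)]

def per_source_filter(reqs, limit=PER_SOURCE_LIMIT):
    """Classic defence: block any single source that exceeds the limit."""
    counts = Counter(reqs)
    blocked = {src for src, n in counts.items() if n > limit}
    dropped = sum(counts[src] for src in blocked)
    return blocked, dropped

def aggregate_alarm(reqs, baseline=NORMAL_TOTAL):
    """Capacity view: we can tell we are under attack, but not by whom."""
    return len(reqs) > 2 * baseline

def analyse(reqs):
    blocked, dropped = per_source_filter(reqs)
    return {"total": len(reqs), "blocked_sources": len(blocked),
            "dropped": dropped, "alarm": aggregate_alarm(reqs)}

def scenarios(seed=7):
    rng = random.Random(seed)
    base = legit_traffic(rng)
    return {
        "quiet": analyse(base),
        # one attacker, 6000 requests: the 1990s-style single-source flood
        "single": analyse(base + flood(1, 6000)),
        # 1000 bots, 6 requests each: same volume, every bot looks like a user
        "botnet": analyse(base + flood(1000, 6)),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, result)
```

The single-source flood is blocked entirely by the per-source limit, while the botnet flood of identical volume trips the capacity alarm but drops nothing, because no individual bot looks any different from a legitimate user.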
Let’s talk about motive. Back in the later years of the 19th century and the early 20th century, there was a wave of terrorist bombings across the United States and Europe. These weren’t communists or fascists; these were anarchists. Their main goal, such as it could be defined, was to attack existing institutions (financial, religious and political) in order to force them to change.
With means so cheap and available, the barrier to entry for a DDoS is extremely low. Imagine how many bombings would have taken place in the early 20th century if those anarchists only had to pay $200 in a back alley for the ability to send a bomb anywhere in the world. How many attacks would have taken place? That’s what we’re seeing now. Because the means is so easy, the motive almost doesn’t matter. It could be a disgruntled video game player who was banned for cheating. It could be a competing company. It could be Russia attacking Estonia again. It could simply be an anarchist who wants to stir things up. It could also simply be a psychopath.
And if you’re a prominent company, you’re going to be a prominent target. That brings us to opportunity. If you have built or bought a botnet, you’re going to use it. That’s why you have it. The only question is what the target will be. Prominent companies like Blizzard, Google, Twitter, and Facebook have high profiles. Countries like Estonia have nearby and powerful enemies.