The Tao of Ops: What exactly is a DDoS?

As more and more people are enjoying the Internet as part of their every day lives, so too are they experiencing its negative aspects. One such aspect is that sometimes the web site you are trying to reach is not accessible. While sites can be out of reach for many reasons, recently one of the more obscure causes has moved out of the shadows: The Denial of Service attack. This type of attack is also known as a DoS attack. It also has a bigger sibling, the Distributed Denial of Service attack.

Why these attacks are able to take web sites offline is right there in their name, since they deny you access to a web site. But how they cause web sites to become unavailable varies and quickly gets into more technical aspects of how the Internet works. My goal is to help describe what happens during these attacks and to identify and clarify key aspects of the problem.

First we need to define some terms:

A Web Site -- When you open your browser and type in (or click on) a link, that link tells the browser how to locate and interact with a web site. A link is made up of a number of pieces along with the site address. Other parts include how to talk to the computers that provide that service and also what type of interaction you want with the web site.

Web Address, aka the Uniform Resource Locator -- A link, to be geeky for a moment, is what is known as a Uniform Resource Locator (URL). Although most people think of a URL as "how web sites are addressed," it is actually a part of a much wider method of access to any service on the Internet. That said, the vast majority URLs provide a way to navigate web sites.

This link, https://en.wikipedia.org/wiki/Url contains the following:

  • https:// The browser needs to talk to the web site using the https scheme - a secure web browsing web request
  • en.wikipedia.org The address of the computer (or computers) that will provide the information and content of the web site
  • /wiki/Url The resource you want to get from the web site

The address portion of a link, the "en.wikipedia.org" part above, is itself made up of various parts known as the Top Level Domain (TLD) and the hostname. For our example the TLD is ".org" and the hostname is "en.wikipedia" - the two pieces are then used by the browser to make a query to the Domain Name System (DNS). This request takes the name, determines which Name Server is the authority for that name, and then returns an IP address for the name.

IP Address -- Each computer that is connected to the Internet is given a unique address so it can be identified and contacted. This unique Internet Protocol (IP) address allows clients (such as web browsers) and other computers to find and access it. Once your browser retrieves the IP address for a web site it can then begin to contact a computer using the appropriate protocol style to get the contents of the web site and display it for you.

Now that's a lot of little things all happening behind the scenes when you go visit a web site :) - but now that we know what we're working with, it will make describing what a DoS is easier.

When someone launches a Denial of Service attack they are trying to make the computers providing a service unable to perform their duties. The difference between a DoS and a DDoS is in how many outside computers are helping perform the attack. A Distributed Denial of Service attack is, as the name implies, distributed across many many computers, all of which are making requests to the target over and over again.

That is the crux of a DoS - one group of computers overload another group of computers by making the target have to process so many requests it cannot keep up. Let's work through two examples of what a DoS attack would look like in the real world:

Example 1 -- Think of the Internet as a highway and your browser is trying to access it via the on-ramp. While a small stream of cars is trying to get onto the highway things go well, but when the flow of cars gets to be too many all hell breaks loose and everyone comes to a halt and sits in traffic.

Example 2 -- During home games, Denver Broncos quarterback Peyton Manning is able to call plays out to his team. The players can hear him just fine, since hometown crowds are quiet during the plays. However, once the Broncos traveled to the Super Bowl to take on the Seattle Seahawks, things changed. The Seattle fans, known for being very loud, were able to act as a "12th man" of the Seattle defense. So much so that Manning's teammates could not hear him above the noise of the Seattle fans! They were suffering from a Distributed Denial of Service attack from more than one fan at a time.

As with any attack, you immediately begin to wonder how they can be prevented from happening and how to deal with them while they are active. This answer varies, not only because of the nature of each attack, but also because there are quite a few different kinds of DoS attacks. This little essay is getting rather long already so we might discuss counter-measures in a future blog post.

However, now when your browser is giving you an error message or the "spinner" is doing its best to annoy you, you will at least have the information to understand what is happening when the IT or Support people say "Yes, we are being DDoS'd."

You might also enjoy reading: