DDoS attacks have been around for about fifteen years, and the recently reported attacks show that the technique is still going strong. In fact, DDoS will probably always be an effective attack technique because it is uniquely difficult to defend against.
The basic concept is simple. Use a large number of systems with widely dispersed addresses to send large amounts of traffic that’s difficult to distinguish from legitimate requests. If the systems are widely scattered, it’s difficult to block based on source addresses. And if the traffic looks just like regular requests, deep packet inspection won’t help either.
An additional problem is that for servers that use a regular ISP connection, it’s no use trying to block on the customer’s side of the connection: by the time the traffic reaches the customer’s equipment it has already saturated the link.
Early DDoS attacks often used ICMP or UDP packets, but these were fairly easy to distinguish from legitimate traffic, so ISPs or hosting companies could block these sorts of attacks. Later the attacks moved to HTTP directed at the web server. These are difficult to block with simple packet filters, but the tools used to perform the DDoS often left a fingerprint, such as a unique User-Agent header, which allowed deep packet inspection to weed out the hostile traffic. Modern attacks, though, are much more difficult to distinguish from legitimate traffic.
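The two points above (scattered source addresses defeat per-IP blocking, but a tool fingerprint such as a shared User-Agent can still give the flood away) can be seen in a web server’s own access log. The following is an added example, not code from the original post: it parses constructed Combined Log Format lines, shows that no single source address stands out, and then flags a User-Agent that both dominates the traffic and is spread across many addresses. The log lines, the User-Agent string `ExampleFloodClient/1.0`, and the threshold values are all assumptions made for the example.

```python
"""Spot an HTTP flood by tool fingerprint rather than by source address.

Added example (not part of the original post). All log lines below are
constructed; the User-Agent used for the flood is a made-up string, not
the fingerprint of any real tool. Thresholds are assumptions.
"""
import re
from collections import Counter, defaultdict

# Combined Log Format:
#   ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

LEGIT_UAS = [
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/118.0",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_5) Safari/605.1.15",
    "Mozilla/5.0 (X11; Linux x86_64) Chrome/117.0.0.0",
]
FLOOD_UA = "ExampleFloodClient/1.0"  # constructed fingerprint for the example


def _line(ip, ua, path="/"):
    """Build one constructed access-log line in Combined Log Format."""
    return (f'{ip} - - [10/Oct/2023:13:55:36 +0000] "GET {path} HTTP/1.1" '
            f'200 5120 "-" "{ua}"')


# Constructed sample: 10 requests from ordinary browsers, plus 40 requests
# from 40 *different* addresses that all carry the same unusual User-Agent.
SAMPLE_LOG = (
    [_line(f"203.0.113.{i}", LEGIT_UAS[i % 3], "/index.html") for i in range(1, 11)]
    + [_line(f"198.51.100.{i}", FLOOD_UA) for i in range(1, 41)]
)


def parse(lines):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for ln in lines:
        m = LOG_RE.match(ln)
        if m:
            records.append(m.groupdict())
    return records


def top_source_share(lines):
    """Fraction of all requests sent by the single busiest source address.

    When this is tiny, a per-IP rate limit strict enough to stop the flood
    would also stop legitimate users: blocking by source address won't help.
    """
    recs = parse(lines)
    if not recs:
        return 0.0
    per_ip = Counter(r["ip"] for r in recs)
    return max(per_ip.values()) / len(recs)


def suspicious_user_agents(lines, share_threshold=0.5, min_sources=20):
    """Return User-Agents that look like a tool fingerprint.

    A UA is flagged only when it accounts for more than `share_threshold`
    of all requests AND is seen from at least `min_sources` distinct IPs.
    The combination matters: one busy IP with its own UA is just a noisy
    client, while many unrelated IPs sharing an unusual UA is the pattern
    that deep packet inspection on the User-Agent header can act on.
    """
    recs = parse(lines)
    total = len(recs)
    if total == 0:
        return []
    per_ua = Counter(r["ua"] for r in recs)
    ips_per_ua = defaultdict(set)
    for r in recs:
        ips_per_ua[r["ua"]].add(r["ip"])
    return sorted(
        ua for ua, n in per_ua.items()
        if n / total > share_threshold and len(ips_per_ua[ua]) >= min_sources
    )


if __name__ == "__main__":
    print(f"busiest single source: {top_source_share(SAMPLE_LOG):.0%} of requests")
    print("fingerprinted User-Agents:", suspicious_user_agents(SAMPLE_LOG))
```

On the constructed sample the busiest address sends 2% of requests, the same as every legitimate browser, so nothing about the source addresses separates the flood from real visitors; the shared User-Agent does. This is exactly the property that modern attacks remove by sending requests with the same headers as common browsers, which is why the fingerprint approach stopped being sufficient.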
While the technology behind DDoS attacks has changed over the years, the motives have largely stayed the same. The main motives are money (typically blackmail), activism and revenge. Blackmail is associated with sites that make large incomes, and has been especially prevalent with gambling sites. The recent cases in the news are mainly activism based, but that’s not just a recent phenomenon. In 2006, Blue Security Inc were forced out of business by a concerted DDoS attack by spammers who were angered by their anti-spam product ‘Blue Frog’.
The source of DDoS attacks is typically a botnet, comprising thousands or sometimes millions of compromised machines. Despite increasing security measures, many modern systems are still vulnerable to the botnet malware. There are plenty of Windows 7 and Mac OS X systems in botnets, so it doesn’t look like botnets will be disappearing soon.
There’s no foolproof defence against DDoS attacks, and there doesn’t appear to be a silver bullet coming along soon. But that doesn’t mean nothing can be done. Stress testing, understanding ways to mitigate the effects, and preparing a response to a DDoS attack can all help to minimise the effects.