Distributed Denial of Service – and how it works

I often get asked about Distributed Denial of Service (DDoS) attacks: how they work and what role we can play in preventing them.

So, let me start with the first part. Our Security Intelligence Report version 5 covered the underground economy and explained what happens before a DDoS takes place. Let's recap:

Often it starts with a criminal's plan to build a botnet. This person goes to an underground marketplace and buys a piece of malware (the bot) and the control server software. In addition, he or she may even buy an initial distribution of the bot, for example by paying somebody to plant it on a website that is unpatched, protected by a weak password or otherwise insecure, or through any other malware distribution channel you might know of (e.g. social engineering).


Now the criminal is ready to go. He or she owns a certain number of infected PCs, called zombies, and can offer their "services" on the same online black market the malware was bought from, finding "customers" such as spammers, phishers, blackmailers or any other criminals.


This is why we use the Malicious Software Removal Tool to go after the largest botnets: it is all about protecting the ecosystem.

So, anyone could rent such a botnet and have every zombie flood a web server with junk requests in order to take it offline. This is called a Distributed Denial of Service attack. I often compare it with spam, not for your inbox but for your web server: the server may still be up and running, but it is kept busy sorting junk from legitimate traffic (or its network link is simply saturated), so real users no longer get through.
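To make this concrete, here is an added example (not code from the original post, nor a Microsoft tool): a small Python detector run over constructed web-server access-log lines. It shows why the distributed form is harder to spot than a single noisy host. A per-source rate limit catches one host sending thirty requests a second, but two hundred bots sending one request each stay under any per-source threshold and only show up when you compare the aggregate request rate against a baseline. The log format (Common Log Format), the addresses, the traffic mix and the thresholds are all assumptions made for the illustration.

```python
"""Toy flood detector over constructed web-server access-log lines.

Added example, not from the original post. Two detectors are shown: a
per-source sliding-window rate limit (catches one noisy host) and an
aggregate request-rate check against a median baseline (needed for the
distributed case, where each bot stays under the per-source limit).
All log lines, addresses and thresholds are constructed for illustration.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone
from statistics import median

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_log(lines):
    """Parse CLF lines into (ip, timestamp) tuples, oldest first; skip malformed lines."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events.append((m["ip"], datetime.strptime(m["ts"], TS_FMT)))
    events.sort(key=lambda e: e[1])
    return events


def per_source_flood(lines, window=timedelta(seconds=10), limit=20):
    """Sources that exceed `limit` requests inside any sliding `window`."""
    recent = defaultdict(deque)
    flagged = set()
    for ip, ts in parse_log(lines):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > limit:
            flagged.add(ip)
    return flagged


def aggregate_flood(lines, factor=5):
    """Seconds in which the total request rate exceeds `factor` x the median rate.

    The median is a crude baseline and only works because the flood occupies a
    minority of the observed seconds; a real deployment would compare against a
    longer, known-good baseline instead.
    """
    per_second = Counter(ts for _, ts in parse_log(lines))
    baseline = median(per_second.values())
    return sorted(t for t, n in per_second.items() if n > factor * baseline)


def distributed_flood_seconds(lines):
    """Seconds flagged by the aggregate check that no single flagged source explains.

    These are the seconds where the excess traffic is spread over many sources,
    i.e. the distributed case that a per-source rule cannot see.
    """
    noisy = per_source_flood(lines)
    busy = {ts for ip, ts in parse_log(lines) if ip in noisy}
    return [t for t in aggregate_flood(lines) if t not in busy]


def make_log():
    """Construct a synthetic log: 60 s of normal traffic (2 req/s from five
    users), one noisy host at 30 req/s during seconds 10-14, and a distributed
    flood during seconds 30-39 where 200 bots each send a single request."""
    t0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = []

    def emit(ip, t, path="/index.html"):
        lines.append(f'{ip} - - [{t.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512')

    for s in range(60):
        t = t0 + timedelta(seconds=s)
        for i in range(2):                      # legitimate users, constructed
            emit(f"10.0.0.{(s * 2 + i) % 5 + 1}", t)
        if 10 <= s < 15:                        # single noisy host, constructed
            for _ in range(30):
                emit("203.0.113.9", t, "/search?q=junk")
        if 30 <= s < 40:                        # 20 new bots per second, constructed
            for b in range(20):
                emit(f"198.51.100.{(s - 30) * 20 + b}", t, "/")
    return lines


if __name__ == "__main__":
    log = make_log()
    print("per-source flagged:", per_source_flood(log))
    print("aggregate anomaly seconds:", len(aggregate_flood(log)))
    print("unexplained (distributed) seconds:", len(distributed_flood_seconds(log)))
```

Run as a script it reports one flagged source, fifteen anomalous seconds in total, and ten of those that no single source explains. That gap is the practical lesson: blocking the loudest IP address does nothing against a botnet, which is why protection against a real DDoS has to happen upstream of the server, at the network or provider level, rather than in the application alone.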

The motivations behind such attacks vary:

  • Remember the days of Al Capone, when criminals attacked shops and then offered to "protect" them? The same happens here: a criminal runs a DDoS against your website and takes it down for a few minutes, lets it come back up, and then tells you that he can protect you from such attacks, for a fee. I would call this extortion.
  • We often see such attacks with a political background: a conflict breaks out somewhere, and one party (or both) tries to take down the other side's websites.
  • Sometimes the motive is simply "I do not like you". Microsoft has been attacked this way from time to time as well.

So, if you want to know more about DDoS, I can recommend two sites:

  • On our TechNet site there is an article called Distributed Denial-of-Service Attacks and You. It is no longer new, but it is well worth reading and still gives you some basic advice on how to protect yourself.
  • Wikipedia has a page that gives you some history and describes the different types of attack: Denial-of-service attack

I hope this helps and clarifies some questions. Otherwise, do not hesitate to get in touch with me.

Roger