
What is a Distributed Denial of Service (DDoS) attack?

BACKGROUND

During the week of February 7-11, 2000, Distributed Denial of Service (DDoS) attacks emerged as a major new way to wage cyber-war on the Internet. That week, such attacks struck many sites, including Yahoo!, Buy.com, eBay, E*Trade, and CNN. The victims' Web sites were unreachable for several hours each.

There is no certain way either to track the perpetrators down or to determine how long attacks may last. There are methods for preventing such attacks, but none of them is foolproof.

Legislation has since been passed making such attacks a federal offense in the United States. The FBI has also become involved in the issue.

HOW IT WORKS

DDoS attacks are "brute force" attacks involving the hijacking of hundreds or thousands of machines connected to the Internet — frequently servers or other powerful machines but, in truth, even a home computer with a cable modem or DSL connection is vulnerable.

The attacker installs software on these "zombies," allowing him to control the computers when necessary. Then the attacker uses these hijacked machines to launch coordinated attacks on specific Web sites. These attacks typically exhaust bandwidth and router-processing capacity.

The increase in traffic makes it impossible for legitimate users to view the targeted Web sites.

The perpetrator starts by breaking into weakly secured computers, using well-known defects in standard network service programs and common weak configurations in operating systems.

Once he breaks in, he performs some additional steps on each system. First, he installs software to both conceal the actual break-in and hide traces of his subsequent activity. Then he installs a special process used to allow remote-control access to the burgled machine.

The attacker then runs a single command, which sends command packets to all the captured machines. This instructs them to launch a particular attack against a specific Web site. When the attacker decides to stop the attack, he sends another single command.

Thousands of requests for pages are sent to the target Web site, but the requests appear to come from non-existent Internet Protocol (IP) addresses. When the target site's server attempts to confirm the existence of each requesting IP address, it will not get a response and will try to respond several more times.

Usually a non-existent requesting address is a trivial issue — a server will stop trying to respond after a few tries. But when this scenario is multiplied by thousands or tens of thousands, a server can quickly become overwhelmed and will not be able to respond adequately to requests from legitimate IP addresses.
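The following model is an added example, not part of the original article. It shows why a few unanswered requests are harmless while a large number starve legitimate users. The table size, request rates, doubling retry interval, and the worst-case ordering (bogus requests arrive first each second) are all assumptions chosen for illustration.

```python
from collections import deque

def hold_time(retries, first_timeout=1):
    """Seconds a never-answered request occupies a slot: the initial wait
    plus `retries` further waits, each double the previous (assumed backoff)."""
    return sum(first_timeout * 2 ** i for i in range(retries + 1))

def simulate(seconds, backlog, legit_per_s, bogus_per_s, retries):
    """Return the fraction of legitimate requests the server can serve.

    Model (all values constructed): the server tracks at most `backlog`
    pending requests. A request from a non-existent address holds its slot
    until the server gives up retrying. A legitimate request needs one free
    slot on arrival and releases it within the same second.
    """
    hold = hold_time(retries)
    expiry = deque()                  # give-up times of held slots, oldest first
    served = offered = 0
    for now in range(seconds):
        while expiry and expiry[0] <= now:      # server stops retrying
            expiry.popleft()
        for _ in range(bogus_per_s):            # requests nobody will answer
            if len(expiry) < backlog:
                expiry.append(now + hold)
        free = backlog - len(expiry)
        offered += legit_per_s
        served += min(legit_per_s, free)
    return served / offered

if __name__ == "__main__":
    cases = [
        ("a few bad addresses, 5 retries", 5, 5),
        ("flood of bad addresses, 5 retries", 100, 5),
        ("same flood, server gives up after 2 retries", 100, 2),
    ]
    for label, bogus, retries in cases:
        ratio = simulate(120, backlog=1024, legit_per_s=50,
                         bogus_per_s=bogus, retries=retries)
        print(f"{label}: {ratio:.1%} of legitimate requests served")
```

In this model, giving up sooner restores service only while the flood rate multiplied by the hold time stays below the table size; a large enough flood fills the table regardless of the retry setting.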

HOW DO YOU HANDLE IT?

The first thing the administrator of the target site notices is that thousands of compromised systems all over the world simultaneously flood his site with traffic. At first, he'll think it's a router crash or a similar software error. Traffic simply stops flowing between the Web site and users on the Internet.

Tech staff at the affected site then try to find out what's wrong. After the first few checks don't solve the problem, they look at the large increase in traffic. Then they realize that the site is the victim of a major denial-of-service attack. The techies try to capture a sample of the packets flying over the network, attempting to gather as many as they can.

They take that information and begin an investigation, turning over any relevant data to the appropriate authorities.

However, if the software controlling the attacking computers is written well enough, it can disguise itself so that tracing the person directing the attack becomes virtually impossible.  "Mafiaboy," the Quebec teenager who launched the Feb. 2000 attacks on eBay, Yahoo!, CNN and other sites, was only caught when he boasted of his exploits in hackers' chat rooms.