Distributed Denial of Service Attacks and You (or, preferably, someone else)

By Steven Smith

Recently I had a reader email me with a question about Distributed Denial of Service Attacks (DDOS). As it happened, ASPAlliance.com came under attack by a DDOS in mid-January that brought down the server for a couple of days. According to my ISP's logs, the attack originated from at least 4000 separate IP addresses. Below you will find the web server's statistics for that day -- a lot of the traffic is due to the fact that we were featured in a news story on slashdot.org, but the DDOS began around 11am, and you can see that shortly after that we were forced to pull the plug on the machine. The actual DDOS attack isn't reflected in these stats, since they are showing web server sessions and the attack was targeting a different port, but you get the idea and it's still a cool picture...

Anyway, Frank Wood asked "I would be interested in knowing how you defend, or do damage control for a DDOS attack." To which I responded:

The short answer is, you can't.  If you're Microsoft or Yahoo or someone big, you make sure that you have the phone numbers for the FBI unit that is responsible for such things, and probably other computer security contacts like CERT.  However, for someone like ASPAlliance.com, with very limited resources (I have a full-time job, ASPAlliance is really just a hobby), there's not a lot you can do.  The ONLY defense against a DDOS is not to be a target.  Seriously.  Yes, this is scary and really sucks.  Let me briefly explain why.  

The way a DDOS attack works is that it gets many computers to perform an invalid TCP/IP transaction with the target/victim server.  The protocol uses a three-way handshake to establish a connection, which goes SYN, SYN-ACK, ACK (the requester sends the first and third message).  Basically, this is like saying "You there?", hearing "Yeah, you ready to send?", and then saying "Yeah, here comes my request."

A typical DOS attack just sends a ton of SYNs but never any ACKs (this is referred to as SYN flooding).  The server waits a certain (short) period of time after receiving a SYN before it allows another request to come in on that port.  This is because it is in the middle of a handshake/connection and is waiting for the third message (the ACK).  Any computer with the TCP/IP protocol on it can send SYNs and ACKs -- it's baked into the protocol.  A single computer can fairly easily flood a server's network layer with SYN requests that aren't followed up by ACKs.  This kind of DOS attack can be defended against by refusing the specific attacking computer's IP address, say at the router or firewall.

With a DDOS attack, hundreds or thousands of computers are used.  Typically, these computers come from a wide range of locations on the Internet, and therefore have a wide variety of IP addresses.  There is no way to know if a particular incoming request is valid or if it is from an attacker.  Thus, you cannot effectively block the attacking IPs.  Also, since most or all of the computers involved in the attack are unwitting victims and not the attacker themselves, it is very difficult to trace who actually initiated the attack.  Thus, as I said, there basically is no defense against this kind of an attack unless you have a lot of resources.  In the case of the attack on ASPAlliance in January 2001, my ISP noted requests from 4000 different IP addresses.  Obviously, this was more than enough to bring down our server (as evidenced by the image below).
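As an added illustration (not from the original article), here is a small Python model of what the server sees in the two cases above: a half-open connection table built from a constructed packet trace, where each SYN without a completing ACK is one handshake the server is left holding. The backlog size and per-IP limit are illustrative assumptions; the point is that the single-source flood yields one blockable address while the distributed one spreads the same load thin across many.

```python
from collections import Counter

# Constructed server-side trace: (seconds, client_ip, tcp_flag).
# "SYN" opens a handshake; "ACK" is the client's third message completing it.
# Legitimate clients complete; a flooder sends SYNs and never answers the SYN-ACK.
NORMAL = [(0.0, "10.0.0.5", "SYN"), (0.1, "10.0.0.5", "ACK"),
          (0.2, "10.0.0.6", "SYN"), (0.3, "10.0.0.6", "ACK")]
# One machine sending 200 SYNs (classic DOS / SYN flood).
SINGLE_SOURCE = NORMAL + [(1.0 + i * 0.01, "203.0.113.9", "SYN") for i in range(200)]
# 500 SYNs spread over 250 machines, only two each (DDOS pattern).
DISTRIBUTED = NORMAL + [(1.0 + i * 0.01, f"198.51.100.{i % 250}", "SYN") for i in range(500)]


def half_open_by_source(trace):
    """Count handshakes per client that received a SYN but never the completing ACK.
    Each ACK retires one outstanding SYN from the same client; leftovers are half-open."""
    pending = Counter()
    for _t, ip, flag in sorted(trace):
        if flag == "SYN":
            pending[ip] += 1
        elif flag == "ACK" and pending[ip] > 0:
            pending[ip] -= 1
    return {ip: n for ip, n in pending.items() if n > 0}


def assess(trace, backlog=128, per_ip_limit=20):
    """Classify the trace (thresholds are illustrative assumptions).
    A flood is a backlog's worth of half-open handshakes; it is blockable by
    address only when a few sources account for them."""
    half_open = half_open_by_source(trace)
    total = sum(half_open.values())
    blockable = sorted(ip for ip, n in half_open.items() if n >= per_ip_limit)
    if total < backlog:
        verdict = "normal"
    elif blockable:
        verdict = "single-source flood"
    else:
        verdict = "distributed flood"
    return {"verdict": verdict, "half_open": total,
            "sources": len(half_open), "block": blockable}


if __name__ == "__main__":
    for name, trace in [("normal", NORMAL), ("single", SINGLE_SOURCE), ("ddos", DISTRIBUTED)]:
        print(name, assess(trace))
```

The distributed case reports hundreds of sources but an empty block list, which is exactly the "nothing to filter on" situation the text describes.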

Steven Smith, MCSE + Internet (4.0)
Last Modified: 6/12/2009 10:58:21 AM