It’s happening right now, somewhere in the world. The computer network of a company or government agency is clogging up, slowing down, becoming virtually unusable. It’s not caused by a defect, but rather one of the crudest weapons in the hacker’s arsenal.
The weapon is called a DDoS — a distributed denial-of-service attack, a relentless assault that can be launched from anywhere in the world, with minimal cost and a massive potential for harm. It freezes computer networks and prevents Web pages from loading.
You’ve probably heard of DDoS. In 2014, a weeklong DDoS attack crippled computers in Boston Children’s Hospital, costing the hospital an estimated $600,000. Last year, a similar attack on a New Hampshire computer networking company called Dyn kept millions of people from reaching Dyn customers and popular sites, such as Netflix and Twitter. News media sites, from the Boston Globe and Al Jazeera, to French publications during that country’s elections in the spring, are also common targets.
Attacks like these, large and small, happen more than 23,000 times a day all around the world, according to Arbor Networks, a Burlington cybersecurity company that focuses on preventing DDoS attacks. Many last just a few minutes; others for hours. Some are brought under control by security experts; others run wild, causing severe disruptions. And while the security engineers who battle these attacks say they can minimize their impact, they have little hope of stamping out DDoS attacks altogether.
“This is an ongoing battle,” said Arbor Networks vice president Carlos Morales, “and it’s never-ending.”
There’s little hard data on the impact of DDoS attacks. But in May, Virginia network security firm Neustar Inc. released results of a survey of 850 victimized companies and determined each may have lost up to $2.5 million in revenues from a single attack — and that’s not including the cost of beefing up their security. Collectively that’s $2.2 billion in lost revenues. If the Neustar survey is in the right ballpark, DDoS attacks are placing a massive burden on the global economy.
DDoS works because the Internet was created by engineers who trusted each other. They designed it to move data quickly and efficiently, but without regard to who sent the data or why. That allowed unwanted spam e-mails to easily flood networks, but Internet companies have become effective at blocking those.
But fighting a DDoS bombardment, where the flood of malicious data numbers in the billions, is far harder.
In a DDoS attack, online criminals use malware to hijack thousands of computers all over the world, then order those machines to send torrents of data to a targeted computer. The sheer volume of data overwhelms a system, preventing websites from loading for their real customers.
“It’s the virtual equivalent of the sit-ins of the ‘60s,” said Andy Ellis, chief security officer of Akamai Technologies Inc., a Cambridge-based data network management company. If enough protesters crowded into a military recruiting station, nobody could sign up for a trip to Vietnam. In the same way, DDoS attacks block the flow of good data, shutting everything down.
And these days, anyone can launch such an attack by hiring professional hackers easily found with an Internet search. For $20 or $30, an employee angry with his company can take down its website for half an hour.
Arbor Networks fights back with special servers that work like spam filters, instantly checking streams of data, identifying legitimate data packets and letting them through, while discarding DDoS junk.
Akamai does the same, but it also relies on its network of 239,000 data delivery servers. These computers, located all over the planet, speed up Internet performance for the world’s leading websites. Akamai can spread data surges throughout its network, preventing any one part of the system from being overwhelmed.
On a typical day, Akamai distributes about 30 terabits of data every second; the company’s all-time peak was 61 terabits. The worst DDoS attacks so far have topped out at around 1 terabit. So Akamai can soak up such attacks like a sponge.
While Akamai and Arbor routinely fend off DDoS attacks, they keep coming — and are becoming more sophisticated. Instead of simply bombarding them with massive amounts of data, some attackers now trick websites into running complex searches over and over till they jam. In another gimmick, some criminals send a series of partial data requests that cause servers to pause and wait for additional instructions that never come. This DDoS attack doesn’t even need a large network of infected machines. Just one computer can get the job done.
There are no shortage of other ways to attack. Tainted apps can transform a smartphone into a DDoS device. Or hackers could spend a few dollars to place infected ads on various Internet sites. As soon as the ad appears in a user’s Web browser, it would launch attacks against some remote computer.
An incident in 2016 involving Internet security journalist and Akamai customer Brian Krebs revealed a second, more worrisome front. Krebs’s website was brought down by a new kind of DDoS attack, made up of cheap Internet-connected security cameras and digital video recorders that do not have the same cybersecurity protections as computers. It was the biggest such attack ever seen, and it spawned new worries about the effort to build Internet connections into thousands of everyday electronic devices, the “Internet of Things.”
Research firm Gartner Inc. estimates there will be more than 20 billion connected devices worldwide in two years. Many will have poor online security features, making them easily convertible into DDoS attack machines.
Barrett Lyon, a vice president at security firm Neustar, said the threat can only be eliminated by a complete reengineering of the Internet.
“It requires the entire Internet protocol to be changed, on every device on the entire planet,” Lyon said.
But that process would take decades, and, until then, DDoS will remain a relentless threat.
“We’re stuck with it probably for the next 30 years,” Lyon said.