DDoS attacks: What they are and how they're orchestrated

9:43 pm on 8 September 2021

It could seem like there's a new one every five minutes, but what actually is a DDoS attack?


New Zealand has seen two major DDoS attacks this week, affecting NZ Post, Kiwibank, Metservice and others, and last week a number of internet service providers were hit. The headline "company disrupted by DDoS attack" has become very common in the past few months. So what actually is it?

First things first, a DoS attack is a Denial of Service attack. The intent is to make a network or website or other computer service unavailable to its intended users, by overwhelming its ability to process the requests. DDoS is when those requests come from distributed sources - or lots of different places.

Here's how CERT NZ describes it:

When you type a URL for a web page into your browser, you send a request to the site's computer system asking to view that web page. DoS attacks work by 'flooding' a website with fake requests in an attempt to overload the system. As websites and networks can only process a certain number of requests at once, this blocks any genuine requests from getting through.

Imagine it like the other kind of traffic. If the number of cars is normal, theoretically, traffic should flow easily and everyone should get to the right destination on time. If you increase the flow of traffic exponentially, from all different directions and with no merging like a zip, traffic will come to a standstill. Then all the services in the city that rely on the roads grind to a halt - no pizza delivery, no rail-replacement bus home.

What that ends up looking like is a website that can't load or loads slowly, a payment that can't go through, or people's internet being down. The cars on the road can't get to their intended destination.

The distributed part relates to the practicalities of how attackers can best deny service. To overwhelm a big service like a bank, an attacker might struggle to do so from one place, so recruiting many other computers and their network connections provides a way to gang up on the victim. Sometimes the members of this pool are attacking on purpose, but more often the systems doing the attacking have been co-opted in an earlier, separate hack.

The very biggest distributed attacks have been ones where flaws in internet services can be leveraged to attack, such as the one experienced by Amazon in 2020. To understand how big that attack was: 2.3 terabits per second was about the capacity of the entirety of New Zealand's link to the international internet in 2014. (Nowadays, the Southern Cross Cable can handle about 10 Tbps, and there are additional cables.)

Sometimes the security controls companies and network operators put in place to prevent these attacks cause the very problem they're trying to prevent. This is reportedly the cause of last week's internet outage, where service provider Vocus activated their defence mechanisms, but this wrongly deactivated service for thousands more homes and businesses, causing more impact than the original attack. A similar scenario played out for the 2016 Australian census.

While the headlines usually say something like "hackers take website down," one of the important things to know is that the data the websites might hold is usually safe. The attackers aren't inside the system, they're bombarding it from outside.

Of course, the attack could be a distraction to do exactly that. Or, it might be to extort money, as was likely the case when New Zealand's NZX was the victim of several days of DDoS attacks last year. It could be activism, like when "hacktivist" group Anonymous attacked Visa, PayPal and Mastercard. Or it could just be malice.

If it seems like DDoS attacks have had a bit of a renaissance, that may be true. With so many working from home for the past 18 months, people are extremely reliant on digital tools. Technology company Akamai said last year it had seen more customers attacked than in any year since 2003. (Of course, Akamai also sells the tools that businesses can use to protect themselves against DDoS attacks.)

Late last year, the National Cyber Security Centre said that a range of New Zealand organisations had been affected by DoS events. Its report said attackers who are intent on disrupting the availability of systems can be just as damaging as those who seek to steal sensitive information. "[The attacks] demonstrated the ability for less sophisticated malicious cyber activity to have a high national impact. While DDoS activity has been commonplace for more than 20 years, there has in recent years been an increase in the scale and complexity of DDoS activity."

Calculating the cost of denial of service attacks is difficult. But if businesses can't function, then the lost productivity can impact everyone. And with the pandemic forcing many people to work from home, the impact is higher than before - ask any parent trying to work while Zoom school is down.
