Why Are We So Bad at Stopping DDoS Attacks?

Flickr/Nico Kaiser

Friday morning a DDoS (distributed denial of service) attack caused an outage for sites including Reddit, Twitter and Spotify on the East Coast of the United States and in some areas of Europe. While internet users mourned over “this site can’t be reached” notices, the team at Dyn — the DNS host that was attacked — was busy getting its servers back up. The FBI and the Department of Homeland Security have also gotten involved in investigating the attack. DDoS attacks are getting more and more common, but the trick is one of the oldest in the hacker toolkit. So why are we still so bad at preventing them?

A distributed denial of service attack requires a flood of access requests from many different machines, oftentimes controlled by a single hacker using a bot — a hostile program that controls other machines. One of the fundamental reasons DDoS attacks are so efficient is that many DNS services can’t tell the difference between a legitimate request and the bulk packets sent by the connected devices taking part in an attack. In the past, experts have used router filtering and over-provisioning of bandwidth (making more available than day-to-day traffic needs) to absorb attacks. But digital security has fallen behind advances in hacking. Firewalls, the most common form of server protection, were designed for the internet of the ’90s, not 2016. One of the only ways to mitigate damage, according to Cisco’s security team, is to passively monitor traffic, so that bad traffic can be separated from legitimate traffic when an attack occurs.

But many security experts argue that this isn’t enough. They say modern DDoS attacks are unpreventable and that the best way to limit damage is early detection. Unfortunately, that has become harder to do as freeware tools grow more advanced, driving down the cost of renting bots that let a hacker control many internet-connected devices at once. While a DoS attack can be stopped by blocking the responsible IP address, it is far harder to block or divert traffic coming from thousands of different servers.
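To make the last point concrete, here is an added illustration that is not code from the original article, from Dyn or from Cisco: a small defender-side script that runs a rate check over constructed query-log lines and reports how many sources would have to be blocked to remove most of the flood. The log format, the addresses (RFC 5737 documentation ranges), the warm-up window and the thresholds are all assumptions chosen for the example.

```python
"""Added example, not from the original article: why blocking one IP address
stops a single-source DoS but not a distributed one. Everything below
(log format, addresses, thresholds) is constructed for illustration."""
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

Event = Tuple[int, str]  # (second, source_ip)


def parse_log(lines: List[str]) -> List[Event]:
    """Parse constructed query-log lines of the form '<second> <src_ip> <qname>'."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:          # skip blank or malformed lines
            continue
        events.append((int(parts[0]), parts[1]))
    return events


def per_second_sources(events: List[Event]) -> Dict[int, Counter]:
    """Count queries per source address for every second in the log."""
    buckets: Dict[int, Counter] = defaultdict(Counter)
    for second, src in events:
        buckets[second][src] += 1
    return buckets


def sources_to_cut(counts: Counter, fraction: float) -> int:
    """How many of the busiest sources must be dropped to remove `fraction`
    of the traffic in one bucket. A small number means IP blocking works."""
    target = fraction * sum(counts.values())
    removed, n = 0, 0
    for _, c in counts.most_common():
        if removed >= target:
            break
        removed += c
        n += 1
    return n


def analyze(lines: List[str], warmup_seconds: int = 3,
            flood_factor: float = 3.0, per_source_limit: int = 20) -> dict:
    """Flag a flood when the peak second exceeds flood_factor x the warm-up
    baseline, then judge whether per-source filtering would help."""
    buckets = per_second_sources(parse_log(lines))
    # Baseline: mean queries/second during the warm-up window (assumed clean).
    warm = [sum(buckets[s].values()) for s in range(warmup_seconds) if s in buckets]
    baseline = sum(warm) / max(len(warm), 1)
    peak_second = max(buckets, key=lambda s: sum(buckets[s].values()))
    peak = buckets[peak_second]
    peak_qps = sum(peak.values())
    result = {"baseline_qps": baseline, "peak_second": peak_second,
              "peak_qps": peak_qps, "flood": peak_qps > flood_factor * baseline}
    if not result["flood"]:
        result["verdict"] = "normal"
        return result
    # Offenders are sources that individually exceed the per-source limit.
    offenders = [ip for ip, c in peak.items() if c > per_source_limit]
    offender_share = sum(peak[ip] for ip in offenders) / peak_qps
    result.update(offenders=sorted(offenders), offender_share=offender_share,
                  sources_to_cut_90=sources_to_cut(peak, 0.9),
                  top_talkers=[ip for ip, _ in peak.most_common(5)])
    if offender_share >= 0.5:
        result["verdict"] = "single-source flood: block or rate-limit offenders"
    else:
        result["verdict"] = "distributed flood: per-source blocking is ineffective"
    return result


def make_log(attackers: List[str], queries_each: int,
             attack_seconds=(3, 4, 5)) -> List[str]:
    """Constructed log: five legitimate clients at 2 q/s for six seconds,
    plus the given attackers sending queries_each per second during the attack."""
    lines = []
    for sec in range(6):
        for i in range(1, 6):
            lines += [f"{sec} 192.0.2.{i} example.com"] * 2
        if sec in attack_seconds:
            for ip in attackers:
                lines += [f"{sec} {ip} example.com"] * queries_each
    return lines


# Same peak rate (210 q/s) in both cases; only the distribution differs.
SINGLE_SOURCE = make_log(["198.51.100.7"], 200)
DISTRIBUTED = make_log([f"203.0.113.{i}" for i in range(1, 201)], 1)

if __name__ == "__main__":
    for name, log in (("single-source", SINGLE_SOURCE), ("distributed", DISTRIBUTED)):
        r = analyze(log)
        print(name, "|", r["verdict"], "| sources to cut for 90%:",
              r["sources_to_cut_90"], "| top talkers:", r["top_talkers"])
```

Both constructed floods peak at the same 210 queries per second, so a pure rate threshold catches both. The difference shows up afterwards: in the single-source case one address carries 95% of the peak and dropping it is enough, whereas in the distributed case no source exceeds the per-source limit, the five busiest addresses in the peak second are the legitimate clients, and removing 90% of the traffic would mean blocking 184 distinct sources. That is the practical reason the article gives for why early detection, rather than address-based blocking, is what defenders lean on against a distributed attack.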

And there’s more bad news. Last month a hacker released the source code for Mirai, malware that takes control of IoT devices and uses them for large-scale DDoS attacks. A botnet built on Mirai launched a 620 Gbps attack on security blogger Brian Krebs’s website last month. Right now, offensive DDoS technology has the upper hand, and no website is safe.