Kin Lane

Observability Is Needed to Quantify A DDoS Attack

The FCC released a statement from the CIO's office about a Denial-of-Service Attack on the FCC comment system, after John Oliver directed his viewers to go there and "express themselves". Oliver even published a domain (gofccyourself.com) that redirects you to the exact location of the comment system form, saving users a number of clicks before they could actually submit something. I am not making any linkage between what John Oliver did, and the DDoS attack claims from the FCC but would like to just highlight the complexity of what is DDoS, and how it's becoming an essential tool in our Cybersecurity Theater toolbox.

According to Wikipedia, "a denial-of-service attack (DoS attack) is a cyber-attack where the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled." It is a pretty straightforward way of taking down a website, application, and increasingly devices, but it is one that is often more theater than reality.

There are two sides of the DDoS coin: 1) how many requests an attacker can make, and 2) how many requests an attack receiver can handle. If a website, form or another service can only handle 100 requests in any second, it doesn't take much to become a DDoS attack. I worked at a company once, where the IT director claimed to be under sustained DDoS attack for weeks, crippling business, but after a review, it turned out he was running some really inefficient services, in an under-resourced server environment. My point is, that there is always a human making the decision about how many requests we should handle before things are actually are crippled, either by limiting the resources available before an attack occurs or by cutting off scaling up existing infrastructure because it would cost too much to achieve.

There are variations of the DDoS attacks, sometimes called a "cash overflow" attack, where a website operates in a scalable cloud, and can handle a large volume of requests, but eventually will cost a provider too much, and they will cut if off because they can't afford to pay the bill. A DDoS attack can be successful for a variety of reasons. Sometimes providers don't have the infrastructure to support and scale to the number of requests, sometimes providers can't afford to scale infrastructure to support, and other times a provider just makes the decision that a website, form, or device isn't worth scaling to support any level of demand beyond what is politically sensible.

I'm sure that many DDoS attacks are legitimate, but I know personally that in some cases they are also a theater skit performed by providers who are looking to cry foul or stimulate a specific type of conversation or response from a specific audience. I just think it is important to remember the definition of what a DDoS attack is, and always think a little more deeply about the motivations of both the DDoS attacker, as well as those under attack, and the political motivations of everyone involved, as well as the resource they have to contribute to the two-way street that is a distributed denial of service attack (DDoS)