What is a denial of service attack?

Aug 17, 2009, 23 min

Episode description

Recently, Twitter was shut down for a few hours because of a denial of service attack. Join Chris and Jonathan as they discuss the details of denial of service attacks in this podcast from HowStuffWorks.com.


Transcript

Speaker 1

Brought to you by the reinvented two thousand twelve Camry. It's ready. Are you? Get in touch with technology with TechStuff from how stuff works dot com. Hello there, everybody, and welcome to TechStuff. My name is Chris Pollette and I'm an editor here at how stuff works dot com. Sitting next to me, as usual, is senior writer Jonathan Strickland. Hey there, Crispy. Alrighty, then, so what we got on tap for today? Well, what we have on tap to

start us off is a little listener mail. And this listener mail comes from Dorian, and Dorian says, Hey, guys, I really enjoy listening to your podcast. I've been hearing a lot of stuff about an attack on Twitter and Facebook, and I was wondering what that is all about. I heard Twitter was down for several hours, while Facebook took it like a man and was knocked down to about But still, what's going on? Keep up with a great podcast, Dorian.

Thanks, Dorian. Actually I already responded to Dorian to let him know what was going on, but I thought we could talk about what happened in general and then get down to some specifics. So in general, we're talking about a denial of service attack. Yeah. Actually, um, this is nothing new. Denial of service attacks have been going on for quite some time, and part of the reason for that is they're really simple to cause. It's a very

very simple attack on it on a network. Yeah, there's actually a couple of different ways you can you can perform a denial of service attack. The two most common ways really are you can flood a server with requests so that it becomes overwhelmed and then shuts down. Or you can send a special kind of request to a server where you you happen to know that the server has certain vulnerabilities, and by sending us a specific kind of command, it will cause the server to, uh to

essentially have a little bit of a freak out. I mean, it doesn't know how to handle the command, so it ends up shutting down. Um. That way, so in one case you're talking about just sending a stream of attacks, and then another you just it's like a well placed sniper bullet. All right, Then that's that's interesting analogy I hadn't heard before, you know, I'm all about the interesting analogies. Okay, then, so one shot, one kill. Now the the the denial

of service attacks like like Chris was saying, aren't really new. Uh, And really, a a simple denial of service attack isn't the most difficult thing to defend yourself against if you are targeted by one, because a very simple denial of service attack is coming from a single source. Yeah. Um, denial of service can be as simple as sending thousands and thousands of email messages uh to a single server. UM. Basically instead of you know, handling everything one at a time.

There you know, there's a log jam of information going at the server UM, and uh you know pretty soon the computer the other end can't handle it all. I mean, this is not something that you could do, uh if you wanted to crank up you know, Mozilla Thunderbird, You're not gonna be able to to, uh, you know, overwhelm a server by sending it messages one by one. You would have to dump thousands and thousands of messages per second um onto that server in order to overwhelm it. Right.

And so really, you know that the to really understand denial of service attack, you just really get to kind of think about the way uh communication across the web works. Essentially, whenever you are doing anything on the web where you are trying to retrieve information. You are sending out a request from your computer to whichever computer out there on the network happens to hold this information. That computer then sees where this request is coming from and sends the

information to you. So, uh, denial of service takes advantage of this. Um, if you are really clever, when you create your denial of service attack, you will send messages to a computer and your uh, you're essentially your return address will be masked or or um smurfed or spoofed if you prefer. And uh, so the the server will try and respond by sending messages to either a nonexistent IP address or or one that belongs to someone else

that doesn't belong to you. Uh makes it a little more difficult to track where the attacks are coming from. That way, Um, But because that's the way the web works, you know, you send a request and then the server responds. That's how you take advantage of it. I mean, it's it's kind of an obligatory response, right. You can't just ignore it unless you build that into a firewall. Yeah. Yeah, And and that's the whole thing is Uh, the web is doing what it's naturally designed to do in this case.

So I mean, if it didn't work that way, you wouldn't be able to get information when you needed it. You'd load up your web browser, you would go to say, I don't know www. Dot how stuff works dot com? And if it didn't automatically serve up that website, you wouldn't you wouldn't get anything in your browser. The the web just would not work without this kind of process. So that's what the attackers take advantage of. Yep. Now, um uh. Spoofing is one way to mask an attack.

Another way would be to build a massive army of bots, right, or a zombie army as we call it. And then you wouldn't even have to launch an attack from the primary computer at all. You can just have all your you know, zombies attack it for you. Now, this this is a multi step process. Let's say that you are a nefarious hacker who is intent on bringing down some poor company's website. Right, So you are an unscrupulous person and you want to cause lots of damage.

First of all, shame on you, But how would you do this? Well, the first step if you wanted to do one of these attacks, which, by the way, these are called distributed denial of service attacks because the attack is distributed across an army of computers as opposed to coming from just one source. Yeah, makes it which also makes it just that much worse because now it's not coming from one computer, it's coming from lots and lots

of computers. Right, your options become more limited when you are dealing with a distributed denial of service attack. You can't just shut off access from one IP address and hope to be all right, because, of course the attack is coming from every direction imaginable. So the first step in creating one of these attacks is to build

your zombie army. And the way you do this is you create malware, so malicious software and often in the form of a trojan, where you trick innocent people into installing software that will create a backdoor to their operating system, often completely disguised so that it's really really difficult to detect the fact that someone has intruded upon your your computer. And you do this enough times where you compromise enough computers where you can direct all of these computers at

the same time. You can then send usually a pretty simple command to start peppering a target, in this case, the company's server, the one the company that you

wanted to attack in the first place. And you tell all of these computers to start sending thousands upon thousands of messages or requests electronic requests to this one company server all at the same time, and it just becomes a massive attack, and it will eventually, uh either overwhelm the server or I mean, if the if the people working at the company are really clever, they may be able to uh to get around without it bogging everything

down for too long. But usually it'll it will at least cause some massive headaches for a few hours, which is pretty much what happened with the Twitter case. But we'll get into that a little bit more later, okay. UM. Yeah, And and you know, with these situations, the sysadmin, the system administrator UM on the receiving end of this, by this point, probably woken up at two a m. Caffeine free, unshaven and in his jammies somewhere in a big room full of machines that aren't working where they're

supposed to. UM is going to have to try and figure out where this is going. Because UM, for a distributed denial of service attack to work, it has to be targeted at one specific point. That's how it overwhelms the server. So UM he or she is going to try and figure out what port um that attack is coming from is directed toward and shut it down to keep the service from being overwhelmed. The thing is that's where all the other traffic is going through, the legitimate traffic,

so UM, you know there there's a problem here. It's also got to be rerouted. So you basically have to tell the legitimate traffic, Hey, go through this hole in our firewall, use this hole to go send messages to our server, and we'll send him back through this port. And we're not going to tell the guys who are sending these uh attacks against us. And sometimes that restores service pretty quickly, right, and sometimes it takes hours and

hours or even days before service returns. Um. Another another thing I wanted to point out is to make this even more difficult to trace, because I'm sure you can imagine if you are being attacked, if your service being attacked by a zombie army, you know, you start looking at the the the origin of these attacks, you're going to find the victimized computers, you're not necessarily going to be able to trace it back to the original computer the hacker's computer. Um to make that even more difficult

to trace, they can a hacker can use something called reflectors. Now, this is really nasty. This it's different. It's different. That's good that you have those, because I've seen plenty of bikers who have not had those. I'm amazed they're still upright. Um, but no, these reflectors are totally different. So let's get off that tangent right now. The way this works is that the hacker sends a command to the zombie army.

The zombie army's sending requests to other computers, innocent computers that have not been compromised by any sort of malware whatsoever. All right, so these are just average servers and computers across the net. But what the the zombie computers are doing is they're sending it as if the messages were coming from the targeted server. So let's use a let's use a name. Let's say that it's CNN's server. So the the hacker sends the command to his zombie army. The

zombie army all start sending messages to various computers. Across the net as if those messages were coming from CNN. All of those computers and servers respond to this request by sending data to CNN's server, which of course has not sent anything out at this point, so it's getting

responses to messages it has not sent. It gets overwhelmed by the traffic and by the fact that it's getting responses to something that it didn't even do, and then you have your denial of distributed denial of service attack, basically using it against itself. Yes, it's it's both really

clever and really nasty. Yeah, yeah, I would agree with that. Ye. Now, there's a couple of different ways you can talk about, you know, what you should do in case of a denial of service attack, but really the best defense is to just practice smart, safe web behaviors, you know, because the only way denial of service distributed denial service attacks work is for people to download the software that turns their computer into a zombie in the first place. Right

that's true. You you know, you could already have participated in one of these, if you've ever had one of these, you could be participating in one right now. That's true, and you may not even know it. You know, you might have a computer that's running a little slowly, but otherwise you might not realize it. Yeah, So if you if you just practice those safe behaviors, you know, you don't don't go to UH just don't click on on

weird links that you don't recognize. UM. Make sure you have good antivirus and anti-spyware UH software and make sure you're running it regularly and that you keep it updated. Make sure that you install patches when you get them. A lot of the malware, the way it works is that it will target a specific vulnerability that a hacker will find out about a specific kind of operating system. So let's say you're running Windows Vista and

there is a known vulnerability. Well, Microsoft is going to release patches that patch the security holes on on a fairly regular basis, but you have to install them for them to work. If you don't update your system, it will remain vulnerable. So, I mean, we talk about in the office a lot about how annoying it is to get system updates that require you to reboot your system, and it it takes forever to download them, I mean,

like yesterday. Yeah. But on the other hand, if it means that it prevents your computer from becoming part of a zombie army. That's a good thing. So, I mean I'm irritated by them too. But so now we we talked about the flooding ones, let me just talk a little bit about the other kind, which is that's the kind that send um an attack that that just sort of confuses the computer. Um. That's a it's a really a logic or a software attack. And there's several different

kinds of that as well. And this is just where you you come up with a command, uh that gives a computer trouble. It just it's not able to try. It's not really able to execute the command as um. It should be able to. It tries to, but it can't. Like when you divide one by zero and it gets stuck in an infinite loop something like that, or or you ask a robot a paradox and then it explodes. Yes, when the owner of the robot finds out right, Yeah, I was thinking of the Futurama episode with the Evil

Santa Claus robot. They say, well, if you if you are, if you're programmed to kill everyone who's naughty, isn't that naughty? And doesn't that mean you should kill yourself, which, by the way, is not actually a paradox, but that that's

what they called it in the episode. Um, but yeah, it's the equivalent of that, you're sending a computer a a question that it is not able to answer, and uh that again, it's one of those things where once you realize that this is a problem, you can adjust the computer's programming so that it no longer uh has that trouble. But you know, you have to you have to identify the problem first before you can fix it, obviously, right, all right, my therapist tells me that nice. I have

no response to that. All right, So let's talk about the first you heard it here. Let's talk about the Twitter attacks, shall we. Okay, so what happened with Twitter? And at the time that we're recording this, actually we're we've gotten really close between recording and publishing right now,

so uh, this will go live pretty quickly. But the the attack that happened on Twitter, um a while ago, in a short while ago, was a kind of denial of service attack, and it was interesting because it wasn't meant to necessarily take down Twitter or Facebook or LiveJournal. LiveJournal was another site that was affected by this attack. Um. In fact, this attack was specifically targeted at a particular individual yep, a professor in fact, um who was sort of providing a place for refugees

from from the from Georgia, the country, not the state. Um. And it was some possibly Russian hackers that that targeted this person's accounts and UH as a result, the site

suffered collateral damage. Twitter the worst of all of them, yep, yep. Well, it's just one of those things where they were they were trying apparently you know, of course they haven't exactly stepped forward and said, yes, we're just trying to get this one guy sorry the rest of you, right, um, But yeah, they were apparently trying to silence him or at least you know, on the web. And UH, in the meantime, managed to take down Twitter for several hours,

not even a fail whale. Yeah, some of us, some of us were having difficulty coping that day. A few of you, yes, yeah, some of you out there were probably having trouble. Um. I was in a corner weeping for most of that day for those of us who were trying to work. Yeah, I'm sorry about that. Uh, the corner being the corner of Chris's desk because you know, it's comfy over there. But yeah, it was bad, and of course, you know you, you know, you're the first reaction.

Anyone has a Twitter's down. I should tweet about that. Oh wait, I can't lematic. Yeah, there's sort of a circular problem there. So the other interesting thing about this is that by doing this attack, and by causing all this collateral damage, the hackers pretty much guaranteed that way more attention is being directed towards this this person they were trying to silence than they had anticipated. And uh that may have actually hurt them more than helped them. True. Yeah,

it sort of makes a digital martyr anyway. Well, and and now more people are aware of this person and the message that he is trying to to convey. And so really it's this was probably well, I mean, it was already a bad thing to do, period, but it was definitely a mistake on their part. I think so. But that's exactly what happened, you know, you have someone was using a sledgehammer to take care of a very precise problem that they perceived. So fifty bit of alliteration there,

thank you. I I was not intending to do that, but it just kind of happened. So we'll really that's pretty much what I have about on denial of service attacks. Yeah, it's um it's one of those things that is amazingly simple. Yet when you factor in some of the things, like you know how to stop them, and uh, you know, the different kinds of attacks and some of the nasty

new twists they're throwing in, you know. I mean, we can always hope that as consumers get more savvy about computer security that these sort of attacks will decrease in number, because again, it does really depend upon uh, the individual victims trying to install this code on their computers to to make themselves part of the zombie army for it to work. The distributed ones anyway, the straight up denial

of service of course, could be done by anyone. UM, and be a computer skeptic, you know, don't just install random things that get sent to you from people, even from people you trust, because sometimes these programs use their email boxes and you know, they go through the contact lists and everything to everybody that they know and oh, well, hey, you know, if John installed this, then I should too. You know, John didn't mean to install that he thought

it was something else, and so did you. Yeah, it's a domino thing, and if one person gets uh, gets compromised, then it may may mean that everyone they know then follows suit. And then of course it spreads out that you know what that is. That's a web Yeah, and it's worldwide or a shampoo commercial. Oh yeah, and they called two friends. Um, but yeah, so that's a that's denial of service in a nutshell. Uh. I hope you guys kind of have a better grip on the concept.

It's um, it's interesting stuff, and I'm sure it'll be a tactic that people use for for years to come because there are a lot of people with spare time on their hands and chips on their shoulders, and it is so innate to the web that it's just it's just gonna be one of the first things that people try when they want to take down a website. Well, since, uh, since we've exhausted that topic, I think it's time for

just a little more listener mail. Then all right, and this listener mail on me scroll all the way and so I can get the name right. Comes from Alan from the University of North Carolina, Chapel Hill so a tar heel. I guess uh and Alan actually wrote a very nice email, very and it was a pretty long one, so I'm gonna have to summarize part of it, but I'll read the beginning here. Hey guys, First of all, I love the show and then listened since the beginning,

Thanks a lot, Alan. I have a minor correction about the August fifth podcast on cell phone interference, but it has nothing to do with the subject material. Y'all misspoke by putting a the in front of Mayo Clinic. They are sticklers up there about it because they feel that putting a the diminishes the respect that the name of the hospital gives to the founder, Dr Mayo. Leaving it as simply Mayo Clinic without any article pays more homage

to the patient, first staff, second philosophies that Dr mayor Mayo. Sorry, wow, I just made it worse made so successful. Well, thanks a lot, Alan. Um. I did not know that. I've always it as the Mayo Clinic. Yeah, and it kind of makes sense that definite article would be in there. It kind of makes it makes it weird. It's you know, it's one of those things like yourself from the clinic. But Alan also had a couple of other little points.

He had mentioned that he had been in the hospital several times and that I have never had a problem with any hospital staff about using his cell phone, so he wanted to point that out. And he also wanted to point out the episode of MythBusters where the MythBusters

tested the myth about cell phones being dangerous on planes. Now, they weren't allowed to take a plane up into the air and test their theories, which I mean for obvious reasons, because if they were in fact dangerous, you no longer have a show true, you have myth busted into tiny,

tiny pieces. So what they did was they had to do all their tests on the ground, but they tried to replicate the the as much of the scenario as they possibly could, including changing the pressure and all that kind of stuff, and they found that there was no appreciable um effect on the airplane's systems through any modern cell phone. A cell phone and older cellphone might be able to cause a little bit of interference, but anything within the last five years or so, UM not so much.

So thanks a lot Alan for pointing that out and for promoting one of discovery shows. That was great. We didn't have to do it ourselves because Alan did it for us. All right, then, if any of you have anything you'd like to say to us, you can email us. Our email address is tech Stuff at how stuff works dot com. If you want to learn more about computer security, I highly recommend you visit our site how stuff works dot com. Crispy and I will talk to

you again really soon. For more on this and thousands of other topics, visit how stuff works dot com and be sure to check out the new tech stuff blog now on the how stuff works homepage, brought to you by the reinvented two thousand twelve Camry. It's ready. Are you?

Transcript source: Provided by creator in RSS feed