WIRED: If you know you can fight off the bad guys, you'll also know you can cope with unexpected internet fame, too, writes DANNY O'BRIEN
A WEBSITE documenting unheard stories and censored news from inside China; Russia’s leading independent newspaper; the Dalai Lama’s main computer systems; a Vietnamese site commenting on China-funded bauxite mines in the north of the country.
What do these small, volunteer-run services have in common with some of the largest e-commerce websites? They’ve all been the victims of distributed denial-of-service (DDOS) attacks.
DDOS attacks are nothing new. At heart, such an attack chokes an internet server to death by sending it too much traffic. The server can’t cope with its popularity: it dies either because it runs out of processing power or because its net connection is filled to capacity.
In the early days of the internet, when audience growth was straining the capabilities of new websites, it was almost common for sites to fall over due to demand. Now, DDOS attacks are rather more deliberate.
Criminals use them to hold e-commerce sites hostage via a simple protection racket. They bring down the servers once, as a shot across the bows, then ask for a fee to make sure “it doesn’t happen again”.
For unpopular websites under authoritarian regimes, DDOS attacks are a targeted and peculiarly effective form of censorship. In the cases of commercial sites, these attacks have the potential to cost millions of dollars in lost sales.
For struggling independent online media in authoritarian countries, DDOS can wipe them off the net. It can transform them into internet refugees, moving from one hosting provider to another and rejected by each because of the dangers of attracting too much traffic.
It may seem strange that a site can become persona non grata at a web-hosting service for being too popular on the net, but the amount of data that criminals and rogue nations can throw at a single site is leagues beyond the spikes in traffic that most of us can expect in our wildest dreams of popularity.
The traffic is generally enough not only to take down the intended victim but also to disrupt other computers sharing the same host, and even ISPs and networks further upstream from the sources of the attack.
In one case, exiled Burmese news websites based in the nearby Thai capital of Bangkok found themselves not only unable to disseminate news of protests in Burma, but actively threatening the speed of international links for the whole of Thailand.
The source from which all this fake traffic comes isn’t easy to filter. Malware-infected personal computers, remotely co-ordinated in the hundreds of thousands, can be commandeered to hit individual targets from all over the world – hence the “distributed” part of the name. It is hard to find the real co-ordinators of the attack.
In the case of criminal protection rackets, investigators can follow the money. Most of the politically motivated attacks hint at their funders, simply by the choice of target. The Dalai Lama, for instance, just doesn’t have that many enemies.
What can be done? Given the (perhaps implausible) deniability of DDOS, diplomatic condemnations are hard to engineer.
Most governments which indulge in this kind of shady behaviour are assumed simply to hire the same hacking gangs – although the Vietnamese authorities have been suspected by some security professionals of running their own malware horde, infected by a government-recommended Vietnamese keyboard utility.
Going after the criminal gangs is the most proactive route.
There are ways to fend off DDOS attacks, but it costs time, money and expertise to prepare your defences and most companies and publishers are unprepared for being the next target. The attack itself makes it much harder to switch to a better-defended host.
How do you contact anyone when your own machines (including, perhaps, your mailservers) are swamped with fake traffic? How do you move your data to a new website when no one, including you, can reach the data on the current server?
The simplest step is to ensure that you can point your domain name at another computer quickly and separately from the rest of your network and your hosting provider. Having independent control of your domain name service will let you switch to another, perhaps better protected website, and means that you won’t get caught out if your host suddenly decides that you’re no longer a viable customer.
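As an added illustration (not part of the original column), the check below reads dig-style DNS records and flags what would stop a site being repointed quickly: nameservers run by the hosting provider or sitting on the site's own network, and a long TTL on the address record. The domain names, addresses, the 300-second TTL threshold and the /24 "same network" test are assumptions chosen for the example.

```python
import ipaddress

# Constructed sample in dig answer-section format: name, TTL, class, type, value.
# Names are reserved example domains; addresses are documentation ranges.
SAMPLE = """\
news.example.          86400 IN A  192.0.2.10
news.example.          86400 IN NS ns1.cheaphost.example.
news.example.          86400 IN NS ns1.news.example.
ns1.cheaphost.example. 3600  IN A  198.51.100.53
ns1.news.example.      3600  IN A  192.0.2.53
"""

def parse(text):
    """Return (name, ttl, rtype, value) tuples from dig-style lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[2] == "IN":
            rows.append((parts[0].lower(), int(parts[1]), parts[3], parts[4].lower()))
    return rows

def audit(text, site, host_domain, max_ttl=300, prefix=24):
    """List reasons the site could not be repointed quickly during an attack."""
    rows = parse(text)
    addrs = {}
    for name, _, rtype, value in rows:
        if rtype == "A":
            addrs.setdefault(name, []).append(ipaddress.ip_address(value))
    # Assumption: sharing a /24 with the web server means sharing its network.
    site_nets = [ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
                 for ip in addrs.get(site, [])]
    findings = []
    for name, ttl, rtype, value in rows:
        if name != site:
            continue
        if rtype == "A" and ttl > max_ttl:
            findings.append(f"A record TTL {ttl}s: caches may keep the old address that long")
        if rtype == "NS" and value.endswith("." + host_domain):
            findings.append(f"{value}: nameserver run by the hosting provider")
        if rtype == "NS" and any(ip in net for ip in addrs.get(value, []) for net in site_nets):
            findings.append(f"{value}: nameserver on the same network as the site")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, "news.example.", "cheaphost.example."):
        print(finding)
```

An empty result means the domain's nameservers sit outside both the hosting provider and the site's own network, and the address record expires from caches within the chosen threshold.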
If you have enemies out there, you might want to consider talking to your IT staff about how best to defend your site against a suspicious spurt of traffic. Even if you don’t, you might like to ask them to simulate what it might look like if you were popular for a day.
DDOS might sound sinister, but in practice, even a good review or an international headline can turn a firehose of attention on your site. If you know you can fight off the bad guys, you’ll also know you can cope with unexpected internet fame, too.