You’ve probably heard the term before. Such-and-such company got hit with a Denial of Service (DOS) attack. But do you know what that actually means? If not, this will give you a quick overview.
First, The Bad News
There’s no defense against a Denial of Service attack. None at all. The best you can do is to have a really robust server, capable of handling all the traffic you think you’re going to get. Even then, someone with enough determination or a big enough botnet can overwhelm you.
The reason is that no matter how expensive and bleeding edge your server is, it’s got limits. Once those limits have been exceeded, your site is going down, period. The slightly less bad news is, today’s servers are really robust, and it takes quite a lot to knock them off their stride.
So What Is It?
When you surfed your way to this article, you sent a request to the server that hosts the site this page lives on. Your request took some server resources to process, and a few more resources to actually serve the page up to you. It didn’t take many resources, but it did take some. It takes some more for every other person who’s reading this article at the same time you are. Each one of them sent a request to the server, and got served the page.
Now, imagine if you had control of a botnet of, say, three million computers. What would happen if you told all those computers to hit this page at the same time, and then to keep hitting it, that is to say, to keep refreshing the page and renewing the request to serve the page?
The server would respond to each of those requests, or at least it would try to. There would come a point, though, when the server just got overwhelmed. Its resources would get maxed out, and your site would simply stop working; that’s a Denial of Service attack.
It’s Not An Accident
Note here that DOS attacks are always intentional and planned, but they’re not the only reason that a server can get swamped. One recent example is the FCC’s website. When the FCC published their proposed new rules which would have effectively ended Net Neutrality, so many people flooded in to leave comments in protest that it crashed the server. That wasn’t a DOS attack, but it had the same impact.
Another example happened to nearly every news site on 9/11. Everyone was desperate for news and information and there was a period of several hours when the news servers just got blown offline because everyone was rushing in to see what had happened.
As mentioned, there’s really no defense against it, but there are some things you can do to reduce the likelihood of a successful DOS attack. For instance, most big companies that see lots of traffic run mirrored sites, so they’ve got multiple websites that are all exactly the same, each with a dedicated server. If traffic gets heavy on one, they can re-route to a mirror site. The user doesn’t notice this, or even care. It’s all the same information. Of course, even in these cases, unless you build your capacity to handle literally every device on the net hitting your servers at the same time, a determined attack will bring you down. Since it’s prohibitively expensive to build that kind of capacity, there’s essentially no defense.
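The mirror re-routing described above can be worked through as a small capacity model. This is an added example, not part of the original article; the names `Mirror`, `route` and `simulate` and all capacity and traffic figures are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Mirror:
    name: str
    capacity: int      # requests this mirror can serve per second (constructed)
    served: int = 0    # requests it served in the most recent second


def route(mirrors, demand):
    """Dispatch one second of traffic across identical mirror sites.

    Fills the first mirror up to its capacity, re-routes the overflow to
    the next one, and returns how many requests no mirror had room for.
    """
    remaining = demand
    for m in mirrors:
        m.served = min(m.capacity, remaining)
        remaining -= m.served
    return remaining


def simulate(capacities, demand_per_second):
    """Return one (demand, served, dropped) tuple per second of traffic."""
    mirrors = [Mirror(f"mirror-{i}", c) for i, c in enumerate(capacities)]
    results = []
    for demand in demand_per_second:
        dropped = route(mirrors, demand)
        results.append((demand, demand - dropped, dropped))
    return results


# Constructed figures: three mirrors at 1000 req/s each, and a traffic
# curve that climbs from a normal day to well past total capacity.
CAPACITIES = [1000, 1000, 1000]
TRAFFIC = [400, 1800, 3000, 12000]

if __name__ == "__main__":
    for demand, served, dropped in simulate(CAPACITIES, TRAFFIC):
        pct = 100 * dropped / demand
        print(f"demand={demand:>6}  served={served:>5}  "
              f"dropped={dropped:>5}  ({pct:.0f}% of users get no page)")
```

Mirrors absorb everything up to their combined 3000 requests per second. Past that, every extra request is dropped no matter how the traffic is routed, and the model cannot tell a flood of genuine visitors from an attack.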