What is a DDoS Attack, and why is it bringing my site down?
A "Distributed Denial of Service," or "DDoS" (say, "DEE-doss") attack, is a deliberate effort to bring a website or web hosting provider offline.
Web servers operate by responding to requests from end users. When you navigate to a website, your computer sends a request to the server that hosts that site. The server responds to the request by delivering the site's data - pages, images, and so on - to your browser.
That's all well and good while the amount of incoming requests remains reasonable. The trouble begins when the amount of incoming requests rises dramatically. A huge spike in requests in a short amount of time can overwhelm a server. This can be achieved by using a large network of computers that are connected to the internet and which are silently infected with a virus. These viruses (and there are plenty of them) allow unknown, remote third parties to commandeer the infected machines, and instruct all of them to bombard a specified web server with requests, one after another, without stop. The result is a flood of incoming requests which would all be innocuous when taken individually, but collectively are enough to overwhelm and bring down a server. The server is not actually taken offline, it's just so busy trying to respond to so many incoming requests that it's unable to actually send any site data out to the requesting users. The end result is the same, though: end users are not able to receive site data from the server.
A single webserver can be brought down by a small DDoS attack - that is, an attack that's carried out by a relatively small number of infected machines (in online security parlance, these infected machines are called "bots," and a group of them acting together is called a "bot-net." Bot-nets are often created by sophisticated criminals and rented out to whoever has the money and motivation to use them.) Webservers located in a large and well-managed datacenter (such as Finalsite's servers) are more resistant to DDoS attacks, but all that really means is that it takes a larger bot-net to knock them offline.
One benefit of a datacenter is the efficiency gained by 'pooling' servers so that they host many sites at once. In Finalsite terms, this means that a single webserver hosts the sites for numerous schools. If somebody directs a DDoS attack against a particular school, the hosting server itself is affected. Consequently, the other school sites hosted by that server will suffer the same attack. If the attack is large enough, the illegitimate traffic can cause enough congestion on the network that all sites in the entire data center can become inaccessible. This is why a site that's not directly targeted by a DDoS attack can still be brought offline. (This kind of additional collateral damage is part of the appeal of a DDoS attack for people who're up to no good. It's not at all uncommon for malicious hackers to target DDoS attacks randomly, in fact - they're not out to take down a particular website, they just want to test a new bot-net, practice for a 'real' attack against a higher-profile target, or occasionally want to simply wreak havoc for kicks. You can imagine how we feel about these folks.)
How is a DDoS attack defeated? How soon will my site be back up?
When Finalsite's datacenter detects a DDoS attack on any of our servers, automatic procedures immediately begin working to mitigate the flood of malicious requests. The incoming bot-net traffic is identified, isolated, and redirected to a non-existent server so that it no longer reaches the intended target. (The detection and mitigation tools are sophisticated enough that, by the time a partner schools notice the issue and reports it to us, the defense procedures have already begun to respond.) The amount of time this process takes to complete depends on how hard the datacenter is being hit with DDoS requests, but usually takes less than half an hour. If an attack is particularly large (i.e., coming from a large number of bots spread all across the web, and geographically all across the world), then the response time will take longer. Additionally, the sophistication of bot-net attacks is always increasing, and the largest attacks will use anti-mitigation strategies to press the attack even after the datacenter begins its defense.
Is my site's private information exposed during a DDoS attack?
It's important to note that a DDoS attack is NOT a security breach. At no time is a server's confidential data exposed, or even made vulnerable. A security breach would be equivalent to a bank robbery; a DDoS attack would be more like causing a traffic jam on the street to prevent customers from getting in the bank's front door.
What can be done to prevent this?
Right now, nothing can prevent hackers from perpetrating a DDoS. DDoS attacks exploit a vulnerability in the fundamental structure of the internet - the very basics of how servers exchange web traffic. To prevent DDoS attacks, we'd need to rewrite the software that powers and enables the internet. Rapid detection and mitigation are our best weapons, and we are continually working to improve the methods and technologies to detect and mitigate these attacks.
DDoS attacks occur everyday, all over the web. Any and every web host or datacenter will come under attack at some point. As the sophistication of the attacks increases, so too do the defenses against them. Finalsite is on the beta test list for new methods to combat DDoS attacks and keep our hosted sites up and available. As new defense technologies become available, they're tested, evaluated, and implemented when they prove to be effective.
Will Finalsite tell us when a DDoS attack takes place?
If you notice that your site appears to be inaccessible, you can check status.finalsite.com to see what's going on - when we detect incoming DDoS attacks, we'll post a notification there. You can also subscribe to Alerts on the Status page; whenever we post an update, it will automatically be sent out to you. After DDoS attacks have been fully deflected, Finalsite's data center team will put up a post-mortem report to explain what happened and how we responded to it.
Please Sign in to leave a comment if you don't see the comment box below.