You may occasionally hear about cyber-attacks in the news. The ones reported in the mainstream media often fall into two categories: data breaches and DDOS attacks. Data breaches are cyber-attacks in which data is copied from computers; often this is user data such as email addresses and passwords. A DDOS attack is an entirely different type of cyber-attack, with few similarities to traditional hacks.
Most cyber-attacks are intended to gain access to a system and then do something that earns money, such as selling stolen data or ransoming access. A DDOS attack is instead designed to deny everyone access to the target. DDOS stands for Distributed Denial Of Service; the attack uses a network of bots, known as a "botnet", to overwhelm a website or other internet-connected service with traffic, to the point where either no legitimate users can reach it or the servers crash.
How does a botnet work?
Creating this much network traffic would be essentially impossible for one computer, so hackers build a network of bots that they can program to do their bidding. Generally, the bot software is distributed through standard malware methods and infects as many devices as possible. The infected devices then connect back to one of a few Command and Control servers, also known as C&C or C2 servers. The hacker in charge of the botnet issues commands to the C2 servers, which relay them across the entire network. The bots then perform a single task all at once; as stated earlier, this is generally just generating as much network traffic as possible and sending it all to an unlucky target.
The intent of the layered system of C2 servers and bots is to make it difficult to tie the activity to the original hacker. Like other forms of hacking, DDOS attacks are illegal; the problem is that the bots running the attack are actually owned by innocent third parties whose devices have been infected with malware.
Botnets use two techniques to attack: direct attacks and amplification attacks. Direct attacks send as much traffic as possible directly from each bot in the botnet. Amplification attacks rely on abusing certain protocols that have two specific features: a spoofable source address and a response that is larger than the request. Each bot sends requests with the source address spoofed to be that of the target, so legitimate servers reply to the target with large responses. Amplification attacks can result in far more traffic than direct attacks.
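The amplification mechanism above has a useful defensive signature: the target receives large UDP "responses" on well-known service ports that it never sent a request for. The following added example (not code from the original article) computes the amplification factor and scans a constructed, NetFlow-style list of flow records for such unsolicited responses; the record layout, the host addresses and the set of reflector ports are assumptions for illustration.

```python
from collections import defaultdict

# Ports of UDP services commonly abused as reflectors (assumption for this example).
REFLECTOR_PORTS = {53, 123, 161, 1900}

# Constructed flow records, not real traffic:
# (src_ip, src_port, dst_ip, dst_port, proto, bytes)
FLOWS = [
    # a legitimate DNS lookup sent by the protected host, and its normal reply
    ("203.0.113.10", 40001, "198.51.100.5", 53, "udp", 60),
    ("198.51.100.5", 53, "203.0.113.10", 40001, "udp", 120),
    # large DNS/NTP "responses" with no matching outbound request: reflection
    ("192.0.2.1", 53, "203.0.113.10", 51234, "udp", 3500),
    ("192.0.2.2", 123, "203.0.113.10", 51234, "udp", 4400),
    ("192.0.2.3", 53, "203.0.113.10", 51234, "udp", 3500),
    # ordinary TCP traffic, ignored by the check
    ("192.0.2.9", 443, "203.0.113.10", 51234, "tcp", 1500),
]


def amplification_factor(request_bytes, response_bytes):
    """Bandwidth amplification: bytes delivered to the target per spoofed byte sent."""
    return response_bytes / request_bytes


def find_unsolicited_responses(flows, protected_hosts, reflector_ports=REFLECTOR_PORTS):
    """Report UDP responses from reflector ports that no protected host requested."""
    # Every outbound UDP request a protected host made, keyed by its 4-tuple.
    requests = set()
    for src, sport, dst, dport, proto, _ in flows:
        if src in protected_hosts and proto == "udp":
            requests.add((src, sport, dst, dport))

    hits = defaultdict(lambda: {"flows": 0, "bytes": 0, "reflectors": set()})
    for src, sport, dst, dport, proto, nbytes in flows:
        if dst not in protected_hosts or proto != "udp" or sport not in reflector_ports:
            continue
        # A genuine reply mirrors a request we saw leave the host; reflected traffic does not.
        if (dst, dport, src, sport) in requests:
            continue
        hits[dst]["flows"] += 1
        hits[dst]["bytes"] += nbytes
        hits[dst]["reflectors"].add(src)
    return dict(hits)


if __name__ == "__main__":
    print(find_unsolicited_responses(FLOWS, {"203.0.113.10"}))
```

In a real deployment the same check runs over flow exports from the edge router; a sudden rise in unsolicited responses from many distinct reflectors is the signal to engage upstream filtering.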