How Does a DDOS Attack Happen?

A DDOS attack works when a hacker sends a bunch of bogus traffic to a single target. The target of the attack is then overwhelmed because it is getting too much data. Maybe the system itself is overwhelmed and the target computer does not know how to process all the data. Maybe the Internet connection for the target gets full. Once an Internet connection is full it starts to cause problems for real traffic. Whatever the case, a DDOS often leads to a target becoming inaccessible.

So what can Internet providers do to stop and prevent DDOS attacks from happening? Is there really a solution to DDOS attacks?

The First Thing ISPs Do When DDOS Attacks Happen

When a DDOS attack happens the first step to mitigate it is for the target's Internet service provider (the uplink) to null route the target IP address. This makes the target completely inaccessible and does exactly what the DDOS attacker wanted.

So why null route the target IP address? The reason to null route the DDOS target is that this ensures that other IP addresses are accessible. If there are other IP addresses that are not being targeted by the DDOS, they can now operate as normal.

When a large DDOS is taking place, not only is the target affected, but every device that shares an Internet uplink with the target is affected. When the Internet uplink is full, all devices using that uplink end up having problems.

That is why ISPs will null route the target of a large DDOS. Unfortunately it means that the DDOS attackers are successful, but at least no one else is affected by the DDOS. Without a null route, many more devices may be affected by a DDOS.

The Next Step In Mitigating a DDOS

Once the target IP is null routed the DDOS is under control. Now the target's ISP can take steps to stop the DDOS from taking place or being repeated. Once the target is null routed it is easy to see where the DDOS traffic is coming from. DDOS attackers will continue to send bogus traffic to the target even after the null route is in place.

The target's ISP can use its monitoring tools and find where the DDOS traffic is originating. DDOS stands for Distributed Denial Of Service. The "Distributed" part means that there is no single source of origin for the attack. Instead it is spread out across the Internet. There are many sources.

The target's ISP can make a list of these source IP addresses. It can then contact the ISPs of the source IP addresses. It can send them logs of the attacks and basically say "hey, you have someone in your network attacking us. Fix it!"

The source ISPs can then go through the provided list and see which customers are assigned to the attacking IP addresses. The ISP will contact its customers telling them "hey, this IP address is yours. You are sending out bad DDOS traffic from that IP. Fix it!" and maybe the customer will fix it.
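As an added example (not code from the original post), here is roughly what the target ISP's "make a list of the sources and group them by ISP" step looks like over flow logs: it sums traffic per source IP toward the null-routed target and buckets the sources by the network that owns them, so each source ISP gets one complaint with its own log lines. The flow records and the prefix-to-ISP table are constructed; in practice that table comes from BGP or whois data.

```python
"""Aggregate flow records toward a null-routed target and group the attacking
sources by the ISP that owns them, so one abuse report can go to each ISP."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed NetFlow-style summary lines: "src_ip dst_ip bytes packets"
SAMPLE_FLOWS = """\
198.51.100.7 203.0.113.10 120000 1500
198.51.100.9 203.0.113.10 80000 1000
192.0.2.44 203.0.113.10 500000 6000
192.0.2.45 203.0.113.10 450000 5500
198.51.100.7 203.0.113.10 30000 400
192.0.2.44 203.0.113.99 1200 10
"""

# Hypothetical prefix -> source ISP table (assumption; real data comes from BGP/whois)
PREFIX_TO_ISP = {
    ip_network("198.51.100.0/24"): "ISP-A",
    ip_network("192.0.2.0/24"): "ISP-B",
}

def isp_for(src):
    """Return the ISP whose prefix contains src, or 'unknown' if none matches."""
    addr = ip_address(src)
    for prefix, isp in PREFIX_TO_ISP.items():
        if addr in prefix:
            return isp
    return "unknown"

def sources_toward(flows, target):
    """Sum bytes and packets per source IP, keeping only flows aimed at target."""
    totals = defaultdict(lambda: [0, 0])
    for line in flows.splitlines():
        src, dst, nbytes, npkts = line.split()
        if dst == target:
            totals[src][0] += int(nbytes)
            totals[src][1] += int(npkts)
    return dict(totals)

def abuse_report(flows, target):
    """Group attacking sources by owning ISP: {isp: {src: (bytes, packets)}}."""
    report = defaultdict(dict)
    for src, (nbytes, npkts) in sources_toward(flows, target).items():
        report[isp_for(src)][src] = (nbytes, npkts)
    return dict(report)

if __name__ == "__main__":
    for isp, srcs in abuse_report(SAMPLE_FLOWS, "203.0.113.10").items():
        print(f"To {isp}: {len(srcs)} source(s) sending traffic to 203.0.113.10")
        for src, (nbytes, npkts) in sorted(srcs.items(), key=lambda kv: -kv[1][0]):
            print(f"  {src}  {nbytes} bytes  {npkts} packets")
```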

A really good ISP will actually turn off the customer that is sending the DDOS traffic until that customer fixes the problem.

This process can have many levels. The target of the attack may have an Internet provider who then buys IP transit from another provider who then buys transit from yet another provider.

Same for the source IPs. They may have an ISP that buys transit from another ISP that buys from yet another ISP. When this is the case, the top ISP will pass the complaint down to their customer, who will pass it to their customer, etc.

Not All ISPs Care

The above does not always happen. Sometimes the DDOS attack is so distributed that it is not worth the effort for the target ISP to contact every single source ISP.

Other times target ISPs only contact their own customers if the customer is a source of DDOS traffic and ignore other non-customer ISPs. They know that they are able to leverage their own customers into fixing the issue, while other ISPs might just ignore the complaint.

The source ISP may not have a way to deal with these types of issues. There are plenty of Internet providers that seem to just ignore any type of complaint you send them. China Telecom seems to be one of these. I know of websites that block all traffic from China just because the malicious traffic from those sources seems to never get cleaned up.

Finally, the very end customer might be a residential owner who has an Internet connected camera. This camera got hacked and is now part of a botnet sending out DDOS traffic. The owner does not know how to fix their camera and the manufacturer of the camera has likely not even put out any sort of patches to fix the camera software and prevent it from sending out DDOS traffic.

That is why DDOS attacks will continue for the foreseeable future.