Is "DDoS" Really a Vulnerability?
I was reading an article in the October 2009 Reader's Digest about a young fellow named Michael Calce, a.k.a. Mafiaboy, who (according to Reader's Digest) was the teen hacker who crashed Yahoo.
His actions are not being brought into question on this blog, nor the lack of moral back-bone which would have precipitated his actions. No, this blog post is about the issue of DDoS itself.
If you don't know, a DDoS (Distributed Denial of Service) attack is, in the simplest terms, when a huge collection of hijacked computers (called a Botnet) is directed to begin making simple internet requests against a single server/service all at once, thus flooding the bandwidth. It is different from a DoS (Denial of Service) attack in that there is no real software "bug" being exploited (such as the old Windows "ping of death").
The Reader's Digest article refers to the panic that erupted when big internet sites (like Yahoo) were being crippled by these DDoS attacks, because of how "vulnerable" the internet was. And this is where I take exception. The internet, as such, isn't vulnerable at all - individuals and operating systems are. I can pretty much guarantee that no Unix/Linux/Mac machines were involved as slave botnet machines (since Windows has a history of being a playground for hackers). If people took greater care to protect their computers, there'd be no possibility of these massive botnets (and suddenly the "vulnerability" evaporates).
Internet Service Providers (ISPs) don't help the problem. I worked for an on-line payment system once which came under a DDoS attack. The ISP can see where the traffic is coming from, and where it's going to. The logical step by the ISP would be to cut off the obviously infected machines from their network. Heaven forbid that we follow logic, though. No, the ISPs (in this case Rogers and AT&T) actually cut off all access to our server, thus aggravating the problem! You read that right - ISPs end up punishing the victims of a DDoS attack (imagine jailing a rape victim for being a victim).
Another way of looking at a DDoS attack, and to clearly see it's not a vulnerability, and how an ISP would handle it, is to look at road traffic. If millions of people all took to a single highway in order to reach the same destination (let's say Vancouver), the highway would become clogged, and traffic would come to a stand-still. This is a DDoS attack.
Governments and police deal with this by creating more roads, making the existing roads wider, and sometimes having police on-hand to direct traffic. Fairly logical. If an ISP was in control, they'd block off all access into and out of Vancouver until such time as all the cars magically disappeared. Not so logical.
All-in-all, what I'm saying is that I don't see a DDoS as a vulnerability on the side of the internet - the blame lies with inept users who couldn't be bothered to learn, and ISPs who are equally inept, and take the path of least resistance for themselves, and sacrifice the victim.