D is for Denial (of Service)

Danny the Dolphin

All alliteration aside (heh), in light of the recent internet outages, Danny the Dolphin and I wanted to explain what a Distributed Denial of Service (DDoS) attack is and what happened to sites like Twitter, Airbnb and Reddit on Friday.

This is intended to be an overview for the layperson. Neither Danny the Dolphin nor I think you’re dummies. Just because you aren’t a cyber-nerd doesn’t make you dumb (in fact there’s a strong argument the opposite is true). I know plenty of smart doctors, designers and dentists who are definitely experts in their fields. Danny just happens to be a Dolphin who specializes in defeating DDoS attacks.

Hopefully, if you’ve made it this far, you’re interested in knowing what happened, or maybe you just want to know how a dolphin became an expert on denial of service attacks. So let’s jump in and see what happened. This DDoS was all about DNS, so let’s start there.

Danny the Dolphin explains DNS:

Danny and I were discussing DNS over drinks and he came up with a pretty good analogy. DNS is the Domain Name System. It’s like the phone book of the internet (or, perhaps more accurately, a phone book of phone books). It’s how our computers learn where to go when we type a domain name like google.com into the address bar of our web browsers: the name we can remember gets looked up and turned into the numeric address of a server.

Like a tower of blocks, each phone book knows about only a small portion of the domains on the internet. At the very top of the tower are a special set of DNS servers called the root servers. They don’t know where twitter.com lives; they only know which servers are responsible for each top level domain (TLD) like .com, .net, .gov and .org. Below that is a level of DNS servers that know a little about every domain registered under a particular TLD. So a .com server knows which DNS servers (the blocks below it) are responsible for google.com, facebook.com, microsoft.com, etc. And at the next level down, a set of DNS servers (the “authoritative” servers for a domain) hold the actual addresses for one or more of those domains (www.google.com, translate.google.com and gmail.com might all be served by the same set of DNS servers).

The reason Danny and I were talking about DNS is that DNS is what was really under attack on Friday. Or, more specifically, the DNS servers of a single company called Dyn that provides DNS service to other companies. Dyn ran the authoritative servers for many of the sites that were unreachable on Friday, so it sat at the bottom tier of the tower for all of them at once.

If you tried to get to a website like Twitter on Friday and failed, the reason was that your computer was asking for the address of twitter.com and the servers holding that answer were being attacked and couldn’t respond. One detail explains why some people got through for a while: the resolver your computer actually talks to (usually your ISP’s) remembers each answer for a limited time, the record’s TTL (time to live). Sites stayed reachable only until those remembered copies expired and a fresh answer was needed from Dyn.
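To make the tower of blocks and Friday’s failure concrete, here is a toy model, added for this post and not part of the original explanation or of any real resolver. The zone data, server names (root, com-server, dyn-server, google-server) and addresses (192.0.2.x, the documentation range) are all constructed; nothing touches the network. It walks root → .com → authoritative, caches answers with a TTL, and then takes the authoritative tier offline to show that lookups keep working from cache until the TTL runs out, while a site hosted on a different authoritative server is untouched.

```python
"""Toy model of the DNS "tower of blocks" and what an outage at one tier looks like.

Added example with constructed zone data and made-up server names and addresses;
nothing here touches the network.
"""


class ServerDown(Exception):
    """The server exists but cannot answer (here: it is being flooded)."""


class ToyServer:
    """One DNS server that knows only its own slice of the name space."""

    def __init__(self, name, records):
        self.name = name
        # owner name -> (rtype, data, ttl). "NS" data names the next server
        # down the tower; "A" data is a final address.
        self.records = records
        self.online = True

    def query(self, qname):
        if not self.online:
            raise ServerDown(self.name)
        # Exact match first, otherwise the closest enclosing delegation.
        best = None
        for owner in self.records:
            if qname == owner or qname.endswith("." + owner):
                if best is None or len(owner) > len(best):
                    best = owner
        if best is None:
            raise LookupError(f"{self.name} knows nothing about {qname}")
        return self.records[best]


class Resolver:
    """A recursive resolver with a TTL cache, like the one your ISP runs for you."""

    def __init__(self, servers, root_name, clock):
        self.servers = servers      # server name -> ToyServer
        self.root_name = root_name
        self.clock = clock          # injected clock (seconds) so runs are deterministic
        self.cache = {}             # qname -> (address, expires_at)

    def resolve(self, qname):
        """Return (address, where_it_came_from). Raises ServerDown if a needed tier is down."""
        now = self.clock()
        hit = self.cache.get(qname)
        if hit and hit[1] > now:
            return hit[0], "cache"
        server = self.servers[self.root_name]
        for _ in range(10):                         # bound the referral chain
            rtype, data, ttl = server.query(qname)
            if rtype == "A":
                self.cache[qname] = (data, now + ttl)
                return data, server.name
            server = self.servers[data]             # NS referral: one block lower
        raise LookupError("referral chain too long")


def build_servers():
    root = ToyServer("root", {"com.": ("NS", "com-server", 172800)})
    com = ToyServer("com-server", {
        "twitter.com.": ("NS", "dyn-server", 172800),
        "google.com.": ("NS", "google-server", 172800),
    })
    dyn = ToyServer("dyn-server", {"twitter.com.": ("A", "192.0.2.10", 300)})
    goog = ToyServer("google-server", {"google.com.": ("A", "192.0.2.20", 300)})
    return {s.name: s for s in (root, com, dyn, goog)}


def outage_timeline():
    """What a user sees before the attack, during it while the cache is warm, and after the TTL expires."""
    t = {"now": 0}
    servers = build_servers()
    resolver = Resolver(servers, "root", clock=lambda: t["now"])

    before = resolver.resolve("twitter.com.")         # walks root -> .com -> dyn-server
    servers["dyn-server"].online = False              # the flood starts; root and .com are fine
    t["now"] = 60
    during_cached = resolver.resolve("twitter.com.")  # still answered from cache
    t["now"] = 400                                    # past the 300 s TTL
    try:
        resolver.resolve("twitter.com.")
        after_expiry = "resolved"
    except ServerDown as e:
        after_expiry = f"failed at {e}"
    other_site = resolver.resolve("google.com.")      # different authoritative server: unaffected
    return before, during_cached, after_expiry, other_site


if __name__ == "__main__":
    for step in outage_timeline():
        print(step)
```

Note where the failure shows up: the root and .com servers answer normally throughout, and the resolver only discovers the problem when it follows the referral down to the flooded authoritative server. That is why a single provider going dark took out many unrelated sites at once.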

Danny Details the Denial of Service Attack

Danny decided to use another analogy to describe what was happening. In this case it was like a 3 year old trying to ask a question while the grownups in the room were having a conversation…. Dad..dad, dad, dad, dad..dad, dad. The constant repetition of requests broke through the conversation the grownups were having. The attackers were basically asking silly questions over and over again for the DNS servers to answer: “Where is twitter.com?” and, before the DNS server could even answer, asking again, and again and again.

And it wasn’t just one 3 year old it was hundreds of thousands of three year olds asking the same questions over and over. That is the distributed nature of the problem. Most parents can deal with one misbehaving 3 year old, but hundreds of thousands? That can be overwhelming. The DNS servers became so overwhelmed trying to answer annoying 3 year olds they couldn’t answer questions for the grownups who really wanted to know.

Diabolical Distributed Devils

So who were these annoying 3 year olds? Believe it or not, Danny the Dolphin insists they weren’t 400 pound hackers sitting at their keyboards. Instead they were mostly internet connected cameras and other devices which had been taken over by hackers (who may or may not be morbidly obese) and turned into an Army of Screaming Brats under the control of an evil kindergarten cop. The army of hijacked devices is what’s known as a botnet; the kindergarten cop is the command-and-control server the hackers use to tell every device what to do.

Internet connected cameras aren’t giant computers; they don’t have a ton of processing power… but they are really good at simple things like asking for the address of twitter.com. And because of a quirk in how those requests are made they don’t even have to waste time digesting the response: a DNS question normally travels over UDP, a protocol with no connection setup and no acknowledgement, so a device can fire off a question in a single small packet, ignore whatever comes back, and immediately ask again.
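To show how little work one of those questions is, here is the actual wire format of a DNS query, as an added example (not code from the post, and not any botnet’s code). It builds the 12-byte header and one question as described in RFC 1035 and decodes it back; the name twitter.com and the transaction ID are illustrative, and nothing is sent.

```python
"""Build and decode a minimal DNS query message (RFC 1035 header + question).

Added example, not code from the post. Names are illustrative; nothing is sent.
"""
import struct

QTYPE_A = 1       # IPv4 address record
QCLASS_IN = 1     # the Internet class
HEADER_LEN = 12


def encode_name(name):
    """'twitter.com' -> b'\\x07twitter\\x03com\\x00' (length-prefixed labels, zero terminator)."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def build_query(name, txid, qtype=QTYPE_A):
    """One complete query message: 12-byte header plus a single question."""
    # flags 0x0100: QR=0 (query), opcode 0, RD=1 (please recurse). QDCOUNT=1, the rest 0.
    header = struct.pack("!HHHHHH", txid & 0xFFFF, 0x0100, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    return header + question


def parse_question(msg):
    """Decode the header ID and the first question; returns (txid, name, qtype, qclass)."""
    if len(msg) < HEADER_LEN:
        raise ValueError("truncated header")
    txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:HEADER_LEN])
    if qdcount < 1:
        raise ValueError("no question present")
    pos = HEADER_LEN
    labels = []
    while True:
        if pos >= len(msg):
            raise ValueError("truncated name")
        ln = msg[pos]
        pos += 1
        if ln == 0:
            break
        if ln & 0xC0:
            # Compression pointers are legal in responses; a query we built never has them.
            raise ValueError("compressed name not supported here")
        labels.append(msg[pos:pos + ln].decode("ascii"))
        pos += ln
    if pos + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return txid, ".".join(labels), qtype, qclass


if __name__ == "__main__":
    q = build_query("twitter.com", txid=0xBEEF)
    print(len(q), "bytes:", q.hex())
    print(parse_question(q))
```

The whole question is 29 bytes. Over UDP, sending it is one `sendto()` to port 53 with no handshake, and nothing obliges the sender to read the reply, which is exactly why a cheap camera can repeat it endlessly.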

Defeating Determined Dreadnoughts of Doom

This DDoS attack was successful in part because computers are pretty stupid. DNS servers are designed to dutifully answer the questions asked of them. They don’t check whether the requestor is a demented 3 year old or a serious adult. But Danny the Dolphin points out that there are computer programs designed to judge whether a request is coming from a legitimate source. These programs are offered by third-party DDoS protection services and act as a proxy or intermediary in front of the real DNS servers, filtering out unwanted or useless requests before they arrive. In many ways they act like the filters Gmail and other services use to keep unwanted spam out of our inboxes. The catch is the same one spam filters face: when hundreds of thousands of sources each ask only a few times, no single one looks misbehaved, so these services also rely on having far more capacity than any one company would build for itself.
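The simplest version of such a filter is a per-source rate limit: remember how many questions each address has asked in the last second and drop the excess. Here it is as an added example (not any vendor’s product), run over a constructed query log using documentation addresses (198.51.100.x, 203.0.113.x). The second scenario shows the caveat from the paragraph above: spread the same flood across many devices asking slowly and a per-source limit lets all of it through.

```python
"""Per-source rate limiting, the simplest form of the "filter" described above.

Added example, not any DDoS-protection vendor's code. The query log is constructed;
addresses come from the documentation ranges (198.51.100.x, 203.0.113.x).
"""
from collections import defaultdict, deque


class SourceRateLimiter:
    """Allow at most `limit` queries per `window` seconds from each source address."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.recent = defaultdict(deque)   # source -> timestamps of allowed queries

    def allow(self, ts, source):
        q = self.recent[source]
        while q and q[0] <= ts - self.window:   # forget queries older than the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(ts)
        return True


def run_filter(events, limit=5, window=1.0):
    """Feed (timestamp, source, qname) events through the limiter.

    Returns (allowed_per_source, dropped_per_source) as plain dicts of counts.
    """
    limiter = SourceRateLimiter(limit, window)
    allowed, dropped = defaultdict(int), defaultdict(int)
    for ts, source, _qname in sorted(events):
        if limiter.allow(ts, source):
            allowed[source] += 1
        else:
            dropped[source] += 1
    return dict(allowed), dict(dropped)


GROWNUP = "198.51.100.7"
BRAT = "203.0.113.5"

# Constructed log: one real user asks three times over two seconds; one hijacked
# camera asks twenty times in one second, then once more later.
SINGLE_BRAT_LOG = (
    [(0.0, GROWNUP, "twitter.com"), (0.5, GROWNUP, "twitter.com"), (2.0, GROWNUP, "twitter.com")]
    + [(round(i * 0.05, 2), BRAT, "twitter.com") for i in range(20)]
    + [(2.5, BRAT, "twitter.com")]
)


def distributed_log(sources=200, per_source=4):
    """Constructed log: many devices, each asking only `per_source` times in one second."""
    return [
        (round(k / per_source, 3), f"203.0.113.{n % 256}", "twitter.com")
        for n in range(sources)
        for k in range(per_source)
    ]


def total_allowed(log, limit=5, window=1.0):
    """How many queries reach the real DNS server after filtering."""
    allowed, _dropped = run_filter(log, limit, window)
    return sum(allowed.values())


if __name__ == "__main__":
    print(run_filter(SINGLE_BRAT_LOG))
    print("distributed flood getting through:", total_allowed(distributed_log()))
```

With a limit of five per second, the single brat loses 15 of its 21 questions and the grownup loses none. But 200 devices asking four times each stay under the limit individually, so all 800 questions get through; scale that to hundreds of thousands of cameras and the filter needs other signals (or simply far more capacity) to help.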

Final Thoughts from Danny the Dolphin

Danny wanted me to be sure to mention that DNS isn’t the only thing that can be attacked in a DDoS attack. It just happened to be what was involved this week. Next week they may choose to attack something else: a web server, a login page, or the network link itself. But the general nature of the attacks remains the same… a large number of requests from a distributed set of machines are coordinated to overwhelm whoever is providing the service.

Danny and I hope this has been an educational diversion for you. If you have questions or want to point out the technical inaccuracies of our somewhat simplified explanation of what happened please feel free to leave a comment.

Show your love of Dolphins by clicking the ❤.