| I remember a few years back hearing about the | | | | When Blue Security was DDoS'ed a few years ago |
| blackouts in California (oh yes, the good ol' Enron | | | | the attackers decided to take down Blue Security's |
| days). It was quite shocking to hear that major | | | | providers along with everything else hosted there, in |
| dot-coms were down for hours. Even the "365 Main" | | | | all of the provider's geographical locations. |
| facility in San Francisco with its earthquake proof | | | | A DDoS attacks the servers wherever in the world |
| infrastructure lost power, proving that no matter | | | | they may be. Even if you span your server across |
| how well equipped, no single location can withstand a | | | | multiple physical locations the attack will be done on |
| big disaster. | | | | all of them. No matter how distributed your servers |
| Nowadays this is less and less a real issue for web | | | | there is always a limit to the number of transactions |
| sites - hurricanes and power failures are not an | | | | you can handle in a single second, and once the |
| excuse to stop providing service: Amazon and Google | | | | attacking botnet (a network of software robots, or |
| showed that you can reach close to 100% reliability | | | | bots, that run autonomously and automatically) |
| (barring software bugs) by eliminating all physical | | | | passes this limit, then your services will effectively be |
| single points of failure. Today in the 'cloud computing' | | | | denied. You will then have nothing to do but lean |
| age, every web site can get Amazon-like reliability | | | | back in your chair and wait for the attack to end and |
| without worrying about a power failure in its office in | | | | count the lost visitors/revenue/reputation with every |
| Mountain View or a natural disaster at its co-location | | | | minute passed. |
| farm - and all this for just hundreds of dollars a | | | | While cloud computing can save you from Hurricane |
| month. | | | | Katrina, if someone decides to DDoS anyone - even - |
| But as the local disaster problem is solved, there's a | | | | they only need to pay a fee; there is nothing |
| new one that may shape the way we think of | | | | Facebook - even with its massive server |
| disaster recovery. got hit by a massive Distributed | | | | infrastructure - can do to stop them. |
| Denial of Service (DDoS) attack on its Domain Name | | | | We simply don't know how to stop a DDoS attack in |
| System (DNS) servers. This attack will have many | | | | progress (snake oil solutions aside). The only solution |
| casualties - not just Register.com's users who may | | | | is to raise security awareness with administrators so |
| have their web sites unavailable if they used | | | | that they will run sufficient security tests on their |
| Register.com's DNS services but also all those hit by | | | | servers (see and eliminate any botnet code hiding on |
| the collateral damage. We don't yet have any | | | | hundreds of thousands (some say millions) of servers. |
| technical information on how the attack was done, | | | | This will reduce the size of botnets and make DDoS |
| but a DDoS attack is typically 'logical' and not | | | | less practical (or more expensive). |
| geographical - if your site is somehow 'logically' | | | | Until that happens, I wonder who will be the first to |
| connected to a site that is being attacked, you will | | | | use DDoS to take out a competitor? |
| also be DDoS'ed and that won't be nice. | | | | |