Postal services analogy for DDoS attacks

I think a good analogy for understanding DDoS attacks is to think in terms of old-fashioned postal services. You probably still use USPS / Royal Mail / Canada Post / Deutsche Post / etc. occasionally. But imagine if 1 million people from all over the world all decided to start sending you lots of junk letters every day.

Your letterbox would be swamped, and you would not be able to distinguish the junk letters from the legitimate letters. You would be powerless to do anything about this situation; your only hope would be that the police might be able to do something about the orchestrators of the attack.

Now imagine you run a business, and the orchestrators of the attack are trying to extort money from you. You obviously refuse to pay. It’s better to go out of business than to pay these criminals a penny. But now, it’s all down to your customers; how important to them is it not to let the extortionists win?

But where do these 1 million nasty letter-senders come from? Well, in real life, I doubt we would ever see a well organized criminal campaign along these lines. The closest we might get is some kind of disorganized hoax. But leaving the analogy behind, and returning to the topic of actual Internet DDoS attacks, the computers participating in the attacks belong to millions of ordinary people who don’t realize that their computer is not fully under their control, and is being used part of a ‘botnet‘.

So the irony is that website XYZ could be targeted by a DDoS attack, and lots of ordinary computer users might think “oh, website XYZ has been hacked”, when in fact the website has not been ‘hacked’, but many of those ordinary computer users have been (and are now unwitting participants in an operation to deny service to legitimate users of the website)!

DDoS attacks are very different from computer cracking attacks, like the one on Sony for example, which seem to be happening an awful lot recently. Going back to the analogy, instead of sending millions of junk letters so that any legitimate letters are not properly dealt with, computer crackers just send 1 cleverly-worded letter to the target. Imagine you use a machine to deal with your incoming letters, and when you designed that machine you made a mistake, so that a cleverly worded letter causes that machine to give the attackers access to all your customer records. In that case, your customers are entitled to question whether you took enough care of their data.

The current situation with DDoS attacks is that botnets are big enough for the attackers to target even a ‘fairly large’ website and ensure that it is completely unworkable for legitimate users. Whereas the very largest Internet companies probably have enough capacity to absorb a DDoS attack, and still provide their services to legitimate users – albeit more slowly than normal. The analogy for this would be that 1 million people from all over the world all decided to start sending lots of junk letters to various Acme Inc. locations every day. Acme Inc. is used to dealing with large numbers of letters every day. They draft in extra staff, make more space in their sorting offices, get in touch with their contacts in the postal service and ask them to stop delivering any letters from abroad, and take various other measures (corresponding to DDoS mitigation). So, legitimate correspondence to Acme Inc. is dealt with properly – albeit delayed.

Obviously it’s a very bad situation when a medium sized company’s website can be rendered unusable for legitimate users, through no fault of the company in question. The main focus for reducing our DDoS problem should be helping prevent ordinary computer users from losing any control over their computer – so that botnet sizes are reduced. One aspect of this is guidance for ordinary computer users, including the DHS’s advice, for example.