Did DDoS attacks cause the FCC net neutrality site to go down?
The FCC net neutrality comment site crashed, and it was blamed on DDoS attacks. Expert Matthew Pascucci looks at the technical side of this incident and what was behind it.
There has been some controversy surrounding the government's claim that it was hit with multiple distributed denial-of-service, or DDoS, attacks that caused the FCC net neutrality site to go down. What are the technical details behind this incident? What else could have caused the disruption for the website?
With any suspected DDoS attack, the best way to investigate is to review the logs. Because of the sensitivity of the information submitted to the Federal Communications Commission (FCC) net neutrality site, and because the IP addresses in those logs could expose the people who submitted their opinions, the logs have not been publicly released for review. The FCC's CIO, David Bray, stated that, after reviewing the logs, the FCC determined that nonhuman bots were creating a large number of comments on the net neutrality site via an API. He also said that the systems generating that wave of comment traffic were not a botnet of infected machines, but a publicly available cloud service.
If automated clients really were pumping large volumes of comments into the FCC's net neutrality site -- possibly for spam-related purposes -- at the same time as a large influx of real users was trying to post opinions and comments on the policy, the application would likely have behaved in a way indistinguishable from a DDoS attack. We know from the FCC's public statements that the API was hit hard, and it is exactly these application-layer resources that are expensive to serve: each API submission has to be validated, processed and written to the back end, which is far more work than returning a static page.
You can think of DDoS attacks like water: They will always find a way in. Application-layer resources are more sensitive to the volume of traffic sent to them. A network-based DDoS attack throws large amounts of traffic at a site to overwhelm the front-end systems, which may well absorb the load if it is not too high; a layer 7, or application-layer, attack instead depends on how the back-end systems respond to each request. In these attacks, the application or even the database becomes the point of failure and can take the whole system down, even when the raw network volume never looked unusual.
So, if large amounts of spam bot traffic were hitting the FCC net neutrality site while many users were trying to reach the comment section, it is possible that this was not a DDoS attack at all, but a performance problem caused by insufficient resources. Whether there was malicious intent behind the bulk submissions -- and we may never know the motive -- is impossible to say, as is whether it was politically driven. No one claimed responsibility for the outage, either, which often happens after a targeted site is taken down.
To protect against DDoS attacks in the future, organizations need to understand their traffic patterns, establish a baseline of what normal looks like, and have an incident response plan in place so they can remediate the damage as quickly as possible. In practice, the most reliable way to mitigate a DDoS attack is a third-party tool or service that monitors traffic and scrubs attack traffic at both layer 3 and layer 7. These attacks have become so familiar that even brief outages of large sites are now routinely assumed to be malicious.
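Reviewing the logs against a baseline, as the answer describes, is mechanical enough to show in code. The following is an added example, not the FCC's tooling or anything from the original column: it parses combined-format web server logs, takes the median requests per minute over a quiet window as the baseline, flags later minutes that exceed it by a factor, and then asks the two questions that separate bulk API posting from a broad flood: what share of the excess is POSTs to the API endpoint, and how few source addresses account for it. The log lines, the endpoint paths (/comments and /api/comments), the addresses (RFC 5737 documentation ranges) and the thresholds are all constructed assumptions; the FCC's real logs have not been released.

```python
"""Added example (not from the article): baseline web-server logs, flag minutes that blow past
the baseline, and attribute the excess so that bulk API posting from a few hosts can be told
apart from a broad flood. All data below is constructed; the FCC has not released its logs."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

# Hypothetical endpoints: the article does not name the real comment-system paths.
FORM_PATH = "/comments"       # the HTML form people use
API_PATH = "/api/comments"    # the programmatic submission endpoint the CIO said was hit

# Apache/nginx "combined" log format, e.g.
# 203.0.113.10 - - [08/May/2017:14:10:00 +0000] "POST /api/comments HTTP/1.1" 201 512 "-" "python-requests/2.13.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a record dict, or None for a line that is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"], "path": m["path"], "status": int(m["status"]), "ua": m["ua"]}


def build_sample_log():
    """Constructed traffic: 12 minutes of ordinary form use; in the last 2 minutes three hosts in
    one /24 (a stand-in for a cloud provider's range) post to the API every 1.5 seconds."""
    start = datetime(2017, 5, 8, 14, 0, tzinfo=timezone.utc)
    browser = "Mozilla/5.0 (Windows NT 10.0) Firefox/53.0"
    lines = []

    def emit(ts, ip, method, path, status, ua):
        stamp = ts.strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"')

    for minute in range(12):
        for k in range(6):  # about 6 human requests per minute from varied addresses
            ts = start + timedelta(minutes=minute, seconds=10 * k)
            ip = f"198.51.100.{(minute * 6 + k) % 250 + 1}"
            if k % 3 == 2:
                emit(ts, ip, "POST", FORM_PATH, 302, browser)
            else:
                emit(ts, ip, "GET", FORM_PATH, 200, browser)
        if minute >= 10:  # the burst: 3 hosts x 40 API posts per minute
            for host in (10, 11, 12):
                for j in range(40):
                    ts = start + timedelta(minutes=minute, seconds=1.5 * j)
                    emit(ts, f"203.0.113.{host}", "POST", API_PATH, 201, "python-requests/2.13.0")
    lines.insert(5, "garbled line that the parser must tolerate")  # real logs have these too
    return lines


def classify(api_post_share, top3_share):
    """Rough triage of one anomalous minute, based on what was hit and by how many sources."""
    if api_post_share >= 0.8 and top3_share >= 0.8:
        return "automated API submissions from a handful of hosts"
    if api_post_share >= 0.8:
        return "automated API submissions from many hosts (botnet-like)"
    return "broad request surge (organic load or network-layer flood)"


def analyze(lines, baseline_minutes=10, factor=5.0):
    """Baseline = median requests/minute over the first `baseline_minutes`; any later minute
    above factor * baseline is reported with who sent the traffic and what it hit."""
    records, unparsed = [], 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
        else:
            records.append(rec)
    buckets = defaultdict(list)
    for r in records:
        buckets[r["ts"].replace(second=0)].append(r)
    minutes = sorted(buckets)
    baseline = median([len(buckets[m]) for m in minutes[:baseline_minutes]])
    anomalies = []
    for m in minutes[baseline_minutes:]:
        recs = buckets[m]
        if len(recs) <= baseline * factor:
            continue
        api_posts = sum(1 for r in recs if r["method"] == "POST" and r["path"] == API_PATH)
        ips = Counter(r["ip"] for r in recs)
        nets = Counter(".".join(r["ip"].split(".")[:3]) + ".0/24" for r in recs)
        api_post_share = round(api_posts / len(recs), 3)
        top3_share = round(sum(n for _, n in ips.most_common(3)) / len(recs), 3)
        anomalies.append({
            "minute": m.strftime("%H:%M"), "requests": len(recs),
            "api_post_share": api_post_share, "distinct_ips": len(ips),
            "top3_share": top3_share, "top_net": nets.most_common(1)[0],
            "verdict": classify(api_post_share, top3_share),
        })
    return {"baseline_per_minute": baseline, "unparsed": unparsed, "anomalies": anomalies}


if __name__ == "__main__":
    result = analyze(build_sample_log())
    print("baseline req/min:", result["baseline_per_minute"], "unparsed lines:", result["unparsed"])
    for a in result["anomalies"]:
        print(a)
```

Run directly, it prints the two flagged minutes. In a real review the output of the CDN or scrubbing service would replace build_sample_log(), and the top_net field is the first thing to compare against cloud providers' published address ranges: a handful of hosts inside one provider's range is what the CIO's statement describes, whereas a botnet of infected machines shows up as thousands of distinct addresses with a low top3_share.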