There has been some controversy surrounding the government's claim that it was hit with multiple distributed denial-of-service,...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
or DDoS, attacks that caused the FCC net neutrality site to go down. What are the technical details behind this incident? What else could have caused the disruption for the website?
With any DDoS attack, the best way to investigate it is to review the logs. Due to the sensitivity of the information submitted to the Federal Communications Commission (FCC) net neutrality site, and the ability for IP addresses to potentially increase privacy risks for users submitting their opinions, the logs have not been publicly released for review. The FCC's CIO, David Bray, stated that, after reviewing the logs, it was determined that nonhuman bots were creating a large number of comments to the FCC net neutrality site via an API. He also mentioned that the systems creating the large wave of comment traffic wasn't from a botnet of infected systems, but from a publically available cloud service.
If this truly was a botnet pumping large amounts of comments to the FCC's net neutrality site -- possibly for spam-related purposes -- while there was a large influx of users attempting to post opinions and comments regarding the net neutrality policy, it's likely that the application reacted in a manner that's identical to a DDoS attack. We know that the API was hit hard from public comments made by the FCC and it's these application-based resources that can become very expensive when it comes to utilization.
You can consider DDoS attacks like water: They're always going to find a way in. Application-based resources can be more sensitive to the amount of traffic being sent. In a network-based DDoS attack, large amounts of traffic are sent to a site in order to bring down the front-end systems, which might be able to handle the load if it's not too high, but the layer 7-based application layer attacks rely on how the back-end systems respond. In these types of attacks, the application or even the database can become the point of error and could cause an outage for a system.
At this point, if there were large amounts of spam bot traffic hitting the FCC net neutrality site while a large number of users were attempting to access the comment section, it's possible that this wasn't a DDoS attack but a performance issue related to insufficient resources. If there wasn't a malicious intent to the spamming of the site -- and we may never know the motive -- it's impossible to say if this was done for political reasons. There was no one taking credit for the outage, either, which is done many times after a particular target site is taken down.
In order to protect against DDoS attacks in the future, organizations need to understand their traffic patterns, get a baseline of what's normal and have an incident response plan put in place to help remediate the damage done as quickly as possible. The only way to truly mitigate DDoS attacks is through a third-party tool or service that's going to monitor and scrub DDoS traffic from a layer 3 and 7 standpoint. These attacks are becoming so familiar now that even small outages to large sites are always assumed to be malicious.
Ask the expert:
Want to ask Matt Pascucci a question about security? Submit your question now via email. (All questions are anonymous.)
Learn how to find the best DDoS attack prevention tools
Get a better understanding of net neutrality from this explanation
Check out what else is happening around net neutrality
Dig Deeper on DDoS attack detection and prevention
Related Q&A from Matthew Pascucci
Researchers found several Dnsmasq vulnerabilities that affect Google's Android operating system. Matt Pascucci explains how these flaws can be ...continue reading
After introducing HTTP Public Key Pinning to the internet two years ago, the upcoming Chrome will replace it with the Expect-CT header. Matt Pascucci...continue reading
A major SAML vulnerability was found in Slack that granted expired login credentials permission into the system. Matt Pascucci explains how this '...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.