Hacking has really taken on a bad meaning over the past two decades. What began as software augmentation on a rapid development cycle has been popularized by movies like “Hackers” and “Swordfish” as the underground and often sociopathic perpetration of evil. Interest has again been stirred by the holiday attacks against video game services and the release of the film “Blackhat”, which has since encouraged a lot of confusion through public ignorance of the subject and sensationalism.
The concept of hacking began many decades ago and to this day is used by software developers around the world for its original meaning. Virtually all software developers are hackers. Not all hackers are evil though. According to its widespread definition, a modern day hacker is someone who gains elevated privileges or access to systems and resources, often intercepting data and commandeering systems. A “bad” hacker is a software developer who has malicious intentions, whether or not those intentions are criminalized under law.
On the other hand, DDoS attacks have very little positive use. By its very nature, a distributed denial of service attack forces the denial of service to legitimate users or requests. Its main purpose is to cause harm and negative impact. In recent times, some have argued that DDoS attacks are a form of social protest.
Are the perpetrators of DDoS attacks hackers? Do all hackers launch DDoS attacks? Is launching a DDoS attack a form of hacking? Which is worse?
So What’s the Difference?
Launching a DDoS attack is by definition not hacking. I want to be very clear about this. There’s quite a bit of misinformation on popular news outlets that seem to be thoroughly confused about this. There is a clear distinction between the two. Hacking, even by its popular definition, is about gaining access and privilege that would otherwise be restricted. For example, Target and Home Depot made headlines over the last couple of years because of a hack of the payment systems used at their checkout terminals. The attackers could have done this by finding a vulnerability in the security systems, thereby bypassing them and gaining access to the secured data. (It would later come out that the hack had begun through their air conditioning company, which had sensitive network data stored externally. We anticipate more of these kinds of hacks as the Internet of Things introduces more and more consumer products with fairly basic operating systems. Our blog article on that can be found here.) Similarly, some months ago, JP Morgan was hacked and client account information was accessed. In neither of these cases was DDoS involved.
Back in 2000 and 2001, Yahoo.com and a half dozen other popular websites were taken down by crippling DDoS attacks. (Our CIO Arad Mahdavi covers this briefly in his article about DDoS’ development here.) These large scale attacks would happen again multiple times over the years, with Anonymous and LizardSquad in the more recent news. No information was actually accessed and no elevated privileges were achieved by the attackers. The purpose of the attack was to simply deny legitimate access to those online sites. They achieved this by bombarding the systems with overwhelming amounts of data. The series of Internet connections and systems serving those websites could not cope with the sheer volume of the attack so they were unable to service legitimate connections. It’s akin to adding thousands of cars on a highway in hopes of causing gridlock for the other motorists, or forcing the door closed on businesses by blocking the entrance.
How They Work
DDoS attacks are generally launched by leveraging hacked systems or by finding a vulnerability in existing widespread software and using it as a means to launch the desired attack. Thus, a DDoS attack involves some level of hacking to facilitate the attack itself. Incidentally, DDoS mitigation works by understanding those vulnerabilities and designing security against the respective attacks. As a result, a number of people who launch attacks are also hackers. They commandeer systems and servers, write the tools and software to initiate the attacks, and allow others to take advantage of the entire platform. There’s another group of people that are often referred to as “script kiddies”. They just use existing tools that more experienced hackers have written to cause harm and disruption across the Internet. Script kiddies get their name from their use of ready-made scripts that hack remote systems and scripts that launch attacks. Script kiddies are not hackers.
DDoS attacks can also use spoofed packets sent from systems that are sometimes legitimately owned. These can target a machine and network directly, or they can exploit third party system vulnerabilities for an amplification effect. This is how NTP floods are launched. A malicious actor would compile a list of vulnerable NTP servers and then simply launch a series of spoofed requests to these servers, causing them to reply to the spoofed source with responses far larger than the requests that triggered them. This form of attack does not necessarily depend on hacked servers.
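One way a defender can spot the amplification pattern just described in flow data is to look for hosts receiving oversized UDP datagrams from port 123 from several servers they never queried. This is an added example, not code from the original article; the flow record format, the sample addresses and the size threshold are constructed assumptions.

```python
"""Added example: flag NTP amplification floods in flow records.

Not code from the original article. Flow fields and sample values are
constructed; the thresholds are assumptions a defender would tune.
"""
from collections import defaultdict

# Constructed flow records: src_ip,src_port,dst_ip,dst_port,proto,packets,bytes
SAMPLE_FLOWS = """\
203.0.113.10,123,198.51.100.5,53211,udp,400,176000
203.0.113.11,123,198.51.100.5,53211,udp,380,167200
192.0.2.7,123,198.51.100.5,40001,udp,2,96
198.51.100.5,40001,192.0.2.7,123,udp,2,96
203.0.113.12,123,198.51.100.5,53211,udp,390,171600
"""

NTP_PORT = 123
# A normal NTP time request or reply carries a 48-byte payload; a flow whose
# datagrams average far more than that from port 123 is not ordinary NTP.
SUSPECT_AVG_BYTES = 200   # assumption: tune for your own network

def parse_flows(text):
    """Parse the CSV flow lines into dicts with numeric packet/byte counts."""
    flows = []
    for line in text.strip().splitlines():
        src, sp, dst, dp, proto, pkts, byts = line.split(",")
        flows.append({"src": src, "sport": int(sp), "dst": dst, "dport": int(dp),
                      "proto": proto, "packets": int(pkts), "bytes": int(byts)})
    return flows

def find_ntp_amplification(flows, min_sources=3, avg_bytes=SUSPECT_AVG_BYTES):
    """Return {victim_ip: report} for hosts receiving oversized UDP/123 traffic
    from at least min_sources servers; requested_bytes near 0 means the victim
    never asked those servers for anything, the spoofed-source signature."""
    inbound = defaultdict(dict)   # victim -> {ntp_server: bytes received}
    outbound = defaultdict(int)   # (host, ntp_server) -> bytes host sent to port 123
    for f in flows:
        if f["proto"] != "udp":
            continue
        avg = f["bytes"] / max(f["packets"], 1)
        if f["sport"] == NTP_PORT and avg > avg_bytes:
            inbound[f["dst"]][f["src"]] = inbound[f["dst"]].get(f["src"], 0) + f["bytes"]
        elif f["dport"] == NTP_PORT:
            outbound[(f["src"], f["dst"])] += f["bytes"]
    reports = {}
    for victim, sources in inbound.items():
        if len(sources) < min_sources:
            continue
        reports[victim] = {"amplifiers": sorted(sources),
                           "inbound_bytes": sum(sources.values()),
                           "requested_bytes": sum(outbound[(victim, s)] for s in sources)}
    return reports
```

The legitimate 48-byte exchange with 192.0.2.7 in the sample is left alone; only the three servers sending 440-byte datagrams to a host that never queried them are reported.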
In short, DDoS is not hacking, and hacking is not attacking. DDoS does depend on some level of illegal hacking initially, though not always, as software has made it easily accessible even to the inexperienced. Some DDoS attacks can use legitimate systems to generate spoofed packets against vulnerable servers. The point is that legitimate uses of DDoS are very few, and while a DDoS attack can be used to cover up an actual hack, the two are completely different categories of cyber attack.