Why are DDoS attacks so hard to stop?

Ask PC Gamer is our weekly question and advice column. Have a burning question about the smoke coming out of your PC? Send your problems to letters@pcgamer.com.

I saw that Quake Live was down because of a DDoS attack. It seems like this happens to games all the time... so I don't understand why it can't be stopped. Will this madness ever end? —Tom

It is madness, Tom, and it ought to end... but it isn't likely to anytime soon. Distributed denial-of-service attacks can be mitigated, sometimes without any downtime, but they're really hard to beat altogether.

To quickly make sense of it, here's a real world analogy: If I'm running a Starbucks and someone sneaks in, dodges the security cameras and steals all the stupid flavored syrups, that was a preventable security breach. However, if 200 non-customers enter my store at the same time and block all the real customers from ordering, that's a DDoS attack. Now I have to figure out who the real customers are and shoo all the fake customers out the door, and that's going to take time. No stupid sugar coffee for anyone.

That's grossly simplified, but the idea is the same when attacking servers: overload the target with fake data so that it can't attend to real users. The least sophisticated version of a denial-of-service attack would have one computer firing away at the target server without any attempt to mix up its identity, and that's not hard to stop: just block all data from that address. A distributed denial-of-service attack, however, can fire away from thousands of infected computers all over the world, collectively referred to as a "botnet."

In my research I spoke to StrataFusion partner Mark Egan, co-author of The Executive Guide to Information Security, who explained that owners of major botnets simply rent them out. Want to take down EverQuest for some moronic reason? All you have to do is pay.

There are ways to mitigate DDoS attacks, and all kinds of services which offer such security, but no perfect solution. Egan explained that static content is a little easier to protect, as services like Akamai spread the data over thousands of servers, creating a big target. He suspects, however, that the dynamic nature of games makes them good targets.

One way or another, to end a DDoS attack and keep a game server operational, the hostile traffic must be filtered out. One method is to 'teach' a system what good traffic looks like so that it can identify bad traffic, Egan explained, but even a well-protected server can be brought down while the attack is mitigated. "If a very determined bad guy aims at you, they've got a pretty good chance [of causing an outage]," he said.
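To make the difference between the two cases concrete, here is an added sketch (not from Egan or any mitigation product) that runs a per-address block and a learned traffic baseline over constructed request windows. The threshold values, addresses and traffic volumes are all assumptions chosen for illustration.

```python
from collections import Counter
from statistics import mean, stdev

PER_SOURCE_LIMIT = 50  # assumed cap on requests per address per one-second window

def window(pairs):
    """Expand (address, request_count) pairs into one window of request sources."""
    return [src for src, n in pairs for _ in range(n)]

def per_source_blocklist(requests, limit=PER_SOURCE_LIMIT):
    """Addresses that individually exceed the per-address limit."""
    return {src for src, n in Counter(requests).items() if n > limit}

def learn_baseline(normal_windows):
    """Learn mean and spread of request volume and distinct sources per window."""
    totals = [len(w) for w in normal_windows]
    uniques = [len(set(w)) for w in normal_windows]
    return {"total": (mean(totals), stdev(totals)),
            "unique": (mean(uniques), stdev(uniques))}

def is_anomalous(requests, baseline, k=4.0):
    """True if volume or source count is more than k deviations above baseline."""
    seen = {"total": len(requests), "unique": len(set(requests))}
    return any(seen[m] > mu + k * max(sd, 1.0) for m, (mu, sd) in baseline.items())

# Constructed sample traffic (not real captures): 36-44 players, 10 requests each.
def players(n):
    return [(f"10.0.0.{i}", 10) for i in range(n)]

NORMAL = [window(players(36 + 2 * (t % 5))) for t in range(10)]
# One address sending 5000 requests alongside 40 real players.
SINGLE_FLOOD = window(players(40) + [("203.0.113.9", 5000)])
# 2000 addresses sending 5 requests each: every one is quieter than a real player.
BOTNET = window(players(40) + [(f"198.18.{i // 250}.{i % 250}", 5) for i in range(2000)])

if __name__ == "__main__":
    baseline = learn_baseline(NORMAL)
    for name, reqs in (("single source", SINGLE_FLOOD), ("botnet", BOTNET)):
        blocked = per_source_blocklist(reqs)
        remaining = [s for s in reqs if s not in blocked]
        print(name, "| blocked:", len(blocked),
              "| still anomalous after blocking:", is_anomalous(remaining, baseline))
```

The single-source flood disappears once one address is blocked, while the distributed window blocks nothing yet still stands far above the baseline. Knowing the window is abnormal does not say which of the 2,040 sources are the real players, which is the sorting problem the mitigation has to solve.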

There are some very determined bad guys out there, though they may balk at the "bad" part. It has been argued that DDoS attacks should be considered a form of legal protest, the same as gathering in the streets. To decide if that can ever be a valid argument would be too much for this column's scope, but it's a pretty big stretch when it comes to game servers. No one fills the streets because they're mad at EA. And either way, the law certainly isn't having the protest angle: in the US, UK, and other countries, DoS attacks are a crime which can result in prison sentences... if you can catch the person responsible. That's not easy.

The perpetrators of these attacks can be anywhere in the world, and the owner of the botnet could be anywhere else in the world. "Very few people get caught," said Egan. And while DDoS attacks can be very bad for a company, Egan says the main focus in the security world is on preventing theft. A service outage is inconvenient, but stolen credit cards are far more damaging.

I asked Egan if he thought it would get better, but he isn't optimistic. "Each side will continue to up their game a bit," he said, meaning that more sophisticated security will only lead to more sophisticated attacks. It sounds terribly fatalistic, but all we can do is hope game services are prepared to respond quickly with strong DDoS mitigation techniques. Even then, we may still be locked out of the games we want to play now and then, because some idiots just hate fun.

Tyler Wilde
Executive Editor
