The anatomy of a DDoS attack

Last week the BitTorrent site Mininova was hit by a large-scale DDoS attack that caused a total of 14 hours of downtime. Regardless of what you think about torrent sites, this was an interesting example of how a website can be incapacitated by a DDoS attack.

We chose this example to illustrate the effect of a DDoS attack because Mininova shared some relevant information about the attack, especially a very telling traffic graph from their Internet connection. The traffic graph below shows the impact on one of Mininova’s two Internet connections during the initial attack.

The site was attacked by a botnet (hundreds of computers) using UDP, and judging by the above graph the attack reached full effect almost immediately.

The attack generated 2 gigabits of traffic per second. Since this maxed out Mininova’s Internet connection, the site became very slow and sometimes impossible to reach.

This is a typical example of a DDoS attack. Its objective is to overload a site or service, in one way or another, until it can’t function properly.

Now let’s take a closer look at how the site was affected.

How were site uptime and load time affected?

The above network graph is interesting, but what was the actual effect on the website’s load time, and how much downtime did it result in? We have some uptime monitoring data for the site (from Pingdom) which clearly shows the effect of the DDoS attack.

As you can see from the load time graph below, there were actually two separate attacks: one that started very early on Friday (European time) and one that started on Saturday. The time stamps below are in GMT+1.


Note that the load time in the graph above only includes the loading of the HTML, not images, etc.

The above only shows the load time for the attempts where the website could be loaded at all. In many cases the load attempt simply timed out (30+ seconds in our case). So the effect was double: slowdown AND downtime. Note how the reduced uptime in the graph below matches the periods of increased load time.

Counted over the two attacks, this DDoS attack cost Mininova 14 hours of downtime and some extreme slowdown. It might be good to remember that people tend to leave a website if it is too slow, so even when the website wasn’t technically down many visitors would still have been turned away.
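The following is an added example, not part of the original article and not Pingdom's own code: it turns a series of monitoring probes into separate "slow" and "down" incidents, the two effects described above. Only the 30-second timeout comes from the article; the probe interval, the slow threshold and the sample data are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

TIMEOUT_S = 30.0                 # probe timeout, as stated in the article
SLOW_S = 5.0                     # assumed threshold for a "slow" page load
INTERVAL = timedelta(minutes=1)  # assumed time between probes

def classify(load_s):
    """A missing result or a load time at/over the timeout counts as downtime."""
    if load_s is None or load_s >= TIMEOUT_S:
        return "down"
    return "slow" if load_s >= SLOW_S else "ok"

def incidents(probes):
    """Merge consecutive non-ok probes into (state, start, end) incidents.
    Each probe is taken to cover one INTERVAL starting at its timestamp."""
    out = []
    for ts, load_s in probes:
        state = classify(load_s)
        if state == "ok":
            continue
        if out and out[-1][0] == state and out[-1][2] == ts:
            out[-1] = (state, out[-1][1], ts + INTERVAL)  # extend open incident
        else:
            out.append((state, ts, ts + INTERVAL))        # start a new incident
    return out

def total(incs, state):
    """Total duration of all incidents of the given state."""
    return sum((end - start for st, start, end in incs if st == state), timedelta())

def sample_probes():
    """Constructed sample: HTML load times in seconds, None = no response."""
    start = datetime(2000, 1, 1, 0, 0)  # arbitrary constructed date
    loads = [0.8, 0.9, 7.2, 12.5, None, None, 31.0, 9.4, 1.0, 0.7, None, 0.9]
    return [(start + i * INTERVAL, load) for i, load in enumerate(loads)]

if __name__ == "__main__":
    incs = incidents(sample_probes())
    for state, start, end in incs:
        print(f"{state:5} {start:%H:%M} - {end:%H:%M}")
    print("downtime:", total(incs, "down"), "slowdown:", total(incs, "slow"))
```

Counting timeouts as downtime and keeping slow responses as a separate state is what lets the two totals be reported side by side, as the article does.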

It can happen to anyone

We hope that this practical example gives you a decent picture of how devastating a DDoS attack can be to a website.

It’s worth pointing out that what is described in this article can happen to any type of site. A similar attack could have happened to a blog, an e-commerce site, a social network, a web host, etc.

Another thing to note is that there is a very wide range of different attacks that can happen. To name a different example than the one above, the domain registrar Network Solutions recently suffered from a large-scale attack on their DNS servers that indirectly affected hundreds of thousands of websites that used those DNS servers.

One might also wonder why these attacks happen in the first place. DDoS attacks happen for a number of reasons. Sometimes they involve blackmail (“pay us or we break your site”), other times there are ideological conflicts or other reasons behind them.

Do you know of other recent examples of DDoS attacks that have had a negative impact on websites or services on the Internet? Please feel free to share in the comments.

Further reading (with more DDoS examples): Conflicting opinions causing DDoS blitzkriegs online

4 comments

  1. Did they ever highlight as to the magnitude of the attack both in terms of bandwidth and the PPS? The graph shows probably the server’s GigE port, which could have been flooded and exhausted. But the main two values of PPS and overall bandwidth used in the attack are of interest.
