UPDATE: There seems to bee some confusion regarding the severity of the events described in this article. Before reading further, please take note that our server was not hacked, nor was any hacking attempt detected during this event (yes, we monitor for that). This event was simply the result of a sudden and directed increase in the number of connections being made to our server.

It's never a fair fight when a group gangs up on one guy; unfortunately, that's exactly what happened to us, twice, today. It's called DDoS, which stands for Distributed Denial of Service, and it's what you get when a malicious hacker takes control of dozens, hundreds, thousands, sometimes even millions of computers, and directs them all to attack one server.

How does it happen?

In case you've ever wondered why people bother writing viruses, let me tell you that this is a huge reason for it. Many viruses do mainly three things:

1. Find other vulnerable computers to infect so they can spread as far and wide as possible.
2. Listen for commands from whoever created the virus.
3. Carry out those commands without question or regard for the consequences. After all, computers just do what they're told.

A computer infected with such a virus is commonly referred to as a bot. A network of such infected computers is called a botnet. There are currently about 30 known active botnets in existence, each ranging from several hundred to several million infected machines, any and all of which may be called to attack any server at any moment.

Unfortunately, due to the widespread nature of such attacks, there's no single user who can be blocked in order to stop the attack and, even if all the offending computers were blocked, the attacker would simply call on more bots to join in the attack.

Our attack appeared to be comprised of some 300 or so bots, each of which would basically open several connections to our server and just sit there until the server quit listening for a command, effectively tying up every available connection so that legitimate users could not access their sites. Since the bots never made any actual requests, we are unable to determine which site or sites the attack was being directed toward.

What can be done?

Since today's attacks, we've been in contact with network technicians at the datacenter where our server resides regarding ways to minimize the effect of any future attacks. Unfortunately, the only real solution is to disable the botnets used in the attacks and that requires the cooperation of every internet user. Have you run a virus scan lately?