Skip to main content

How Hackers Take Down Web Sites

Many of the Web sites we visit every day are under cyber attack by malicious hackers looking to disrupt business transactions, discourage people from using a particular online service or exact payback for some real or perceived slight.

This article was published in Scientific American’s former blog network and reflects the views of the author, not necessarily those of Scientific American


Editor’s Note (10/21/16]): Massive attacks against key Internet infrastructure providers have taken down Web sites—including Twitter, PlayStation Network and PayPal—and slowed access for users across the U.S. Dynamic Network Services, Inc. (Dyn), Amazon and others reported Friday that they were subject to multiple distributed denial-of-service (DDOS) attacks that overwhelmed the companies’ computer servers with massive amounts of data traffic that caused them to take their systems offline. The following Scientific American article—originally published online February 11, 2014—explains what DDOS attacks are and how they wreak havoc on the Web.

Many of the Web sites we visit every day are under cyber attack by malicious hackers looking to disrupt business transactions, discourage people from using a particular online service or exact payback for some real or perceived slight. One of the most common ways to bring down a site is to flood its computer servers with so much traffic, they slow to a crawl or shut down because they simply can’t handle the volume. This is known as a denial-of-service (DOS) attack.

The weapon of choice in these cyber salvos is the botnet, a virtual armada of computers consigned to deluge Internet servers with requests for data to the extent that those servers cannot function. Botnets are used to perpetrate distributed DOS (DDOS) attacks against a target, and often the owners of those computers don’t even know that their systems are up to no good. This is because cyber criminals first break into those computers using a virus, worm or some other malware, turning someone’s PC or server into a “zombie” that can be controlled remotely.


On supporting science journalism

If you're enjoying this article, consider supporting our award-winning journalism by subscribing. By purchasing a subscription you are helping to ensure the future of impactful stories about the discoveries and ideas shaping our world today.


Scientific American’s Instant Egghead video below offers additional info on how these attacks work.

In one high-profile example, the hacker group Anonymous launched a DDOS against Paypal, MasterCard, Visa and others in December 2010—dubbed Operation Payback—after the payment services stopped processing donations to the WikiLeaks site. Operation Payback participants used a piece of software called the Low Orbit Ion Cannon (LOIC) to recruit computers for their attacks. LOIC actually included a feature that allowed computer users to voluntarily join Anonymous botnets. U.S. authorities charged 14 people for their roles in the attacks.

One of the newer approaches to launching DDOS attacks is to recruit mobile devices via DDOS apps to participate in these attacks, according to a recent report from cyber security firm Prolexic Technologies. In such cases, mobile device owners actually agree to participate in the attack by downloading the app and giving control of their phone or tablet to the attacker. This may not have been a real threat a few years ago, but the proliferation of increasingly powerful mobile devices has made them a valuable contributor to any botnet, the report says.

Attackers often protect their own identities by creating forged Internet protocol (IP) sender addresses for the servers they commandeer to commit DDOS attacks. Any investigation into the source of the assault leads to a spoofed address rather than the actual perpetrator. An increasingly popular approach is for an attacker to send forged requests for information to a computer or group of computers, which in turn send their flood of responses to that forged address. This is known as a distributed reflected DOS attack because the actual culprit is using an unwitting middleman to perform an attack. Taking this one step further, sometimes attackers deliberately create queries that elicit much larger responses, thus amplifying the attack without much additional effort.

Site owners can combat DOS attacks in a number of ways—adding more servers for redundancy and backup or setting up firewalls that attempt to filter traffic coming from questionable sources, for example. Unfortunately attackers continue to find ways around such defenses, creating an escalating virtual arms race involving Web sites, cyber criminals and law enforcement.