PBS NewsHour
REGION: North America
TOPIC: Science & Technology
Online NewsHour
FORUM
Posted: July 16, 2009

Cyber Attacks on Governments

Forum Introduction
[Photo: Blank South Korean ministry Web pages; AFP/Getty]
On the Fourth of July, cyber attacks started targeting computers at the White House, the Pentagon and other major U.S. government agencies. The New York Stock Exchange and the South Korean government were also targets. Who and what are behind the attacks? Two experts take your questions.
QUESTIONS
How can the average person protect his or her computer or Web site from being infected and used in similar cyber attacks?
What software vulnerabilities were exploited in the attacks? How has the software company responded?
I visited a foreign Web site and was greeted with a message saying I was under a malware attack. What should I have done?
When another nation launches a cyber attack on the United States government, why is it never discussed as an act of war?
How did malicious code get planted on so many computers? Did all the infected computers have to be turned on to be hijacked?
Can computers or servers be programmed to ignore repeated contacts from the same IP address to lower the risk of such attacks?
Do you foresee average Internet users benefitting from Internet2 community research?
Government security aside, is it sensible to expose one's personal financial to the Internet through online banking and brokerage?
Can adaptive software in routers be used to cope with cyber attacks?
The Online NewsHour asks:
Several viewers wanted to know the details about the computer operating system or types of computers that contributed to the distribution of the recent attacks. What vulnerabilities were exploited and how have the involved companies responded?
ANSWERS
Randy Sabett responds:

The type of computer or computer operating system is less relevant than the nature of this particular type of attack. Let's recall the telephone analogy of where hundreds or thousands of bogus calls at the same time would prevent the one legitimate call from getting through. In that case there are no exploits of a vulnerability in the telephone system. Instead, the system is behaving as designed.

The same is true here with the DDOS attack - the Web is designed to allow requests to flow from a source (requesting) computer to a destination (responding) computer. When you have tens of thousands of source/requesting computers in a botnet all sending requests at the same time to a destination/responding computer (i.e., an attack target), that destination/responding computer gets overwhelmed. In this case, the system is also behaving as designed.

These DDOS attacks were not based on a flaw in any software. I would say that this isn't even a flaw in the general design of the system, other than perhaps not having security against such an attack automatically built into the protocol. Even a protocol-based response might not be appropriate, though. Think, for example, of when concert or other event tickets go on sale. The Web sites of the ticket sellers would legitimately get flooded. A protocol that automatically reacted to such a situation as an attack would result in a false positive with potentially very unintended consequences (e.g., people not getting through to buy tickets).

In conversations with colleagues, some have said the design of systems that provide Web site functionality could have helped prevent the problem. For example, an agency that uses an outsourced Web services provider that distributes content across multiple (possibly regional) servers would be less susceptible to such an attack than an agency that has kept everything in-house and centrally located. For those that have centrally located servers, they would need to take some of the steps outlined below (in the response to Mr. or Ms. Summers), but the centralized nature of their systems would still make them susceptible to a renewed attack.

Going back to my previous response, the main 'vulnerability' here was a human one, not a technical one. Visiting untrustworthy Web sites or opening untrusted files, in combination with not having appropriate security software running, can cause people to infect their computers. This can then lead to the problems that have been experienced.
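The following is an added illustration, not part of the forum answers. It models the point made above: a filter that ignores any single address sending too many requests stops one noisy machine, but a botnet and a legitimate ticket-sale rush look the same to it and to a total-volume alarm. The capacity, the per-address limit and all addresses are constructed values chosen for the example.

```python
from collections import Counter

CAPACITY = 1000        # assumed: requests the site can serve per second
MAX_PER_SOURCE = 10    # assumed: per-address limit before an address is ignored

def make_traffic(n_sources, reqs_each, prefix):
    """Constructed sample: one entry per request seen in a one-second window."""
    return [f"{prefix}.{i // 250}.{i % 250 + 1}"
            for i in range(n_sources) for _ in range(reqs_each)]

def evaluate(requests, capacity=CAPACITY, max_per_source=MAX_PER_SOURCE):
    """Apply a per-address limit, then check what still reaches the server."""
    counts = Counter(requests)
    blocked = {ip for ip, n in counts.items() if n > max_per_source}
    admitted = sum(n for ip, n in counts.items() if ip not in blocked)
    return {
        "sources": len(counts),
        "blocked_sources": len(blocked),
        "admitted": admitted,
        "volume_alarm": len(requests) > capacity,   # looks only at total load
        "overloaded": admitted > capacity,          # load left after filtering
    }

def scenarios():
    """Four constructed one-second traffic samples."""
    normal = make_traffic(200, 2, "10.0")
    return {
        "normal day": normal,
        "one noisy address": normal + ["10.9.9.9"] * 5000,
        "botnet, 20000 machines": make_traffic(20000, 1, "10.1"),
        "ticket sale, 20000 buyers": make_traffic(20000, 1, "10.2"),
    }

if __name__ == "__main__":
    for name, reqs in scenarios().items():
        print(f"{name:28s} {evaluate(reqs)}")
```

The last two rows come out identical: no address is blocked, the volume alarm fires, and the server is still overloaded, which is why distributing content across multiple servers is discussed as the more useful design choice.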

Rod Beckstrom responds:

A summary of the technical details for the Windows operating system vulnerability exploited in the recent distributed denial-of-service attacks involving Web sites in Korea and the U.S. is provided here.

Copyright © 1996- MacNeil/Lehrer Productions. All Rights Reserved.