FCC in DDoS communications misfire – and why it matters
One would think that the federal agency in charge of regulating communications providers would get its own communications straight, but that is not what happened in May 2017, when the FCC blamed a service outage on a DDoS attack.
It’s since emerged that this was a deliberate miscommunication. So why did the FCC lie about suffering a DDoS attack, what really happened, and why should you worry about DDoS?
A quick DDoS explainer
DDoS stands for distributed denial of service. An attacker who launches a DDoS attack tries to make a service or network unavailable (denial of service) by overwhelming it with requests or traffic from multiple sources (distributed). Network and online services kick into action when they receive a request, such as a request to serve a web page or accept an email. Send too many of these requests and the service can be so inundated that it cannot respond to genuine ones.
Attackers launch DDoS campaigns for different reasons. An attacker might simply try to make a point, for example, by taking down a government or company website. Other attackers may want to cause real damage by robbing a company of revenue or by causing disruption for a nation’s citizens. This is why DDoS protection is so crucial.
What did the FCC originally say happened?
On May 7, 2017, one of the most popular American nightly shows encouraged viewers to leave comments in support of net neutrality on the FCC website. The result was that the FCC website became unavailable. At the time, an FCC statement blamed external actors, implying that a DDoS attack caused the FCC commenting system to go offline.
The agency’s statement said that the malicious actor did not try to add bona fide comments but instead attempted to make it difficult for legitimate comments to be added. In the statement, the agency directly implied a DDoS attack, saying that the commenting system remained online but, due to the DDoS attack, was sometimes unable to accommodate people who were trying to leave comments.
It’s pretty clear that the FCC blamed outside actors for the problem with its commenting system, not accepting any responsibility for the issue at all. At no time did the FCC admit to any incompetence or capacity issues. Until now.
What actually happened
To be frank, nobody knows. The FCC has since disavowed its previous statement, saying that the DDoS attack didn’t happen. On Monday Aug 8, 2018, FCC Chairman Ajit Pai said that the outage was definitely not caused by a DDoS attack, but he didn’t offer any other explanation for the periods during which the FCC commenting system was out of service.
We can only guess at what happened: so many viewers felt strongly about net neutrality that the FCC website was overwhelmed with comments, in much the same way a DDoS attack could overwhelm it. Millions of viewers tried to access the service simultaneously, and the FCC servers simply couldn’t cope.
An Office of Inspector General investigation about the attack has not been released, but Pai said that the Inspector General stated that the information supplied about the DDoS attack was without a doubt false. Pai also expressed his disappointment in the false communications coming from the former FCC Chief Information Officer.
Why it was so easy to blame a DDoS attack
Believe it or not, DDoS attacks are incredibly common. For example, Deloitte predicted that in 2017 the world would see in excess of 10 million DDoS attacks on networks and services. That makes DDoS an easy scapegoat: a service becomes unavailable and you can simply name a distributed DoS attack as the culprit.
DDoS attacks are also very similar in nature to an excess demand for services: lots of requests from actors distributed across a vast geographic space. Clearly any company or government agency that wants to avoid the blame for its own incompetence could simply use DDoS as an excuse. But DDoS attacks are a serious, costly matter and should not simply be hauled out as an excuse.
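As an added example (not from the original article, and not based on any FCC data), here is a first check an operator could run on access logs during such an outage: it measures how concentrated the surge is across sources, and shows that a broad surge stays ambiguous on volume alone. The record layout, sample data, and thresholds are constructed assumptions.

```python
from collections import Counter

def summarize(records, top_n=5):
    """Volume and source-concentration metrics for one time window.

    records: iterable of (timestamp, client_ip, path) tuples (assumed layout).
    """
    per_client = Counter(ip for _, ip, _ in records)
    total = sum(per_client.values())
    top = sum(count for _, count in per_client.most_common(top_n))
    return {
        "requests": total,
        "clients": len(per_client),
        "top_share": top / total if total else 0.0,
        "max_per_client": max(per_client.values(), default=0),
    }

def triage(baseline, window, surge_factor=5, share_limit=0.5):
    """Label a window relative to a baseline. Thresholds are illustrative."""
    base, cur = summarize(baseline), summarize(window)
    if cur["requests"] < surge_factor * max(base["requests"], 1):
        return "normal"
    if cur["top_share"] >= share_limit:
        # A handful of sources dominate: candidates for per-source rate limits.
        return "surge-concentrated"
    # Many sources, few requests each: consistent with a flash crowd OR a
    # widely distributed flood. Volume alone does not settle which one.
    return "surge-broad"

def _clients(n, each, net):
    """Constructed sample: n clients in a private range, 'each' requests apiece."""
    return [(0, f"10.{net}.{i // 250}.{i % 250 + 1}", "/comment")
            for i in range(n) for _ in range(each)]

# Constructed windows, not real traffic.
BASELINE = _clients(20, 2, 0)                               # quiet period
BROAD = _clients(300, 2, 1)                                 # many light sources
CONCENTRATED = _clients(5, 100, 2) + _clients(20, 2, 0)     # few heavy sources

if __name__ == "__main__":
    for name, window in [("broad", BROAD), ("concentrated", CONCENTRATED)]:
        print(name, triage(BASELINE, window), summarize(window))
```

A "surge-broad" result is where attribution needs more evidence than request counts, such as whether the requests complete a normal session or match the timing of a public event.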
DDoS attacks are expensive – your business needs protection
The monetary costs of a DDoS attack can be high as your company is suddenly unable to respond to the genuine requests of customers. Thankfully, protective measures are available. A good DDoS protection measure should kick in rapidly, reducing downtime to minimal levels. In fact, look for protection that offers a service level agreement (SLA) guaranteeing to mitigate an attack in as little as ten seconds.
You can get protection that thwarts attacks against websites, your network infrastructure and even the name servers that direct users to your website, all inside a package that allows you to monitor when DDoS attacks were attempted and stopped. Of course, your vendor of choice needs to have the capacity to soak up a big DDoS attack, so look for sufficient demand-scrubbing capacity.
Just because the FCC lied about suffering from a DDoS attack in this instance doesn’t mean that DDoS attacks are not a risk: DDoS attacks can strike at any time and are not necessarily directed at companies that attract attention or the ire of the average Joe. Protect your business against ransom demands, misunderstandings and just general rabble-rousing by using a service that stops DDoS attempts in their tracks.