DDoS (Distributed Denial of Service) is a difficult concept for non-technical people to understand, but there's a way to explain it that any mischievous kid would understand.
DoS (Denial of Service) is the simple case. It involves sending a computer data that demands a response, with all of the data coming from a single source. If data is sent too often, the computer will have no time left to do any real work.
The kid's analogy to DoS is leaving a paper bag full of dog crap on someone's doorstep, lighting the bag on fire, ringing the doorbell, and running away. The victim opens the door, sees the flaming bag, stomps on it to put out the fire, and spends twenty minutes cleaning his shoes in the sink. Or so naughty kids dream.
Now imagine that the kid does this every half-hour -- and the homeowner is stupid enough to continue answering the door -- and the homeowner will spend most of his time on the prank. Voila, DoS.
DDoS is the same thing, only there are many attackers. So let's expand the prank. The house is now a building with one million doors, one million inhabitants, and one million sinks, and there are one million kids outside with an infinite supply of paper bags, dog crap, and matches. The entire building will be busy with the prank. Voila, DDoS.
A DDoS attack was first only possible because attackers were able to commandeer sufficient PCs in botnets, groups of PCs whose security had been compromised. The botnet PCs, a/k/a zombies, were taken over because their owners were incompetent, either being too cheap to pay for security software or incapable of recognizing phishing emails sent to them containing malware which burrowed into their operating systems.
Then there were booters, servers run by criminals for the express purpose of initiating DDoS attacks, but since there are only a small number of participating nodes, blocking the attack is much easier.
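As an added illustration of the distinction drawn above (one chatty source versus a million of them) and of why an attack from a handful of booter nodes is easier to block, here is a small Python classifier written for this page, not taken from the original post. It reads constructed access-log lines, measures per-source request rates, and reports how many sources would have to be blocked to bring the load back under a limit; the rate threshold, the 50% single-source share, and the RFC 5737 documentation addresses are assumptions.

```python
from collections import Counter

# Constructed sample access-log lines ("<unix_time> <client_ip> <request>"),
# not real traffic. Addresses are from the RFC 5737 documentation ranges.
NORMAL = [f"1700000{i:03d} 198.51.100.{i % 7} GET /" for i in range(0, 30, 3)]
# DoS: the normal trickle plus one source sending every second for 30 seconds.
DOS = NORMAL + [f"1700000{i:03d} 203.0.113.9 GET /" for i in range(30)]
# DDoS: the normal trickle plus 100 requests spread over 50 sources (2 each).
DDOS = NORMAL + [f"1700000{i % 30:03d} 192.0.2.{i % 50} GET /" for i in range(100)]


def parse(lines):
    """Turn log lines into (timestamp, client_ip) pairs."""
    events = []
    for line in lines:
        ts, ip, _request = line.split(" ", 2)
        events.append((int(ts), ip))
    return events


def analyze(lines, max_rate=1.0, single_source_share=0.5):
    """Return (verdict, sources_to_block) for one batch of log lines.

    verdict is "normal", "dos" (one source accounts for at least
    single_source_share of the requests) or "ddos" (the excess is spread
    over many sources). sources_to_block is the shortest list of sources
    whose removal brings the request rate under max_rate requests/second.
    """
    events = parse(lines)
    if not events:
        return "normal", []
    times = [t for t, _ in events]
    window = max(times) - min(times) + 1          # seconds covered by the batch
    per_source = Counter(ip for _, ip in events)
    total = sum(per_source.values())
    if total / window <= max_rate:
        return "normal", []
    # Greedily block the chattiest sources until the remaining rate is acceptable.
    # For a DoS this is one address; for a DDoS it is most of the source list.
    blocked, remaining = [], total
    for ip, n in per_source.most_common():
        if remaining / window <= max_rate:
            break
        blocked.append(ip)
        remaining -= n
    _top_ip, top_n = per_source.most_common(1)[0]
    verdict = "dos" if top_n / total >= single_source_share else "ddos"
    return verdict, blocked


if __name__ == "__main__":
    for name, batch in (("normal", NORMAL), ("dos", DOS), ("ddos", DDOS)):
        verdict, blocked = analyze(batch)
        print(f"{name}: verdict={verdict}, sources to block={len(blocked)}")
```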
Now DDoS attacks have moved up in scale to the IoT (Internet of Things), the universe of chatty lawnmowers, eavesdropping televisions, come-hither baby monitors, gossipy oxygen monitors, tattletale mattresses, vincible buildings, perceptive penis rings and many other things containing a small computer. Intel estimates that there were 2 billion IoT objects in 2006, with a projected 200 billion by 2020. Intel exited the motherboard, tablet, and smartphone businesses in order to concentrate on the IoT.
The security of IoT devices can be substantially improved by simply changing the default passwords, but at least some devices come with backdoors which customers cannot mitigate.
James Scott and Drew Spaniel of the Institute for Critical Infrastructure Technology wrote a white paper, Rise of the Machines: The Dyn Attack Was Just a Practice Run, offering a detailed explanation of DDoS attacks and attackers -- "nation state and mercenary APTs, hacktivists, cyber-criminal gangs, script kiddies, cyber caliphate actors, and hail-mary threat actors" -- with script kiddies being teenagers not competent enough to write software, who therefore resort to bought or borrowed scripts, showing just how easy it is to use DDoS.
Because Dyn, a DNS service provider, was hit, access to many popular websites was affected. The perpetrators could have launched a much more powerful attack, as it involved only 100,000 devices. "Maybe this was just a warning shot," said Ofer Gayer, a security researcher with Imperva, a DDoS mitigation provider. "Maybe [the hackers] knew it was enough and didn't need their full arsenal."
Scott and Spaniel noted, "The security of building automation systems is often neglected because neither managing companies nor property owners invest in network firewalls or other perimeter security," using the example of two housing blocks in Lappeenranta, Finland, which had their heating systems knocked offline for more than one week in late October and early November.
The authors' explanation for why IoT vulnerability exists is as follows: "The brunt of the vulnerabilities on the Internet and in Internet-of-Things devices, rest with DNS, ISPs, and IoT device manufacturers who negligently avoid incorporating security-by-design into their systems because they have not yet been economically incentivized and they instead choose to pass the risk and the impact onto unsuspecting end-users."
The only thing I would add is that manufacturers should be criminally incentivized as well. Don't just pierce the corporate veil; burn it away with a flamethrower.
The other option would require some reengineering of Internet hardware to restrict nodes from broadcasting certain types and quantities of traffic, but anarchists and libertarians would decry that as government meddling.
The authors noted, "Nearly every device vulnerable to Mirai was developed and manufactured outside the United States by manufacturers like Dahua or XiongMai." Our insatiable quest to outsource all manufacturing has led us to the point where consumers have no choice but to buy goods from a country with which we might be at war soon.
Bruce Schneier noted that in 2016, DDoS "attacks continued to become more frequent, persistent, and complex," reminding him of "a nation's military cybercommand trying to calibrate its weaponry in the case of cyberwar ... of the US's Cold War program of flying high-altitude planes over the Soviet Union to force their air-defense systems to turn on, to map their capabilities." It's problematic to conclusively identify a cyber-attacker, but it's probably China.
Scott and Spaniel mentioned a few at-risk sectors: financial, healthcare, and energy. The financial sector includes both Wall Street gambling and banking for the masses, with the latter being much more important than the former, though politicians believe they are of equal importance. Given our dependence upon technology in hospitals, future attacks in the healthcare sector may cost lives. If an attack in the energy sector is well-planned, e.g. in the middle of winter, people will freeze to death.
The ICIT brief, China’s Espionage Dynasty: Economic Death by a Thousand Cuts, pointed out: "The criminal culture of theft that has been injected into virtually every line of China’s 13th Five-Year Plan is unprecedented. From state sponsored smash and grab hacking and techno-pilfering, to corporate espionage and targeted theft of IP, never before in recorded history has IP transfer occurred at such a rapid velocity." Michael Pillsbury's book, The Hundred-Year Marathon, addresses this subject from a longer perspective and ends with the same conclusion. I touched on this before (here and here), as China has been allowed to steal the West's IP and advance its industries because our naive and foolish leaders assumed that China would play the capitalist game as Westerners do.
The ultimate use of DDoS attacks would be in wartime. Much of the military's communications gear does not depend upon the Internet, but virtually its entire support organization does. If a base has moved to VOIP telephone service, it would be out of touch. Government contractors would be almost entirely dependent upon the Internet. If the power grid were to be disabled, the government might be torn between using National Guard troops for foreign combat or domestic use, and it would increase stress on troops worried about their families back home. The military's ability to move troops, weapon systems, parts, ammunition, and supplies via road, rail, or air would be affected by the disabling of systems managing those methods of transport. And so on.
We either take control of the IoT or it will control us.