Availability is the reliability of access to information.

Availability is an important consideration in information security as well. Imagine that you were somehow able to guarantee that a message was completely accurate and confidential, but you could not guarantee that it would actually arrive at its destination. This is such an important piece of the CIA Triad that it is subject to one of the more common attacks on computer systems.

The Distributed Denial-of-Service (DDoS) Attack

The Internet is pretty amazing. A person can sit at home at her computer, search the World Wide Web for the best price on backpacks, compare the results of multiple online retailers, select one, make a secure purchase through SSL-encrypted protocols, and receive the item in the mail. Not only that, but thousands of other people may be doing the exact same thing in their homes—all over the world—and never know about each other. No standing in lines, no competing for a salesperson’s attention.

Moreover, in this scenario, the consumer interacts with a bunch of websites, not just the retailer. Perhaps she visits a search engine to find and visit specialized websites for price comparison, reviews, and retail. The entire process as a whole involves two-way communication between multiple computer systems.

Imagine that one of these pieces suddenly becomes unavailable—how does that affect the scenario?

An Analogy

Imagine that you are in a classroom of about 30 students. Alice and Bob are the class “know-it-alls” who always raise their hands to answer questions posed by the teacher, Mr. Garrison. A fellow student, Eve, decides to play a trick on them. She visits each of the other students in the class and convinces them to raise their hands anytime Mr. Garrison asks a question. Assuming he calls on any of the other students, not Alice or Bob, they agree to respond, “May I go to the restroom?” or “Did you lose some weight?” or something else unrelated.

How does this affect the classroom dynamic? Will Mr. Garrison’s question be answered? How long will it take? How does he know who in the class will respond with a legitimate answer and who won’t?

A DDoS attack works in much the same way. Multiple computers are infected with malware (malicious software) so that an attacker may coordinate them to send requests to a web server at the same time—much like Eve orchestrated the synchronized hand raising. So, instead of the situation described above, where the retailer is interacting with multiple real consumers, it is also interacting with a flood of irrelevant requests, like “Reload the home page.” Because the server cannot distinguish between legitimate and bogus requests, real consumers may have to wait an exceedingly long time for their requests to be addressed. To them, however, it just seems as if the server has stopped responding.
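To put numbers on that waiting time, here is a small simulation added to this page as an illustration (it is not part of the original lesson). It assumes a server that answers a fixed number of requests per time step in first-come, first-served order; the function name, the parameters, and the traffic figures are all made up for the example.

```python
from collections import deque

def simulate(ticks, capacity, legit_per_tick, bots=0, requests_per_bot=1):
    """Run a first-come, first-served server for `ticks` time steps.

    Returns (mean wait in ticks of the legitimate requests that were answered,
             legitimate requests answered, legitimate requests sent).
    """
    queue = deque()   # each entry: (arrival_tick, is_legit)
    waits = []        # waiting time of every answered legitimate request
    bogus_per_tick = bots * requests_per_bot
    for t in range(ticks):
        # The server sees one undifferentiated stream of requests. The
        # is_legit flag exists only so we can measure the outcome; it never
        # influences which request is answered next.
        queue.extend([(t, False)] * bogus_per_tick)
        queue.extend([(t, True)] * legit_per_tick)
        # Answer at most `capacity` requests this tick, oldest first.
        for _ in range(min(capacity, len(queue))):
            arrived, is_legit = queue.popleft()
            if is_legit:
                waits.append(t - arrived)
    mean_wait = sum(waits) / len(waits) if waits else 0.0
    return mean_wait, len(waits), ticks * legit_per_tick

if __name__ == "__main__":
    # Constructed scenario: the server handles 10 requests per tick and real
    # consumers send 5 per tick. In the flood case, 45 infected machines each
    # add just one request per tick.
    for label, bots in (("normal", 0), ("flood", 45)):
        wait, answered, sent = simulate(100, 10, 5, bots=bots)
        print(f"{label:6s} mean wait = {wait:4.1f} ticks, "
              f"answered {answered} of {sent} legitimate requests")
```

In the flood case each infected machine sends less traffic than the real consumers do combined, yet together they push the backlog up on every tick, so most real requests are still waiting when the run ends.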

Think About It

Can you imagine any solutions to the DDoS attack? How might Mr. Garrison solve and/or prevent the analogous attack in his classroom? What are some potential drawbacks to any solutions he implements? How well do these solutions carry over to DDoS attacks on web servers?