But DDoS-defense tools aren't perfect, and Nazario says they never will be. That's because attackers are getting smarter, too. The savviest hackers have begun to analyze their targets for weaknesses. If they find a page on a site that generates a lot of internal processing, or makes a lot of database calls, then they craft their attack to take advantage of that resource-hogging feature. "We've seen them do a lot of reconnaissance to find out the best place on the site to attack—if they find that a handful of requests on this page, say, will bring down the whole site, they'll attack that," Nazario says. What's more, the tools to launch an attack are now much more easily available than in the past. Twitter and Facebook also make it simpler for attackers to recruit and organize their efforts. Anonymous, the group behind the pro-WikiLeaks attacks, has been launching its DDOS efforts using a program called LOIC, which stands for "Low Orbit Ion Cannon." Followers can download LOIC and instantly join a hive whose target is set by a central administrator.
The denial-of-service attacks that make the news are often ones that are launched for some ideological purpose. The most famous such example occurred in 2007, when hackers brought down the sites of banks, newspapers and other public institutions in Estonia. Although the attackers were never formally charged, many experts blame the attack on a group of Russian hackers who used DDoSes as a kind of cyber warfare, possibly with the blessing of the Russian government. Smaller, ideologically motivated attacks pop up all the time. In September, the meme-inspiring, prank-obsessed message board 4Chan took down the site of the Motion Picture Association of America. Last month, 4Chan set its sites on Tumblr, the blogging platform that 4Chan folks believe is overrun with lazy hipsters. That attack doesn't seem to have worked.
But ideological attacks, Nazario says, are the minority—most DDoSes are launched for much more pedestrian reasons. The main one is business competition; a shady company might hire the operators of a botnet to take down its rivals' site. Extortion is also a big thing, with hackers threatening to take companies offline unless they pay up. "Believe it or not," Nazario adds, "one of the big growth areas we see is people building small botnets to get an upper hand in online gaming. You've identified someone who's better at the game than you, but maybe you can knock his computer offline with an attack and then win the game."
This week's attacks didn't result in that sort of direct kill. While parts of the Visa, MasterCard, PostFinance (a Swiss bank that closed Assange's account), and PayPal Web sites went down for a brief while on Wednesday, the attacks don't seem to have done any serious damage to these companies. In particular, none of their primary operations were down—the attacks did nothing to prevent people from using their Visa and MasterCard accounts, or from paying with PayPal. It's unlikely that the DDoS can achieve much more than that. Still, for no money and very little time, the attackers made headlines around the world. That's not a bad return on their investment.