How a Denial-of-Service Attack Works

Another approach is to flag suspicious individual machines that seem to be behind an attack, and ban any traffic from them from reaching the site.

That can often be difficult, though, because criminals use "proxy" computers to route their traffic, masking the source of the original requests. Proxy computers are often other infected computers that are part of a botnet.

Q: Is there usually evidence of who the culprits were? Or is the nature of the attack such that it leaves few fingerprints?

A: It's usually easier to stop a denial-of-service attack than it is to figure out who's behind it. Simply identifying where the malicious traffic is coming from won't get investigators very far, since the infected PCs that get roped into a botnet are owned by innocent people who don't know their computers are being used for nefarious purposes.

Pat Peterson, a security researcher and fellow at Cisco Systems Inc., says sophisticated attackers have also been adding a more subtle approach to evade detection.

Instead of directing huge amounts of traffic at a target site, they'll make more complicated requests one at a time that eat up more of the site's computing power, like trying to log in using bogus usernames and passwords. If enough of those requests are made, on a site that requires a lot of computing power, the effect can be the same, and the site gets knocked out.

This type of attack is trickier because it doesn't involve the sort of massive traffic surge that would normally tip off network administrators.