What you are describing is a DDoS and most major websites pay for services to defend against such things. To overwhelm CDN's and DDoS scrubbing centers assuming the site is using them would require overwhelming the CDN and DDoS scrubbing centers and the numbers would depend on what resources these companies have and how fat the bandwidth pipes are. About 30% of people using these services report they get overwhelmed at times.
You specifically asked about "how many users" I assume customers. Customers are rarely the ones performing a DDoS unless servers are improperly configured causing a company to DDoS itself from it's own customers. This is never intentional and is usually short lived usually because the company launched an event they did not properly plan and scale for or an engineer flubbed an update. Once the event is over or the planned change was reverted the DDoS will likely cease and some people will be fired and/or they will better plan next time maybe.
If you mean all the customers one day decided to revolt and they all agreed to commit felonies then it is unlikely they could achieve a full sustained outage for long as their identity and IP addresses are already well known. Customers do have the advantage of being able to attack authenticated and thus going deeper into the stack increasing load. If anonymous attackers can do much the company may need to rewrite everything. It would make for some good bodycam videos and I will enjoy all of them with snacks. Bonus if they manage to get reviewed by Donut Operator.
For actual DDoS attacks, official detailed numbers will never be public as this would tell attackers how much more they need to spend to achieve 100%. It will vary by company, ddos cdn's and scrubbing sites used, website infrastructure, how well applications are coded and a number of other factors.
If you mean all the customers one day decided to revolt and they all agreed to commit felonies then it is unlikely they could achieve a full sustained outage for long as their identity and IP addresses are already well known.
If you feel like saying more, I'm wondering what actions a platform could take to stop an attack like this by their customers, and especially how easy or difficult it would be to stop without impacting business as usual (like say business with customers who weren't part of the attack?)
If customers were being malicious the normal process would be to
- block them by their IP accepting that if they are being a SNAT or CG-NAT legit customers may be blocked for a while. Adjust procedure based on whatever attack tools and resources are being utilized.
- have internal meeting with head of legal, all the C-levels, head of customer support
- send cease and desist emails from the legal department and/or cancel their accounts or just:
- coordinate with the FBI, provide logs and specific customer information to FBI or whichever agencies are appropriate for the customers physical locations on file.
- get a cup of coffee and maybe put some Kava in it to stay awake but also chill. Work on other tasks until the FBI wants more logs or whatever.
- maybe guess why customers are being buttholes and if the company actually did something to deserve it. Maybe update CV. Go for a walk with head on a swivel in case angry customers are in parking lot. Sit on thinking chair (toilet).
The number of users required depends on the website, what hardware it’s running on, what scaling it has in place, and what caching it has in place.
It’s called a DDOS — distributed denial of service.
It sometimes even happens inadvertently. Way back when, a server unintentionally brought to its knees by excessive traffic was said to have been “slashdotted”, after a then-popular tech site. Hitting the front page of HN or Reddit has had that effect on some sites too. It used to be more common before cloud hosting became ubiquitous — when auto-scaling apps was harder (or even essentially impossible) to implement and static-ish sites weren’t effectively hosted on CDNs.
Against a small-time operator or one with a very outdated approach to hosting, maybe. Most decent sized sites now have DDOS protections and manual scaling if not auto-scaling. And these days human traffic at many sites pales in relation to bot traffic.
It happens all the time, and it doesn’t even require coordination, just synchronized intent.
Examples:
- ai.com launching with a super bowl ad and being taken down just from large sign up volume
- Taylor Swift drops an album on Spotify, everyone rushes to stream it, crashes Spotify
- random small websites get featured on reddit front page and get hit offline
> how large would the number of users need to be
depends on the target. small website on shared hosting could be hit offline by 1000 concurrent users. major platform might need millions of users concurrently hitting write paths, not just loading cached/static content. or all requiring open sustained connections
What you are describing is a DDoS and most major websites pay for services to defend against such things. To overwhelm CDN's and DDoS scrubbing centers assuming the site is using them would require overwhelming the CDN and DDoS scrubbing centers and the numbers would depend on what resources these companies have and how fat the bandwidth pipes are. About 30% of people using these services report they get overwhelmed at times.
You specifically asked about "how many users" I assume customers. Customers are rarely the ones performing a DDoS unless servers are improperly configured causing a company to DDoS itself from it's own customers. This is never intentional and is usually short lived usually because the company launched an event they did not properly plan and scale for or an engineer flubbed an update. Once the event is over or the planned change was reverted the DDoS will likely cease and some people will be fired and/or they will better plan next time maybe.
If you mean all the customers one day decided to revolt and they all agreed to commit felonies then it is unlikely they could achieve a full sustained outage for long as their identity and IP addresses are already well known. Customers do have the advantage of being able to attack authenticated and thus going deeper into the stack increasing load. If anonymous attackers can do much the company may need to rewrite everything. It would make for some good bodycam videos and I will enjoy all of them with snacks. Bonus if they manage to get reviewed by Donut Operator.
For actual DDoS attacks, official detailed numbers will never be public as this would tell attackers how much more they need to spend to achieve 100%. It will vary by company, ddos cdn's and scrubbing sites used, website infrastructure, how well applications are coded and a number of other factors.
Thanks.
If you mean all the customers one day decided to revolt and they all agreed to commit felonies then it is unlikely they could achieve a full sustained outage for long as their identity and IP addresses are already well known.
If you feel like saying more, I'm wondering what actions a platform could take to stop an attack like this by their customers, and especially how easy or difficult it would be to stop without impacting business as usual (like say business with customers who weren't part of the attack?)
If customers were being malicious the normal process would be to
- block them by their IP accepting that if they are being a SNAT or CG-NAT legit customers may be blocked for a while. Adjust procedure based on whatever attack tools and resources are being utilized.
- have internal meeting with head of legal, all the C-levels, head of customer support
- send cease and desist emails from the legal department and/or cancel their accounts or just:
- coordinate with the FBI, provide logs and specific customer information to FBI or whichever agencies are appropriate for the customers physical locations on file.
- get a cup of coffee and maybe put some Kava in it to stay awake but also chill. Work on other tasks until the FBI wants more logs or whatever.
- maybe guess why customers are being buttholes and if the company actually did something to deserve it. Maybe update CV. Go for a walk with head on a swivel in case angry customers are in parking lot. Sit on thinking chair (toilet).
Hire a qualified CISO.
The number of users required depends on the website, what hardware it’s running on, what scaling it has in place, and what caching it has in place.
It’s called a DDOS — distributed denial of service.
It sometimes even happens inadvertently. Way back when, a server unintentionally brought to its knees by excessive traffic was said to have been “slashdotted”, after a then-popular tech site. Hitting the front page of HN or Reddit has had that effect on some sites too. It used to be more common before cloud hosting became ubiquitous — when auto-scaling apps was harder (or even essentially impossible) to implement and static-ish sites weren’t effectively hosted on CDNs.
I wonder if something like this could work as a form of protest. Like a DDOS attack through real traffic from protesters?
Against a small-time operator or one with a very outdated approach to hosting, maybe. Most decent sized sites now have DDOS protections and manual scaling if not auto-scaling. And these days human traffic at many sites pales in relation to bot traffic.
It happens all the time, and it doesn’t even require coordination, just synchronized intent.
Examples:
- ai.com launching with a super bowl ad and being taken down just from large sign up volume
- Taylor Swift drops an album on Spotify, everyone rushes to stream it, crashes Spotify
- random small websites get featured on reddit front page and get hit offline
> how large would the number of users need to be
depends on the target. small website on shared hosting could be hit offline by 1000 concurrent users. major platform might need millions of users concurrently hitting write paths, not just loading cached/static content. or all requiring open sustained connections
> what would they have to do
just all do the same thing at the same time.
Interesting, thanks