Readers like you keep news free for everyone.

More than 5,000 readers have already pitched in to keep free access to The Journal.

For the price of one cup of coffee each week you can help keep paywalls away.

Support us today
Not now
Saturday 4 February 2023 Dublin: 9°C
James Cridland via Flickr A DDoS attack is the online equivalent of overcrowding. If too many people show up, nobody can get in.
# Points Race
What's a DDoS 'cyber attack' anyway?
The CAO website is down after a malicious attack. What’s going on?

THE COLLEGE APPLICATIONS OFFICE (CAO) website has been inaccessible since mid-morning, leaving many potential college-goers in the dark as to whether they have been offered a place in third-level education.

But what exactly is going on to the website? What is this “malicious attack from an unknown source“?

Well, reports seem to indicate that the website is suffering from a ‘Distributed Denial of Service’ attack, or DDoS for short. Essentially, this exploits the limited amount of traffic that any web server can handle.

Let’s say, hypothetically, that the computer on which a website lives can handle 100 visitors at a time. This means that only 100 individual users would be able to access a page at once, so if 101 people all simultaneously tried to access the website’s homepage, one of them would be unable to connect to the site – it would simply be unable to respond to all of the requests.

The internet’s answer to overcrowding

In fact, the other 100 users might notice a significant slowdown in the speed of the website, such is the effect. In some cases, the website would seem to entirely lock down. It’s the online equivalent of overcrowding: if a room can fit 100 people, then if more show up, not only can they not get in, but the people in there can’t get out.

Try to imagine a large-scale version of this. If the CAO website can handle – again, taking a figure entirely hypothetically – 3,000 users at a time, then any visitors on top of this simply cannot be catered for. And, naturally enough, the website will slow down – or grind to a total halt – if more people try to visit.

What a DDoS attack does, to be basic, is deliberately flood a target website with requests for pages, to the point where the server is unable to respond to any requests, good or otherwise. Typically the people behind such an attack will use several machines to launch it, so that blocking the traffic from one computer’s individual IP address does not resolve the crisis. It’s possible that some of the machines being used are being hijacked without the knowledge or compliance of their owners.

In essence, unless a website has bucketloads of spare capacity (in which case, it should probably be using some of it all the time anyway) that it can activate, then the sheer volume of requests being received will cause the website to effectively keel over. And, in some cases, adding new capacity will not resolve the problem, because the attackers could alternatively find new machines to launch even more sustained attacks.

When it happens – and when it doesn’t

Major international websites – the likes of Facebook – will receive multiple DDoS attacks a day. They’re simply big enough, however, to absorb the extra hassle without any noticeable slow-down. Even the likes of has said it gets regular attacks, but constantly monitors and counters them as they arise.

The problem with the CAO site, it would seem, is that it’s not generally built to handle quite the level of traffic it’s getting this morning – the bulk of it, you might guess, being maliciously sent.

Therefore the only real tactic a website can use to resolve a DDoS is to try and identify the IP addresses from which the traffic is coming, and then block these addresses from submitting any requests – freeing up space for the genuine web users. The CAO appears to have resolved its problems, however, and looks to be back up and running – a welcome return to action for the 77,628 students hoping for a college offer today.

In the meantime, potential college-goers are reminded that if they’ve been offered a college place, they should also have received a copy of the order via the post – and can also respond to the offer by post.

Those who can’t access their physical post need not worry, either: first round offers can be accepted any time up until next Monday, before offers are withdrawn and reallocated in the Round 2 offers.