How can someone DDOS servers of a multibillion-dollar company (Blizzard) and how hard is it to track the person who does it?


Ok so like two days in a row there is someone DDOSing Blizzard WoW classic servers.

How can someone do this to such a big company? They have so many resources. And how hard is it to track the person who does this? I really don't understand why anyone would do this in the first place. Will the person go to jail for this or is it “untrackable”?


15 Answers

Anonymous 0 Comments

Do we know if the WoW and the Wikipedia attacks were from the same source?

Anonymous 0 Comments

Tracking the person can be fairly difficult depending on how the attack is carried out.

With botnets, for example, it is hard to find the originating IP, since the DDOS attack is coming from 100 different “people” all taking commands from somewhere else.

In today's case – the DDOS attacks on Blizzard were done by someone waving their new toy around using a 5+ year old Twitter account (that has since been suspended), a seemingly rookie mistake.

If Blizzard had the police involved, Twitter will have the IPs of every login connection made on that account in those 5+ years, some of which I can almost guarantee will be from the attacker's home address. Then all Twitter has to do is give the police this data, who'll then talk with ISPs to find out who had the certain IPs at the given time, and boom, jail time.

Anonymous 0 Comments

The “D” in “DDOS” stands for “distributed”, and it means that there are many computers on the attacking side.

Those can be from a botnet where the attacker has managed to install some sort of software on them. Or they can even be volunteers, where somebody posts a call for action on some forum and people voluntarily join in.

If you consider that somebody with a good connection might easily have 100 Mbps or more available, it adds up to big numbers very quickly.

Also consider that while Blizzard has a lot of servers, individually they’re not that strong. If a given machine has, say, 10 Gbps networking, then that particular machine only needs to be attacked by about a hundred machines or so. Bringing down a single machine might be plenty. It could be a particular server the attacker wants down, or worse, it might be some sort of central authentication server. Then nobody can log in even though you’ve just taken 1% of the datacenter’s total capacity.

Then there are amplification attacks. For instance, if you find something you can send to a server that’s small but produces a large response, this works in your favor. You send 100 bytes of junk, you get a 1KB error page back, that’s the victim doing your work for you. Now you only need 1/10th of the bandwidth on your side to take up all of theirs.

One can also attack other resources rather than just the network. For instance if disks are slower, or if some particular action consumes a lot of CPU time you can get a lot of effect that way. If the server needs 10 ms to process a given command, you only need to send 100 of those per second, and suddenly the CPU is 100% busy.
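A defender can measure the two ratios this answer describes on their own service. The following is an added example, not part of the original answer: it audits a constructed request log for endpoints whose responses are much larger than the requests (the 100 bytes in, 1 KB out case) and for endpoints where a low request rate is enough to keep a core fully busy (the 10 ms per command case). The log format, endpoint names and thresholds are assumptions made for illustration.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample log: endpoint, request bytes, response bytes, CPU ms per request.
SAMPLE_LOG = """\
/status 100 1000 0.5
/status 100 1000 0.5
/login 400 300 10
/login 420 300 10
/search 120 6000 40
/search 80 6000 40
"""

def parse(log):
    """Group (request_bytes, response_bytes, cpu_ms) samples by endpoint."""
    rows = defaultdict(list)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        endpoint, req, resp, cpu = parts
        rows[endpoint].append((int(req), int(resp), float(cpu)))
    return rows

def audit(log, max_amplification=5.0, min_saturation_rps=500.0):
    """Per endpoint: bytes out per byte in, and requests/s that saturate one core.

    Both thresholds are assumed values; tune them to your own capacity.
    """
    report = {}
    for endpoint, samples in parse(log).items():
        req_bytes = sum(s[0] for s in samples)
        resp_bytes = sum(s[1] for s in samples)
        amplification = resp_bytes / req_bytes
        # If one request costs cpu_ms of CPU, 1000/cpu_ms requests/s fill one core.
        saturation_rps = 1000.0 / mean(s[2] for s in samples)
        flags = []
        if amplification > max_amplification:
            flags.append("amplification")   # candidate for smaller replies or auth
        if saturation_rps < min_saturation_rps:
            flags.append("cpu")             # candidate for rate limiting or caching
        report[endpoint] = {"amplification": amplification,
                            "saturation_rps": saturation_rps, "flags": flags}
    return report

if __name__ == "__main__":
    for endpoint, result in audit(SAMPLE_LOG).items():
        print(endpoint, result)
```

Endpoints flagged for amplification are the ones to put behind authentication or give smaller error responses; endpoints flagged for CPU are the ones to rate-limit per client.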

Anonymous 0 Comments

The normal method is to hijack other computers to carry out the attack, so unless you can track who hijacked the computers, all you can track is the “innocent” people who got hacked first.

Anonymous 0 Comments

Same principle as any DDOS attack, just on a larger scale. Also there are some security services which they have to find a way around, but as almost always, there are more people trying to break in than people defending. If enough small fish try to get through the huge wall, eventually someone will find the crack.

Tracking is quite hard; these attackers normally know what they are doing. So normally it’s almost impossible to find the person reliably.