On September 20, 2016, security blogger Brian Krebs was hit with “an extremely large and unusually distributed denial-of-service (DDoS) attack designed to knock the site offline”. According to Krebs, “The attack did not succeed thanks to the hard work of the engineers at Akamai, the company that protects my site from such digital sieges”. Akamai has said, “It was nearly double the size of the largest attack we had seen previously and was among the biggest assaults the Internet has ever witnessed.”
However, on September 22, 2016, Akamai dropped Mr. Krebs’s blog from its protection because of the cost of absorbing a second sustained distributed denial-of-service attack. The source of the attack is thought to have been tens of thousands of compromised digital video recorders that either had default passwords or ran vulnerable web-serving code.
Types of Denial of Service and Distributed Denial of Service attacks
A Denial of Service (DoS) attack overwhelms a network gateway or host either by sending more connection requests than it can track or by the sheer volume of packets, exhausting the system’s bandwidth, connection state or processing resources. Attacks are usually classified by the resource they exhaust: Volumetric, Network (protocol) or Application attacks. When many computers combine their bandwidth and connections against one target, the attack is called a Distributed Denial of Service, a.k.a. the DDoS. Most DoS attacks today come from multiple sources and combine several of these vectors at once, and as such are true DDoS attacks.
1. Volumetric Attack
A Volumetric Attack saturates the link to a targeted network with more packets than its bandwidth can carry. By flooding the target and slowing or stopping its services, the attackers achieve their goal. Attack traffic can reach hundreds of Gbps, and recent attacks have scaled to 1.7 Tbps.
Usually this type of attack comes from botnets of compromised computers, all transmitting towards a single target; many floods are further amplified by bouncing small spoofed requests off open UDP services (DNS, NTP and the like) whose replies to the victim are many times larger than the request. When a single computer is “bot compromised” it may work normally for its owner, but it has a Manchurian Candidate-like switch that, when thrown, joins it to an army of other “bot compromised” computers with the single aim of smothering the target with requests. Imagine trying to receive a phone call while thousands of callers were dialling your number at the same time. No one would get through.
2. Network Based Attacks
Network Based Attacks are similar but are aimed more specifically at protocol state, classically the three-way handshake of the Transmission Control Protocol (TCP). The attacker sends the initial synchronize (“SYN”) request; the victim replies with a SYN-ACK, reserves an entry in its connection backlog and waits for the attacker’s acknowledgement (“ACK”) packet, which never arrives, so the half-open connection sits there until it times out. Because the source addresses are usually spoofed, every SYN can appear to come from a different, unreachable address. When this happens thousands of times a second the backlog fills, legitimate SYNs are dropped, memory is depleted and the system may even crash.
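The half-open bookkeeping described above is exactly what a sensor needs in order to spot a SYN flood. The following is an added example, not code from the original article: it replays a constructed list of packet summaries (the kind of fields a tcpdump export gives), counts half-open connections per listener, and reports when they exceed a threshold. The sample traffic, the threshold of 20 and the 3-second timeout are all assumptions chosen for the illustration.

```python
from collections import defaultdict

# Constructed sample traffic, not a real capture. Each record is
# (t_ms, src_ip, dst_ip, dst_port, tcp_flags) for client->server packets only;
# the server's SYN-ACK replies are not needed to count half-open connections.
SAMPLE_PACKETS = [
    (0, "203.0.113.10", "198.51.100.5", 443, "S"),    # legitimate client sends SYN
    (30, "203.0.113.10", "198.51.100.5", 443, "A"),   # ...and the final ACK of the handshake
    (700, "203.0.113.11", "198.51.100.5", 80, "S"),   # another normal connection on port 80
    (720, "203.0.113.11", "198.51.100.5", 80, "A"),
]
# 50 SYNs in half a second from distinct (spoofed) addresses that never send the ACK
SAMPLE_PACKETS += [
    (100 + i * 10, f"192.0.2.{i + 1}", "198.51.100.5", 443, "S") for i in range(50)
]


def detect_syn_flood(packets, threshold=20, syn_timeout_ms=3000):
    """Replay packets in time order and count half-open connections
    (SYN seen, no ACK yet) per listener (dst_ip, dst_port).

    Returns (alerts, per_source_syns):
      alerts          -> {(dst_ip, dst_port): (t_ms_of_alert, half_open_count)}
      per_source_syns -> {src_ip: syn_count}; with spoofed sources every address
                         sends one SYN, which is why per-source limits miss this.
    `threshold` and `syn_timeout_ms` are assumptions chosen for the sample,
    not tuned production values.
    """
    half_open = defaultdict(dict)   # (dst_ip, dst_port) -> {src_ip: t_ms of its SYN}
    alerts = {}
    per_source = defaultdict(int)

    for t, src, dst, port, flags in sorted(packets):
        key = (dst, port)
        # Forget entries older than the timeout, as a kernel does once it stops
        # retransmitting the SYN-ACK and drops the half-open connection.
        for s, t0 in list(half_open[key].items()):
            if t - t0 > syn_timeout_ms:
                del half_open[key][s]

        if "S" in flags and "A" not in flags:   # pure SYN: a new half-open slot
            half_open[key][src] = t
            per_source[src] += 1
        elif "A" in flags:                       # client's ACK: handshake complete
            half_open[key].pop(src, None)

        count = len(half_open[key])
        if count >= threshold and key not in alerts:
            alerts[key] = (t, count)

    return alerts, dict(per_source)


if __name__ == "__main__":
    found, sources = detect_syn_flood(SAMPLE_PACKETS)
    for (dst, port), (t, n) in found.items():
        print(f"SYN flood against {dst}:{port}: {n} half-open connections at t={t} ms")
    print("max SYNs from any single source:", max(sources.values()))
```

On the sample the alert fires at the 20th unanswered SYN to port 443, while port 80, whose connections complete normally, stays quiet. The second return value makes the practical point: every spoofed source sent exactly one SYN, so a per-source rate limit would see nothing unusual; it is the half-open count per listener, or a mechanism such as SYN cookies in the server’s TCP stack, that deals with this class of attack.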
3. Application Layer Attacks
Although less frequent and more sophisticated, Application Layer Attacks can be harder to detect and mitigate, because each request looks like legitimate traffic and makes the server do real work. Usually, as part of a multi-vector approach, the attacker targets DNS, HTTP and HTTPS, mostly because these are the protocols that carry everyday internet traffic. Think about the internet’s Domain Name System (DNS). When you type in a domain name like google.com, your computer needs to find the IP address for that name, because IP addresses are how computers find each other. DNS translates blog.eccouncil.org to an IP address like 220.127.116.11 or, in IPv6, 2607:f8b0:4004:804::2004. When the DNS servers are overwhelmed, no one can look up the address and everyone gets a ‘Web Page Unavailable’ page.
Application Layer Attacks also target web servers directly, and taking out a website is the easiest way to affect the thousands of users who depend on it.
How They Do It
The attacks are carried out with an array of botnets and tools. Some tools are very simple and just generate SYN requests, while others are more sophisticated, like the Low Orbit Ion Cannon (LOIC) and High Orbit Ion Cannon (HOIC), and can be used by groups to make hacktivist public statements.
According to Wikipedia, LOIC was used by users of 4chan (the community out of which Anonymous grew) during Project Chanology to attack websites such as those of the Church of Scientology and the Recording Industry Association of America. LOIC was used again by Anonymous during Operation Payback in December 2010 to attack the websites of companies and organizations that they opposed.
Why They Do It
There are many motivations for DoS attacks, including random pranks, hacktivism against your industry or country, extortion (“pay us and we’ll stop”), disgruntled employees, market manipulation, diversion to mask data theft, competition and bragging rights amongst hackers, and nation-state-sponsored social engineering.
Some Instances of Recent DDoS Attacks are:
- In 2015, as residents of New Jersey were getting ready to celebrate Independence Day, those who tried to partake in a little online gambling on a Thursday afternoon were met with some unwanted resistance. Four of New Jersey’s internet gaming sites were hit by a DDoS attack, causing them to be inaccessible for a short period of time. “At least four casinos were impacted and experienced downtime,” said New Jersey Division of Gaming Enforcement (DGE) Director David Rebuck.
- In Serbia last year, the Pescanik website said that it had been brought down by a DoS attack directly after publishing allegations that Serbian Interior Minister Nebojsa Stefanovic had plagiarized parts of his PhD thesis.
- According to Spirent, the latter part of 2017 saw a marked increase in the number and size of DDoS attacks around the world. The political crisis in Qatar coincided with an attack on the website of Al Jazeera, one of the largest news networks in the world. The French presidential election was disrupted by attacks on the Le Figaro and Le Monde websites. And in Great Britain, the website used for Brexit voter registration was rendered useless by an attack that stopped some voters from registering.
As we can see, DoS and DDoS attacks are commonplace and among the easiest attacks to perpetrate.
Countering DoS Attacks
DoS attacks can also be costly to defend against. Mitigating the attack on Brian Krebs was estimated to cost $100,000 a day. A cost this high could put most businesses into the red quickly if the attack were allowed to continue.
The bigger commercial sites use third-party DoS mitigation services, but they still stand to lose money for every minute their sites are down. Some ISPs can provide sufficient DoS mitigation, and some networking and firewall techniques help on the victim’s own equipment: SYN cookies in the server’s TCP stack, per-source connection and request rate limits on the firewall or reverse proxy, and dropping unsolicited traffic for protocols the site does not serve.
DoS defense and mitigation need to be planned with regard to your business, and planned before it is too late.
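The per-source rate limit mentioned above is simple enough to show end to end. The following is an added example, not code from the original article or any firewall product: a token-bucket limiter keyed by source address, exercised against a constructed schedule in which one client sends 5 requests a second and another floods at 500 a second. The 10 requests/second rate, the burst of 20 and the bound on tracked sources are assumptions chosen for the illustration; time and tokens are kept as integers so the arithmetic is exact.

```python
from collections import defaultdict


class TokenBucket:
    """Token bucket refilled at `rate` tokens per second, holding at most `burst`.

    Tokens are stored as millitokens and time as milliseconds (integers), so the
    refill arithmetic is exact and the admission count is reproducible.
    """

    def __init__(self, rate, burst, now_ms):
        self.rate = rate                  # tokens per second == millitokens per ms
        self.capacity = burst * 1000
        self.tokens = self.capacity       # a new source starts with a full burst
        self.last = now_ms

    def allow(self, now_ms):
        self.tokens = min(self.capacity, self.tokens + (now_ms - self.last) * self.rate)
        self.last = now_ms
        if self.tokens >= 1000:           # one request costs one whole token
            self.tokens -= 1000
            return True
        return False


class PerSourceLimiter:
    """One bucket per source address, with a hard cap on how many are tracked."""

    def __init__(self, rate, burst, max_tracked=10_000):
        self.rate, self.burst, self.max_tracked = rate, burst, max_tracked
        self.buckets = {}

    def allow(self, src, now_ms):
        bucket = self.buckets.get(src)
        if bucket is None:
            if len(self.buckets) >= self.max_tracked:
                # Bound the state table so the limiter itself cannot be exhausted
                # by a flood of never-repeating spoofed sources: evict the bucket
                # that has been idle the longest (linear scan; fine for a demo).
                idle = min(self.buckets, key=lambda s: self.buckets[s].last)
                del self.buckets[idle]
            bucket = self.buckets[src] = TokenBucket(self.rate, self.burst, now_ms)
        return bucket.allow(now_ms)


def simulate(rate=10, burst=20):
    """Constructed schedule (not real traffic): a normal client at 5 req/s and a
    flooding client at 500 req/s, both for 10 seconds, sharing one limiter.
    Returns {src_ip: (requests_sent, requests_admitted)}."""
    limiter = PerSourceLimiter(rate, burst)
    events = [(k * 200, "203.0.113.10") for k in range(50)]     # 5 req/s, 50 requests
    events += [(k * 2, "192.0.2.77") for k in range(5000)]      # 500 req/s, 5000 requests
    events.sort()
    stats = defaultdict(lambda: [0, 0])
    for t, src in events:
        stats[src][0] += 1
        if limiter.allow(src, t):
            stats[src][1] += 1
    return {src: tuple(v) for src, v in stats.items()}


if __name__ == "__main__":
    for src, (sent, admitted) in simulate().items():
        print(f"{src}: {admitted}/{sent} requests admitted")
```

The normal client never notices the limiter (50 of 50 admitted), while the flooder gets its initial burst of 20 and then one request per 100 ms, 119 of 5000 in total. Two caveats a practitioner should keep in mind: the limiter’s own state table is a resource an attacker can aim at, which is why the example caps it and evicts idle entries; and per-source limiting only helps against sources that repeat. A spoofed SYN flood, where each address appears once, walks straight through it, and there the answer is SYN cookies (on Linux, net.ipv4.tcp_syncookies) and upstream mitigation rather than anything keyed on the source address.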
About the Author:
Tom Updegrove is the CEO of InterNetwork Service, an Information Security services company, and the CTO of CIAsecure. Tom regularly maintains back-office support for firewalls, VPNs, IDS, malware protection, secure email, IP-based CCTV, VOIP, cloud computing and many of today’s other cutting-edge technologies, including conducting regular penetration tests as part of patch management services. Tom is also a Certified EC-Council Instructor (CEI) with over 20 years of experience providing technical and security services.
Disclaimer: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of EC-Council.