DDoS: The New/Old Plague of the Web

Written by Jart Armin
2/15/2012 15 comments

Distributed denial-of-service (DDoS) came into the public eye over 12 years ago, with attacks on Websites such as Amazon, CNN, E*Trade, Yahoo, and eBay, for financial gain. DDoS is still in regular use for many more reasons, including hacktivism, revenge, extortion, and ideology.

It almost seems like a step back in time to say that DDoS is the new plague of the Web, as in many ways DDoS is old hat. But 2011 and early 2012 have seen an unprecedented number of DDoS attacks with Websites targeted across a variety of industry sectors, including financial, military, government, social media, etc. So why and how has DDoS gained in popularity as an attack tool?

Let’s start by banishing a few persisting misconceptions about DDoS.

First, the self-proclaimed hacktivist group, Anonymous, was not the first to use DDoS for political reasons. In many people’s minds today, Anonymous and DDoS have become synonymous, and certainly the group's high-profile, large-scale assaults propelled DDoS into the public arena. But politically motivated DDoS had its beginnings back in May 2007, when Estonian Websites came under attack on a scale and sophistication never seen before, following a dispute between Russia and Estonia over the relocation of Soviet-era grave markers and statues. This, together with attacks on Georgia in August 2008, firmly marked an association among DDoS, cyber-attacks, and political motivation.

The next widely held misconception is that the bigger the DDoS flood, the more damaging it is. It is now understood that a small, persistent attack, sometimes blended with other attack methods, can be just as damaging.

Early on, DDoS was achieved mainly through flooding: sending as much traffic as possible to the intended target from more than one computer. But DDoS has evolved. Research from global application security provider Radware shows that in 2011, around 76 percent of attacks flooded their targets with less than 1 Gbit/s of traffic, while only 9 percent of attacks consisted of 10 Gbit/s or more.

Radware condemns the media hype that sensationalizes large attacks, as this can mask the need for organizations to build defenses against anything other than large floods of traffic.

Radware helpfully separates the major DDoS attack types into three simplified categories:

  • Brute force on the network, needing few resources to maintain a connection
  • Connection-based floods that need a legitimate connection
  • RUDY (R-u-dead-yet) attacks, e.g., Slowloris HTTP DoS, which use minimal bandwidth and target specific vulnerabilities
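To make the low-bandwidth point concrete, here is an added example (written for this page, not code from the article or from Radware) in Python: a volume threshold that would catch a multi-gigabit flood never fires on a Slowloris-style source that holds many idle, half-finished connections, while a check on connection state does. The connection snapshot, addresses and thresholds are constructed.

```python
"""Added example: volume threshold vs. connection-state check.

Input is a constructed snapshot of a web server's open connections:
source IP, seconds the connection has been open, bytes received so far,
and whether the HTTP request head has arrived completely.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Conn:
    src: str
    age_s: float          # how long the connection has been open
    rx_bytes: int         # bytes received from the client so far
    headers_done: bool    # True once the request head was fully received


# Constructed snapshot: one normal client plus one source holding
# 25 old, nearly idle connections that never finish their headers.
SNAPSHOT = [
    Conn("203.0.113.5", 0.4, 512, True),
    Conn("203.0.113.5", 1.1, 640, True),
] + [Conn("198.51.100.9", 40.0 + i, 60 + i, False) for i in range(25)]


def volume_suspects(conns, gbps_threshold=1.0, window_s=60.0):
    """Flood-style check: sources whose received bytes over the window
    exceed a bandwidth threshold. A trickle never trips this."""
    rx = defaultdict(int)
    for c in conns:
        rx[c.src] += c.rx_bytes
    bps_limit = gbps_threshold * 1e9 / 8          # Gbit/s -> bytes/s
    return sorted(s for s, b in rx.items() if b / window_s > bps_limit)


def slow_suspects(conns, min_conns=10, min_age_s=30.0, max_bytes=1024):
    """Slow-header check: sources holding many old, low-byte connections
    whose request head has still not completed."""
    held = defaultdict(int)
    for c in conns:
        if (not c.headers_done and c.age_s >= min_age_s
                and c.rx_bytes <= max_bytes):
            held[c.src] += 1
    return sorted(s for s, n in held.items() if n >= min_conns)


if __name__ == "__main__":
    print("volume:", volume_suspects(SNAPSHOT))   # []
    print("slow:", slow_suspects(SNAPSHOT))       # ['198.51.100.9']
```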

Whatever the misconceptions, DDoS as an attack tool has gained momentum, producing an outflow of new and more efficient DDoS tools that are easy to get hold of and easy to use. Over recent months, in many dark and cybercrime markets, DDoS tools have been outselling most other exploits and crimeware.

This buying and selling of DDoS tools has become a commercial enterprise that caters to anyone from the amateur to the professional criminal. For many it has become the ultimate attack tool that can critically disable its target. However, as the more recent toolkits have shown, while DDoS-ing the victim these tools also inject malware, steal passwords, grab data, etc., for commercial or competitive gain and against any defense. Thus the rise of DDoS within a blended attack combines the damaging effects of network and application floods.

The DDoS tools out there now are too numerous to mention specifically, but Arbor recently did a good job of compiling a long list. They range from the simple to the complex. Of the commercial DDoS services, the best known are probably the bank-robbing botnet, "Darkness," and the more recent "Dirt Jumper" DDoS bot written up by Andre M. DiMino and Mila Parkour of DeepEndResearch.org.

The mix of blended attack methods is, again, not new, but the commercial availability of such tools brings it into the reach of a wider audience, as seen in the recent increase of attacks -- the new plague on the Web.

— Jart Armin, Editor of RBNexploit.com, a watch blog on the infamous RBN (Russian Business Network), and HostExploit.com.

Mary Jander
Thinkernetter
Tuesday February 28, 2012 1:41:47 PM

Looks like Anonymous hackers in Spain were arrested in part for DDoS attacks.

Enough, already!

scucci
IQ Crew
Saturday February 25, 2012 9:32:45 PM

I've seen the spoofing of user agent strings during an attack as well. Some of them are actually quite funny, like Nintendo Wii on Opera 8.

scucci
IQ Crew
Saturday February 25, 2012 9:30:20 PM

@jart - There are no real ways to stop a DDoS attack from happening, but there are ways to mitigate its effect. The best method I've seen is by getting your ISP or cloud vendor involved to have malicious traffic scrubbed before it reaches your organization.

There are a few ways that this can be done:

1. Many ISPs and cloud vendors offer a reverse proxy solution that allows you to have all your http/https traffic filtered through it and then sent back to you. This only requires a DNS change to have this system set up. Since these are around 75% of all DDoS attacks now, this can be an interesting solution to have set up when needed.

2. The other method I've seen work from cloud or ISP based vendors is to fully route all traffic through these vendors' "mitigation centers". Pretty much this is like using Arbor in the cloud. You broadcast your network via BGP to have the malicious traffic routed through these centers and then it's sent back to you securely over a GRE tunnel.

3. Content distribution networks like Akamai are great at absorbing DDoS attacks and have protected the US government multiple times. Due to their network all over the world, they're able to absorb and give the traffic back to the attacker without affecting the origin host.

All of these configs do have small amounts of latency, around 20 - 50 milliseconds, but it protects you from application and network layer attacks. Trying to find the attackers during a botnet DDoS is like playing cyber whack-a-mole.

scucci
IQ Crew
Saturday February 25, 2012 9:16:48 PM

One of the issues when under attack by a botnet while in America is that the United States will normally only go after machines located within its jurisdiction, leaving you to the wolves most of the time.

Jart Armin
Thinkernetter
Thursday February 16, 2012 1:35:38 PM

Smurf attacks are essentially "ICMP Echo Request Floods" but utilizing spoofed IPs.

Thankfully, most sys admins have been, or rather should be, able to simply prevent these by even low-level ingress filtering, which will simply reject anything from spoofed or forged IPs.

However, there has been some discussion that smurfing was recently utilized within DDoS amplification on a backbone level. 
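The ingress filtering mentioned in the comment above, as an added example written for this page (not code from the thread) in Python: an edge router port only accepts packets whose source address belongs to the prefixes assigned to that port, and it refuses IP-directed broadcast destinations, the reflector a smurf attack depends on. The port assignments, LANs and sample packets are constructed.

```python
"""Added example: source-address ingress filter plus directed-broadcast
refusal at a customer-facing router port. All prefixes are constructed.
"""
from ipaddress import ip_address, ip_network

# Constructed port-to-prefix assignments: what each customer port may source.
PORT_PREFIXES = {
    "cust-a": [ip_network("198.51.100.0/24")],
    "cust-b": [ip_network("203.0.113.0/25")],
}

# Constructed downstream LANs; their broadcast addresses must not be
# reachable from outside (ICMP echo requests aimed there would be
# answered by every host, the smurf amplification effect).
LOCAL_LANS = [ip_network("192.0.2.0/24"), ip_network("203.0.113.128/25")]


def ingress_verdict(port, src, dst):
    """Return 'accept' or a string naming why the packet is dropped."""
    s, d = ip_address(src), ip_address(dst)
    # Rule 1: the source must belong to a prefix assigned to this port.
    if not any(s in p for p in PORT_PREFIXES.get(port, [])):
        return "drop: spoofed source not assigned to %s" % port
    # Rule 2: never forward to a local subnet's broadcast address.
    if any(d == lan.broadcast_address for lan in LOCAL_LANS):
        return "drop: directed broadcast destination"
    return "accept"


def filter_packets(packets):
    """Apply the verdict to (port, src, dst) tuples."""
    return [(p, ingress_verdict(*p)) for p in packets]


# Constructed sample packets: (port, src, dst)
SAMPLE = [
    ("cust-a", "198.51.100.7", "192.0.2.10"),    # legitimate
    ("cust-a", "192.0.2.10", "198.51.100.7"),    # forged source: a LAN host
    ("cust-b", "203.0.113.9", "192.0.2.255"),    # aimed at a broadcast address
]

if __name__ == "__main__":
    for pkt, verdict in filter_packets(SAMPLE):
        print(pkt, "->", verdict)
```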

Kim Davis
Thinkernetter
Thursday February 16, 2012 12:07:28 PM

I feared as much, Jart.  Thanks for the detailed answer.

q5sys
Rank: Cave Painter
Thursday February 16, 2012 10:58:03 AM

I'm personally surprised we haven't seen more Smurf attacks being used with DDoS campaigns. Any thoughts on why we haven't seen more of this type of attack being used?

Jart Armin
Thinkernetter
Wednesday February 15, 2012 10:49:49 PM

Unfortunately, there is no real technical solution.

As with the majority of cyber security issues, all the energy is applied to the business opportunity for the provision of products and services, which simply defend by reducing the effect and are not aimed at stopping the problem.

I am aware of a few enterprises that have paid $ millions for reduction of the impact to anti-DDoS vendors, but really just want to stop it. 

The only method which has worked, to my knowledge, as a real solution to stop it was to apply the energy to track and hunt down where and who the attack(s) was originating from and simply tell them to stop, backed up with a few verbal threats of exposure, and matched with takedowns etc.

Old-style digital detective work and hit-or-miss in actually getting to someone, but effective in these few instances.

Jart Armin
Thinkernetter
Wednesday February 15, 2012 8:22:52 PM

Kim

Good query; of the DDoS family the conventional classifications are:

- TCP SYN Flood
- TCP SYN-ACK Reflection Flood (DRDoS)
- TCP Spoofed SYN Flood
- TCP ACK Flood
- TCP IP Fragmented Attack
- HTTP and HTTPS Flood Attacks
- INTELLIGENT HTTP and HTTPS Attacks
- ICMP Echo Request Flood
- UDP Flood Attack
- DNS Amplification Attacks

Without wriggling out of the question with a question, it can come down to: what do we define as a botnet?

For example, the early Anonymous use of the LOIC cannon simply used participants' PCs as a collective, but could be described as a self-induced botnet.

Increasingly, the use of P2P (peer to peer) and the Dark Web are the weapons of choice for the attackers due to the use of DHT (distributed hash table) based comms, and as such no IPs in a conventional sense.

It's the rise of modern DDoS tools that is of most concern, which can be used within minimalist attacks and require a fraction of the connectivity of the older 'Black Energy' types.

In this area any enforcement against larger botnets will have limited effect; a good example from mythology is the Hydra.

Michael P. Kassner
Thinkernetter
Wednesday February 15, 2012 3:23:18 PM

The problem with DoS, and more so with DDoS, is that there is no real solution. And if defenders are able to deflect the attack, it takes little effort on the attacker's part to reposition to where it's effective again.
