Distributed denial-of-service (DDoS) came into the public eye over 12 years ago, in February 2000, with attacks on Websites such as Amazon, CNN, E*Trade, Yahoo, and eBay. DDoS is still in regular use today, for many reasons: financial gain, hacktivism, revenge, extortion, and ideology.
It almost seems like a step back in time to call DDoS the new plague of the Web, since in many ways DDoS is old hat. But 2011 and early 2012 have seen an unprecedented number of DDoS attacks, with Websites targeted across a variety of industry sectors, including finance, the military, government, and social media. So why and how has DDoS gained in popularity as an attack tool?
Let’s start by banishing a few persisting misconceptions about DDoS.
First, the self-proclaimed hacktivist group Anonymous was not the first to use DDoS for political reasons. In many people's minds today Anonymous and DDoS have become synonymous, and certainly the group's high-profile, large-scale assaults propelled DDoS into the public arena. But politically motivated DDoS on a national scale began in late April and May 2007, when Estonian Websites came under attack at a scale and level of coordination not seen before, following a dispute between Russia and Estonia over the relocation of a Soviet-era war memorial and graves. This, together with the attacks on Georgia in August 2008, firmly established the association among DDoS, cyber-attacks, and political motivation.
The next widely held misconception is that the bigger the DDoS flood, the more damaging it is. It is now well understood that a small, persistent attack, often blended with other attack methods, can be just as damaging.
Early on, DDoS was achieved mainly through flooding: sending as much traffic as possible to the target from many computers at once. But DDoS has evolved. Research from global application security provider Radware shows that in 2011 around 76 percent of attacks flooded their targets with less than 1 Gbit/s of traffic, while only 9 percent of attacks reached 10 Gbit/s or more.
Radware warns against the media hype that sensationalizes large attacks, because it can mask the need for organizations to build defenses against anything other than large floods of traffic.
Radware helpfully separates the major DDoS attack types into three simplified categories:
- Network floods (brute force, e.g., SYN or UDP floods) that need no established connection, so the source addresses are cheap to spoof
- Connection-based floods (e.g., HTTP request floods) that require a completed TCP connection, so they come from real hosts, typically bots
- Low-and-slow attacks such as R-U-Dead-Yet (RUDY) and Slowloris, which use minimal bandwidth and instead exhaust application-layer resources by holding many partial requests open
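The three categories behave differently enough that a per-source classifier can tell them apart from ordinary flow records. The following is an added example, not Radware's or the author's code: it runs simple rules over a constructed set of flow records (the record fields, the threshold values, and the four sample sources are all assumptions chosen to illustrate the categories, not tuned production settings).

```python
"""Classify per-source traffic into the three DDoS categories above.

Added example. The Flow record layout mimics what a NetFlow-style collector
or a reverse proxy could export; all field names and thresholds are assumed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Flow:
    src: str             # client address
    handshake: bool      # did the TCP three-way handshake complete?
    bytes_in: int        # bytes received from the client on this flow
    duration_s: float    # how long the flow has been open
    req_complete: bool   # did a complete HTTP request (terminated headers) arrive?


# Assumed thresholds for the constructed sample, not tuned values.
MIN_FLOWS = 20            # ignore sources with fewer flows than this
SLOW_MIN_DURATION_S = 30  # low-and-slow connections are held open for a long time
SLOW_MAX_RATE_BPS = 50    # ...while trickling in far fewer bytes/s than a real client


def classify_source(flows: List[Flow]) -> str:
    """Return one of: network_flood, connection_flood, low_and_slow, benign."""
    n = len(flows)
    if n < MIN_FLOWS:
        return "benign"
    handshake_frac = sum(f.handshake for f in flows) / n
    complete_frac = sum(f.req_complete for f in flows) / n
    mean_duration = sum(f.duration_s for f in flows) / n
    total_time = sum(f.duration_s for f in flows)
    rate = sum(f.bytes_in for f in flows) / total_time if total_time else float("inf")

    # Network flood: SYNs that never complete the handshake (often spoofed sources).
    if handshake_frac < 0.1:
        return "network_flood"
    # Low-and-slow: real sockets, held open a long time, almost no data, never a
    # finished request -- the Slowloris / RUDY pattern.
    if (complete_frac < 0.1 and mean_duration >= SLOW_MIN_DURATION_S
            and rate <= SLOW_MAX_RATE_BPS):
        return "low_and_slow"
    # Connection flood: real handshakes, real requests, just far too many of them.
    if complete_frac >= 0.9:
        return "connection_flood"
    return "benign"


def classify_all(flows: List[Flow]) -> Dict[str, str]:
    """Group flows by source address and classify each source."""
    by_src: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    return {src: classify_source(fl) for src, fl in by_src.items()}


def make_sample() -> List[Flow]:
    """Constructed sample traffic (not captured data) covering all three categories."""
    flows: List[Flow] = []
    # SYN flood: 200 half-open flows, one 60-byte SYN each, gone in a millisecond.
    flows += [Flow("198.51.100.1", False, 60, 0.001, False) for _ in range(200)]
    # HTTP flood: 200 completed ~400-byte requests, each served in 0.2 s.
    flows += [Flow("198.51.100.2", True, 400, 0.2, True) for _ in range(200)]
    # Slowloris-style: 50 sockets held open 120 s with 600 bytes of partial headers.
    flows += [Flow("198.51.100.3", True, 600, 120.0, False) for _ in range(50)]
    # Ordinary browser session: 8 short, completed requests.
    flows += [Flow("192.0.2.10", True, 500, 0.3, True) for _ in range(8)]
    return flows


if __name__ == "__main__":
    for src, verdict in sorted(classify_all(make_sample()).items()):
        print(f"{src:15} {verdict}")
```

Two caveats a practitioner would want: a spoofed SYN flood will not aggregate under one source at all, so the network-flood rule is only useful per destination or per /24 in practice, and the low-and-slow thresholds are the ones an attacker tunes against (RUDY can send a byte every few seconds), so the real defense is a hard cap on header and body time at the proxy, with these rules serving as detection rather than mitigation.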
Whatever the misconceptions, DDoS as an attack tool has gained momentum, producing a stream of new and more efficient DDoS tools that are easy to get hold of and easy to use. Over recent months, in many underground and cybercrime markets, DDoS tools have been outselling most other exploits and crimeware.
This buying and selling of DDoS tools has become a commercial enterprise that caters to anyone from the amateur to the professional criminal. For many it has become the ultimate attack tool, one that can critically disable its target. But as the more recent toolkits have shown, the DDoS is often only the visible part: while the victim is busy with the flood, the same tools inject malware, steal passwords, and grab data for commercial or competitive gain, regardless of the defenses in place. Thus DDoS within a blended attack combines the damaging effects of network and application floods with those of a conventional intrusion.
The DDoS tools out there now are too numerous to mention specifically, but Arbor recently did a good job of compiling a long list. They range from the simple to the complex. Of the commercial DDoS services, the best known are probably the bank-robbing botnet, "Darkness," and the more recent "Dirt Jumper" DDoS bot written up by Andre M. DiMino and Mila Parkour of DeepEndResearch.org.
The mix of blended attack methods is, again, not new, but the commercial availability of such tools brings it within reach of a far wider audience, as the recent increase in attacks shows -- the new plague on the Web.
— Jart Armin, Editor of RBNexploit.com, a watch blog on the infamous RBN (Russian Business Network), and HostExploit.com.