You might think that companies would have learned their lesson about distributed denial of service (DDoS) attacks. After all, we’ve been hearing about them for more than a decade now. Trinoo (or Trin00) was arguably the first notable DDoS tool, used in August 1999 against the University of Minnesota, whose servers were flooded with UDP packets. Subsequently the attacks turned to e-commerce sites such as Buy.com, eBay, Dell and Amazon, and to news sites like CNN.com.
In more recent times we have seen politically motivated DDoS. In 2008, the ground war between Russia and Georgia was matched by cyber-warfare. The Georgian President’s website was allegedly attacked by Russian hackers, who reportedly flooded it with TCP, ICMP and HTTP requests. Suspicion of Russian involvement rested on the use of an HTTP-based botnet command-and-control (C&C) server of a kind frequently used by Russian bot-herders. Other Georgian government websites also came under attack, supposedly perpetrated by the infamous Russian Business Network. The dispute then spilled onto the social networks: in August 2009 Twitter, Facebook and Google services were disrupted by a DDoS aimed at the accounts of the Georgian blogger Cyxymu.
In 2010, politically charged cyber-warfare reached the shores of the United States in the wake of the WikiLeaks controversy. Anonymous’ Operation Payback was a series of DDoS attacks on PayPal, MasterCard, Visa.com, PostFinance and other web servers by disgruntled hackers. These companies had severed their business ties with WikiLeaks after what they called a violation of their user agreements when WikiLeaks engaged in illegal activities. The hacker community saw things very differently and felt that WikiLeaks’ constitutional right to free speech was being violated. Adrian Lamo, the once heralded hacker who years earlier had broken into prestigious corporate networks such as the New York Times, was now being labeled a “snitch” at the Hackers On Planet Earth (HOPE) conference in 2010: Lamo was the one who “betrayed” the confidence of PFC Manning and turned him in to the authorities. Subsequently, any organization disowning WikiLeaks had become fair game for DDoS.
This retaliation by hackers has not, however, been the final chapter in the story. Facebook and Twitter have suspended Operation Payback accounts, and FBI investigations are ongoing. The hacker magazine 2600 publicly denounced the actions of PayPal, MasterCard and the others, but was equally critical of the Anonymous DDoS attacks.
What’s changed with DDoS?
Over the years the underlying vulnerabilities have changed, but the basic premise has remained the same: flood web servers with more requests than they can handle until they are useless to legitimate users. DDoS remains so problematic because it can be very difficult for a web server to tell a legitimate request from a malicious one; each attacking request may be individually well-formed, and only the aggregate volume, or its distribution across thousands of sources, gives the attack away.
The most pronounced change in recent times is the proliferation of botnets (robot networks). A bot is a computer that has been infected, without its owner’s knowledge, with malware that places it under the control of a bot herder; such a machine is also called a zombie. The zombies are commanded over a C&C channel to carry out the actual attack, so that the illegal activity traces back to thousands of victims’ machines rather than to the bot herder.
Bot herders use botnets to manipulate online polls, extort companies with the threat of a DDoS, send out spam and field-test their latest malware. Some botnets comprise tens of thousands of zombies. Bot herders also lease out their herds through proxy-service subscriptions: subscribers route their traffic through the zombies and benefit from the anonymity this provides, using it to abuse stolen credit cards, share child pornography or engage in a whole host of other illicit activities. There are numerous proxy services that keep Internet activity anonymous, including vip72.com, hidemyass.com and privateproxysoftware.com, and many such services are operated from countries like Russia and Ukraine, beyond the jurisdiction of U.S. authorities. Anonymity is also available through software like Tor (torproject.org).
Microsoft has been working to eliminate the scourge of these botnets and, through a court order, took down the 277 Internet domains of the Waledac botnet, which had the capacity to send 1.5 billion spam e-mails a day. Microsoft continues to battle the botnets, but millions of infected computers worldwide still exist and are being used for DDoS attacks. The most recent Microsoft Security Intelligence Report (SIR) clearly outlines the use of botnets in DDoS attacks, although the motive is financial more often than not. The report illustrates the power these botnets wield, citing one attack that sustained traffic in excess of 7.3 Gbps over a 10 Gbps link. That the report concentrates on botnets, on top of the legal battle against Waledac, clearly demonstrates the severe threat botnets still pose.
Interestingly, two unprecedented events took place with Anonymous’ Operation Payback that make this DDoS attack different from previous attacks. The first is that Anonymous provided WikiLeaks supporters the opportunity to volunteer use of their computers for DDoS attacks. The second is that the attackers became the victims. Ironically, Anonops.net, the Website used by Anonymous to announce its plans for attack, suffered a tremendous DDoS attack by those opposed to WikiLeaks.
How can we stop or reduce DDoS attacks?
You cannot stop DDoS, but you can certainly take steps to reduce your risk. Obviously, if botnets are eliminated or significantly reduced, the threat posed by DDoS will decline dramatically. In addition, many of the risks associated with DDoS can be mitigated. As a general rule, apply vendor patches promptly to close the vulnerabilities that bot malware exploits. Ensuring that all staff run regular anti-virus updates is important. Additionally, you should perform regular file-system integrity checks, comparing the digests of critical files against a known-good baseline kept where an intruder cannot rewrite it, to find out whether a host has been penetrated and its files changed. Note what these host measures buy you: they keep your own machines from being recruited into a botnet and give you early warning of a compromise; they do not, by themselves, absorb a flood aimed at you.
Smurf attacks can be virtually eliminated by configuration changes on routers and hosts. In a smurf attack the hacker sends ICMP (Internet Control Message Protocol) echo requests to a network’s broadcast address with the victim’s address forged as the source; every host on that network replies to the victim, so a single request is amplified into hundreds of replies. The fix is twofold: routers should refuse to forward directed broadcasts (on Cisco IOS, no ip directed-broadcast, the default since IOS 12.0), and hosts should ignore echo requests sent to a broadcast address (on Linux, net.ipv4.icmp_echo_ignore_broadcasts=1, also the default). Most modern operating systems and firewalls already behave this way. The broader prevention is to drop packets that carry forged source addresses: ingress and egress filtering at the network edge (BCP 38) stops outsiders from impersonating your addresses and stops your own hosts from sending spoofed traffic if they are compromised.
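The edge-filtering rules just described, as an added example rather than the article’s own material: a small packet classifier that applies BCP 38 ingress and egress checks and refuses directed broadcasts arriving from outside, which is what neutralises a smurf amplifier. The organisation’s prefix (203.0.113.0/24, a documentation range), the interface names and the sample packets are all assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumption: our own address space is TEST-NET-3 (a documentation prefix used as a stand-in).
INTERNAL_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Sources that can never legitimately arrive from the Internet (RFC 1918, loopback, link-local, multicast...).
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

ICMP_ECHO_REQUEST = 8


@dataclass(frozen=True)
class Packet:
    iface: str                      # "external" (Internet-facing) or "internal"
    src: str
    dst: str
    proto: str                      # "icmp", "tcp" or "udp"
    icmp_type: Optional[int] = None


def _in_any(addr, nets) -> bool:
    return any(addr in n for n in nets)


def is_directed_broadcast(dst) -> bool:
    """True if dst is the broadcast address of one of our subnets (what 'no ip directed-broadcast' blocks)."""
    return any(dst == n.broadcast_address for n in INTERNAL_PREFIXES)


def border_filter(pkt: Packet) -> Tuple[str, str]:
    """Return ("accept" | "drop", reason) for one packet seen at the border router."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    if pkt.iface == "external":
        # BCP 38 ingress filtering: the outside world cannot legitimately use our addresses.
        if _in_any(src, INTERNAL_PREFIXES):
            return "drop", "spoofed source: claims an internal address"
        if _in_any(src, BOGONS):
            return "drop", "spoofed source: private/reserved range"
        # Smurf defence: never forward a directed broadcast from outside, whatever the protocol.
        if is_directed_broadcast(dst):
            what = "ICMP echo request" if pkt.proto == "icmp" and pkt.icmp_type == ICMP_ECHO_REQUEST else pkt.proto
            return "drop", f"directed broadcast ({what}): every host on the subnet would reply"
    else:
        # Egress filtering: our hosts may only send with our addresses, so a compromised
        # machine inside cannot take part in a spoofed-source flood against someone else.
        if not _in_any(src, INTERNAL_PREFIXES):
            return "drop", "egress spoofing: non-local source address leaving the network"
    return "accept", ""


def classify(packets) -> list:
    return [border_filter(p)[0] for p in packets]


# Constructed sample traffic (addresses from the documentation ranges).
SAMPLE = [
    Packet("external", "198.51.100.7", "203.0.113.255", "icmp", ICMP_ECHO_REQUEST),  # smurf trigger
    Packet("external", "203.0.113.50", "203.0.113.10", "tcp"),                         # spoofed internal source
    Packet("external", "10.1.2.3", "203.0.113.10", "udp"),                             # bogon source
    Packet("external", "198.51.100.7", "203.0.113.10", "icmp", ICMP_ECHO_REQUEST),   # ordinary ping to a host
    Packet("internal", "192.0.2.9", "198.51.100.1", "tcp"),                            # our host spoofing outbound
    Packet("internal", "203.0.113.10", "198.51.100.1", "tcp"),                         # normal outbound
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p.iface, p.src, "->", p.dst, *border_filter(p))
```

The ordinary ping to a single host is accepted: the smurf problem is the broadcast destination, not ICMP echo itself, so blanket ICMP blocking is unnecessary and costs you path-MTU discovery and diagnostics.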
SYN attacks exploit the three-way handshake that opens every TCP connection. The server answers each SYN with a SYN-ACK and keeps a half-open entry in its SYN backlog while it waits for the client’s final ACK; an attacker sends SYNs from forged source addresses that never answer, so the backlog fills and legitimate connection attempts are dropped. SYN cookies are a successful technique for defeating this. Instead of storing the half-open connection, the server encodes what it needs (the connection’s addresses and ports, a coarse timestamp and the client’s maximum segment size) in a keyed hash and uses the result as its initial sequence number. It keeps no state at all until the client’s ACK arrives; because that ACK must carry the server’s sequence number plus one, only a client that actually received the SYN-ACK can complete the handshake, and spoofed SYNs cost the server nothing but a hash computation. On Linux the mechanism is enabled with net.ipv4.tcp_syncookies=1 and takes over once the backlog overflows.
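A worked model of the SYN-cookie handshake, added here as an example and not taken from the article or from any kernel: the server derives its initial sequence number from an HMAC over the 4-tuple, the client’s ISN and a 64-second counter, then validates the final ACK without having stored anything. The bit layout, the MSS table and the flood scenario are constructed for illustration (a real implementation also has to carry window scaling and SACK options through the cookie, which Linux does via TCP timestamps).

```python
import hashlib
import hmac
import ipaddress
import os
import struct
from typing import Optional

SECRET = os.urandom(32)              # server-side secret; a kernel rotates this periodically
TICK = 64                            # seconds per counter tick; cookie valid for current and previous tick
MSS_TABLE = (536, 1300, 1440, 1460)  # the only MSS values we can hand back (2-bit index); illustrative


def _mac(saddr: bytes, daddr: bytes, sport: int, dport: int, client_isn: int, count: int) -> int:
    """27-bit keyed hash over the connection 4-tuple, the client's ISN and the time counter."""
    msg = struct.pack("!4s4sHHII", saddr, daddr, sport, dport, client_isn, count)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & 0x07FFFFFF


def make_cookie(saddr, daddr, sport, dport, client_isn, mss, now) -> int:
    """Server ISN for the SYN-ACK. Layout: 3 bits counter | 2 bits MSS index | 27 bits MAC."""
    count = int(now) // TICK
    mss_idx = max([0] + [i for i, m in enumerate(MSS_TABLE) if m <= mss])
    return ((count & 7) << 29) | (mss_idx << 27) | _mac(saddr, daddr, sport, dport, client_isn, count)


def check_cookie(saddr, daddr, sport, dport, client_isn, ack, now) -> Optional[int]:
    """Validate the client's ACK (which acknowledges server_isn + 1). Returns the MSS to use, or None."""
    cookie = (ack - 1) & 0xFFFFFFFF
    count_now = int(now) // TICK
    for count in (count_now, count_now - 1):           # tolerate one tick of round-trip delay
        if (count & 7) == cookie >> 29 and _mac(saddr, daddr, sport, dport, client_isn, count) == (cookie & 0x07FFFFFF):
            return MSS_TABLE[(cookie >> 27) & 3]
    return None


def _spoofed_source(i: int) -> bytes:
    # Constructed, spread-out source addresses that will never answer a SYN-ACK.
    return ipaddress.ip_address(0xC6336400 + (i * 7919) % 0x00FFFFFF).packed


def simulate(now: float = 1_700_000_000.0) -> dict:
    """Constructed scenario: 10 000 spoofed SYNs, then one legitimate handshake."""
    daddr = ipaddress.ip_address("203.0.113.10").packed   # our server (TEST-NET-3, assumption)
    dport = 443
    # Classic server: one half-open entry per SYN in a bounded backlog. Spoofed sources never
    # ACK, so the backlog fills and stays full until the entries time out.
    backlog_limit = 256
    half_open = set()
    for i in range(10_000):
        if len(half_open) < backlog_limit:
            half_open.add((_spoofed_source(i), 40_000 + i % 1_000))
    classic_backlog_full = len(half_open) >= backlog_limit

    # Cookie server: the same SYNs cost one hash each and leave no stored state behind.
    for i in range(10_000):
        make_cookie(_spoofed_source(i), daddr, 40_000 + i % 1_000, dport, i, 1460, now)

    saddr = ipaddress.ip_address("198.51.100.7").packed   # the legitimate client
    sport, client_isn = 51_515, 0x1234ABCD
    server_isn = make_cookie(saddr, daddr, sport, dport, client_isn, 1460, now)
    good = check_cookie(saddr, daddr, sport, dport, client_isn, (server_isn + 1) & 0xFFFFFFFF, now + 5)
    forged = check_cookie(saddr, daddr, sport, dport, client_isn, (server_isn + 8) & 0xFFFFFFFF, now + 5)
    stale = check_cookie(saddr, daddr, sport, dport, client_isn, (server_isn + 1) & 0xFFFFFFFF, now + 3 * TICK)
    return {
        "classic_backlog_full": classic_backlog_full,
        "cookie_mss": good,                      # 1460: handshake completes with no prior state
        "forged_ack_accepted": forged is not None,
        "stale_ack_accepted": stale is not None,
    }


if __name__ == "__main__":
    print(simulate())
```

The simulation shows the trade: the classic backlog is full after the first 256 forged SYNs, while the cookie server completes the legitimate handshake, rejects an ACK with a guessed sequence number, and rejects a genuine cookie that is presented three ticks late.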
Lessons Learned from WikiLeaks and Anonymous
DDoS attacks will continue to be a threat, and there are ways to minimize it. Nevertheless, the most important lesson for security officers and those involved in risk assessment is that your primary focus should be on internal threats and host-based security, because that is where you have the greatest control.
According to the 2010 Data Breach Investigations Report, produced by the Verizon RISK Team in cooperation with the United States Secret Service, 48% of data breaches were caused by insiders (up 26% on the previous report) and 48% involved privilege misuse (also up 26%). Importantly, the report also found that 96% of all breaches were avoidable through simple or intermediate controls. These statistics, and words like “data breach”, “insiders” and “privilege misuse”, certainly conjure up thoughts about where things went wrong with Private First Class Bradley Manning.
There is no substitute for ongoing risk assessments. Moreover, penetration testing is critical if security officers are to identify network vulnerabilities before an attacker does. Of course, an organization may not always have the right personnel to carry out this kind of testing effectively. Many companies have used the services of former hackers for penetration testing and advice on computer security, but government agencies simply do not have this flexibility and cannot hire convicted felons. Computer security jobs with government agencies are also typically reserved for U.S. citizens, another factor that potentially puts the government at a disadvantage when it comes to security. Times are changing, though: last year the Navy announced NROTC scholarships for cyberhackers and hosted a large network defense competition.
WikiLeaks has also reminded us of the dangers of employees using removable storage devices, whose capacity has grown exponentially. The Pentagon recently announced a ban on these USB devices.
Social networking will continue to be an issue for discussion by the Department of Defense (DoD). Social networking sites can support troop morale; however, these sites present dangers, too. These dangers became apparent last year when an Israeli raid on a group of suspected Palestinian militants was abandoned after an Israeli soldier posted details of the operation on Facebook. Social networking sites are also a marvelous source of the personal information hackers need to answer password-reset challenge questions (for example, the city where you were born or your pet’s name). Spear phishing, a highly targeted phishing scam in which it is difficult for an employee to discern that the e-mail is fraudulent, is a huge issue for organizations today.
All of these threats relate to DDoS because very often a flood is launched from machines a hacker has already taken over, typically through an attack like spear phishing: an employee opened an innocuous-looking e-mail, a Trojan was installed, and the computer became a zombie, ready to receive instructions from the hacker. The botnet that floods you was assembled from other organizations’ hosts in exactly this way, and every host you fail to secure is a recruit for the next one.
So the message is clear: more than a decade later, DDoS is here to stay. There are ways to reduce the threat, though. There is a plethora of network tools available to alert security officers to aberrations in network traffic, although how much companies are really prepared to pay for this level of monitoring remains an open question. There are fixes and patches that help mitigate DDoS attacks, but large companies still must deal with older, more vulnerable legacy systems. Never underestimate the importance of host-based security, including the detection and removal of botnet malware. Internal, host-based security is the most important strategy for protecting organizations against future DDoS attacks. Finally, the cost in terms of lost business and public relations makes a strong argument for all organizations to invest in security measures that reduce the risk of DDoS attacks.
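The kind of traffic-aberration alerting the conclusion refers to, as an added example rather than anything from the article or a particular product: a detector that parses web-server access-log lines, learns a requests-per-second baseline from a quiet period, and flags seconds whose rate is many standard deviations above it. It also separates a distributed flood (the spike comes from hundreds of distinct sources, the botnet signature that makes individual requests look legitimate) from a single-source flood that ordinary per-IP rate limiting would handle. The log lines are generated inside the script from documentation-range addresses; the thresholds are assumptions to be tuned against your own traffic.

```python
import random
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format, e.g.
# 198.51.100.7 - - [08/Dec/2010:14:00:00 +0000] "GET / HTTP/1.1" 200 512
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)')


def parse(line: str):
    """Return (source_ip, epoch_second), or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], int(ts.timestamp())


def per_second(lines):
    """Request count and set of distinct sources for every second seen in the log."""
    reqs, srcs = Counter(), defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec:
            ip, sec = rec
            reqs[sec] += 1
            srcs[sec].add(ip)
    return reqs, srcs


def detect(lines, learn_seconds: int = 60, z_threshold: float = 5.0, min_sources: int = 50):
    """Learn mean/stddev of requests per second from the first learn_seconds, then flag the rest.

    A spike from many distinct sources is reported as a distributed flood; the same spike
    from one or a few sources is a single-source flood, which per-IP limits can absorb."""
    reqs, srcs = per_second(lines)
    secs = sorted(reqs)
    if len(secs) <= learn_seconds:
        return []
    learn = [reqs[s] for s in secs[:learn_seconds]]
    mean, sd = statistics.mean(learn), max(statistics.pstdev(learn), 1.0)  # floor sd so a flat baseline still works
    alerts = []
    for s in secs[learn_seconds:]:
        z = (reqs[s] - mean) / sd
        if z >= z_threshold:
            kind = "distributed flood" if len(srcs[s]) >= min_sources else "single-source flood"
            alerts.append({"second": s, "rps": reqs[s], "sources": len(srcs[s]), "z": round(z, 1), "kind": kind})
    return alerts


def constructed_log(seed: int = 7, distributed: bool = True):
    """Synthetic traffic (constructed, not captured): 60 s of normal browsing from 30 visitors,
    then 10 s at 300 requests/s from ~1 000 zombies, or from one host if distributed=False."""
    rnd = random.Random(seed)
    t0 = datetime(2010, 12, 8, 14, 0, 0, tzinfo=timezone.utc)
    visitors = [f"198.51.100.{i}" for i in range(1, 31)]
    zombies = [f"100.64.{b}.{a}" for b in range(4) for a in range(1, 251)]
    lines = []
    for sec in range(70):
        stamp = (t0 + timedelta(seconds=sec)).strftime("%d/%b/%Y:%H:%M:%S +0000")
        if sec < 60:
            sources = [rnd.choice(visitors) for _ in range(rnd.randint(3, 9))]
        elif distributed:
            sources = [rnd.choice(zombies) for _ in range(300)]
        else:
            sources = ["192.0.2.66"] * 300
        for ip in sources:
            lines.append(f'{ip} - - [{stamp}] "GET / HTTP/1.1" 200 512')
    return lines


if __name__ == "__main__":
    for a in detect(constructed_log()):
        print(a)
```

Every request in the flood is a syntactically perfect GET, which is the point made earlier in the article: nothing about the individual request is wrong, and only the rate and the number of sources reveal the attack. Tools that do this at the network layer work the same way over flow records rather than access logs.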
Microsoft, Security Intelligence Report, Volume 9: Battling Botnets for Control of Computers, 2010.
Dr. Darren Hayes is the CIS Program Chair for Pace University’s Seidenberg School of Computer Science and Information Systems. Dr. Hayes is a leading expert in the field of computer forensics and security and a frequent speaker at conferences both domestically and internationally.
At Pace University he manages the Computer Information Systems courses for more than 2,000 students annually. In this capacity he has cultivated partnerships with the New York Public Library, the United Nations, the Department of Parks and Recreation, the New York Police Department and many other respected agencies. He also manages the computer forensics laboratory, where he conducts research with computer science and information systems graduates.