In a DDoS attack, an attacker first gains control of a large number of Internet-connected computers, including IoT devices. A malware infection turns the compromised machines into bots, and a group of bots under common control forms a botnet (sometimes called a zombie network). Botnet operators control their bots remotely and use them, for example, for click fraud, spamming or bitcoin mining. In a DDoS attack, the botnet is used to send floods of requests at a targeted system, most often a web server.
The sheer number of requests overloads the capacity of the target network or server, resulting in a denial of service for normal, legitimate traffic. Preventive measures include, among others, increasing bandwidth, building redundant infrastructure, configuring network equipment to identify and drop DDoS traffic, hardening DNS servers, and deploying dedicated DDoS protection systems.
DDoS – A Definition
A distributed denial of service (DDoS) attack floods an online website or service with large amounts of unwanted traffic so that regular traffic can no longer be processed. An attacker takes control of multiple systems and uses them to exhaust the resources or bandwidth of the target and block access for its users. A DDoS attack can cause the affected system to slow down or fail altogether.
The concepts of DDoS: types of attacks and impact
To execute a DDoS attack, an attacker must first compromise multiple systems: computers and IoT devices are infected with malware that allows them to be controlled remotely. Using the compromised systems as many separate sources, the attacker can command each of them to direct requests at a specific resource in order to flood it. Amplification techniques let the attacker generate far more traffic than the botnet itself could send. In a DNS amplification attack, for example, the attacker sends small queries to open DNS resolvers with the source address spoofed to the victim's IP, so that the resolvers send their much larger responses to the victim.
The most common attack types are described below. In practice they are often combined into multi-vector attacks, in which several amplification and flood techniques are bundled into one campaign.
Protocols used in DoS attacks include UDP, HTTP, ICMP, and NTP. A UDP flood is a DDoS attack in which the targeted system is flooded with User Datagram Protocol (UDP) packets, typically aimed at random ports of the remote host. Similarly, an Internet Control Message Protocol (ICMP) flood sends ICMP echo request packets at the target as fast as possible, without waiting for the replies.
The goal is to consume both incoming and outgoing bandwidth. In a Network Time Protocol (NTP) amplification attack, the attacker abuses publicly reachable NTP servers to overwhelm the target with UDP traffic: small requests with a spoofed source address trigger much larger responses that are sent to the victim. Finally, in an HTTP flood, attackers use seemingly legitimate HTTP GET or POST requests to exhaust a web application or server.
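The three flood types above leave different fingerprints in a capture: a UDP flood hits many random destination ports, an ICMP flood is a stream of echo requests, and an HTTP flood is a burst of GET/POST requests. The following Python example, added here and not code from the original article or from any tool it names, classifies sources in a constructed packet summary by those signatures. The `Packet` record, the thresholds (50 packets per second, 20 distinct ports) and the sample addresses are assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class Packet:
    """Minimal packet summary, the fields a capture tool would export (assumed layout)."""
    ts: float       # capture time in seconds
    src: str
    dst: str
    proto: str      # "UDP", "ICMP" or "TCP"
    dport: int      # destination port, 0 for ICMP
    info: str = ""  # ICMP type or HTTP request line


def peak_pps(pkts):
    """Highest number of packets seen from one source in any 1 s bucket."""
    buckets = defaultdict(int)
    for p in pkts:
        buckets[int(p.ts)] += 1
    return max(buckets.values())


def classify_floods(packets, pps_threshold=50, port_spread=20):
    """Return {source: verdict} for every source whose peak rate reaches
    pps_threshold, labelled with the flood signature that dominates."""
    by_src = defaultdict(list)
    for p in packets:
        by_src[p.src].append(p)
    verdicts = {}
    for src, pkts in by_src.items():
        if peak_pps(pkts) < pps_threshold:
            continue  # ordinary client: stays below the rate threshold
        udp_ports = {p.dport for p in pkts if p.proto == "UDP"}
        icmp_req = sum(p.proto == "ICMP" and p.info == "echo-request" for p in pkts)
        http = sum(p.proto == "TCP" and p.dport in (80, 443)
                   and p.info.split(" ")[0] in ("GET", "POST") for p in pkts)
        if len(udp_ports) >= port_spread:
            verdicts[src] = "UDP flood (random destination ports)"
        elif icmp_req > len(pkts) // 2:
            verdicts[src] = "ICMP echo-request flood"
        elif http > len(pkts) // 2:
            verdicts[src] = "HTTP flood"
        else:
            verdicts[src] = "high-rate traffic (unclassified)"
    return verdicts


def sample_capture():
    """Constructed traffic, not a real capture: three attacking sources and
    one normal client, all aimed at the same (documentation-range) victim."""
    rng = random.Random(7)  # fixed seed so the sample is reproducible
    victim = "203.0.113.10"
    pkts = []
    for i in range(200):   # 100 pps for 2 s, random high ports
        pkts.append(Packet(i * 0.01, "198.51.100.1", victim, "UDP",
                           rng.randint(1024, 65535), "payload"))
    for i in range(120):   # 120 echo requests within one second
        pkts.append(Packet(i / 120, "198.51.100.2", victim, "ICMP", 0, "echo-request"))
    for i in range(100):   # 100 GETs within one second
        pkts.append(Packet(i / 100, "198.51.100.3", victim, "TCP", 80, "GET /index.html"))
    for i in range(5):     # normal client: one request every two seconds
        pkts.append(Packet(i * 2.0, "192.0.2.50", victim, "TCP", 443, "GET /login"))
    return pkts


if __name__ == "__main__":
    for src, verdict in classify_floods(sample_capture()).items():
        print(f"{src:15} {verdict}")
```

The normal client never appears in the verdicts because the rate check runs first; in a real capture the thresholds would be set from a baseline of the site's own busiest legitimate traffic.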
DDoS attack tools and their effect
LOIC (Low Orbit Ion Cannon) is an open-source DoS tool that can perform HTTP, UDP and TCP flood attacks; to use it, the operator needs nothing more than the target URL or address. HOIC (High Orbit Ion Cannon) is also open source and generates large numbers of HTTP POST and GET requests to overload a targeted application server. It can attack up to 256 targets simultaneously.
It, too, can be operated without prior knowledge. R-U-Dead-Yet (R.U.D.Y.), on the other hand, carries out slow, low-bandwidth attacks on websites with form fields, feeding POST data to the server a little at a time so that connections stay open; it can be operated with little knowledge. Slowloris also runs a slow DoS: it sends incomplete HTTP GET requests and keeps the half-open connections alive until the server's connection pool is exhausted. No advanced knowledge is required to operate it either. Other tools include HULK (HTTP Unbearable Load King), XOIC, DDoSIM and PyLoris.
Use of Wireshark to analyze a DoS attack
Wireshark is an open-source network analyzer that captures traffic in real time and displays it in a graphical interface. It can be used to measure traffic rates (packets or bytes per second) and to spot suspicious traffic patterns that indicate a DDoS attack. In addition, Wireshark shows the detailed structure of each captured packet, such as its source and destination, its size and its timing.
Botnets and how they are created
A botnet consists of a network of computers, such as IoT devices and home PCs, that are controlled through a malware infection without the knowledge of their owners. A cybercriminal can infect machines with such malware in various ways, including drive-by downloads, exploitation of vulnerabilities in web browsers or operating systems, and Trojans delivered by phishing emails, so that they follow instructions and commands sent remotely.
A botmaster is the originator and controller of a botnet. The botmaster works through intermediary command-and-control (C&C) servers and uses various hidden channels to communicate with them; protocols used for this include HTTP websites and IRC. In peer-to-peer (P2P) botnets, C&C servers and the bots themselves relay commands to each other, so the network can be controlled by one or more botmasters without a single central server. In this case, a botnet DDoS attack may have more than one origin or be under the control of several botmasters.
Botnets increasingly route their C&C connections over anonymization networks such as Tor or I2P, to keep their infrastructure from being discovered and taken down. Cybercriminals respond quickly to countermeasures and takedowns by improving their software and building new, more complex botnets.
Command and control of botnets, botnet traffic
Once an attacker has built a botnet, various command-and-control channels and protocols can be used to instruct it to direct traffic at a system. Telnet botnets, for example, use a simple C&C protocol in which the bots connect to a command server. New bots are recruited by scanning for devices with Telnet or SSH exposed and logging in with default or brute-forced credentials; the command server then orders the bots to send high-volume traffic to the target server or resource.
Botnets based on the IRC protocol use the client-server model common to many distributed networks. It enables near-real-time control and monitoring with low latency and requires only simple commands and settings. Attackers also use HTTP as a C&C channel because it hides the botnet traffic inside normal web traffic, which makes the botnet difficult to detect. P2P protocols also serve as C&C because they are more resilient: there is no single server whose takedown disables the botnet.
Malware in the Internet of Things
More and more everyday objects are connected to the Internet: printers, set-top boxes, pet feeders with built-in webcams, refrigerators, and so on. According to Avast's Home Security Report, more than 43 percent of homes have at least five devices connected to the Internet. Unfortunately, the security of IoT devices has stagnated at a low level, and attackers keep finding new ways to use them for attacks.
The majority of IoT devices lack security mechanisms such as antivirus software or a firewall. Access control, if any, usually relies on factory-preset usernames and passwords. This low level of security makes it easy for attackers to hijack the devices and abuse them in botnets for DDoS attacks: brute-force tools automatically try the well-known default credentials and take over any device that still uses them. Private users rarely have the expertise to notice that their video doorbell, washing machine or robot vacuum cleaner has been compromised. This is how gigantic IoT botnets of tens of thousands of devices have emerged in recent years.
The Mirai botnet was the first of its kind: it logged into IoT devices with their factory-default credentials, planted its malware on them and used them to launch large DDoS attacks.
Analysis of DDoS attacks using Wireshark and log files
Once it has been confirmed that a DDoS attack is under way, security staff can pull the raw logs from the affected service for review. Log analyzers generate visual summaries of the web traffic, which reveal peaks that exceed the volume seen at the busiest normal times. After the sources of the spike have been identified, Wireshark can add further details, such as the geographic location of an IP address (via its optional GeoIP lookup).
Wireshark filters help to detect malicious traffic
For VoIP (SIP) services, Wireshark can help analyze the ratio of INVITE and 200 OK messages to ACK packets; a skewed ratio points to a signaling flood and is grounds for further security measures. For example, network administrators might block IP addresses or domains that send an unnatural number of packets. Wireshark can also be used to verify that existing security controls actually filter out the malicious traffic.
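The log review described above (bucket the requests, find the buckets that exceed normal peak traffic, then identify the sources behind the spike) can be scripted. The Python example below is added here and is not code from the original article or from Wireshark; it parses web-server lines in the common "combined" log format, which it assumes, and flags any 10-second bucket that exceeds five times the median bucket count. The log lines it analyzes are constructed for the example, not a real capture.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

# Apache/Nginx "combined" format (assumed): ip ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "req": m["req"], "status": int(m["status"])}


def find_spikes(lines, bucket_seconds=10, factor=5.0, top_n=3):
    """Bucket requests by time and flag buckets whose count exceeds
    factor * median bucket count; report the top sources in each spike."""
    buckets = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of aborting the analysis
        start = int(rec["ts"].timestamp()) // bucket_seconds * bucket_seconds
        buckets[start][rec["ip"]] += 1
    counts = {start: sum(c.values()) for start, c in buckets.items()}
    baseline = median(counts.values())
    spikes = []
    for start in sorted(counts):
        if counts[start] > factor * baseline:
            spikes.append({
                "start": datetime.fromtimestamp(start, tz=timezone.utc),
                "count": counts[start],
                "baseline": baseline,
                "top": buckets[start].most_common(top_n),
            })
    return spikes


def _fmt(ip, t, req):
    """Render one constructed combined-format line."""
    return f'{ip} - - [{t.strftime("%d/%b/%Y:%H:%M:%S %z")}] "{req} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'


def sample_log():
    """Constructed log lines (not real traffic): ten minutes of quiet baseline,
    one malformed line, then an 80-request burst from two sources within 10 s."""
    base = datetime(2019, 11, 12, 9, 0, 0, tzinfo=timezone.utc)
    lines = [_fmt(f"192.0.2.{i % 20 + 1}", base + timedelta(seconds=10 * i), "GET /index.html")
             for i in range(60)]
    lines.append("this line is not in combined log format")
    burst = base + timedelta(seconds=600)
    for i in range(80):
        ip = "198.51.100.8" if i % 2 == 0 else "198.51.100.7"
        lines.append(_fmt(ip, burst + timedelta(seconds=i // 8), "POST /search"))
    return lines


if __name__ == "__main__":
    for spike in find_spikes(sample_log()):
        print(spike["start"].isoformat(), spike["count"], "requests; top sources:", spike["top"])
```

A median baseline is used rather than the mean so that the spike itself does not inflate the threshold; on a real log the bucket size and factor should be tuned to the site's known peak hours, and the top sources from the spike are the candidates for the blocking decision mentioned above.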
Here’s how you can protect yourself from DDoS attacks
In addition to standard controls such as IDS/IPS, next-generation firewalls and endpoint security, there are scalable DDoS mitigation services that help organizations defend against even the largest DDoS attacks, as well as web application attacks and direct-to-origin attacks. Such services maintain the performance and availability of the site even when the threat changes rapidly, and let organizations absorb very large attacks without provisioning that capacity themselves, reducing downtime, business risk and cost.
A common measure for containing DDoS and DoS attacks is black hole routing. Network administrators create a blackhole (null) route and funnel the traffic destined for the attacked address into it, where it is discarded. If the technique is applied without any filtering criteria, both malicious and legitimate traffic for that destination are dropped: this takes the load off the network, but it also completes the denial of service for legitimate users, so it is a last resort rather than a fix.
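The trade-off can be made concrete with a toy forwarding table. The Python example below is added here and is not code from the original article or from any router vendor; it models a destination-based blackhole route (all traffic to the victim is discarded) next to a source-based variant (only traffic from the attacking prefixes is discarded), using constructed flows and documentation-range addresses that are assumptions for the example.

```python
import ipaddress


class Router:
    """Toy forwarding table: longest-prefix match on the destination, with
    blackhole entries (next hop None) and optional source-based discards.
    This models the idea of destination and source blackholing, not a real router."""

    def __init__(self):
        self.routes = []            # (network, next_hop); next_hop None = discard
        self.dropped_sources = []   # source prefixes to discard (source blackholing)

    def add_route(self, prefix, next_hop):
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def blackhole_destination(self, prefix):
        self.add_route(prefix, None)

    def blackhole_source(self, prefix):
        self.dropped_sources.append(ipaddress.ip_network(prefix))

    def forward(self, src, dst):
        """Return the next hop, or None if the packet is discarded."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if any(s in net for net in self.dropped_sources):
            return None
        matches = [r for r in self.routes if d in r[0]]
        if not matches:
            return None
        best = max(matches, key=lambda r: r[0].prefixlen)  # most specific prefix wins
        return best[1]


VICTIM = "203.0.113.10"

# Constructed flows (src, dst, packet count): 50 attacking sources plus two legitimate users.
FLOWS = [(f"198.51.100.{i}", VICTIM, 1000) for i in range(1, 51)] + [
    ("192.0.2.50", VICTIM, 10),          # legitimate customer of the victim
    ("192.0.2.51", "203.0.113.20", 10),  # legitimate traffic to a neighbouring host
]


def simulate(mode):
    """Packets delivered per traffic class for mode 'none', 'dest-rtbh' or 'source-rtbh'."""
    r = Router()
    r.add_route("203.0.113.0/24", "customer-edge")
    if mode == "dest-rtbh":
        r.blackhole_destination(VICTIM + "/32")   # /32 is more specific than the /24
    elif mode == "source-rtbh":
        r.blackhole_source("198.51.100.0/24")
    delivered = {"attack": 0, "legit_to_victim": 0, "legit_to_neighbour": 0}
    for src, dst, n in FLOWS:
        if r.forward(src, dst) is None:
            continue
        if src.startswith("198.51.100."):
            delivered["attack"] += n
        elif dst == VICTIM:
            delivered["legit_to_victim"] += n
        else:
            delivered["legit_to_neighbour"] += n
    return delivered


if __name__ == "__main__":
    for mode in ("none", "dest-rtbh", "source-rtbh"):
        print(f"{mode:12} {simulate(mode)}")
```

The destination blackhole protects the neighbouring host and the upstream links but delivers nothing to the victim, legitimate or not; the source-based variant keeps the victim reachable, but it only helps when the attacking sources are identifiable and not spoofed, which is exactly what amplification attacks defeat.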
Rate limiting is a technique in which an administrator configures a server to accept only a certain number of requests from a client within a given time window. It is a useful measure for reducing the impact of a flood of DDoS traffic, but on its own it is not sufficient against sophisticated attacks, for example when many distributed sources each stay below the limit.
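A per-client token bucket is the usual way to implement such a limit. The Python example below is added here and is not code from the original article; it replays a constructed one-second traffic mix through a limiter of 10 requests per second with a burst of 20 (both values are assumptions) and shows both the benefit (a single flooding source is cut from 500 requests to about 30) and the limitation named above (fifty bots sending 9 requests per second each are all let through, 450 requests in total).

```python
class TokenBucketLimiter:
    """Per-client token bucket: each client may burst up to `burst` requests
    and is then held to `rate` requests per second on average."""

    def __init__(self, rate, burst):
        self.rate = rate
        self.burst = burst
        self.state = {}  # client -> (tokens, last_seen)

    def allow(self, client, now):
        tokens, last = self.state.get(client, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)  # refill since last request
        if tokens >= 1:
            self.state[client] = (tokens - 1, now)
            return True
        self.state[client] = (tokens, now)
        return False


def simulate(limiter, requests):
    """requests: iterable of (timestamp, client). Replays them in time order
    and returns {client: (allowed, denied)}."""
    tally = {}
    for ts, client in sorted(requests):
        allowed, denied = tally.get(client, (0, 0))
        if limiter.allow(client, ts):
            allowed += 1
        else:
            denied += 1
        tally[client] = (allowed, denied)
    return tally


def run_scenarios(rate=10, burst=20):
    """Constructed one-second traffic mix (not measured data): one flooding
    source, fifty bots that each stay under the limit, and one ordinary client."""
    requests = [(i / 500, "198.51.100.1") for i in range(500)]                 # 500 rps
    requests += [(j / 9, f"10.0.{b}.1") for b in range(50) for j in range(9)]  # 9 rps per bot
    requests += [(k * 0.5, "192.0.2.50") for k in range(3)]                    # 2 rps
    return simulate(TokenBucketLimiter(rate, burst), requests)


def summarize(tally):
    """Requests that reached the server, per traffic class."""
    bots = [c for c in tally if c.startswith("10.0.")]
    return {
        "single_flooder_allowed": tally["198.51.100.1"][0],
        "single_flooder_denied": tally["198.51.100.1"][1],
        "botnet_allowed": sum(tally[c][0] for c in bots),
        "legit_allowed": tally["192.0.2.50"][0],
    }


if __name__ == "__main__":
    for k, v in summarize(run_scenarios()).items():
        print(f"{k:24} {v}")
```

The single flooder is reduced to the burst plus one second of refill (about 30 requests), yet the botnet delivers fifteen times that much while every bot stays individually within policy; that is why per-source rate limits must be combined with aggregate limits, upstream filtering or a mitigation service.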
Implementing a web application firewall (WAF) can also mitigate a layer 7 DDoS attack. The WAF acts as a reverse proxy and filters requests according to defined rules, shielding the origin server from some of the malicious traffic. Other approaches, such as Anycast network diffusion, scatter the attack traffic across a network of distributed servers until it is absorbed.
The cost of a DDoS attack
Experts estimate the financial impact of a DDoS attack at just over €100,000 per attack for small and medium-sized enterprises and around €2 million for large companies. In addition, an attack causes harder-to-quantify damage such as loss of reputation, business disruption, and the time required to restore services afterwards.
DDoS-for-hire booter/stresser services
On 22 July 1999, a computer at the University of Minnesota was suddenly attacked by a network of 114 other computers: the birth of the DDoS attack, more than 20 years ago. Today, DDoS is one of the most popular weapons in the cybercriminal's arsenal. Criminals trade DDoS attacks on the darknet or extort website operators by threatening attacks if they do not pay.
The Mirai IoT botnet forms the basis of an ongoing DDoS-for-hire service that lets cybercriminals launch high-impact DDoS attacks against targets of their choice in exchange for payment (usually in bitcoin), making such attacks available even to non-technical users.
DDoS as a tool in economic competition
The motivation for DDoS attacks varies: extortion, hacktivism, or pure destructive rage. But companies can also use DDoS as a targeted measure to harm competitors.
A hacker hired by a competitor attacks an online game provider with a rented DDoS service, often in a series of attacks, to damage the company economically by making its operations unavailable or by forcing it to expand its defenses, weakening it financially. According to the Global DDoS Threat Landscape 2019 report by Imperva Research Labs, this is currently one of many distributed denial-of-service scenarios.
The price of a five-minute attack on an online store is about $5: a very small sum for a potentially large loss to the store operator, who loses the customers who are simply unable to order during the attack. Imagine how many customers an attacked online store loses if the attack lasts a whole day.
The fact that operators of online platforms are often willing to pay leads to the prediction that the average price of a DDoS attack will continue to fall in the near future and that attacks will become more frequent.
In 2019, the online gambling industry in particular, including online casinos, was hit hard by DDoS attacks. These markets are under great competitive pressure and carry a high risk of failure, so a platform outage is especially damaging to the business. It is enough to make a competitor's online service inaccessible to users for a few minutes: recovery can then take several hours, and while the service is unavailable the attacked company suffers a large financial loss.
One indication that DDoS is being used against unwelcome competitors could be the high volume of medium, large and very large attacks observed in November. Such a cluster could be explained by leftover budgets being spent on renting DDoS kits, or by the perpetrators hoping to inflict particular economic damage at this time of year, because the failure of an online service or web store during the year-end business hits the operator especially hard.