How cybercriminals and hacktivists use DDoS tools to attack
Remote access, shell booters, low-orbit ion cannons - read all about it here
By Ted Swearingen, Director of Security, Neustar, Inc. | Network World US | Published: 13:00, 02 September 2012
Network professionals know that distributed denial-of-service attacks are an ever-growing danger. The recent assault on Twitter is just the latest evidence. Using a mushrooming array of advanced tools, including pay-per-use services and mobile devices, attackers are taking down websites, DNS and email servers, often using these tools to destroy a company's online revenue, customer service and brand reputation. But the technology is only half the story. The thinking that shapes attacks an evolving blend of careful planning, probing and improvisation is often the difference between duds and strikes that leave victims begging for mercy.
So who launches DDoS attacks and why? The most common profiles: extortionists, ruthless competitors and "hacktivists," those attacking not for money, but in the name of social or political protest. The latter gets the most press, thanks to the media-savvy tactics of groups that have punished the likes of Bank of America and the US Chamber of Commerce. However, even though reliable statistics about attacks are hard to find, it's likely that money, not justice, is the main motive.
Regardless of the attacker's identity or incentive, criminals use common tools and tactics in varying combinations. Many of these tools are cheap or free and easily available. They also require no more specialised skill than typing in the target's name and hitting "enter." The low-orbit ion cannon (LOIC), for example, is an open-source DDoS application which floods a server with enough UDP or TCP packets to disrupt service. The LOIC even offers multiple attack vectors. Attackers can send anything from packets with the text of their choice to random HTTP GET requests which imitate legitimate application-layer traffic.
Related Articles on Techworld
The future of malware
The means to launch an assault doesn't stop there though, as there are many other resources for attackers to use. If someone rents a server from a hosting company, but doesn't secure it, an attacker could obtain administrative rights to the server, load scripts onto it and execute them at will. This is known as accessing a "shell booter."
There are also remote-access Trojans and DDoS bots, both forms of malware that infect PCs and mobile phones, letting criminals control them remotely to execute attacks. A group of such computers is a "botnet" and each computer infected is a "zombie." Each family of malware has its own destructive capabilities. The most advanced the ones that avoid detection the longest and support the most types of attacks are often sold as software or as a complete pay-by-the-hour service.
Attackers can also infect mobile phones to be used as extra resources. It's the same idea as launching attacks with other people's computers in a botnet. However, the added benefit is that there are billions of smartphones in use all around the world. And unlike desktop computers and laptops which are shut off for hours each day, mobile phones are always on, connected and able to abet attacks. In the DDoS world, it's all about how much traffic you can generate, which depends on the number of hosts under your control. Mobile phones are simply too tempting to resist, and a new weapon that network security personnel have to keep an eye out for.
However, before going through choosing a weapon and firing, the smartest attackers do their homework first. After all, there's a ton of public information available about any business, including yours. For instance, a simple DNS look-up can reveal a lot of information about your public-facing assets. Attackers will also check your infrastructure for open ports, protocols, applications and firewalls. By doing recon on your infrastructure and understanding what it's built to support ecommerce, customer service or public information, let's say the bad guys will assess what's at risk and will look for the best ways to exploit these weak spots in your infrastructure.
In the ramp-up to an attack, you might notice bursts of heavier traffic in key areas of your network. The attacker is probing, trying to find a way in. While some will simply try to flood you, others will try to find a little crack in your network defenses, some piece of infrastructure too tempting to ignore. If you're a retailer, for example, and someone succeeds in bringing down your point-of-sale applications, the pain could be acute. For the attacker, it's well worth the time investment and ensures that your entire organization will take notice of the attack.
Know your network and security inside-out
Everything's not all doom and gloom though. While criminals have many tools at their disposal, understanding what's at risk, and how it will be attacked, allows you to understand how to take the first steps in order to protect it. For starters, make sure your team knows not only your network inside-out but also your security set-up. Conduct a security assessment, either in-house or with third-party experts who can give independent validation. Use these findings to help optimize your systems. It's also critical to monitor traffic, so you know what's normal and what's not. With a clear baseline, you'll be able to spot and mitigate DDoS attacks faster.
Maybe most important of all, devise a DDoS response plan to counteract some of the tactics described here, listing procedures to follow and which team members are responsible for what. And practice executing this plan regularly. If you have to dust it off in the midst of an attack, you're inviting chaos. Run regular drills including simulated communications with customers, so you can become adept at managing their expectations.
At the end of the day, it's not only attackers whose thinking makes a difference. Companies that invest more brainpower in understanding how DDoS attacks work, to better protect themselves are also more skilled in deploying the technologies designed to keep their online presences safe.
Ted Swearingen is Neustar's director of information security operations and currently manages the company's Security Operations Center (SOC). He is also responsible for project consolidation between the network and security teams, along with oversight of security responsibilities for both.