Attack of the Bot Army

Rajesh Narayanan
Jul 8, 2018


A few days ago, one of my favorite email providers seemed to be constantly unavailable. Several users on Twitter expressed their anguish at paying for an email service (chosen because it is more secure than the free ones) and yet being unable to access their email.

The provider soon issued an apology describing what they perceived to be an unexpected “nation sponsored” attack. It soon became clear that this was a case of hacktivism rather than a state-sponsored attack: apparently a hacker group was testing a beta version of a service they were planning to launch and had chosen this email provider at random.


While the email support team kept diligently replying to users, the incident got out of hand when their CTO angered the hacktivists, which led to a longer and more sustained attack. Technically these two teams were at war, and I got my most recent brush with a DDoS attack.

What’s a DDoS?

DDoS is simply the abbreviation for Distributed Denial of Service. Imagine you and your friends are headed to a soccer stadium for a highly anticipated match. You soon realize that there is more traffic on the freeway than normal because other fans are also en route to the game.

The local authorities knew this would happen, have already blocked off certain known choke points, and are monitoring the traffic on all arterial roads for an hour before and after the match. Well done to them!

Unfortunately for you, a massive group of protesters, at loggerheads with the local football club over sponsor selection, decides to crash the party. Thousands of them from all the nearby cities get on the highway at the same time, choking the usually free-flowing route.

While this does not fully stop the flow of traffic, it was only step 1. Once near the stadium, you notice that hundreds of their supporters start pouring paint on the road, making it very difficult for you to progress further.

Had you purchased tickets earlier you were most likely still going in, depending on how late you were and how important the game was to you. To the club, however, the impact is financial, since most of the crowd had yet to buy tickets.


A DDoS is the cyber version of the scenario above. This is what happened to the email service provider, who were expecting a large spike in new users. As the launch had been preceded by months of preparation, including social media campaigns and free awareness programs across countries, the cost to the company was huge; far more than the lost increase in their usual sales volumes. The expected uptick in their profit margins skidded to a halt when the new users flooding in found the site unreachable.

Even worse, existing users who were keen on upgrading to a paid account decided not to when they realized the site could be subjected to such an attack. The irony is that this can happen to any website on the internet. For ordinary users who just wanted to check their email and get on with their lives, the problem was more frustration than anything else.

How to Launch DoS Attacks?

Before describing an attack, it is worth noting that not all floods are malicious. Websites expecting heavy traffic have a DDoS mitigation partner and routinely run DDoS simulations in a non-production environment; some corporate sites even test against their live environment, in a controlled manner, during off-peak business hours.

One might expect such attacks to be extremely hard to launch, given the money that goes into the modern IT infrastructure of major corporations. The truth is that it is only as difficult as it was for the protesters in the section above to stage their protest, i.e. paying for fuel for their own cars and some petty cash for the paint.

The idea behind a simple denial of service attack is to send a continuous stream of requests, sometimes reaching gigabits of data per second, at a targeted site from a single source. This is like trying to breach a fort by continuously attacking with a single siege weapon. Such an attack is uncommon today and is easily thwarted by blocking the offending IP address.

Source: Simple DDoS mitigation at ResearchGate.net

In a distributed attack the requests come from hundreds or thousands of computers. At times a group of anonymous hackers spread across geographies might try to coordinate such an attack, each flooding the target from their own connection, but this is not much better than a single-source DoS: every participant's IP can be blocked, and there is no guarantee they can coordinate to perfection.

If the attacker's intent is malicious and they lack the infrastructure to generate that many hits on a URL per second, the usual routine is to infect unsuspecting computers with malware that does exactly this, forming a botnet.

In the mid-1990s an attack may have consisted of 150 requests per second, and that would have been enough to bring down many systems. Today attacks can exceed 1,000 Gbps. This has largely been fueled by the sheer size of modern botnets (Source).

So when the group wants to launch a coordinated DDoS attack, the bot herder (the operator) sends a command through the botnet's command-and-control (C2) server that wakes up the malicious bots sleeping on hundreds of thousands of machines across the globe. The infected bots can be PCs or IoT devices.


These attacks are hard to defend against because the traffic arrives from a huge number of otherwise legitimate machines rather than from a single source that could simply be blocked. Even such an automated and well planned attack has a chance of failure: not all infected machines will be switched on at the time, and not all of them have a good internet connection.

An attacker can also amplify an attack by reflection: small requests carrying the victim's spoofed source address are sent to open DNS resolvers, whose much larger responses are delivered to the victim instead of the attacker. DNS is one example; exposed memcached servers, whose memory caching service can return very large chunks of data in response to a simple request, have been abused the same way.
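
The paragraph above describes how reflection looks from the attacker's side; the added example below (mine, not code from the original article) shows how it looks in a defender's flow telemetry and how a simple detector could flag it. The reflector port list, the thresholds and the flow records are assumptions constructed for this example; the victim receives large UDP replies from several resolvers and memcached servers it never queried, all at once.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address

# UDP services commonly abused as reflectors, keyed by well-known port. The list
# is an assumption made for this example; the article itself names DNS and memcached.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP", 11211: "memcached"}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str      # "udp" or "tcp"
    packets: int
    bytes: int


def parse_flow(line: str) -> Flow:
    """Parse one 'src_ip,src_port,dst_ip,dst_port,proto,packets,bytes' record."""
    s, sp, d, dp, proto, pk, by = (f.strip() for f in line.split(","))
    for addr in (s, d):
        ip_address(addr)                  # raises ValueError on a malformed address
    return Flow(s, int(sp), d, int(dp), proto.lower(), int(pk), int(by))


def find_reflection_victims(flows, min_sources=5, min_avg_bytes=400):
    """Return {victim_ip: summary} for hosts receiving large UDP replies from many
    distinct reflector-service sources. A legitimate client talks to one or two
    resolvers and gets small answers; an amplification victim gets big replies
    from dozens of servers it never queried."""
    per_victim = defaultdict(lambda: {"sources": set(), "services": set(), "packets": 0, "bytes": 0})
    for f in flows:
        if f.proto != "udp" or f.src_port not in REFLECTOR_PORTS:
            continue
        v = per_victim[f.dst_ip]
        v["sources"].add(f.src_ip)
        v["services"].add(REFLECTOR_PORTS[f.src_port])
        v["packets"] += f.packets
        v["bytes"] += f.bytes
    alerts = {}
    for victim, v in per_victim.items():
        avg = v["bytes"] / v["packets"] if v["packets"] else 0
        if len(v["sources"]) >= min_sources and avg >= min_avg_bytes:
            alerts[victim] = {
                "reflectors": len(v["sources"]),
                "services": sorted(v["services"]),
                "avg_packet_bytes": round(avg),
                "total_bytes": v["bytes"],
            }
    return alerts


# Constructed flow records (not real traffic) in the format parse_flow expects.
# 203.0.113.10 is the victim: six open resolvers and two memcached servers are
# all answering requests that were sent with its spoofed source address.
SAMPLE_FLOWS = [
    "192.0.2.53,53,198.51.100.7,51515,udp,1,120",        # ordinary DNS answer to a client
    "192.0.2.54,53,198.51.100.7,51516,udp,1,96",
    "203.0.113.50,443,198.51.100.7,44122,tcp,40,52000",  # ordinary HTTPS session
] + [
    f"192.0.2.{n},53,203.0.113.10,80,udp,500,1500000" for n in range(1, 7)   # 3000 B/packet
] + [
    "198.51.100.20,11211,203.0.113.10,80,udp,100,140000",   # 1400 B/packet
    "198.51.100.21,11211,203.0.113.10,80,udp,100,140000",
]


def demo():
    return find_reflection_victims(parse_flow(line) for line in SAMPLE_FLOWS)


if __name__ == "__main__":
    for victim, summary in demo().items():
        print(f"amplification attack on {victim}: {summary}")
```

Two caveats a practitioner will want: the reflectors themselves are also being abused (they see a flood of spoofed queries from "the victim"), so the same data can be read from their side, and fixed thresholds like these are only a starting point; in production the distinct-source count and bytes-per-packet figures should be compared against a per-destination baseline rather than constants.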

Wikipedia lists several modes of carrying out DDoS attacks. Summarizing the possibilities:

  • The attack may take the form of resource starvation, i.e. using their own knowledge and publicly known bugs, attackers target buffer overflows or memory leaks in a particular site or service.
  • They can run up costs for the application operator when the latter uses pay-per-use cloud resources or metered network bandwidth.
  • Attacks can be as trivial as slowing down response reads, i.e. make a request to the web server but accept the response very slowly, holding the connection open for longer; this consumes connection slots and eventually CPU, and lowers the availability of the service.
  • The attacker can declare a large body size in the message header and then send the actual body at a very slow rate, tying up the connection and causing a large queue.
  • They can repeatedly send malformed packets and bring the service to a standstill, or, in the case of IoT devices, use security flaws that allow remote administration of the management interface to replace the device's firmware with a modified, corrupt, or defective image.
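
The slow-read and slow-body entries in the list above work only because a naive server waits forever for a client to finish. The added example below (mine, not code from the original article) is a minimal asyncio HTTP listener that bounds how long a client may take to deliver its header and its declared body, together with a demo client that behaves like those attackers. The timeouts, size limits and the four probe requests are assumptions chosen for the example.

```python
import asyncio
import re

# Tunables chosen for this example (assumptions, not values from the article).
HEADER_TIMEOUT = 0.3      # seconds a client gets to finish sending the request header
BODY_TIMEOUT = 0.3        # seconds a client gets to deliver the body it declared
MAX_HEADER_BYTES = 8192   # StreamReader limit: a header that never ends is cut off here
MAX_BODY_BYTES = 1 << 20  # refuse any body larger than 1 MiB before reading a byte of it


def parse_content_length(header_block: bytes) -> int:
    """Declared Content-Length: 0 if absent, -1 if it is not a non-negative integer."""
    m = re.search(rb"(?im)^content-length:[ \t]*(\S+)[ \t]*\r?$", header_block)
    if not m:
        return 0
    try:
        n = int(m.group(1))
    except ValueError:
        return -1
    return n if n >= 0 else -1


def _response(status: int, reason: str, body: bytes = b"") -> bytes:
    head = f"HTTP/1.1 {status} {reason}\r\nContent-Length: {len(body)}\r\nConnection: close\r\n\r\n"
    return head.encode() + body


async def handle(reader: asyncio.StreamReader, writer: asyncio.StreamWriter) -> None:
    """Request handler that never waits indefinitely on a client."""
    try:
        try:
            head = await asyncio.wait_for(reader.readuntil(b"\r\n\r\n"), HEADER_TIMEOUT)
        except asyncio.TimeoutError:            # slow-header (Slowloris-style) client
            writer.write(_response(408, "Request Timeout"))
            return
        except asyncio.LimitOverrunError:       # header grew past MAX_HEADER_BYTES
            writer.write(_response(431, "Request Header Fields Too Large"))
            return
        length = parse_content_length(head)
        if length < 0:
            writer.write(_response(400, "Bad Request"))
            return
        if length > MAX_BODY_BYTES:             # absurd declared size: reject up front
            writer.write(_response(413, "Payload Too Large"))
            return
        try:
            await asyncio.wait_for(reader.readexactly(length), BODY_TIMEOUT)
        except asyncio.TimeoutError:            # slow-body client: declared, never delivered
            writer.write(_response(408, "Request Timeout"))
            return
        writer.write(_response(200, "OK", b"ok"))
    except (asyncio.IncompleteReadError, ConnectionError):
        pass                                    # client went away; nothing to answer
    finally:
        try:
            await writer.drain()
        except ConnectionError:
            pass
        writer.close()


async def probe(port: int, head: bytes, body: bytes = b"", stall: float = 0.0) -> int:
    """Demo client: send head, go quiet for `stall` seconds (the attack), then send body.
    Returns the HTTP status the server answered with, or 0 if it just hung up."""
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    try:
        writer.write(head)
        await writer.drain()
        if stall:
            await asyncio.sleep(stall)
        if body:
            writer.write(body)
            await writer.drain()
        data = await reader.read(4096)
    finally:
        writer.close()
    return int(data.split()[1]) if data.startswith(b"HTTP/1.1 ") else 0


async def demo() -> dict:
    """Run the server on a free loopback port and throw four kinds of client at it."""
    server = await asyncio.start_server(handle, "127.0.0.1", 0, limit=MAX_HEADER_BYTES)
    port = server.sockets[0].getsockname()[1]
    try:
        return {
            "normal": await probe(port, b"POST / HTTP/1.1\r\nHost: x\r\nContent-Length: 5\r\n\r\n", b"hello"),
            "slow_header": await probe(port, b"GET / HTTP/1.1\r\nHost: x\r\n", stall=1.0),
            "slow_body": await probe(port, b"POST / HTTP/1.1\r\nHost: x\r\nContent-Length: 100\r\n\r\n", stall=1.0),
            "huge_body": await probe(port, b"POST / HTTP/1.1\r\nHost: x\r\nContent-Length: 99999999\r\n\r\n"),
        }
    finally:
        server.close()
        await server.wait_closed()


def run_demo() -> dict:
    return asyncio.run(demo())


if __name__ == "__main__":
    print(run_demo())   # {'normal': 200, 'slow_header': 408, 'slow_body': 408, 'huge_body': 413}
```

Real servers expose the same knobs rather than leaving it to application code: nginx has client_header_timeout and client_body_timeout, Apache ships mod_reqtimeout, and Go's http.Server has ReadHeaderTimeout; the point of the example is what those settings actually do to a connection that stalls.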

A more serious variant is Telephony DoS (TDoS), where an attacker floods the victim's telephone lines so that they become unreachable by phone, often as part of a scam. So the next time you share your contact number on a website and start receiving blank calls, be alert.

Sure, there could be legal consequences depending on whom you are trying to upstage. But for most victims, pursuing whoever flooded a public website is rarely worth the cost of prolonged litigation.

Defending against the Siege

The cost to the company does not stem only from the unavailability of their services. Remember, we live in an ad-driven world: a single user staying 10 seconds on a website could mean 10 cents for the site owner. Then there is the consequence of damaged reputation.

How do we stop these attacks from ever happening? If you have read the article so far you will have understood that PCs like ours need to become infected first. Such infections most likely happen because we clicked an unscrupulous link received by email, or because we forgot to change the default login credentials of our IoT device to something strong.

Source: Known default credentials of IoT devices, extracted from the executable behind the Mirai botnet

So from the end-user perspective, let's hope that the billions of people using online services and IoT devices simply start following security best practices with immediate effect and, while we are at it, keep their anti-virus signatures up to date! Or let's get real, and stop such wishful thinking!

So what can large companies do to provision against such unanticipated attacks? In the analogy above, had the soccer club been aware that the protest group might up their game, they would have asked the local authorities in all nearby towns to clamp down harder and set up stricter checkpoints that screen every car trying to get onto the highway.

This is exactly how world-class service providers prepare for an attack: by partnering with one or more DDoS protection providers. This is especially important during major software upgrades, when more damage can easily be done because of new, unexplored code or architecture-level vulnerabilities.

The focus of protection is usually threefold:

  • Application layer attacks, which exploit software vulnerabilities or exhaust application resources to crash or stall the server.
  • Protocol layer attacks, which abuse weaknesses in network protocols (for example, SYN floods that exhaust a server's connection-state table).
  • Volume-based protection, which guards against what are known as flood attacks.

Yet we see the unexpected nature of such attacks increasing by the day. This is not for lack of defenses, but because the siege by the attackers can now last days rather than hours.

As mentioned earlier, there are network security services that help ensure your attack vectors (geek speak for the possible vulnerabilities or modes of entry into your architecture) are negligible or nil. What they would do in a real situation is:

  • Advise on setting up application front-end hardware that analyzes packets as they enter the system and classifies them as priority, regular, or dangerous.
  • Help establish a threshold of incoming requests from individual IPs or IP ranges.
  • Use their algorithms, with the above threshold as a baseline, to determine when and whether an attack is occurring.
  • Raise an alert that warns all immediately affected parties using the system.
  • Deploy countermeasures such as request redirection, or Anycast, which spreads incoming traffic across many geographically distributed points of presence (and reduces latency as a side benefit), if the attack persists.
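
The threshold and detection steps in the list above are easy to state and easy to get wrong, so here is an added example (mine, not the article's or any vendor's code) of the simplest workable form: a sliding-window count of requests per client over Common Log Format lines, with the option to aggregate by IP range so that many hosts in one /24 that each stay under the per-IP limit are still caught. The window, the thresholds and the sample log are assumptions constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from ipaddress import ip_network
from typing import Optional

# Common Log Format: client - - [time] "request" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Return (client_ip, timestamp) for a Common Log Format line, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT)


def peak_rates(entries, window: float = 10.0, prefix: Optional[int] = None) -> dict:
    """Peak number of requests seen from each key within any `window`-second span.
    The key is the client IP, or its /prefix network when `prefix` is given."""
    recent = defaultdict(deque)
    peaks = defaultdict(int)
    for ip, ts in sorted(entries, key=lambda e: e[1]):
        key = str(ip_network(f"{ip}/{prefix}", strict=False)) if prefix else ip
        q = recent[key]
        q.append(ts.timestamp())
        while q[-1] - q[0] > window:          # slide: drop requests older than the window
            q.popleft()
        peaks[key] = max(peaks[key], len(q))
    return dict(peaks)


def offenders(lines, threshold: int, window: float = 10.0, prefix: Optional[int] = None) -> dict:
    """Keys whose peak request count exceeds `threshold` within `window` seconds."""
    entries = [e for e in map(parse_line, lines) if e is not None]
    return {k: n for k, n in peak_rates(entries, window, prefix).items() if n > threshold}


def _line(ip: str, ts: datetime) -> str:
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET /login HTTP/1.1" 200 512'


def sample_log() -> list:
    """Constructed access log (not real traffic): one host hammering /login, five hosts
    from one /24 each staying under the per-IP limit, and one ordinary visitor."""
    t0 = datetime(2018, 7, 8, 10, 0, 0, tzinfo=timezone.utc)
    lines = [_line("198.51.100.9", t0 + timedelta(milliseconds=150 * i)) for i in range(30)]
    for h in range(5):
        lines += [_line(f"203.0.113.{10 + h}", t0 + timedelta(seconds=2 * i, milliseconds=100 * h))
                  for i in range(5)]
    lines += [_line("192.0.2.8", t0 + timedelta(seconds=s)) for s in (1, 30, 60)]
    return lines


if __name__ == "__main__":
    log = sample_log()
    print("per IP, >20 in 10 s:", offenders(log, threshold=20))
    print("per /24, >20 in 10 s:", offenders(log, threshold=20, prefix=24))
```

Run as written, the per-IP pass catches only the single aggressive host, while the /24 pass also catches the spread-out range; in a real deployment the threshold would be derived from the site's own baseline traffic rather than fixed, and the action on an offender (rate limit, challenge, drop) would be separate from the detection.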

If you are a solution provider, then given the ease with which attacks can be launched, and knowing that help is readily available to protect the interests of your business and your customers, you should definitely look into DDoS protection for your site. By modern cybersecurity standards, claiming that your website does not need DDoS protection would be unwise and unprofessional.

If you are a consumer and have reached this point of the article, I hope you have become more aware of the war that goes on in the cyber world every day. You would do well to follow my earlier advice and stay up to date with the less obvious security threats.

When an online service that knows a little about you goes dark, you need to take action. In this battle between corporate giants and hackers there are no clear winners or losers.

Despite what you have been taught about chess, this game is played differently. While there are tools at your disposal to ensure you do not become a pawn in this war, the internet is no ordinary chess board. The army on one side are devils in disguise, and the one at the other end are not your best friends either. You would do well to remember that no matter which game you play, while the higher powers may get a second chance at life, the pawns never come back from the dead!
