DDoS Attacks: A Quick Guide

Denial of service attacks can wreak havoc on victim organizations.

Threat Intel
5 min read · Sep 19, 2018

During DoS attacks, a huge wave of traffic can take down websites or online services

A denial of service (DoS) attack is a cyber attack that has the goal of making a device, devices, or a network unavailable to their intended users by disrupting their connection to the internet. DoS attacks are typically caused by flooding the targeted device or service with so many requests that it becomes overloaded and legitimate requests cannot be fulfilled.

There are various types of DoS attacks, but the most common is a distributed denial of service (DDoS) attack. A DDoS attack occurs when the incoming traffic that is flooding a victim organization or network comes from many different sources. This makes DDoS attacks very difficult to tackle, as victims cannot simply shut the attack down by blocking the source when the attack is coming from so many different points. In DDoS attacks, it can also be difficult to differentiate between legitimate traffic and malicious traffic.

My, my, my, Mirai

DoS attacks can be carried out for a variety of reasons. Sometimes they are driven by one of the basest of human emotions: revenge. Journalist Brian Krebs, whose website was subjected to a massive DDoS attack in 2016, for example, was thought to have been targeted due to research he was carrying out into DDoS attacks and the people behind them. The attack on Krebs’ website reached 620 Gbps, which was record-breaking at the time, though its record as the largest DDoS attack ever reported did not last long.

That’s because the attack on Krebs’ website was just one attack carried out by the Mirai botnet, which caused havoc around the globe with a series of DDoS attacks in September and October 2016. As well as the attack on Krebs, there was an attack in the same week on French hosting company OVH that reached 1 Tbps.

However, it was Mirai’s attack on DNS provider Dyn that produced the most headlines: this attack disrupted and forced offline several online services, including Spotify, Twitter, and PayPal.

Mirai works by exploiting the weak security on many IoT devices. It continuously scans for IoT devices that are accessible over the internet and are protected only by factory default or hardcoded user names and passwords. It has a list of 62 user name and password combinations that it uses to try to take over these devices. Devices targeted by Mirai included routers, DVRs, and CCTV cameras, among other IoT devices. By infecting and taking over these devices, the attackers behind Mirai created a huge botnet — a zombie army of devices that could be used to overwhelm online services with massive DDoS attacks.

Mirai underlined the dangers posed by IoT devices — and by the lax security on many of these newly connected devices. Thanks to IoT, attackers now have a whole new class of devices that they can potentially infect and use in hugely disruptive DDoS attacks, like those carried out by the Mirai attackers.

Mmm-crash

Of course, you don’t need a giant army of zombie internet of things devices at your fingertips to carry out a DDoS attack; there are other methods, as two recent huge attacks have shown. In March 2018, popular code repository GitHub was briefly taken offline in a (once again) record-breaking 1.3 Tbps DDoS attack. However, Mirai or a similar band of angry bots wasn’t behind this attack; the attackers behind it relied on a technique known as Memcrashing.

Memcrashing is essentially an amplification attack. It works by exploiting memcached servers that have been left open to the public internet with no authentication in place. Memcached is a caching system that speeds up web apps by reducing database load, and it is widely used by many internet services. However, memcached servers should never be exposed to the public internet, precisely because they can run without authentication.

To carry out a Memcrash attack, an attacker sends a small command to an open memcached server and, in the UDP packet for that request, spoofs the source IP address so that it appears to be the victim’s server. The memcached server fires back up to 50,000 times the amount of data it received in the command, flooding the victim’s server with a huge amount of traffic and potentially causing it to crash.
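As an added example (not code from the original post), this Python snippet shows the two numbers a defender takes from the description above: the amplification ratio of a reflected reply to the tiny spoofed request, and a flow-level check that flags a host receiving unsolicited UDP replies from memcached’s default port 11211 from several reflectors at once. The flow records, addresses and thresholds are constructed for the example.

```python
from collections import defaultdict

MEMCACHED_PORT = 11211  # memcached's default service port

# Constructed flow records, not real traffic:
# (src_ip, src_port, dst_ip, dst_port, protocol, bytes)
FLOWS = [
    ("198.51.100.10", 11211, "203.0.113.5", 443, "udp", 1_400_000),
    ("198.51.100.11", 11211, "203.0.113.5", 443, "udp", 1_250_000),
    ("198.51.100.12", 11211, "203.0.113.5", 443, "udp", 980_000),
    ("198.51.100.13", 11211, "203.0.113.5", 443, "udp", 1_100_000),
    ("192.0.2.7", 51000, "203.0.113.5", 443, "tcp", 5_000),     # ordinary web client
    ("198.51.100.10", 11211, "203.0.113.9", 80, "udp", 2_000),  # single small reply
]


def amplification_factor(request_bytes, response_bytes):
    """Ratio of the reflected response to the spoofed request that triggered it."""
    if request_bytes <= 0:
        raise ValueError("request size must be positive")
    return response_bytes / request_bytes


def detect_memcached_reflection(flows, min_sources=3, min_bytes=1_000_000):
    """Flag destinations receiving large volumes of UDP traffic sourced from port 11211.

    A legitimate host rarely receives unsolicited memcached replies at all; many
    distinct reflectors converging on one destination is the reflection-DDoS signature.
    Returns {victim_ip: {"bytes": total, "reflectors": distinct_source_count}}.
    """
    per_victim = defaultdict(lambda: {"bytes": 0, "sources": set()})
    for src_ip, src_port, dst_ip, _dst_port, proto, nbytes in flows:
        if proto == "udp" and src_port == MEMCACHED_PORT:
            per_victim[dst_ip]["bytes"] += nbytes
            per_victim[dst_ip]["sources"].add(src_ip)
    return {
        victim: {"bytes": v["bytes"], "reflectors": len(v["sources"])}
        for victim, v in per_victim.items()
        if len(v["sources"]) >= min_sources and v["bytes"] >= min_bytes
    }


if __name__ == "__main__":
    print("amplification of a 15-byte request returning 750 kB:",
          amplification_factor(15, 750_000))
    for victim, info in detect_memcached_reflection(FLOWS).items():
        print(f"suspected reflection target {victim}: {info}")
```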

It appears to be a growing issue: a week after the record-smashing attack on GitHub, another DDoS attack that used Memcrashing broke the record again. DDoS mitigation provider Arbor Networks revealed that a U.S. service provider had been subjected to a 1.7 Tbps DDoS attack, though in that case the company was able to repel it. For now, this remains the largest DDoS attack seen so far.

Why though?

The reasons behind DDoS attacks are not always clear. As noted above, they are sometimes prompted by revenge, and activism and extortion have also been motives behind some DDoS attacks. DDoS extortion attacks are really a type of ransomware: cyber criminals may carry out a small attack to show what they can do, before threatening a larger attack if a ransom is not paid.

Sometimes, websites become victims of an unintentional DDoS attack: not because they are under attack, but because the site has become overwhelmed by the amount of traffic visiting it at the same time. Small websites that don’t have the bandwidth for a lot of visitors but “go viral” for some reason are the most likely to suffer this kind of failure, as they cannot withstand the number of requests arriving at their site. We have probably all encountered this kind of “attack” to some degree, for example when you attempt to buy tickets to a popular concert and the website crashes under the volume of people all clicking on it at the same time.

One of the most famous recent examples of this kind of incident occurred in Australia in 2016, when the country’s Census website crashed spectacularly due to the (surely predictable) number of people attempting to access it at the same time.

How can I guard against these attacks?

So, revenge, blackmail, activism, and extreme popularity — these are just some of the reasons behind DDoS attacks, but how can you guard against becoming a victim of these attacks?

· Ensure your network is well protected with good intrusion prevention system (IPS) and firewall protections.

· If necessary, engage the services of a DDoS mitigation provider that can help you fight off DDoS attacks if you do become a victim of one.

· Have a DDoS response plan in place in your organization if you do fall victim.

· Change the default user names and passwords on your routers and other IoT devices so they do not become part of a botnet that can then be used to carry out DDoS attacks.

Check out the Security Response blog and follow Threat Intel on Twitter to keep up-to-date with the latest happenings in the world of threat intelligence and cyber security.
Threat Intel

Symantec’s Threat Hunter team brings you the latest threat intelligence from the IT security world.