DOS: You Got Served

DOS (Denial of Service) attacks come in various forms and intensities, but all have the same purpose: to take a website offline and damage the organization running it. The most common use for DOS attacks is ransom. A hacker will DOS a site and email the owner, demanding payment or else the website will be taken offline. DOS attacks are also used as a form of protest. In 2009, Iranians launched DDOS (Distributed Denial of Service) attacks against several government websites to protest the presidential election. Anonymous has also used DDOS attacks in “Operation Payback” to protest Megaupload being taken offline. They attacked the websites of UMG (the company responsible for the lawsuit against Megaupload), the United States Department of Justice, the United States Copyright Office, the Federal Bureau of Investigation, the MPAA, Warner Brothers Music and the RIAA, as well as HADOPI, all on the afternoon of January 19, 2012.

The tool most commonly used to conduct DDOS attacks as protest is LOIC (Low Orbit Ion Cannon). LOIC is a free program available for any platform that does nothing but send garbage data to a server. One person downloading this program and trying to take down a server achieves nothing. Not a single website on the internet will fall to one Low Orbit Ion Cannon. Websites only go down when thousands upon thousands of people use LOIC at the same time against the same server. Much like a real-world protest, this clogs up the server’s bandwidth, making it very difficult for legitimate traffic to get through. LOIC is most publicly used by Anonymous. In 2008, they gathered enough people to attack the websites of the Church of Scientology. In 2010, they also attacked the Recording Industry Association of America and the websites of organizations opposed to WikiLeaks during Operation Payback.

While large groups of people can very easily take down a website through coordination, for one hacker to DDOS a website he needs a botnet: an army of infected computers that he can control remotely. Another tactic that hackers use to multiply the amount of data sent is to abuse NTP (the Network Time Protocol). NTP is basically the protocol used to get the current time. What’s important is that a client sends a small request and gets a large response, meaning that if hackers can make NTP servers send their responses to a single target website instead of back to the sender, they can triple the amount of data they use in the attack. Luckily, many NTP server operators are aware of this vulnerability, and about 4 out of 5 servers have been patched against this type of abuse.

Not all DOS attacks require angry mobs of people or thousands of zombie computers. Some attacks exploit vulnerabilities in the computer’s software to remotely crash or hang it. Teardrop is one of those attacks. Luckily, no modern computer can be taken down with a Teardrop attack; it was discovered and used against Windows 95, NT, and 3.1. An attacker would send a malformed internet packet to the computer, causing it to crash. There was no other destruction of data: unless something had not been saved on the computer at the time, the attack would only cause the computer to blue-screen. A similar attack is the Ping of Death. To attack a computer with the Ping of Death, an attacker would send the largest chunk of data possible in a single packet. In order to crash the computer, the data would have to be larger than 65,536 bytes. The attacked computer would have nowhere in memory to store the extra bytes and would crash.
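Both Teardrop and the Ping of Death abused the absence of sanity checks during IP fragment reassembly, which is where modern stacks stop them. The following is an added example, not code from the original post: a minimal reassembly validator written from the defender’s side that refuses overlapping fragments (the Teardrop pattern) and refuses any fragment set whose reassembled size would exceed the IP datagram limit (the Ping of Death pattern). The `Fragment` record and the three sample fragment sets are constructed for this demonstration.

```python
# Added example (not part of the original post): a minimal IP fragment
# reassembly checker in the defender's position, showing the two sanity
# checks that modern stacks apply and that Teardrop and Ping of Death
# exploited in their absence. Fragment records below are constructed.
from dataclasses import dataclass

MAX_IP_DATAGRAM = 65535  # largest total length an IPv4 datagram can declare


@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset of this piece within the original datagram
    length: int   # number of payload bytes in this piece
    more: bool    # "more fragments" flag: False only on the final piece


def validate_fragments(frags):
    """Return (ok, reason). ok is True only if the fragments can be
    reassembled into a single well-formed datagram."""
    if not frags:
        return False, "no fragments"
    # Fragments may arrive in any order; reason about them by offset.
    ordered = sorted(frags, key=lambda f: f.offset)
    expected_end = 0
    for index, f in enumerate(ordered):
        if f.length <= 0:
            return False, "empty fragment"
        # Teardrop-style check: a piece must not start before the previous
        # piece ended. Overlapping pieces are rejected, never merged.
        if f.offset < expected_end:
            return False, f"overlap at offset {f.offset}"
        if f.offset > expected_end:
            return False, f"gap before offset {f.offset}"
        end = f.offset + f.length
        # Ping-of-Death check: the reassembled size must fit the IP limit
        # before any reassembly buffer is written.
        if end > MAX_IP_DATAGRAM:
            return False, f"datagram would exceed {MAX_IP_DATAGRAM} bytes"
        # Only the last piece may clear the "more fragments" flag.
        is_last = index == len(ordered) - 1
        if f.more == is_last:
            return False, f"bad more-fragments flag at offset {f.offset}"
        expected_end = end
    return True, f"reassembled {expected_end} bytes"


# Constructed sample fragment sets (not captured traffic).
NORMAL = [Fragment(0, 1480, True), Fragment(1480, 1480, True),
          Fragment(2960, 500, False)]
# Second piece starts inside the first one: the Teardrop pattern.
TEARDROP_LIKE = [Fragment(0, 1480, True), Fragment(1000, 800, False)]
# Pieces add up to 66000 bytes, past the 65535-byte limit: the Ping of Death pattern.
OVERSIZED = [Fragment(0, 65000, True), Fragment(65000, 1000, False)]

if __name__ == "__main__":
    for name, frags in (("normal", NORMAL), ("teardrop", TEARDROP_LIKE),
                        ("oversized", OVERSIZED)):
        print(name, validate_fragments(frags))
```

The validator inspects the whole fragment set before any byte is copied, which is the point: a stack that allocated a buffer from the header’s declared size and then copied fragment payloads blindly is exactly what these two attacks crashed.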

There are many forms of DOS attacks, and hackers find new vulnerabilities to exploit every day. The most effective attacks are still DDOS attacks, where large groups of people decide to take down a site as a form of protest. Though it may not seem to matter that a government site goes down for a couple of days, DDOS attacks have a real-world effect: they can be used for peaceful protest, or as a form of extortion by a mafia-like group of hackers.

‘Biggest ever’? Massive DDoS attack hits EU, US

A massive DDoS attack hit EU- and US-based servers, with security companies reporting it to be even more powerful than last year’s Spamhaus attacks. While the method of the attack was not new, CloudFlare warned there are “ugly things to come.”

Only scant details about the attack were released by US-based web performance and security firm CloudFlare, which fought back against the distributed denial of service (DDoS) attack early Tuesday.

According to CloudFlare CEO Matthew Prince, the attack reached 400 gigabits per second in power – some 100Gbps higher than the notorious Spamhaus cyber-assault of March 2013 that at the time was branded the largest-ever attack in the history of the internet.

“[It was] very big. Larger than the Spamhaus attack from last year… Hitting our network globally but no big customer impact outside of Europe,” Prince was quoted as saying by TechWeekEurope blog.

Prince said one customer was initially targeted by the attack, but added that he would not disclose the customer’s identity.

The company spent several hours mitigating the attack, but said that the European network was largely unaffected. When helping to deal with the massive cyberwar on Spamhaus last year, CloudFlare claimed it slowed down the entire World Wide Web, which prompted critics to dub the company’s part a “PR stunt effort.”

CloudFlare had an ominous statement to offer its customers this time as well. According to Prince, the latest attack has shown someone has got “a big, new cannon,” and it could be a “start of ugly things to come.”

French hosting firm OVH also reported being hit by an attack of more than 350Gbps in strength, but it was not clear whether it was the same attack CloudFlare experienced.

The technique used by Monday’s attackers was not exactly new, as they exploited the Network Time Protocol (NTP) used to synchronize clocks on computer systems. A weakness in the protocol allows anyone to query an NTP server about the clients that have connected to it and their traffic counts. If made en masse, such requests generate an overwhelming volume of traffic, bringing down the target just as a typical DDoS attack would.

What makes the recent attacks worse is the so-called “spoofing” of the attackers’ IP addresses, making it look as if the victim is the one generating those junk requests. The volume of junk also skyrockets because “large” replies are thrown back at the target from a number of servers “compromised” in the attack. For this reason, such tactics are often referred to as a “reflection and amplification” attack.

Back in January, the US Computer Emergency Readiness Team (US-CERT) issued a warning about such NTP amplification attacks after a number of prominent gaming services were brought down by them in December, including Steam, League of Legends and

While CloudFlare in its warning urged server administrators to patch and upgrade their NTP servers to solve the issue, it appears that few have since bothered to carry out these security measures.
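The reflection-and-amplification pattern described here (and in the first post’s NTP paragraph above) leaves a distinctive signature at the edge of the targeted network: large packets arriving from UDP port 123 on many different NTP servers that the victim never queried. The following is an added example, not code from the article or from CloudFlare: a small scorer over flow records that flags destinations matching that pattern. The flow tuple layout, the thresholds (`NORMAL_NTP_PKT_BYTES`, `MIN_REFLECTORS`, `MIN_ASYMMETRY`) and all IP addresses and byte counts are constructed for the demonstration, not real telemetry.

```python
# Added example (not from the original article): scoring NTP reflection
# traffic from flow records, as a network defender would at the edge of
# the targeted network. All records and thresholds below are constructed.
from collections import defaultdict

NTP_PORT = 123
# A normal NTP time exchange carries a 48-byte payload; with UDP and IP
# headers the packet is roughly 76 bytes. Reflected monlist-style replies
# are several hundred bytes per packet. Thresholds are demo assumptions.
NORMAL_NTP_PKT_BYTES = 90     # flag only if average packet is larger than this
MIN_REFLECTORS = 3            # distinct NTP servers hitting one destination
MIN_ASYMMETRY = 50.0          # NTP bytes received per NTP byte we sent

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, bytes, packets)
FLOWS = [
    # ordinary time sync between our host 10.0.0.5 and one NTP server
    ("10.0.0.5", 40001, "198.51.100.7", 123, 76, 1),
    ("198.51.100.7", 123, "10.0.0.5", 40001, 76, 1),
    # reflected traffic hitting 10.0.0.9 from many NTP servers it never queried
    ("203.0.113.10", 123, "10.0.0.9", 80, 48200, 100),
    ("203.0.113.11", 123, "10.0.0.9", 80, 48200, 100),
    ("203.0.113.12", 123, "10.0.0.9", 80, 48200, 100),
    ("203.0.113.13", 123, "10.0.0.9", 80, 48200, 100),
]


def score_ntp_reflection(flows):
    """Return {dst_ip: stats} for every destination that receives traffic
    sourced from UDP/123, with a 'suspect' flag where the pattern matches
    reflection and amplification."""
    recv_bytes = defaultdict(int)
    recv_pkts = defaultdict(int)
    reflectors = defaultdict(set)
    sent_bytes = defaultdict(int)   # NTP requests our hosts actually sent
    for src, sport, dst, dport, nbytes, pkts in flows:
        if sport == NTP_PORT:
            recv_bytes[dst] += nbytes
            recv_pkts[dst] += pkts
            reflectors[dst].add(src)
        if dport == NTP_PORT:
            sent_bytes[src] += nbytes
    report = {}
    for dst in recv_bytes:
        avg_pkt = recv_bytes[dst] / recv_pkts[dst]
        # A host that sent no NTP requests but receives a flood of NTP
        # replies is being reflected at; the ratio exposes the spoofing.
        asymmetry = recv_bytes[dst] / max(sent_bytes[dst], 1)
        suspect = (len(reflectors[dst]) >= MIN_REFLECTORS
                   and avg_pkt > NORMAL_NTP_PKT_BYTES
                   and asymmetry >= MIN_ASYMMETRY)
        report[dst] = {
            "bytes": recv_bytes[dst],
            "sources": len(reflectors[dst]),
            "avg_pkt": avg_pkt,
            "asymmetry": asymmetry,
            "suspect": suspect,
        }
    return report


if __name__ == "__main__":
    for dst, stats in score_ntp_reflection(FLOWS).items():
        print(dst, stats)
```

On the reflector side, the “patch and upgrade” the article refers to amounts to turning off the query the attackers abuse: the US-CERT advisory on these attacks recommends `disable monitor` in ntp.conf (or a `restrict default noquery` line), and ntpd releases from 4.2.7p26 onwards no longer answer monlist at all.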

DDoS attack considerations for healthcare organizations

Recent discussions of distributed denial-of-service (DDoS) threats in healthcare have mainly been in connection with a supposed DDoS attack on Healthcare.Gov that failed last fall. However, the conversation shouldn’t be limited to the government’s polarizing healthcare insurance website. As healthcare organizations begin to implement new, cloud-centric technologies, they need to be at least aware of DDoS threats, along with the new-age security options they can use to avoid potential incidents.

Stolen devices, according to Redspin’s 2013 Breach Report, comprised more than 45 percent of incidents reported last year. And though most healthcare data breaches are of the human-error variety or involve some sort of physical security breakdown, prudent organizations are already trying to determine how to stay secure against the next wave of threats. For example, hackers have been targeting cloud providers with application-layer attacks in recent years. A DDoS attack, in which a network is made unavailable to its intended users through over-saturation, would be especially painful in healthcare because of the continual reliance on an organization’s network for record access and patient care.

DDoS threats aren’t limited solely to application-layer attacks, though. As contributor Bill Kleyman explained, high-bandwidth (volumetric) network-level attacks are also part of the equation. There are ways to protect your environment from these threats:

- The best place to stop high-bandwidth DDoS attacks is in the ISP’s cloud (via network-based DDoS protection).

- The best place to perform application-layer DDoS detection and mitigation is at the network perimeter.

From intrusion prevention systems (IPS) and integrated delivery systems (IDS) to data-loss prevention (DLP) platforms, healthcare organizations have already begun considering and implementing new-age technologies that can secure networks and prevent data leaks. Like most other decisions for these administrators and C-level executives, mobile security is a huge consideration because of network access and the popularity of BYOD. Ideally, executives would be able to create some form of a “sandbox” or restrict access to a VPN, but these decisions shouldn’t be at the cost of better patient care, which is why users have these devices in the first place.

Plenty of vendors have their versions of DDoS prevention that promise, for example, to configure network traffic so it funnels through cloud-based DDoS protection servers or to mitigate DDoS risk through use of firewalls. Even if an organization is just beginning to use cloud computing technology and its 2014 budget is already spoken for, researching the best fits for new-age DDoS prevention should be a worthwhile endeavor.

Why Would they DDoS Us?

As various pundits have reeled off their security advice for 2014 many have listed the growing threat of denial of service (DoS) attacks as something to look out for.

They are probably right to do so; two recent publications, the Arbor Worldwide Infrastructure Security Report (WISR) and the Prolexic Global DDoS Attack Report, both show that the number, size, sophistication and impact of DoS attacks continue to increase. Another December 2013 Ponemon Institute report suggests that distributed-DoS (DDoS) attacks are now the 3rd most common cause of data center outage after power failure and human error, causing 18% of all outages; three years ago it was just 2%.

There are a number of different ways of denying service. The various methods of attack are well documented elsewhere; the Wikipedia entry Denial-of-Service attack is a good start. However, it is worth pointing out that, whilst most will be familiar with the idea of volumetric DDoS attacks (the flooding of network, server and/or application resources), there are other types of attack that are more insidious. These include state exhaustion of load balancers and firewalls (consuming all possible connections to a given resource), attacks on domain name server (DNS) infrastructure, and low-rate/slow attacks that will not be detected by looking out for high volumes of traffic and/or resource requests.

To decide how seriously to take the threat and what level of investment should be made in the necessary countermeasures, those responsible for IT security should first consider why their organization might be a target for such an attack: ‘Why would they DoS us?’

After all, launching any sort of DoS takes some effort and it needs to be targeted. Furthermore, it is not immediately obvious how DoS attacks can be monetized. Indeed, for cyber-criminals it is a relatively risky way to make money, principally by extortion: ‘we are going to render your service ineffective until you pay a ransom.’ Obvious candidate targets are those businesses that rely heavily on their e-services, such as online casinos and retailers. For them, being off the web means no money coming in.

Data in Arbor’s WISR report sheds some light on the actual motives reported by victims of attacks. Criminal extortion comes near the bottom of the list (16%). The most common motive (40%) is political and/or ideological disputes, so not cyber-crime at all but hacktivism. Many may say, well that is alright then, they would take no interest in our dull everyday business; that is, until you realize you are a supplier to someone who is of interest, and an easier attack target due to your complacency.

Other interesting motives are criminals demonstrating their DoS capability to prospects (26%), pre-sales activity if you like: who cares what the target is, as long as it can be shown to be rendered non-functional! Competitive rivalry (18%), that is, organizations with similar interests attacking each other, is mainly seen in emerging markets (imagine the scandal if a major EU-based brand were exposed as behaving in this way!). Flash crowds (19%), for example a rush to watch a video or secure coupons, are not a DDoS attack per se, but an unexpected legitimate rush on resources. Diversionary attacks (16%) are where DDoS in particular is used to throw an IT department into disarray whilst a more targeted attack is launched elsewhere on its infrastructure.

One area not listed by Arbor is collateral damage. This is where your organization is not the target but you share resources with an organization that is. This is increasingly likely to be the case as the use of cloud-based services continues to increase.

As with all DoS, this danger can be mitigated. It should be pointed out that cloud-based services are also part of the solution to DoS. First, if you are hit by volume due to a flash crowd, a cloud service provider should be able to add additional resource for as long as it is needed. Second, DoS defense is increasingly offered as an on-demand data-scrubbing service from vendors such as Akamai (via its Prolexic acquisition), Neustar, Black Lotus and DOSarrest. They divert the attack traffic streams to their servers and clean them up once an attack is detected.

However, this is often after the event. Many organizations protect their resources from DoS attacks using on-premise protection from vendors such as Arbor, with its Pravail APS product aimed at enterprises or Peakflow SP aimed at service providers (many of whom tout their own DoS mitigation services), and Corero with its DDoS Defense System. Corero is now going after the SP market too with a new offering called the SmartWall Threat Defense System, the premise being that cloud service providers should offer to protect their customers, for a premium, and mitigate both direct attacks and collateral damage; its message is ‘always on’ protection, rather than just during an emergency. Arbor also offers cloud-based protection with its Arbor Cloud, which supplements on-premise protection. Radware is another vendor with such hybrid capability.

So, the DoS threat is real. Your organization does not need to be an obvious target to be a victim; it may be seen as the easy target to disrupt a better-protected partner or customer, be impacted by collateral damage in the cloud, be the hapless target of a pre-sales demo, or even be the beneficiary of unexpected popularity. Whatever the cause, all organizations need the ability to see attacks coming and respond accordingly. The cost of putting in place some level of protection will likely be a lot less than the cost incurred during an all-out attack.

DDoS – The 21st century protest

According to tech daily publication The Register, both the Chinese Central Bank and Weibo were brought to a crashing halt for a period of time this week due to what was thought to be a distributed denial of service attack (DDoS).

What is a DDoS?

DDoS attacks have become increasingly popular in recent years as a form of protest (although they are also used frequently for criminal activities too), and occur when a server is overloaded to the point where it can no longer perform its regular function. This can be done in several ways and can be achieved by individuals with the correct software or large groups of people with the same objective.

The method is very straightforward. One way is for a user with a botnet at their disposal to order the botnet ‘zombies’ to communicate with a server until it’s no longer able to handle the increase in traffic.

However, very often DDoS attacks occur when large groups of individuals want to protest and, as such, all make contact with a server simultaneously, flooding it with emails, large files and huge amounts of irrelevant information.

Weibo & The People’s Bank of China

This week’s attack is thought to have occurred in response to China restricting its banks from using Bitcoin as a currency. The Register suggests that disgruntled Bitcoin users may have responded by causing a DDoS and went on to suggest that matters could get worse: “the bank will do well to prepare itself for a prolonged cyber backlash – there are plenty of digital currency users and traders all over the world with an eye on revenge given recent events in the Middle Kingdom.”


This isn’t the first time a high profile site has incurred the wrath of internet users with this form of protest either. In 2010, WikiLeaks, the organisation that brings secret information into the public domain, had its PayPal account suspended after PayPal received a letter from the US government.

In response, the world’s most famous hacktivist group, Anonymous, reacted with ‘Operation Avenge Assange’, which resulted in PayPal going offline, at a cost of over $5 million. This story has been in the news this week with some 13 members of Anonymous in court, 10 of the defendants pleading guilty to felony charges.

Just the beginning

If anyone thinks that this high-profile court case is going to bring an end to DDoS attacks, they are probably very wide of the mark. If anything, more and more internet users now see these types of attack as a justifiable way of demonstrating when they feel they have been treated unfairly.

What’s more, for every 13 people who are arrested, another 13 will be more than happy to take their place fighting for something that they believe to be a worthy cause.
