According to Stratecast, DDoS attacks are increasing in number by 20 per cent to 45 pc annually
Google, Microsoft, Apple, PayPal, Visa, MasterCard… many of the world’s largest websites have all been victims of Distributed-Denial-of-Service (DDoS) attacks. A DDoS attack consists in having a multitude of systems attack a single target in an attempt to make its resources unavailable to its intended users. During the last decade, the number of DDoS attacks has increased and their motivations and targets have evolved. Karine de Ponteves, FortiGuard AV analyst at Fortinet, traces the evolution of these attacks.
Early 2000: Into the spotlight
Although we can’t be sure when the first real DDoS attack occurred, the first large-scale distributed attack (DDoS) happened in 1999, against the IRC server of the University of Minnesota. 227 systems were affected and the attack left the university’s server unusable for two days.
In February 2000, many popular websites including Yahoo!, eBay, CNN and Amazon.com, were paralyzed for hours. Yahoo! suffered a loss of $500,000 during its three hours of downtime, while the volume of activity of the CNN.com site dropped by 95%. The downtime loss was huge.
A 15-year old Canadian known as “Mafiaboy” was arrested and charged for the attacks. His motivation? Defiance. This teenager just wanted to show off his skills. To do so, he scanned a network to find a number of vulnerable hosts; compromised the hosts by exploiting a known vulnerability; deployed software turning the host into a “zombie”; and then propagated the attack so that each zombie would in their turn compromise new targets, following the same process.
2005: A lucrative attack
In the early 2000s, in order to create a botnet to launch a DDoS attack, the hacker would have to follow the same steps as the ones used by Mafiaboy. With the advent of Internet worms, those steps became automated, enabling a hacker to trigger large-scale attacks. In August 2005, 18-year-old Farid Essabar, who had never studied computer programming, was arrested for the spread of the MyTob worm. The worm would open a backdoor on the infected MS Windows host, connecting to a remote IRC server and waiting for commands. It would self-propagate at reboot copying itself over network shares, opening the door to massive DDoS attacks with all the hosts compromised by the worm and executing the commands sent over IRC. The outbreak was covered live on CNN as the TV channel own computers network became infected.
What were the intentions this time? Not to actually disrupt corporate networks, but to extort thousands of dollars from companies by threatening to target DDoS attacks to their networks. Quickly, the targeted enterprises decided to pay the extortionists rather than deal with the consequences of a DDoS attack.
2010: DDoS and hacktivism
In 2010, mainstream media extensively reported high-profile DDoS attacks motivated by political or ideological issues such as the well-publicized Wikileaks/Anonymous series of incidents. That year, attackers dramatically increased attack volumes, and, launched for the first time attacks breaking the 100Gbps barrier, which represents about 22,000 times the average bandwidth of an Internet user in the U.S. in 2010.
In December, Wikileaks came under intense pressure to stop publishing secret United States diplomatic cables. In response, the Anonymous group announced its support, and termed Operation Payback the series of DDoS attacks it led against Amazon, PayPal, MasterCard and Visa in retaliation of the anti-Wikileaks behavior. These attacks caused both MasterCard and Visa’s websites to be brought down on December 8th.
The tool behind the Anonymous/Wikileaks attacks is called the Low Orbit Ion Cannon (LOIC). Although it was originally an open-source load-testing tool, designed to conduct stress tests for web applications, it was in that case used as a DDoS tool.
2012 and beyond: The acceleration of application-layer based attacks
Although there are many different attack methods, the DDoS attacks can be generally classified into two categories:
Volumetric attacks: Flood attacks saturate network bandwidth and infrastructure (e.g.: UDP, TCP SYN, ICMP).
Application-layer attacks: These attacks are designed to target specific services and exhaust their resources (HTTP, DNS). Because they use less bandwidth, they are harder to detect. The ideal situation for application-layer DDoS attacks is where all other services remain intact but the webserver itself is completely inaccessible. The Slowloris software was born from this concept, and is therefore relatively very stealthy compared to most flooding tools.
According to Stratecast, DDoS attacks are increasing in number by 20% to 45 pc annually, with application-based DDoS attacks increasing in the triple digits levels. The trend toward application-layer DDoS attacks is clear, and unlikely to reverse. This trend is not, however, an indication that network-layer or flow-based, volumetric attacks will cease. On the contrary, both types of attacks will combine to be more powerful. The 2012 Verizon Data Breach Investigations Report reveals that several high profile application-layer DDoS attacks hiding behind volumetric attacks were used to obscure data theft efforts, proving that multi-vector attacks are now used to hide the true target of the attack.
DDoS attacks are growing in frequency and severity while, in parallel, the means to launch an attack are simplified and the availability of attacker tools increases. In addition, the complexity of these attacks is increasing due to their polymorphic nature as well as the development of new tools to obfuscate their true nature. As a result, traditional methods of detection are often useless and mitigation gets more difficult. With such evolution, it is essential that organizations revise their security posture and make sure they have the right defenses in place to be protected against DDoS attacks. Here, the main challenge is to have sufficient visibility and context to detect a wide range of attack types without slowing the flow and processing of legitimate traffic; and then to mitigate the attack in the most effective manner. A multi-layer defense strategy is thus essential to enable granular control and protection of all components that are in the critical path of online activities.