One of the most powerful attacks on the internet today is the Distributed Denial of Service, or DDoS, attack. What makes it so powerful is its versatility, as every time Information Security experts think they’ve seen it all, a new version of the attack arises. This has been the story since these attacks first surface all the way back at the beginning of the 21st century.
Eugene Kaspersky, legendary cybersecurity pioneer, said it best when discussing this topic on his blog:
“DDoS attacks have evolved very quickly… They’ve grown much nastier and become a lot more technically advanced; from time to time, they adopt utterly unusual attack methods; they go after fresh new targets, and break new world records in being the biggest and baddest DDoS’s ever. But, then, the world in which DDoS find themselves has evolved very quickly too. Everything and the kitchen sink are online: the number of assorted ‘smart’ [sic] devices connected to the net now far outstrips the number of good old desktop and laptop computers.”
The basic idea of a DDoS attack is to overload a target until it can no longer function as intended. Its origins are in the Denial-of-Service (DoS) attack, but what separates the two attacks are the number of machines involved. In a DoS attack, one machine attacks the target. In a DDoS attack, however, the attacking machine is aided by a plethora of other machines.
These machines are called a botnet, which is a portmanteau of “robot” and “network.” The botnet is composed of hundreds, thousands, or even millions, of devices controlled by the attacker. The machines that form a botnet are called zombies. The term zombie infers that a computer is being controlled by an infection (much like the fictional monsters). Zombies are either infected with malware or exploited via some vulnerability in their software. The way these zombies are controlled is via the Command-and-Control (C2) server. All commands that an attacker sends to the machines are through the C2 server.
Botnets used to need someone with specialized knowledge to control them. These days, however, anyone with access to cryptocurrency like Bitcoin can rent a botnet. DDoS-as-a-Service has become an incredible threat as it allows script kiddies to play hacker villains for a while. Anytime a DDoS-as-a-Service is employed, the client is given an easy-to-use frontend webpage. This webpage functions as a Command-and-Control server in GUI (Graphical User Interface) form. It does not require much technical know-how to operate, which in turn makes it all the more dangerous.
Plenty of destructive botnets are a mere encrypted payment away, and a good deal of this makeup most DDoS attacks recorded. The most famous instance was Lizard Squad leveraging their rented botnet to topple Xbox Live, the Playstation Network, and even North Korean government websites. This band of trolls and script kiddies went after high priority targets with a fury not seen in many years, perhaps not since the Anonymous hacktivism incidents. They gained significant media exposure, and while their arrogance would eventually lead authorities to them, they left a trail of chaos in their wake.
Botnets have evolved throughout the years, and their uses have not always been for DDoSing. Here are some of the most important examples:
Created by Khan K. Smith in the year 2000, this was arguably the first notable botnet. Its purpose was not DDoS attacks, but rather to send out phishing emails at a high rate. Whether intentional or not, the DDoS attack was born here as the mechanism for creating it had been born. Other botnets have followed this style of a phishing attack, such as 2007’s Cutwail.
This botnet created a large amount of the world’s spam email traffic in 2010. It first came into existence in 2008, and before shutting down 2012, around 18 percent of global spam came from Grum. The spam emails were usually targeted towards pharmaceuticals. These spam emails were, of course, malicious attempts at infecting users. A large amount of malware infections to this day are a result of such spam.
The botnets formed by the Conficker malware were legendary. It was a worm virus that easily penetrated defenses and grew one of the largest botnets seen in the first decade of the 2000s. A total of 4 million machines were zombified and formed the botnet. It peaked in 2009 and was estimated to have infected roughly 15 million machines globally. Not all infected machines, as the data shows, joined the botnet.
Spanish for “butterfly,” this botnet was not a graceful creature. Instead, it was one of the most vicious and powerful botnets seen at the time in 2009. Mariposa used a combination of Peer-to-Peer (P2P) networks, malicious internet links, and malware-loaded USB drives (a common social engineering tactic). Eventually, the FBI got involved and was able to pinpoint Mariposa’s C2 server and shut it down. Before this occurred, however, Mariposa infected a massive chunk of Fortune 500 companies. It was also one of the first DDoS-as-a-Service botnets in history.
The first botnet to leverage IoT devices, Mirai changed the threat landscape forever. No longer was it just computers becoming members of a botnet, but any smart device that could be exploited (refrigerators, televisions, and much more). Mirai itself was a malware created to take advantage of Minecraft servers, but it created something far beyond the scope of gaming. The biggest cause for Mirai’s spread was poor IoT security practices.
The botnet is versatile, readily available, and powerful. No wonder DDoS attacks are so easily carried out by them.
To truly understand the power of the Distributed-Denial-of-Service, just like we did with botnets, it is vital to explore well-known incidents. What follows is far from an exhaustive list and analysis, but it should shed light on just how dangerous the DDoS attack is.
In the year 2018, the popular website for software repositories came under attack from a massive DDoS. The attack clocked in at 1.35 Tbits/s per second and overloaded Github servers. The company had DDoS protection in place, but it simply could not withstand a record-breaking barrage like this. According to GitHub, thousands of autonomous machines attacked over tens of thousands of unique endpoints.
The name of Cloudflare is synonymous with DDoS protection, so it should come as no surprise that hackers of all stripes want to test their defenses. In 2014 Cloudflare experienced an NTP reflection DDoS attack. The result was their servers being stressed by 400 Gbit/s per second.
Back in 2015, the Summer Olympics were preparing to be in full swing in Rio de Janeiro, Brazil. What was also in full swing was a massive DDoS attack led by a DDoS-as-a-Service botnet. Called LizardStresser, it worked with other botnets and targeted official Olympics committee websites. The attacks went on for months, disrupting the domains from functioning. At their peak, the attacks clocked in at a whopping 540 Gbit/s.
Much like the Cloudflare DDoS attack, Imperva is also the main target for cybercriminals due to their DDoS mitigation services. In 2019, Imperva came under attack by an SYN DDoS attack that peaked at around 580 million packets per second. This surpassed the Cloudflare attack significantly, at least in terms of PPS, as the Cloudflare DDoS peaked around 130 packets per second.
Remember the Mirai botnet we discussed earlier? It has been used in many prominent DDoS attacks, and this is one of the biggest. The DNS provider Dyn came under attack from the botnet in 2016. Many prominent companies that used Dyn’s services, including Netflix, Paypal, and Reddit, were brought down by this attack.
Brian Krebs is a well-respected cybersecurity researcher who runs the blog “Krebs on Security.” This blog became a target of the Mirai botnet as well, and according to Krebs, it was the largest DDoS attack he had ever seen. Krebs is no stranger to DDoSing, as a cybersecurity journalist, it sort of comes with the territory, but with the Mirai attack, his site could not withstand the assault. The attack peaked at around 623 Gbit/s and shut down the website in totality for a while.
While this is hardly an exhaustive list, the point here is to demonstrate the versatility of the DDoS attack. Some of the most popular DDoS attack types are the following:
An attacker spoofs internet packets so that a server will respond in a specific way. The idea is to trick the server into thinking the packets are being sent from the domain it controls. This is why it is called a reflection, as the Denial-of-Service is brought about by tricking a server into “reflecting” communications. The data spreads quickly and efficiently, bringing a target down without raising the alarm.
An attacker floods a target with malicious Internet Control Messaging Protocol packets. Many types of this attack exist, with one popular example being the ping flood. In a ping flood attack, an exorbitant amount of ping requests get sent to the target. Since ping is a legitimate request, the target server responds to each and every ICMP echo request. Eventually, the flood from the botnet becomes too much and the server is no longer able to communicate or receive new requests.
The TCP/IP protocol requires a three-way handshake to complete a connection with a device. The Syn-Syn/Ack-Ack connection allows for less DDoS opportunities than, say, the UDP protocol which requires no handshake. This does not mean, however, that it is free from exploiting. In an SYN flood DDoS, the botnet keeps sending the first SYN message over and over, forcing the server to restart the handshake until it is no longer able to handle it. The attack targets all open ports.
Named after the adorable Asian primate, this attack utilizes the old adage of “slow and steady wins the race.” Instead of overloading a target with as much traffic as possible in a short period, the Slowloris attack uses the botnet in an ingenious manner. It will have all machines send partial HTTP requests, which over time, eventually cause the targeted server to fill its connection pool. This blocks any legitimate users from connecting.
Learn more about Slowloris Attack
All DDoS attacks generally follow the same process. To get a better look into an attacker’s mindset, it will be useful to list this process out.
Preventing attacks against yourself is a multi-faceted affair. The first line of defense you should employ is a strong firewall. Some DDoS attacks target specific ports that, if a firewall is configured properly, the packets sent during the attack will not reach your router. While firewalls are a good start, they are not the end of the story as many DDoS attacks bypass Intrusion Detection Systems. Depending on the individual attacking you, they may be a script kiddie or somebody that has actual technical knowledge. Don’t assume they are going to be the former.
Some specialized DDoS attacks, like NTP amplification, will require specific configurations to create a proper defense. The “monlist” command is key to exploiting an NTP server. Depending on the server used, it is possible to install a patch that disables the “monlist” command. The tricky thing with this is that the patch must be 4.2.7 or above. There are many NTP servers that are legacy servers and cannot support this patch. As such, there is another workaround that must be implemented for mitigation. On a public-facing NTP server, US-CERT recommends legacy systems input the “noquery” command to the “restrict default” system configuration. If executed properly, it will disable the “monlist” command.
No matter what DDoS attack is being faced, large organizations should consider using third-party DDoS mitigation service. Whether you are a nation-state, a multinational corporation, or some other major entity, this is a vital part of a holistic defense. These services can handle major attacks as they have the server space to contain and break up the packets before they can reach the intended target. These “always on” protection services are not cheap, though, which is why using them is only recommended for the largest of companies (or if you have money to burn).
For routers belonging to a Local Area Network (LAN), your static IP address will be the most likely reason you get DDoS’d. To prevent your true IP address from being used against you, a Virtual Private Network (VPN) is your best bet. A good VPN encrypts your connection and hides your IP behind the IP address of the server. As a result, it is impossible for an attacker to find a vector to assault you with.
With PureVPN, you are given a cost-effective option of preventing a DDoS attack. With a network of over 2,000 global servers in 140 plus countries, AES 256-bit encryption, every protocol supported, and much more, PureVPN has your back against cybercriminals. PureVPN prevents WebRTC leaks, DNS leaks, and IPv6 leaks, so you can be sure that no attacker will ever find the data necessary to attack with.
In closing, consider these words on DoS and DDoS protection from professors Qijun Giu and Peng Liu (as written in an extensive research paper on the topic):
“DoS attackers exploit flaws in protocols and systems to deny access of target services. Attackers also control a large number of compromised hosts to launch DDoS attacks. Simply securing servers are no longer enough to make service available under attack, since DoS attack techniques are more complicated and many unwitting hosts are involved in DoS attacks… For defenders, it is difficult to decide whether a packet is spoofed, to prevent a host from being compromised and controlled, to ask upstream routers to filter unwanted traffic, and to keep defenders themselves from DoS attacks… DoS attacks in wireless networks extend to the scope not viable on the Internet. The existing defense approaches illustrate that security countermeasures should be studied and incorporated into wireless protocols at lower layers, and mobile hosts should actively and collaboratively participate in protecting their wireless networks.”
Denial-of-Service and Distributed-Denial-of-Service attacks will continue to evolve. There is no stopping that. As technology inevitably marches forward, security solutions must also stay in lock-step with that progress. It is something that will require the actions of not only InfoSec professionals, but regular citizens as well. All of us must hold ourselves accountable for preventing these types of attacks. Fighting infections that can cause botnets, increasing server protections, avoiding social engineering traps, and anything else that can cause DDoS attacks to evolve.
It will take all of us. Together. Believe this much, here at PureVPN, we are here to help.
Learn more about DDoS