‘Know Thy Enemy,’ Distributed Denial of Service or DDoS.


We all know the axiom ‘know thy enemy’ – and this is above all germane to DDoS attacks.

Cybercriminals and their tactics are always evolving, becoming more dangerous and harder to detect by the day.

Unlike a Denial of Service (DoS) attack, in which a single Internet-connected device causes the disruption and destruction, DDoS attacks are launched from numerous compromised devices, often dispersed globally in what is referred to as a botnet and controlled remotely by a botnet herder using a covert channel such as Internet Relay Chat (IRC).

Some of the larger botnets, whose names come from the malware used to build them, are estimated to contain millions of bots; they include Zeus (Zbot), Conficker, and BredoLab (Oficla), to name a few.

It is estimated that upwards of 3,000 websites fall victim to DDoS attacks daily. Even if the websites are back up and running the same day, damage to both revenue and customer and/or client trust can follow organizations for years.

The primary purpose of a DDoS attack is to overload network layers with a large volume of outwardly legitimate traffic. The traffic consumes a disproportionate share of bandwidth inside and/or outside the network, making operations excruciatingly sluggish or simply nonfunctional.

Adding to the confusion, botnet servers can be controlled either by a single botnet herder or by multiple herders. Ultimately, at any given DDoS attack there can be multiple origins and multiple controllers making it much more complicated to mitigate than attacks originating from a single source.

The aggressiveness of DDoS attacks was illustrated last year by the Mirai botnet, whose attacks besieged several systems using compromised Internet of Things (IoT) devices.

IoT is expected to grow to upwards of 25 billion televisions, refrigerators, watches, thermostats, and other connected devices by 2020, most with minimal or no security to prevent malware infections, leaving an unknown number of IoT devices to end up as mindless bots caught up in a criminal botnet.

To make matters worse, roughly 40 percent of malicious bots are able to emulate human behavior. Not only do the malicious bots deceptively present themselves to websites as legitimate bots, but they can also persistently change identities.

The infrastructure that enables these attacks is also growing dramatically. Anyone with malicious intent can easily purchase on-demand botnet services for DDoS attacks.

They are readily available from a multitude of online sources for as little as $5 an hour to $40 per day, cloaked behind the label of ‘booter’ or ‘stresser’ services.

They are also referred to as ddosers, IP stressers, DDoS tools, and DDoS programs. No matter the name, they all provide the same service: on-demand DDoS attack capabilities for paying customers, at will.

Below find some of the more well-known Booters and Stressers which are easily accessed on the Internet.

NetworkStresser.com

120GB/s of combined power. Takes down everything. Working Skype resolver. Active support. Multiple payment options.

Betabooter.com

100GB/seconds. Easy to use. API. Insane Power. Accepts Paypal.

Critical-Boot.com

Good Power. Easy to use source. PayPal/Credit cards and 15% off Bitcoin. Build Your Plan.

There are three standard types of DDoS attacks including Volumetric, Application, and Protocol attacks.

Volumetric Attacks utilize massive amounts of traffic inundating the bandwidth of the host.

Volumetric attacks are generated through amplification techniques that elicit server responses disproportionate to the original request packet, ultimately blocking access to a website or service completely. The size of the attack is measured in either bits or packets per second. Domain Name System (DNS) amplification is a well-known volumetric attack.

DNS amplification is an asymmetrical attack in which the criminal exploits publicly accessible DNS servers, i.e., ‘the Internet’s backbone’, by sending them queries whose source IP is spoofed or ‘faked’ to the target’s address, so that the servers flood the target with large quantities of User Datagram Protocol (UDP) packets.

This results in small queries being turned into massive payloads that can ultimately be used to bring down even the most robust server(s).

Moreover, DNS amplification attacks often relay the exploited DNS requests through one or more botnets, radically increasing the volume of traffic and making it that much harder to track the attackers’ identities.
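As an added illustration (not from the original post), here is a small Python detector that applies the asymmetry just described from the victim network’s side: it flags hosts that receive large UDP port-53 answers from several resolvers they never queried. The flow records, the resolver addresses and the 64-byte query size are constructed assumptions.

```python
from collections import defaultdict

QUERY_BYTES = 64   # assumed size of a typical DNS query, for the ratio estimate

# Constructed flow records (src_ip, src_port, dst_ip, dst_port, bytes) as a
# victim-side sensor might export them.  Addresses are documentation ranges.
FLOWS = [
    ("203.0.113.20", 51000, "198.51.100.1", 53, 64),      # our host queries
    ("198.51.100.1", 53, "203.0.113.20", 51000, 180),     # solicited answer
    ("198.51.100.2", 53, "203.0.113.10", 3333, 3900),     # unsolicited, large
    ("198.51.100.3", 53, "203.0.113.10", 3333, 4100),
    ("198.51.100.4", 53, "203.0.113.10", 3333, 3800),
    ("198.51.100.5", 53, "203.0.113.10", 3333, 4200),
]

def find_amplification_victims(flows, min_resolvers=3, min_avg_bytes=1000):
    """Return {victim_ip: report} for hosts that receive large DNS answers from
    several resolvers they never queried.  An answer counts as solicited when
    the same host was seen sending a packet to that resolver's port 53."""
    queried = set()               # (client_ip, resolver_ip) pairs with a query
    answers = defaultdict(list)   # dst_ip -> [(resolver_ip, bytes)]
    for src, sport, dst, dport, nbytes in flows:
        if dport == 53:
            queried.add((src, dst))
        elif sport == 53:
            answers[dst].append((src, nbytes))
    victims = {}
    for host, recs in answers.items():
        unsolicited = [(r, b) for r, b in recs if (host, r) not in queried]
        resolvers = {r for r, _ in unsolicited}
        if len(resolvers) < min_resolvers:
            continue
        avg = sum(b for _, b in unsolicited) / len(unsolicited)
        if avg >= min_avg_bytes:
            victims[host] = {"resolvers": len(resolvers), "avg_bytes": avg,
                             "amplification": avg / QUERY_BYTES}
    return victims
```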

Application attacks exploit a weakness in Layer 7 or, as the name suggests, the application layer.

The cyber community, in general, agrees that application attacks are both the most sophisticated and the most challenging to identify and/or mitigate.

Application attacks begin by making a connection with the host and then exhaust the host’s resources by monopolizing processes and transactions. DNS flood attacks are the most well known.

DNS floods are a symmetrical attack that tries to exhaust server-side resources such as memory or CPU with a flood of UDP requests generated by malicious scripts running on multiple botnet machines. The criminals will often target one or more DNS servers belonging to a specific zone, with the goal of obstructing and overwhelming the resolution of resource records for that zone and its subzones.

Protocol attacks specifically exploit weaknesses in the Layer 3 and Layer 4 protocol stack by consuming all the processing capacity of critical intermediate resources such as a firewall, causing service disruption. The most notorious example is the Ping of Death.

A ‘ping’ is part of the Internet Control Message Protocol (ICMP), a networking utility that determines whether or not a host is reachable. An ICMP echo request packet is sent to the host, which responds with an echo reply. A correctly formed ICMP request packet should be no larger than 65,535 bytes (the maximum size of an IP packet); anything larger violates the Internet Protocol.

Criminals, in turn, send malformed packets in fragments as fast as possible; the host attempts to reassemble them, using up bandwidth, and the reassembled packet exceeds the 65,535-byte limit of the Internet Protocol, causing a buffer overflow and eventually crashing the host so that it becomes unavailable to legitimate users. This is a Ping of Death DDoS attack.
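An added example, not part of the original post: the defensive check a reassembly path needs, written in Python, which rejects any fragment whose end would push the datagram past 65,535 bytes before a single byte is copied into the buffer. The 20-byte header size and the fragment sizes are assumptions for the illustration.

```python
IP_MAX_LEN = 65535      # largest legal IP datagram, header included
IP_HEADER_LEN = 20      # assumed minimal IPv4 header without options
FRAG_UNIT = 8           # the fragment offset field counts 8-byte blocks

def fragment_is_sane(offset_units, payload_len):
    """True if a fragment at this offset could belong to a legal datagram."""
    end = offset_units * FRAG_UNIT + payload_len
    return end + IP_HEADER_LEN <= IP_MAX_LEN

def reassemble(fragments):
    """fragments: list of (offset_units, more_fragments, payload bytes).
    Returns the reassembled payload or raises ValueError for an oversized
    or incomplete datagram.  The size check runs BEFORE any copying, so an
    oversized final fragment can never overflow the reassembly buffer."""
    for off, _, payload in fragments:
        if not fragment_is_sane(off, len(payload)):
            raise ValueError(f"fragment at byte {off * FRAG_UNIT} with "
                             f"{len(payload)} bytes exceeds {IP_MAX_LEN}")
    buf = bytearray()
    expected = 0
    last_seen = False
    for off, mf, payload in sorted(fragments, key=lambda f: f[0]):
        if off * FRAG_UNIT != expected:
            raise ValueError("gap or overlap between fragments")
        buf += payload
        expected += len(payload)
        if not mf:
            last_seen = True
    if not last_seen:
        raise ValueError("final fragment missing")
    return bytes(buf)

def ping_of_death_rejected():
    """Constructed case: a final fragment at offset 8191 (byte 65528) with a
    1480-byte payload would make a 67,008-byte datagram.  Returns True when
    the guard refuses it instead of reassembling."""
    try:
        reassemble([(0, 1, b"A" * 1480), (8191, 0, b"X" * 1480)])
    except ValueError:
        return True
    return False
```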

DDoS scripts are most often written in Python, PHP, or Perl; the term refers to malicious software that enables the execution of DDoS attacks. Each script can differ in severity, ease of use and impact, and they attack at the application layer.

Some of the DDoS scripts available for free on the Internet (too many to list) include:

LOIC (Low Orbit Ion Cannon)

LOIC was made famous by the hacker group Anonymous. It is easy to use, especially for beginners, because of its simple GUI; all you need is the URL or IP address of the server. LOIC performs the DoS by sending UDP, TCP, or HTTP requests to the victim server.

XOIC

XOIC comes with an easy-to-use GUI, so all levels can easily use it to perform attacks on servers and websites anonymously and secretly. All that is required is an IP address.

XOIC has three modes: test mode; attack mode; and attack mode with a TCP/HTTP/UDP/ICMP message.

Tor’s Hammer

Tor’s Hammer is written in Python; it is a slow POST tool* that can be run through the Tor network** and can kill most unprotected web servers running Apache and IIS from a single instance.

HOIC (High Orbit Ion Cannon)

HOIC is written in BASIC and is an open source network stresser that can attack as many as 256 URLs at any one time.

Slowloris

Slowloris is written in Python and operates at the application layer. It opens as many connections to the web server as it can and holds them open as long as possible by sending partial requests, periodically adding to them to keep each connection alive but never completing them, thereby denying connection attempts from legitimate users.

DDoS toolkits are software packages that require greater resources and generally more in-depth knowledge of scripting and systems, and they attack the network layer. They infect computers and other Internet-connected devices (IoT) with malware in order to build a botnet.

The malicious bot landscape continues to evolve. More than 60 percent of Internet traffic is generated by bots, of which upwards of 30 percent is malicious bots, a force to be reckoned with when talking about Internet security.

DDoS attacks can be unassuming or sophisticated; regardless, they are always dangerous, calculated and profit-driven, with DDoS ransom being one of the nastiest elements.

Extortionists will demonstrate their capabilities by acting out an attack such as shutting down a website, followed by a threatening e-mail requesting a monetary sum usually in Bitcoin to be paid within a time-period. ‘Pay the ransom or face greater attacks.’

The extortionists will continue broadening their scope and diversifying their targets to include more diverse industry sectors and larger organizations and even larger payoffs.

Below find a few strategies which can make your network less vulnerable to attackers, remembering, there is No 100 Percent Solution to prevent cyberattacks. Continuous learning and continuous experimentation are critical.

  • Limit the number of new connections. Set limits on the number of new connections a single user or the network may open during a specific period of time. This simple strategy makes it that much harder for a criminal to overload systems.
  • Bandwidth Shaping. If configured correctly, bandwidth shaping can be an easy-to-apply policy against DDoS attackers.
  • Network Segmentation. By dividing your network into public and internal segments, each protected by a firewall, you can keep your internal network operating when there is a DDoS attack against your public-facing systems.
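Added here as an illustration (not the post’s own code) of the first mitigation above, limiting new connections per source within a time window, combined with a header-completion deadline that reclaims the half-open connections that Slowloris-style tools hold open. The event log, thresholds and addresses are constructed assumptions.

```python
from collections import defaultdict, deque

class ConnectionGuard:
    """Per-source cap on new connections inside a sliding window, plus a
    deadline for finishing the request headers so connections that never
    complete a request are closed instead of held open indefinitely."""
    def __init__(self, max_new=5, window_s=10.0, header_timeout_s=15.0):
        self.max_new, self.window, self.header_timeout = max_new, window_s, header_timeout_s
        self.recent = defaultdict(deque)   # ip -> times of accepted opens
        self.pending = {}                  # conn_id -> (ip, opened_at)

    def open(self, now, ip, conn_id):
        """Accept (True) or refuse (False) a new connection from ip at time now."""
        q = self.recent[ip]
        while q and q[0] <= now - self.window:   # drop opens outside the window
            q.popleft()
        if len(q) >= self.max_new:
            return False
        q.append(now)
        self.pending[conn_id] = (ip, now)
        return True

    def headers_done(self, conn_id):
        """A complete request arrived; the connection is no longer suspect."""
        self.pending.pop(conn_id, None)

    def sweep(self, now):
        """Close and return the connections that still have no complete headers."""
        stale = [c for c, (_, t0) in self.pending.items() if now - t0 > self.header_timeout]
        for c in stale:
            del self.pending[c]
        return stale

# Constructed event log: (time_s, client_ip, event, conn_id).  One ordinary
# client completes its request; 198.51.100.9 opens six connections in 2.5 s
# and never finishes any headers.
EVENTS = [(0.0, "203.0.113.5", "open", "c1"), (0.2, "203.0.113.5", "headers", "c1")]
EVENTS += [(1.0 + 0.5 * i, "198.51.100.9", "open", f"s{i}") for i in range(6)]

def replay(events, guard, end_time):
    """Feed the log through the guard; returns which connections were accepted,
    refused by the per-source cap, and closed by the header deadline."""
    accepted, rejected = [], []
    for t, ip, kind, cid in sorted(events):
        if kind == "open":
            (accepted if guard.open(t, ip, cid) else rejected).append(cid)
        else:
            guard.headers_done(cid)
    return {"accepted": accepted, "rejected": rejected, "timed_out": guard.sweep(end_time)}
```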

CyberSecurity is a shared responsibility. Stop. Think. Connect.

It’s A Brave New Bot-Filled World, With Great Possibilities And Even Greater Risks

‘Bots’, short for robots, are essential to the Internet ecosystem. It is estimated that more than 60 percent of website traffic is not human, but bots. Bots are essentially software programs that perform automated, repetitive, pre-defined tasks. These tasks can include almost any interaction with software that has an Application Programming Interface (API).

There are many varieties of bots. Some are basic programs that do routine work, such as ‘crawlers’, which run continuously in the background, primarily procuring data from other APIs or websites. Then there are specialized crawlers called ‘spiders’ that extract URLs from documents, download the content and pass it off to an indexing system to analyze and construct into searchable indexes, like Googlebot. Some only monitor e-commerce websites for price changes, and countless others monitor for site errors, bugs, and performance issues. However, this is not the end of the story, but merely the beginning.

The evolution of bots focuses on the boundless possibilities and opportunities for both businesses and individuals. Add in Artificial Intelligence (AI), Machine Learning (ML), and Natural Language Processing (NLP), all of which enable greater accuracy in understanding both spoken and typed words, and the result is never-before-imagined levels of personalization and predictive assistance for generations of mobile-intuitive consumers who are content and self-assured with messaging as a communication paradigm.

These smarter bots have a unique server-side processing component that allows seamless interaction as they are able to understand and respond to queries balanced with a live network for assistance. We interact with these bots through Mobile messaging and/or Chatbots. These natural language interfaces enable retailers, restaurants, and multitudes of other companies to communicate with customers in an innovative and compelling way from hailing a cab, ordering takeout, designing that unique pair of shoes, or paying your credit card bill.

Then there are the autonomous bots, the most rapidly accelerating bot space, which includes Internet of Things (IoT) devices ranging from the self-driving car, to ‘Amy Ingram,’ a virtual assistant, to Amazon’s delivery drones. These bots will eventually require zero human intervention to do their jobs.

In contrast, no conversation about bots would be complete without an overview of malicious bots, which are capable of causing enormous damage to organizations’ network infrastructures, reputations, brands, or bottom lines.

As technology advances and becomes more easily accessible, bots are becoming the go-to tool for cybercriminals, accounting for over 80 percent of all cyberattacks. Add in human characteristics from AI, and these bots become harder for the authorities to detect. While other malicious software corrupts and damages the infrastructure of its targets, these advanced bots, also known as ‘impersonators,’ infect networks in a way that escapes immediate notice, and the damages can quickly run into the millions.

Here’s how it works: cybercriminals use social engineering techniques such as phishing, spam, or malicious websites to entice users to download and install various forms of malware, i.e., malicious software, including:

Traditional Botnet

A malicious bot, also known as a ‘zombie,’ is, not unlike a worm, self-propagating malicious software designed to infect a host and connect to a C&C (command and control) server or servers. Bots are part of a network of infected computers, known as a ‘botnet,’ which can stretch across the globe and is controlled by a ‘botnet herder.’

No network is immune.

Once the bots infiltrate, they go to work logging keystrokes, collecting passwords, amassing e-mails, gathering financial information, spreading spam, capturing and analyzing packets, hijacking servers, and launching Distributed Denial of Service (DDoS) attacks.

DDoS attacks are an ever-growing threat to businesses, growing in both scope and frequency every year. Moreover, they are becoming harder to thwart because the attacks are distributed across sundry public anonymous proxies, including Tor, which substitute the users’ IP addresses with untraceable proxies.

A discussion of impersonators would not be complete without mentioning Googlebot again. Imposter bots posing as Googlebot gain privileged access and capture tons of sensitive, valuable online information. Additionally, they are used for DDoS attacks. According to the folks at Incapsula, ‘1 out of 25 bots are up to no good.’ Source: Incapsula


Cybersecurity is often described as an arms race, Security professionals vs. Cybercriminals. Both sides are tirelessly working to stay ahead of each other. When one side finds a newer more resilient defense, the other side develops a shrewder more destructive offense. What was a sure thing today, is sure to be old news tomorrow. Never stop learning.

Protecting yourself and your organization requires immediate action. 

  • Never open e-mails from unknown senders.
  • Never download attachments or click on links from unknown senders.
  • Never click on pop-ups.
  • Never insert an unknown USB stick into your PC, Laptop, etc.
  • Never store sensitive or critical data only on your PC. Have at least two backups: an external hard drive and the cloud.
  • Adjust your browsers’ security and privacy settings.
  • Use an HTTPS connection for all credit card transactions.
  • Keep your operating system and software up to date.
  • Never log in as an administrator. Instead, use a guest account with limited privileges.
  • Remove outdated plugins and add-ons.
  • Disable ActiveX content in Microsoft Office applications.
  • Block TOR and I2P.
  • Disable remote desktop.
  • Use an anti-virus product.
  • Use a traffic filtering solution that can provide proactive anti-ransomware protection.
  • Block binaries running from %APPDATA% and %TEMP% paths.
  • Work with the C-Suite to enact social engineering awareness training for all employees.
  • Consider a Computer Incident Response Team (CIRT), based on the organization’s needs and available sources.
  • Have a tested business continuity plan in the event of any cyberattack.

P.S. I am not a bot.

Cybersecurity is a shared responsibility. Stop. Think. Connect.