By: Zujun Xu, Senior Security Consultant, NSFOCUS
The Current State of DDoS attacks
It has been 20 years passed since the first DDoS attack. Many variants appeared during this period of time, such as DDRoS, which has the same result as DDoS attacks, to disrupt the availability of the target host and their services. DDoS protection techniques also continue improving to defence the new types of DDoS attacks. Moreover the technology of DDoS defences requires further development and improvement not just to face the up-coming challenging DDoS attacks but also be suitable to interact with the other new technology. For example, the so-called hybrid solution has been introduced to encounter the challenges met with either an on premise only or an in-cloud only solution.
History of DDoS Attacks
The history of DDoS attack events is full of “legendary” stories.
The first DDoS attack event dates back to 1988 when Robert Morris wrote a self-replicating computer program (Morris worm), which had significant influence on the Internet. Such a Trojan virus was quickly detected during the spreading due to the large consumption of system resources. Although Morris did not launch attacks by controlling infected computers in a centralized way, it was the rudiment of DDoS attacks by exploiting botnets. Injecting a Trojan virus by exploiting system vulnerabilities and launching attacks against the target through botnets are the most common technical methods of DDoS attacks.
Figure 1 Robert Morris
In 1996, a real DDoS attack occurred, which affected commercial institutions’ operations and caused a huge loss. This was the Panix Attack. During the attack, a large number of SYN packets were sent, causing the server unable to respond to customers’ normal requests. At that time, US Community Emergency Response Team (CERT) provided measures (CA-1996-21) for fake IP address protection. They installed a filter on the router to filter the attack traffic. Although such malicious traffic was not cleaned by professional vendors, Linux patch.2.0.30 had brought the concept of SYN cookie protection algorithm for SYN flood attacks.
The far-reaching DDoS attacks date back to February 2000, when Yahoo, Ebay, and Amazon were attacked in the USA. Mafiaboy (Internet alias of Michael Calce) adopted the attack tool, TFN2, to launch distributed attacks against the target commercial website in an attempt to “control the Internet”. TFN2 is a typical tool for launching distributed attacks by means of botnets. To escape from detection, TFN2 can control the encryption of communication protocols.
Figure 2 Mafiaboy
In July 2001, the Code Red worm occurred. By exploiting the vulnerability in Internet information services (IIS), the Code Red worm intruded the control system and forced the system to attack other targets. The Code Red worm was self-replicating and could automatically infect other systems. The White House website (22.214.171.124) was the attack target of the Code Red worm. Since then the target of DDoS attacks expanded to governmental websites, with an intensifying impact.
The Internet is globally-connected network. Theoretically, any hosts connecting to the Internet can access any online resources. Therefore, the DDoS battle is not limited between individuals and commercial organizations. It has become an organized and planned defence at national levels. After Estonia was independent from the Soviet Union, the relationship between Estonia and Russia became tense. It broke out in April 2007 after Estonia moved the monuments built by the Soviet Union and Russia stopped providing energy support for Estonia. From May 2007, Estonian governmental websites, including the websites of the presidential palace and the Prime Minister’s Office, suffered from DDoS attacks and had knocked offline. (Source) Estonia tried to claim Russia was responsible for this event but lack of evidence.
From July 2009, American governmental websites, including the White House, the Pentagon, and the Department of Defence, suffered from DDoS attacks from botnets. (Source) According to the statistics, 27 websites were attacked. According to the intelligence analysis of South Korea, the attack initiator was the Telecom Department of North Korea. However, no more evidence could be found to support the claim.
In August 2009, Facebook, Twitter, and YouTube were attacked because a person named Georgy revealed the truths of the south Ossetia war between Georgia and Russia in his blog space. (Source)It was suspected that it was Russia who launched the attacks, but again there were no evidence.
In July 2010, Wikileaks released confidential documents that exposed the war in Afghanistan. PayPal boycotted it by terminating their accounts and services. In October 2010, theAnonymous -group took revenge (Operation Avenge Assange) on financial institutions such as Swiss Bank PostFinance and PayPal. From then on, the group that launch attacks against the target brazenly have emerged to achieve their goals.
Figure 3 Anonymous Group
In 2012, a big-scale DDoS attack event (named “Operation Ababil“) occurred. The cause was that an American film director put the trailer of the Islamic prophet, Muhammad, to YouTube, which brought the protest of Muslims. In this unprecedented religious war, US financial institutions, including Bank of America, Citibank, and HSBC, were attacked, causing a significant impact on the service availability.
In March 2013, Spamhaus suffered from the largest DDoS attack (Source) by that time, which the DNS reflection attack principle was used to launch the traffic attack, with the peak traffic rate standing at 300 Gbps.
In the second half of 2014, with the proliferation of the Internet of Things, any network-connected device with a public IP address and vulnerable operating system will increase the number of devices that could be used to launch SSDP–based reflection attacks. This particular type of DDoS attack was seen as the second most dominant threat, after NTP-based attacks. According to the NSFOCUS 2H 2014 Threat Report, it showed that more than 7 million smart devices have been exploited globally.
Early this month, 10th Aug 2015, Hacker used DDoS as smokescreen and stole 2.4 million personal data from Carphone Warehouse, UK. (Source) DDoS attacks usually are used to paralyze the customers’ networks. By using DDoS to distract IT security team while committing other cybercrimes is relatively rare. However the approaches are equally damaging.
Figure 4 Significant Events
The development of DDoS attacks has strong characteristics of different times. The attack motivations, methods, and types are historically different. It evolves from the individual heroism to a typical invisible war which is large-scale and organized with clear political or economic purposes. The motivations of DDoS attacks have changed from flaunting technical skills to use DDoS as a tool for profit making. They use DDoS attack to paralyze the competitors’ websites, blackmail, steal data, express angers and even for other political and religious reasons. Moreover, attack vectors are more sophisticated and smarter than ever. Besides using volumetric traffic to flood the target, intelligent attacks employing vulnerabilities or inherent defects on Internet protocols and network infrastructure become popular among skilled attackers. Notably a DDoS attack would not just affect the single target itself but also the entire network infrastructure due to bandwidth consumption. The numbers of victims will be increased even they are not in the attack target lists. Hence, you never know when and whether you could be the next victim of DDoS attacks.
The Future of DDoS Attacks
There is an interesting article in regarding of whether DDoS attacks should be accepted as a legal form to serve people. Anonymous, the online hacktivist group posted a petition to the White House in Jan 2013, trying to legalize DDoS attacks for protesting. (Source)
As the petition says, “it (the DDoS attack) is not any form of hacking in any way. It is the equivalent of repeatedly hitting the refresh button on a webpage… Instead of a group of people standing outside a building to occupy the area, they are having their computer occupy a website to slow (or deny) service of that particular website for a short time.”
The debate on DDoS falls into two extremes- One side insists that DDoS attacks are perfectly legal and within the rights of citizen as it severs the purpose of protest within the cyber world, to force the organisation to shut down their online services. However, the other side takes a bit too extreme view by claiming all DDoS attacks as attempts by hackers and potential terrorists.
Let’s put it into the other way. What if protesters stand in front of the shop and stop customers to visit the shop, I am sure they will be sent away by police. It will be just the same as applying within the cyber world. Therefore I don’t think DDoS could be considered as protest at all.
DDoS attacks seem still be here to serve varies purposes in the cyber world due to the known and unknown vulnerabilities. Will it be avoided in the future? It would depend on the development of technologies which includes the improving defence technology and more advanced attack source tracing method. Also the secure design of network infrastructure and ID authentication techniques will restrain Internet users from performing malicious activities. The cyberspace will be bound by law which can minimise the numbers of DDoS attacks. Nevertheless, I would suggest organisations/companies should implement a complete anti-DDoS solution and a contingency plan to react on the instant DDoS attacks.
So what will happen next? I look forward to seeing how people think of the future of DDoS attacks and how we gonna respond.
DDoS attack types will be detailed in the next article, which will cover classification methods and attack characteristics.