River blockage used to be a great survival crisis in ancient times. Similarly in cyberspace, distributed denial-of-service (DDoS) attacks have become a devastating disaster. As we all know, DDoS attacks are destructive attacks and after over 10 years of evolution, such attacks have become an effective attack tool favored by multiple organizations and individuals who use them for ransom, revenge and cyberwars.
A Glimpse of DDoS Attacks and Defenses is a great resource to answer the following questions: Who are the attackers? Why do they attack? What attack methods do they use? Why are these methods effective? How should I protect myself in the case of an attack? In this document, we’d like to share a few misconceptions that we found during the learning process.
What is a DDoS attack, and why do the costly protection systems built by security teams of experienced professionals remain fragile when faced with DDoS attacks?
In a DDoS attack, multiple sources attack a single target, continuously gaining local advantages until the whole collapses. The scenario resembles a military campaign of the World War II era. In 1939, 14 divisions of German soldiers approached Poland from the north, south, and west. Since the Polish army was dispersed and slow-moving, its protection line of 80,000 soldiers was broken in an instant and the main force was practically wiped out in the 20-day battle.
Since most people learn about DDoS attacks from reports or the news, attack traffic volumes and impact scope are often played up in the media to show how serious the attacks are. However, this causes the following misconceptions.
Misconception #1: DDoS attacks are volumetric flood attacks used only to cause destruction.
When it comes to DDoS, people think of UDP, SYN, and RST flood attacks by conditioned reflex. Like floods, such DDoS attacks consume a large amount of resources by quickly sending a great deal of data and requests. In fact, flood attacks account for a large portion of DDoS attacks because the cost of short-duration attacks is more controllable. Nevertheless, not all DDoS attacks are flood attacks. Low-and-slow attacks are also DDoS attacks. These attacks consume target resources by sending requests over a long period in a slow and stubborn way. They eat away at target resources like dripping water wearing away stone.
Though many enterprises have experienced massive DDoS attacks, most have not encountered truly high-volume attacks. On the contrary, a large number of enterprise networks are brought down by low-and-slow attacks, which are just as destructive as the volumetric ones.
If you think that hackers are hot-headed people who launch destructive DDoS attacks to harm others rather than for their own benefit, you’ve got the wrong idea. Presently, attackers are far more sensitive to profits than ordinary people. In their view, they want profits that match the power of the destruction caused, at the smallest cost. DDoS attacks are just a means to the attackers’ permanent pursuit: profit.
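The distinction above (many near-instant connections versus a modest number of long-held, near-idle connections) can be checked against a server's own connection log. The following Python is an added example, not code from the original article or from NSFOCUS; the log format, the sample lines and the thresholds are constructed assumptions for illustration.

```python
"""Added example: tell flood sources from low-and-slow sources in a
connection log. Constructed format: one line per finished connection,
"src_ip duration_seconds bytes_received". All thresholds are assumptions."""
from collections import defaultdict
from statistics import mean

FLOOD_MIN_CONNS = 50           # many connections from one source ...
FLOOD_MAX_MEAN_SEC = 1.0       # ... each over almost instantly
SLOW_MIN_CONNS = 10            # a modest number of connections ...
SLOW_MIN_MEAN_SEC = 30.0       # ... each held open for a long time ...
SLOW_MAX_BYTES_PER_SEC = 50.0  # ... while sending almost nothing


def make_sample_log() -> str:
    """Constructed sample log covering flood, low-and-slow and normal traffic."""
    lines = ["203.0.113.5 0.05 60"] * 60      # flood: 60 tiny, instant connections
    lines += ["198.51.100.7 120.0 300"] * 12  # low-and-slow: 12 two-minute, near-idle holds
    lines += ["192.0.2.9 2.0 40000"] * 5      # normal: a few short, chunky requests
    return "\n".join(lines)


def parse_log(text: str) -> list:
    """Parse log lines into (src_ip, duration_s, bytes) tuples; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        records.append((parts[0], float(parts[1]), int(parts[2])))
    return records


def classify_sources(records) -> dict:
    """Return {src_ip: 'flood' | 'low_and_slow' | 'normal'} per source."""
    by_src = defaultdict(list)
    for src, dur, nbytes in records:
        by_src[src].append((dur, nbytes))
    verdicts = {}
    for src, conns in by_src.items():
        n = len(conns)
        mean_dur = mean([d for d, _ in conns])
        # Bytes per second per connection: a socket held open for minutes while
        # sending a few hundred bytes is the low-and-slow signature.
        rate = mean([b / d for d, b in conns if d > 0] or [0.0])
        if n >= FLOOD_MIN_CONNS and mean_dur < FLOOD_MAX_MEAN_SEC:
            verdicts[src] = "flood"
        elif n >= SLOW_MIN_CONNS and mean_dur >= SLOW_MIN_MEAN_SEC and rate < SLOW_MAX_BYTES_PER_SEC:
            verdicts[src] = "low_and_slow"
        else:
            verdicts[src] = "normal"
    return verdicts
```

Running `classify_sources(parse_log(make_sample_log()))` flags the first source as a flood and the second as low-and-slow while leaving the third alone; the count threshold for low-and-slow is deliberately low because that is exactly the traffic a volume-based alarm misses.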
Misconception #2: DDoS attacks are merely the use of a tool, not a crime.
Any individual, organization, group, or company that initiates or organizes an attack, or engages in this industry to maliciously destroy third-party websites by launching a DDoS attack, is committing a crime, and they should not take any chances. Once discovered, the police will immediately initiate an investigation and hold them liable for the losses incurred. In China, all laws related to computers stipulate that attacking information systems is illegal.
For example, in the Regulations of the People’s Republic of China for Safety Protection of Computer Information Systems, it stipulates in Article 7 that “Any organization or individual shall not make use of computer information systems to engage in activities harmful to the interests of the state, collectives and citizens, and shall not endanger the safety of computer information systems”.
Articles 285, 286, and 287 of China’s criminal law have special regulations on computer crimes.
Article 285 states that those in violation of state regulations who invade computer information systems in the fields of state affairs, national defense construction or sophisticated science and technology shall be sentenced to fixed-term imprisonment of no more than three years or criminal detention.
Article 286 states that those in violation of state regulations who cancel, alter, increase or jam the function of computer information systems making it impossible for the system to operate normally, shall be sentenced to fixed-term imprisonment of not more than five years or criminal detention; if the consequences are serious, he/she shall be sentenced to fixed-term imprisonment of no less than five years.
Those in violation of state regulations who cancel, alter or increase the data stored in or transmitted by the computer information system or its application program shall be punished in accordance with the provisions of the preceding paragraph.
Those who intentionally create or spread destructive programs such as computer viruses that affect normal operations of computer systems, if the consequences are serious, shall be punished in accordance with the provisions of the first paragraph.
Article 287 states that those who use computers to commit crimes such as financial fraud, theft, embezzlement, misappropriation of public funds and theft of state secrets shall be convicted and punished in accordance with the relevant provisions of this law.
Even an attack launched using zombies can be traced back. Therefore, you should not cross the boundaries of the law.
Misconception #3: DDoS attacks are all launched via a botnet that is difficult to deploy, and therefore DDoS attacks are far away from “me”.
Many people, even a number of IT professionals, believe that massive DDoS attacks are uncommon because they assume it is difficult to build a botnet. However, this is not the case. The technical difficulty of building a botnet decreases rapidly as the scale of the Internet increases.
For example, botnet rental services give technically unsophisticated people an opportunity to launch attacks. As long as they are willing to pay, the botnet rental platform will help them achieve their goals. Buyers can subscribe to a quota of botnet attack time, for example, a total of less than 1 hour per month. In this way, even those who do not understand DDoS attacks can easily launch one.
Nevertheless, not all DDoS attacks are launched via a botnet. As technical capabilities improve, the processing performance and bandwidth of high-performance servers increase accordingly, which draws a lot of attention from hackers. In addition, many hackers prefer to launch attacks together with real participants.
Many people might believe that large-scale DDoS attacks only target large enterprises, websites, and public figures. But this information is not accurate. Small websites have little to no protection, so it is easier for hackers to hit them and achieve their malicious objectives. That being the case, vulnerable websites have a higher probability of being hit by DDoS attacks.
Misconception #4: Though DDoS attacks are destructive, they are unable to target precisely.
The future of cyberwar has two trends: extensive attacks and targeted attacks. If an adversary country becomes a target, extensive attacks can create social chaos (such as telephone network interruption, smart grid paralysis, financial system data confusion, and loss of control over traffic scheduling), thus wearing down the resistance of the targeted country. Targeted attacks have received wide acclaim in the military community due to advantages such as high precision, low operational risk and small collateral damage, and have become an increasingly important attack method in the informatization era. The common view is that DDoS attacks, characterized by great destructiveness, are a powerful weapon for extensive attacks but cannot be used for targeted attacks. Still have doubts?
With developments in science and technology, DDoS is also entering the APT era, where it shows emerging features like intelligent technology, continuous process, wide impact, and serious hazards. It is believed that this poses a bigger challenge for DDoS protection and incident response, and with the escalation of cyberwar, new types of DDoS attacks will be commonly seen.
Misconception #5: DDoS attacks can be prevented simply by adopting an intrusion prevention system (IPS) and increasing the bandwidth.
Though the IPS is an attack detection/prevention tool widely used to protect network security, it is only an application-layer protection tool and cannot effectively defend against DDoS attacks. To effectively defend against DDoS attacks, enterprises need to adopt dedicated hardware protection solutions and cloud cleaning services.
Some will certainly say that since DDoS attacks aim to paralyze the server, the problem can simply be solved by increasing the bandwidth. Increasing the bandwidth is an appeasement policy that requires the purchase of redundant hardware and high-performance servers. As long as the resource consumption caused by the attacker does not exceed what the current bandwidth can carry, the attack is void. On the other hand, once the DDoS attack succeeds, still more appeasement is required to make the attack ineffective.
Further Insight Into Getting Botnet Nodes
The core of building a botnet is to get botnet nodes. Common ways of getting botnet nodes are as follows:
Use search engines to obtain botnet nodes. A large amount of ready-made or almost ready-made botnets can be obtained by using search engines. Hackers often use the Google Hacking technique and Shodan search engine to get botnet nodes. Everyone can obtain related information by typing the key phrase “google hacking backdoor” or “shodan backdoor” in a search engine and then receive botnet nodes according to this information if he or she has basic computer knowledge.
Use MetaSploit to penetrate remote hosts. In PopVote cases, many botnet nodes are from Taiwan. According to the analysis of security professionals in Taiwan, the main reason is that most people do not have the habit of updating software patches. Providing a lot of exploitable vulnerabilities for hackers is a common phenomenon around the globe. MetaSploit is a penetration tool that integrates a large number of exploits of known vulnerabilities. Even those who do not understand vulnerability principles can easily use MetaSploit to compromise the target system.
Use vulnerabilities in open-source software such as Struts, Apache, and Discuz to take control of the host. Some open-source software has a lot of users all over the world, so any security vulnerability in such software can affect many hosts. It is mind-blowing that there are still many hosts on which patches have not been installed, even for old vulnerabilities. Search engines such as Shodan, ZoomEye, and Google can be used to find a long list of vulnerable hosts and the corresponding exploits that can be used to take control of them.
Use cracked software and green (portable) software to inject trojans. Most of the popular cracked and green Windows XP operating systems contained root-level backdoors, and they still do today. As a result, many users are fully controlled by hackers while they are conveniently enjoying free services.
Buy botnet services on the black market. Nowadays, black hat hackers have created a huge underground industry chain where almost everything is available, including personal information, databases, and botnets. Launching a medium-scale DDoS attack costs only thousands of dollars.