DDoS and the Luck of the Irish…


…which seems to have taken a hit recently. In fact, several hits, at any rate in terms of DDoS (distributed denial of service) attacks.

The Irish Independent reports Multiple government websites down as servers under ‘DDoS attack’. John Leyden, writing for The Register, has also followed the story/stories, with his most recent (at the time of writing) hinting at a link between attacks on the boards.ie discussion forum, on the Irish National Lottery, and on government sites as reported in the Irish Independent. This speculation is probably based on a pseudonymous claim that the first attack was the start of a ‘national security audit’.

Misattribution and Misdirection

However, that message also claimed that the next victims would be ‘news outlets and financial institutions’. It would be naïve not to consider the possibility that a tip from a pseudonymous source might be deliberate misdirection, and it certainly seems highly improbable that this might be some sort of officially-sanctioned testing.

It might, of course, be a highly unofficial group flexing its muscles at the expense of any target that takes its fancy. In that case, the implicit link some articles have made with recent attacks on the BBC might, at a stretch, make a little more sense: the BBC’s Rory Cellan-Jones asserts that he’s been contacted by a group in the US called New World Hacking. The group claims that its speciality is attacking Daesh/ISIS/Islamic State, and that it was simply using the Beeb as a target in order to test the group’s systems. Well, that’s all right then. However, it doesn’t seem particularly likely that the same group would be carrying out unofficial testing on sites in Ireland.

The fact is, though, that at the time of writing we don’t have enough information to establish links, or indeed much else. After all, the details of the BBC incident remain misty (with a chance of goofballs), and as far as I know, links with other known attacks are speculative at best.

The Lottery incident is, at the time of writing, ‘still under investigation’. And while I can’t say for sure that it wasn’t related to any of the other incidents, I tend to equate a lot of DDoS with ransomware, since it’s often used for purposes of extortion. That said, it can be used in other motivational contexts such as hacktivism (which I guess would include attacks on fundamentalist sites), or even simple notoriety/hacker kudos. Still, gambling sites are a classic target for extortion-related DDoS.

Show me the Money

I remember being somewhat taken aback in the early noughties to hear at some conference or other that security services were expending a lot of resource on working with online casinos and such on mitigating DDoS attacks. That was at a time when DDoS was a comparatively recent phenomenon, and the more highly-publicized attacks were against big companies like Microsoft, Yahoo!, eBay and so on. So I wasn’t particularly surprised at the phenomenon – after all, I’d been closely involved with a heavy-duty conference workshop on mitigation techniques hard on the heels of Stacheldraht, Trin00 et al – but I was surprised at the prioritization. Of course, it makes sense for extortionists to go for gambling sites – as Willie Sutton might have said, that’s where [quite a lot of] the money is – and indeed they do. I did wonder if protecting such sites was the best use of tax dollars, though: I must have been more idealistic in those days.

DDoS and DDoeSn’t

It does slightly concern me that several articles give contradictory and inaccurate information about what a DDoS attack is. So here’s a very terse summary.

DoS is short for Denial of Service – any service. It isn’t necessarily an attack at all (you could call it a denial of service when a site stops working properly simply because it can’t handle the number of people trying to access it), but when it is – and that’s when the term is most often used – it usually refers to an attack against a web site or other Internet-facing service, with the result that legitimate users are no longer able to reach the services offered there, or can only reach them unreliably.

DDoS stands for Distributed Denial of Service. This is a DoS attack in which the traffic comes from many systems at once, and it is a common use for systems compromised by malware that have become – normally without the knowledge of the owner – part of a botnet. A botnet is a network of machines on which agent software has been installed so that their actions can be controlled remotely by a single operator. (A botnet isn’t necessarily malicious or operated covertly, by the way, but these days they generally are.)

A Trouble Shared

Sharing an attack (or other malicious action, such as a spam campaign) means that not only is the specific malicious action amplified (that is, multiplied by the number of systems used), but the attack is harder to counter because of the Hydra-headed nature of the machines from which it originates.

To take a simple example, one type of DoS attack is to keep sending requests for service to a site so that the site is overwhelmed by the volume of requests and unable to respond in a timely fashion (or at all) to legitimate ones. Even a single home computer can send a great many requests per second. However, if the server or a device in front of it is reconfigured to reject traffic from that PC’s address, the problem is resolved. But if the malicious requests or packets (units of data) are being sent from thousands of PCs at the same time, dropping the connection with any single PC doesn’t help much, and the spread of sources also makes it harder to find the originator of the attack (the person controlling the machines used to carry it out). In that case, the service provider has to find other ways of distinguishing malicious traffic from legitimate traffic – the content and pattern of the requests rather than where they come from. Fortunately, there are many approaches to filtering out malicious traffic, but there are also many kinds of DDoS attack, so there is plenty of work for security and network providers in that market.
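To make the point above concrete, here is an added example (not code from the original post or from ESET) that simulates both situations over a constructed one-minute access log and compares two mitigations: a per-source request budget, and a filter on the request pattern itself. The log format, the address ranges (RFC 5737 documentation space for visitors, RFC 1918 private space for the bots), the per-minute threshold and the request signature are all assumptions chosen to make the effect visible.

```python
"""
Per-source blocking versus pattern-based filtering for a request flood.

Added example, not the original post's code. Every log line is constructed;
the threshold (30 requests/minute) and the flood signature are assumptions.
"""
import random
from collections import Counter

LEGIT_NET = "203.0.113."          # constructed legitimate visitors (RFC 5737)
FLOOD_PATH, FLOOD_UA = "/search", "python-requests"   # assumed flood signature


def parse_line(line):
    """Parse one constructed log line: '<second> <src_ip> <path> <user_agent>'."""
    second, ip, path, ua = line.split(" ", 3)
    return {"t": int(second), "ip": ip, "path": path, "ua": ua}


def make_log(n_legit, attacker_ips, attack_requests, seed=7):
    """Build one minute of log: background traffic plus a flood spread evenly
    over attacker_ips. Deterministic thanks to the fixed seed."""
    rnd = random.Random(seed)
    lines = [f"{rnd.randint(0, 59)} {LEGIT_NET}{rnd.randint(1, 250)} "
             f"/index.html Mozilla/5.0" for _ in range(n_legit)]
    per_source = attack_requests // len(attacker_ips)
    for ip in attacker_ips:
        lines += [f"{rnd.randint(0, 59)} {ip} {FLOOD_PATH}?q=x {FLOOD_UA}/2.0"
                  for _ in range(per_source)]
    rnd.shuffle(lines)
    return lines


def per_source_blocklist(entries, max_per_minute):
    """Naive mitigation: block every source that exceeds a per-minute budget."""
    counts = Counter(e["ip"] for e in entries)
    return {ip for ip, n in counts.items() if n > max_per_minute}


def signature_filter(entries):
    """Content-based mitigation: drop requests matching the flood's pattern,
    regardless of source address."""
    return [e for e in entries
            if not (e["path"].startswith(FLOOD_PATH)
                    and e["ua"].startswith(FLOOD_UA))]


def evaluate(entries, attacker_ips, kept):
    """Fraction of attack traffic removed, and of legitimate traffic wrongly removed."""
    attack_total = sum(e["ip"] in attacker_ips for e in entries)
    legit_total = len(entries) - attack_total
    attack_kept = sum(e["ip"] in attacker_ips for e in kept)
    legit_kept = len(kept) - attack_kept
    return {"attack_dropped": 1 - attack_kept / attack_total,
            "legit_dropped": 1 - legit_kept / legit_total}


def run_scenario(attacker_ips, attack_requests, max_per_minute=30):
    """Compare both mitigations against the same flood."""
    entries = [parse_line(l) for l in make_log(300, attacker_ips, attack_requests)]
    attackers = set(attacker_ips)
    blocked = per_source_blocklist(entries, max_per_minute)
    kept_by_source = [e for e in entries if e["ip"] not in blocked]
    return {"blocked_sources": len(blocked),
            "per_source": evaluate(entries, attackers, kept_by_source),
            "signature": evaluate(entries, attackers, signature_filter(entries))}


# One host sending 3000 requests in a minute (constructed address, RFC 5737).
SINGLE = run_scenario(["192.0.2.10"], 3000)
# 3000 bots sending one request each (constructed RFC 1918 addresses).
DISTRIBUTED = run_scenario([f"10.{i >> 8}.{i & 255}.1" for i in range(3000)], 3000)

if __name__ == "__main__":
    print("single source :", SINGLE)
    print("distributed   :", DISTRIBUTED)
```

In the single-source case the per-source budget blocks exactly one address and removes the whole flood; in the distributed case every bot stays comfortably under the budget, nothing is blocked, and only the signature filter (which looks at what is being requested rather than who is asking) takes the flood out while leaving the background traffic untouched. Real floods are less obliging about carrying a fixed user agent, which is why this remains a specialist market rather than a one-line fix.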

Opportunity, Means and Motive

We’ve already touched on a couple of the reasons someone might carry out a DDoS attack: extortion (“pay me or I’ll blitz your website so that people can’t use it” – major sporting events often coincide with extortion demands) and hacktivism (“I don’t like what your site represents and I’m going to stop you doing it”). It’s very common for groups of one political persuasion to attack sites owned by rival groups or groups and organizations holding opposing opinions. In fact, this kind of tussle is what is often meant by the rather woolly term ‘cyberwarfare’.

Other motives might include revenge, or damaging the reputation of a competitor and its ability to execute transactions. While it’s more common than it should be for ‘legitimate’ companies to pay a botmaster for DDoS attacks on their competitors, it’s also common for criminal gangs to use their resources against their criminal rivals.

Conclusion

To the everyday user, a DDoS attack is mostly an interesting news story, maybe the cause of some personal inconvenience if it stops him or her accessing a particular service.

But there may be more to it than that. I’ve seen DDoS described as ‘attacks without hacking’. I think what is meant by this is that a DDoS attack isn’t in itself used to install malware or steal data. (Though it can certainly be used in association with more intrusive kinds of attack.) In any case, it can certainly involve sophisticated programming at some stage in the process – for example, the malware that is used to infect a PC and recruit it into a botnet. And that means that it can affect you at a more personal level without your necessarily being aware of it.

If your computer has been compromised by malware, it could be that it’s being misused for a variety of malicious purposes, including DDoS attacks. And that’s before we even consider the direct impact that a malicious program might have on your own security, privacy, and financial well-being.

So that’s just one more good reason for being careful out on the Internet, being careful where you click, and running good security software.

by David Harley, ESET Senior Research Fellow

David Harley is an author and researcher with nearly 30 years of experience in the security field. Before joining ESET, he managed the UK’s Threat Assessment Centre, and before that was a security analyst for a major medical research organization. His books include Viruses Revealed and the AVIEN Malware Defense Guide.
