On the 20th anniversary of the first distributed denial of service attack, cybersecurity experts say the internet must be redesigned to prevent them.

July 22, 1999, is an ominous date in the history of computing. On that day, a computer at the University of Minnesota suddenly came under attack from a network of 114 other computers infected with a malicious script called Trin00.

This code caused the infected machines to flood the university's computer with junk data packets, overwhelming it and preventing it from handling legitimate requests. The attack knocked the machine offline for two days.

This was the world’s first distributed denial of service (DDoS) attack. But it didn’t take long for the tactic to spread. In the months that followed, numerous other websites became victims, including Yahoo, Amazon, and CNN. Each was flooded with data packets that prevented it from accepting legitimate traffic. And in each case, the malicious data packets came from a network of infected computers.

Since then, DDoS attacks have become common. Malicious actors also make a lucrative trade in extorting protection money from websites they threaten to attack. They even sell their services on the dark web. A 24-hour DDoS attack against a single target can cost as little as $400.

But the cost to the victim can be huge in terms of lost revenue or damaged reputation. That in turn has created a market for cyberdefense that protects against these kinds of attacks. In 2018, this market was worth a staggering €2 billion. All this raises the important question of whether more can be done to defend against DDoS attacks.

Today, 20 years after the first attack, Eric Osterweil from George Mason University in Virginia and colleagues explore the nature of DDoS attacks, how they have evolved, and whether there are foundational problems with network architecture that need to be addressed to make it safer. The answers, they say, are far from straightforward: “The landscape of cheap, compromisable, bots has only become more fertile to miscreants, and more damaging to Internet service operators.”

First some background. DDoS attacks usually unfold in stages. In the first stage, a malicious intruder infects a computer with software designed to spread across a network. This first computer is known as the “master,” because it can control any subsequent computers that become infected. The other infected computers carry out the actual attack and are known as “daemons.”

Common victims at this first stage are university or college computer networks, because they are connected to a wide range of other devices.

A DDoS attack begins when the master computer sends a command to the daemons that includes the address of the target. The daemons then start sending large numbers of data packets to this address. The goal is to overwhelm the target with traffic for the duration of the attack. The largest attacks today send malicious data packets at a rate of terabits per second.

The attackers often go to considerable lengths to hide their location and identity. For example, the daemons often use a technique called IP address spoofing to hide their address on the internet. Master computers can also be difficult to trace because they need only send a single command to trigger an attack. And an attacker can choose to use daemons only in countries that are difficult to access, even though they themselves may be located elsewhere.

Defending against these kinds of attacks is hard because it requires concerted actions by a range of operators. The first line of defense is to prevent the creation of the daemon network in the first place. This requires system administrators to regularly update and patch the software they use and to encourage good hygiene among users of their network—for example, regularly changing passwords, using personal firewalls, and so on.

Internet service providers can also provide some defense. Their role is in forwarding data packets from one part of a network to another, depending on the address in each data packet’s header. This is often done with little or no consideration for where the data packet came from.

But that could change. The header contains not only the target address but also the source address. So in theory, it is possible for an ISP to examine the source address and block packets that contain obviously spoofed sources.

However, doing this in the core of the network, where a router may legitimately see traffic from almost any prefix, is expensive and slow; it is cheap only at the edge, where the set of prefixes a customer may validly use is small and known. And since the ISPs are not necessarily the targets in a DDoS attack, they have limited incentive to employ mitigation procedures that cost them money.
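The source-address check described above, worked through as an added example that is not code from the article or from the Osterweil paper. It models the filter an ISP would apply on a customer-facing interface (BCP 38 style ingress filtering): a packet is forwarded only if its source address lies within the prefixes assigned to that customer, and it is dropped outright if the source is an address that should never appear on the wire. The customer prefixes, the bogon list and the sample packets are all constructed for illustration.

```python
"""Source-address (ingress) filtering as an ISP edge router could apply it.

Added example, not from the article or the Osterweil paper. The customer
prefixes, the bogon list and the sample packets are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Prefixes assigned to the customer attached to this ingress interface (constructed).
CUSTOMER_PREFIXES = [ipaddress.ip_network(p) for p in ("198.51.100.0/24", "203.0.113.0/25")]

# Source addresses that should never arrive from a customer: unspecified, private,
# loopback, link-local, multicast and reserved space.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str


def classify_source(src, customer_prefixes=CUSTOMER_PREFIXES, bogons=BOGON_PREFIXES):
    """Return 'allow', 'bogon' or 'spoofed' for a packet's source address.

    The check is a lookup against a short prefix list per packet; at the customer
    edge this is cheap because the set of legitimate prefixes is small.
    """
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in bogons):
        return "bogon"
    if any(addr in net for net in customer_prefixes):
        return "allow"
    return "spoofed"


def filter_packets(packets):
    """Split a packet stream into the forwarded list and dropped packets keyed by verdict."""
    forwarded, dropped = [], {}
    for pkt in packets:
        verdict = classify_source(pkt.src)
        if verdict == "allow":
            forwarded.append(pkt)
        else:
            dropped.setdefault(verdict, []).append(pkt)
    return forwarded, dropped


# Constructed traffic sample: a legitimate customer packet, a packet spoofing an
# address on the target's own network, one with a private source, and one whose
# source lies just outside the /25 handed to this customer.
SAMPLE = [
    Packet("198.51.100.7", "192.0.2.10", "tcp"),
    Packet("192.0.2.33", "192.0.2.10", "udp"),
    Packet("10.4.4.4", "192.0.2.10", "udp"),
    Packet("203.0.113.200", "192.0.2.10", "tcp"),
]

if __name__ == "__main__":
    fwd, drop = filter_packets(SAMPLE)
    summary = ", ".join(f"{k}={len(v)}" for k, v in drop.items())
    print(f"forwarded {len(fwd)}, dropped {sum(len(v) for v in drop.values())} ({summary})")
```

The strict form shown here is only safe where the router knows exactly which prefixes may appear on an interface; in the core, where routing is often asymmetric, a strict check drops legitimate traffic, which is why routers also offer a loose mode that merely requires the source prefix to exist in the routing table.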

Finally, the target itself can take steps to mitigate the effects of an attack. One obvious step is to filter out the bad data packets as they arrive. That works if they are easy to spot and if the computational resources are in place to cope with the volume of malicious traffic.

But these resources are expensive and must be continually updated with the latest threats. They sit unused most of the time, springing into action only when an attack occurs. And even then, they may not cope with the biggest attacks. So this kind of mitigation is rare.

Another option is to outsource the problem to a cloud-based service that is better equipped to handle such threats. This centralizes the problems of DDoS mitigation in “scrubbing centers,” and many cope well. But even these can have trouble dealing with the largest attacks.

All that raises the question of whether more can be done. “How can our network infrastructure be enhanced to address the principles that enable the DDoS problem?” ask Osterweil and co. And they say the 20th anniversary of the first attack should offer a good opportunity to study the problem in more detail. “We believe that what is needed are investigations into what fundamentals enable and exacerbate DDoS,” they say.

One important observation about DDoS attacks is that the attack and the defense are asymmetric. A DDoS attack is typically launched from many daemons all over the world, and yet the defense takes place largely at a single location—the node that is under attack.

An important question is whether networks could or should be modified to include a kind of distributed defense against these attacks. For example, one way forward might be to make it easier for ISPs to filter out spoofed data packets.

Another idea is to make data packets traceable as they travel across the internet. Each ISP could mark a sample of data packets—perhaps one in 20,000—as they are routed so that their journey could later be reconstructed. That would allow the victim and law enforcement agencies to track the source of an attack, even after it has ended.
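A simulation of the packet-marking idea, added here as an example; it is not code from the article or the Osterweil paper. It implements the node-sampling scheme of Savage et al.: each router on the path overwrites a single mark field in the packet with its own identity with probability p. A mark written by a router d hops from the victim survives only if none of the d-1 closer routers overwrite it, so it arrives with probability p(1-p)^(d-1) and the victim can order the routers by mark frequency, from nearest to farthest, even after the attack has ended. The router names, the path, the marking probability and the packet count are constructed.

```python
"""Probabilistic packet marking (node sampling) for DDoS traceback.

Added example, not code from the article or the Osterweil paper. Router
names, the attack path, p and the packet count are constructed.
"""
import random
from collections import Counter

# Constructed path, ordered from the attacker to the victim; R1 is adjacent to the victim.
ATTACK_PATH = ["R5", "R4", "R3", "R2", "R1"]


def mark_along_path(path, p, n_packets, rng):
    """Send n_packets along `path`; return how often each router's mark reached the victim.

    Each router overwrites the single mark field with probability p, so a mark from
    the router at distance d survives with probability p * (1 - p) ** (d - 1).
    """
    marks = Counter()
    for _ in range(n_packets):
        mark = None                  # the attacker sends the field empty
        for router in path:          # routers closer to the victim act later
            if rng.random() < p:
                mark = router
        if mark is not None:
            marks[mark] += 1
    return marks


def reconstruct_path(marks):
    """Order routers from the victim outward: the most frequent mark is the nearest router."""
    return [router for router, _ in marks.most_common()]


def expected_fraction(p, distance):
    """Fraction of packets expected to carry the mark of the router `distance` hops away."""
    return p * (1 - p) ** (distance - 1)


def simulate(p=0.2, n_packets=20000, seed=7, path=ATTACK_PATH):
    """Run one attack and return (mark counts, reconstructed path)."""
    rng = random.Random(seed)
    seen = mark_along_path(path, p, n_packets, rng)
    return seen, reconstruct_path(seen)


if __name__ == "__main__":
    seen, order = simulate()
    print("reconstructed path, victim outward:", order)
    for d, router in enumerate(reversed(ATTACK_PATH), start=1):
        print(f"{router}: seen {seen[router]:5d}, expected about {expected_fraction(0.2, d) * 20000:.0f}")
```

Two caveats follow directly from the arithmetic. With the article's 1-in-20,000 sampling rate, neighbouring routers differ in mark frequency by a factor of only (1 - 1/20000), so a victim needs an enormous number of packets before the ordering is statistically reliable; the example uses p = 0.2 so that the order is stable at 20,000 packets. And an attacker who pre-fills the mark field with a forged router identity defeats plain node sampling, since the forgery survives whenever no router marks the packet; Savage's edge-sampling variant adds a hop counter to the mark for that reason.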

These and other ideas have the potential to make the internet a safer place. But they require agreement and willingness to act. Osterweil and co think the time is ripe for action: “This is a call to action: the research community is our best hope and best qualified to take up this call.”

Ref: arxiv.org/abs/1904.02739 : 20 Years of DDoS: A Call to Action

Source: https://www.technologyreview.com/s/613331/the-first-ddos-attack-was-20-years-ago-this-is-what-weve-learned-since/

Five days ago, Ecuador revoked Julian Assange's seven-year asylum and turned him over to the UK authorities, who promptly arrested the Wikileaks chief.

Since then, Ecuador claims to be under siege from Assange supporters and “groups linked” to him.

Patricio Real, Ecuador’s deputy minister for information and communication technology, said in a statement that the webpages for his country’s public institutions experienced 40 million cyber-attacks.

Among the hardest hit were pages for the central bank, the foreign ministry and the president’s office.

“During the afternoon of April 11 we jumped from 51st place to 31st place worldwide in terms of the volume of cyber attacks,” he said.

The deputy minister said that the attacks “principally come from the United States, Brazil, Holland, Germany, Romania, France, Austria and the United Kingdom,” but that countries from South America also show up on the list.

No major hacking groups were named in Ecuador's statement, though the hacktivist collective Anonymous apparently made a threat.

Real also didn't specify what type of attacks Ecuador's websites experienced. He mentioned that no hacker managed to steal government data but that the attacks prevented some employees and citizens from accessing their accounts.

As Real called the attacks "volumetric," he most likely referred to a type of DDoS attack in which the attackers flood a website with more traffic than its bandwidth can carry, hoping to overwhelm it.

While this is a serious threat to a network, the attack itself can be perpetrated even by those without a lot of technical knowledge.

Ecuador will receive cybersecurity support from Israel to handle the incidents. It has also moved to arrest a suspect, a Swedish citizen close to Assange.

Right now, Julian Assange is in the UK authorities’ hands and waiting to see if he will be extradited to the US to face conspiracy charges.

He was also stripped of his Ecuador citizenship, which was granted in 2017 under a different Ecuadorian regime.

Source: https://techthelead.com/ecuador-claims-it-suffered-40-million-cyber-attacks-since-julian-assanges-arrest/

A cloud-based approach to DDoS protection is central to the security strategies of many organizations. As DDoS attacks become much larger, frequent and more sophisticated, we need a new approach to mitigate them.

Record-breaking terabit DDoS attacks 
In February 2018, GitHub was hit by a record-breaking DDoS attack that peaked at 1.3 terabits per second. This record was short lived, because just five days later, NETSCOUT Arbor confirmed an unnamed service provider suffered a 1.7 terabit per second attack. Fortunately, its defenses proved strong enough to prevent any outages.

Many terabit-level DDoS attacks stem from hackers who hijack large numbers of poorly protected or unprotected IoT devices, including home routers, video cameras, smart TVs, and many others. These devices are recruited en masse into a botnet that coordinates an attack to flood a company with bogus traffic and make its website and servers unavailable. (The two February and March 2018 record attacks mentioned above were instead memcached reflection attacks, which amplify spoofed requests off exposed servers rather than relying on a botnet's own bandwidth.)

In a recent report, Nokia found that 78% of total detected activity is due to IoT botnets, while an Akamai study showed that 99% of all DDoS attacks targeted the network infrastructure. Volumetric DDoS attacks that swamp network resources are the most potent and protecting against them is top of mind for most executives and recognized at board level.

The need for a new approach to DDoS mitigation
CIOs and CISOs tasked with protecting their companies against DDoS attacks are rightly worried about the potential impact on revenues and reputations, as well as the cost to repair and recover.

Recognizing they cannot protect against all attacks, CIOs and CISOs want to understand and reduce the risk of attacks and mitigate against them quickly when they happen. Unfortunately, both the processes and tools commonly used today may not be up to the task because of the increasing size, frequency and sophistication of DDoS attacks.

Most are not capable of reacting in real time to high-volume attacks, giving attackers more time to cause disruption. Many rely on backhauling attack traffic to centralized or cloud-based scrubbing centers, adding to the cost of mitigation and impacting latency-sensitive traffic.

Pulling the plug on out-dated DDoS mitigation
With DDoS threats becoming more sophisticated and relentless, we need a more cost-effective approach that provides three key capabilities:

  • Analytics with intelligence to monitor and recognize sophisticated attacks
  • In-line packet filtering with massive scale at the network perimeter to protect against multi-terabit attacks in real-time
  • 360-degree symmetric protection against external attacks from the internet and internal attacks from hijacked devices

This approach requires analytics applied not just to network information, but to context information gathered from cloud servers and IoT devices. This provides a more robust way to identify sophisticated attacks and their sources. It also distinguishes between unexpected but legitimate traffic bursts and harmful DDoS attacks.

Protecting against terabit-level attacks quickly and cost-effectively requires a distributed rather than a centralized approach – one that makes the IP network part of the solution to act as the first line of defence against attacks.

Combining enhanced analytics and intelligence with massive packet filtering capacity provides an in-line approach that can be scaled to protect each interface at the network edge.

It also avoids the cost of backhauling terabit levels of attack traffic to centralized or cloud-based scrubbing centers and reduces the need for application-level security appliances. The cost savings can be dramatic, up to 85% at current peak DDoS levels compared to centralized DDoS scrubbing, making this approach much more cost-efficient and future proof.

Leveraging cloud genome and custom silicon
Cloud genome analyzes billions of endpoints and determines how traffic from these sources flows through the internet to reach a company’s network. It ingests dozens of data sources to provide a real-time view of what’s happening. When combined with a company’s own network and enterprise analytics, it tracks traffic through their network and how it reaches end users.

With this information, CIOs and CISOs have intelligence that spans their network and servers as well as cloud and IoT traffic. For the first time, they can identify the potential sources of volumetric DDoS attack, so they can understand and reduce the threat risk.

To mitigate against terabit-level DDoS attacks quickly and efficiently when they occur requires routers with custom network processors. This enables in-line, line rate packet filtering at each interface that connects to the internet.

It provides scalable terabit DDoS mitigation that is robust and efficient, and filters threats in real-time when and where they occur – right at the edge of the network.

The combination of analytics with intelligence and packet filtering on a massive scale gives CIOs and CISOs the visibility to detect and understand threat risks proactively. This improves the ability to shut down threats before they impact their network and servers, and most crucially, their customers and business reputation.

Source: https://www.infosecurity-magazine.com/opinions/ddos-mitigation-strategy-terabit/

There is a direct correlation between cryptocurrency and DDoS attacks. As the price of cryptocurrency dropped in 2018, leading to decreased profits from cryptomining, hackers on the black market began to divert prime botnet resources to DDoS attack activities, which increased month by month.


DDoS attacks in 2018

In NSFOCUS’ 2018 DDoS Attack Landscape report, NSFOCUS analyzed the threat landscape after a landmark year of technological growth related to cloud computing, big data, artificial intelligence (AI), Internet of Things (IoT), and Industry 4.0.

Key findings include:

  • Attackers were more inclined to launch DDoS attacks when the short-term benefits from cryptomining activities declined in 2018.
  • In 2018, DDoS attacks kept expanding in size as DDoS-as-a-Service experienced a fast growth.
  • Of all internet attack types, 25% of attackers were recidivists responsible for 40% of all attack events. The proportion of recidivists in DDoS attacks decreased in 2018, making up about 7% of DDoS attackers that launched 12% of attack events.
  • Cloud services/IDCs, gaming, and e-commerce were the top three industries targeted by attackers.
  • The total number of DDoS attacks in 2018 reached 148,000, down 28.4% from 2017, driven by effective protections against reflection attacks, which decreased considerably.
  • In 2018, the most frequently seen attacks were SYN flood, UDP flood, ACK flood, HTTP flood, and HTTPS flood attacks, which all together accounted for 96% of all DDoS attacks.
  • Of all DDoS attacks, 13% used a combination of multiple attack methods. The other 87% were single-vector attacks.


“The fluctuation of Bitcoin prices has a direct bearing on DDoS attack traffic,” said Richard Zhao, COO at NSFOCUS.

“This, along with other report findings, can help us better predict and prepare for DDoS attacks. Attackers are after profits and as we watch bitcoin fluctuate, we will continue to see this correlation pop up. DDoS attacks have never stopped since making their debut – analyzing trends in this report helps companies keep up with the fluid attack and threat landscape.”

Source: https://www.helpnetsecurity.com/2019/04/15/correlation-ddos-attacks-cryptomining/

A new type of distributed denial-of-service (DDoS) attack is abusing a common HTML5 attribute to overwhelm targeted victims.

Security firm Imperva reported on April 11 that it has discovered a campaign where hackers abused the ping attribute of the HTML5 <a> tag in a DDoS attack that generated 70 million requests in four hours. The ping attribute (hyperlink auditing) lets a page list one or more URLs that the browser notifies, with a small POST request, whenever a user follows the link. Typically, a ping is a single action, but Imperva discovered that hackers have found a way to turn the ping into a persistent stream of requests, triggering the DDoS attack.

“The attacker, probably using social engineering, forced users to visit a website that contained malicious JavaScript,” Vitaly Simonovich, security researcher at Imperva, told eWEEK. “This script generated links with the target site in the ‘ping’ attribute and clicked it without personal involvement of the user. Auto-generated clicks reflected as ping back to the victim, continuously, the entire time the user stayed on the webpage.”

Imperva’s analysis of the attack explained that when the user clicks on the hyperlink, a POST request with the body “ping” will be sent to the URLs specified in the attribute. It will also include headers “Ping-From,” “Ping-To” and a “text/ping” content type.

“We observe DDoS attacks daily,” Simonovich said. “We discovered this attack last month. However, when we looked back in our logs, we noticed that the first time the attack occurred on our network in December 2018, it was using the ping feature.”

The attack that Imperva found made use of 4,000 user IPs, with a large percentage of them from China. The campaign lasted four hours, with a peak of 7,500 requests per second (RPS), resulting in more than 70 million requests hitting the target victim's website.

How the Ping Attack Overwhelms a Server

A single ping on its own is not enough to disturb a web server; hyperlink-audit pings are small POST requests with a few bytes of body. They are also low bandwidth, so even a flood of them would not constitute a volumetric DDoS attack, which aims to overwhelm the available bandwidth of a target server.

The DDoS attack discovered by Imperva, however, was not a basic ping and, according to Simonovich, could impact a web application server in a couple of ways:

  1. Targeting the web server using high RPS, the server will be forced into processing the DDoS attack and not handle legitimate traffic.
  2. Targeting the web application by finding an injection point will cause a high resource consumption. For example, the login form will cause a query to the database.

“The attack is performed on the application layer aimed to clog server resources by processing several HTTP requests,” Simonovich explained. “As such, attack bandwidth is not the weakest resource in the chain, but CPU or memory of the server.”

He added that 7,500 RPS is far from the most powerful application DDoS attack, which can reach 100,000 RPS and more, but it is enough to deny availability for a midsize website.

Defending Against Ping DDoS

There are several things that organizations can do to minimize the risk of a Ping DDoS attack.

Imperva recommends that organizations that do not need to receive ping requests on a web server block any web requests that contain “Ping-To” and/or “Ping-From” HTTP headers on the edge devices (firewall, WAF, etc.). DDoS services, including the one that Imperva offers, also can be employed to help limit risk.
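The edge filter Imperva recommends, as an added example that is not Imperva's code or the original article's. It parses raw HTTP requests, rejects any that carry a Ping-To or Ping-From header or a text/ping content type, and tallies blocked pings per client address so that a flood from a handful of sources stands out. The requests are constructed samples shaped like the ones the article describes (a POST with body "PING", the Ping-From and Ping-To headers and a text/ping content type); the X-Forwarded-For header stands in for the client address an edge proxy would record, and the hostnames are hypothetical.

```python
"""Edge filter for HTML5 <a ping> (hyperlink-audit) traffic.

Added example, not Imperva's code. Hostnames, client addresses and the
sample requests are constructed.
"""
from collections import Counter

PING_HEADERS = {"ping-to", "ping-from"}
PING_CONTENT_TYPE = "text/ping"


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, target, lowercase-keyed headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def is_hyperlink_audit(headers):
    """True if the request is a browser ping: Ping-To/Ping-From present or text/ping body."""
    if PING_HEADERS & headers.keys():
        return True
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    return ctype == PING_CONTENT_TYPE


def filter_request(raw):
    """Return (verdict, client, reason) for one request; sites that never consume
    ping reports can block every hyperlink audit outright."""
    method, target, headers, _body = parse_request(raw)
    client = headers.get("x-forwarded-for", "unknown")
    if is_hyperlink_audit(headers):
        return "block", client, "hyperlink-audit ping"
    return "allow", client, f"{method} {target}"


def blocked_by_source(raw_requests):
    """Count blocked pings per client address, the signal a flood shows up in."""
    counts = Counter()
    for raw in raw_requests:
        verdict, client, _reason = filter_request(raw)
        if verdict == "block":
            counts[client] += 1
    return counts


# Constructed samples: a browser ping aimed at the login form, a real login POST, and a GET.
PING_REQ = (b"POST /login HTTP/1.1\r\nHost: victim.example\r\nContent-Type: text/ping\r\n"
            b"Ping-From: https://lure.example/page\r\nPing-To: https://victim.example/login\r\n"
            b"X-Forwarded-For: 203.0.113.9\r\nContent-Length: 4\r\n\r\nPING")
LOGIN_REQ = (b"POST /login HTTP/1.1\r\nHost: victim.example\r\n"
             b"Content-Type: application/x-www-form-urlencoded\r\n"
             b"X-Forwarded-For: 198.51.100.4\r\nContent-Length: 22\r\n\r\nuser=alice&pass=hunter")
GET_REQ = b"GET / HTTP/1.1\r\nHost: victim.example\r\nX-Forwarded-For: 198.51.100.4\r\n\r\n"

if __name__ == "__main__":
    for raw in (PING_REQ, LOGIN_REQ, GET_REQ):
        print(filter_request(raw))
    print(blocked_by_source([PING_REQ] * 3 + [LOGIN_REQ, GET_REQ]))
```

Note that this blocks all hyperlink-audit reports, including any the site itself wanted; a site that uses ping for its own link analytics should instead allow only requests whose Ping-From header names its own origin, since the attack described above necessarily originates from a page the attacker controls.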

“Attackers are constantly looking for new and sophisticated methods to abuse legitimate services and bypass mitigation mechanisms,” Simonovich said. “Utilization of the ping functionality is a good example of this, especially since most of the browsers by default support it. The challenge that attackers are facing is how to force legitimate users to visit the malicious page and stay on this page as long as possible to make the attack run longer.”

Source: https://www.eweek.com/security/how-html5-ping-is-used-in-ddos-attacks