Denial of Service-as-a-Service is a booming business with many buyers and sellers. Virtually anyone with a little computing knowledge, some money and a target in mind can do serious damage by stopping communications and commerce for whoever their efforts are directed at. Right now, we are living in the age of Denial-of-Service (DDoS).
There have been plenty of truly excellent articles on this topic from nearly every tech publication on this subject. Google this subject and you’ll find out what it is, who is doing it, and how to prevent or mitigate the various types of DoS attacks. Forbes even did a piece on what these attacks mean for businesses and entrepreneurs.
So, why even bother to write about this topic? That’s easy. The rising undercurrent of cyberwarfare at the infrastructure level is something few are talking about. DoS attacks are possibly the prelude to deeper, more aggressive attacks that will do more than prevent data from moving within the infrastructure. Let’s examine the evidence that points to the beginning of a new era of public virtual combat.
DoS as the Smoke Screen
Whether you experienced or read about the massive Denial of Service attacks launched recently, starting with Brian Krebs’ (at the time) record-breaking DDoS attack, you may not understand that the overwhelming majority of DoS attacks are limited in bandwidth and can only be sustained for a very short period. In fact, the majority of DoS attacks are less than 30 minutes in length and use less than 5Gbps of bandwidth!
The goal of many DoS attacks is to tie up enough bandwidth and resources to alert the company’s IT security staff to keep them busy fending off the DoS attack. This provides a distraction while attackers attempt to gain access to IT assets.
If we scale this up to the cyberwarfare and cyberterrorism level, we have larger entities being hit with massive amounts of sustained bandwidth for longer while being simultaneously infected with spying software and data destruction infections. They can even have misinformation injected into their networks to create confusion, outages or scandals. In this way, a DDoS attack becomes a serious threat beyond the normal loss of revenue due to outage.
DoS isn’t Amateur Hour
DoS attacks have been around since the foundation of networking and the TCP/IP protocol. One of the oldest DoS attacks, known as a SYN Flood, exploits an inherent vulnerability in the network protocol.
Today I could teach a third-grade class to perform a SYN flood. Modern firewalls have advanced SYN flood, as well as other types of flooding protection that mitigate this kind of attack. This is one of the reasons why hackers and security experts have historically seen DoS attacks as amateurish, though this mindset is rapidly changing now.
As a result of modern defenses to older DoS methods, hackers have had to get more sophisticated when launching a DoS attack against a target. The most effective distributed attacks are layering SYN flooding with other types of DoS methods such as application layer attacks.
While it’s possible to overwhelm a network using any method, by combining attack methods the hackers can starve the resources of the targeted infrastructure faster and more effectively while using less bandwidth. Still, in a mass attack, being able to throw a massive amount of bandwidth and session traffic against your target while sustaining the attack is an effective way to render your target blind to Internet communication and connectivity.
And this is where we begin to looking at who is able to create and sustain an attack of this type.
Experienced Hackers and DoS Attacks
Experienced hacker teams can bring multiple worldwide resources down and, as we’ve seen recently, they’re effective at it. However, what they’re doing is hijacking resources, usually unbeknownst to the owner, and then using them to DoS a target.
Because they’re illegally flooding bandwidth, resources are slowly cut off. Internet service providers (ISPs) see the directed traffic and shut down their portion of the attacking bandwidth. People may change their passwords on systems and cut off the hijackers knowingly or unknowingly.
Some may even get rid of equipment in the middle of an attack due to the normal lifecycle of older equipment. So, while these attacks are effective, they could not be used in the long term against very large targets.
Enter the government. Many large governments with advanced cyberwarfare teams have very deep, typically worldwide, resources. They are capable of launching large-scale attacks free from ISP disruptions or loss of resources.
These teams have also been known to hijack resources worldwide, as we recently discovered when a hacker group known as the Shadow Brokers released a list of servers the NSA’s Equation Group had targeted with its highly specialized tools. In fact, DoS attacks have already been successful at the government level for a while now.
Between 2011 and 2013, seven Iranians believed to be working on behalf of Iran’s Islamic Revolutionary Guard Corps were involved in attacks under the name of Operation Ababil. Indicted in the United States, the charges revolved around sustained DoS attacks they launched against American financial institutions in an attempt to disrupt the economy of the U.S.
The belief is that Iran, already in a cyberwar with the United States, was attempting to retaliate for a joint operation between the U.S. and Israel. The operation had rendered Iran’s secret nuclear weapons development program useless by infecting the illegally obtained SCADA computer systems Iran needed to run the program. As we will see further along in this article, there is much more evidence of government involvement in this arena.
The Remote Control Proof of Concept and the Exploitation of Trust
As DoS attacks rise in strength and power, more bandwidth is needed, and non-government hackers need to be able to access and command large amounts of bandwidth at will. Traditionally, this has meant hackers will infect desktops, laptops and servers to use their Internet connection to attack the hacker’s target.
The problem this poses to hackers is that their infections need to stay ahead of virus inoculations and other threat management systems. Usually, it’s not a problem for the infection if conventional antivirus software is deployed, however, with the rise of the Internet of Things (IoT) the game is changing.
Many IoT devices are not built with security in mind, only connectivity and function. In April, I wrote an article on the issue of project teams not including a security expert during the development phase of a product and we are now reaping this whirlwind.
Hackers, exploiting the lack of security in many of these devices, have created infections that will test IoT devices for password weakness (i.e., admin/admin as the username and password). If it can log in, it will infect the device.
Unlike a computer with the versatility to install and run multiple software applications, like virus scanners, IoT devices do not have this ability. Therefore, the virus can infect the device, turning it into a remote-controlled DoS time bomb that can be used at will by the hacker.
People trust that these IoT devices are either safe out-of-the-box and require no advanced configuration (i.e., changing the default password), or believe they’re protected because they’re sitting behind a firewall. It is this unfounded trust that is exploited over and over and causes major headaches in nearly every security system out there.
Looking at one of the latest and most prolific infections out there today, Mirai, anyone can see how effective this method of infiltration is. Mirai, an IoT infection, has successfully infected at least 500,000 IoT security cameras, DVRs and other devices.
It was also successfully used to launch massive DoS attacks against Brian Krebs, Level3 and Dyn in the past couple of months alone. If we don’t begin insisting on or standardizing a cybersecurity methodology in product development, these infections are only going to get worse.
Bigger Isn’t Always Better
Given that the recent DDoS attacks use overwhelming bandwidth and session traffic, we cannot forget that, like all hacking and attack methods, the DoS attack is an always-evolving life form.
Recently a new DoS attack method, using a twist on the older DoS style, has surfaced. Called BlackNurse, it can use a single computer to knock out a large-scale server. DoS attacks flooding the ICMP protocol have been around for ages.
BlackNurse, however, uses low volumes of ICMP Type 3 (a.k.a. “Destination Unreachable”) to generate large amounts of session traffic and starve the resources of the targeted system. An attacker can use about 15Mbps of bandwidth and 40,000 packets a second to fully knock out very robust systems.
Never forget the hackers have their own non-stop research and development, so as we, the white hats, are continuously looking for new methods and techniques to defend ourselves, the black hats are always innovating as well. Imagine what a hacker with one thousand hijacked computers using BlackNurse could do to a large infrastructure if it’s not fully defended against this kind of attack.
The Beta Test for “Nuclear” War
In 1967, Star Trek released an episode called “A Taste of Armageddon.” Briefly, it was about two civilizations that had been at war with each other for 500 years, however, the war they were in was simulated so that their civilizations and ecology would not be destroyed. Instead of actually bombing each other, a massive computer that linked both civilizations together would “bomb” the planets and declare who had been killed.
Not knowing any other way and fearing an actual war, citizens on both sides who were deemed “casualties” would willingly step into a booth to be disintegrated. Buildings and infrastructure still stood but only the people were affected.
This plot has an eerie parallel to the world we could be living in, but with a twist. Imagine a world war where no one fired bullets but instead fired bandwidth. We could knock out electrical grids, financial infrastructures like stock markets, communication systems, air traffic control and several other critical systems.
The ensuing breakdown of a functioning society could cause natural-disaster-level chaos and fear. This may be where we heading and governments are already preparing for this eventuality. The beta tests of large-scale DoS and other intrusion methods have already begun.
For example, the Russian government, during the height of the invasion of the Crimea region of Ukraine, allegedly hacked into Ukrainian power companies, shutting down power to more than 80,000 people. They then used a DoS attack against the phone and communication system to ensure that no citizens could call for help. Many cybersecurity and cyberwarfare experts view this as a beta test on the effectiveness of Russia’s cyberwarfare methodology.
The Chinese government was linked to the largest attack in GitHub’s history. As I mentioned above, governments can sustain attacks for much longer than rogue hacker teams. In this case, the DDoS attack leveled at GitHub lasted six days which is an eternity in the computing world.
Further, we know that an entity is probing the Internet’s infrastructure in an attempt to look for vulnerabilities. Given the scope and scale of this probe, it’s highly probable that a state-run cyberwarfare division is the culprit. We probe and test our clients’ infrastructures in a similar manner to catalog their vulnerabilities and exploitable weaknesses.
The methods that appear to be used in this massive probing use the same methodology we employ, only at a much larger level. Which government is doing this? No one is sure just yet given how easy it is to mask traffic information globally. Sadly, I think we’ll probably find out who is doing this sooner than later.
We Need to Work on Strengthening Threat Technology
As we gear up towards this future, it’s important to remember that mitigation is going to be the name of the game. Every major infrastructure provider is, or at least should be, actively working on strengthening their threat and denial of service mitigation technology as well as battening down the hatches for other kinds of attacks.
Businesses and corporations should be doing the same to their infrastructure but also devising a methodology to deal with DoS and other types of attacks running on the assumption that it’s not “if” but “when” they will be hit. We’re all in this together and while most DoS attacks will do nothing more than inconvenience a segment of the population, we all need to realize that it’s possible our lives could be affected more drastically than the inability to watch Netflix for a day.
Before we all turn into Doomsday Preppers here, let me say that our nationwide infrastructure is both robust and vast and would take a ridiculously massive amount of worldwide bandwidth to bring us completely down. Not to mention that the government has dedicated connections across the country that are protected from these kinds of attacks, though nothing is foolproof.
Protecting our critical chokepoints is a high priority for our ISPs and government. While no one can truly predict the future, we do know that we’re entering an era of increasing attacks, so let’s all make sure we’re ready for it.
LOCK DOWN YOUR NETWORK
FREE PENETRATION TESTING COURSE
Get our free Penetration Testing course delivered straight to your inbox! You’ll learn these tactics:
- Social engineering
- Port scanning
- SQL injecting
- Anti-virus evading
- Client side attacking
Learning these pen testing tactics will help you find gaps and lock down your network to keep your it safe from internal and external threats.