DDoS incidents have become more and more prevalent of late, so Aaron examines what they are and how they affect us
If you’ve got a computer or a games console, you’ll probably be familiar with the term DDoS and know that it’s often referred to as a hack and linked with the unavailability of various services. In the past, there have been numerous reports of groups of hackers launching DDoS attacks on specific companies, taking down services, inconveniencing users and causing the affected companies a lot of money. However, even with the term being more recognisable by the general public, the actual truth behind these attacks is often hidden or delivered in a misleading way. Let’s correct this and examine what DDoS incidents really are, what they can do and if they can be stopped.
The term DDoS (often pronounced simply ‘dos’) stands for ‘distributed denial of service’ and is an attack that’s launched on a company’s network infrastructure with the goal of overloading it, thus bringing down whichever service is targeted. It’s the kind of thing we’ve seen done in movies and TV for years, most of the time far from realistically, and in truth, it’s not even a hack at all.
Contrary to popular belief and common representation in the press and on TV, a DDoS incident is not always the result of hackers; it doesn’t even require any form of computing ability on behalf of the person or group launching it.
Instead, a DDoS is often simply the result of paid-for services that can be obtained by everyone if they know where to look, which can be used to swamp servers with fake traffic requests. There’s no scripting, bypassing of security or silly banter about the top five most used passwords in the world. No. There’s a simple transaction to buy a service and, for whatever reason, the aim to cause havoc.
DoS and DDoS attacks shouldn’t be confused. A simple DoS attack (denial of service) involves a single system and connection flooding a target with requests. A DDoS uses a whole network of systems and connections to do the same, with greater results.
Behind the scenes, there’s an element of hacking, used to create the botnet that bombards the target, but we’ll come to this later. The actual DDoS attack on the target, however, isn’t an internal threat.
It’s very important to understand this distinction and why DDoS incidents are not actual hacks. They’re commonly reported in popular news in a very unrealistic manner, with such reports often classing them as hacks and painting a much more worrying picture than is actually true. These reports often cause people to panic, worrying that their data has been stolen or worse. While actual hacks can, indeed, involve this kind of intrusion and data theft and botnets can be used for other things as well as DDoS tasks, a DDoS does not represent the same threat. A DDoS isn’t an actual intrusion and never becomes an internal threat. It’s simply an external tidal wave of traffic that causes servers to fail and networks to come down. No data, personal or otherwise is accessed. Just as too much traffic can cause a motorway to come to a standstill, so too can too much server traffic, with the same gridlock effect, only with digital communication instead of vehicles in rush hour.
An actual hack involves hackers bypassing system security with various methods in order to access the internal network of an organisation – often databases that contain personal data. Hackers can then extract this data and do with it as they like. This is a real hack and the real threat we should be concerned with. DDoS attacks are nothing more than an annoyance to most of us, but for the companies they affect, they’re almost as troublesome and dangerous as a real hack, as it always involves the loss of money from downed services and the cost of repair and customer compensation.
DDoS attacks aren’t restricted to a select few, and their availability is surprisingly wide, with far more DDoS attack happening on a daily basis than you may think. That said, it’s not like you can visit Amazon and buy a DDoS attack bundle. Of course not. For this you need to go to far more disreputable places, like the Russian black market and other nefarious online sources. According to research done by Trend Micro in 2012, it’s relatively easy to find and purchase a DDoS service, with prices at the time of research ranging from $30-70 for a one-day DDoS attack, to $1,200 for a month-long outage. This isn’t much for the kind of havoc such an attack can cause and only makes DDoS incidents more concerning potential threats. Those with an agenda, such as the various so-called hacker groups like the infamous Lizard Squad, could easily stump up the cash for this kind of service, and this has undoubtedly led to the growing trend of such incidents.
An analysis of global threats by Arbor Networks reports that there are over 2,000 DDoS attacks every day worldwide.
These attacks can range from minor, low bandwidth hits to large-scale assault, and we rarely hear about these. When a big name, especially one that provides a highly visible public service, is attacked, though, we often hear about it (although not always). One of the most high-profile attacks in recent times was Lizard Squad’s DDoS of Sony’s PlayStation Network during Christmas 2014. This DDoS took down the PlayStation Network for several days over a period where many people had just got new PlayStation 4 units. It upset gamers and caused a lot of trouble for Sony, both financially and in terms of customer relations.
Every day, companies and networks all over are targeted for one reason or another, the truth of which will only be known to those ordering such an attack. Everything from big companies to smaller online gaming services can be a target, and all it takes is one disgruntled customer to pay the meagre price for a DDoS to be launched. Attacks are usually publicly reported when they’re the result of a group or movement’s actions, but they’re also just as likely to come from a single person.
These attacks are so common that it’s been revealed by various sources, including research done by Verisign, that one in three issues of downtime were the result of a DDoS attack in 2014. Further, such attacks have increased by around 14% between Q3 and Q4 2014, and downtime can, on average, cost companies around $5,600 per minute or $300,000 per hour (from the research of Andrew Lerner of Gartner). One of the market’s most affected by DDoS attacks in 2014 was the entertainment industry, which includes the aforementioned Sony and its PlayStation Network, Microsoft and Xbox Live, as well as a lot of PC titles like online MMOs and online gaming in general.
Some underground hacker marketplaces offer many specialised services, including week-long ‘silence’ attacks, which are geared towards taking a website down for a period. This is often used by people wishing to hurt a company or organisation by stopping it dead for several days. All that’s needed is some cash (as cheap as $100-150) and a grudge or disagreement with a website.
This is pretty alarming stuff for company owners, and for the rest of us using these services, whatever they may be, it’s also a concern or at the least irritating. This is even more so if you’re paying a subscription or fee for a service and cannot access it.
We know the effect they can have and how easy they are to put into action, but what exactly goes on within the digital domain? How does a DDoS actually work? Let’s take a look.
DDoS attacks aren’t simply a single type of attack. There are actually various different kinds of DDoS that can be used, each with various effects. Let’s look at a few examples.
First we have the UDP flood attack. This is a DDoS that involves sending a huge number of UDP data packets to the target system. This isn’t used all that often any more by serious DDoS attacks, as it’s one of the older methods and one of the easier types to detect. As it uses UDP, it’s not encrypted, which makes it easier to deal with. TCP flood attacks are similar to UDP, but utilise TCP packets in order to monopolise network resources.
Next we have the TCP SYN flood attack. Like other DDoS attacks, this sends large amounts of requests to a target, which causes the system to open up more resources to deal with the traffic. It also sends a response packet back to the source of the traffic, expecting a reply. This never comes, however, which adds up, takes up more and more resources, eventually causing the denial of service.
Smurf attacks are a common form of DDoS that involves sending ICMP (internet Control Message Protocol) ping requests to a target using fake broadcast addresses. These addresses are created by spoofing IPs, making the source and requests harder to trace and identify. ICMP flood attacks are the same as Smurf attacks, but don’t utilise broadcasting.
There are also classes of attack (which the above methods fall into), each of which is specifically targeted. Application attacks are like DDoS scalpels, targeting specific applications or parts of programs. These are used to take down specific areas of a network and do so at a low traffic rate, making them harder to detect.
Fragmentation attacks send, unsurprisingly, fragmented TCP and UDP packages that make it difficult for the target system to read, causing obvious resource problems.
TCP connection attacks are launched to totally devour a connection’s resources, including all connected firewalls, balancers and servers. These can bring down even the largest systems.
Volumetric attacks are all about causing congestion and tying up traffic within a network or in between the target and the internet.
All of these kinds of attack cannot be launched without the core aspect of any DDoS, and that’s bots and botnets. This is where the actual hacking element of a DDoS comes in and is the part that most instigators who pay for a DDoS service are not involved with, hence the lack of actual hacking abilities in many so-called hacker groups.
A botnet is a network of slaved or ‘zombie’ PCs that are used to generate and send the various requests to a target. To create a botnet, a hacker first has to gain entry to a system. Once this is done, a daemon is installed (an often hidden, background process) to turn the PC into a bot using a DDoS bot kit. This is repeated on several other machines, forming the botnet required to launch the DDoS attack. Following this, the DDoS can be launched by using a master program to control all the zombie systems to attack the target.
Target PCs that become zombies can be anywhere in the world and any type of system, often with the owner of the PC never even knowing their PC has been used to take part in such an attack. This is just one of many reasons why our PCs need to be secured.
The aforementioned bot kits and software used to launch DDoS attacks, like the services themselves, are also up for sale on the black market. Anyone with basic knowledge of hacking and back-door access points into computers can attempt to launch their own DDoS. Again, as with the wide availability of DDoS services, this only serves to increase the growing threat. In fact, groups or individuals who want to use a botnet can purchase one, with prices in the range of $200 for 2,000 bots and $700 for a DDoS botnet. No technical knowledge required, because it’s all done for them.
Knowing what DDoS attacks are, how they work and what they do, the question remains: can they be stopped?
Unlike other kinds of threat, such as viruses and actual hacks into a network’s security, DDoS attacks are not actual security breaches, at least not for the target system. There’s certainly a security concern for the systems used in the botnet, but the target is simply assaulted with heavy traffic and not breached. Because of this, there are no real security measures as such that can be put into place to prevent DDoS attacks. These attacks simply send requests, just like legitimate users, but on a large enough scale to bring down a system. They’re designed to cause disruption and loss of income, rather than to steal data.
Still, there are ways for companies to help plan ahead and even prevent future problems. Traffic monitoring is one of the most important of these steps. All networks are monitored for traffic, as companies and their network management need to know they have the computing capacity and network bandwidth to cope with their normal day-to-day traffic. By ramping this up to a more detailed level and putting in place alarms to signify unusual amounts of traffic, companies may not be able to totally eliminate DDoS threats but can respond and deal with them in a much more timely manner. Indeed, it’s dealing with attacks that’s the most important and a company prepared for such matters will find it much easier, dealing with problems with less long-term cost. Failing to prepare and having no crisis plan of action in place means a DDoS will be much more severe.
Attacks can target any aspect of a network or system. Firewalls can be overloaded, servers can be directly attacked, internet pipes can be hit, even SQL servers can be on the agenda – there’s little aspect of a network that’s free from attack. Knowing that any network, computer or website can be a target is a first step, and this leads to proper prevention.
Sadly, a lot of companies have yet to make this move, as evidenced by even a company as large as Sony suffering so badly last year, and this is why DDoS is such a threat. Until methods of prevention and adherence to best practices is commonplace, there’s always going to be a larger DDoS threat than there needs to be. DDoS attacks may not be preventable, they’re too easy and effective, but they can be dealt with more efficiently, and this is where the focus needs to be.