Botnets and DDoS attacks - What are they?



Around this time last year DDoS attacks were all over the news. Dyn DNS and KrebsOnSecurity both were hammered by record-size attacks. See these two articles for a rundown of what happened:

  • https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/
  • https://dyn.com/blog/dyn-analysis-summary-of-friday-october-21-attack/
Recently more news of a botnet called "Reaper" or "IoTroop" has surfaced.  In summary, experts believe this botnet is intended to be used as a part of a DDoS-for-hire service. Let's dive in and see how DDoS works and why it's effective.

DDoS and Botnets


So what is a DDoS attack? You may have heard the term before (especially those who keep up with the video game industry). DDoS is an acronym which stands for "Distributed Denial of Service", and the purpose of DDoS is to take down a website or service on the Internet. What this means is that on a normal day the website will be up and available for you to use, but under a DDoS the site will either be extremely slow or won't load at all. Think of a DDoS attack from the victim's perspective like trying to drink out of a fire hose. The victim will simply not be able to process all of the incoming traffic and will end up discarding a majority of the traffic.

The "distributed" part of the term means the attack traffic itself is coming from more than one or a few sources, rather it originates from hundreds or thousands of unique sources. This is where botnets come in.

A botnet is a group of computers connected to the Internet that have been taken over by a malicious actor. The actor can control the botnet at will, using it to do one of many things:

  • Spread malware
  • Deliver spam email
  • Spy on individuals
  • Mine cryptocurrency
  • Launch DDoS attacks

As for how the devices get taken over, it can be one of a few ways:

  • Software vulnerabilities
  • Default or nonexistent passwords
  • Malware distributed via email, other social engineering techniques, or advanced vectors such as a supply chain attack

Reflected and Amplified

Botnets are not the only way to launch a distributed attack. Arguably the most commonly used type of DDoS attack technique is known as a reflection with amplification attack. A reflection attack uses someone else's device which is not under your control to send traffic to the victim.


Amplification refers to getting a lot more traffic sent to the victim than you originally sent to the reflection point. A few protocols widely used on the Internet are very effective at amplifying an attack. A couple of top protocols used for this purpose are DNS and NTP. The amplification factors for each are up to 54 for DNS and up to 556 for NTP.

By the way, you can use a botnet to launch a reflection attack, but a botnet is not required.

DDoS against individuals and organizations

Gamers who experience "lag" while online gaming may claim to be under a DDoS attack. While this is certainly possible, it may not always be the case. Consider what it takes to launch a DDoS attack against you. In addition to having the resources to launch an attack, the attacker must know one important piece of information about you: your public IP address. One way an attacker may try to ascertain your IP address is by sending you an email attempting to get you to click a link which then can reveal your IP address to the attacker. In general, it will be otherwise difficult for your IP address to be discovered by the attacker.

When it comes to organizations, many different types of targets are out there. The gaming industry is not alone - financial institutions, hospitals, and schools need to pay attention as well. Imagine a school that uses online platforms for its curriculum. G Suite (formerly known as Google Apps) for Education is a pretty popular platform used by schools. It's important to recognize that it is not Google who is more likely to get taken offline by an attack, rather your school's Internet connection.

How do we stop DDoS?

Due to the open nature of the Internet and the fact that it is composed of devices all over the world, there is much difficulty in getting rid of devices that help facilitate crippling DDoS attacks. Also culpable to a degree are the manufacturers of devices with vulnerabilities that allow them to be easily taken over and controlled for malicious purposes. The manufacturers who are not doing their duty to the Internet community are those who either do not release patches or make the patches difficult for the average user to install. Have you ever installed a firmware update to your home router? If you have (like I have), kudos, but I suspect most haven't.

No single person or organization can stop DDoS as it exists today. It will take the community banding together and holding people and organizations responsible for securing their networks and devices.

Comments

Post a Comment

Popular posts from this blog

Cloud Services - Friend or Foe?

Image
The question has arisen many times in my profession, and my friends and family have even asked me:  "Is it safe to store this information in the cloud?"  To answer this question, we need to understand what the cloud is. Then we need to determine what kind of information you intend to store, and how important it is that the information remain private. The "cloud" - what does this nebulous term mean? Understanding the cloud Let's make sure we understand what the cloud is not . You're reading this article on a device such as a smartphone, personal computer, or tablet. Your device is not part of the cloud, but it is a client of a server that is part of the cloud. A word on client vs server Suppose you go to your neighbor's house and knock on the door, but no one answers. Your neighbor wasn't expecting anyone, and they don't let strangers in. On the other hand if you visit a restaurant, usually a host or hostess will greet you and
Read more

How someone tried to phish me

Image
A couple of weeks ago I received an email that looked like this. This email went straight to my spam folder which I check occasionally to make sure I don't miss anything important. This particular email appeared to have come from one of my relatives. Let's see what's inside the email. I have obfuscated the actual email address because it is the first and last name of a relative. So the email came from someone[at]kkfi[.]org. I don't recognize that domain, but a quick lookup tells me it belongs to a radio station. Checking the hyperlink in the email body, I found that only one Antivirus vendor has the link categorized as phishing. But one bad verdict was enough for me to not visit the link. You can see the verdict  here . So why did someone at a radio station try to phish me? Well, actually it's likely that it wasn't an individual at the radio station but someone else who abused their domain and/or mail server. Let's dig so
Read more

Google's "Smart Lock" and Android Autofill

Image
Have you ever heard of Google's " Smart Lock "? When I first discovered Smart Lock, it was just a feature of Android that allowed your device to remain unlocked as long as certain conditions were met - such as being at a specific location (say, at home), the front camera recognizing your face (you mean "Face ID" has been around for a long time? yes, and it never worked well and still doesn't work well, even on iPhone), your phone being on your body, or connected to a trusted device. Recently Google has added another piece of functionality to Smart Lock called Smart Lock for Passwords. I first noticed this inside the Netflix application probably one or two years ago when I was offered to automatically sign in because my login info at the time was saved in my Google Chrome password manager, but no other apps that I used regularly seemed to have this new functionality. Looking at the developer page for this feature, it makes sense as to why since it ap
Read more