Feature: The growth and evolution of DDoS
Section snippets
Traditional model
The traditional model of a DDoS attack, if you can call it that, is where a criminal gang creates or hires a botnet – a collection of thousands of ordinary users’ PCs that have been infected with malware – to route large amounts of network traffic to a single target. Such attacks have been deployed for years as a means of blackmail. They first came to prominence in the online gambling industry, where attackers would threaten to take down a betting site just before a major sporting event.
Since
Rise in attacks
Verizon's annual ‘Data Breach Investigation Report’ for 2015 said that 2014 had seen a doubling in the number of DDoS incidents compared to the previous year [2]. Intriguingly, when the analysts collated the data they found that, while there was a broad range of attack volumes, peaking at around 325Gbps, there were distinct ‘clusters’ of attacks at the 15Gbps (3 million packets per second, Mpps) and 60Gbps (15Mpps) levels. There isn't enough information to explain these groupings, the report said,
Amped-up
While the ‘traditional’ method of mounting properly distributed attacks has been to exploit the services of botnets, many attacks also employ reflection and amplification techniques.
“Most modern DDoS attacks rely on some form of amplification – that is, using resources that belong to other people to send Internet traffic to your target,” explains Andrew Conway, research analyst at Cloudmark.
The
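As an added illustration of the amplification pattern Conway describes (example code written for this edit, not from the article or any vendor it quotes), the following Python flags destinations that receive high-rate UDP traffic from several hosts answering on well-known reflector ports; the flow records, port list and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Assumption: illustrative list of UDP services commonly abused as reflectors
# (portmapper/111 is the one named in the article's reference list).
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 111: "portmapper", 1900: "SSDP", 19: "chargen"}

# Constructed NetFlow-style records: src,sport,dst,dport,proto,packets,bytes,seconds
SAMPLE_FLOWS = """\
198.51.100.7,111,203.0.113.10,4444,udp,20000,14000000,10
198.51.100.8,123,203.0.113.10,4444,udp,30000,13500000,10
198.51.100.9,53,203.0.113.10,4444,udp,25000,12500000,10
192.0.2.5,51000,203.0.113.10,443,tcp,900,120000,10
192.0.2.6,53,203.0.113.20,40001,udp,3,900,10
"""

def parse_flows(text):
    """Parse the comma-separated records above into dicts."""
    flows = []
    for line in text.strip().splitlines():
        src, sp, dst, dp, proto, pk, by, secs = line.split(",")
        flows.append(dict(src=src, sport=int(sp), dst=dst, dport=int(dp), proto=proto,
                          packets=int(pk), bytes=int(by), secs=float(secs)))
    return flows

def analyse(flows, mbps_threshold=5.0, min_reflectors=2):
    """Aggregate UDP traffic from reflector source ports per destination.
    A destination is 'suspected' when the rate and the number of distinct
    reflectors both exceed the (assumed) thresholds; ordinary TCP flows are ignored."""
    agg = defaultdict(lambda: dict(bits=0, packets=0, secs=0.0, reflectors=set(), services=set()))
    for f in flows:
        if f["proto"] != "udp" or f["sport"] not in REFLECTOR_PORTS:
            continue
        a = agg[f["dst"]]
        a["bits"] += f["bytes"] * 8
        a["packets"] += f["packets"]
        a["secs"] = max(a["secs"], f["secs"])  # flows are concurrent, so use the longest window
        a["reflectors"].add(f["src"])
        a["services"].add(REFLECTOR_PORTS[f["sport"]])
    report = {}
    for dst, a in agg.items():
        mbps = a["bits"] / a["secs"] / 1e6
        kpps = a["packets"] / a["secs"] / 1e3
        report[dst] = dict(mbps=round(mbps, 2), kpps=round(kpps, 2),
                           reflectors=len(a["reflectors"]), services=sorted(a["services"]),
                           suspected=mbps >= mbps_threshold and len(a["reflectors"]) >= min_reflectors)
    return report

if __name__ == "__main__":
    for dst, row in analyse(parse_flows(SAMPLE_FLOWS)).items():
        print(dst, row)
```

The per-destination pps and bps figures are the same two dimensions Verizon's report uses for its attack clusters, so the thresholds can be tuned against your own baseline rather than the constructed ones here.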
Nation-state actors
Spring 2015 saw an attack that clearly demonstrated the potential of DDoS as a weapon to be used at an international political level – although it also highlighted that motivations for attacks, even against a single target, can be varied, so one has to be careful about attribution.
Although this particular attack wasn't the first time that a nation-state actor had been accused of deploying DDoS tactics, on this occasion the evidence was abundant and unequivocal.
On 26 Mar 2015, GreatFire.org – an
Making it personal
This idea – that DDoS attacks are now so easy to mount and within the reach of individuals, including those without significant technical resources or skills – has been amply demonstrated both within the hacktivism sphere and, recently, by the attack on Mumsnet.
Notoriously, the Anonymous movement employed a very crude tool – the Low Orbit Ion Cannon (LOIC) – to mount its attacks against the likes of Sony and PayPal. Followers were encouraged to download the code and run it from their own PCs.
Swatting Mumsnet
While the Lizard Squad almost certainly consists of just a handful of people, it's possible that the recent attack against Mumsnet was the work of a single person with a grudge, and its misogynistic nature suggests a personal, rather than a political or financial, motive.
In this case, DDoS was just part of a campaign that included account hijacking, redirection of the Mumsnet home page to the attacker's Twitter page, the compromise of around 3,000 user records, and the ‘swatting’ of site
The DD4BC gang
One of the leading motivations for DDoS attacks has always been extortion, and so it continues. Both Akamai and Verisign have warned about the antics of a particular group of attackers, dubbed DD4BC (‘DDoS for Bitcoins’) [10]. According to the Akamai report: “The DD4BC group has been responsible for a large number of Bitcoin extortion campaigns dating back to 2014. In the past year, the group expanded its extortion and DDoS campaigns to target a wider array of business sectors – including
Sneak attacks
Unquestionably, one of the most significant developments in DDoS attacks has been their use to mask other forms of network incursion. This has been seen with attacks on banks for some years now, but over the past year or so this form of attack has become common elsewhere, too.
“We are starting to see an increase as DDoS being used, not as the acronym describes (denial of service) but as a distraction tool for attackers to further profile network security infrastructure, exploit known or zero-day
Doing something about it
Attacks like the one against Mumsnet show that we are past the point where only banks and gambling firms needed to worry about DDoS attacks. Nor do you need to be a high-profile organisation that has incurred the wrath of activists. Now everyone is a potential target. The question is, what to do about it?
The first step, clearly, is to be prepared. Having a lot of inbound bandwidth helps, but is expensive when you're not using it – and if it's large enough to withstand a major attack, then it's
Having a plan
It's also a good idea to assume that any preparations you've made to head-off an attack will fail – and that means being ready for the worst. “Having a plan in place to deal with attacks is very important,” says Watkins. “The last thing a company wants to be doing is running around endlessly during a DDoS attack trying to work out both what is happening and what actions to take. Many DDoS mitigation providers offer specialist response services that can quickly perform traffic redirection, but
About the author
Steve Mansfield-Devine is a freelance journalist specialising in information security. He's the editor of Network Security and its sister publication Computer Fraud & Security. He also blogs and podcasts about infosecurity issues at Contrarisk.com.
References (11)
‘Greater Manchester plod site targeted by nuisance DDoS attack’. The Register, 3 Sep 2015.
‘2015 Data Breach Investigation Report’. Verizon.
‘Distributed Denial of Service Trends Report: Second Quarter 2015’. Verisign.
‘State of the Internet’. Akamai, 18 Aug 2015.
‘A New DDoS Reflection Attack: Portmapper; An Early Warning to the Industry’. Level 3 blog, 17 Aug 2015.