
A brief history of DDoS attacks

2025-02-14 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

Denial of service attacks have been part of the crime toolbox for two decades and will only become more and more common and powerful.

What is a DDoS attack?

A distributed denial of service (DDoS) attack is an attempt by an attacker to make a service unavailable. This can be achieved by blocking access to almost anything: servers, devices, services, networks, applications, and even specific transactions within an application. In a DoS attack, a single system sends the malicious data or requests; a DDoS attack comes from many systems at once.

Typically, these attacks work by flooding a system with requests for data. That could mean sending so many requests to a web server that the site collapses under the load, or sending a huge volume of queries to a database. The result is that the available Internet bandwidth, CPU, and RAM capacity are overwhelmed.

The impact can range from a minor service disruption to the loss of entire websites, applications, or even entire businesses.

Symptoms of DDoS attack

DDoS attacks can look like many benign things that also cause availability problems, such as a failed server or system, too many legitimate requests from legitimate users, or even a cut cable. It usually takes traffic analysis to determine what is actually going on.

DDoS attack timeline

This was the attack that permanently changed how denial of service was viewed: in early 2000, Canadian high school student Michael Calce (aka MafiaBoy) launched an attack on Yahoo! and managed to shut down one of the leading web engines of the time with a distributed denial of service (DDoS) attack. The following week, Calce targeted and successfully disrupted other sites such as Amazon, CNN and eBay.

Of course, this was not the first DDoS attack, but this series of highly public and successful attacks transformed denial of service from a novelty and nuisance into what CISOs and CIOs have regarded ever since as a powerful tool for sabotaging a business.

Since then, DDoS attacks have become a very common threat because they are often used for retaliation, extortion, as a means of online activism, and even to launch cyber warfare.

Over the years, DDoS attacks have also become more threatening. In the mid-1990s, an attack might have consisted of sending 150 requests per second, enough to bring down many systems. Now they can exceed 1000 Gbps, driven largely by the sheer size of botnets.

In October 2016, Internet infrastructure service provider Dyn DNS (now Oracle DYN) was hit by a wave of DNS queries from tens of millions of IP addresses. The attack was carried out through the Mirai botnet, which reportedly infected more than 100,000 Internet of Things devices, including IP cameras and printers. At its peak, the number of Mirai bots reached 400,000. Services including Amazon, Netflix, Reddit, Spotify, Tumblr and Twitter were disrupted.

In early 2018, a new DDoS technique began to emerge. On Feb. 28, version control hosting service GitHub suffered a massive denial of service attack that hit the popular site with 1.35 TB per second. Although GitHub only went offline intermittently and repelled the attack in less than 20 minutes, its scale was worrying because it exceeded the Dyn attack, which had peaked at 1.2 TB per second.

An analysis of the technique used to launch the attack shows that in some ways it was simpler than others. Whereas the Dyn attack was the product of the Mirai botnet, which required malware to infect thousands of Internet of Things devices, the GitHub attack took advantage of servers running the Memcached memory caching system, which can return very large blocks of data in response to simple requests.

Memcached is meant to be used only on protected servers on internal networks, so it typically has few security mechanisms to stop a malicious attacker from spoofing an IP address and directing large amounts of data at an unsuspecting victim. Unfortunately, thousands of Memcached servers sit on the open Internet, and their use in DDoS attacks has soared. It is not quite fair to say the servers are "hijacked", since they gladly send the packets without asking any questions.

A few days after the GitHub attack, another Memcached-based DDoS attack hit a US service provider with 1.7 TB per second of data.

The significance of the Mirai botnet is that, unlike most DDoS attacks, it takes advantage of vulnerable Internet of Things devices rather than PCs and servers. This is particularly frightening because, according to BI Intelligence, there will be 34 billion Internet-connected devices by 2020, and most of them (24 billion) will be Internet of Things devices.

Unfortunately, Mirai will not be the last botnet to use IoT. An investigation by security teams at Akamai, Cloudflare, Flashpoint, Google, RiskIQ and Team Cymru found a botnet of similar size, called WireX, made up of 100,000 Android devices in 100 countries. A series of large DDoS attacks on content providers and content delivery networks prompted the investigation.

DDoS attacks today

Although the number of DDoS attacks has been declining, they remain a major threat. Kaspersky Labs reported that in every quarter of 2018 except the third, which had an "extraordinarily active September", the number of DDoS attacks fell compared with the same quarter of the previous year. Overall, DDoS activity fell by 13% in 2018.

Kaspersky says the recent discovery of botnets like Torii and DemonBot that can launch DDoS attacks is worrying. Torii can take over a range of Internet of Things devices and is considered more persistent and dangerous than Mirai. DemonBot hijacks Hadoop clusters, which gives it far more computing power.

Another worrying trend is the availability of new DDoS launch platforms such as 0x-booter. It launches attacks from about 16,000 Internet of Things devices infected with the Bushido malware (a variant of Mirai).

The Kaspersky report did find a reason for the decline in DDoS attacks and the damage they cause. It cites the effectiveness of global law enforcement agencies in shutting down DDoS operators, which may be one reason for the reduction.

DDoS attack tools

Typically, DDoS attackers rely on botnets: collections of malware-infected systems under central control. These infected endpoints are usually computers and servers, but increasingly they are Internet of Things and mobile devices. Attackers acquire these systems by identifying vulnerable ones and compromising them through phishing, other malicious campaigns, and large-scale infection techniques. More and more attackers simply rent botnets from the people who build them.

Three types of DDoS attacks

There are three main types of DDoS attack. The first uses large volumes of fake traffic to tie up a resource such as a website or server; this category includes ICMP, UDP, and spoofed-packet flood attacks. The second uses packets to attack network infrastructure and the tools that manage it; these protocol attacks include SYN floods and Smurf DDoS. The third targets an organization's application layer and is carried out by sending a large number of maliciously crafted requests to the application. The goal of all three is the same: to make an online resource slow or completely unresponsive.
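The symptoms section above notes that it usually takes traffic analysis to tell an attack from an innocent outage, and the three categories just listed leave different fingerprints in that traffic. The following is an added example, not from the article or any vendor, of a simple window-based analysis over constructed packet records: a quiet baseline, then a SYN flood (protocol attack), a UDP flood (volumetric attack), and a burst of requests to an expensive endpoint (application-layer attack). The record format, the thresholds, and the IP addresses are all assumptions chosen for illustration.

```python
"""Window-based traffic analysis that tells a volumetric flood, a SYN flood and an
application-layer flood apart from ordinary traffic.  Added example, not from the
article; packet records and thresholds are constructed for illustration."""
from collections import Counter, defaultdict


def legit_client_second(ts, client):
    """One second of ordinary browsing for a constructed client: handshake plus one page load."""
    src = f"198.51.100.{client}"
    return [
        {"ts": ts, "src": src, "proto": "tcp", "flags": "S"},
        {"ts": ts, "src": src, "proto": "tcp", "flags": "A"},
        {"ts": ts, "src": src, "proto": "http", "path": "/index.html"},
    ]


def build_sample():
    """Constructed 40-second capture: quiet baseline, then three attack phases."""
    recs = []
    for ts in range(40):                      # 5 legitimate clients throughout
        for client in range(1, 6):
            recs += legit_client_second(ts, client)
    for ts in range(10, 20):                  # 10-19 s: SYNs from 200 spoofed sources, never ACKed
        for i in range(200):
            recs.append({"ts": ts, "src": f"192.0.2.{i}", "proto": "tcp", "flags": "S"})
    for ts in range(20, 30):                  # 20-29 s: UDP flood, 300 packets/s from 50 sources
        for i in range(300):
            recs.append({"ts": ts, "src": f"192.0.2.{i % 50}", "proto": "udp"})
    for ts in range(30, 40):                  # 30-39 s: 3 sources hammer an expensive endpoint
        for i in range(3):
            for _ in range(40):
                recs.append({"ts": ts, "src": f"203.0.113.{i}", "proto": "http", "path": "/search?q=x"})
    return recs


def analyze_window(recs, seconds, baseline_pps, max_http_rps):
    """Return labels for one time window (empty list = nothing unusual)."""
    labels = []
    pkts = [r for r in recs if r["proto"] != "http"]     # transport-level records
    pps = len(pkts) / seconds
    tcp = [r for r in pkts if r["proto"] == "tcp"]
    syn_only = [r for r in tcp if r["flags"] == "S"]
    udp_share = sum(r["proto"] == "udp" for r in pkts) / len(pkts) if pkts else 0.0

    # Protocol attack: nearly every TCP packet is a bare SYN and they come from many sources
    # (half-open connections exhaust the listen backlog; a real handshake is SYN then ACK).
    if tcp and len(syn_only) / len(tcp) > 0.8 and len({r["src"] for r in syn_only}) > 50:
        labels.append("protocol:syn_flood")
    # Volumetric attack: packet rate far above the quiet-period baseline.
    elif pps > 5 * baseline_pps:
        labels.append("volumetric:udp_flood" if udp_share > 0.5 else "volumetric:flood")

    # Application-layer attack: single sources issuing requests far faster than a human client.
    http_per_src = Counter(r["src"] for r in recs if r["proto"] == "http")
    if any(n / seconds > max_http_rps for n in http_per_src.values()):
        labels.append("application:http_flood")
    return labels


def analyze(records, window=10, baseline_pps=10.0, max_http_rps=10.0):
    """Split records into fixed windows and label each.  baseline_pps is the transport-level
    packet rate measured during known-good traffic (10/s for the constructed clients)."""
    by_window = defaultdict(list)
    for r in records:
        by_window[r["ts"] // window].append(r)
    return {w: analyze_window(by_window[w], window, baseline_pps, max_http_rps)
            for w in sorted(by_window)}


if __name__ == "__main__":
    for w, labels in analyze(build_sample()).items():
        print(f"window {w * 10:>2}-{w * 10 + 9}s: {labels or 'normal'}")
```

The point of keeping the three checks separate is that each category needs a different response: a volumetric flood is absorbed upstream (ISP or scrubbing provider), a SYN flood is handled at the edge with SYN cookies or backlog tuning, and an application-layer flood is best rate-limited per source at the web tier, where the offending requests are visible. In real captures the baseline and the per-source request ceiling should be measured from known-good traffic rather than hard-coded.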

How DDoS attacks evolve

As mentioned above, these attacks through rented botnets are becoming more and more common, and this trend is expected to continue.

Another trend is the use of multiple attack vectors in one attack, also known as advanced persistent denial of service (APDoS). For example, an APDoS attack may involve the application layer, such as attacks on databases and applications, as well as attacks directly on the server. "It's not just flooding," said Chuck Mackey, managing director of partner success at Binary Defense.

In addition, Mackey explained that attackers often target not only the victim directly but also the organizations it relies on, such as ISPs and cloud providers. "These are extensive, high-impact attacks, and well coordinated."

This is also changing the impact of DDoS attacks on organizations and increasing their risk. "Companies are no longer just focusing on DDoS attacks on themselves, but on the large number of business partners and suppliers on which they rely," said Mike Overly, a cyber security lawyer at law firm Foley & Lardner. "One of the oldest proverbs in the field of security is that the security of an enterprise depends on its weakest link. In today's environment (as evidenced by recent breaches), the weakest link may be, and often is, one of those third parties," he said.

Of course, as criminals refine their DDoS attacks, the technology and tactics will not stand still. As Rod Soto, head of security research at JASK, explains, the growth in new Internet of Things devices and the rise of machine learning and artificial intelligence will all play a role in changing these attacks. "Attackers will eventually integrate these technologies into their attacks, making it harder for defenders to keep up with DDoS attacks, especially those that cannot be stopped by simple ACLs or signatures. DDoS defense technology must also evolve in this direction," he said.
