SBA


Do You DDoS?

Out there in CyberSpace a common technique for preventing people accessing a website or using an Internet service is the “Denial of Service” cyber attack. The rules of the game are simple: pick on a website (or email service or cloud storage provider etc.) and send it so many requests or so much web traffic that its servers or Internet connections can’t cope. The result is that the servers will either become so overloaded and unresponsive that for all intents and purposes they cease working, or they will actually crash. Either way the Denial of Service attack has succeeded because nobody can use the website, frustrating both the website operator and his customers.

There are many reasons why cyber criminals / activists perform DoS attacks - they may be outraged at the politics of a nation state and seek to take state websites offline, or they may hold a web-based business (e-shopping, e-gaming etc.) to ransom by denying their customers access so that the business cannot trade. Etc., etc., etc. DoS attacks are carried out by activists in revenge for myriad harms, real or imagined, and by crooks who extort large amounts of cash from legitimate businesses. 

Whatever the reason, the principle of the DoS attack is simple - talk louder and faster than the victim so he can’t get a word in edgeways. Executing a DoS attack is also simple; OK the majority of you reading this article can’t make a DoS attack on a website, but for a competent techie it takes less than a minute to set off a process to bombard another computer. 

Being so easy to do, DoS attacks used to be commonplace and website owners took reasonable precautions to prevent their services from being overwhelmed by making sure their web server and Internet hosting provider could cope with the extra traffic. The cyber attackers responded with an escalation, DDoS, the “Distributed Denial of Service” attack. The principle of a DDoS attack is the same as a DoS attack, except that instead of being a bombardment from a single computer the DDoS attack enlists multiple computers on multiple networks thereby making the DDoS attack much larger and more irresistible than a simple DoS attack. The cyber attacker’s strategy is simple and effective; enroll enough computers to attack the target and the assault will be impossible to withstand.

The Internet industry came up with a mitigation for DDoS - distribute multiple copies of the target website to different data centres around the world so that if one is bombarded the others are still available to serve the customer. The DDoSers responded by enlisting more computers so that they could attack and overwhelm multiple targets simultaneously. A couple of weeks ago the website of a well known Cyber Security journalist, Brian Krebs, was taken offline, despite having first-class DDoS protection, by an attack which used 620 Gigabits of Internet bandwidth to overwhelm the DDoS protection systems. That’s equivalent to the combined upload speed of roughly 250,000 Manx Telecom “Ultima” broadband connections, and bearing in mind that the average e-commerce web server has a 100 Megabit connection it would be an overkill ratio of 6,200:1 for the typical online business. Of course most people around the world don’t have broadband as fast as the Isle of Man; the security analysts for the DDoS protection provider have estimated that the number of computers attacking them was around one million.

How the heck does a cyber attacker manage to rustle up one million computers? 

That’s where you come in. The cyber attacker “borrowed” those one million computers from other people - you and me (well not me, but maybe you). Actually “computers” is stretching it a bit, might be better to call them “devices”, or “things”, because whilst they all contained computers and were connected to the Internet, the majority of the attacking computers were actually Internet cameras, broadband routers, and similar devices which have a small computer embedded within them. They all had one thing in common, the cyber attacker “recruited” those devices and enrolled them into a “botnet” - a collective of devices connected to the Internet which he could control. If you have a broadband router, or an internet connected baby monitor or security camera or digital video recorder or printer or similar then the cyber attacker may have borrowed one of his computers from you.

Cyber attackers obtain their botnets by finding insecure devices - those where the default username and password have not been changed, or where the chosen password is weak. Unfortunately huge swathes of people don’t change the passwords on Internet devices such as cameras, routers, central heating controllers etc. because they don’t understand them as being a risk in the same way that they do understand the need to set strong passwords on their computers which they use for Internet shopping, banking, social media etc. The result is that it is very easy for the criminal to create a huge botnet to mount DDoS attacks or spam email campaigns.

The campaign to take Brian Krebs’ website offline was, at 620 Gigabits per second, the largest DDoS attack recorded - for a few days. Just before the end of last month another DDoS attack, of around 1,100 Gigabits per second (1.1 Terabits) was mounted against Internet hosting provider OVH. This too was primarily achieved by using a massive botnet of Internet of Things devices such as web cameras.

The author of the DDoS software used to attack Krebs has now released his software into the public domain so that anyone so inclined can take it and build their own DDoS botnet, meaning that we can expect more massive attacks. His motivations are unknown, but he claims to have made his money and thinks it’s time to move on. 

So what about the money? Whilst some DDoS attacks are for political or revenge purposes, many are purely for criminal extortion. The criminal takes an e-commerce site offline with a DDoS attack, and sends the site owner a ransom note. There is good money to be had from computer crime. Actually the criminal doesn’t even need to know how to create a DDoS attack, because many botnets are openly for hire - the starting price is around twenty US dollars a month. The attack on Krebs is thought to be a revenge attack because he exposed the two young Israeli creators of a DDoS for hire service, vDOS, who are thought to have made 600,000 dollars over the past couple of years simply by mounting tens of thousands of DDoS attacks for anyone who stumped up the cash. Cyber crime definitely pays.

So, coming back to the title - Do You DDoS? The answer is quite likely. If you have an Internet-connected security system with digital video recorder and IP video cameras, at home or work, and the system passwords have not been changed then it’s a strong possibility that your equipment and Internet connection have been hijacked by global cyber criminals. The same goes for other devices such as network printers, broadband routers etc. 

The good news is that for most of these devices all you need to do is reboot them in order to flush out the cyber criminal’s malware which allows them to control your devices. The bad news is that if you don’t change the passwords for something stronger then the criminals will likely re-enlist your devices within hours. 

Security of the Internet of Things (IoT) is becoming a major issue. With all the hype around the IoT many devices have been rushed to market with insecure code and known administrator passwords, and many device owners have not understood why it is so important to make these devices secure. The forecasters are saying that the number of devices connected to the Internet will grow by ten billion over the next five years - and most of this growth will be in IoT devices. Obviously unless something changes in our approach to security the botnets will be able to recruit many more devices - a botnet of ten million slaves is easily foreseeable, and the criminals will have the power not only to take down individual websites; if they want (if someone pays them enough) they will be able to take whole countries off the Internet.

Protect yourselves and the rest of us - reboot your Internet devices, and check and change the passwords. If you buy new Internet connected devices then make sure that the first thing you do is set up strong passwords. If you’re in e-business then investigate DDoS protection - don’t make the mistake of thinking “it won’t happen to us”; for twenty dollars any aggrieved customer, ex-employee, competitor or whoever can try to take you off the Internet.
