What is the state of distributed denial-of-service (DDoS) attacks and the associated cyber security measures in 2015? Last year was a banner one for DDoS, in terms of not only which organizations were targeted, but also which technical routes the attackers used and the vast scale seen in the most notable DDoS campaigns:
- Feedly, Evernote and CloudFlare made headlines after their servers were overwhelmed with meaningless traffic. The cyber attacks were all highly disruptive. Evernote had around 100 million users last year, Feedly managed 40 million RSS feeds and CloudFlare was hit with what was, at the time, a record-breaking attack that peaked at 400 Gbps.
- Moreover, DDoS was used as a means to extort money from victims and, in some cases, to make political or social statements. The Feedly incident featured extortion, while a string of DDoS attacks against the online game “League of Legends” included at least one episode initiated by a hacker collective looking to harass a prominent Twitch livestreamer (Twitch is sort of like YouTube for live video games).
- The Network Time Protocol became fertile ground for DDoS attacks throughout 2014, giving attackers an alternative to DNS reflection, traditionally the most common vector for DDoS. Last year, one online gambling site had to fend off DDoS from multiple vectors at once, including NTP amplification, DNS reflection and SYN flood. The NTP vector abuses servers that still answer the legacy “monlist” query with a list of recent clients: a tiny spoofed request draws a reply hundreds of times larger, so attackers get far more bandwidth per reflector than DNS typically yields, with fewer security obstacles in the way.
It’s really early in 2015, but there’s already plenty to talk about in terms of DDoS and where it’s heading. While we might not see the radical changes in tactics and scale that unfolded throughout 2014, CIOs and their teams will still have to come to terms with DDoS efforts becoming easier to execute as well as increasingly common components of targeted attacks against their organizations.
Holiday DDoS attacks highlight this evolution of tactics, motives
We mentioned gaming as a sector that has historically struggled with DDoS. The increasingly online nature of major gaming properties – “League of Legends,” for instance, cannot even be played offline – along with the professionalization of video gaming has created an almost ideal target for DDoS perpetrators.
On a small scale, looking up an opponent’s home IP address through their Skype account and flooding it is a popular way to conduct a mini DDoS attack so that a match in a game like “League of Legends” can’t be lost. However, much broader DDoS campaigns often affect gaming, creating service outages that affect millions of players.
This past holiday season, both the PlayStation Network and Xbox Live went down for a while after a group called LizardSquad began flooding these online services on Christmas Day, for no other reason than to apparently annoy as many people as possible and show off the power of its DDoS tools. The same collective is known for its frequent attacks against the website of security blogger Brian Krebs and for marketing DDoS infrastructure called LizardStresser. How did it succeed in bringing down the vast networks that support Sony’s and Microsoft’s gaming consoles?
For starters, DDoS attacks have become easier to execute. Whereas initiating DDoS may have once required copious in-house computing resources as well as technical and financial wherewithal, the bar for entry has been lowered in recent years. How-to videos are freely available on YouTube, plus there are Web-based tools that simplify the entire process.
Across the board, loosely secured IT infrastructure has also become a key asset for opportunistic DDoS attacks, as Krebs explained in reviewing the attempts against his own site. In that case, attackers leveraged compromised systems, using infrastructure from legitimate industries to power their DDoS attacks. LizardStresser may be built on top of a botnet consisting of thousands of compromised home routers.
“[W]hat’s most interesting about these compromised and/or misconfigured systems is how many of them are located at legitimate companies that have been compromised by miscreants,” wrote Krebs. “[M]ost of the malicious sources were Windows-based servers powered by Microsoft’s IIS Web server technology. The top five industries where those compromised systems reside are in entertainment, banking, hosting providers, software-as-a-service providers and consulting services.”
Computing resources are being hijacked and harnessed for DDoS. While it is unclear whether any of the specific systems mentioned by Krebs were used in the attacks against PlayStation Network and Xbox Live, it is becoming apparent that anyone interested in initiating DDoS has an increasingly wide set of options to choose from, whether they end up using the power of someone else’s computers or learning effective techniques from tutorials.
DDoS-for-hire and the future of DDoS mitigation
LizardSquad’s approach to DDoS requires a lot of moving parts to work in concert. More specifically, LizardStresser has a user interface and API, with backend support coming from the botnet of routers and a cloud-based content delivery network that masks the system. It’s designed to be easy to use and highly effective against its targets.
The proliferation of tools in this mold enables a sort of “DDoS-for-hire,” with botnet controllers able to market and sell their experience and infrastructure to anyone looking to carry out a DDoS attack. DDoS has gone from a black market activity to one that groups like LizardSquad are promoting out in the open.
For enterprises, the changing contours of DDoS attacks and their perpetrators will require renewed attention to network security. Teams must ensure not only that DDoS attacks are identified and mitigated, with out-of-band management in place so that administrators can still reach affected devices while in-band links are saturated, but also that company infrastructure is secure enough that it does not become enlisted into a DDoS botnet or used as a reflector, whether that means a compromised web server, a home router with a weak default password, or an NTP or DNS server that answers anyone on the Internet.
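The following is an added example, not code from the article or from any product it mentions. It shows the two halves of the closing point above, and the three vectors named in the opening list (NTP amplification, DNS reflection, SYN flood), as triage logic over flow records: one function counts distinct senders per vector aimed at a victim, the other catches the reverse case where a host of ours is answering oversized UDP/123 or UDP/53 replies to many outside addresses, i.e. it is being used as a reflector. The record format, the byte-per-packet and sender-count thresholds, and all of the sample traffic are constructed here for illustration and are not figures from the article.

```python
"""Flow-record triage for NTP amplification, DNS reflection and SYN flood,
plus a check for our own hosts acting as reflectors.  Added example; the
record layout, thresholds and sample traffic below are all constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Flow:
    proto: str     # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    packets: int
    nbytes: int
    flags: str     # TCP flags such as "S" (SYN only); "" for UDP


def parse_flow(line: str) -> Flow:
    """Parse one constructed, comma-separated flow record."""
    proto, src, sport, dst, dport, packets, nbytes, flags = line.strip().split(",")
    return Flow(proto, src, int(sport), dst, int(dport), int(packets), int(nbytes), flags)


# Thresholds are assumptions chosen for this example, not figures from the article.
NTP_REPLY_BYTES = 200   # an ordinary NTP reply is under 100 bytes on the wire; monlist chunks are far larger
DNS_REPLY_BYTES = 512   # classic UDP DNS answers fit in 512 bytes; amplified ANY answers do not
MIN_SOURCES = 20        # distinct senders of one vector before we call it an attack


def _vector(f: Flow) -> Optional[str]:
    """Name the attack vector a single flow looks like, or None if it looks benign."""
    avg = f.nbytes / f.packets
    if f.proto == "udp" and f.sport == 123 and avg > NTP_REPLY_BYTES:
        return "ntp_amplification"
    if f.proto == "udp" and f.sport == 53 and avg > DNS_REPLY_BYTES:
        return "dns_reflection"
    if f.proto == "tcp" and f.flags == "S":
        return "syn_flood"
    return None


def classify_inbound(flows: Iterable[Flow], target: str) -> Dict[str, int]:
    """Count distinct senders per vector aimed at `target`; keep only vectors
    with at least MIN_SOURCES senders, so a single odd flow is not an alarm."""
    senders: Dict[str, Set[str]] = defaultdict(set)
    for f in flows:
        if f.dst != target:
            continue
        v = _vector(f)
        if v:
            senders[v].add(f.src)
    return {v: len(s) for v, s in senders.items() if len(s) >= MIN_SOURCES}


def reflector_abuse(flows: Iterable[Flow], our_hosts: Set[str]) -> Dict[str, int]:
    """The other direction: a host of ours answering from UDP/123 or UDP/53 with
    oversized replies to many outside addresses is being used as a reflector."""
    victims: Dict[str, Set[str]] = defaultdict(set)
    for f in flows:
        if f.src in our_hosts and f.proto == "udp" and f.sport in (123, 53):
            if f.nbytes / f.packets > min(NTP_REPLY_BYTES, DNS_REPLY_BYTES):
                victims[f.src].add(f.dst)
    return {h: len(d) for h, d in victims.items() if len(d) >= MIN_SOURCES}


def sample_flows() -> List[Flow]:
    """Constructed traffic: one victim hit by all three vectors, a few benign
    flows, and one of our NTP servers reflecting at 30 outside addresses."""
    victim = "203.0.113.10"
    lines = []
    # 25 open NTP servers each returning 100 monlist packets of 482 bytes
    lines += [f"udp,198.51.100.{i},123,{victim},51000,100,48200," for i in range(1, 26)]
    # 30 open resolvers each returning ten 3000-byte ANY answers
    lines += [f"udp,192.0.2.{i},53,{victim},51001,10,30000," for i in range(1, 31)]
    # 40 spoofed sources sending bare SYNs, 40 bytes each
    lines += [f"tcp,10.{i}.0.1,{40000 + i},{victim},443,50,2000,S" for i in range(1, 41)]
    # benign: a real 76-byte NTP reply, an established TCP session, a small DNS answer
    lines += [f"udp,198.51.100.200,123,{victim},123,1,76,",
              f"tcp,10.9.9.9,40123,{victim},443,20,14000,SA",
              f"udp,192.0.2.200,53,{victim},51002,1,120,"]
    # our own NTP server (203.0.113.5) answering monlist to 30 distinct outside hosts
    lines += [f"udp,203.0.113.5,123,198.51.100.{i},5{i:04d},100,48200," for i in range(30, 60)]
    return [parse_flow(line) for line in lines]


if __name__ == "__main__":
    flows = sample_flows()
    print("inbound:", classify_inbound(flows, "203.0.113.10"))
    print("reflectors:", reflector_abuse(flows, {"203.0.113.5", "203.0.113.10"}))
```

The per-flow rules deliberately key on bytes per packet rather than total volume: a legitimate NTP or DNS reply is small, so large replies from source port 123 or 53 are the signature regardless of rate, while a SYN flood is recognised by the flag pattern and the spread of sources rather than by size. In production the same logic would read NetFlow, sFlow or IPFIX exports instead of the constructed records used here.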