
Secplicity - Security Simplified

Powered by WatchGuard Technologies

Lessons from Blackhat 2016 – Investigating DDoS-as-a-Service

August 10, 2016 By Marc Laliberte

Last week at the Blackhat and DEFCON security conferences in Las Vegas, I had the privilege of attending several presentations by some brilliant information security researchers. My next few editorials will cover my favorite presentations and what we all can learn from them.

Last Thursday at Blackhat, FBI special agent Elliot Peterson and Andre Correa, co-founder of Malware Patrol, presented their research into DDoS attacks, including DDoS-as-a-service purchased on a hacking marketplace. Peterson and Correa's talk covered the history of DDoS attacks, the attack methods of both past and present, and their first-hand experience as paying customers of DDoS-as-a-service providers.

Originally, cyber criminals used DDoS attacks to prevent victims from reaching their online bank accounts while the criminals drained the funds. Today, DDoS has become a common tool for a wide range of motivations, whether criminal, political or simply for the "lulz." Historically, DDoS attack methods included application exploitation (see Brobot), botnet toolkits (like Dirt Jumper), abuse of specific services (such as the NTP monlist command) and the LOIC tool. In their research, Peterson and Correa found attackers becoming more sophisticated, leveraging amplification and reflection techniques and IoT-based botnets. Furthermore, DDoS-as-a-service is increasingly accessible, opening up attacks to anyone with a credit card or a bitcoin wallet.

As part of their research, Peterson and Correa visited a common marketplace for DDoS-as-a-service and paid several providers to blast their test target. Their testing produced several interesting findings. First, as you could probably guess, a large portion of the providers turned out to be scammers who simply accepted payment and never launched an attack. Of those that actually did perform a DDoS attack, none hit their advertised bandwidth. In fact, despite nearly every provider advertising 250 Gbps or more of attack bandwidth, not a single one exceeded 30 Gbps, and most topped out at 1 to 5 Gbps. Furthermore, peak bandwidth was never maintained for longer than a few minutes and declined rapidly regardless of the duration paid for. Unsurprisingly, those dealing in a shady business have shady business practices when it comes to advertising their abilities.

Peterson and Correa also found and tested several providers of turnkey DDoS services. These providers rent out servers from which customers launch their own DDoS attacks. The servers typically include attack scripts, API functionality and lists of reflectors (hosts, such as open NTP servers, that answer a small request with a much larger response) to bounce amplification attacks off, and they are hosted with ISPs that do not filter spoofed source addresses, which a reflected attack requires, since each request must carry the victim's address as its source so that the reflector's response lands on the victim. Also unsurprisingly, the security of these servers was suspect at best, allowing Peterson and Correa to exploit several vulnerabilities and recover lists of targets hit by the servers' previous users.
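What a reflected, amplified flood looks like from the target's side, as an added example (not code from this post or from Peterson and Correa's talk): the key signal is UDP traffic arriving from a reflector's service port that the target never sent a request for, since the attacker's spoofed request went to the reflector, not from the victim. The Flow record is an assumption loosely modelled on NetFlow v5 export fields, and every record in build_sample() is constructed, shaped like the short-lived attacks described above: a burst from 200 abused NTP servers and 50 open resolvers that tails off within seconds.

```python
"""Spot a UDP reflection/amplification flood in NetFlow-style records.

Added example: this is not code from the Secplicity post or from Peterson and
Correa's talk. The Flow fields are an assumption loosely modelled on NetFlow v5
export fields, and every record in build_sample() is constructed by hand.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# UDP services routinely abused as reflectors, keyed by the port they answer from.
# Port 123 covers the NTP monlist case the post mentions.
REFLECTOR_SERVICES = {123: "ntp", 53: "dns", 1900: "ssdp", 161: "snmp", 19: "chargen"}

VICTIM = "203.0.113.10"  # TEST-NET-3 placeholder for the attacked host


@dataclass(frozen=True)
class Flow:
    ts: int       # flow start, unix seconds
    src: str
    sport: int
    dst: str
    dport: int
    proto: str    # "udp" or "tcp"
    packets: int
    bytes: int


def unsolicited_reflections(flows: Iterable[Flow], victim: str) -> Dict[str, Dict[str, int]]:
    """Inbound UDP from reflector service ports that the victim never sent a request for.

    A genuine reply is preceded by an outbound request from the same local port to the
    same remote ip:port. A reflected flood has no such request, because the attacker sent
    it to the reflector with the victim's address spoofed as the source. Simplification:
    no time window, so a request anywhere in the record set counts as a match.
    """
    flows = list(flows)
    requested = {(f.dst, f.dport, f.sport) for f in flows if f.src == victim and f.proto == "udp"}
    report: Dict[str, Dict[str, int]] = {}
    sources: Dict[str, Set[str]] = defaultdict(set)
    for f in flows:
        if f.dst != victim or f.proto != "udp" or f.sport not in REFLECTOR_SERVICES:
            continue
        if (f.src, f.sport, f.dport) in requested:
            continue  # solicited reply, e.g. the host's own NTP sync
        svc = REFLECTOR_SERVICES[f.sport]
        entry = report.setdefault(svc, {"sources": 0, "packets": 0, "bytes": 0})
        entry["packets"] += f.packets
        entry["bytes"] += f.bytes
        sources[svc].add(f.src)
    for svc, addrs in sources.items():
        report[svc]["sources"] = len(addrs)
    return report


def inbound_mbps_by_second(flows: Iterable[Flow], victim: str) -> Dict[int, float]:
    """Inbound rate in Mbit/s per second, attributing each flow to its start second."""
    per_sec: Dict[int, int] = defaultdict(int)
    for f in flows:
        if f.dst == victim:
            per_sec[f.ts] += f.bytes
    return {t: b * 8 / 1e6 for t, b in sorted(per_sec.items())}


def peak_and_sustained(timeline: Dict[int, float], fraction: float = 0.5) -> Tuple[float, int]:
    """Peak Mbit/s and how many seconds the rate stayed at or above `fraction` of that peak."""
    peak = max(timeline.values())
    return peak, sum(1 for v in timeline.values() if v >= fraction * peak)


def build_sample() -> List[Flow]:
    """Constructed records: a little normal traffic, then a reflected flood from t=10."""
    flows = [
        Flow(0, "198.51.100.5", 443, VICTIM, 51234, "tcp", 40, 28_000),  # ordinary HTTPS
        Flow(0, VICTIM, 52000, "198.51.100.7", 123, "udp", 1, 90),       # our own NTP query
        Flow(0, "198.51.100.7", 123, VICTIM, 52000, "udp", 1, 90),       # ... and its reply
    ]
    # 200 abused NTP servers each return 100 monlist-sized (468 B) packets the victim never
    # asked for; the responder count then tails off, as the rented attacks in the talk did.
    active = {10: 200, 11: 200, 12: 80, 13: 20}
    for t, n in active.items():
        for i in range(n):
            flows.append(Flow(t, f"192.0.2.{i + 1}", 123, VICTIM, 40000 + i, "udp", 100, 46_800))
    # 50 open DNS resolvers add one burst of large answers in the attack's first second.
    for i in range(50):
        flows.append(Flow(10, f"198.51.100.{100 + i}", 53, VICTIM, 45000 + i, "udp", 4, 5_200))
    return flows


if __name__ == "__main__":
    sample = build_sample()
    for svc, stats in unsolicited_reflections(sample, VICTIM).items():
        print(f"{svc}: {stats['sources']} unsolicited sources, "
              f"{stats['packets']} packets, {stats['bytes']} bytes")
    peak, secs = peak_and_sustained(inbound_mbps_by_second(sample, VICTIM))
    print(f"peak {peak:.2f} Mbit/s, held at >=50% of peak for {secs} s")
```

Run against the constructed sample, the host's own NTP exchange is correctly ignored while the 200 NTP and 50 DNS reflectors are reported as unsolicited, and the per-second timeline shows the attack holding its peak for only two seconds before tailing off. The same "response with no matching request" test works on firewall or router flow exports; in production, match requests within a short window (a few seconds) rather than anywhere in the data set.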

All in all, Peterson and Correa found DDoS-as-a-service mostly ineffective and easily defended against. All of the attacks were very short-lived and most were relatively low in peak bandwidth. While the target of a DDoS-as-a-service attack may experience a brief service interruption from the initial blast, the attacks quickly die off. Reflected attacks in particular depend on spoofed source addresses, so most of them are blunted when ISPs adopt anti-spoofing ingress filtering as described in RFC 2827 (BCP 38), which drops any packet entering from a customer with a source address outside that customer's assigned prefixes. On the target's side, DDoS protection features (such as those found in the WatchGuard Firebox) are effective in limiting most attacks. The final recommendation by Peterson and Correa was to be mindful of what services you allow at work. Specifically, they found that allowing online gaming puts you at an increased risk of DDoS attacks, typically as retaliation by sore losers. –Marc Laliberte
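The ingress filter RFC 2827 describes, as an added example (not code from this post or from the talk) of why it kills reflected attacks at their source: a provider's customer-facing edge forwards a packet only if its source address lies inside the prefixes assigned to that customer, so a request forged with the victim's address never reaches a reflector. The prefixes, the packets and the one-interface model are constructed for illustration.

```python
"""RFC 2827 (BCP 38) ingress filtering as a provider applies it on a customer-facing
edge: a packet may only enter from a customer with a source address inside the
prefixes assigned to that customer, so spoofed reflection requests never leave the
network they started from.

Added example, not code from the Secplicity post or from Peterson and Correa's talk.
The prefixes and packets are constructed; the one-interface model is an assumption.
"""
import ipaddress
from typing import Iterable, List, Tuple

# (src_ip, dst_ip, dst_port, payload_bytes): enough of a header to decide on.
Packet = Tuple[str, str, int, int]


class IngressFilter:
    """Filter for one edge interface, keyed by the prefixes legitimately behind it."""

    def __init__(self, assigned_prefixes: Iterable[str]):
        # strict=True rejects prefixes with host bits set, which usually means a typo.
        self.prefixes = [ipaddress.ip_network(p, strict=True) for p in assigned_prefixes]

    def is_valid_source(self, src_ip: str) -> bool:
        """True only for an address inside one of this interface's assigned prefixes.

        Malformed addresses are treated as spoofed: a filter that raises on odd input
        is a filter an attacker can turn off.
        """
        try:
            addr = ipaddress.ip_address(src_ip)
        except ValueError:
            return False
        return any(addr in net for net in self.prefixes)

    def filter(self, packets: Iterable[Packet]) -> Tuple[List[Packet], List[Packet]]:
        """Split packets into (forwarded, dropped)."""
        forwarded: List[Packet] = []
        dropped: List[Packet] = []
        for pkt in packets:
            (forwarded if self.is_valid_source(pkt[0]) else dropped).append(pkt)
        return forwarded, dropped


# Constructed traffic leaving a customer who holds 192.0.2.0/24 and 2001:db8:1::/48 and
# is running a rented attack box. 203.0.113.10 stands in for the victim whose address is
# being forged on requests to open NTP (123) and DNS (53) reflectors.
CUSTOMER_PREFIXES = ["192.0.2.0/24", "2001:db8:1::/48"]
SAMPLE_PACKETS: List[Packet] = [
    ("192.0.2.44", "198.51.100.7", 123, 48),             # the box's own NTP query: fine
    ("203.0.113.10", "198.51.100.7", 123, 48),           # spoofed monlist request: dropped
    ("203.0.113.10", "198.51.100.9", 53, 64),            # spoofed DNS query: dropped
    ("2001:db8:1::10", "2001:db8:ffff::53", 53, 64),     # legitimate v6 source: fine
    ("2001:db8:2::1", "2001:db8:ffff::53", 53, 64),      # v6 source outside the /48: dropped
]


def spoofed_requests_blocked(packets: Iterable[Packet] = SAMPLE_PACKETS,
                             prefixes: Iterable[str] = CUSTOMER_PREFIXES) -> int:
    """Number of packets the edge refuses to forward, i.e. reflection requests that die here."""
    _, dropped = IngressFilter(prefixes).filter(packets)
    return len(dropped)


if __name__ == "__main__":
    fwd, drop = IngressFilter(CUSTOMER_PREFIXES).filter(SAMPLE_PACKETS)
    for src, dst, port, _ in drop:
        print(f"drop {src} -> {dst}:{port} (source not in {CUSTOMER_PREFIXES})")
    print(f"forwarded {len(fwd)}, dropped {len(drop)}")
```

On real routers the same policy is normally expressed as unicast reverse-path forwarding rather than a hand-maintained prefix list (on Cisco IOS, `ip verify unicast source reachable-via rx` for strict mode), which derives the allowed sources from the routing table. The practitioner's caveat: strict mode drops legitimate traffic from multi-homed customers whose return path differs from the inbound one, so those interfaces get loose mode (`reachable-via any`), which only stops sources with no route at all and therefore lets a forged address that exists somewhere on the Internet, such as a victim's, through.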

Filed Under: Editorial Articles Tagged With: Security Education, Web Attacks
