Last week at the Blackhat and DEFCON security conferences in Las Vegas, I had the privilege of attending several presentations by some brilliant information security researchers. My next few editorials will cover my favorite presentations and what we all can learn from them.
Last Thursday at Blackhat, FBI special agent Elliot Peterson and Andre Correa, co-founder of Malware Patrol, presented their research into DDoS attacks including DDoS-as-a-service purchased on a hacking marketplace. Peterson and Correa’s talk covered the history of DDoS attacks, the different attack methods from both past and present, and their first-hand experience in renting out DDoS-as-a-service.
Originally, cybercriminals used DDoS attacks to prevent access to online bank accounts while they drained funds from their victims. Presently, DDoS is becoming a common tool for a wide range of motivations, whether criminal, political or simply for the “lulz.” Historically, DDoS attack methods included application exploitation (see Brobot), botnet toolkits (like Dirt Jumper), specific application vulnerabilities (such as NTP monlist), and the LOIC tool. In their research, Peterson and Correa found attackers are now becoming more sophisticated in their methods by leveraging amplification and reflection techniques and IoT-based botnets. Furthermore, DDoS-as-a-service is becoming increasingly accessible, opening up attacks to anyone with a credit card or bitcoin wallet.
As part of their research, Peterson and Correa visited a common marketplace for DDoS as a service and contracted several service providers to blast their test target. After their testing, they ended up with several interesting findings. First, as you could probably guess, a large portion of the service providers turned out to be scammers that simply accepted payment and never launched an attack. For those that actually did perform a DDoS attack, none of them hit their advertised bandwidth. In fact, despite nearly every single provider advertising 250Gbps+ in attack bandwidth, not a single one exceeded 30Gbps and most topped out at 1-5Gbps. Furthermore, the peak bandwidth was never maintained for longer than a few minutes and declined very rapidly regardless of the paid duration of the attack. Unsurprisingly, those dealing in a shady business have shady business practices when it comes to advertising their abilities.
Peterson and Correa also found and tested several providers of turnkey DDoS services. These providers rent out servers for their customers to launch their own DDoS attacks. The servers typically include attack scripts, API functionality, lists of destinations to pivot off for amplification attacks, and are hosted behind ISPs that allow IP header spoofing (to enable reflected DDoS attacks). Also unsurprisingly, the security of these servers was suspect at best, allowing Peterson and Correa to exploit several vulnerabilities and find lists of destinations targeted by past users of the server.
All in all, Peterson and Correa found DDoS as a service mostly ineffective and easily defended. All of the attacks were very short-lived and most were relatively low in peak bandwidth. While the targets of DDoS as a service may experience a brief service interruption from the initial blast, the attacks quickly die off. Most of the attacks are mitigated by ISPs adopting anti-spoofing practices such as RFC 2827 ingress filtering, which stops the spoofed packets that reflected attacks depend on. On the client side, DDoS protection tools (such as those found in the WatchGuard Firebox) are effective in limiting most attacks. The final recommendation by Peterson and Correa was to be mindful of what services you allow at work. Specifically, they found that allowing online gaming puts you at an increased risk of DDoS attacks, typically as retaliation by sore losers. –Marc Laliberte
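An added example, not code from the talk or this article, of the RFC 2827 ingress-filtering check the paragraph refers to, written in Python over a constructed prefix table and a few constructed packet records: a customer-facing interface accepts a packet only when its source address belongs to that customer's assigned prefixes, so a request forged with a reflection victim's address is dropped at the edge before it can reach an amplifier. The interface names, prefixes and addresses are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed prefix table: which source prefixes may legitimately appear on each
# customer-facing interface (assumed values, documentation ranges only).
CUSTOMER_PREFIXES = {
    "cust-a": [ip_network("203.0.113.0/24")],
    "cust-b": [ip_network("198.51.100.0/25")],
}


@dataclass(frozen=True)
class Packet:
    ingress_if: str  # interface the packet arrived on
    src: str         # claimed source address
    dst: str         # destination (e.g. an open NTP/DNS server used as amplifier)
    dst_port: int


def ingress_filter(pkt: Packet) -> bool:
    """RFC 2827 / BCP 38 check: accept only if the source lies inside a prefix
    assigned to the interface the packet came in on. Unknown interfaces fail closed."""
    prefixes = CUSTOMER_PREFIXES.get(pkt.ingress_if)
    if not prefixes:
        return False
    src = ip_address(pkt.src)
    return any(src in prefix for prefix in prefixes)


def filter_packets(pkts):
    """Split traffic into (accepted, dropped) according to ingress_filter."""
    accepted = [p for p in pkts if ingress_filter(p)]
    dropped = [p for p in pkts if not ingress_filter(p)]
    return accepted, dropped


def spoof_counts(pkts):
    """Per-interface (dropped, total); a jump in the dropped share is a signal that a
    host behind that interface is being used to source a reflection attack."""
    stats = defaultdict(lambda: [0, 0])
    for p in pkts:
        stats[p.ingress_if][1] += 1
        if not ingress_filter(p):
            stats[p.ingress_if][0] += 1
    return {iface: tuple(v) for iface, v in stats.items()}


# Constructed sample traffic: 192.0.2.7 plays the reflection victim.
SAMPLE_PACKETS = [
    Packet("cust-a", "203.0.113.10", "192.0.2.1", 123),    # legitimate NTP query
    Packet("cust-a", "192.0.2.7", "192.0.2.1", 123),       # spoofed: source is the victim
    Packet("cust-a", "192.0.2.7", "192.0.2.2", 53),        # spoofed DNS reflection attempt
    Packet("cust-b", "198.51.100.5", "192.0.2.1", 443),    # legitimate
    Packet("cust-b", "198.51.100.200", "192.0.2.1", 123),  # outside the assigned /25
]
```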