Sunday Jan 22

An Update on DDoS

Denial-of-service attacks have been around for a long time, but due to Wikileaks they are now a hot daily news topic worth reviewing.

A DoS (denial-of-service) or DDoS (distributed denial-of-service) attack is simply an endeavor by hackers to make a computer resource unavailable to its users. These methods are now most often used to take Web-based services offline, although they have also taken whole countries offline, such as Estonia in 2007 and Georgia in 2008. A newer breed of cybercriminal DDoS is used for bank robberies and extortion.

There is no such thing as a good DDoS; whatever the motive or format, these attacks constitute unlawful digital sabotage, and they are damaging from a moral perspective as well as a virtual one. In the case of WikiLeaks, John Perry Barlow, founder of the Electronic Frontier Foundation and lyricist for the Grateful Dead, reasonably tweeted (@JPBarlow): “Sorry, but I don't support DDoSing. You can't defend The Right to Know by shutting someone up.”

Two wrongs do not make a right, so as we see one of the hacktivists in The Netherlands arrested for participating in the DDoS of Visa and MasterCard, hopefully we will see similar enthusiastic action taken by law enforcement against those who have DDoS'd WikiLeaks.

Cecilia Malmstrom, who is the European Home Affairs Commissioner, described the attacks on the WikiLeaks Website as “scary.” As DDoS-based cyber-attacks are on the increase, she hopes the awareness about them will act as the spur for changes in European law. She has now stated this will commence with proposals for a 24-hour EU attack alert hotline.

The attackers involved in the MasterCard and Visa DDoS used fairly basic tools: a Java-based port attack using the Low Orbit Ion Cannon (LOIC) app. An ironic choice of weapon, as this is actually a tool originally developed to test a Website's resilience to DDoS attacks; but obviously, if enough users point it at a Website at once, the effect can be quite detrimental.

Still, as noted on the Internet Storm Center site, the DDoS volunteers involved in last week's attacks should also know their IP addresses are easily logged by Visa or MasterCard and are being handed over to law enforcement.
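The point above, that the source addresses of a flood are recorded server-side, is where detection starts. The following is an added example, not code from the article or from HostExploit: it parses a handful of constructed access-log lines, counts requests per client IP inside a fixed time window, reports the sources that exceed a per-IP limit, and separately flags windows where the aggregate volume is abnormal even though no single address stands out (the pattern a distributed flood produces). The thresholds and the log lines are assumptions made for the example.

```python
"""Flag high-rate request sources in web server access logs.

Added illustration, not from the HostExploit article: a defender-side
check over access-log lines. The sample log below is constructed, and
the per-IP and aggregate limits are assumed values, not figures from
the article.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined"-style line; only the fields needed are captured.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, request) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("req")


def count_by_source(lines, window=timedelta(seconds=10)):
    """Bucket requests per IP into fixed windows; return {(ip, window_start): count}."""
    counts = Counter()
    width = int(window.total_seconds())
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed lines are skipped, not counted
        ip, ts, _ = parsed
        epoch = int(ts.timestamp())
        bucket = epoch - (epoch % width)  # align to the start of the window
        counts[(ip, bucket)] += 1
    return counts


def flag_sources(lines, per_ip_limit=20, window=timedelta(seconds=10)):
    """IPs that exceed per_ip_limit requests in any single window -> {ip: peak count}."""
    flagged = defaultdict(int)
    for (ip, _bucket), n in count_by_source(lines, window).items():
        if n > per_ip_limit:
            flagged[ip] = max(flagged[ip], n)
    return dict(flagged)


def distributed_flood(lines, total_limit=100, window=timedelta(seconds=10)):
    """Windows whose aggregate exceeds total_limit even if no single IP does.

    Returns {window_start_epoch: (total_requests, distinct_ips)}.
    """
    totals = Counter()
    ips = defaultdict(set)
    for (ip, bucket), n in count_by_source(lines, window).items():
        totals[bucket] += n
        ips[bucket].add(ip)
    return {b: (t, len(ips[b])) for b, t in totals.items() if t > total_limit}


# --- constructed sample log (RFC 5737 documentation addresses) ---
_BASE = datetime(2010, 12, 12, 10, 0, 0, tzinfo=timezone.utc)


def _line(ip, second, path):
    ts = (_BASE + timedelta(seconds=second)).strftime(TS_FMT)
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'


SAMPLE_LOG = (
    # one noisy source: 25 requests inside the first 10-second window
    [_line("203.0.113.7", i % 10, "/") for i in range(25)]
    # thirty quiet sources, 3 requests each, in the same window (90 in total)
    + [_line(f"198.51.100.{n}", n % 10, "/login") for n in range(1, 31) for _ in range(3)]
    # ordinary traffic in the following window
    + [_line("192.0.2.5", 12, "/about"), _line("192.0.2.5", 15, "/contact")]
    # a junk line that should be ignored by the parser
    + ["garbage line that should be ignored"]
)

if __name__ == "__main__":
    print("per-IP offenders:", flag_sources(SAMPLE_LOG))
    print("aggregate floods:", distributed_flood(SAMPLE_LOG))
```

The two checks are deliberately separate: a per-IP limit catches a single LOIC-style source, while the aggregate check is what surfaces a coordinated flood made up of many sources that each stay below the individual limit. In practice the window and thresholds would be tuned to a site's normal traffic, and the flagged addresses are the evidence that ends up with law enforcement, as the article notes.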

This kind of widespread publicity, ease of availability, and detailed description of a simple technique like the one just described foretells a further downside -- its low-level usage for cyberbullying and other cybercriminal acts.

For the higher-level cybercrime DDoS, we now have digital bank robbery in the form of “BlackEnergy,” an earlier version of which, originating from RBN (Russian Business Network) operations, was instrumental in the attacks on Georgia in 2008. Further, BlackEnergy now has a higher-specification competitor in the form of a botnet called “Destination Darkness Outlaw System” (D.D.O.S.), a.k.a. “Darkness.”

As described by André M. Di Mino of ShadowServer, Darkness can attack multiple hosts with ease, and a single Website can be overwhelmed by just 30 bots (enslaved, infected PCs).

To give a sense of the scale of this monster: around 5,000 bots could overwhelm a very big Website, even one equipped with anti-DDoS measures. An estimated 15,000- to 20,000-bot attack could theoretically bring down, say, Facebook, or the Russian equivalent of Facebook.

The Darkness service is now commercially available for cybercrime extortion, digital bank robbery, or commercial sabotage through underground sources for just $50 per 24-hour period.

When we view this environment for cyber-attacks, which seems to be worsening, it is clear why DDoS, and botnets in general, have to be unequivocally unlawful and acted against by law enforcement and government.

As noted, Cecilia Malmstrom, the European Home Affairs Commissioner, has proposed to push through the European Commission’s cyber-security plans, which include improvements to the way that attacks are reported. Documents released by the Commission on November 22 show that the body wants to see a system where attack information is shared among organizations and member states by 2013.

Other countries are now considering similar action. Despite its focus on CableGate, hopefully the US government will also grasp this opportunity to push through similar plans for the benefit of all Internet users.

Jart Armin