The record-high year for DDoS attacks coincided with mass exploitation of the novel zero-day vulnerability HTTP/2 Rapid Reset, which threat actors used to launch record-breaking DDoS attacks during the third quarter of 2023.
Some DDoS attacks are causing more significant damage, such as a series of DDoS attacks against Microsoft in June that led to disruptions across multiple services, including Azure, OneDrive and Outlook.
The decline in HTTP DDoS attack traffic and the increase in network-layer DDoS attacks follow a similar trend, as the former requires significantly less computation and bandwidth but has the potential to yield similar results.
On October 21, 2016, one year ago this past weekend, the customers of a company called Dyn found themselves knocked off the Internet for all intents and purposes. A massive distributed denial of service (DDoS) attack was underway, and it had managed to render thousands of websites inaccessible. The attack specifically targeted the Domain Name System (DNS) servers of the provider Dyn (now Oracle).
The initial attack began at 7 am on the morning of October 21st. Just over two hours later the company had mitigated it. This, however, was not the end of the assault: two more attacks were launched against the service provider over the course of the day. The attacks left millions of Internet users unable to connect to numerous websites because the site names could not be resolved. This was an unfortunate result.
Through research from Akamai Technologies (full disclosure, I work there) and the security firm Flashpoint, it was disclosed that this attack was facilitated in part by the attackers' use of the Mirai botnet. This was a botnet built out of a rag-tag collection of Internet of Things (IoT) devices, comprising all manner of internet-connected devices from home routers to digital video recorders.
How was a botnet like Mirai possible? In most cases the IoT devices conscripted into the Mirai botnet still had their default credentials in place. These default credentials allowed the attackers to compromise the devices with little effort. In point of fact, default credentials for some 60+ devices were found in the Mirai source code that was dumped online several days after the initial attacks.
Now here we are a year later, and what have we learned? Lessons learned are often the overlooked aspect of many security incidents, and it is always good to review them. For the customers that were taken offline as a direct result of the denial of service, the lesson was that it is essential to have a secondary or even a tertiary DNS provider. If one provider goes offline for any reason, the chance of the customer also going down is reduced if they have other DNS providers to fall back on until service is recovered.
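One way to turn the "more than one DNS provider" lesson into a routine check is to look at a zone's NS record set and ask how many distinct operators it spans. The script below is an added example, not code from the post or from Dyn or Akamai. It uses constructed NS records for hypothetical zones and approximates the operator of each nameserver by the registrable domain of its hostname, which is a heuristic (it ignores multi-label public suffixes and would need a public-suffix list and real NS lookups in production).

```python
"""Check whether a zone's delegation spans more than one DNS provider.

Added example, not from the original post. The NS record sets are
constructed sample data; "provider" is approximated by the last two
labels of each nameserver hostname (a heuristic, not an authoritative
mapping of hosts to operators).
"""
from collections import defaultdict

# Constructed sample: NS record sets for three hypothetical zones.
SAMPLE_NS_RECORDS = {
    "single-provider.example": [
        "ns1.dnsprovider-a.example", "ns2.dnsprovider-a.example",
        "ns3.dnsprovider-a.example", "ns4.dnsprovider-a.example",
    ],
    "dual-provider.example": [
        "ns1.dnsprovider-a.example", "ns2.dnsprovider-a.example",
        "ns1.dnsprovider-b.example", "ns2.dnsprovider-b.example",
    ],
    "self-hosted.example": [
        "ns1.self-hosted.example", "ns2.self-hosted.example",
    ],
}


def registrable_domain(hostname: str) -> str:
    """Approximate a nameserver's operator by its last two DNS labels.

    Ignores multi-label public suffixes such as co.uk; good enough for the
    sample, but a real check should use the public suffix list.
    """
    labels = hostname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def providers_for(ns_hosts):
    """Group nameserver hostnames by approximate operator."""
    groups = defaultdict(list)
    for host in ns_hosts:
        groups[registrable_domain(host)].append(host)
    return dict(groups)


def assess_dns_resilience(zone: str, ns_hosts, min_providers: int = 2) -> dict:
    """Report whether the zone would stay resolvable if one provider went down."""
    groups = providers_for(ns_hosts)
    zone_domain = registrable_domain(zone)
    in_zone = [h for h in ns_hosts if registrable_domain(h) == zone_domain]
    return {
        "zone": zone,
        "providers": sorted(groups),
        "provider_count": len(groups),
        "resilient": len(groups) >= min_providers,
        # Nameservers inside the zone itself depend on glue records and on the
        # zone's own infrastructure, so an all-in-bailiwick set is flagged too.
        "self_hosted_only": bool(in_zone) and len(in_zone) == len(ns_hosts),
    }


if __name__ == "__main__":
    for zone, hosts in SAMPLE_NS_RECORDS.items():
        print(assess_dns_resilience(zone, hosts))
```

Four nameservers at one operator count as one provider: that is exactly the configuration that takes a customer down when the operator is attacked. Feeding the function real NS lookups (for example from a resolver library) is the only change needed to run it against a live zone.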
From the Mirai angle, I would have hoped that IoT manufacturers would have made a programmatic change to force customers to change default passwords at first login, once the shiny new device was powered on for the first time. This is a change I continue to hope for, as it would go a long way toward limiting the spread of botnets such as Mirai.
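What that programmatic change looks like in a device's management interface is simple to model. The class below is an added example, not firmware from any vendor: an admin account that ships with a factory password refuses every management action until that password is replaced, and rejects a replacement that is itself a well-known default or too short. The default-password list, the minimum length and the device model are constructed for the example.

```python
"""First-login credential rotation for an IoT management interface.

Added example, not vendor code. Models the behaviour the post asks for:
a device shipped with a default password refuses every action until the
operator replaces it, and the replacement may not be another known default.
"""
import hashlib
import hmac
import os

# Constructed sample of factory defaults; a vendor would use its own list.
KNOWN_DEFAULT_PASSWORDS = {"admin", "password", "1234", "12345", "default", "root"}
MIN_PASSWORD_LENGTH = 12
PBKDF2_ITERATIONS = 50_000  # kept modest so the example runs quickly


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 from the standard library."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def password_policy_violation(candidate: str):
    """Return a reason string if the candidate is unacceptable, else None."""
    if candidate.lower() in KNOWN_DEFAULT_PASSWORDS:
        return "rejected:known_default"
    if len(candidate) < MIN_PASSWORD_LENGTH:
        return "rejected:too_short"
    return None


class DeviceAdminAccount:
    def __init__(self, factory_password: str):
        self._salt = os.urandom(16)
        self._hash = _hash_password(factory_password, self._salt)
        # The shipped credential stays flagged until it has been replaced.
        self.must_change_password = True

    def _verify(self, password: str) -> bool:
        return hmac.compare_digest(_hash_password(password, self._salt), self._hash)

    def login(self, password: str) -> str:
        """Return 'denied', 'password_change_required' or 'ok'."""
        if not self._verify(password):
            return "denied"
        return "password_change_required" if self.must_change_password else "ok"

    def change_password(self, current: str, new: str) -> str:
        """The only action permitted while the factory password is in use."""
        if not self._verify(current):
            return "denied"
        problem = password_policy_violation(new)
        if problem:
            return problem
        self._salt = os.urandom(16)
        self._hash = _hash_password(new, self._salt)
        self.must_change_password = False
        return "changed"

    def perform_action(self, password: str, action: str) -> str:
        """Every management action is gated on a session in the 'ok' state."""
        state = self.login(password)
        if state != "ok":
            return state
        return f"executed:{action}"


if __name__ == "__main__":
    device = DeviceAdminAccount("admin")
    print(device.perform_action("admin", "reboot"))             # password_change_required
    print(device.change_password("admin", "password"))          # rejected:known_default
    print(device.change_password("admin", "correct-horse-stapler"))  # changed
    print(device.perform_action("correct-horse-stapler", "reboot"))  # executed:reboot
```

The point of the gate in perform_action is that the factory credential is never usable for anything except replacing itself, so a device that is exposed before its owner finishes setup still cannot be driven by a default-credential login.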
To make matters worse, we now find news of a botnet which is reportedly spreading on IoT devices again. This new botnet is based, in part, on the Mirai source code. In addition to checking for default credentials, this new malware also uses security vulnerabilities to infect devices.
While disconcerting, these were and are all lessons from which we can collectively learn to increase the security and stability of the Internet as a whole. Strong security practices in IoT device development, resilient DNS and vigilance are some of the key aspects we need to rely on for a more secure Internet.
In computing, a denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to a network. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled.[1] The range of attacks varies widely, spanning from inundating a server with millions of requests to slow its performance, overwhelming a server with a substantial amount of invalid data, to submitting requests with an illegitimate IP address.[2]
In a distributed denial-of-service attack (DDoS attack), the incoming traffic flooding the victim originates from many different sources. More sophisticated strategies are required to mitigate this type of attack; simply attempting to block a single source is insufficient as there are multiple sources.[3] A DoS or DDoS attack is analogous to a group of people crowding the entry door of a shop, making it hard for legitimate customers to enter, thus disrupting trade and losing the business money. Criminal perpetrators of DoS attacks often target sites or services hosted on high-profile web servers such as banks or credit card payment gateways. Revenge and blackmail,[4][5][6] as well as hacktivism,[7] can motivate these attacks.
Panix, the third-oldest ISP in the world, was the target of what is thought to be the first DoS attack. On September 6, 1996, Panix was subject to a SYN flood attack, which brought down its services for several days while hardware vendors, notably Cisco, figured out a proper defense.[8] Another early demonstration of the DoS attack was made by Khan C. Smith in 1997 during a DEF CON event, disrupting Internet access to the Las Vegas Strip for over an hour. The release of sample code during the event led to the online attack of Sprint, EarthLink, E-Trade and other major corporations in the year to follow.[9] The largest DDoS attack to date happened in September 2017, when Google Cloud experienced an attack with a peak volume of 2.54 Tb/s, revealed by Google on October 17, 2020.[10] Before that disclosure, the record was thought to be held by an attack executed by an unnamed customer of the US-based service provider Arbor Networks, reaching a peak of about 1.7 Tb/s.[11]
In February 2020, Amazon Web Services experienced an attack with a peak volume of 2.3 Tb/s.[12] In July 2021, CDN provider Cloudflare boasted of protecting its client from a DDoS attack from a global Mirai botnet that reached up to 17.2 million requests per second.[13] Russian DDoS prevention provider Yandex said it blocked an HTTP pipelining DDoS attack on Sept. 5, 2021 that originated from unpatched MikroTik networking gear.[14] In the first half of 2022, the war in Ukraine significantly shaped the cyberthreat landscape, with an increase in cyberattacks attributed to both state-sponsored actors and global hacktivist activities. The most notable event was a DDoS attack in February, the largest Ukraine has encountered, disrupting government and financial sector services. This wave of cyber aggression extended to Western allies like the UK, the US, and Germany. In particular, the UK's financial sector saw an increase in DDoS attacks from nation-state actors and hacktivists, aimed at undermining Ukraine's allies.[15]
In February 2023, Cloudflare faced a 71 million requests per second attack, which Cloudflare claims was the largest HTTP DDoS attack at the time.[16] HTTP DDoS attacks are measured in HTTP requests per second rather than packets per second or bits per second. On July 10, 2023, the fanfiction platform Archive of Our Own (AO3) faced DDoS attacks that disrupted its services. Anonymous Sudan claimed the attack for religious and political reasons, a claim viewed skeptically by AO3 and experts. Flashpoint, a threat intelligence vendor, noted the group's past activities but doubted its stated motives. AO3, supported by the non-profit Organization for Transformative Works (OTW) and reliant on donations, is unlikely to meet the $30,000 Bitcoin ransom.[17][18] In August 2023, the hacktivist group NoName057 targeted several Italian financial institutions through the execution of slow DoS attacks.[19] On 14 January 2024, they executed a DDoS attack on Swiss federal websites, prompted by President Zelensky's attendance at the Davos World Economic Forum. Switzerland's National Cyber Security Centre quickly mitigated the attack, ensuring core federal services remained secure, despite temporary accessibility issues on some websites.[20] In October 2023, exploitation of a new vulnerability in the HTTP/2 protocol resulted in the record for the largest HTTP DDoS attack being broken twice, once with a 201 million requests per second attack observed by Cloudflare,[21] and again with a 398 million requests per second attack observed by Google.[22]
Denial-of-service attacks are characterized by an explicit attempt by attackers to prevent legitimate use of a service. There are two general forms of DoS attacks: those that crash services and those that flood services. The most serious attacks are distributed.[23]
Multiple machines can generate more attack traffic than one machine, multiple attack machines are harder to turn off than one attack machine, and the behavior of each attack machine can be stealthier, making it harder to track and shut down. Since the incoming traffic flooding the victim originates from different sources, it may be impossible to stop the attack simply by using ingress filtering. It also makes it difficult to distinguish legitimate user traffic from attack traffic when the traffic is spread across multiple points of origin. As an alternative to or augmentation of a DDoS, attacks may involve forging of IP sender addresses (IP address spoofing), further complicating the identification and defeat of the attack. These attacker advantages cause challenges for defense mechanisms. For example, merely purchasing more incoming bandwidth than the current volume of the attack might not help, because the attacker might be able to simply add more attack machines. The scale of DDoS attacks has continued to rise over recent years, by 2016 exceeding a terabit per second.[28][29] Some common examples of DDoS attacks are UDP flooding, SYN flooding and DNS amplification.[30][31]
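Two of the attack types just named, SYN flooding and DNS amplification, leave distinctive shapes in summarised flow data, and the paragraph's point about spoofed, many-source traffic is exactly why a defender looks at per-destination aggregates rather than per-source ones. The script below is an added example, not from the article: it runs two simple detectors over constructed NetFlow-style records (a Flow tuple of addresses, ports, TCP flags, packets and bytes, all made up here using documentation address ranges). A SYN flood shows up as many SYN-only flows toward one destination with almost no ACK-bearing flows to match; amplification shows up as a host receiving far more bytes from UDP port 53 than it ever sent in queries. Thresholds are illustrative.

```python
"""Flag SYN-flood and DNS-amplification shapes in flow records.

Added example, not from the article. Flow records are constructed to look
like summarised NetFlow data; addresses come from the documentation ranges
and the thresholds are illustrative, not tuned values.
"""
from collections import defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    src_ip: str
    dst_ip: str
    proto: str        # "tcp" or "udp"
    src_port: int
    dst_port: int
    tcp_flags: str    # letters from "SAFR"; "" for UDP
    packets: int
    bytes: int


SYN_FLOOD_MIN_HALF_OPEN = 100   # SYN-only flows toward one destination
SYN_FLOOD_MIN_RATIO = 10.0      # SYN-only flows per ACK-bearing flow
DNS_AMP_MIN_INBOUND_BYTES = 50_000
DNS_AMP_MIN_FACTOR = 10.0       # bytes from port 53 per byte sent to port 53


def build_sample_flows():
    """Constructed sample: one legitimate session, one SYN flood,
    one normal DNS client and one DNS-amplification victim."""
    flows = []
    # Legitimate HTTPS session: a SYN, then data flows carrying ACK.
    flows.append(Flow("203.0.113.10", "198.51.100.5", "tcp", 51000, 443, "S", 1, 60))
    flows.append(Flow("203.0.113.10", "198.51.100.5", "tcp", 51000, 443, "A", 20, 12000))
    # SYN flood against the same server from 200 (presumably spoofed) sources.
    for i in range(1, 201):
        flows.append(Flow(f"192.0.2.{i}", "198.51.100.5", "tcp", 40000 + i, 443, "S", 1, 60))
    # Normal DNS client: five small queries, five modest answers.
    for i in range(5):
        flows.append(Flow("198.51.100.8", "203.0.113.53", "udp", 52000 + i, 53, "", 1, 60))
        flows.append(Flow("203.0.113.53", "198.51.100.8", "udp", 53, 52000 + i, "", 1, 120))
    # Amplification victim: one query out, 50 large answers in from 50 resolvers.
    flows.append(Flow("198.51.100.7", "203.0.113.53", "udp", 53001, 53, "", 1, 60))
    for i in range(1, 51):
        flows.append(Flow(f"203.0.113.{100 + i}", "198.51.100.7", "udp", 53, 33000, "", 2, 3000))
    return flows


def detect_syn_flood(flows):
    """Per destination: SYN-only flows versus flows that carry ACK."""
    syn_only = defaultdict(int)
    with_ack = defaultdict(int)
    sources = defaultdict(set)
    for f in flows:
        if f.proto != "tcp":
            continue
        if "S" in f.tcp_flags and "A" not in f.tcp_flags:
            syn_only[f.dst_ip] += 1
            sources[f.dst_ip].add(f.src_ip)
        elif "A" in f.tcp_flags:
            with_ack[f.dst_ip] += 1
    alerts = {}
    for dst, n in syn_only.items():
        ratio = n / (with_ack[dst] + 1)
        if n >= SYN_FLOOD_MIN_HALF_OPEN and ratio >= SYN_FLOOD_MIN_RATIO:
            alerts[dst] = {"half_open_flows": n,
                           "distinct_sources": len(sources[dst]),
                           "syn_to_ack_ratio": round(ratio, 1)}
    return alerts


def detect_dns_amplification(flows):
    """Per host: bytes received from UDP/53 versus bytes it sent to UDP/53."""
    inbound = defaultdict(int)
    outbound = defaultdict(int)
    reflectors = defaultdict(set)
    for f in flows:
        if f.proto != "udp":
            continue
        if f.src_port == 53:
            inbound[f.dst_ip] += f.bytes
            reflectors[f.dst_ip].add(f.src_ip)
        elif f.dst_port == 53:
            outbound[f.src_ip] += f.bytes
    alerts = {}
    for host, rx in inbound.items():
        factor = rx / max(outbound[host], 1)
        if rx >= DNS_AMP_MIN_INBOUND_BYTES and factor >= DNS_AMP_MIN_FACTOR:
            alerts[host] = {"inbound_bytes": rx,
                            "outbound_query_bytes": outbound[host],
                            "amplification_factor": round(factor, 1),
                            "reflector_count": len(reflectors[host])}
    return alerts


if __name__ == "__main__":
    sample = build_sample_flows()
    print("SYN flood:", detect_syn_flood(sample))
    print("DNS amplification:", detect_dns_amplification(sample))
```

Note what the detectors deliberately do not key on: the source address. With 200 distinct (and likely spoofed) senders, a per-source rate limit would see one SYN each and never fire, and blocking any one reflector in the amplification case changes nothing. Aggregating at the victim is what makes the many-source attack visible, which is the same observation the paragraph makes about ingress filtering.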