InfoSec Insider

Rogue Waves: Preparing the Internet for the Next Mega DDoS Attack

Why many attack techniques can be reused – but organizations can’t defend against them.

When you think of a distributed denial-of-service (DDoS) attack at this point in the age of the internet, you might be thinking they’re old news. But when a multi-million-dollar business can be easily taken offline by an unskilled adversary and a $5 rent-a-DDoS service, I would argue that the issue is still very much relevant. Because of this, I decided to take a look at what might be on the horizon for malicious attackers, not in terms of who they’re going to hit next (that’s a game everyone can play but no one wins), but instead how it’s most likely to happen, and possibly from where.

In this article I’ll be talking about some of the attack vectors we are most likely to see in the next 12 months, and I’ll carefully analyze some of the most recent and successful adversarial groups and the types of attacks they deployed for maximum impact. More importantly, I’ll talk about why many of those same attack techniques can still be carried out with little to no ability for organizations to defend against them on their own.

Let’s take a look at some threat actor groups and the techniques that made their DDoS attacks successful:

Izz-al-Din-al-Qassam (aka QCF, aka al-Qassam Cyber Fighters)
Izz al-Din al-Qassam (a.k.a. QCF or the al-Qassam Cyber Fighters)

Attack Profile:

Attack Type: UDP reflection, SYN flood, RIP v1 reflection

Time Seen: September 2012 – January 2014

Max Attack Size: 190 Gbps

Attack Target: Financial services in the U.S. and Canada

Motivation: Hacktivism protesting “The Innocence of Muslims” video posted to YouTube, but it’s suspected other motivations drove further attacks

OurMineOurMine Team

Attack Profile:

Attack Type: UDP reflection, NTP amplification

Time Seen: December 2015 – September 2017

Max Attack Size: 117 Gbps

Attack Target: WikiLeaks, Minecraft, Pokemon Go; unclear if there were more because the group is known for taking credit for attacks it did not carry out

Motivation: Hacktivism, cyberextortion

DD4BC & the “Armada Collective”

Attack Profile:

Attack Type: Booter and stressor sites

Time Seen: July 2014 – January 2016

Max Attack Size: 50–60 Gbps

Attack Target: Financial services globally (Armada Collective – private mail providers such as ProtonMail)

Motivation: Cyberextortion (Armada Collective copied the M.O. to piggyback on DD4BC, although it did have some capability of its own)

As the years have gone by, DDoS capabilities have progressed in a big way. But one trend happened in response to amplification services such as NTP and Chargen drying up and vulnerabilities being patched in applications such as WordPress. These vulnerabilities were popular for some time for performing application-level reflection DDoS using XML-RPC pingback services. As expected, criminals needed to evolve, so the next generation of DDoS was born.

This next-generation DDoS has come by way of attackers compromising IoT devices such as security cameras or DVRs. This was seen in the Mirai botnet, which was able to generate a massive 620 Gbps against security investigative journalist Brian Krebs’ website, KrebsOnSecurity, in 2016. The Mirai botnet has continued to evolve, being used to attack French web host OVH, DYN, and many others.

Although we have the largest DDoS attack to date coming in at 1.3 Tbps on March 1, 2018, using the exploitable service Memcached to amplify attack traffic toward a target, I believe the next mega-DDoS attack will occur because of a mix of malware and the compromise of IoT or similar home user devices.

Let me explain:

In the United States, we have nearly 400 million digital subscribers who have an average of 25 Mbps of bandwidth available each (if that sounds low, just wait). Now, take the top 100 cloud environments on the internet, with an average available capacity of 5 Tbps each.

Let’s do the math:

400 million internet connections x 25 Mbps each = 10,000 Tbps.

100 top networks x 5 Tbps each = 500 Tbps.

So, if we have those 400 million connections trying to go to the top 100 networks, which have just 5 Tbps of capacity each, then according to the above equation, the top internet networks have only 5 percent of the available capacity they need to handle the requests from the home users’ last mile. This is the topic of the U.S. Patent No. 6108703 issued on August 22, 2000. The top networks on the internet cannot withstand the potential size or volume of inbound requests from the users’ last mile; thus the need for the invention of content delivery networks.

From an attacker’s point of view, nothing has changed. Let’s take the following attack scenario as my prediction for how the next mega/terabit DDoS will occur. Everything needed for such an attack is already available to criminals through two malware tools. One is called DNSChanger, and the is other GhostDNS. These tools work by scanning for vulnerable (and popular) home internet routers with default credentials still unchanged. Once discovered, the tool connects to them and changes their DNS settings to intercept and affect outbound traffic leaving home user or business environments.

The part I want to highlight is where that malware makes its decision of what devices to attack. In one attack campaign, the DNSChanger malware was targeting routers deployed by Brazilian ISPs to their customers. What if this malware were to target ISP routers in Singapore, where the average download speed is 60.39 Mbps?

I looked up the install guides and default services for devices issued by one of the major ISPs in Singapore, and I found some interesting things.

As with many home IoT devices, the hardware ships with either default credentials that need to be changed (something history has shown that many home users simply do not do) or with services running by default, which could be insecure or not needed. Singtel’s popular router, the Cisco C881 integrated services router, has a root password of “admin” for users connecting its local network interfaces, and it also ships with telnet services enabled, which more than likely allows for root user access, as well as some models shipping with the NetBIOS service enabled to the internet, something that a simple Shodan search validates quickly.

Knowing this, I think attackers are going to generate the next 1 Tbps + DDoS attack from an area of the world with high bandwidth and poor configuration and deployment practices, where the attacker can generate raw traffic directly from a home user network against a target network or website. Compounding this issue is the fact that mitigation techniques are used to seeing traffic come from hosting providers, but traffic coming from home networks is usually treated with white gloves. Of course, you know, I could be wrong about all these complicated theatrics. There’s always another memcached service lying around waiting to be discovered and exploited.

(Tony Lauro manages the Enterprise Security Architecture team at Akamai Technologies. With over 20 years of information security industry experience, Tony has worked and consulted in many verticals including finance, automotive, medical/healthcare, enterprise, and mobile applications. He is currently responsible for Akamai‘s North America clients as well as the training of an Akamai internal group whose focus is on Web Application Security and adversarial resiliency disciplines. Tony‘s previous responsibilities include consulting with public sector/government clients at Akamai, managing security operations for a mobile payments company, and overseeing security and compliance responsibilities for a global financial software services organization.)

Suggested articles