Lessons From the WikiLeaks DDoS Attacks

By Alex RothackerDenial of Service (DoS) attacks are a common method used to take down Websites, servers, or even sections of the Internet. These attacks typically come in two forms: Distributed DoS (DDos) and DoS attacks. DDoS create a flood of traffic to a Website, server, or section of the internet that overwhelms it to a degree that it cannot function and eventually shuts down.  Regular DoS exploits a vulnerability in a Web server, database server, etc. to crash the server.

Denial of Service (DoS) attacks are a common method used to take down Websites, servers, or even sections of the Internet. These attacks typically come in two forms: Distributed DoS (DDos) and DoS attacks. DDoS create a flood of traffic to a Website, server, or section of the internet that overwhelms it to a degree that it cannot function and eventually shuts down.  Regular DoS exploits a vulnerability in a Web server, database server, etc. to crash the server.

When you try to access Twitter and get the dreaded failwhale saying Twitter is over capacity, it’s often due to an unintended DDoS. The Web servers cannot handle the traffic to the site.
During Black Friday, you hear of shoppers waiting in line at Wal-Mart to be the first in the door in hopes to land that big ticket item with the slashed price. Just like a Web server, Wal-Mart’s door can only fit so many people at any time. When traffic exceeds what the Web server can handle, the server becomes overloaded and fails to reply to requests.

The most infamous DDoS involving database servers was in 2003 when a computer worm called the SQL Slammer compromised more than 75,000 servers and slowed internet traffic to a halt.

How Did The SQL Slammer Happen?
A worm exploited a flaw in Microsoft SQL Server and self propagated itself to other SQL Servers around the Internet at unprecedented speed. However, the entire attack could have been prevented by implementing a Microsoft SQL Server patch.

But what caused this to happen? Answer, unpatched Microsoft SQL Server databases.
The vulnerability exploited by the SQL Slammer worm was fixed by Microsoft fairly quickly – six months before the attack surfaced. Unfortunately, many DBAs didn’t patch their databases in a timely manner and because of it; the Slammer literally took down the Internet.
To mitigate risk and ensure critical databases stay up and running, it is critical that organizations patch all databases with the latest vendor patches as quickly as possible.

DDoS and WikiLeaks
The recent WikiLeaks and associated rebuttal attacks have again made DoS attacks a popular subject. There were two different DDoS attacks that occurred because of WikiLeaks. First, there was the DDoS against the WikiLeaks Website. According to many sources, this was allegedly done by one person, or hacker, who claimed WikiLeaks was “attempting to endanger the lives of our troops, ‘other assets’ & foreign relations…”

Secondly, there were the attacks against MasterCard, Visa and PayPal’s corporate Websites. These attacks were more of a flash mob of people, loosely organizing as the ‘anonymous’ hacker group, and orchestrating a coordinated and simultaneous attack on the sites. The attacks used a simple software called low orbit ion cannon (LOIC) to hammer away until the sites were overwhelmed. Typically, these attacks target social media Websites like Twitter and Facebook to recruit a large mob of attackers. As word spreads, these hackers get unintentional help to overload the Websites that the have been taken down. Due to curiosity, people want to test the sites for themselves to confirm the claims.

How to Prevent DDoS
There is no way to completely prevent DDoS attacks. For the SQL Slammer, unpatched databases were to blame, but typically, there is nothing you can do to prevent this type of attack. If a Website is getting specific DDoS attacks from a small number of IP addresses, they can block those IP addresses or increase server space for traffic, but when it’s from a vast number of different IP addresses it’s virtually impossible to stop. Websites like MasterCard and Visa aren’t scaled for the volume of traffic that occurred last week. In order to take down a large, active, site like Facebook, there must be a much larger mob of attackers to take it down.

DoS in Database Servers
Researchers are still finding DoS vulnerabilities in major DBMS software. MySQL fixed more than ten DoS vulnerabilities in recent patch releases. The fact that these vulnerabilities exist – and may not be patched – makes it easy for attackers to take down or lock up a Website.
For example the ‘MySQL Large Packet Processing Flaw in my_net_skip_rest() Lets Remote Users Deny Service‘ vulnerability allows an attacker to send a specially crafted network packet that is exceeding the maximum allowed packet size. This causes the MySQL server to read packets indefinitely, causing the server to lock up.

DoS That We Can Prevent
Unlike DDoS attacks, this class of DoS attacks is easy to prevent. Keep your databases patched with the latest available security patches and avoid this assault!

Alex Rothacker is the manager of Application Security’s Team SHATTER research group.

Suggested articles