About two years ago, I witnessed an Anonymous operation unfold, in which a commercial company was targeted. The threat, in the form of a solemn YouTube production, was of course taken very seriously. The entire hosting infrastructure was upgraded, various security solutions were put in place, and an all-hands-on-deck policy was implemented.
What followed were two very anti-climactic 1Gbps blips, each just a minute long. And then calm. Afterwards, everything was back to normal.
It seems the narrative of these threatened DDoS attacks (such as OpUSA, OpIsrael) mostly goes like this: the threat, the subsequent frenzy and expenditure to protect against the attack, and finally the low impact of the actual attack. Still, organizations take these attack threats seriously, shuffling priorities and changing focus to meet the threat. No one wants to be the one who ignored the threat, and thus be blamed for a humiliating and expected outage.
Threats that mask weakness
These threats reveal an underlying weakness: whoever has the capacity to cause real harm would want to strike immediately. The most devastating attacks, such as the attacks on U.S. banks by the “Izz ad-Din al-Qassam” group, came with little early warning because the tools to deploy the attack were already in place, getting coverage out of actual disruption rather than anticipation of it.
Traditionally, distributed denial-of-service (DDoS) threats served two purposes. The first, and obvious one, is media attention. If warned weeks in advance, there are weeks of possible pickup and an unfolding story. Hyped as DDoS attacks have become, these threats actually cause serious damage by disrupting the plans and productivity of target organizations as they run for cover.
In the past, early warning also had to do with the social structure of these attacks. Groups such as Anonymous relied on an army of hacktivists that band together using desktop tools like the “Low Orbit Ion Cannon” (LOIC). Such coordination took time, organization and internal alignment. This coordination was actually aided by successful media pickup, because successful campaigns tended to attract more participants.
In the last two years however, the world has moved on. It no longer takes a volunteer army to build up massive firepower. A single LOIC application running on someone’s desktop can generate a mere 10-100 Mbps, depending on bandwidth. To raise a 100 Gbps attack, you need around 5,000 volunteers concurrently. Coordinating a 5,000 person flash mob is not an easy task.
A knowledge war, not a social war
These days, the capability to generate large-scale DDoS has moved from the hands of congregating volunteers to professionals, and the scale has grown tremendously. You can now replace 5,000 volunteers with just 200 hijacked servers, which can be easily coordinated centrally. Professional hackers use vulnerability and password scanners to look for unpatched software, or weak passwords in order to breach your server and steal your data. These scanned sites have no significance in and of themselves, except their access to network bandwidth. Once their vulnerabilities are exploited, they join the botnet, and are on-call 24/7, to be used in an attack at a moment’s notice.
Scanning the internet for open Domain Name System (DNS) resolvers and using them to launch attacks, as in the attack on Spamhaus, is yet another technique favored by professional hackers. DNS resolvers are what translate Internet domain and host names to IP addresses. When a resolver is left open to the whole internet, hackers take advantage of it by sending queries with spoofed source IP addresses, so that the resolver directs its responses back to the target. Since a DNS response can be many times larger than the initial request, the resolver amplifies the traffic sent to the target, enhancing the power of the DDoS attack. Thus, hackers can use open DNS resolvers to replace an army of 5,000 volunteers and orchestrate an amplified attack from a single machine.
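The amplification effect described above is visible from the resolver operator's side: a spoofed victim address shows up as a "client" that sends many small, repeated queries and receives very large answers. The following Python script is an added example (not Incapsula's code or any vendor's tooling) that computes the response-to-request byte ratio per client over constructed query-log lines and flags addresses that look like reflection victims; the log format, thresholds and addresses are assumptions made for this illustration.

```python
"""Flag suspected DNS amplification abuse from a resolver's query log.

Added example with a constructed log format:
  "<time> <client_ip> <qtype> <qname> <req_bytes> <resp_bytes>"
Real resolver logs differ; adapt parse_log() to your own format.
"""
from collections import defaultdict

# Constructed sample: one address repeatedly asks for ANY and gets ~50x
# its request size back; the other looks like an ordinary stub resolver.
SAMPLE_LOG = """\
12:00:01 203.0.113.9 ANY example.net 64 3200
12:00:01 203.0.113.9 ANY example.net 64 3200
12:00:01 203.0.113.9 ANY example.net 64 3200
12:00:01 203.0.113.9 ANY example.net 64 3200
12:00:02 203.0.113.9 ANY example.net 64 3200
12:00:02 198.51.100.4 A example.net 45 61
12:00:03 198.51.100.4 AAAA example.net 45 73
"""


def parse_log(text):
    """Return a list of (client_ip, qtype, req_bytes, resp_bytes) tuples."""
    records = []
    for line in text.splitlines():
        _ts, client, qtype, _qname, req, resp = line.split()
        records.append((client, qtype, int(req), int(resp)))
    return records


def amplification_by_client(records):
    """Return {client_ip: (queries, req_bytes, resp_bytes, ratio)}."""
    agg = defaultdict(lambda: [0, 0, 0])
    for client, _qtype, req, resp in records:
        entry = agg[client]
        entry[0] += 1
        entry[1] += req
        entry[2] += resp
    return {c: (q, rb, pb, pb / rb) for c, (q, rb, pb) in agg.items()}


def suspected_reflection(records, min_ratio=10.0, min_queries=5):
    """Clients whose traffic is mostly large answers to repeated
    high-amplification queries are more likely spoofed victims than users.
    The thresholds are assumptions; tune them to your resolver's baseline."""
    stats = amplification_by_client(records)
    return sorted(c for c, (q, _rb, _pb, ratio) in stats.items()
                  if q >= min_queries and ratio >= min_ratio)


if __name__ == "__main__":
    for ip in suspected_reflection(parse_log(SAMPLE_LOG)):
        print(f"suspected reflection victim: {ip}")
```

An address flagged this way is the spoofed target, not the attacker, so the useful responses are restricting recursion to your own networks and response rate limiting on the resolver, not blocking the flagged address.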
This is a knowledge war, not a social gathering, so there really isn’t any need to give all that advanced notice. If you have the firepower, you’ll shoot, not just sit around talking about doing so.
So is it just a PR stunt? Not quite.
One might argue that these threats are simply PR stunts, bluffs waiting to be called, but there is a note of caution here for website owners who find themselves on the receiving end of these threats: the social structure of the attack serves another purpose.
In the past, DDoS attacks by Anonymous and other hacktivists were preceded by efforts to find exploits and vulnerabilities in the target websites. A successful DDoS attack is less of a public and customer relations nightmare than a data breach. Long before resorting to DDoS, attackers employ all the tools at their disposal to find these vulnerabilities. It is not uncommon that these are the real primary vectors behind organizational breaches:
- Unpatched vulnerabilities that exist in underlying software, such as an outdated WordPress widget;
- Password theft that often occurs by the hackers guessing weak passwords, like ‘ninja,’ or by phishing campaigns that trick employees into divulging sensitive password information; and
- Detection and exploitation of application vulnerabilities like SQL injections, granting immediate access to an organization’s data.
The time it takes to exhaust their arsenal is the primary reason for the delayed attack after a threat – the threat is merely a decoy. In fact, organizations should probably be partially relieved when an attack starts. It means the hackers did not find anything better, or rather more damaging, to do.
Gur Shatz is the CEO of Incapsula