The majority of distributed denial-of-service (DDoS) attacks against corporate and government websites can be easily filtered out by appliances and software, but one expert says a growing number of attacks are from technically savvy individuals and often trip up mitigation systems.
A wide variety of attacks driven by activists use relatively unsophisticated tools. They can cause an initial disruption, but business and government websites can recover fairly quickly, said Jeff Lyon, CEO of Los Angeles-based Black Lotus Communications, a DDoS mitigation firm. A growing threat is DDoS attacks driven by extortionists and technically savvy hackers, which are complex enough to be difficult to defend against, Lyon said.
"Those attacks tend to be extremely complex because the attackers know that the basic tools so prevalent in the wild aren't as effective because security providers can easily defend against them," Lyon told SearchSecurity.com in a recent interview.
DDoS mitigation has been gaining interest from enterprise IT teams of late. The financial industry has been especially hard hit by DDoS over the last two weeks. JPMorgan Chase and Bank of America both suffered intermittent website problems. U.S. Bank and PNC reported problems with their customer websites Wednesday. The attacks are believed to be originating from a group known as Izz ad-Din al-Qassam Cyber Fighters, a hacktivist group that has been announcing its campaigns on the Pastebin website.
Lyon said some of the DDoS campaigns are layer 7 HTTP attacks that look like real users. Systems that use behavioral analysis and signatures often have to be manually tuned to filter out the right traffic and rule out false positives, he said.
"In order to defend against that specific type of attack you have to have a method in place to determine which traffic is robots and which traffic is humans and be able to implement a filtering rule," Lyon said. "That's where the real challenge is right now."
In this interview, Lyon talks about the transition from extortion-driven DDoS attacks in 2003 to more hacktivist-style attacks, which began in about 2007. Today, hacktivists primarily use social networking to gain enough followers and collaboratively take out websites while a determined individual can rent a botnet or create their own DDoS tool to carry out a targeted attack, Lyon said.
Give us a brief history of DDoS and tell us about Black Lotus:
Jeff Lyon: Black Lotus is a managed availability security firm. We started our company up in 1999. Back then was when the first US-CERT advisories came out saying there's this new phenomenon called a DDoS [distributed denial-of-service] attack. About four years after that, attacks really started occurring against the enterprise. Back in 1999 attacks were really against criminal enterprises or against ecommerce or larger start-up companies. Around 2003 is when attacks really started impacting online casinos and poker rooms, and that's when extortion became a major target of a DDoS attack. As the years went on, namely about 2007, is when the hacktivism trend began to occur. It stopped being just an extortion tool. It started being used if you didn't like someone or you wanted to tell someone to do something, you could go ahead and use a DDoS attack. Consequently, 2007 is where DDoS mitigation became a really big business.
Why do you think there was an evolution from financially motivated DDoS attacks (extortion) to politically motivated or statement-driven attacks?
Lyon: Mainly it's because anonymity is much more prevalent. If you are making a statement against a company or an organization you can use a medium like Twitter or any other type of social media to generate opinions and get people to attack a target. What has happened with Anonymous is that everyone can get together and launch a low orbit ion cannon (LOIC) type of attack. Everyone stays relatively anonymous. It's more of a collective that's making the attack. This is very difficult for law enforcement to wrap their hands around and actually prosecute individuals even though they are undertaking those initiatives. With extortion, they are able to use more traditional tools to investigate the crime because there is a money trail. It may be difficult to figure out who launched the attack but when there is extortion involved you are able to say this is where the money went after someone made a ransom payment.
Are some hacktivist-driven DDoS attacks making it more difficult for Black Lotus and other DDoS mitigation firms?
Lyon: What we find is that the more common Anonymous type of attacks—the ones you see in the media—are actually relatively easy to defend against. These types of attacks take advantage of the collective and other people making a statement. When you see someone on Twitter announcing a target to attack, what they are doing is trying to take advantage of that company's inability to defend itself against the attack, but it's really not that complex to defend against.
It seems like a lot of DDoS attacks use fairly unsophisticated methods, flooding websites with malicious traffic that can be easily filtered out. Is that the case?
Lyon: The attacks will run the gamut with different technologies in use. The ones we hear so much about, especially the ones that are launched by relatively unsophisticated folks wanting to take part in a protest, are pretty unsophisticated attacks. In order for them to occur the organizers of these attacks have to distribute tools to their followers. Once that tool is distributed then security experts and analysts can take it apart and figure out what needs to be done to defend against that particular type of attack and build those signatures used in mitigation appliances and other security products.
The ones that are extremely difficult are actually not in the realm of hacktivism. They could be extortion attacks. They could be attacks against competitors or they could be hacktivism, but not the mass-media hacktivism we're all so familiar with. Those attacks tend to be extremely complex because the attackers know that the basic tools so prevalent in the wild aren't as effective because security providers can easily defend against them. The attacker must build a tool or use a tool that is lesser known and much more difficult to raise a defense against. The ones that come to mind are these layer 7 HTTP attacks that look like real users. No matter what your signature looks like there are attacks coming in that match your legitimate traffic. They look exactly the same. In order to defend against that specific type of attack you have to have a method in place to determine which traffic is robots and which traffic is humans and be able to implement a filtering rule. That's where the real challenge is right now.
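The behavioral analysis that the article's introduction mentions, and the robot-versus-human decision Lyon describes above, can be illustrated with a small classifier over web-server access logs. The following is an added example and is not code from the article, from Black Lotus or from any mitigation product: it parses constructed log lines in the common "combined" format, computes per-client features (request rate, regularity of inter-request timing, path diversity) and flags a client as a likely bot only when at least two signals agree. The thresholds and the sample IP addresses are assumptions; in practice the thresholds are exactly what has to be hand-tuned against real traffic to keep false positives down.

```python
"""Behavioural classifier for layer 7 (HTTP) flood traffic.

Added example, not part of the original article or any vendor product.
It scores each client seen in constructed access-log lines by request
rate, inter-arrival regularity and path diversity. The thresholds are
assumed starting points meant to be tuned against real traffic.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed thresholds; real deployments tune these per site.
THRESHOLDS = {
    "min_requests": 10,   # ignore clients with too little data to judge
    "rate": 1.0,          # requests per second over the client's active span
    "gap_cv": 0.25,       # below this the timing is suspiciously regular
}


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def client_features(records):
    """Group parsed records by client IP and compute per-client features."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)
    feats = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        times = [r["ts"].timestamp() for r in recs]
        span = max(times[-1] - times[0], 1.0)
        gaps = [b - a for a, b in zip(times, times[1:])]
        # Coefficient of variation of inter-request gaps: scripted clients
        # tend to fire at a near-constant interval, humans are bursty.
        cv = None
        if len(gaps) >= 2 and statistics.mean(gaps) > 0:
            cv = statistics.pstdev(gaps) / statistics.mean(gaps)
        feats[ip] = {
            "requests": len(recs),
            "rate": len(recs) / span,
            "gap_cv": cv,
            "distinct_paths": len({r["path"] for r in recs}),
        }
    return feats


def classify(feats, thresholds=THRESHOLDS):
    """Map each client IP to ("bot" | "human", [reasons]); two signals are needed for "bot"."""
    verdicts = {}
    for ip, f in feats.items():
        reasons = []
        if f["requests"] >= thresholds["min_requests"]:
            if f["rate"] >= thresholds["rate"]:
                reasons.append("high rate")
            if f["gap_cv"] is not None and f["gap_cv"] < thresholds["gap_cv"]:
                reasons.append("regular timing")
            if f["distinct_paths"] == 1:
                reasons.append("single path")
        verdicts[ip] = ("bot" if len(reasons) >= 2 else "human", reasons)
    return verdicts


def analyze(lines):
    """Parse raw log lines and return the per-client verdicts."""
    records = [r for r in (parse_line(l) for l in lines) if r]
    return classify(client_features(records))


# --- constructed sample log (not real traffic) ---------------------------------
def make_line(ip, ts, path, referer="-", ua="Mozilla/5.0"):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512 "{referer}" "{ua}"'


_T0 = datetime(2012, 9, 26, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    # scripted client: same path, exactly one request per second
    [make_line("203.0.113.10", _T0 + timedelta(seconds=i), "/login.php") for i in range(12)]
    # browsing human: irregular gaps, several pages, referer set
    + [make_line("198.51.100.7", _T0 + timedelta(seconds=s), p, "https://example.test/")
       for s, p in [(0, "/"), (3, "/style.css"), (4, "/news"), (17, "/news/1"),
                    (40, "/news/2"), (41, "/img/a.png"), (75, "/about"),
                    (76, "/contact"), (118, "/news"), (119, "/news/3")]]
)

if __name__ == "__main__":
    for ip, (verdict, why) in analyze(SAMPLE_LOG).items():
        print(f"{ip:15} {verdict:6} {', '.join(why) or '-'}")
```

Requiring two agreeing signals is the design choice that matters: a single high-rate check would also catch a corporate NAT gateway or a busy RSS reader, which is the false-positive problem the article says forces manual tuning. The output of `analyze()` is meant to feed a filtering rule (rate-limit or challenge) rather than a hard block.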
So there are some hacktivist DDoS attacks that can be sophisticated?
Lyon: These will be the hacktivists that are themselves computer hackers. They are very well educated in the use of computers and computer networks. For example you might have a website with a religious or political view that is unpopular with a specific person or specific hacker and that hacker takes a personal interest in taking down that website. That particular type of attack still qualifies as hacktivism. It's still an activist style attack, but not the common type of person launching an attack.
How difficult is it for a single person to carry out a fairly sophisticated DDoS attack?
Lyon: If you're not skilled in specifically designing a tool or already active in that realm of trading tools and coding for malicious purposes, your other option is to go to websites or underground forums and essentially buy access to the tools. You can go on a hacker forum and explain you want to attack a website. Someone might come forward and say they control a botnet that has 100,000 systems in it and I'll let you rent that for $10 an hour. It's cheap and easy to launch an attack but the common person may not know how to go about it. Your common person who doesn't know anything about hacking probably won't find these forums and successfully launch an attack.