According to Cisco, global mobile data traffic grew 69 percent in 2014, reaching 2.5 exabytes per month. Facebook recently revealed that 78 percent of its US users are mobile. Apple is now the most valuable company in the history of the world. The mobile platform is quickly becoming the platform of choice for Internet users. Mobile phones have long performed far more tasks than just the phone application. Only recently, however, have they become a terrific platform to exploit and leverage to launch large-scale global DDoS attacks. Enter the age of LTE and high speed mobile DDoS botnets.
By now, we have all heard of the DDoS tool that Lizard Squad put out just after Christmas. For those who don’t recall the situation: on Christmas day, Lizard Squad DDoSed PlayStation Network, Sony’s online gaming service, and Xbox Live, Microsoft’s gaming network. Connectivity to the online services was not restored until the next day. This was a big deal and got a lot of media coverage because it happened on Christmas day, a day when people are off work and school and the services see far more usage than usual. People received video games as gifts and found them to be useless with no network to support them.
Lizard Squad, which had already been using DDoS attacks against several companies, quickly claimed responsibility. Soon afterwards, they announced the release of their stresser, a tool that anyone could pay to use to DDoS whoever they want. Having just knocked two major companies offline, and several others in the months before, they had proven the strength of their attacks in what would turn out to be an intelligent (although dubious) marketing strategy.
So what’s up with these stressers? How do they work? Why are there so many of them nowadays? Where were they all before?
Educational institutions have always played a pivotal role in breeding underground and counter-culture behavior. Many large DDoS attacks over the past 15 years have been launched by students, often no older than high-school age. Historically, schools have had large connections with limited oversight and tracking, allowing their students to engage in nefarious behavior with little to no risk of getting caught. The tables have certainly turned in recent times. As corporate connections have grown larger, schools now find themselves at odds with the underground culture they helped breed: hacking groups treat universities as both easy targets and easy sources of DDoS attacks.
China’s Golden Shield Project, also known as the Great Firewall of China (GFW), is a government-controlled network firewall that monitors every bit of internet traffic generated inside China. It is also used to censor the internet in China through various methods, including IP blocking, URL filtering, DNS filtering, and packet filtering. So what does any of this have to do with DDoS?
In part 1 of this series, I discussed a general history of the early rise of the Internet through IRC, as well as the beginnings of DDoS: what it was used for and who was targeted. I covered the late 90s to the mid 2000s. These were the tame years, as far as DDoS was concerned. Although there was some amount of destruction to large online services during this time, it was relatively infrequent and got hardly any of the press that it gets today. In this article, I will discuss DDoS over the last 10 years: specifically hacktivism, the rise of Anonymous, the growth in the size of DDoS attacks, and what the future holds as far as DDoS is concerned.
Hacking has taken on a bad meaning over the past two decades. What began as software augmentation on a rapid development cycle has been popularized by movies like “Hackers” and “Swordfish” as underground and often sociopathic perpetration of evil. Interest has again been stirred by the holiday attacks against video game services and the release of the film “Blackhat”, which has since encouraged a lot of confusion through public ignorance of the subject and sensationalism.
The concept of hacking began many decades ago and to this day is used by software developers around the world for its original meaning. Virtually all software developers are hackers. Not all hackers are evil though. According to its widespread definition, a modern day hacker is someone who gains elevated privileges or access to systems and resources, often intercepting data and commandeering systems. A “bad” hacker is a software developer who has malicious intentions, whether or not those intentions are criminalized under law.
On the other hand, DDoS attacks have very little positive use. By its very nature, a distributed denial of service attack is an attack that denies service to legitimate users or requests. Its main purpose is to cause harm and negative impact. In recent times, some have argued that DDoS attacks are a form of social protest.
Are the perpetrators of DDoS attacks hackers? Do all hackers launch DDoS attacks? Is launching a DDoS attack a form of hacking? Which is worse?
The Internet has become one of the most pervasive things in the lives of modern people. We use it to stream videos, we talk with friends and family, and we share our day-to-day experiences with a wider audience than could ever have been imagined. Online games and services have become the bread and butter of entertainment for millions of people world-wide. However, it wasn’t always like this. In fact, it wasn’t like this even 20 years ago.
When the internet was first becoming popular, there wasn’t as much to do online as there is now. During its heyday in the late 90s, Internet Relay Chat (IRC) was where all of the tech-savvy people went to hang out. Invented in the 1980s, IRC is, as a famous bash.org quote puts it, just multiplayer notepad. As bored and curious people tend to do, some learned to manipulate weaknesses in it, and IRC soon became a breeding ground for the bad things one could think of to do on the internet: hacking, software piracy, and Denial of Service attacks.
The researchers at Qualys found a widespread bug in the GNU C Library (glibc) used by Linux that affects a wide cross-section of exposed systems on the Internet. The vulnerability allows malicious actors to remotely commandeer a system using a technique known as a heap buffer overflow. You may remember Qualys from their popular web application vulnerability reports, such as the Drupal SQL vulnerability they discussed back in October 2014. Qualys provides sound research in this space, so this vulnerability should be taken seriously.
The exploit is performed by passing a malformed DNS (domain name system) argument to a remote application that performs a DNS lookup, specifically to trigger gethostbyname(), which calls __nss_hostname_digits_dots(). The attacker can then execute shellcode to remotely take over the system, likely elevating themselves to the root user. Despite the seemingly severe nature of this security hole, the problem was not classified as a high-severity security risk, and thus many distributions have not patched it. This will undoubtedly result in a large number of compromised machines, which will naturally be used for DDoS attacks and other associated malicious tasks. How severe will the problem be? Are we looking down the barrel of another era of NTP floods?
Clients may have noticed a couple of updates to the interface when logging into the client panel recently, and we’re happy to say they’re here to stay.
The previous version of our client panel, while functional, was feeling a little bit on the legacy side of the web. As such, we’ve streamlined a few things for convenience and aesthetics. We have brightened things up, improved text visibility, used fewer buttons, and improved the overall speed of the menus. The underlying structure of the interface remains unchanged, so all the essentials should be in the places you remember them. We’re hoping this will help you focus on your own business and spend less time looking for service controls and features.
As always, you have full access to your billing history and traffic usage, and the ability to fine-tune your SecurePort settings according to your needs. While the changes this time have largely been cosmetic, we’re looking to add some informational content for our clients in the near future, including more comprehensive graphs and statistics. If you ever have any questions, need help making revisions, or find a bug, open a ticket and the staff will give you a hand at any time. We’re open to suggestions as well, so if you think there’s a useful or cool feature that would improve your business, productivity, or customer base, we want to hear about it.
It’s a start for an exciting 2015, and we look forward to improving your experience.
Imagine you’re a self-employed professional such as a lawyer. You worked hard to obtain your degree, put in many hours at another firm to learn your field and profession, and then decided to start your own practice. You need to market yourself and, like a good entrepreneur, decide to set up your own website. You pick some random host, build your site, and start spending money to market it and drive business. Little do you know, your host goes down for hours at a time due to DDoS attacks because they lack effective DDoS mitigation. You never realize this because you don’t monitor your website, and every time you’ve visited it, it worked. However, you’re losing 5-10% of your leads because one of your neighboring websites is being attacked and you’re simply collateral damage.