Arbor Networks and Radware, probably the two leading vendors focused on DDoS prevention and mitigation, have just published nearly in contemporary (probably not a coincidence) their 2011 reports which analyze, with similar methodologies applied to different stakeholders, one year of DDoS Phenomena occurred during the last year.
These reports are particularly meaningful since they come in a moment in which the waves of DDoS attacks unleashed by the OpMegaUploadas are not completely gone. To all the (too) many information security professionals whose sleep is disturbed by the booms of the Low Orbit Ion Cannons, I suggest to give a look to both documents:
- 2011 Worldwide Infrastructure Security Report issued by Arbor Networks;
- 2011 Global Application & Network Security Report issued by Radware.
As a matter of fact both reports provide a really interesting overview of this kind of attack which has become the flagship of the hacktivism movements.
From a methodological perspective both reports provide the results of a survey: the one conducted by Arbor Networks consisted of 132 free-form and multiple choice questions, covering a 12-month period from October 2010 through September 2011, whilst the one conducted by Radware consisted of 23 questions concerning the DDoS faced in 2011.
The participants of the Arbor Networks survey included 114 self-classified Tier 1, Tier 2 and other IP network operators from the U.S. and Canada, Latin/South America, EMEA, Africa and Asia, whilst the participants from the Radware survey included 135 organizations with large, medium and small size;ì,
Although the targets of the survey were not completely heterogeneous, and also the analyzed time windows were not exactly the same, I spent some time in comparing the results. In both cases, the message is clear: the DDoS attacks are becoming more and more complex, but the two vendors came to the same conclusion with a substantial difference. Does really size matter?
Hacktvism on the top
In both cases hacktivism ranks at number one among the attack motivations. The 35% of the Arbor Networks participants reported political or ideological attack motivations as the most common, immediately followed by Nihilism/Vandalism (31%). Analogously, the 22% of the Radware participants indicated a political/hacktivism motivation behind the attacks, immediately followed by “Angry Users” (12%). Curiously the 50% of the Radware participants indicated an unknown motivation, against the 19% of the Arbor Networks participants. Although hacktivism ranks undoubtedly at number one, the difference are not surprising: albeit the questions aimed to obtain the same information, they were slightly different: in one case (Arbor Networks) participants were asked to indicate Attack motivations considered common or very common, in the other case (Radware) participants were asked to indicate which motivations from a defined list, they considered behind the DoS /DDoS attacks experienced. Moreover also the different sample of participants may offer a further explanation. Arbor Networks participants are mainly operator, which have more sophisticated equipment to detect and counter attacks, Radware participants are heterogeneous organizations of different sizes, so their response may be “tainted” by emotive considerations or also by a smaller technological culture.
DDoS Attacks are becoming more and more complex assuming the nature of APTs
I was particularly impressed by a statement found in the Radware Report: “The nature of DoS / DDoS attacks has become more of an Advanced Persistent Threat (APT) and, therefore, much more serious.” The report is also more explicit and suggests that, for instance, during a DDoS Attack perpetrated by the Anonymous there is an external ring formed by the volunteers self-made hackers that use LOIC or similar tools (too often without any precautions), and an inner circle formed by skilled hackers who have access to more sophisticated attack methods and tools. The Arbor Networks report substantially agrees with this statement using the term Multi Vector DDoS, emphasizing a shift to Application Layer (Layer 7) DDoS Attacks. In both cases HTTP is the preferred protocol to convey Application Layer DDoS.
Size matters! Or not?
It is interesting to notice the opposite position of the two vendors with regard to the importance of the size for DDoS Attacks. Radware does not consider the size of the attack as the primary factor: the first myth to be debunked is the fact that not necessarily average organizations might experience intense attacks (according to Radware, in the observed period 32% of attacks were less than 10Mbps, while 76% were less than 1Gbps), the second myth to be debunked is the fact that the proper way to measure attacks is by their bytes-per-second (BPS) and packets per-second (PPS) properties. A smaller HTTP connection-based attack can cause more damage with much less traffic than a “traditional” UDP attack.
Arbor Networks has quite a different opinion: his respondents reported a significant increase in the prevalence of flood-based DDoS attacks in the 10 Gbps range. This represents the “mainstreaming” of large flood-based DDoS attacks, and indicates that network operators must be prepared to withstand and mitigate large flood attacks on a routine basis. Moreover, the highest-bandwidth attack observed by respondents during the survey period was a 60 Gbps DNS reflection/amplification attack, which however represents a 40 percent decrease from the previous year in terms of sustained attack size for a single attack.
At the end…
There are few doubts about the fact that DDoS attacks are becoming multi-layered and more and more complex, and even that they are mainly motivated by hacktivism. There are also few doubts about the fact that technology is enough mature to provide a crucial support to mitigate them. In any case, there is a further element to take into consideration that is the human factor: as usual technology is useless if the IT Staff is not prepared to face such a similar attacks, gaining an adequate awareness in terms of procedures and (I would say) culture. As Radware stated “the very public attacks last year raised awareness of DoS / DDoS and made organizations acquire better and more capable mitigation solutions” but maybe is not enough…
One of the most visionary information security predictions for 2012, was the one issued by Fortinet which defined the term Crime As A Service: “Crime as a Service (CaaS), [...] is just like Software as a Service (SaaS), but instead of offering legal and helpful services though the Internet, criminal syndicates are offering illegal and detrimental services, such as infecting large quantities of computers, sending spam and even launching direct denial of service (DDoS) attacks“. At first glance I marked this prediction as exaggerated but then I could not imagine that I should have witnessed a huge demonstration only few days after. Of course I am referring to the #OpMegaUpload when, immediately after the FBI takedown, the Anonymous redirected users towards a website when they could DDoS a large group of targets with a simple web click and most of all, without the need to install the Infamous LOIC.
Even if this has been, so far, the most noticeable example, is not the only one of a malicious tool used as a service for criminal (in this case one shot) campaigns. More in general, using very familiar terms (borrowed and adapted from Cloud Terminology) I believe the CaaS is assuming three shapes:
- Software As a (Crime) Service or Saa(C)S, in which the criminals offer malicious software (and the needed support) as a service. An example? The latest Zeus Variant dubbed Citadel, recently spotted by Brian Kerbs, which provides the purchaser with help desk and even a dedicated Social Network;
- Infrastructure As (Crime) Service or Iaa(C)S, in which the criminals offer malicious services (or infrastructures) to attack specified targets, services may include complex “traditional” infrastructures such as botnets, but also “innovative” large scale fashioned services such as DDoS or also sharper services such as password cracking. Try to surf the web and you will discover how easy it is to purchase such a criminal kind of services.
- Platform As a (Crime) Service or Paa(C)S: in which the criminals offer malicious platforms that users may adapt to fit their needs. An example? The brand new HOIC (High Orbit Ion Cannon) the new DDoS tool, evoluti0n of the infamous LOIC, that may be assimilated to a real malicious service platform that users may tailor to fits their needs thanks to the booster scripts. I believe we are not so far from criminal organizations selling customized booster scripts for every kind of need and, why not, offering support services as well.
Last but not least this services are self provisioned, and this is the reason why I used the term “Crime as a Self Service”: in every scenario, be the malicious service a Saa(C)S, Iaa(C)S or Paa(C)S, the user selects directly the target (or the victim), and that’s it!
As you will probably know, as a consequence of the takedown of the famous storage site Megaupload and the consequent indictment and arrest of seven people (all accused of online piracy), the Anonymous have launched #OpMegaUpload, a giant DDoS attack defined “The biggest Internet attack ever” targeting, among the others: The White House, the FBI, Viacom and DoJ, (at this link a complete list of the targets). As a consequence, last night the LOIC cannons have shot once again, leading to a global fluctuation of the global Internet traffic is between 13 percent and 14 percent above normal.
Unfortunately it looks like that many habitual Megaupload users turned themselves into extemporaneous wannabe hackers, giving their contribution to this questionable cause: equipped with the Low Orbit Ion Cannon they started to fire against the designated targets. By midnight on January 20th, @AnonOps declared the operation a success with over 5,635 people using the Low Orbit Ion Cannon to bring down the targeted sites:
Curiously the night of January the 20th, my blog was flooded with an unusual number of requests coming from search engines looking for several strings with a common pattern. Scrolling down the Search engine terms list directed to my blog (ordered in rigorous ascending order), you may easily guess the common pattern:
using loic arrested
arrested for using loic
is using loic dangerous
can we be arrested for loic
risk of using loic
may i be arrested for using loic
arresting people for using loic
how to safely use loic
being arrested because of loic
can you be arrested for useing loic
anonymous loic safe
can i be arrested for using loic
loic not safe
danger of using loic
may i be arrested for using #loic
Yes, unfortunately it looks like that too many people have decided to use the Megaupload shutdown as the trigger for an improvised career of hackers, considering LOIC as a kind of magic wand capable of turning anyone into a hacker in few minutes. Maybe Several of these “wannabe hackers” were not that stupid and wondered if their action might have legal consequences. For those, the fundamental question and age-old dilemma is: “Is LOIC dangerous?”
Since I already dealt with this topic in a couple of posts during the hot summer of the Lulz Boat, their googling brought them to my blog. For sure this morning, before understanding what had happened during the night (in Italy) I was surprised by the unusual number of clicks for the two articles concerning LOIC, which you may read (No One has ever been arrested for using LOIC and Someone has been arrested for using LOIC), if you just need an answer (or maybe you do not need since the title of the latter is meaningful enough).
But please consider the fact that the fundamental question is not if using LOIC is dangerous or not, but rather “if I should play to be a hacker or not”, and the answer is quite straightforward…
BTW, I gave my humble contribution to the #SOPAblackout but, whether or not I agree with the Megaupload shutdown, I absolutely do not agree and do not support similar methods of protest.
- Anonymous Launches Largest Attack Ever Following Megaupload Closure (techfleece.com)