Examining Past and Future DDoS Attacks: What Enterprises Can Do to Prepare

Tammy Moskites, CIO/CISO, Venafi

Tammy Moskites, CIO/CISO, Venafi

The Internet has technically been around since the 60’s, however academia has been using it since the 80s and commercial use actually began to grow rapidly in the 90’s. In the last 20 years the internet has grown over 100-times to well over 1/3 the world population. The history of cyber threats is quite incredible and extensive. From simple worms and viruses in the late 90s to more recent Advanced Persistent Threats (APTs) and state-sponsored attacks, one type of attack method remains tried and true: Distributed Denial-of-Service (DDoS) attacks. DDoS attacks, generally speaking, are a type of Denial of Service (DOS), which occurs when multiple systems are compromised and are often infected with a Trojan that is used to target a single system causing it to shut down or crash. They are also notably defined by the ease in which they can be executed.

Gaining Notoriety

DDoS attacks really came into the spotlight in 1999 with the first large-scale incident against the IRC server at the University of Minnesota. It left 227 systems affected, and the university’s server was rendered unusable for days. The attack also put DDoS on the map as an efficient tool for hackers. Immediately after the attack on the university occurred, there were a series of similar attacks at notable companies like Yahoo!, eBay, CNN, Amazon, and ZDNet. The consequences of these high-trafficked sites resulted in paralyzed systems, barring users from accessing their services for hours. Shockingly enough, the attacks were all brought down by a 15-year-old Canadian who called himself “Mafiaboy,” looking to show off his skills by infecting vulnerable hosts he found through network scans.

Soon after these large scale DDoS attacks, cybercriminals learned a new method that leveraged the tool to disrupt systems and wreak even more havoc. The new method gained a lot of publicity in 2005 with an attack called the MyTob worm. This new DDoS attack opened a backdoor on infected MS Windows hosts that connected to a remote IRC server and waited for further instruction from command and control, while also self-propagating when rebooted and copying itself onto other network shares. Famously, this attack’s outbreak was covered live by CNN, even as the TV station’s own computers were affected. Cybercriminals began to threaten large corporations with DDoS attacks, extorting tens of thousands of dollars. Many companies paid out rather than risk inevitable customer attrition and loss of reputation since, at the time, there were no effective remediation plans in place.

Hacktivism on the Rise

Beyond monetary gain, soon hackers were seeking to disrupt government and corporate

systems to make political statements and mobilize users to action through high-profile DDoS attacks. Although attacks brought on by political events and ideological issues were being launched for over a decade, in 2010, the media began to focus on these groups; one in particular called the “Electronic Disturbance Theater.” They made a name for themselves by developing a new DDoS called FloodNet, which was user-friendly and allowed anyone outside of the organization to join in on the attack by simply clicking the target you wished to attack from a drop down menu.

The idea of allowing others outside of the collective to join was immediately evolved by the group known as “Anonymous.” They used the software Low Orbit Ion Cannon, which allowed participants to connect their computer to a vast network, creating voluntary botnets linked together, giving them an incredible amount of power to yield behind an attack. They used this tool when they executed the Operation Payback attack on Visa, MasterCard, PayPal, and other sites, after these credit card and banking institutions had terminated services with WikiLeaks.

“Implement any DDoS prevention that your company's Internet Service Provider (ISP) offers-it will be able to scrub and clean your traffic in the cloud before allowing it onto your system”

Attacks of the Future

To fully see where DDoS attacks are heading in the future, we should first look back at one hacktivist group called “The Hacker’s Choice.” This group created a new type of DDoS attack in 2011, which exploited weaknesses in Secure Sockets Layers (SSL) to kick a server off the Internet. This new tool gained a lot of interest because of its clear departure from a typical DDoS attack—it did not require any bandwidth, just a single attack computer. It was able to achieve this by enabling attackers to perform transport layer service (TLS)/SSL denial of service for hypertext transfer protocol (HTTPS) websites, allowing immediate service interruptions. The group was hoping that this would bring attention to the features of SSL that they did not approve of, and push for implementation of a new security model that they deemed more adequate to protect citizens. This new tool for DDoS attacks did not gain much traction outside of the initial release in 2011, but it is incredibly important when considering protection for your network in the future.

Earlier this year, on the heels of the Office of Personnel Management (OPM) breach, the Federal government mandated that all government websites must implement HTTPS-more encryption. To push this policy even further, Google encouraged TLS services by boosting SEO rankings for HTTPS services and programs like“Let’s Encrypt” launched, underscoring the importance of using encryption to protect data. However, what many don’t realize is that with more encryption, comes more opportunity for cybercriminals to mask their nefarious deeds. More encrypted traffic will require organizations to use more cryptographic keys and digital certificates to mount effective attacks.

Moving forward, with the use of more encryption, we do expect to see SSL/TLS DDoS attacks on the rise; however, there are precautions that can be taken by IT security teams:

1. Make sure your network has more bandwidth than you think you will need. This will accommodate sudden and unexpected surges in traffic. Overprovision by 100 or 500 percent, which may not stop a DDoS attack, but could give your system more time to defend against an incoming attack.

2. Implement any DDoS prevention that your company’s Internet Service Provider (ISP) offers–it will be able to scrub and clean your traffic in the cloud before allowing it onto your system.

3. Make sure you have complete visibility of your network and monitor continuously to make sure that you have complete control over the traffic on your network.

4. Scan regularly for expired digital certificates and cryptographic keys and revoke and replace them all immediately— especially in the wake of a data breach.

5. Conduct Black Hole Filtering, which is a technique that provides the ability to drop undesirable traffic before it enters a protected network.

6. Include DDoS attacks in your disaster recovery scenarios and test them annually.

It’s important to keep in mind that the exact answer for your enterprise will vary depending on the type of DDoS attack you are experiencing, your network infrastructure, and security tools that are available to you. While cyber criminals continue to evolve their DDoS attack methods, enterprises should at least take comfort in knowing they can take these key steps to stave off these types of attacks, now and in the future.