By Paul Kearney, Chief Security Researcher in the Security Futures Practice, BT Innovate & Design.
All systems are inherently vulnerable to Denial of Service (DoS) attacks. This is because DoS attacks do not need to rely on bugs and loopholes; instead they prevent legitimate access to services by consuming or occupying resources. As every operation consumes computational, memory and communication resources, an attacker simply requests expensive operations over and over until resources are exhausted, or are in such short supply that the system falls over or grinds to a halt. Queuing or rate-limiting requests may protect the systems themselves, but this is of little comfort to the legitimate user, whose requests are still competing with the flood for the same limited capacity and are still being refused. The main defence is therefore to characterise the request flows that are associated with an attack in progress (source addresses, request rates, packet or request signatures) and block or ‘black hole’ that traffic before it can consume key resources.
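The following simulation is an added illustration of the point above; it is not code from the original article or from BT. It constructs one minute of sample traffic (five attacking hosts each requesting an expensive operation 20 times a second, three legitimate clients making a cheap request every three seconds) and serves it through an assumed server budget of 200 cost units per second. A global rate limit keeps the server within budget but serves none of the legitimate requests, because attack traffic arrives first and drains each second's budget. Characterising the attack flows by per-source request rate and black-holing the offending sources (the 30-requests-per-10-seconds threshold is an assumption chosen for the example) restores legitimate access once the detector has seen enough of each attacker's flow. The IP addresses are documentation ranges and the traffic is constructed, not captured.

```python
"""Added example: global rate limiting vs. black-holing characterised attack flows."""
from collections import defaultdict, deque

CAPACITY_PER_SEC = 200  # assumed server budget, in cost units per second


def constructed_traffic():
    """Constructed sample traffic as (timestamp_s, source_ip, cost_units).

    Attackers (10.0.0.1-5) hit an expensive operation (cost 5) 20 times a
    second for a minute; three legitimate clients (192.0.2.10-12) make one
    cheap request (cost 1) every three seconds.
    """
    traffic = []
    for t in range(60):
        for host in range(1, 6):
            for k in range(20):
                traffic.append((t + k / 20, f"10.0.0.{host}", 5))
        if t % 3 == 0:
            for client in range(10, 13):
                traffic.append((t + 0.5, f"192.0.2.{client}", 1))
    traffic.sort()  # arrival order
    return traffic


def serve(traffic, admit):
    """Simulate a rate-limited server.

    Each one-second bucket has CAPACITY_PER_SEC units; requests are served in
    arrival order while budget remains. `admit(ts, src)` is the pre-filter run
    before any capacity is consumed (always True means rate limiting only).
    Returns the number of requests served per source.
    """
    budget_left = {}
    served = defaultdict(int)
    for ts, src, cost in traffic:
        if not admit(ts, src):
            continue
        sec = int(ts)
        left = budget_left.get(sec, CAPACITY_PER_SEC)
        if cost <= left:
            budget_left[sec] = left - cost
            served[src] += 1
    return dict(served)


class FlowBlackholer:
    """Black-hole any source exceeding `max_requests` in a sliding `window`.

    Thresholds are assumptions for this example. Counting happens on arrival,
    before the capacity check, so requests the server has to refuse still
    count towards characterising the flow.
    """

    def __init__(self, max_requests=30, window=10.0):
        self.max_requests = max_requests
        self.window = window
        self.recent = defaultdict(deque)
        self.blackholed = set()

    def admit(self, ts, src):
        if src in self.blackholed:
            return False
        q = self.recent[src]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) > self.max_requests:
            self.blackholed.add(src)
            return False
        return True


def compare():
    """Serve the constructed traffic under both defences and summarise."""
    traffic = constructed_traffic()
    legit = {src for _, src, _ in traffic if src.startswith("192.0.2.")}
    outcomes = {
        "rate_limit_only": serve(traffic, lambda ts, src: True),
        "blackhole_attack_flows": serve(traffic, FlowBlackholer().admit),
    }
    summary = {}
    for name, served in outcomes.items():
        summary[name] = {
            "legit_served": sum(n for s, n in served.items() if s in legit),
            "attack_served": sum(n for s, n in served.items() if s not in legit),
        }
    return summary


if __name__ == "__main__":
    for name, counts in compare().items():
        print(f"{name}: {counts}")
```

Of the 60 legitimate requests, rate limiting alone serves none: the server survives, but every second's budget is gone by the time a legitimate request arrives. With flow black-holing, the only legitimate requests lost are the three sent before each attacker has crossed the detection threshold; the remaining 57 are served, and the attackers get through only until they are characterised. In production the same idea is applied upstream of the server (at the network edge or by a scrubbing service), since a flood large enough to saturate the access link cannot be fixed by anything behind it.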
DoS has long been a weapon of choice for hacktivist organisations such as Anonymous. Anonymous has a large membership and claims to have no leaders or formal structure. Rather, any member can issue a call to action over some matter they feel strongly about. If sufficient support is garnered during a period of recruitment, a core of relatively skilled hackers will try to compromise the target entity, e.g. by defacing its website or stealing embarrassing emails or user lists. If this fails, the fall-back is to call on the mass of supporters to perform a co-ordinated DoS attack using blunt instruments such as LOIC (Low Orbit Ion Cannon). LOIC was supposedly created as a legitimate network stress-testing tool; it simply floods the target address with a torrent of TCP or UDP packets, and because each participant runs it from their own machine without any anonymisation, the sources of such an attack are readily identifiable.
Hacktivism is usually presented as the work of libertarians acting in opposition to state oppression or corporate power. I have even heard it proposed that DoS should be protected in law as a means of peaceful protest.
Such mass-action distributed DoS (DDoS) platforms are sometimes referred to as voluntary botnets, to distinguish them from the centrally-controlled networks of compromised computers that criminal organisations use to perpetrate DDoS attacks. The motivation in the criminal case is typically extortion: money is demanded under threat of disrupting business activities, and the attacks we actually see are either launched against companies that defy the criminals or are demonstrations of power intended ‘to encourage the others’. The criminal gangs may build and operate the botnets themselves or, increasingly, rent them out as guns for hire.
DDoS has also been used as a means of applying political pressure and to support military activity. The two best-known examples are the pro-Russian attacks on Estonian government, banking and media websites in 2007 and the disruption to Georgian government and media websites during the conflict with Russia over South Ossetia in 2008.
The above is pretty well-known stuff, but my eye was caught recently by an article that claimed that DDoS was being used by unscrupulous companies to gain market advantage by knocking their competitors offline temporarily. This is hard to prove or disprove, given how difficult it is to trace an attack to whoever commissioned it: the traffic arrives from compromised or volunteered machines, and a rented botnet leaves no obvious link between the victim and the paying customer. So should DDoS really be interpreted as Dodgy Dealings on the Side?
Either way, every enterprise is a potential target and no-one is immune from attack, so it’s important to engineer your online services to limit their vulnerability (in particular, to avoid exposing expensive operations to unauthenticated requests) and to invest in services or technology that can detect and block malicious traffic before it reaches the resources that matter.