From Tin00 malware to the Mirai botnet, distributed-denial-of-service remains a powerful weapon in an attackers' arsenal
In July 1999, a set of computers infected with the Trin00 malware attacked and took down the network of the University of Minnesota. The episode marked the first recorded case of a distributed-denial-of-service (DDoS) attack.
20 years later, DDoS has evolved into one of the most serious security threats from the arsenal of both cybercrime gangs and nation-state actors.
What is DDoS?
As the name implies, the goal of DDoS attacks is to prevent the target website from providing service to its users by flooding its servers with bogus traffic and starving its resources.
Before engaging in DDoS, attackers typically assemble a “botnet”. Botnets are sets of computers compromised with a malware that enables the attacker, the “bot master,” to send them remote commands. After assembling their army of zombie devices, bot masters can launch DDoS attacks by commanding their botnet to simultaneously send fake requests to the target.
With a strong enough botnet, an attacker can overwhelm the targeted server and cause it to crash, preventing it from responding to requests from legitimate users.
Since the attack against the University of Minnesota, DDoS assaults by criminals have accounted for massive financial losses and damage to the reputation of targeted organizations.
In the past year alone, web hosting and content delivery giant Akamai recorded hundreds of DDoS attacks per week. A recent report by cybersecurity vendor Kaspersky Labs also found an 84% increase in the number of DDoS attacks in the first quarter of 2019, The Daily Swig reported.
Aside from frequency, DDoS attacks have grown in size and extent of damage that they can cause.
Domingo Ponce, director of global security operations at Akamai, has been on the front line of fighting DDoS for over ten years.
“When I started, we were protecting against hacktivism (like Anonymous), script kitties, and companies attacking each other (shady gambling sites),” he told The Daily Swig.
“Now DDoS is all grown up – attacks are state-sponsored, large criminal syndicates are involved, and DDoS is a very significant revenue-based black market industry.”
IoT insecurity fuels the fire
The expansion of the Internet of Things (IoT) has played a major role in the recent growth of DDoS attacks. Many of these devices forgo security because of reliance on default credentials, making them easy game for botnet viruses.
“Mirai was a turning point highlighting the power of DDoS botnets comprised of IoT devices,” Patrick Sullivan, Akamai’s senior director of security strategy, told The Daily Swig.
The Mirai botnet was behind a major DDoS attack against DNS provider Dyn, which caused a major internet outage in October 2016. The botnet comprised a large number of internet-connected cameras, home routers, and baby monitors.
“Not only do the sheer number of vulnerable IoT devices present a challenge, but attacker willingness to use these bots to perform Application Layer Attacks leads to higher levels of sophistication,” Sullivan said.
Protect and survive
Shortly after the Dyn attack in 2016, the hackers behind the Mirai botnet declared they would rent out their massive botnet for $7,500, marking the rise in DDoS-as-a-service, where cybercriminals need little or not technical knowledge to implement an attack.
The spread of DDoS attacks has also given rise to a market for DDoS mitigation.
“The only viable option is to deploy mitigation in even more distributed architectures,” Akamai’s Sullivan said.
“Even a massively scalable cloud solution deployed to a small number of locations and ISPs will struggle to contain the truly massive attacks. Peering points aren’t designed to handle huge spikes in traffic, and congestion will occur before traffic can route to mitigation points.”