Executive Summary
In the confidentiality, integrity, and availability metrics of information security, also known as the CIA
Triad, denial-of-service (DoS) attacks impact availability. In a broad context, the term 'denial-of-service' has a general definition covering many types of attacks. This analysis focuses on the types of
attacks generally referred to as distributed denial-of-service, or DDoS, attacks. DDoS attacks are most
often used to extort or damage businesses whose websites or online assets are a major source of
revenue, are an indicator of brand value, or are critical to operations. Although major DDoS attacks are
a rare occurrence for most organizations, they can have devastating effects. Anyone can become a
victim at any time, so it's important to implement mitigations and practice DDoS incident response
plans prior to a DDoS event.
A SYN flood is a common TCP protocol-layer attack. A SYN packet is the first part of the three-way
handshake that must complete before a TCP connection can be established. The server responds to the
client, the source of the original SYN packet, with a SYN+ACK packet as an acknowledgement. In a
normal TCP handshake, the server then waits to receive a final ACK packet from the client before
establishing a data connection. For a successful handshake, the client's source IP address must be
genuine, because the SYN+ACK is sent to that address. In a SYN flood, the attacker plays the role of the
client and the server is the target. The attacker sends SYN packets but never completes the handshake:
either it ignores the resulting SYN+ACK packets, or the SYN packets carry spoofed source addresses so
that the SYN+ACK packets go to bogus or unresponsive destinations. Either way, the target must hold
each half-open connection for a predetermined timeout before giving up on the final ACK. Because
network devices have practical limits on the number of half-open TCP connections they can hold,
sending enough SYN packets before that timeout is reached exhausts the available slots, and the server
will refuse additional connection attempts, including those from legitimate clients.
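The exhaustion described above comes down to one relationship: a flood that never answers the SYN+ACK holds slots at a steady-state rate of (SYN rate × timeout), and once that exceeds the table's capacity, legitimate SYNs are refused. The following simulation is an added example and not code from this paper; it models the server-side half-open connection table with a fixed timeout and runs constructed traffic through it. The capacity, timeout, rates and addresses are made-up values chosen to show the threshold, not measurements of any real system.

```python
"""Constructed simulation of a TCP half-open connection table under a SYN flood.

Added example, not code from the white paper. A SYN reserves a slot, the
matching final ACK releases it, and a slot whose ACK never arrives is held
until a fixed timeout expires. All numbers below are illustrative.
"""
from collections import OrderedDict


class HalfOpenTable:
    """Half-open (SYN received, SYN+ACK sent, final ACK pending) connections."""

    def __init__(self, capacity, timeout):
        self.capacity = capacity
        self.timeout = timeout
        # (src_ip, src_port) -> time the SYN arrived; insertion order == time order
        self.pending = OrderedDict()
        self.established = 0
        self.refused = 0

    def expire(self, now):
        # Give up on half-open entries whose final ACK did not arrive in time.
        while self.pending:
            _, t0 = next(iter(self.pending.items()))
            if now - t0 < self.timeout:
                break
            self.pending.popitem(last=False)

    def on_syn(self, key, now):
        """Return True if a slot was reserved for this SYN, False if it was refused."""
        self.expire(now)
        if key in self.pending:
            return True  # retransmitted SYN for a connection already tracked
        if len(self.pending) >= self.capacity:
            self.refused += 1
            return False
        self.pending[key] = now
        return True

    def on_ack(self, key, now):
        """Complete the handshake; False if the half-open entry is unknown or expired."""
        self.expire(now)
        if self.pending.pop(key, None) is None:
            return False
        self.established += 1
        return True


def exhausts_backlog(syn_rate, timeout, capacity):
    """A flood that never ACKs holds roughly syn_rate * timeout slots at steady state."""
    return syn_rate * timeout > capacity


def simulate(flood_rate, capacity=128, timeout=3.0, duration=10.0,
             legit_rate=20, rtt=0.05):
    """Legitimate clients ACK after one round trip; flood sources (spoofed) never do."""
    table = HalfOpenTable(capacity, timeout)
    events = []  # (time, order, kind, key, is_legit); ACKs sort after SYNs at equal times
    for i in range(int(legit_rate * duration)):
        t = i / legit_rate
        key = ("198.51.100.%d" % (i % 200 + 1), 40000 + i)  # constructed client addresses
        events.append((t, 0, "syn", key, True))
        events.append((t + rtt, 1, "ack", key, True))
    for j in range(int(flood_rate * duration)):
        t = j / flood_rate
        key = ("203.0.113.%d" % (j % 250 + 1), 1024 + j % 60000)  # constructed spoofed sources
        events.append((t, 0, "syn", key, False))
    events.sort()
    legit_refused = 0
    for t, _, kind, key, is_legit in events:
        if kind == "syn":
            if not table.on_syn(key, t) and is_legit:
                legit_refused += 1
        else:
            table.on_ack(key, t)
    return {
        "established": table.established,
        "legit_refused": legit_refused,
        "refused_total": table.refused,
        "half_open_at_end": len(table.pending),
    }


if __name__ == "__main__":
    for rate in (0, 30, 1000):
        print(rate, "SYN/s exhausts backlog:", exhausts_backlog(rate, 3.0, 128), simulate(rate))
```

With a 128-slot table and a 3-second timeout, 30 spoofed SYNs per second never fill the table and every legitimate client connects, while 1000 per second fills it within a fraction of a second and keeps it full, so almost every legitimate SYN is refused. The same arithmetic is why defenders care about both the timeout and the table size: shortening the hold time or increasing capacity raises the flood rate needed to cause an outage.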
SYN floods can be used to deny connections to common public-facing TCP protocol services like web
servers (HTTP), email (SMTP, POP3), and file transfer (FTP). These services use application-layer
protocols built on top of TCP. Modern DDoS tools also incorporate specific attacks to flood these
services with application-specific commands or requests designed to exhaust server resources. The
most common examples are web attack tools that send floods of malformed, difficult-to-service, or
bogus HTTP requests that occupy web server resources and deny availability of the targeted website
to legitimate users.
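Because the HTTP request floods described above occupy the web server with bogus or malformed requests rather than raw bandwidth, they are often visible first in the server's own access log. The following detector is an added example, not code from this paper: it parses access-log lines in the Apache "combined" format, tracks a per-source sliding window to catch request bursts, and flags sources whose requests are mostly errors or malformed request lines. The log lines, addresses and thresholds are constructed for the example, and the code assumes each source's lines appear in time order.

```python
"""Constructed example: spotting an HTTP request flood in web server access logs.

Added example, not code from the white paper. Log lines are generated here in
Apache 'combined' format with made-up addresses; thresholds are illustrative.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return a dict with ip, ts, status and a malformed flag, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    parts = m.group("req").split(" ")
    # A well-formed request line is "METHOD PATH HTTP/x.y"; anything else is malformed.
    malformed = len(parts) != 3 or not parts[2].startswith("HTTP/")
    return {"ip": m.group("ip"), "ts": ts, "status": int(m.group("status")),
            "malformed": malformed}


def detect_floods(lines, window_seconds=10, rate_threshold=50,
                  error_ratio_threshold=0.5, min_requests=20):
    """Alert on sources exceeding rate_threshold requests within any window_seconds span,
    and on sources whose requests are mostly errors (status >= 400) or malformed."""
    windows = defaultdict(deque)  # ip -> timestamps inside the current sliding window
    peak = defaultdict(int)
    totals = defaultdict(lambda: {"requests": 0, "bad": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not match the expected format
        ip, ts = rec["ip"], rec["ts"]
        q = windows[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
        totals[ip]["requests"] += 1
        if rec["malformed"] or rec["status"] >= 400:
            totals[ip]["bad"] += 1
    alerts = {}
    for ip, t in totals.items():
        reasons = []
        if peak[ip] > rate_threshold:
            reasons.append("rate")
        if t["requests"] >= min_requests and t["bad"] / t["requests"] >= error_ratio_threshold:
            reasons.append("errors")
        if reasons:
            alerts[ip] = {"peak_in_window": peak[ip],
                          "bad_ratio": round(t["bad"] / t["requests"], 2),
                          "reasons": reasons}
    return alerts


def build_sample_log():
    """Constructed access-log lines: one ordinary visitor and one flooding source."""
    base = datetime(2010, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    lines = []
    for k in range(6):  # ordinary visitor: one successful request every 10 seconds
        t = base + timedelta(seconds=10 * k)
        lines.append('198.51.100.7 - - [%s] "GET /page%d.html HTTP/1.1" 200 5120'
                     % (t.strftime(fmt), k))
    for k in range(120):  # flood: 120 requests in under 10 seconds, bogus or malformed
        t = base + timedelta(milliseconds=83 * k)
        if k % 3 == 0:
            req, status = "GET /%s HTTP/1.1" % ("x" * 20 + str(k)), 404  # nonexistent path
        else:
            req, status = "GET", 400  # malformed request line, no path or version
        lines.append('203.0.113.9 - - [%s] "%s" %d 0' % (t.strftime(fmt), req, status))
    return lines


if __name__ == "__main__":
    for ip, info in detect_floods(build_sample_log()).items():
        print(ip, info)
```

On the constructed log the visitor at 198.51.100.7 stays far below both thresholds, while 203.0.113.9 is flagged for rate (120 requests in one window) and for an error ratio of 1.0. In production the per-source view is only a starting point, since a distributed flood spreads the same pattern across thousands of bots; the error-ratio check still helps there because it does not depend on any single source being loud.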
clandestine DDoS trojans with built-in command-and-control (C2) functionality that automatically
enlists them in an army of similar bots under the control of one or more C2 server operators. Trojan
installation is typically accomplished through social engineering and the exploitation of software
vulnerabilities. Existing botnets can also be commanded to add DDoS capabilities by downloading
additional DDoS tools or modules using the original bot's downloader functionality. DDoS bots
generally hide their presence and are controlled remotely over a network via Internet Relay Chat (IRC),
HTTP, or a proprietary protocol.
"Darkness" and BlackEnergy 2 are examples of fully-featured DDoS botnet kits. Operators use these
tools to create large botnets that are often sold as a commercial service to perform DDoS attacks for
hire, such as the GhostMarket.net service or the China-based IM DDoS service. A typical price for the
daily rental of 10,000 DDoS bots is between $100 and $300 USD, typically paid for via non-reversible
wire or cash transfer services or in virtual electronic currencies with real-world analogs or value. The
price may vary considerably based on the physical or logical location of the bots. Bots in the same
country as the target, or fewer network "hops" away from the target, are generally worth more to an
attacker because defenders may block traffic from entire countries or continents or use a
geographically distributed content delivery network. Price is also affected by the upstream bandwidth
available to each bot. A bot with a faster fiber-optic connection would be worth more than a bot on a
slower cable modem or ADSL line, for example.
An approach becoming more popular among cyber terrorists and activists who attack targets for
social or political motives is the voluntary installation of DDoS attack tools by supporters who
sympathize or mobilize around a particular cause. Often these tools can be operated by the individual
at the computer. Tools such as E-Jihad 3.0 and Low Orbit Ion Cannon (LOIC) provide state-of-the-art
DDoS capabilities combined with a user-friendly graphical user interface (GUI) for local configuration
and operation. Operational parameters such as the target list and attack types are coordinated out-of-band, via posts to Internet forums, chat rooms or social networking sites, by an operational leader for
the cyber attack. The leader is often in the inner circle of the supporters for a cause or movement,
his or her authority emerging from a consensus of supporters. These tools can also be configured to
voluntarily turn remote control over to an operational team under the direct command of a leader.
This all-volunteer botnet allows easy use of donated computers and bandwidth to attack targets in a
very coordinated fashion using centralized C2 (typically over IRC or HTTP) without further active
participation by supporters. There is also evidence of DDoS tools configured with remote control
enabled and installed on compromised hosts without the owner's permission, in the same fashion as
traditional DDoS bots such as BlackEnergy. DDoS tools designed for volunteer use are developed and
provided free of charge.
Some tools are designed for security assessments or testing DoS attacks. Packet injectors and tools
like hping and httping are often used by authorized testers, but they can be used for malicious
purposes and adapted to distributed attacks.
versus the target's single domain name and limited number of IP addresses. The physical and
geographical limitations on mobilization are also removed. These factors amplify the effectiveness of
asymmetric attacks.
Although hacktivists - attackers who choose a target to exact revenge, punish, or make a point related
to the target's role or stance on certain social or political issues - make headlines, their
activity may not be as common as that of commercial DDoS botnet operators. Commercial DDoS
operators typically launch attacks that are as efficient and effective as possible against targets that
attract as little attention or compassion as possible. Commercial DDoS targets are not linked to any
hot-button issues and are often not the type of victim that makes headlines.
Hacktivist DDoS is the quintessential Internet-age manifestation of civil disorder. Today, however, the
social or political issues don't have to matter to a large part of the public in order to elicit a
significant disruptive response. In recent cases, websites with national visibility have been knocked
offline over issues as petty as bumper stickers. DDoS activity perpetrated by hacktivists is not new, and
it's always been a part of the Internet landscape. DDoS activity in general is following the same natural
growth curve as Internet adoption by the general public. Despite a public perception anecdotally
reinforced by attacks on Estonia, Lithuania, and Kyrgyzstan by large, self-mobilized, "cyber militias", the
severity of hacktivist activity seems to track the availability of Internet bandwidth. That is, there appears
to be nothing special about the current environment that has led to increased activity or adoption
trends compared to historical averages.
That said, attacks can be very different in motive and severity, even among different attacks on the
same target. What has "changed" in recent attacks is the degree of awareness - the level to which the
issues, the perpetrators, and the targets have become part of the public consciousness. When DDoS
attacks were launched in conjunction with a Russian military strike on the country of Georgia, cyber
warfare became front page news.
Because an organization's domain name and primary website are integral to its brand, attacks affecting
the website's availability can have significant effects on brand value, public perception, and reputation.
This damage may be more difficult to measure quantitatively.
Both revenue and reputation can be targets of DDoS attacks by hacktivists. It's often difficult to predict
what qualities about an organization's business attract the attention of a hacktivist group, and in some
cases, attack targeting is based on abstract linkages or erroneous attributions by the attackers. When
DDoS attackers take aim at each other, one side will often attempt to subvert the other's target list,
sometimes with innocent bystanders' IP addresses and domain names. Participants in a DDoS battle
might update their DNS with IP addresses of third-parties to deflect an attack. Other times, a
misunderstanding (easyDNS instead of EveryDNS) or a simple typographical error (".es" instead of ".se")
can result in an inadvertent attack on the wrong target.
Attacks can and often do cause collateral damage. An organization that has shared network, data
center, or server infrastructure with a target may also be affected. In the instance where a business
relies on cloud services, the shared resource architecture exposes the business to collateral damage
from DDoS attacks, and mitigation depends almost entirely on the cloud computing provider's
capabilities. From a business risk management perspective, a DDoS attack on critical-path cloud
services becomes a supply chain attack. An organization can be completely neutral and still become a
victim.
Appliances, tools, and services can be used to assess the performance of network devices, network
services and applications under load.
Network devices and system networking protocol stacks should be tested for performance under load.
Such testing often overlooks how network devices and host interfaces perform when handling
fragmented packets, nonstandard packets (too large or too small, or with irregular structures), and
specially crafted packets and streams (unusual combinations of flags, options, source or destination
addresses, or ports).
Load testing applications is an important part of the quality assurance phase of software engineering
lifecycles. Applications often fail before bandwidth is exhausted. Transactional integrity for databases
and graceful degradation of applications should be part of design requirements. This testing can be
critical to quick recovery by preventing attack-related corruption of data.
Because DDoS attacks have network vectors, organizations should discuss DDoS contingencies with
network and internetworking service providers, including those responsible for network peering and
upstream and downstream transit.
Sinkholing reroutes attack traffic to a destination where it can be analyzed. Sinkholes may reroute
known-good traffic, block traffic identified as malicious, and provide intelligence such as IP addresses
(if they are not spoofed) for source blocking by upstream network providers. Sinkholes are subject to
the effects of the volume of traffic redirected to them and may not operate effectively under large
scale attacks.
Upstream network providers and registrars may provide, or partner with providers of, specialized
blackholing, sinkholing, and packet-scrubbing services designed for large-scale DDoS attack
mitigation.
In dealing with attacks across national and political borders, every legal system is different. Even where
the foundational legal doctrine is similar, case law and public trust issues will impact how, and even if,
some parties will be charged and successfully prosecuted. Jurisdiction is usually determined by the
place where the act was committed. This concept presumes that a criminal act is committed by some
person, so the location of that person usually decides jurisdiction. However, this is not always the case
with all crimes under all circumstances, and there may be different rules in play if the actual location is
indeterminate or - as with many cyber attacks - unclear under current legal notions of what defines a
"location" in cyberspace. Some legal systems may operate under additional stipulations, such as a
requirement that jurisdiction take into account the location or nationality of the victim or complainant. These
factors are often major hurdles, even when criminal activity has been concretely linked to the suspect
individual or party. In some recent cases, political and diplomatic roadblocks will likely play a larger
role than in the past.
In the United States, there is a movement toward classifying some incidents under the military
definition of an attack and putting a framework in place where the military could be authorized to
launch a counter-attack and the President would be empowered to order U.S. networks isolated from
foreign attacks to protect critical national infrastructure. Banking and finance are a critical national
infrastructure sector as defined by the U.S. national Critical Infrastructure Protection (CIP) program
and are the most common targets of DDoS attacks. However, in recent cases, DDoS attacks focus on
distractions or media battles, and are not attacks primarily intended to destroy or deny the use of
critical infrastructure.
In the current threat landscape, law enforcement organizations are ultimately responsible for
enforcing laws related to digital crimes. Impacted organizations are ultimately responsible for their
security posture. Perpetrators of computer crimes are ultimately responsible for the consequences of
their actions.
Learn More
Dell Inc. (NASDAQ: DELL) listens to customers and delivers worldwide innovative technology and
business solutions they trust and value. Recognized as an industry leader by top analysts, Dell
SecureWorks provides world-class information security services to help organizations of all sizes
protect their IT assets, comply with regulations and reduce security costs. For more information, visit
www.secureworks.com.