Last Friday’s massive DDoS attack against Dyn.com and its DNS services slowed down or knocked out internet connectivity for millions of users for much of the day. Unfortunately, these sorts of attacks cannot be easily mitigated. We have to live with them for now.

Huge DDoS attacks that take down entire sites can be accomplished for a pittance. In the age of the insecure internet of things, hackers have plenty of free firepower. Say the wrong thing against the wrong person and you can be removed from the web, as Brian Krebs recently discovered.


Krebs' warning is not hyperbole. For my entire career I’ve had to be careful about saying the wrong thing about the wrong person for fear that I or my employers would be taken down or doxxed. Krebs became a victim even with the assistance of some of the world’s best anti-DDoS services.

Imagine if our police communications were routinely taken down simply because they sent out APBs on criminal suspects or arrested them. Online hackers have certainly tried. Plenty of them have successfully hacked the online assets of police departments and doxxed their employees.

Flailing at DDoS attacks

Readers, reporters, and friends have asked me what we can do to stop DDoS attacks, which break previous malicious traffic records every year. We're now seeing DDoS attacks that reach traffic rates exceeding 1Tbps. That’s insane! I remember being awed when attacks hit 100Mbps.

You can’t stop DDoS attacks because they can be accomplished anywhere along the OSI model -- and at each level dozens of different attacks can be performed. Even if you could secure an intended victim's site perfectly, the hacker could attack upstream until the pain reached a point where the victim would be dropped to save everyone else.

Because DDoS attackers use other people's computers or devices, it’s tough to shut down the attacks without taking out command-and-control centers. Krebs and others have helped nab a few of the worst DDoS attackers, but as with any criminal endeavor, new villains emerge to replace those arrested.

The threats to the internet go beyond DDoS attacks, of course. The internet is rife with spam, malware, and malicious criminals who steal tens of millions of dollars every day from unsuspecting victims. All of this activity is focused on a global network that is more and more mission-critical every day. Even activities never intended to be online -- banking, health care, control of the electrical grid -- now rely on the stability of the internet.

That stability does not exist. The internet can be taken down by disgruntled teenagers.

What would it take?

Fixing that sad state of affairs would take a complete rebuild of the internet -- version 2.0. Version 1.0 of the internet is like a hobbyist's network that never went pro. The majority of it runs on lowest-cost identity and zero trust assurance.

For example, anyone can send an email (legitimate or otherwise) to almost any other email server in the world, and that email server will process the message to some extent. If you repeat that process 10 million times, the same result will occur.

The email server doesn’t care if the email claims to be from Donald Trump and originates from China or Russia’s IP address space. It doesn’t know if Trump’s identity was verified by using a simple password, two-factor authentication, or a biometric marker. There’s no way for the server to know whether that email came from the same place as all previous Trump emails or whether it was sent during Trump’s normal work hours. The email server simply eats and eats emails, with no way to know whether a particular connection is more or less trustworthy than normal.

Internet 2.0

I believe the world would be willing to pay for a new internet, one in which the minimum identity verification is two-factor or biometric. I also think that, in exchange for much greater security, people would be willing to accept a slightly higher price for connected devices -- all of which would have embedded crypto chips to assure that a device or person’s digital certificate hadn’t been stolen or compromised.

This professional-grade internet would have several centralized services, much like DNS today, that would be dedicated to detecting and communicating about badness to all participants. If someone’s computer or account was taken over by hackers or malware, that event could quickly be communicated to everyone who uses the same connection. Moreover, when that person’s computer was cleaned up, centralized services would communicate that status to others. Each network connection would be measured for trustworthiness, and each partner would decide how to treat each incoming connection based on the connection’s rating.

This would effectively mean the end of anonymity on the internet. For those who prefer today's (relative) anonymity, the current internet would be maintained.

But people like me and the companies I've worked for that want more safety would be able to get it. After all, many services already offer safe and less safe versions of their products. For example, I’ve been using Internet Relay Chat (IRC) for decades. Most IRC channels are unauthenticated and subject to frequent hacker attacks, but you can opt for a more reliable and secure IRC. I want the same for every protocol and service on the internet.

I’ve been writing about the need for a more trustworthy internet for a decade-plus. The only detail that has changed is that the internet has become increasingly mission-critical -- and the hacks have grown much worse. At some point, we won’t be able to tolerate teenagers taking us offline whenever they like.

Is that day here yet?


InfoWorld Security Adviser

Considering the magnitude of the recent DDoS attack on Dyn, which almost brought down the internet, all sysadmins must take action to prevent their devices from taking part in future attacks.

As many of you might have noticed, at least from the news headlines, a few weeks ago there was a huge internet outage that impacted the availability of dozens of major sites, including popular ones like Twitter, Reddit, CNN, the Guardian, and many others. This was the result of a devastatingly simple attack on one of the main providers of the core services underpinning the Internet.

Dyn, one of the major providers of DNS services on the Internet, with customers ranging from end users to some of the most recognizable names on the web, experienced what may prove to be the largest Distributed Denial of Service (DDoS) attack in history, with a reported attack strength of 1.2Tbps. While Dyn was the target, potentially millions of people were victims. Unfortunately, many of those victims were also unwitting accomplices in the attack.

I called the attack simple, because at its heart, a DDoS attack is simple. To execute such a Denial of Service attack, you simply need to overwhelm the target with so many requests that it is unable to service valid ones. When the target has more computing resources than you can attack with, you need to leverage others in a distributed fashion, causing a DDoS. DDoS attacks are nothing new, but this particular one has several features that make it an historic event.

We all know how critical a high performing and responsive DNS is for all users of the Internet. By attacking one of the core providers of DNS services, the attack rendered dozens of marquee brands inaccessible, including Amazon, Netflix, PayPal, Spotify, and more, along with an untold number of smaller sites. Odds are pretty good that you use at least one of those companies on a regular basis, and if you are on the East Coast of the United States, you probably felt the impact of the first wave. There were as many as three coordinated attacks, with the second having more global impact and the third being successfully defended against.

Several different groups have either claimed responsibility, been accused, or at least didn’t deny allegations for responsibility, but we want to look at the participating nodes in the attack, rather than the mastermind who coordinated them. Because not only was the target new and high impact, but the method of attack was too. DDoS attacks are nothing new, but this attack leveraged the Mirai botnet, one of the many pieces of malware out there infecting untold numbers of systems. But in this case, based on the logs Dyn collected, we can tell that the number is at least 100,000 malicious nodes. The attack was compounded by legitimate DNS clients retrying their queries, and that number rose into the tens of millions.

What makes Mirai particularly notable is that it can compromise any number of devices, typically associated with the Internet of Things, to make them unwitting zombies and participants in a DDoS attack. Whether these are webcams, DVRs, programmable thermostats, temperature or light sensors, or any other IoT devices, they are all running a stripped down and optimized version of Linux which is built for simplicity of setup, not security. And when a user downloads an infected file and the Mirai malware executes, it scans the local network for devices it can recognize and attack, using known vulnerabilities and default passwords. Once it is in, that cool IoT device is now a zombie just waiting for orders to attack.

The scale of this attack, and the fact that it used devices we’re normally not taking care of, makes it a real wake-up call for IT administrators, but also for various IoT device users in general. Think not only about the flaws in your patch management strategy at work, but more about the complete lack of patch management strategies that exist at the homes of most, if not all your coworkers, friends, and family.

Do they run vulnerability scans regularly? Manage and deploy patches to all nodes under their control? Run web filtering software or setup home firewalls so compromised devices cannot hit the Internet directly? Of course not! And that’s why Mirai was able to leverage so many hosts in its DDoS. It grabbed the low hanging fruit that we have all ignored, and we’ve only seen the tip of the iceberg here.

While defending against a DDoS may be beyond the capabilities and capacities of many of us, we can at least ensure that we are not contributing to the problem, so here’s a list of things all of us can do to help.

Everyone, even at home, can do these first two:

  • Ensure we keep all our devices (computers, mobile devices, tablets, network hardware, IoT devices, and anything else that is network capable) patched and up to date;
  • ALWAYS change the default passwords on EVERY device that has a network connection, even when it is a home use device on an internal network;

And at work, you can do even more:

  • Set up outbound egress filters at work to ensure that only devices which need to directly connect to the Internet can do so;
  • If you provide DNS services internally, then no other devices but your DNS servers should need to directly make DNS queries to external servers;
  • Web filtering is a great way to protect users from downloading malware or executing malicious scripts, which is how Mirai started, and keeping an eye on your web traffic with tools such as GFI WebMonitor is also a good way to make sure your network is not taking part in anything shady;
  • End users don’t need to ping external hosts, but make sure your admins can, and that you allow ICMP internally;
  • Consider whether your end users really do need admin rights on their workstations, since there’s very little malware can do executing with regular user privileges;
  • Use vulnerability scanning software such as GFI LanGuard on all your systems regularly, to ensure you don’t have any vulnerable devices in the network you’re managing;
  • I mentioned it above, but for companies this is much more important: use patch management software to keep all your systems up to date, for both operating system and third party application needs.

Keep in mind that while Mirai took out Dyn for hours by leveraging vulnerable devices with default configurations, it first got to those devices as malware executed on unguarded and unpatched workstations. With hundreds of thousands of systems hammering Dyn, most of us probably felt the impact of that attack, but never thought that we could be a part of the attack.

So, it’s in all of our best interests to help make sure we’re not a part of the problem, by patching everything that needs to be patched, and by preventing our devices from becoming an integral part of such attacks. Next time you angrily dismiss a Windows Update notification, remember these words.


GFI Blog

Internet of Things (IoT)—an emerging network of devices (e.g., printers, routers, video cameras, smart TVs) that connect to one another via the Internet, often automatically sending and receiving data

Recently, IoT devices have been used to create large-scale botnets—networks of devices infected with self-propagating malware—that can execute crippling distributed denial-of-service (DDoS) attacks. IoT devices are particularly susceptible to malware, so protecting these devices and connected hardware is critical to protect systems and networks.

On September 20, 2016, Brian Krebs’ security blog (krebsonsecurity.com) was targeted by a massive DDoS attack, one of the largest on record, exceeding 620 gigabits per second (Gbps).[1] An IoT botnet powered by Mirai malware created the DDoS attack. The Mirai malware continuously scans the Internet for vulnerable IoT devices, which are then infected and used in botnet attacks. The Mirai bot uses a short list of 62 common default usernames and passwords to scan for vulnerable devices. Because many IoT devices are unsecured or weakly secured, this short dictionary allows the bot to access hundreds of thousands of devices.[2] The purported Mirai author claimed that over 380,000 IoT devices were enslaved by the Mirai malware in the attack on Krebs’ website.[3]

In late September, a separate Mirai attack on French webhost OVH broke the record for largest recorded DDoS attack. That DDoS was at least 1.1 terabits per second (Tbps), and may have been as large as 1.5 Tbps.[4]

The IoT devices affected in the latest Mirai incidents were primarily home routers, network-enabled cameras, and digital video recorders.[5] Mirai malware source code was published online at the end of September, opening the door to more widespread use of the code to create other DDoS attacks.

In early October, Krebs on Security reported on a separate malware family responsible for other IoT botnet attacks.[6] This other malware, whose source code is not yet public, is named Bashlite. This malware also infects systems through default usernames and passwords. Level 3 Communications, a security firm, indicated that the Bashlite botnet may have about one million enslaved IoT devices.[7]

With the release of the Mirai source code on the Internet, there are increased risks of more botnets being generated. Both Mirai and Bashlite can exploit the numerous IoT devices that still use default passwords and are easily compromised. Such botnet attacks could severely disrupt an organization’s communications or cause significant financial harm.

Software that is not designed to be secure contains vulnerabilities that can be exploited. Software-connected devices collect data and credentials that could then be sent to an adversary’s collection point in a back-end application.

Cybersecurity professionals should harden networks against the possibility of a DDoS attack. For more information on DDoS attacks, please refer to US-CERT Security Publication DDoS Quick Guide and the US-CERT Alert on UDP-Based Amplification Attacks.


In order to remove the Mirai malware from an infected IoT device, users and administrators should take the following actions:

  • Disconnect device from the network.
  • While disconnected from the network and Internet, perform a reboot. Because Mirai malware exists in dynamic memory, rebooting the device clears the malware [8].
  • Ensure that the password for accessing the device has been changed from the default password to a strong password. See US-CERT Tip Choosing and Protecting Passwords for more information.
  • You should reconnect to the network only after rebooting and changing the password. If you reconnect before changing the password, the device could be quickly reinfected with the Mirai malware.

Preventive Steps

In order to prevent a malware infection on an IoT device, users and administrators should take the following precautions:

  • Ensure all default passwords are changed to strong passwords. Default usernames and passwords for most devices can easily be found on the Internet, making devices with default passwords extremely vulnerable.
  • Update IoT devices with security patches as soon as patches become available.
  • Disable Universal Plug and Play (UPnP) on routers unless absolutely necessary.[9]
  • Purchase IoT devices from companies with a reputation for providing secure devices.
  • Consumers should be aware of the capabilities of the devices and appliances installed in their homes and businesses. If a device comes with a default password or an open Wi-Fi connection, consumers should change the password and only allow it to operate on a home network with a secured Wi-Fi router.
  • Understand the capabilities of any medical devices intended for at-home use. If the device transmits data or can be operated remotely, it has the potential to be infected.
  • Monitor Internet Protocol (IP) port 2323/TCP and port 23/TCP for attempts to gain unauthorized control over IoT devices using the network terminal (Telnet) protocol.[10]
  • Look for suspicious traffic on port 48101. Infected devices often attempt to spread malware by using port 48101 to send results to the threat actor.
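The monitoring points in the list above (Telnet probing on 23/TCP and 2323/TCP, and traffic to port 48101) and the GFI rule earlier on this page that only your DNS servers should query external resolvers can be checked against a flow log. The following is an added example, not code from US-CERT, GFI or any of the articles quoted here; the one-line flow format, the internal range 10.0.0.0/8 and the allowed resolver 10.0.0.53 are assumptions, and the sample log is constructed from documentation IP ranges.

```python
# Flow-log review for the IoT-botnet indicators named in the guidance above.
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

# Indicators from the US-CERT list: Telnet probing on 23/2323, reporting on 48101.
TELNET_PORTS = {23, 2323}
REPORT_PORT = 48101

# Assumptions: the site's internal range and the only hosts that should send
# DNS queries to the outside (the GFI "only your DNS servers" rule).
INTERNAL = ip_network("10.0.0.0/8")
ALLOWED_RESOLVERS = {ip_address("10.0.0.53")}


@dataclass(frozen=True)
class Flow:
    src: IPv4Address
    sport: int
    dst: IPv4Address
    dport: int
    proto: str


def parse_flows(text):
    """Parse constructed 'src:sport dst:dport proto' lines; skip blanks and comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto = line.split()
        s_ip, s_port = src.rsplit(":", 1)
        d_ip, d_port = dst.rsplit(":", 1)
        flows.append(Flow(ip_address(s_ip), int(s_port),
                          ip_address(d_ip), int(d_port), proto.lower()))
    return flows


def telnet_scanners(flows, min_targets=3):
    """Sources probing Telnet on at least min_targets distinct internal hosts.

    Returns (source, 'external'|'internal', target_count). An internal source
    is the urgent case: an already infected device hunting for neighbours.
    """
    targets = defaultdict(set)
    for f in flows:
        if f.proto == "tcp" and f.dport in TELNET_PORTS and f.dst in INTERNAL:
            targets[f.src].add(f.dst)
    hits = []
    for src, seen in targets.items():
        if len(seen) >= min_targets:
            side = "internal" if src in INTERNAL else "external"
            hits.append((str(src), side, len(seen)))
    return sorted(hits)


def report_port_talkers(flows):
    """Internal hosts connecting out to 48101: treat as already infected."""
    return sorted({str(f.src) for f in flows
                   if f.src in INTERNAL and f.dst not in INTERNAL
                   and f.proto == "tcp" and f.dport == REPORT_PORT})


def rogue_resolvers(flows):
    """Internal hosts other than the allowed resolvers sending DNS outside."""
    return sorted({str(f.src) for f in flows
                   if f.src in INTERNAL and f.dst not in INTERNAL
                   and f.dport == 53 and f.src not in ALLOWED_RESOLVERS})


def review(text):
    """Run all three checks over one log and return the findings."""
    flows = parse_flows(text)
    return {
        "telnet_scanners": telnet_scanners(flows),
        "report_port_talkers": report_port_talkers(flows),
        "rogue_resolvers": rogue_resolvers(flows),
    }


# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE_LOG = """
# src:sport dst:dport proto
198.51.100.7:41022 10.0.1.10:23 tcp
198.51.100.7:41023 10.0.1.11:23 tcp
198.51.100.7:41024 10.0.1.12:2323 tcp
198.51.100.7:41025 10.0.1.13:2323 tcp
203.0.113.9:5100 10.0.1.10:23 tcp
10.0.1.12:39000 203.0.113.77:48101 tcp
10.0.1.12:39001 10.0.1.20:23 tcp
10.0.1.12:39002 10.0.1.21:23 tcp
10.0.1.12:39003 10.0.1.22:2323 tcp
10.0.0.53:53011 192.0.2.1:53 udp
10.0.1.30:51000 198.51.100.53:53 udp
10.0.1.10:44000 203.0.113.5:443 tcp
"""

if __name__ == "__main__":
    for check, findings in review(SAMPLE_LOG).items():
        print(f"{check}: {findings}")
```

On the sample, 10.0.1.12 shows up in both the 48101 and the internal Telnet-probing checks, which is the combination the removal steps above are meant for: disconnect, reboot, change the password, then reconnect.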

US-CERT Alerts

Security blogger Krebs says IoT DDoS attack was payback for a blog

Security blogger Brian Krebs says a massive distributed denial-of-service attack that took down his website last week was likely the consequence of his outing of two Israelis who ran a DDoS-for-hire business.

The pair, whom he identifies as Itay Huri and Yarden Bidani, both 18, were arrested in Israel at the request of the FBI six days after Krebs posted his blog and are now under house arrest.


He thinks this blog posted Sept. 16 irked them or their confederates to retaliate with the attack against Krebs' site using a botnet of hundreds of thousands or perhaps a million hijacked internet of things devices, mainly cameras, routers, and DVRs.

He says the attack included the text string "freeapplej4ck," an apparent reference to one of the two arrested Israelis, who goes by the hacker name Applej4ck.

Huri and Bidani ran vDOS, a business that sold subscriptions to a DDoS attack platform for between $20 and $200 per month.

If Krebs' suspicions are true, it means that malicious actors with relatively modest means can summon up giant botnets comprised of IoT devices and deliver unheard of volumes of DDoS traffic.


A similar attack against the French hosting provider OVH topped out at 1.5Tbps using an army of bots. "This botnet with 145607 cameras/dvr (1-30Mbps per IP) is able to send >1.5Tbps DDoS," according to a tweet by Octave Klaba, the founder of OVH.

The attacks are apparently continuing, Klaba tweeted today: "+6857 new cameras participated in the DDoS last 48H."

Earlier this month, security expert Bruce Schneier warned in a blog that unknown parties seem to be systematically testing how resilient key internet infrastructure is to DDoS attacks. He says his information comes from companies that provide the infrastructure, but that he couldn't name because they spoke to him under conditions of anonymity.

The attacks seem carefully measured to reach a certain volume of traffic, then stop. Later, they resume at the same level of intensity and gradually increase, which is indicative of attempts to quantify just what it would take to break each victim's network, Schneier says.

The unknown attackers throw different types of attacks against the networks they are testing, he says, to evaluate what tools the victims have and how effective they are.

He says he doesn't know who is behind these probing attacks, but speculates it is a nation and a large one at that, but probably not an activist or researcher or even criminals. He mentions Russia and China.

"It feels like a nation's military cybercommand trying to calibrate its weaponry in the case of cyberwar. It reminds me of the US's Cold War program of flying high-altitude planes over the Soviet Union to force their air-defense systems to turn on, to map their capabilities," Schneier writes.

This story, "Security blogger Krebs says IoT DDoS attack was payback for a blog" was originally published by Network World.

The world's largest distributed denial of service (DDoS) attack has been clocked from the same network of 152,463 compromised low-powered cameras and internet-of-things devices which punted a media outlet off the internet.

Two concurrent attacks against French hosting provider OVH clocked in at a combined 990Gbps, larger than any other reported.

The same fleet of networked junk also scored the world's largest single DDoS attack when it offed cyber crime publication Krebs On Security in attacks tipping 620Gbps.

OVH chief technology officer Octave Klaba says the growing fleet of cameras and digital video recorders has the capability to deliver a multi-vector 1.5 Tbps DDoS attack.

Google is now bearing the brunt of the embedded device floods after it provided free DDoS mitigation services to Krebs on Security, stepping in after Akamai withdrew expensive pro bono support.


The Register - Security

Security researchers have been warning for years that poor security for internet of things devices could have serious consequences. We're now seeing those warnings come true, with botnets made up of compromised IoT devices capable of launching distributed denial-of-service attacks of unprecedented scale.

Octave Klaba, the founder and CTO of French hosting firm OVH, sounded the alarm on Twitter last week when his company was hit with two concurrent DDoS attacks whose combined bandwidth reached almost 1 terabit per second. One of the two attacks peaked at 799Gbps alone, making it the largest ever reported.


According to Klaba, the attack targeted Minecraft servers hosted on OVH's network, and the source of the junk traffic was a botnet made up of 145,607 hacked digital video recorders and IP cameras.

With the ability to generate traffic of 1Mbps to 30Mbps from every single Internet Protocol (IP) address, this botnet is able to launch DDoS attacks that exceed 1.5Tbps, Klaba warned.

The OVH incident came after krebsonsecurity.com, cybersecurity journalist Brian Krebs' website, was the target of a record DDoS attack that flooded the site at a rate of 620Gbps. The attack eventually forced content delivery and DDoS mitigation provider Akamai to suspend its pro bono service to Krebs, pushing the site offline for several days.

According to Krebs, the attack was nearly twice the size of the largest attack Akamai had seen before, and would have cost the company millions of dollars if it had been allowed to continue.

"There is every indication that this attack was launched with the help of a botnet that has enslaved a large number of hacked so-called 'Internet of Things,' (IoT) devices -- mainly routers, IP cameras and digital video recorders (DVRs) that are exposed to the Internet and protected with weak or hard-coded passwords," Krebs said in a blog post after his website came back online under the protection of Google Project Shield.

On Thursday, antivirus and security vendor Symantec published a report warning that insecure IoT devices are increasingly hijacked and used to launch DDoS attacks. The company has seen the number of cross-platform DDoS malware programs that can infect Linux-based systems soar in 2015 and continue this year. These threats are designed to run on Linux-based firmware for CPU architectures commonly used in embedded and IoT devices.

Symantec's data shows that most of these systems are not compromised through sophisticated or device-specific vulnerabilities, but due to a lack of basic security controls. Attackers typically scan the internet for devices with open Telnet or SSH ports and try to log in with default administrative credentials. That's unfortunately all it takes today to build a large IoT botnet.

And while IoT-powered DDoS attacks have now reached unprecedented size, there have been warning signs for several years that they were coming. In October 2015, security firm Incapsula mitigated a DDoS attack launched from around 900 closed-circuit television (CCTV) cameras and in June DDoS protection provider Arbor Networks warned that there are over 100 botnets built using Linux malware for embedded devices.

Securing the internet of things should become a major priority now that an army of compromised devices, perhaps 1 million strong, has swamped one of the industry’s top distributed denial-of-service protection services.

A giant botnet made up of hijacked internet-connected things like cameras, lightbulbs, and thermostats has launched the largest DDoS attack ever against a top security blogger, an attack so big Akamai had to cancel his account because defending it ate up too many resources.


It wasn’t that Akamai couldn’t mitigate the attack (it did so for three days), but doing so became too costly, so the company made a business decision to cut the affected customer loose, says Andy Ellis, the company’s chief security officer.


The content delivery network has dropped protection for the Krebs on Security blog written by Brian Krebs after an attack delivering 665Gbps of traffic overwhelmed his site Tuesday. The size of the attack was nearly double that of any Akamai had seen before.

An IoT botnet generating this much traffic is a bellwether event that Ellis says will take some time to analyze to come up with more efficient mitigation tools.

Its impact is similar to the 2010 attacks by Anonymous using the open source, low-orbit ion cannon tool, or the 2014 DDoS attacks launched from compromised Joomla and WordPress servers, he says.

The lesson for enterprises is that the DDoS protections they have in place need to be tweaked to handle higher attack volumes, he says.

IoT exploited

The massive Krebs on Security assault is the work of a botnet made up primarily of internet of things devices, according to Akamai. So many devices were used, in fact, that the attacker didn’t have to employ common tactics that amplify the impact of individual devices, Ellis says.

The number of machines in the latest botnet is still unknown, and could be as large as a million. “We’re still trying to size it,” he says. “We think that might be an overestimate but it’s also possible that will be a real estimate once we get into the numbers.”

With estimates of 21 billion IoT devices by 2020, the scale of botnets that might be created by these relatively unprotected machines could be enormous, says Dave Lewis, a global security advocate for Akamai who spoke Thursday at the Security of Things Forum in Cambridge, Mass.


“What if an attacker injects code into devices to create a Fitbit botnet?” he says. Researchers have already shown it’s possible to wirelessly load malware onto a Fitbit in less than 10 seconds, he says, so the possibility isn’t far-fetched.

Some of the attacking machines are running clients known to run on cameras, he says. “It’s possible they are faking it or it’s possible it’s a camera that was doing these attacks,” he says. “There are indicators that there are IoT devices here, at scale.”

The attack didn’t use reflection or amplification, so all the traffic consisted of legitimate HTTP requests to overwhelm Krebs’s site, Ellis says. “It’s not junk traffic.”

A lot of things about the attack are still unknown such as who’s behind it and what method the botmasters used to infect the individual bots.

Ellis says some other providers Akamai had contacted report similar but smaller attacks likely from the same botnet. Many of them were aimed toward gaming sites, and Krebs has written about such attacks, so there may be a connection there, he says.


Akamai will analyze the attack and devise tools to fight similar attacks, Ellis says.

Krebs has tweeted about the attack after Akamai stopped protecting his site. “I can't really fault Akamai for their decision. I likely cost them a ton of money today,” he wrote. “So long everyone. It's been real.”

This story, "Largest DDoS attack ever delivered by botnet of hijacked IoT devices " was originally published by Network World.

InfoWorld Security

Google has provided free distributed denial of service attack (DDoS) mitigation services to security publication Krebs on Security, stepping in after Akamai withdrew support.

The information security site was last week hammered with a 620Gbps DDoS attack, widely rated one of the world's largest by volume of junk data.

Mitigation platform Akamai soaked up the attack traffic under pro bono protection it offered Krebs until it cut the site loose claiming it could no longer shield the site without impacting paying customers.

Krebs went offline to shield his hosting provider and returned today under Google's free DDoS attack mitigation service Project Shield. Google provides the shield to verified journalists and non-profit organisations.

Krebs on Security focuses on information-security-related crime and is known for revealing the suspected identities of those behind attacks.

As a result it has sparked the ire of many online criminals who launch regular DDoS attacks against the site, and often mock Krebs on Security journalist Brian Krebs in crime forums.

The site recently exposed vDOS, a DDoS attack service known as a booter, which provided what it called stress testing services to customers.

Booters are sold as legitimate tools for admins to test their own network resilience against DDoS, but are more often than not used in illegal DDoS attacks against various sites. The service saw its alleged operators arrested in an FBI sting.


The Register - Security

The dust, waves and jubilation have settled on the sports festivities of this past summer. Since we’re in the business of cybersecurity, let’s reflect on one of the malicious activities that attempted to derail focus from this spirited event.

Going into the games, many analysts expected the event to be marred by cybercriminal activity spanning multiple types of network attack vectors. A reported attack by cybercrime group Anonymous seems to have confirmed those fears. Perhaps the most concerning part of this attack is the development of a custom tool that enables bad actors to conduct distributed denial-of-service (DDoS) attacks. Are targeted tools the next big concern for those in charge of securing high-profile, global events?

Anonymous Tip

The first phase of the DDoS attacks primarily focused on several targets within Brazil. According to HackRead, the targets included the official websites of the Brazilian federal government, the state government of Rio de Janeiro, the Ministry of Sports and others. The second phase emphasized the retrieval of financial data and login credentials belonging to organizations such as the Brazilian Confederation of Modern Pentathlon, Brazilian Handball Confederation, Brazilian Confederation of Boxing and Brazilian Triathlon Confederation.

According to research by IBM X-Force, Anonymous posted a spreadsheet of this information to its private Internet Relay Chat (IRC) channel, alongside hashed passwords corresponding to registered users of all these sites. Anonymous tweeted about its website takedown initiative and posted the results on its Facebook page.

Takedown Tools

In the old days, users within the Anonymous IRC channels had to use a tool called Low Orbit Ion Cannon (LOIC) to join coordinated DDoS attacks. The LOIC tool is connected to IRC in a way that enables remote control of its activity. Along with a capability called hivemind mode, computers equipped with LOIC can behave as part of a large botnet. That's how IRC channel operators were able to quickly take down targeted websites.

The LOIC tool's unique capabilities also came with some interesting insights. For example, anyone could log in to an Anonymous Operations channel to see how many bots were in the hive. This allowed channel operators to tout the level of strength they had for a DDoS attack when they threatened a victim.

DDoS for Dummies

For their DDoS endeavors against the global sporting event, Anonymous operators took a different path. The group posted a link to another custom tool to its channel, which is part of the CyberGuerrilla IRC network, as well as on its Facebook and Twitter feeds. The tool runs on multiple Windows platforms and is built on Python.

To enable participants to join the attacks, Anonymous included instructions on how to anonymize end user connections while performing DDoS attacks against predefined targets. Users accessed the channel to look for any updates to the target list before joining the DDoS attacks.

Taking a deeper look at the tool, we found an executable file simply called ddos.exe, along with a library of Python-compiled bytecode files that allow for speedy execution. We also found several batch files that simply contained the target IPs of the intended victims. Although the tool itself contains a hardcoded list of targets, the list could be altered with a simple edit of the batch files.

Figure 1. Example contents of tool package (Source: IBM X-Force)

Once a target is selected and the attack is initiated, the tool spawns 9,000 individual attack instances and continues the DDoS until the participating Anonymous end user issues a “stop all” command. This tool also has built-in Tor capability. Unlike LOIC, Anonymous’ tool doesn’t report the volume of simultaneous attackers, making it impossible to tell how large the attack base is at any given time.

DDoS Mitigation

Anonymous includes a warning in all its public communications and threats: “Expect Us.” Since Anonymous is capable of significant, large-scale attacks, threats from its operations center should be taken seriously. However, your DDoS mitigation strategy should be an ongoing activity, not based around one particular campaign.

Organizations can proactively defend against DDoS attacks by staying on top of software updates and patches, implementing intrusion prevention systems (IPS), ensuring proper configuration of firewalls and access control lists, installing managed security solutions to stop DDoS traffic in its tracks and establishing a cohesive incident response plan.

Test your protection and your team’s response capabilities by simulating DDoS attacks via stress tests. Regular attack simulations allow companies to measure reaction and protection levels within a controlled environment, understand the capacity of their resources and prepare a speedy recovery from an attempted takedown.

Read the complete IBM research paper: Extortion by distributed denial of service attack

Security Intelligence

Distributed denial-of-service (DDoS) attacks have been all over the news in recent months, with hacktivist groups taking major targets completely offline. According to IBM Managed Security Services data, the vast majority of DDoS attacks come in one of two flavors: SYN flood attacks, in which bad actors send multiple SYN requests to a victim’s webserver in an attempt to consume enough resources to render the system unresponsive, and UDP/DNS attacks on network layers 3 (network) and 4 (transport), also known as reflection attacks.

We know, however, that attackers are constantly tweaking their techniques. With this in mind, we decided to take a look at a newer DDoS tactic. The tool in question, dubbed the Saphyra iDDoS Priv8 Tool, targets network layer 7 (application) and results in an HTTP flood DDoS attack. This tool was responsible for taking down the NASA website earlier this year, according to Yahoo Tech. Other modifications of this tool are called Sadattack, Thor and Hulk.

What Is an HTTP Flood Attack?

An HTTP flood attack is a type of layer 7 application attack that uses the standard, valid GET/POST requests a browser sends to fetch information, as in an ordinary URL retrieval, including during SSL sessions. An HTTP GET/POST flood is a volumetric attack that does not use malformed packets, spoofing or reflection techniques.

How Saphyra Works

The Saphyra iDDoS tool is a Python script that can be run on virtually any device, including mobile phones. Let’s take a look at this relatively simple script to understand how it operates and why it is hard to defend against.

Figure 1. Saphyra iDDoS Tool Command Line Interface

Figure 2. Saphyra iDDoS Tool script header

The script contains over 3,200 unique user agent strings and over 300 unique referrer field strings. This would allow for more than 1 million possible combinations of user agent string/referrer instances. When the tool is executed, a unique combination is sent in the form of HTTP requests to the victim’s website.

Its main purpose is to generate unique requests, avoiding or bypassing caching engines and directly impacting the server load. This can result in website failure as the server becomes quickly overwhelmed by the volume of requests. The tool interface boasts an affiliation with almost 1.8 billion bots, but this could not be confirmed at the time of analysis.

The Tool’s Techniques

The Saphyra tool operates using a variety of techniques, including:

  • Obfuscation of source client: The user agent is picked at random from a list of known user agents for each request.
  • Referer spoofing: The tool sends incorrect referer information in each HTTP request, preventing the website from learning which page the client actually visited before.
  • Persistence: The tool uses standard HTTP headers to force the server to maintain open connections, sending keep-alives with a definable time window.
  • No cache: By requesting no caching from the HTTP server, the tool makes the server build a unique page for each request.


Figure 3. Example of user agent strings in script

Figure 4. Example of referer strings in the script

Below is what the traffic looks like. Note the random query string in each GET request as well as the varying user agent and referer fields.

GET /?.o.=Uc.z^.P].. HTTP/1.1
Accept-Encoding: identity
Host: victim.com
Keep-Alive: 113
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; de-de) AppleWebKit/418 (KHTML, like Gecko) Shiira/1.2.2 Safari/125
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: close
Referer: http://techtv.mit.edu/search?q=SZCqT.U]..yy.U.d..n.cMU.Bjf.UgjtSyjTz.d.A^qX...{...Z...d.D
Cache-Control: no-cache

GET /?Ch.Bg^=.r.J HTTP/1.1
Accept-Encoding: identity
Host: victim.com
Keep-Alive: 141
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: close
Referer: http://www.google.com/?q=~o~.Es..Te...y^F.j....wCB~Lta..
Cache-Control: no-cache

GET /?IVC=sGQj.ck HTTP/1.1
Accept-Encoding: identity
Host: victim.com
Keep-Alive: 130
User-Agent: Lynx/2.8.6rel.4 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/0.9.8g
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: close
Referer: http://millercenter.org/search?q=DRn}W.}q.H.w.~.QImfZb.H.H.oBU|L.N.aBG[…X.^rmumr.w.F…ZD..Vf|akaPhSs..Kj^.I..SYtbH.dUp..m
Cache-Control: no-cache

The figure below shows a small snapshot of traffic while executing the tool. We were able to generate over 7,500 individual connections per second against a test server in our lab.


Figure 5. View of traffic in Wireshark depicting randomized HTTP GET requests

Mitigation Methods

HTTP flood attacks are some of the most advanced non-vulnerability threats (they exploit no software flaw) being perpetrated against web servers today. It is difficult for network security endpoints to distinguish between legitimate and malicious web traffic, which can create a high number of false-positive alerts. Additionally, rate-based detection engines cannot detect HTTP flood attacks whose traffic volume stays under the detection thresholds.

The Saphyra tool is designed to prevent server defenses from recognizing a pattern and filtering the attack traffic. There are, however, some tactics that can be deployed to both an IPS and to the web server itself.

First, consider using a rewrite modification on NGINX. In /etc/nginx/conf.d/default.conf or similar, add the following inside the server block:

    if ($args ~* "(.{1,})=(.{1,})") {
        rewrite ^/$ /444_rewrite?;
    }

    location /444_rewrite {
        return 444;
    }

The regex argument (.{1,})=(.{1,}) tells NGINX to match all GET requests for / whose query string has any characters on either side of an = and rewrite them to a location that returns 444 (No Response).

The example GET request below shows the equal sign that is common to all requests:

GET /?uQQ[oKYF%7DH=TPTYKsO%257D%257E%255C HTTP/1.1

This tactic can be used on other web platforms as well. Consult your server documentation for instructions to create a rewrite mod.
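As an added example that is not part of the article or the Saphyra analysis, the following Python applies the article's NGINX regex to the captured request shown above and combines it with the other traits the text lists (forced no-cache, a Keep-Alive header sent together with Connection: close, referer search strings full of junk characters), so that a legitimate front-page request carrying a query string is not dropped by the = rule alone. The captured request is reproduced from the traffic above (two Accept headers trimmed); the legitimate requests and the scoring threshold are constructed assumptions.

```python
import re

# The regex from the article's NGINX rule: a query string with characters on both sides of "=".
NGINX_RULE = re.compile(r"(.{1,})=(.{1,})", re.IGNORECASE)

# One of the captured Saphyra requests shown above (two Accept headers trimmed for space).
SAMPLE_1 = """GET /?.o.=Uc.z^.P].. HTTP/1.1
Host: victim.com
Keep-Alive: 113
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; de-de) AppleWebKit/418 (KHTML, like Gecko) Shiira/1.2.2 Safari/125
Connection: close
Referer: http://techtv.mit.edu/search?q=SZCqT.U]..yy.U.d..n.cMU.Bjf.UgjtSyjTz.d.A^qX...{...Z...d.D
Cache-Control: no-cache"""
# Constructed legitimate requests: a paginated front-page request and a plain file fetch.
LEGIT_SEARCH = "GET /?page=2 HTTP/1.1\nHost: victim.com\nUser-Agent: Mozilla/5.0\nConnection: keep-alive"
LEGIT_PAGE = "GET /index.html HTTP/1.1\nHost: victim.com\nUser-Agent: Mozilla/5.0"

def parse_request(raw):
    """Split a raw HTTP/1.1 request head into method, path, query and lower-cased headers."""
    lines = raw.strip().splitlines()
    method, target, _version = lines[0].split()
    path, _, query = target.partition("?")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "query": query, "headers": headers}

def nginx_rule_matches(req):
    """What the article's rewrite rule blocks: a request for / whose query string contains key=value."""
    return req["path"] == "/" and NGINX_RULE.search(req["query"]) is not None

def saphyra_indicators(req):
    """Collect the per-request traits visible in the captured traffic; more hits means more suspicious."""
    h, hits = req["headers"], []
    if nginx_rule_matches(req):
        hits.append("random key=value query on /")
    if h.get("cache-control", "").lower() == "no-cache":
        hits.append("client demands no-cache")
    if "keep-alive" in h and h.get("connection", "").lower() == "close":
        hits.append("Keep-Alive header alongside Connection: close")
    if re.search(r"[?&]q=[^&]*[\[\]{}^~|]", h.get("referer", "")):
        hits.append("referer search query filled with non-URL-safe junk")
    return hits

def is_saphyra_like(req, threshold=3):
    """Flag only when several traits co-occur, so a normal /?page=2 request is not dropped."""
    return len(saphyra_indicators(req)) >= threshold
```

The bare NGINX rule also matches the constructed /?page=2 request, which is the false-positive cost of deploying it on a site that serves query strings on its front page; the combined score keeps that request.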

Distinguishing Between Legitimate and Malicious Traffic

With some DDoS attacks, it’s difficult to determine what traffic is legitimate and what is malicious. The best defense is a comprehensive incident response plan, including failovers and a methodology for identifying, analyzing and neutralizing the threat. As a secondary tactic, consider a managed security solution that deflects and absorbs DDoS traffic before it reaches the target.

Security Intelligence