2017’s 5 Most Dangerous DDoS Attacks & How to Mitigate Them (Part 2)
This is Part 2 of our series on the top 5 most dangerous DDoS attacks and how you can successfully mitigate them. To read Part 1 of the series, click here. Let’s dive back in with Attack Type #4:
ATTACK TYPE #4: Fire & Forget: PDoS – Permanent Denial of Service
A permanent denial-of-service attack (PDoS attack), also known loosely as phlashing in some circles, is an attack that damages a system so badly that it requires replacement or reinstallation of hardware. By exploiting security flaws or misconfigurations, PDoS can destroy the firmware and/or basic functions of system. It is a contrast to its well-known cousin, the DDoS attack, which overloads systems with requests meant to saturate resources through unintended usage.
One method PDoS uses to accomplish its damage is via remote or physical administration on the management interfaces of the victim’s hardware, such as routers, printers, or other networking hardware. In the case of firmware attacks, the attacker may use vulnerabilities to replace a device’s basic software with a modified, corrupt, or defective firmware image—a process which when done legitimately is known as flashing. This therefore “bricks” the device, rendering it unusable for its original purpose until it can be repaired or replaced. Other attacks include overloading the battery or power systems.
Why Bother with Temporary Outages when you can Achieve Permanent?
Imagine a fast moving bot attack designed not to collect data but rather to completely prevent a victim’s technology from functioning. Sounds unlikely, but it’s possible. Permanent denial-of-service (PDoS) attacks have been around for a long time; however, this type of attack shows itself spectacularly to the public only time to time.
The most recent example was BrickerBot, which Radware discovered in April, 2017. Over a four-day period, BrickerBot launched thousands of PDoS attempts from various locations leveraging Telnet vulnerabilities to breach a victim’s devices.
In a recent article published by Help Net Security, they detailed how a new USB exploit can be inserted into a computer and render a computer bricked. In fact, according to Help Net, the latest PDoS USB attack “when plugged into a computer … draws power from the device itself. With the help of a voltage converter, the device’s capacitors are charged to 220V, and it releases a negative electric surge into the USB port.”
Another example, covered in a 2008 article in Dark Reading, additionally highlighted a tool uncovered by HP Labs called PhlashDance. This tool was leveraged to find vulnerabilities in often forgotten firmware and binaries that sit localized on computing devices. The risk lies in the lack of patches and upgrades made to the devices.
This article goes on to say that “remotely abusing firmware update mechanisms with a phlashing attack, for instance, is basically a one-shot attack. Phlashing attacks can achieve the goal of disrupting service without ongoing expense to the attacker; once the firmware has been corrupted, no further action is required for the DOS condition to continue.”
Assessing Risks & Taking Action
The following behaviors and trends may increase the risk of a PDoS attack targeting your organization.
– Running a highly virtualized environment that leverages a few hardware devices, but powerfully overloads software functions. One PDoS on the platform can create a disaster recovery situation. This includes Software Defined Networks (SDNs).
– Organizations highly dependent on IoT. “Things” are highly susceptible to PDoS as they are often simple devices with little to no inherent security measures.
– Organizations with centralized security gateways. One powerful PDoS can punch a hole in your attack detection and mitigation capabilities.
– Organizations that are considered critical infrastructure.
The clear action to take is to conduct an assessment on the type of technology you are running at or below the operating system level. Develop a clear understanding of the different firmware versions, binaries, chip-level software (like ASICs and FPGA) and technology that is in use in your environment. Also consider batteries, power systems and fan system vulnerabilities.
Assessing the likelihood and risk of a PDoS attack can help your organization take the necessary precautions and onboarding controls to protect your most critical assets. Education is an important step in evaluating your risk of PDoS attacks.
ATTACK TYPE #5: IoT Botnets and the Economics Of DDoS Protection
2016 brought a long-feared DDoS threat to fruition: cyber-attacks that are launched from multiple connected devices turned into botnets. Botnets are one of the fastest growing and fluid threats facing cyber security experts today and have propelled us into the 1Tbps DDoS era.
First, here is a timeline of the most notable attacks in 2016/17 that propelled botnets into the front pages and onto the desks of C-suite executives.
June 28, 2016: PCWorld reports that “25,000 digital video recorders and CCTV cameras were compromised and used to launch distributed denial-of-service (DDoS) attacks, flooded targets with about 50,000 HTTP requests per second.” Though impressive and startling, this attack said nothing about what was still to come.
September 20, 2016: Around 8:00 pm, KrebsOnSecurity.com becomes the target of a record-breaking 620Gbps volumetric DDoS attack from a botnet designed to take the site offline.
September 21, 2016: The same type of botnet is used in a 1Tbps attack targeting the French web host OVH. A few days later, the IoT botnet source code goes public—spawning what would become the “marquee” attack of the year.
October 21, 2016: Dyn, a US-based DNS provider that many Fortune 500 companies rely on, is attacked by the same botnet in what is publicly known as a “water torture” attack (see below). The attack renders many services unreachable and causes massive connectivity issues—mostly along the East Coast of the United States.
April 5, 2017: Radware discovers BrickerBot, which over a four-day period, launches thousands of PDoS attempts from various locations around the world. BrickerBot uses Telnet brute force – the same exploit leveraged by Mirai – to breach a victim’s devices.
The Appeal of Internet of Things (IoT) Devices
For hackers, IoT devices are attractive targets for several reasons:
- IoT devices usually fall short when it gets to endpoint DDoS protection implementation.
- Unlike PCs and servers, there are no regulations or standards for secure use of IoT devices. Such regulations help ensure secured configurations and practices. Among them: changing default passwords and implementing access control restrictions (for example, to disable remote access to administrative ports).
- IoT devices operate 24×7 and can be in use at any moment.
According to Radware’s 2016 – 2017 Global Application & Network Security Report, 52% of security professionals indicated that they do not believe IoT botnets complicate mitigation or increase detection requirements.
Botnets: Making Use of Different Attack Vectors
The Mirai botnet provides a perfect example of the various attack vectors one IoT botnet can unleash on its victims. We can all thank a user named “Anna-senpai” for publishing the Mirai source code to a public and easily accessible forum. In short order, the code spread to numerous locations, including several GitHub repositories, where hackers began taking a closer look. Since then, the Mirai botnet has been infecting hundreds of thousands of IoT devices—turning them into a “zombie army” capable of launching powerful volumetric DDoS attacks. Security researchers estimate that there are millions of vulnerable IoT devices actively taking part in these coordinated attacks.
In a surprising departure from previous record-holding amplification attacks, attackers did not use DNS and NTP. Instead, these attacks consisted mainly of TCP-SYN, TCP-ACK and TCP-ACK + PSH along with HTTP and non-amplified UDP floods. In the case of KrebsOnSecurity, the biggest chunk of attack traffic came in the form of GRE, which is highly unusual. In the OVH attack, more than 140,000 unique IPs were reported in what seemed to be a SYN and ACK flood attack followed by short bursts over 100Gbps each over a four-day period.
The Economics of Botnets
While much has been discussed around Mirai, IoT, “the rise of the machines” and other catchy buzz-phrases, we believe one of the most disruptive changes is the new economics model of IoT botnets.
Not so long ago, hackers were investing a great deal of money, time and effort to scan the Internet for vulnerable servers, build their zombie bots army and then safeguard it against other hackers who might also want to claim ownership of them. All the while, hackers would keep continual watch for new infection targets that could join their zombie army.
Things have changed: There are now millions of vulnerable devices sitting with default credentials. Bot masters—the authors and owners of the botnets—do not even bother to secure their bots after infection. After all, as Mirai demonstrates, it does not even persist infection to disk, so a simple device reboot brings it back to clean and healthy state.
For a bot master, gaining control of powerful servers would cost hundreds of dollars every month. Often he or she would gain illegal access to it and work diligently to hide it from others. Finding these servers was and still is difficult and expensive.
Now with IoT botnets, instead of spending months of effort and hundreds of dollars to control a few powerful servers and several hundred infected PCs, bot masters can take control of millions of IoT devices with near zero cost.
Knowledge is Power
Botnets will be an ongoing tale as threats, detection and DDoS mitigation solutions continuously change. Knowledge is the key to staying ahead of the menace. Read When the Bots Come Marching In, a Closer Look at Evolving Threats from Botnets, Web Scraping & IoT Zombies to understand what made this threat possible, how to protect IoT devices from becoming enslaved, and how to become a ‘botnet killer.’