DDoS in the Time of COVID-19: Attacks and Raids
There is no escaping it. COVID-19 is dominating headlines and has impacted virtually every corner of the world. Like most people at this point, I’m 30 days into isolation and trying everything in my power to ignore the elephant in the room and the politics that go along with it.
Unfortunately, or fortunately, cyber security is an essential business. As a result, those working in the field are not getting to experience any downtime during a quarantine. Many of us have been working around the clock, fighting off waves of attacks and helping other essential businesses adjust to a remote work force as the global environments change.
Waves of Attacks
Along the way we have learned a few things about how a modern society deals with a pandemic. Obviously, a global Shelter-in-Place resulted in an unanticipated surge in traffic. As lockdowns began in China and worked their way west, we began to see massive spikes in streaming and gaming services. These unanticipated surges in traffic required digital content providers to throttle or downgrade streaming services across Europe, to prevent networks from overloading.
The COVID-19 pandemic also highlights the importance of service availability during a global crisis. Due to the forced digitalization of the work force and a global Shelter-in-Place, the world became heavily dependent on a number of digital services during isolation. Degradation or an outage impacting these services during the pandemic could quickly spark speculation and/or panic.
For example, as COVID-19 began to take a toll on Australia’s economy, there became a rush of suddenly unemployed citizens needing to register for welfare services on MyGov, Australia’s government service portal. This natural spike in traffic ended up causing an outage on the morning of March 23rd, requiring Government Services Minister Stuart Roberts to walk back his initial claims that the portal had suffered from a DDoS attack, naturally causing panic and speculation among those desperately seeking government assistance.
In France, Assistance Publique – Hôpitaux de Paris, the university hospital trust managing 39 public hospitals in the area, found itself a victim of a DDoS attack on March 22nd, just as France begin to deal with a surge in COVID-19 related cases. The attack was reported to have only lasted an hour and did not cause any significant damage.
The problem was, upon further review, in order to deal with the attack, there was a reduction in internet access. Typically, during any other day, this reduction would not have had an impact, but due to the pandemic and a remote, non-essential work force, employees outside of the hospital’s network were blocked from external access during this attack, resulting in the inability to access email, Skype or remote application.
In addition to this attack, the Brno University Hospital in the Czech Republic was hit a week earlier with a cyber-attack that force the hospital to shut down their entire network, resulting in the cancellation of surgeries.
And if that wasn’t enough, a food delivery service in Germany experienced a DDoS attack from an extortionist. Lieferando.de, also known as takeaway.com, is a takeaway food service that delivers from more than 15,000 restaurants in Germany. During this global pandemic, citizens of the world have become very dependent on take away food services as part of the effort to help flatten the curve. Unfortunately, an extortionist attempted to capitalize on this by launching a Ransom Denial of Service (RDoS) attack on Takeaway, demanding 2 BTC ($11,000) to stop the attack. As a result, some orders were able to be accepted but were never delivered, forcing Germans to find another option for the night.
Taking Down Cyber Criminals
It should come as no surprise that law enforcement agencies around the world are particularly interested in taking down those looking to profit from COVID-19. They are also interested in kicking down doors of those who are conducting DDoS attacks during the pandemic.
On April 10th, a 19-year-old from Breda, Netherlands, was arrested for conducting a DDoS attack on March 19th against MijnOverheid.nl and Overhied.nl. Both of these websites are government-related and were providing Dutch citizens with important government information related to the pandemic.
It’s truly unfortunate to see teenagers in the middle of a pandemic targeting critical infrastructure, preventing access to emergency regulations and advisories, but what did we expected? A cease-fire? In order to prevent additional DDoS attacks, a week prior to the Breda arrest, Dutch police shut down 15 stresser services. While these services were not listed, I can tell you, the raid was largely unnoticeable. Part of the problem can be found between the words of Jeroen Niessen, Dutch Police:
“With preventive actions, we want to protect people as much as possible against DDoS attacks. By taking booters and their domain names offline, we make it difficult for cyber criminals. We have now put quite a few on black. If they pop up elsewhere, we will immediately work on it again. Our goal is to seize more and more booters…”
If they pop up elsewhere, we will immediately work on it again….
But Are These Efforts Futile?
In my opinion, it sounds like the police finally understand that raids are a losing battle without total commitment. If there’s one thing we learned from the 2019 raid of KV solution, a bulletproof hosting provider, it was that when one criminal falls, dozens are willing to replace them.
The problem is, taking down a stresser service is pointless when there are so many criminals using public services and corporations to mask their identities. Until there is cooperation and commitment to removing the DDoS threat completely, it will always linger, rearing its nasty head in the worst moments. Due to the lack of commitment between the global law enforcement community and the security community, we are unable to see a meaningful impact in the DDoS landscape.
It’s really not that difficult to find a stresser service today. In fact, you can find these criminals openly advertising their services on major search engines–no Tor browser or Darknet Market required. While search engines could simply de-index these services, they choose not to. Instead, they elect to profit from your misfortune. Below are a handful of sites found on popular search engine using the terms ‘booter’ or ‘stresser’:
powerstresser.pro, freeboot.to, instant-stresser.to, meteor-security.to, layer7-security.to, stressthem.to, stress.to, stress.gg, booter.vip, bootstresser.com, bootyou.net, defconpro.net, str3ssed.co, ts3booter.net, vdos-s.co, webstresser.biz, hardstresser.com, havoc-security.pw, synstresser.to, dosninja.com, stresser.wtf, thunderstresser.me, ripstresser.rip, astrostress.com, botstress.to, dotn3t.org, nightmarestresser.to, silentstress.wtf, torstress.com, xyzbooter.net, databooter.to.
A Temporary Solution
After reviewing the list, Officer Jeroen Niessen’s statement becomes clearer. Whether or not these current websites are associated with the original criminal groups or cloned, multiple stressers with notorious names have been reappearing. In general, I think it’s fair to say that while raids are disrupting criminals, they have hardly put a dent in the overall activity or economy of the DDoS-as-a-Service industry. Takedowns only represent a temporary solution, and this has become clear during the pandemic.
Unfortunately, the threat landscape continues to evolve during a pandemic. Criminals are clearly not taking time off. Worst of all, not only is the public cloud fully in scope for cybercriminals looking to compromise enterprise equipment, but due to the ongoing pandemic and the remote digitalization of the work force, remote software and digital services have come under fire from opportunist criminals.
I think during this time of chaos and uncertainty we really need to reflect on our impact and ability to secure the digital workforce and ask ourselves, are we protecting criminals due to privacy concerns or is there more we could do to remove and eliminate the DDoS threat?