
What is DDoS | DDoS Handbook | All about DDoS | Full explanation

Since the first denial of service (DoS) attack was launched in 1974, distributed denial of service (DDoS) and other DoS attacks have remained among the most persistent and damaging cyber-attacks. These attacks reflect hackers’ frustratingly high levels of tenacity and creativity, and create complex and dynamic challenges for anyone responsible for cyber security.




Introduction:

While cyber threats are by nature a moving target, this primer offers an overview to help detect and mitigate attacks. Radware’s DDoS Handbook delivers:

• Brief history of DDoS attacks plus a roundup of recent cyber-attacks
• Overview of major attack types and tools
• Brief discussion of the ongoing evolution of enterprise security
• Actionable tools and tips for attack detection and mitigation
• Detailed vendor evaluation checklist for DDoS and cyber-attack detection and mitigation
• DDoS dictionary to help communicate about and address threats

Throughout the handbook, you’ll also encounter some key findings and analysis from Radware’s 2014-2015 Global Application & Network Security Report, one of the industry’s leading pieces of research into DDoS and other cyber-attacks.



A Quick Look Back:

In 2014, the DoS attack celebrated its 40th birthday. Born as the handiwork of a teenaged “computer geek,” these attacks have since exploded in quantity and sophistication.


The Early Days


The first-ever DoS attack occurred in 1974 courtesy of David Dennis, a 13-year-old student at University High School, located across the street from the Computer-Based Education Research Laboratory (CERL) at the University of Illinois at Urbana-Champaign. David learned about a command that could be run on CERL’s PLATO terminals. PLATO was one of the first computerized shared learning systems and a forerunner of many future multi-user computing systems. Called “external” or “ext,” the command was meant to allow for interaction with external devices connected to the terminals. However, when run on a terminal with no external devices attached, the command would cause the terminal to lock up, requiring a shutdown and power-on to regain functionality.

Curious to see what it would be like for a room full of users to be locked out at once, David wrote a program that would send the “ext” command to many PLATO terminals at the same time. He went over to CERL and tested his program, which succeeded in forcing all 31 users to power off at once. Eventually, acceptance of a remote “ext” command was switched off by default, fixing the problem.

During the mid-to-late 1990s, when Internet Relay Chat (IRC) first became popular, some users fought for control of non-registered chat channels, where an administrative user would lose his or her powers on logging off. This behavior led hackers to attempt to force all users in a channel to log out, so that a hacker could enter the channel alone and gain administrator privileges as the only user present. These “king of the hill” battles, in which users would attempt to take control of an IRC channel and hold it in the face of attacks from other hackers, were fought using very simple bandwidth-based DoS attacks and IRC chat floods.


DDoS Attacks Spread

One of the first large-scale DDoS attacks occurred in August 1999, when a hacker used a tool called “Trinoo” to disable the University of Minnesota’s computer network for more than two days. Trinoo consisted of a network of compromised machines called “Masters” and “Daemons.” The attacker sent a DoS instruction to a few Masters, which forwarded it to hundreds of Daemons, which then commenced a UDP flood against the target IP address. The tool made no effort to hide the Daemons’ IP addresses, so when the owners of the attacking systems were contacted, they learned for the first time that their systems had been compromised and were being used in an attack.

Other early tools include “Stacheldraht” (German for barbed wire), which could be remotely updated and supported IP spoofing, along with “Shaft” and “Omega,” tools that could collect attack statistics from victims. Because hackers were able to get information about their attacks, they could better understand the effects of certain types of attacks, as well as receive notification when an attack was detected and stopped.

The distributed nature of a DDoS attack makes it significantly more powerful, and makes its source far harder to identify and block: there is no single attacking address to filter, and the machines doing the flooding belong to third parties who do not know they are participating. With such a formidable weapon in their arsenal, hackers took on larger, more prominent targets using improved tools and methods, and by the new millennium DDoS attacks had captured the public’s attention. In the year 2000, various businesses, financial institutions, and government agencies were brought down by DDoS attacks.

Shortly after, attacks on DNS began, with all 13 of the Internet’s root domain name service (DNS) servers being attacked in 2002. DNS is an essential Internet service: it translates host names (the domain-name portion of a URL such as www.example.com) into IP addresses. In effect, DNS is a distributed phonebook mapping Internet names to their corresponding addresses. Without DNS, users would not be able to efficiently navigate the Internet, as visiting a website or contacting a specific device would require knowledge of its IP address. Taking down the root servers would therefore affect every resolver that had to walk the hierarchy from the root, which is what made them such an attractive target.
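The Trinoo description above explains why a distributed flood is harder to block than a single-source one: the defender sees hundreds of Daemon addresses rather than one. The following added example (written for this page; it is not code from Radware’s handbook or from any tool named in it) shows the detection side of that. It buckets constructed UDP packet records into one-second windows per target, flags any target above a packets-per-second threshold, and then counts distinct source addresses to tell a single-source DoS (blockable with one ACL entry) from a distributed one (which is not). The `Packet` record layout, the thresholds and the traffic sample are all assumptions constructed for the demonstration.

```python
"""UDP flood detector that separates single-source DoS from distributed DDoS.

Added example for this page; not part of Radware's handbook or of Trinoo,
Stacheldraht or any other tool it describes. The record format, thresholds
and traffic below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float     # capture time in seconds (assumed format)
    src: str      # source IPv4 address
    dst: str      # destination IPv4 address
    proto: str    # "udp" or "tcp"
    length: int   # bytes on the wire


# Assumed thresholds (constructed): a target is "flooded" when it receives
# more than PPS_THRESHOLD UDP packets per second in any WINDOW-second bucket.
WINDOW = 1.0
PPS_THRESHOLD = 200
# Assumed: more than this many distinct sources in the flooded window marks
# the flood as distributed, i.e. not filterable by a single source address.
DISTRIBUTED_SOURCES = 10


def detect_udp_floods(packets, window=WINDOW, pps_threshold=PPS_THRESHOLD,
                      distributed_sources=DISTRIBUTED_SOURCES):
    """Return {dst: {"pps": float, "sources": int, "distributed": bool}}
    for every target whose worst window exceeds the threshold."""
    if not packets:
        return {}
    t0 = min(p.ts for p in packets)
    counts = defaultdict(int)        # (dst, bucket) -> UDP packet count
    sources = defaultdict(set)       # (dst, bucket) -> distinct source IPs
    for p in packets:
        if p.proto != "udp":         # this detector only scores UDP floods
            continue
        bucket = int((p.ts - t0) // window)
        counts[(p.dst, bucket)] += 1
        sources[(p.dst, bucket)].add(p.src)

    alerts = {}
    for (dst, bucket), n in counts.items():
        pps = n / window
        if pps <= pps_threshold:
            continue
        n_src = len(sources[(dst, bucket)])
        # keep the worst window per target
        if dst not in alerts or pps > alerts[dst]["pps"]:
            alerts[dst] = {"pps": pps, "sources": n_src,
                           "distributed": n_src > distributed_sources}
    return alerts


def make_sample():
    """Constructed traffic: background UDP, one single-source flood, one
    Trinoo-style flood from 50 daemons, and TCP noise that must be ignored."""
    pkts = []
    # benign: 20 UDP packets/s to 10.0.0.5 from one client
    for i in range(20):
        pkts.append(Packet(0.05 * i, "192.0.2.10", "10.0.0.5", "udp", 512))
    # single-source flood: 500 pps to 10.0.0.7 from one host
    for i in range(500):
        pkts.append(Packet(i / 500, "198.51.100.4", "10.0.0.7", "udp", 1024))
    # distributed flood: 50 daemons sending 12 packets each, 600 pps to 10.0.0.9
    for d in range(50):
        for i in range(12):
            pkts.append(Packet((d * 12 + i) / 600, f"203.0.113.{d + 1}",
                               "10.0.0.9", "udp", 1024))
    # TCP traffic at 300 pps to 10.0.0.5: not scored by this detector
    for i in range(300):
        pkts.append(Packet(i / 300, "192.0.2.11", "10.0.0.5", "tcp", 60))
    return pkts


if __name__ == "__main__":
    for dst, info in sorted(detect_udp_floods(make_sample()).items()):
        kind = "DDoS (distributed)" if info["distributed"] else "DoS (single source)"
        print(f"{dst}: {info['pps']:.0f} pps from {info['sources']} source(s) -> {kind}")
```

On the constructed sample, 10.0.0.5 is never flagged (20 UDP pps; its 300 pps of TCP is ignored), 10.0.0.7 is flagged as a single-source flood, and 10.0.0.9 as a distributed one. In a real deployment the `distributed` flag is what decides the response: one source can be dropped at the edge, while a distributed flood needs rate limiting or scrubbing of the target, exactly the asymmetry the handbook describes. Spoofed sources (which Stacheldraht supported) will inflate the distinct-source count, so the flag says "cannot be filtered by source", not "there really are this many attacking hosts".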


From Script Kiddies to Geo-Political Events

As attack technology has evolved, so have motivations and participants. Today, we no longer face only teenage “computer geeks” or “script kiddies” testing the limits of what they can do. While they still exist, they are not alone. Recent years have brought a continuous increase in the number of DDoS attacks, fueled by changing and increasingly complex motivations.


2014 – Energetic Bear malware targets US and Canadian critical infrastructure providers as part of cyber espionage attack

2014 – Mobile news application provider Feedly is taken down by a series of DDoS attacks

2014 – Hacktivist group #OpHackingCup takes down Brazil World Cup website

2012-2013 – Operation Ababil targets financial institutions

2011-2012 – Operation Tunisia, Operation Sony, Operation Syria, Operation MegaUpload, Operation Russia, Operation India, Operation Japan etc.

2010 – Operation Payback (“Avenge Assange”) targets companies that cut off WikiLeaks

2009 – Attacks on Facebook, Twitter, Google

2009 – Attacks on Iranian government websites

2009 – Attacks on South Korean and American websites, including the Washington Post and NYSE

2009 – Attacks on UltraDNS, Register.com, the Pirate Bay

2008 – Attacks on Georgian government sites

2007 – Cyber attacks target Estonia, an early example of cyber warfare

2003 – MyDoom infects 1M computers; attacks on ClickBank and SpamCop; Blaster worm; attack on the Al-Jazeera website during the Iraq war

2002 – Attack on the Internet’s DNS root servers; reflected DoS tools appear

2000 – FBI site taken down, Seattle’s Oz.net down, Attacks on eBay, Yahoo, Etrade, Buy.com, Amazon, Excite.com, CNN

1999 – Trinoo, Tribe Flood Network, Stacheldraht, Shaft; University of Minnesota taken down

1997-1998 – Smurf attacks; early single-packet DoS exploit tools: Teardrop, Boink, Bonk, WinNuke

1996 – First SYN Flood

1988 – Morris Worm, AOL’s Punters


I will meet you in the next blog! 


