when a pretty simple attack gets serious

January 14, 2013 — 2 Comments

bozo's botnet

Typically, a distributed denial of service attack, or DDoS, is not really that big of a deal. A few sites slow down or are temporarily unavailable, the traffic from the attacking IPs gets filtered or null-routed, and everything is restored with no long-term side effects. This is why few computer security professionals were bothered when Anonymous laid siege to the RIAA, PayPal, and even FBI.gov and CIA.gov with their DDoS kits. They made waves in the news and that’s about all that happened. No data was lost or stolen, and no servers were compromised. However, that was your typical DDoS, and one conducted primarily by humans. Lying hidden across the web are sleeping botnets of such monstrous size that they could actually be used as a weapon, and what’s worse, they’re for rent. In my usual regimen of industry news, I came across this account from a Russian-speaking network admin of what he called a thermonuclear weapon in the online world: a botnet capable of unleashing a horrifying, server-crushing 130 Gbps attack.

For those of you who don’t know what this means, imagine a network of computers that together flood a victim’s servers with roughly 16 gigabytes of data every second. Those who own these computers don’t even know they’re doing it. They’re being controlled by attackers who could be half a world away through a back door installed by some casual game or toolbar they decided to download even though they’ve probably been told a thousand times that downloading a random freebie from the web is like having unprotected sex behind a dumpster in a seedy part of town with someone desperate for meth money. Sorry, sorry, I’ll calm down now. At any rate, when the botnets grow big enough, they can be instructed to bombard a site with a torrent of junk data. It would be a painful enough attack as is, but there are ways to make it worse and DDoS attackers are using them. One of these methods is to send queries to a DNS server that answers anyone on the web, with the victim’s IP forged as the sender, so that the server’s reply, far bigger than the query and far more than the bots could have pushed out on their own, lands on the victim instead of the attacker.

It’s known as an amplification attack and you can think of it as introducing someone you just do not like to an extremely chatty guest at a party who replies to the simplest question with so many words, you start wondering how it’s humanly possible to talk so much. Your victim is now stuck in the vocal firing range of the chatty guest who keeps following him around as he tries to run for it without causing a scene. In the technical sense, the attackers send the DNS server a small query crafted to draw the largest possible answer about a domain (typically an ANY query), with the victim’s address written in as the source. Since UDP does no checking of who really sent the packet, the server delivers its bulky reply straight to the victim, boosting the sheer amount of data aimed at the target servers by a factor of 50 or 60 compared to what the bots actually transmitted. Keep doing that long enough and entire subnets can be muscled offline. Add more bots and more junk data and you can leave a small country effectively cut off from the outside world. The post from the Russian admin describes how banks hosted on the attacked networks had trouble connecting to each other and keeping their sites reachable, among other pleasantries, and hints that this may have been the work of an adult site owner renting a botnet to settle an online dispute.
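To make the two halves of this concrete, here is an added example, not code from the original post or from the Russian admin’s account. It builds the kind of tiny ANY query with an EDNS0 option that an attacker sends under a forged source address, works out the amplification ratio for a reply of a given size, and then runs the check a network defender actually wants: over a set of constructed flow records it flags hosts that are receiving DNS answers from servers they never queried. All addresses come from the RFC 5737 documentation ranges, the flow records are made up for the demonstration, and the 3200-byte reply size is an assumed figure rather than one taken from the post.

```python
"""DNS amplification seen from both ends.

Added example, not code from the original post. Part 1 builds the small
query an attacker sends with the victim's address forged as the source;
part 2 is the defender's check over flow records: DNS responses arriving
at a host that never sent the matching query are the signature of
reflected traffic. Addresses and flow records are constructed (RFC 5737
documentation ranges), not captured.
"""
import struct
from collections import defaultdict

IP_UDP_OVERHEAD = 20 + 8  # IPv4 header + UDP header, for on-the-wire sizes


def build_dns_query(name, qtype=255, udp_payload=4096):
    """Return a raw DNS query (RFC 1035) carrying an EDNS0 OPT record (RFC 6891).

    qtype 255 is ANY. The OPT record advertises that the sender can take a
    reply of up to udp_payload bytes in a single datagram; an open resolver
    honours that and sends the large reply to whatever source address the
    query claimed to come from.
    """
    # ID, flags (RD set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT record)
    header = struct.pack(">HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"
    question = qname + struct.pack(">HH", qtype, 1)  # QCLASS 1 = IN
    # OPT pseudo-RR: root NAME, TYPE 41, CLASS = max UDP payload, TTL = 0, RDLENGTH = 0
    opt = b"\x00" + struct.pack(">HHIH", 41, udp_payload, 0, 0)
    return header + question + opt


def wire_amplification(query, response_len):
    """Bytes delivered to the victim per byte the attacker had to send."""
    return (response_len + IP_UDP_OVERHEAD) / (len(query) + IP_UDP_OVERHEAD)


# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, bytes on wire)
FLOWS = [
    # 203.0.113.20 does ordinary lookups against its resolver 192.0.2.53
    ("203.0.113.20", 51000, "192.0.2.53", 53, 68),
    ("192.0.2.53", 53, "203.0.113.20", 51000, 140),
    ("203.0.113.20", 51001, "192.0.2.53", 53, 70),
    ("192.0.2.53", 53, "203.0.113.20", 51001, 162),
    # 203.0.113.10 sent no queries, yet gets large answers from four resolvers
    ("198.51.100.7", 53, "203.0.113.10", 80, 3200),
    ("198.51.100.7", 53, "203.0.113.10", 80, 3200),
    ("198.51.100.19", 53, "203.0.113.10", 80, 3100),
    ("198.51.100.23", 53, "203.0.113.10", 80, 3300),
    ("198.51.100.42", 53, "203.0.113.10", 80, 3250),
]


def detect_reflection(flows, min_resolvers=3, min_bytes=10_000):
    """Flag hosts receiving DNS responses from servers they never queried.

    A single stray response is noise (a late answer, NAT churn); many of
    them from several distinct servers adding up to real volume is a
    reflection attack in progress. Returns {victim: {"resolvers": n, "bytes": b}}.
    """
    asked = defaultdict(set)  # host -> DNS servers it genuinely queried
    for src, _sport, dst, dport, _nbytes in flows:
        if dport == 53:
            asked[src].add(dst)

    unsolicited = defaultdict(lambda: {"resolvers": set(), "bytes": 0})
    for src, sport, dst, _dport, nbytes in flows:
        if sport == 53 and src not in asked[dst]:
            unsolicited[dst]["resolvers"].add(src)
            unsolicited[dst]["bytes"] += nbytes

    return {
        host: {"resolvers": len(info["resolvers"]), "bytes": info["bytes"]}
        for host, info in unsolicited.items()
        if len(info["resolvers"]) >= min_resolvers and info["bytes"] >= min_bytes
    }


if __name__ == "__main__":
    q = build_dns_query("example.com")
    print(f"query is {len(q)} bytes; a 3200-byte answer gives "
          f"{wire_amplification(q, 3200):.1f}x amplification")
    for victim, info in detect_reflection(FLOWS).items():
        print(f"{victim}: {info['bytes']} bytes of unsolicited DNS answers "
              f"from {info['resolvers']} servers")
```

The query for example.com comes to 40 bytes of DNS payload, 68 on the wire; a reply of around 3 KB, which is what a large ANY answer for a zone with plenty of records can run to, works out to the roughly 50x the post talks about. The detection side keys on the one thing a reflector cannot hide: the victim never asked.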

But how could this be used as a cyber weapon? Well, dictatorships tend to structure their ISPs’ resources in a way that lets them pull the plug on the internet. But what if they can’t just shut off the networks they want to disrupt communications between political dissidents or rebel groups? They can bombard them with wave after wave of powerful DDoS attacks, forcing them to set up new connections and waste a lot of time trying to get back online while they line up their forces for either a physical attack or a series of raids. The bigger the attacking botnet and the more junk it pushes out every second, the longer it takes to block the attackers and recover to full speed, unless you run a massive cloud service with thousands upon thousands of servers that let you absorb the blow while you reroute the offending packets into a virtual black hole. So an offensive tsunami of junk data from a huge botnet may not do any real damage, but it’s a rather effective nuisance tactic, and if you’re a big e-commerce site, it could cost you some real money if enough transactions are disrupted, which may be exactly what the aforementioned 130 Gbps monster that reared its ugly head in Russia and Ukraine was actually trying to do…

  • TheBrett

    They’re being controlled by attackers who could be half a world away through a back door installed by some casual game or toolbar they decided to download even though they’ve probably been told a thousand times that downloading a random freebie from the web is like having unprotected sex behind a dumpster in a seedy part of town with someone desperate for meth money. Sorry, sorry, I’ll calm down now.

    I thought a lot of them were computers in places like China, where most of the population is running software versions that are out-of-date and illegally acquired (particularly Windows, which used to be almost universally stolen in China). No software security patches = juicy target for botnets.

  • gfish3000

    Seems like a perfectly logical train of thought to me. I don’t have the stats to tell you if that’s true or not, but it’s a good hunch. The random freebie download is the usual way you’d become part of a botnet because it’s those freebies that are designed to take advantage of unpatched systems with rampant vulnerabilities, and enlist a user willing to get the malware through whatever security features are installed in the first place.