Skip Links

How cybercriminals and hacktivists use DDoS tools to attack

By Ted Swearingen, Director of Security, Neustar, Inc., special to Network World
August 29, 2012 10:38 AM ET

Network World - This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.

Network professionals know that distributed denial-of-service attacks are an ever-growing danger. The recent assault on Twitter is just the latest evidence. Using a mushrooming array of advanced tools, including pay-per-use services and mobile devices, attackers are taking down websites, DNS and email servers, often using these tools to destroy a company's online revenue, customer service and brand reputation. But the technology is only half the story. The thinking that shapes attacks — an evolving blend of careful planning, probing and improvisation—is often the difference between duds and strikes that leave victims begging for mercy.

So who launches DDoS attacks and why? The most common profiles: extortionists, ruthless competitors and "hacktivists," those attacking not for money, but in the name of social or political protest. The latter gets the most press, thanks to the media-savvy tactics of groups that have punished the likes of Bank of America and the U.S. Chamber of Commerce. However, even though reliable statistics about attacks are hard to find, it's likely that money, not justice, is the main motive.

AT&T hit by DDoS attack

Regardless of the attacker's identity or incentive, criminals use common tools and tactics in varying combinations. Many of these tools are cheap or free and easily available. They also require no more specialized skill than typing in the target's name and hitting "enter." The low-orbit ion cannon (LOIC), for example, is an open-source DDoS application which floods a server with enough UDP or TCP packets to disrupt service. The LOIC even offers multiple attack vectors. Attackers can send anything from packets with the text of their choice to random HTTP GET requests which imitate legitimate application-layer traffic.

The future of malware

The means to launch an assault doesn't stop there though, as there are many other resources for attackers to use. If someone rents a server from a hosting company, but doesn't secure it, an attacker could obtain administrative rights to the server, load scripts onto it and execute them at will. This is known as accessing a "shell booter."

There are also remote-access Trojans and DDoS bots, both forms of malware that infect PCs and mobile phones, letting criminals control them remotely to execute attacks. A group of such computers is a "botnet" and each computer infected is a "zombie." Each family of malware has its own destructive capabilities. The most advanced — the ones that avoid detection the longest and support the most types of attacks — are often sold as software or as a complete pay-by-the-hour service.

Attackers can also infect mobile phones to be used as extra resources. It's the same idea as launching attacks with other people's computers in a botnet. However, the added benefit is that there are billions of smartphones in use all around the world. And unlike desktop computers and laptops which are shut off for hours each day, mobile phones are always on, connected and able to abet attacks. In the DDoS world, it's all about how much traffic you can generate, which depends on the number of hosts under your control. Mobile phones are simply too tempting to resist, and a new weapon that network security personnel have to keep an eye out for.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News