• United States

The rise of artificial intelligence DDoS attacks

Jul 11, 201810 mins
Artificial IntelligenceHackingNetwork Security

The leaves may change color, but the roots are the same. Are you ready for AI-based DDoS attacks?

ddos attack
Credit: Thinkstock

What keeps me awake at night is the thought of artificial intelligence lying in wait in the hands of bad actors. Artificial intelligence combined with the powers of IoT-based attacks will create an environment tapped for mayhem. It is easy to write about, but it is hard for security professionals to combat. AI has more force, severity, and fatality which can change the face of a network and application in seconds.

When I think of the capabilities artificial intelligence has in the world of cybersecurity I know that unless we prepare well we will be like Bambi walking in the woods. The time is now to prepare for the unknown. Security professionals must examine the classical defense mechanisms in place to determine if they can withstand an attack based on artificial intelligence.

Fail to prepare, prepare to fail

The arrival of new technologies comes with an abundance of security threats. New products are released to cover the inadequacies in protocols. With today’s attack surface, no one can ever be fully secure. Being almost secure is good enough for most and security teams work on the basis that it’s not a matter of if, it’s a matter of when.

There are well-known mechanisms to combat distributed denial of service (DDoS) attacks. We can spread the perimeter, offload to a scrubbing center, and tackle the problem head-on. Then along came IoT-based attacks that raised the bar causing respectable networks to fall flat. However, there is only so much bandwidth out there and the headlines are often worse than the capabilities.

What I haven’t heard too much about is the repercussions of artificial intelligence in the hands of bad actors. A combination that will inevitably unlock a more powerful form of DDoS attack. A machine does not stop, get tired, lose concentration or panic. AI-based attacks keep their cool maintaining constant momentum while under pressure from defense mechanisms.

The only way to fight a machine is with another machine. Any other way is useless. Unless you want to be left blindfolded, security professionals must look to introduce artificial intelligence on the defense side and not rely on traditional defense mechanisms. An AI-based defense comes in two flavors, unsupervised learning, and supervised machine learning systems. Unsupervised learning being the superior defense mechanism of the two. L7Defense is a pioneer in the ability to defend from attacks in real-time using unsupervised machine learning.

From scripts with loops to automated AI-based attacks

Did you know the first DoS attack was carried out in 1974? It went mainstream with Classical Bots that started in the early 2000’s and consisted of a manual Denial of Service (DoS) approach. Essentially, DoS is when a bad actor sends traffic to overwhelm a system. Back then, they were pretty basic. Even if tools were not readily available those with medium technicality could carry out an attack. A single machine would send a single attacking signature. The automation was essentially done by manual keyboard entries.

This proved to be inefficient and bad actors quickly moved from manual to semi-manual. For example, this may include a simple script combined with a number of loops enabling a level of automation. However, we still only had a limited number of attacking signatures that were preconfigured in the script and only one IP source was used. The attack surface and vectors used were limited.

We then moved into a semi-automated wave consisting of multiple attacking IP sources. The introduction of command & control (C&C) servers presented a new shift in DoS, known as distributed denial of service (DDoS). C&C servers are centralized machines controlled by bad actors that are able to send commands and receive outputs. The C&C servers were not sophisticated, but they could control a number of infected end host computers, spreading the attack source. These infected computers were known as botnets.

The botnets would receive predefined commands from the C&C servers and carry out a set pattern of attack signatures. The signatures were set in stone regardless of how well the defense side was doing. The botnets were still static because the C&C Servers issue similar commands to each of them. The scale of the attack increased but the intelligence didn’t. We experienced more spread and a larger attacking surface but with the same intelligence.

Malware automation

The major turning point in the evolution of DDoS came with the automatic spreading of malware. Malware is a phrase you hear a lot of and is a term used to describe malicious software. The automatic spreading of malware represented the major route for automation and marked the first phase of fully automated DDoS attacks. Now, we could increase the distribution and schedule attacks without human intervention. Malware could automatically infect thousands of hosts and apply laterally movement techniques infecting one network segment to another. Moving from network segments is known as beacheading and malware could beachhead from one part of the world to another.

There was still one drawback. And for the bad actor, it was a major drawback. The environment was still static, never dynamically changing signatures based on responses from the defense side. The botnets were not variable by behavior. They were ordered by the C&C servers to sleep and wake up with no mind for themselves.

As I said, there is only so much bandwidth out there. So, these type of network attacks started to become less effective. Bad actors started to side step a little and target the application layer instead of the network infrastructure. Reflection style attacks started to appear along with its enhancement known as the amplification. Distributed reflection denial of service attacks was the worse at that time. Reflection attacks are used to abuse user datagram protocol (UDP) services. UDP by design is connectionless in which the receiver does not validate the IP of the source. This is the address of the client requesting a service. The lack of validation makes it possible for someone to pretend to be you using your IP as the source, known as IP spoofing.

Unknowingly the legitimate source that has it’s IP address spoofed is overwhelmed when the UDP server sends back requests. The UDP server is essentially acting as the reflector hiding the identity of the bad actor. Amplification exploits the fact that the size of responses is generally much larger than the size of server requests. A simple request sent to can include a response with many IP addresses along with additional information. If a DNS server can amplify requests to a factor of 200 a bad actor with bandwidth of 100Mbps using both amplification and reflection techniques can generate an attack of 200Gbps. Now, can you imagine what happens if there are thousands of reflectors?

Different variations of layer 3, 4 and 7 based attacks were well underway with readily available tools. It became easy and cheap to launch an attack. The major difference between these attack variations is the ability to create a session, for example, a secure sockets layer (SSL) session for the victim with an attempt to cause session exhaustion higher up in the stack. Alternatively, the bad actor may send a flood of internet control message protocol (ICMP) messages without waiting for a reply, making no attempt to take over the session.

Eventually, a combination developed to form a dangerous mix of layer 3, 4 and 7 based attacks. The classical volumetric was often combined with a layer 7 focusing on the application. The volumetric would simply act as a cover for the layer 7 based attack. Application attacks are heaven for bad actors. Each web application represents an infinite number of attack possibilities with so much variation for them to pick and choose from. There are so many tools available out there that can generate random pages attacks along with randomization techniques. Web security companies are on the back foot. They have the capability to scan and detect for hundreds of thousands of vulnerabilities but not for an infinite number of signatures.

Things got a bit more serious when bad actors started to combine the automatic spreading of malware with IoT. We experienced a mega-attack scale and solid networks started to hit the floor. While traditional C&C’s are not very sophisticated, the big brother IoT C&C servers are more dynamic and can control botnets with a number of optimizations that can change every few seconds based on the defense response.

They are heaps more intelligent than the classical C&C’s. The botnets are no longer static. Each botnet now controls its own unit of work representing many small armies working in isolation attacking a single destination.

The rise of artificial intelligence

Today, we are entering into a different wave of DDoS attack. This new era has all the power of IoT-based attacks along with artificial intelligence combined with various feedback loops and automatic optimizations.

Artificial intelligence is constantly optimizing, changing parameters and signatures automatically in response to the defense without any human interaction. It works alone keeping security professionals up all night unless the right precautions are in place.

There are two flavors of AI-based defenses; supervised and unsupervised machine learning. Supervised learning is similar to having a teacher with a predefined curriculum including specific questions and answers. With unsupervised learning, there is no teacher or a narrow curriculum. The curriculum is developing itself based on changing student’s needs.

Supervised learning needs to be fed with examples in order to deal with the situation. After enough examples, it becomes a closed problem. However, this represents a number of drawbacks in the world of AI-based attacks. If you have malware different from the current exampled one, will the system identify and appropriately deal with it? Probably not and this is where false positives start to increase.

Unsupervised learning is superior in the sense that you don’t need to feed the system with examples. This represents a major shift in how you protect against a machine that is constantly changing in response to the defense side. Unsupervised learning has the ability to change and adapt as the problem itself changes. The real issue hitting supervised learning is that traffic patterns are by their very nature, unpredictable. The source and destination IP endpoints may remain unchanged but there can be numerous alterations in the headers and message body. The variations are a major problem for supervised learning.

No one can predict and create examples for all application traffic profiles and potential attack vectors. As a result, we cannot cover the entire space and feed a supervised machine learning system with enough examples to cover every possible angle. If you can’t cover the entire space, then you need a system that can by itself analyze the environment and figure out by itself without human intervention the best possible path of action while still keep false positives to a minimum. A system that can dynamically learn and adapt to known and unknown environments.

Supervised learning can help to a certain extent but in a world that is full of dynamic variables, you really need a system that can adapt to these changes and predict the unknown future that AI-based attacks will bring.

Within the cybersecurity realm attackers are moving fast. Similar to moving from ice to water, yet the ice is not moving, so you need now, not a hammer for the ice but a device that can analyze the water to determine a poison ingredient in disguise. This is why you need to move from supervised to unsupervised learning.


Matt Conran has more than 19 years of networking industry with entrepreneurial start-ups, government organizations and others. He is a lead Architect and successfully delivered major global greenfield service provider and data center networks. Core skill set includes advanced data center, service provider, security and virtualization technologies. He loves to travel and has a passion for landscape photography.

The opinions expressed in this blog are those of Matt Conran and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.