This is the second in a series of blog posts “on all things Bot.” From bad to good and looking towards the future, Bots remain an information security issue which has the potential to impact all commercial and recreational online activity. This series will explore the security and business ramifications of the modern internet where you may be surprised by all the non-human visitors to your online services.
Bad to the Bot Bone – George Thorogood & The Destroyers, 1982
Internet bots have been wreaking havoc on exposed services, especially websites for some time now. Generally, a bot army is made up of compromised computers and/or IoT devices under the central command of a “bot herder”. The bot herder can offer services online ranging from launching DDoS attacks, brute force attacks, and all manner of online-ad fraud. This blog will discuss the origins of bot based DDOS attacks and explore the future of DDoS attacks.
As it turns out DDoS attacks have been around, arguably since 1988 with the invention of the Morris Worm. The Morris Worm used a self-replicating feature which consumed plenty of system resources as it replicated. Although it was not designed as a DDoS attack, the general concept of exhausting system resources by consuming all available system ram, CPU power, disk space (for logs) and communications capability of the system established the early concepts of a DDoS cyber-attack.
Computer systems and the communication infrastructure to support them made rapid advances from the late 1980’s to the late 1999’s. But, it was really not until 2007 that the character of a DDOS attack – especially one which targeted web servers – moved from its activist roots to become a tool of nation-state cyber warfare. In 2007, a small network of computers trained their DDOS guns on a country and significantly impacted all manner of electronic services. That country was Estonia.
One has to keep in mind that the communications technology and computer systems were far from being as powerful and robust as they are today. A technical analysis of the DDoS attack prepared by the Hungarian CERT provided the following:
Estonian government websites and others have been the victims of denial-of-service
(DDoS) attacks from 27 April 2007 until 11 May 2007. The attacks are [were] gradually intensifying. The number on May 9th—the day when Russia and its allies commemorate Hitler’s defeat in Europe—was the biggest.
[There were] 128 unique DDoS attacks on Estonian websites during the above mentioned two weeks. Of these, 115 were ICMP floods, 4 were TCP SYN floods, and 9 were generic traffic floods. Attacks were not distributed uniformly, with some sites seeing more attacks than others[.]
“I think we’ve got something, sir. The report is only a fragment, from a bot in the Hoth system, but it’s the best lead we have.” – Captain, soon to be Admiral Piett, 1980.
In 2012, a great deal of effort in academic circles and law enforcement agencies was spent on understanding the DDoS problem. In response to a growing number of DDoS attacks conducted by the hacktivist group Anonymous and its more malicious offshoot LulzSec. The Anonymous group crushed a number of websites by using a tool called: Low Orbit Ion Cannon (LOIC) with a feature known as “Hivemind”. The Hivemind feature put the LOIC tool under the control of a 3rd party to coordinate an attack. This capability resulted in knocking the US DoJ, RIAA, MPAA, and Universal Music Websites offline.
Since 2011, DDoS has been used as both a tool of protest and geopolitical hostility, one of the peaks in DDoS attacks was alleged to have been conducted by Iranian hackers from 2011 to 2012. These Iranian state-sponsored attackers were indicted in March of 2016, and the substantial impact of these attacks was realized.
“The alleged onslaught of cyber-attacks on 46 of our largest financial institutions, many headquartered in New York City, resulted in hundreds of thousands of customers being unable to access their accounts and tens of millions of dollars being spent by the companies trying to stay online through these attacks.”
In a ground-breaking paper released in 2012 [PDF], “Botnet-based Distributed Denial of Service (DDoS) Attacks on Web Servers: Classification and Art.” The conclusion indicates the magnitude of the problem.
Botnet-based DDoS attacks on the application layer are latest and most problematic trends in network security threats. Botnet-based DDoS attacks on the application layer limits resources curtail revenue, and yields customer dissatisfaction, among others. DDoS attacks are among the most difficult problems to resolve online, especially, when the target is the Web server.
With the release and development of DDoS software, it placed a dangerous cyber weapon in the hands of individuals who seemed to have an online ax to grind. One of the earliest groups was called the Electronic Tribulation Army (ETA). Four individuals were charged with a number of federal computer crimes including “Benjamin Earnest Nichols, a 37-year-old ETA member from Oklahoma City, pled guilty to intentionally causing damage with a distributed denial of service (DDoS) attack on mcgrewsecurity.com in 2010”
Although Bot driven DDoS attacks both large – some would say gigantic – and small proliferated, it was not until 2018 that law enforcement acted against the cybercriminals who constructed a DDoS as a Service platform called “webstressor.org”, which was available on the open web since 2015. This was essentially a payment gateway linked to a network of bots which were capable of performing on demand DDoS attacks.
More than audacious, it had 136,000 registered users which launched at least 4 million attacks against all manner of website targets. This major victory was preceded by law enforcement actions against Poodlestressor (created by members of the notorious LulzSec crew) and VDos an Israeli based DDoS as a service site which figured prominently in the computer hacking case against John Kelsey Gammell.
Although DDoS as a service proved lucrative for cybercriminals, it was a very loud cyber-attack and clearly attracted maximum, coordinated and international law enforcement effort against facilitators. Almost in parallel and dating back to 2006, entrepreneurial cybercriminals were putting their bot armies to work on more lucrative activities such as online fraud.
Join us in future blog posts to explore the exciting, dynamic and dangerous world of bots. To read the first part of this series follow this link.