in Business, Consultancy, nSecurity, Uncategorized

All you need to know about Denial of Service (DoS) Attacks


Cyber attacks on high-profile businesses has become almost a daily news. One of the common type of cyber attack is the Denial of Service or the DoS attack, and as the name implies, it renders the use of the online resource or service unavailable to its intended users. This is usually done by flooding the network with high volume traffic or sending such information that will trigger a crash. It deprives legitimate users such as account holders, employees or members from using the service.

Initial DoS attacks were launched from a single source computer which later evolved into use of multiple computers at multiple locations. Early systems were reserved mostly for home internet users that have lower bandwidths through cable or DSL modems. The cyber attackers use their botnet having many ‘drones’ to send commands to attack a specific target.

Over the years, DoS attack technology has evolved greatly and DoS attacks have now become a grave threat to the internet landscape. The number of attacks has increased and giants like Apple, Microsoft, Google, PayPal, Visa and MasterCard have succumbed to it.

It is difficult to say when the first DoS attack was launched but there was one large scale incident in 1999 when University of Minnesota’s IRC server was attacked leaving 227 systems affected and the server remained down for several days.

Then there came the big February 2000 attack in which a 15-year old Canadian kid “mafiaboy” carried out a series of DoS attacks where major websites including Yahoo!, Amazon, eBay, CNN and ZDNet were attacked and paralyzed.

With the “My Tobworm” attack in 2005, cyber crime entered a new era – extortion of money. From around 2010, political and ideological issues drove DoS attacks that broke the 100Gbps barrier. Among others, there was the “Operation Payback” by global hacker group Anonymous that targeted credit and banking institutions like Visa, MasterCard and PayPal.   

September 2012 saw a new trend, a different method of attack by creating an even better botnet. Here, the attackers first scanned websites and CMSs for vulnerabilities, and then attacked them by injecting special DOS attack script in them.

The hackers used the notorious “Brobot” or the “itsoknoproblembro” botnet, a customized version of the Russian Toolkit. This toolkit works differently. Instead of placing the botnet drones on home computers having low bandwidth internet connections, they are placed on hosted, cloud and other data centers with high bandwidth connections. This, coupled with the fact that the servers are capable of managing heavy traffic, make up for a high packet rate, high bandwidth attacks. 2012-2013 saw some of the largest brobot attacks, upwards of 97Gbps.

This brobot was responsible for a series of cyber attacks launched in September 2012 targeting several US financial institutions. The attack was perpetrated by the cyber fighters of Izz ad-Din al-Qassam a.k.a. Qassam Cyber Fighters or QCF.

QCF announced in September 2012 on Pastebin that they would use DoS attacks on US financial institutions.  Targets included the New York Stock Exchange, major banks like Bank of America, JP Morgan, Chase Bank as well as other financial institutions. The campaign was dubbed “Operation Ababil” and the attacks continued sporadically through 2012 into the first half of 2013 using the powerful Brobot ion cannons.

QCF cited the controversial video “Innocence of Muslims” released on YouTube as the reason for the attacks, making it an ideological issue and a case of hacktivism. However, there were speculations that the hackers were sponsored by the Iranian government searching for weaknesses in US financial infrastructure in retaliation for economic sanctions imposed on them by the US and other western countries.

“Unfortunately, the multilayer command and control infrastructure utilized in botnet creation makes it incredibly difficult to say with certainty from open sources that Iran is indeed the wizard behind the green curtain, so we ultimately decided to go with the publicly stated purpose of the actors and chalk it up to hacktivism,” says the 2014 Verizon Data Breach Investigations Report.

Although the exact motivation for attacks by QCF is uncertain, the tactics used by them to launch these attacks are known. The Fighters used a variety of tactics including the traditional UDP and SYN flood attacks that use up server resources resulting in denial of service to legitimate users, to the more sophisticated application-layer attacks causing traffic congestion and overloading of the network or server causing a disruption in services.

“In these low and slow attacks the QCF would send multiple HTTPS GET requests for PDF files on the target site. These types of attacks are especially frustrating: they don’t require significant resources, they can be difficult to defend against, and they can be incredibly effective,” says the DBIR report about the Application-layer attacks by QCF. “The use of HTTPS is particularly problematic for mitigation because the packets are encrypted, which makes it difficult for defenders to determine junk traffic from legitimate traffic.”

These DoS attacks do not need a large botnet to cause destruction but another trend – the DNS reflection attacks- have been grabbing the attention lately. A DNS reflection attack is a type of Distributed, Reflected Denial of Service (DRDoS) attack which is more sophisticated compared to the clumsy and random botnet.

If you remember the world’s biggest cyber attack of March 2013 where a DDoS attack of unprecedented intensity was launched on the international non-profit anti-spam organization Spamhaus. The attack peaked to a whopping 300 gigabits per second causing massive internet disruption worldwide. The average traffic hitting Spamhaus ranged between 85 to 120 Gbps and the method used to launch such a large-scale attack was DNS reflection.    

The DBIR report explains how the DNS reflection attack works:

“Typically, an attacker sends a bunch of DNS queries to open DNS resolvers. The attacker forges the source address on his requests to make it look as though they originated from his desired target. The open resolvers then send their typically larger responses to the targeted address, which is quickly swamped with seemingly legitimate traffic.” The traffic sent is about 8 times more than what they themselves receive. Hence called “reflection”.

Like the “low and slow” attacks perpetrated by QCF, the DNS reflection attacks too do not need significant computing resources to produce highly damaging results. Over the years, apart from the Botnet and DNS reflection attack, little has changed. However, new DoS toolkits are cropping up and new set of attacks continue to happen, although the general principles as well as the targets remain the same.

A majority of attacks are targeted at financial institutions, public sectors, professional and retail services for various reasons. If the attackers have good financial resources, they “rent out a DirtJumper or Athena botnet and pummel the target of his choice for less than $10 an hour.” If not, they download open source toolkits such as LOIC (Low Orbit Ion Cannon) from the internet but then for the attack to be successful, they need the help of a lot of friends. If the attacker himself is a developer, he might write his own DoS script and build a botnet. cyber criminals are continuously active underground planning out the attacks.  

Some fear that the cyber criminals use DoS attacks as a “smokescreen” behind which they carryout fraudulent automated clearing house (ACH) transfers and other illegitimate activities. Although some scattered incidents of such happenings have been reported, the DBIR hasn’t found any substantial data in this regard.

Coming to some of the recent big DoS attacks, in August 2014 Sony PlayStation Network, Microsoft’s Xbox Live, Grinding Gears Games and Blizzard’s, all reported large scale DDoS attacks causing massive network disruptions. Sony PSN and Xbox Live again came under DDoS attack on Christmas day. Several other popular games were targeted too.  

The largest DDoS attack of 2015 of up to 334Gbps on an Asian Data center was registered by Arbor Networks. The arrival of 2016 saw what may have been the largest DDoS attack in history, peaking 602Gbps and directed at BBC by the New World Hacking Group. The same group also targeted the campaign website of the Republican presidential candidate Donald Trump.

The incidences and sizes of DoS attacks have increased multiple fold over the past decade have now become a serious threat to businesses. As the DoS attacks increase in severity, sophistication and frequency, proper security solutions are needed to counter these threats. Nexibeo can provide you with ideal solutions for protection against such threats. Check out our nSecurity package to prevent DoS Attack on your website