
DDOS Attacks Incident Analysis


On September 18th 2010 the website of the Motion Picture Association suddenly stopped responding. Technically, the web server received a huge number of requests and crashed while trying to answer thousands of requests demanding web pages one after another. This distributed denial of service attack stopped the server from responding to legitimate user requests for a period of twenty hours. The same DDOS campaign also targeted the Recording Industry Association of America and the British Phonographic Industry. The attack was initiated by readers of the Internet bulletin board 4chan, who took part in a campaign called ‘payback’ to launch the DDOS attack (McGARVEY, 2013). In a related development, an Indian organisation called Aiplex was apparently engaged by the Motion Picture Association to act against the file-sharing website piratebay.com. As a result, the Motion Picture Association’s site was inaccessible for more than a day and received media attention from Reuters, the British Broadcasting Company, the London Telegraph and others. Mr Sean Paul, a security research expert and advisor, spoke about the incident in the media and called it ‘the future of cyber protests’, predicting that attacks of this kind would become a form of protest. The expert’s assumptions later proved true, as the same type of attack was organised again, this time against the credit card industry. PayPal, MasterCard, Swiss banks and many others were the main targets, the goal being to penalise these organisations for withholding services from the WikiLeaks whistleblowing website (Mansfield-Devine, 2014). WikiLeaks itself also reported an incident: a DDOS attack shortly after its release of highly confidential diplomatic cables from the United States. All of its servers were later transferred to the Amazon cloud to seek protection from these attacks (Crosman, 2014).

Russia’s most popular newspaper website has also been targeted by another DDOS attack more than once in the last 24 months. The attacks disabled the site for a week, and Sokolov, its chief executive editor, is still looking for the cyber-criminal behind them. He suspects that the government-funded ‘Kremlin Youth’ agency is behind the attacks, as no support was provided by the local authorities within the country. DDOS attacks are now regarded as a major threat to all companies, government agencies, websites, online banking services and so on. A security consultancy organization completed a survey of the major security issues faced by network operators. The survey, published in 2008 to 2009, showed that every network operator had witnessed a DDOS attack within the last 24 months. Many network operators were also found to maintain extensive processes and procedures to combat DDOS attacks. In the past, DDOS attacks were linked with blackmail cases, where hackers demanded protection money after compromising the web pages of organizations that conduct business online. DDOS is therefore used by hackers for political reasons as well as for extortion (Perry & Costigan, 2012). Currently, the major network operators have found only one solution to mitigate the risk: over-provisioning more systems and servers than are actually required. They also monitor for unwanted DDOS traffic with specialized sensing tools so that they can respond to an attack at an early stage and isolate the affected subnet from the network. Furthermore, these network operators communicate and exchange information via a closed email group that is hidden from the outside world and assists them in mitigating potential threats from the Internet. Organizations often encounter DDOS attacks once a month or more, but these attacks are eliminated by solid defences and fool-proof controls.
The websites compromised by these attacks did not have a solid security defence against this type of attack, whereas the core systems do have a solid framework of security controls with up-to-date technology. We know that these attacks were influenced by political, military and extortion parties who invest funds to accomplish personal agendas (Perry & Costigan, 2012), which leaves open the question of the future of these attacks. It is also an open question for the independent media network, the human rights organization network and the other associated bodies that represent human rights and media independence (Ziccardi, 2012).

DDOS Review

In order to understand DDOS attacks targeted at the independent media industry, four different research methods are discussed:

  • Review of media reports associated with DDOS occurrences
  • Online survey of independent media and human rights organizations
  • Interviews with independent media organizations affected by DDOS
  • Discussion meetings with all the affected parties, i.e. independent media organizations, human rights organizations, security consultants, network consultants and subject matter experts (Ziccardi, 2012)

After these four methods were identified, DDOS-targeted countries were also shortlisted from different geographical locations, as DDOS attacks have targeted human rights organizations (Ziccardi, 2012), independent media organizations and political agendas (Kerner, 2014). The shortlisted countries were Burma, China, Iran, Russia, Kazakhstan, Tunisia, Uzbekistan, Egypt and Vietnam (Perry & Costigan, 2012). The independent media review started in May 2010, and for the first three months the target was to monitor English-language news sources for any politically funded or politically targeted DDOS attacks. To extract relevant news from the nine countries, the Google News alert service was used with a unique filter to pull news associated with DDOS attacks in those countries. The results yielded around sixty stories per day, of which three to four were accurate. In the primary languages of each of the nine sample countries, we also set up alerts with common translations of terms related to ‘DDoS’, ‘hack’ and ‘intrusion’. This independent media research found 329 distinct attacks targeting more than 800 websites hosted in different locations. Some security breaches were excluded, as they were not announced publicly and the scope of this research was limited to English-language news sites. A survey was then carried out to identify patterns of DDOS attacks on different websites. The results revealed (Olivero, 2014):

  • 72% reported network filtering at the national level
  • 62% had detected DDOS attacks
  • 39% reported intrusion detection or penetration within the network
  • 32% had witnessed website defacement

It is clear that DDOS attacks are not an isolated issue for independent media organization websites; instead, they form part of an umbrella of different types of attack against these websites. There was also unscheduled or unplanned downtime for the sites in the past 12 months. The statistics are shown below (Olivero, 2014):

  • 61% of the sites faced unplanned or unscheduled downtime
  • 48% of these sites experienced unplanned or unscheduled downtime for more than a week

Unscheduled or unplanned downtime cannot be attributed to a DDOS attack alone, as other incidents can also cause a website to go down. For instance, improper configuration, hardware and software compatibility issues, or a massive number of visitors in peak business hours can also cause a website to stop responding. Another survey, of Internet Service Providers, reports the following statistics for the past 12 months:

  • 55% of websites were unplugged by their Internet Service Provider because of a DDOS attack
  • 36% of clients reported a successful defence against DDOS attacks by their Internet Service Provider

DDOS attacks do not need amplifiers or botnets to cause destruction or damage to a website. On the contrary, a very small amount of malicious code can bring down a medium-sized website in no time, and hackers can bring an application down without using botnets. An attack carried out by volunteers is hard to sustain because of its other requirements; on the other hand, the methods used in volunteer attacks cause destruction on a larger scale.

In 2009 and 2010 an attacker known as “The Jester” (th3j35t3r) was identified attacking websites. The Jester is supposed to be a “jihadist” attacking these websites. This attacker created a tool named “Xerxes” and used it against journalists. Using an individual machine, the Jester immobilised the targeted sites, launching 40 attacks at one time. A number of techniques and methods were used by the Jester during the year: he attacked at least 29 websites at the same time and described his attack strategies on social media. This example leads to the conclusion that individuals who are well informed about the systems involved can attack servers as effectively as a pack of volunteers. However, these attacks are easy for a specialised engineer to manage because of the small number of IP addresses involved. On the other hand, many websites do not hire professionals, so these attacks cannot be handled appropriately and the servers are brought down. In fact, many websites were unable to perform even the initial step of filtering IP addresses because of their unspecialised staff.

Proposed Solution

In recent years technology has evolved immensely, and fixing denial of service attacks through technology is no longer an issue for information technology specialists. The main cause of denial of service attacks on servers lies in the pitfalls of the Internet architecture. In addition, many workstations are not operated by their owners, so the chances of viruses, malicious code and Trojan horses are high. These attacks can be handled by mitigating them and securing the workstations. The resolution of these problems lies in the solutions proposed by information technologists. To resolve the botnet problem, the service of an affected workstation should be turned off after enquiry through the ISP. This proposed solution is often opposed by ISPs, because there is a high chance that users will switch from the affected ISP to a new one. Under this solution users face “quarantine” or “walled gardens”, which pushes them towards an easy option such as changing machines rather than fixing the infected system (Newswire, 2014). Many DDOS schemes on the Internet take advantage of how easy it is to take off (spoof) an identity. The identity is taken off by searching for a particular system on a server (Newswire, 2014).

The main purpose of identifying a particular system is to find IP addresses that are similar or identical on the Internet. Unique identifiers play a vital role, analogous to phone numbers, on the Internet. An IP address can easily be taken off and can misrepresent the target, particularly if the attacks are made by DNS amplification, which is “analogous to flooding a victim with phone calls by leaving the phone number of the victim as the call back number on the voicemail of many different phone numbers” (Sterling, 2002). Furthermore, tracking down DDOS attacks is not an easy task. The major complication in tracking an attack is that there is no particular way of connecting IP addresses with persons. The attacker may not be punished under local laws even if the hostile IP address is tracked by the ISP (Newswire, 2014). DDOS attacks are not discouraged enough because of these complications for ISPs and tracking systems. The techniques used for mitigating attacks mainly rely on rate limiting and packet filtering. With packet filtering, requests from an alleged hacker are not entertained, so the server’s performance is focused on serving genuine customers. Rate limiting restricts the number of requests accepted from an individual IP address, which makes it more difficult for a hacker to throw packets at a site from a system containing botnets. In addition, if the system has a list of blacklisted servers it is easy for the programmer to implement these techniques to control attacks. However, genuine customers who use proxy servers to enter a website are badly affected by these techniques. This is because the techniques provide only basic prevention measures, and these measures can be evaded by a specialised attacker.
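The per-IP rate limiting described above, as an added example that is not code from the original text: a sliding-window limiter replayed over constructed traffic (the log lines and IP addresses are made up for the demonstration). It shows the flooding source being throttled and also the side effect the paragraph warns about, namely that a shared proxy address relaying many genuine users is throttled in exactly the same way.

```python
"""Per-IP rate limiting: a sliding-window counter that admits at most
max_requests requests from one source address per `window` seconds.
Constructed sample traffic (not a real capture) shows the intended effect on
a flooding source and the collateral effect on a shared proxy address."""
from collections import defaultdict, deque
import re

# One log line per request: "<epoch-seconds> <client-ip> <path>"
LOG_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?) (?P<ip>[\d.]+) (?P<path>\S+)$")


class SlidingWindowLimiter:
    """Keeps, per source IP, the timestamps of requests seen in the last
    `window` seconds. Every request is recorded, allowed or not, so a
    source that keeps hammering stays throttled until it backs off."""

    def __init__(self, max_requests, window):
        self.max_requests = max_requests
        self.window = window
        self._seen = defaultdict(deque)

    def allow(self, ip, now):
        q = self._seen[ip]
        while q and now - q[0] >= self.window:   # drop timestamps outside the window
            q.popleft()
        q.append(now)
        return len(q) <= self.max_requests


def build_sample_log():
    """Constructed traffic: a normal browser, a flooding source, and a shared
    proxy address relaying fifteen different users' requests."""
    lines = []
    for i in range(4):        # normal client: 4 requests over 10 seconds
        lines.append(f"{1000 + i * 2.5:.2f} 198.51.100.7 /page{i}")
    for i in range(60):       # flood: 60 requests in 3 seconds
        lines.append(f"{1000 + i * 0.05:.2f} 203.0.113.9 /index.html")
    for i in range(15):       # shared proxy: 15 requests in about 9 seconds
        lines.append(f"{1000 + i * 0.66:.2f} 192.0.2.50 /news/{i}")
    lines.sort(key=lambda line: float(line.split()[0]))
    return "\n".join(lines)


def apply_limiter(log_text, max_requests=10, window=10.0):
    """Replays the log through the limiter; returns ip -> (allowed, denied)."""
    limiter = SlidingWindowLimiter(max_requests, window)
    counts = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                       # skip malformed lines rather than crash
        ok = limiter.allow(m["ip"], float(m["ts"]))
        counts[m["ip"]][0 if ok else 1] += 1
    return {ip: tuple(c) for ip, c in counts.items()}


if __name__ == "__main__":
    for ip, (allowed, denied) in sorted(apply_limiter(build_sample_log()).items()):
        print(f"{ip:15} allowed={allowed:3} denied={denied:3}")
```

With the defaults of 10 requests per 10 seconds the flooding address gets 50 of its 60 requests denied, the normal browser is untouched, and the proxy address loses 5 of 15 requests even though each came from a different user.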

The scrubbing technique works by arranging a huge server that can accommodate incoming connections and combines automated and manual methods to allow or deny any traffic passing through the servers. Scrubbing is very effective at identifying malicious code entering the server. On the other hand, it is not budget-friendly and is very expensive. First, the technique requires huge bandwidth in order to absorb the attack made by the attacker. Second, a lot of CPU time is required to process the attack and separate the genuine traffic from the attack traffic passing through the server (Newswire, 2014). Lastly, in order to identify the nature of the attack from the traffic, a specialist engineer is required to look into the whole matter and perform the given task. The engineer instructs the scrubbing system according to the nature of the attack; however, different instructions are sometimes needed for different types of attack. There is also a substitute method known as dynamic rerouting for handling the affected traffic. Dynamic rerouting is used by ISPs instead of allowing the traffic through (Newswire, 2014). ISPs now protect themselves from attacks by separating the networks from the service provider of that system. Dynamic rerouting works by advertising “null routes” towards the attacking network sites. The null routes then signal to the attacking devices that no valid route is available, thus stopping the attacker from reaching the server from the targeted machine. Only attacks that originate from a small number of networks can be prevented by dynamic rerouting. Moreover, very specialised and trained staff are required to operate this technique effectively.
Because of its complex nature, the use of dynamic rerouting by an organization can badly affect its other network traffic, so easier sourcing techniques are preferred instead of dynamic rerouting (Newswire, 2014).

A load balancing technique with caching proxies is used to relieve the pressure of attacks on servers. If caching proxies are placed in front of a server, the effect is seen on everything served, such as slow page loading, static files and hanging content. When a user requests the home page, the caching proxy stores the data generated by the blog software. Generating the page for each customer request might take some time; in the meantime, the cache server shows the previously stored cached version of the home page (Newswire, 2014). In this example the caching system can absorb one thousand requests per second on behalf of the server. To provide a defence against major attacks, the server must enlarge its capacity and improve the efficiency of its caching proxy. On the other hand, the caching system only serves the same version of the home page for one minute, so for other websites it might not work appropriately. The independent media organizations and human rights organizations should:

  • Expand the record of genuine users for ISPs and other organizations that include first-class services for attack victims, such as the Director of Yahoo’s Business and Human Rights program, Ebele Okobi-Harris. Moreover, it is mandatory for the major ISPs and websites to hire new professionals (Ziccardi, 2012).
  • Establish and maintain a list of low-cost web hosting providers who have legally agreed to host PII sites and not to null-route them under DDOS attack.
  • Establish and maintain a list of all hosting providers who agree to host independent media organization and human rights organization data (Ziccardi, 2012).
  • Two methods can be applied for hosting a highly confidential site containing personal information. (i) The site can be hosted with a hosting provider on their secure server, as the data centres of these providers are ISO 27001 certified and an adequate level of security is promised. (ii) The website can be hosted on internal systems, where cost can be an issue, along with bearing the risk and being accountable for any security breach that may occur.
  • Find methods for sharing information and best practices between subject matter experts
  • Establish relationships between Internet security groups and communities and technical subject matter experts in order to provide guidelines and standard procedures in case a security breach is triggered.
  • For independent media organizations, a coordinator is required to act between the security team and the Internet organization, so as to help the independent media organization counter the attacks it faces
  • To protect websites from attackers it is important to find an advanced establishment that provides protection for the web sites and service providers. The Global Network Initiative is an example of a system created to provide maximum protection against malicious attacks.
  • Users can now pressure the affected organizations whose flaws prevent them from delivering services to genuine users.
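The caching proxy described before the list above, as an added example that is not code from the original text: a cache that serves a stored copy of the home page for one minute and, when the copy expires, keeps serving the stale copy while the blog software regenerates the page. Time is passed in explicitly and the request burst is constructed, so the simulation runs offline; the origin renderer is a stand-in, not real blog software.

```python
"""Caching proxy in front of a slow origin: a cached copy of a page is
served for `ttl` seconds, and when it expires one regeneration is started
while visitors keep receiving the stale copy until the new one is ready.
Timing is simulated with an explicit `now` argument (constructed times)."""
from collections import Counter


class StaleWhileRegenerateCache:
    def __init__(self, origin, ttl=60.0, origin_latency=2.0):
        self.origin = origin              # callable(path, now) -> body
        self.ttl = ttl                    # seconds a copy counts as fresh
        self.latency = origin_latency     # seconds the origin takes to render
        self.entries = {}                 # path -> (body, fresh_since)
        self.pending = {}                 # path -> (ready_at, body) being regenerated
        self.origin_calls = 0

    def get(self, path, now):
        """Returns (body, status) with status in {"hit", "stale", "miss"}."""
        ready = self.pending.get(path)
        if ready and now >= ready[0]:     # regeneration finished: promote it
            self.entries[path] = (ready[1], ready[0])
            del self.pending[path]
        entry = self.entries.get(path)
        if entry and now - entry[1] < self.ttl:
            return entry[0], "hit"
        if entry:
            # Expired but usable: start one regeneration (if none is running)
            # and answer immediately with the stale copy.
            if path not in self.pending:
                self.origin_calls += 1
                self.pending[path] = (now + self.latency, self.origin(path, now))
            return entry[0], "stale"
        # Nothing cached yet: this visitor waits for the origin (the wait is
        # abstracted away) and the result is cached for everyone after.
        self.origin_calls += 1
        body = self.origin(path, now)
        self.entries[path] = (body, now)
        return body, "miss"


def render_home_page(path, now):
    """Constructed stand-in for the blog software generating the page."""
    return f"<html>{path} rendered at t={now:.1f}</html>"


def simulate():
    """Constructed burst: 1000 requests in one second, then a few visits
    after the one-minute TTL has expired. Returns (origin_calls, status counts)."""
    cache = StaleWhileRegenerateCache(render_home_page, ttl=60.0, origin_latency=2.0)
    statuses = Counter()
    for i in range(1000):                 # 1000 req/s reaches the origin once
        statuses[cache.get("/", i / 1000)[1]] += 1
    for t in (61.0, 62.0, 63.5, 100.0):   # expiry, regeneration, fresh again
        statuses[cache.get("/", t)[1]] += 1
    return cache.origin_calls, dict(statuses)


if __name__ == "__main__":
    calls, counts = simulate()
    print(f"origin calls: {calls}, responses: {counts}")
```

The thousand-request burst costs the origin a single render; the two visits that arrive while the page is being regenerated still get an answer, only a minute old, instead of queueing on the blog software.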

Legal and policy approaches: For public issues, legal and policy approaches rarely work well in terms of immediate outcomes; however, many options are available for solving the related problems. In any organization, the most powerful medium for resolving an issue is dialogue between the general public and organization representatives in order to obtain particular governmental proposals.

Dedicated Website Hosting

Information Technology experts suggest that human rights fundamentals are very important; the discussion therefore includes the establishment of a dedicated DDOS-resistant hosting service that only serves human rights organizations. The core element of one version of the proposal is a dedicated solution provided by Prolexic, which is considered an important anti-DDOS service provider. Another version of the proposed solution uses simple, common security techniques that any website can adopt, implemented by a specialised Information Technology expert experienced in protecting against DDOS attacks. The research shows that the second proposal is more highly recommended than the first because of its effectiveness and simplicity. The main pitfall of the second proposal is that if one website is attacked along with other websites sharing the identical infrastructure, all of them suffer the adverse impact. A hard-line filtering procedure is also applied across all the websites sharing that infrastructure, so if a malicious website is blocked by the authorities, all the websites sharing the same server are affected. Likewise, attacks may be attracted towards websites on an identical architecture, so the security risk suddenly rises and causes negative effects. Human rights organizations have to face the impact of these high security risks, as their websites share identical infrastructure.

Conclusion

Initiating a DDOS is a complicated process that imposes Internet security challenges on independent media organizations and human rights organizations. Despite incorporating advanced attack vectors and legitimate channels for injecting DDOS traffic into an organization’s computer network, it is still not considered one of the primary threats to business. The survey results indicate that a large number of independent media sites are attacked with DDOS, and that filtering attacks, website defacements and intrusions are also present in high percentages. The research also drew on interviews and meetings with various third parties regarding attacks targeting independent media organizations and human rights organizations, covering filtering, offline discrimination, intrusion into websites, injection of malicious code from the sites and DDOS attacks on the sites. All of these results from the research and surveys indicate that DDOS attacks need to be considered together with other attack vectors, as attacking a network from multiple attack vectors at the same time will be extremely difficult to mitigate. I believe that the increase in extortion-driven DDOS attacks on independent media organizations and human rights organizations is an indication of a massive issue: the shortfall of technical expertise for administering the websites and for separating them from the core network to an individual hosting service provider. This is not an easy task, as it is a technically debatable issue. Hosting providers host many websites belonging to different customers, so a single security breach of the server may result in a breach of all the sites hosted on that system. Of course, the human factor is also present and poses the greatest risk of all.

Every organization needs:

  • To maintain a live mirror that is hidden from the outside world. The primary objective of the mirror is to provide access from infrastructure that is independent
  • A strategy to be initiated in case of a security breach or a DDOS-based attack. The facts to be considered include the organization’s appetite in terms of acceptable downtime, interruption window, recovery time objective and recovery point objective required for each business function, after discussing their requirements
  • A monitoring policy deployed for sensitive information that is uploaded during page load and for changes in page elements. Slow processing during page loading can in particular result from defacement or malicious code, which can also affect the contents available on the page. Such a malware attack should be reported to the administrator by the deployed monitoring system in order to prevent future attacks. The website CyberSpark.net is one of the leading service providers for human rights organizations and independent media organizations and contains all the functionality needed to prevent DDOS attacks.
  • The obvious and undeniable possession of domains must be ensured. In addition, quick and easy recovery measures must be in place to substitute the IP/domain, which depends on the Time To Live (TTL) of the records. Organizations at risk of DDOS attacks should manage their domains’ TTL values so as to recover quickly and easily from an attack; the interval must be less than five minutes. Moreover, a variety of new measures must be introduced by organizations to secure the domain from attacks. Changes require authorization by PGP-signed email, and the registrar should be informed of the changes made under that authorization. The website mowjcamp.org has implemented these new techniques and gained a long-term advantage against DDOS attacks.
  • A DDOS attack must be reported to the company hosting the organization’s services. Moreover, the host company must provide assurance that it will not null-route the server under attack. The organization must ensure that the host company possesses substitute routes in case the core route is affected by the DDOS attack. Also, the procedure for recovering from DDOS attacks must be described in detail.
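A check for the TTL recommendation in the list above, as an added example that is not a tool from the original text: it reads a BIND-style zone file and reports every address-bearing record (A, AAAA, CNAME) whose effective TTL is not under five minutes, since those are the records that decide where the site lives when it has to be moved during an attack. The zone file and domain name are constructed placeholders, and the parser assumes single-line records (no parenthesised multi-line SOA).

```python
"""Zone-file TTL check: flag A/AAAA/CNAME records whose effective TTL is
missing or not below MAX_TTL_SECONDS, so that an IP/domain cutover during a
DDOS attack propagates quickly. Assumes single-line BIND-style records."""

MAX_TTL_SECONDS = 300                     # "less than five minutes", as recommended
CHECKED_TYPES = {"A", "AAAA", "CNAME"}    # records that decide where the site lives
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_ttl(token):
    """Accepts BIND TTL forms such as 300, 5m, 1h, 1d."""
    token = token.lower()
    if token[-1] in UNITS:
        return int(token[:-1]) * UNITS[token[-1]]
    return int(token)


def check_zone(zone_text, max_ttl=MAX_TTL_SECONDS):
    """Returns [(owner, rtype, ttl)] for checked records whose effective TTL
    is missing, or at or above max_ttl. ttl is None when no TTL applies."""
    default_ttl = None
    last_owner = None
    findings = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # strip comments
        if not line.strip():
            continue
        fields = line.split()
        if fields[0] == "$TTL":
            default_ttl = parse_ttl(fields[1])
            continue
        if fields[0].startswith("$"):              # $ORIGIN etc.: not relevant here
            continue
        if line[0].isspace():                      # blank owner repeats the previous one
            owner = last_owner
        else:
            owner = fields.pop(0)
            last_owner = owner
        ttl = default_ttl
        # Optional TTL and class may appear in either order before the type.
        while fields and (fields[0][0].isdigit() or fields[0].upper() == "IN"):
            tok = fields.pop(0)
            if tok[0].isdigit():
                ttl = parse_ttl(tok)
        rtype = fields[0].upper()
        if rtype in CHECKED_TYPES and (ttl is None or ttl >= max_ttl):
            findings.append((owner, rtype, ttl))
    return findings


# Constructed zone for a hypothetical domain; the names are placeholders.
SAMPLE_ZONE = """\
$ORIGIN example-media.test.
$TTL 86400                     ; one-day default: far too slow for a cutover
@        IN SOA  ns1 hostmaster 2024010101 7200 900 1209600 300
@        IN NS   ns1
www      IN A    192.0.2.10    ; inherits the 86400 default
api  240 IN A    192.0.2.11    ; explicit 4-minute TTL
cdn  1h  IN CNAME cdn-provider.test.
         IN AAAA 2001:db8::11  ; same owner as the line above (cdn)
mail     IN MX   10 mx.example-media.test.
"""

if __name__ == "__main__":
    for owner, rtype, ttl in check_zone(SAMPLE_ZONE):
        print(f"{owner:6} {rtype:6} ttl={ttl}  not below {MAX_TTL_SECONDS}s")
```

Running it against the sample zone flags www (inherits the one-day default), the cdn CNAME (one hour) and the cdn AAAA record, while the api record with its 240-second TTL passes.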

We need to study the magnitude of the attack in order to establish a solution based on a trap. For instance, honeypot networks replicate the actual network and are separated from the internal network by a screened subnet. A DDOS can also be fooled in this way: a threshold is defined in the security device to grant only the realistic volume of web requests that occurs on a daily basis. An increase beyond that may be considered a DDOS, and traffic arriving on that specific port can be blocked for a certain period of time. However, there is still the question of how the intruder or hacker will penetrate the network and what methodology will be applied.
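The threshold approach described above, as an added example that is not code from the original text: a normal day's per-minute request volume serves as the baseline, a minute whose live volume exceeds that baseline by more than a factor triggers a temporary block on the port, and, because the comparison is against the same minute of the day, a genuine peak-hour surge stays under the threshold. Both traffic profiles, the factor of 3 and the ten-minute block are constructed for the demonstration.

```python
"""Threshold-based DDOS detection against a same-minute-of-day baseline.
Traffic profiles, the multiplier and the block duration are constructed."""

MINUTES_PER_DAY = 1440


def build_baseline():
    """Constructed normal-day profile: requests per minute for 24 hours."""
    counts = []
    for m in range(MINUTES_PER_DAY):
        if m < 480:        # 00:00-08:00 quiet
            counts.append(40)
        elif m < 1080:     # 08:00-18:00 business hours
            counts.append(120)
        else:              # 18:00-24:00 evening
            counts.append(60)
    return counts


def build_live_day(baseline):
    """Constructed attack day: the normal profile plus a 21-minute flood at
    05:00, a genuine surge at 10:00 and a short burst at 20:00."""
    live = list(baseline)
    for m in range(300, 321):
        live[m] = 1000
    live[600] = 200
    live[1200] = 500
    return live


def detect_blocks(baseline, live, factor=3.0, block_minutes=10):
    """Returns [(start_minute, end_minute)] block windows (end exclusive).
    While a block is active no new decision is taken; if the flood is still
    there when it lapses, a new block is issued immediately."""
    blocks = []
    blocked_until = 0
    for minute, volume in enumerate(live):
        if minute < blocked_until:
            continue                       # port already blocked for this minute
        threshold = baseline[minute] * factor
        if volume > threshold:
            blocks.append((minute, minute + block_minutes))
            blocked_until = minute + block_minutes
    return blocks


def blocked_request_count(live, blocks):
    """Requests that fell into blocked windows: the cost of the decision,
    which includes any genuine visitors during those minutes."""
    return sum(sum(live[s:e]) for s, e in blocks)


if __name__ == "__main__":
    base = build_baseline()
    day = build_live_day(base)
    found = detect_blocks(base, day)
    print("block windows (minute of day):", found)
    print("requests dropped:", blocked_request_count(day, found))
```

The flood at 05:00 produces three back-to-back ten-minute blocks, the 20:00 burst one block, and the 10:00 surge none; the dropped-request total shows the genuine traffic that is lost in the minutes after the flood stops but before the block lapses.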

References
  • Crosman, P. (2014). DDoS attacks are still happening — and getting bigger. American Banker, 179(116), 9-9.
  • Kerner, S. M. (2014). DDoS attacks strike Feedly and Evernote. eWeek, 3.
  • McGARVEY, R. (2013). DDoS growing; CUs unprepared (cover story). Credit Union Times, 24(39), 1-15.
  • Mansfield-Devine, S. (2014). The evolution of DDoS. Computer Fraud & Security, 2014(10), 15-20. doi:10.1016/S1361-3723(14)70541-X
  • Newswire, P. (2014). Global DDoS prevention market 2014-2018. PR Newswire US.
  • Newswire, P. (2014). First dynamic DDoS mitigation service launched by ISP. PR Newswire US.
  • Newswire, P. (2014). Protecting your business from a DDoS attack. PR Newswire US.
  • Olivero, A. (2014). DDoS attacks at all-time high worldwide: Prolexic report. American Banker, 179(8), 17.
  • Perry, J., & Costigan, S. S. (2012). Cyberspaces and global affairs. Burlington, VT: Ashgate.
  • Sterling, B. (2002). The hacker crackdown: Law and disorder on the electronic frontier. IndyPublish.com.
  • Ziccardi, G. (2012). Resistance, liberation technology and human rights in the digital age. Springer Netherlands.
