Introduction
Distributed Denial of Service (DDoS) attacks are designed to prevent or degrade online services.
This blog post will explain, in extremely basic terms, a specific type of attack called a Reflection/Amplification DDoS Attack. This post is not intended to serve as a comprehensive technical guide, but merely a relatively non-technical overview for the novice. We will try to avoid jargon and explain it where we have no alternative.
Motivations
The Underground Economy (UE) is a term used to describe the massive communications and economic infrastructure used by criminals who engage in crime against, and facilitated by, the Internet and its users.
Primarily designed for financial crime, transactions seen in the UE generally tend to shy away from DDoS attacks, after all ‘nobody makes any money if you break the Internet’. However, DDoS attacks clearly do occur, for some of the following reasons:
Revenge –attacks against a rival, typically to take that person’s shell2 or home connection offline, traditionally part of petty disputes on Internet.
Demonstration – DDoS attacks normally utilize botnets: networks of computers that are all infected with the same virus that are all under the control of one person. DDoS attacks can be used to prove the size and power of a botnet before it is rented or sold in the UE. Many apparently motiveless attacks have been demonstrations with a victim picked essentially at random.
Extortion – a favorite of many Organized Crime groups, DDoS attacks on e-commerce, and legitimate online gambling sites in particular, can yield ransoms of a few tens of thousands of dollars in exchange for allowing the victim site to resume business. Interviews with perpetrators now in prison have confirmed that they will ignore potential victims who ignore their demands and move onto new targets in the hope of engaging in negotiations with them.
Competitive advantage – DDoS services can be rented to take a competitor’s website offline, causing lost business or embarrassment and forcing current or potential customers to use a rival who can often claim plausible deniability for any attack.
Collateral damage – often many thousands of sites will be hosted on the same server and IP address. An attack on one site will have the effect of taking them all offline. Due to the topology of the Internet, huge attacks will often cripple companies that provide connectivity, well before the attack even reaches the final intended target. Routers can be attacked just as websites and end users can be, resulting in connectivity issues for perhaps millions of users that the attacker had no reason to want to impact.
Combination attacks – one that is only theoretical at this stage, but involving a conventional attack in the real world (bank robbery…) that also disrupts communications links to cause panic and hinder first responders.
Political attacks – now a mainstay of all conventional conflicts, these attacks often involve regular, otherwise law abiding, Internet users or the re-tasking of botnets that are normally engaged in conventional UE activities. These attacks often impact IP addresses in geographic regions or the IP space used by specific function within a government, to further a political cause. Protest attacks are also generally considered to be a form of political attack.
A real ddos attack: Last week our partner reached out to us about a behavior inside his network. After investigation we found that his network under ddos attack: 2 waves of attacks targeting his network. The first wave reach 3.22gb/s and the second wave reach 2.88 gb/s.