TLP WHITE. Denial of service attacks: what you need to know

Transcription

1 Denial of service attacks: what you need to know

2 Contents Introduction... 2 What is DOS and how does it work?... 2 DDOS... 4 Why are they used?... 5 Take action... 6 Firewalls, antivirus and updates... 6 Use specialised equipment... 6 Seek advice and share experience

3 Introduction TLP WHITE Denial of service (DOS) attacks and distributed denial of service (DDOS) attacks are disrupting business and costing the UK immeasurable amounts of revenue from disrupted services and follow-on attacks. This paper will explain what is meant by DOS/DDOS and how this type of attack works, examine why an attacker might choose to launch such an attack and the effect that it might have. Finally, some general guidelines will be provided that may help to mitigate any DOS attacks. What is DOS? A denial of service attack, often referred to as a DOS attack, is a method of stopping a website or service from running. The outcome of this may be causing a website to stop displaying content, or preventing a system that operates on the Internet from working properly. DOS attacks can range in duration and may target more than one site or system at a time. It becomes a distributed DOS, referred to as DDOS, when the attack comes from multiple computers (or vectors) instead of one, as is the case in DOS. A server, or anything connected to the Internet, works by passing data to and from multiple devices in a network, known as nodes. However, each node can only handle a certain amount of traffic the amount of data being passed between nodes. This happens millions of times a second on the Internet 1 but when traffic gets busy, data rates slow down. A good example of this is Black Friday or Cyber Monday, where millions of people attempt to buy gifts online but can be greeted with error messages rather than the webpage they expect to see. This is because the amount of traffic is too great for the host to handle and so it simply can t serve each user. There needs to be a two-way communication in order for the customer to be able to interact with the website, but the host has stopped responding because its resources are being completely used up by others

4 The communication between (for example) a laptop and a website is happening in the background without the user s interaction. There are many ways devices communicate on the Internet 2, and this means that there are many different ways in which an attacker can disrupt these services. Many different types of DOS/DDOS attacks exist, all working for slightly different purposes, but the goal is always to deny the service, by overloading it. How does it work? When a user clicks to load a webpage, a three-way handshake begins between the user and the server hosting the webpage, much like making a phone call. A user calls up the webpage to initiate a conversation; the webpage answers ( hello? ) and the user responds ( hello, it s [name]... ), after that the two participants can converse freely, knowing that each party is active. The diagram shows this handshake between computer and server annotated with their associated flag (SYN and ACK, standing for synchronise and acknowledge). The flags are what is actually communicated by the devices. This process is happening millions of times a day for more popular sites and so the servers that host those sites are designed to handle lots of traffic. A small independent company s website however, might be hosted on a server that can t handle as much traffic

5 The SYN flood The three way handshake can be maliciously manipulated in order to create an excessive amount of traffic for the server. An attacker can repeatedly send out the first step to initiate the handshake (SYN) but then not respond to the server once it communicates back (SYN-ACK). Because the server is waiting for the third step (ACK) it is using up resources. When the server then receives what it thinks is another user trying to start a conversation it dedicates a small amount of resources to keeping that session open. If this step is repeated thousands of times then the server is making room for thousands of sessions but with no one actually using them. The attacker continues to create traffic until the server can t handle any more resulting in no legitimate users being able to log on. Failure to connect to a website can be for any number of legitimate reasons, the Internet connection may have temporarily dropped for example, but this will persist in the event of a DOS attack. The message seen by most is ERROR 404 PAGE NOT FOUND and this is the computer telling the user that, because it has not been able to complete the handshake with the desired service, it is unable to display the content. The attack described here, known as a SYN flood, is only one example of many different types of attack. Other types of DOS/DDOS have the purpose of creating an overload for a system. In the SYN flood it is an overload of processing when trying to deal with the amount of traffic. There are many different types of data protocol 3 used on the Internet which, in turn, can be used to form different types of flood attack. Other attacks can overload the bandwidth of a network, which is the amount of data that can be sent and received. DDOS A DDOS attack differs in that a malicious actor can attack from different sources using multiple devices, known as attack vectors, in order to bring down the victim site or server. This makes DDOS more suitable to attackers who want to deny more sophisticated services to sites that may be hosted on multiple servers, such as an application. Because more computing power will be required in order to create a successful attack, multiple computers will be used, though they might not necessarily belong to the attacker. In what would be only a small part of a complicated attack, the DDOS would be controlled by the attacker s machine but using (potentially hundreds) of other machines via the Internet. These extra machines would have been infected with malicious software 4 previously and specifically so that they could be remotely activated to launch an attack and the computer s owner won t even know that it is being used in a DDOS attack

6 Once a computer is infected with malware so it can be used in a DDOS, the machine is then referred to as a zombie and a network of zombie machines is known as a botnet 5. Why are they used? It is illegal to launch a DOS or DDOS attack, but their use has increased in the UK 6. While the criminal aspect of these attacks is apparent to many, the motivation is not always clear. Several high profile attacks occurred in 2014, notably the raised profile of the Lizard Squad hacking group that brought down Sony and Microsoft gaming services on Christmas Day 7, the reason for which one alleged member stated was for laughs 8. Denying an Internet service could have severe consequences for many different types of organisation. In 2007 and 2010 respectively, Estonia and Burma suffered DDOS attacks from a botnet known as Conficker 9. Both attacks used so many machines that Burma was almost entirely cut off from the Internet for more than ten days ahead of an election. Estonia suffered compromised financial institutions and government communications networks were forced to use radio for a brief period. Creating an overwhelming amount of traffic Estimated potential cost of a DDOS attack can also be a cover for a different type of cyber-attack altogether. An investigation after a DOS attack will examine the logs that automatically collect data about connections to and from servers. The DOS will create many thousands of logs thus making the real attack vector extremely difficult to find. Committing a DOS/DDOS attack however is not difficult. An Internet search will detail step by step guides for those with even limited technical ability, and for those with none, it is possible even to pay for an attack, with costs dependant on duration and ranging from minutes to weeks. A company may even be contacted and then ransom the return to normal service. In 2013, almost 30% of reported DDOS attacks cost their victims in excess of $100,000 per hour 10. Many DDOS attacks are not even politically or commercially motivated but rather a personal test of skill to the hacker or even a show of force. In 2000, a 15-year-old Canadian boy brought down the world s most popular search engine and several other websites including Amazon and Yahoo causing an estimated $1.7bn in damages. In February 2014, what was thought to be the biggest DDOS attack in history targeted the content delivery network of online security company, Cloudflare 11. This attack utilised a major timing protocol using a tool that was found in hacking circles only six months prior to the event $100,000 per hour 5

7 Mitigation advice It is important to note that some companies legitimately offer services of DOS/DDOS attacks for network testing purposes. The simulation of attacks can help to find weaknesses and test responses and business continuity plans. While this may not be proportionate for small and medium enterprises, there are other defences that may be suitable. Firewalls, antivirus and updates CERT-UK recommends the use of an appropriate firewall and antivirus software (which should be updated regularly). New vulnerabilities are constantly being discovered and so a system s defences are only as good as the day they were updated. A culture of safety and good housekeeping should be encouraged as per the UK government s 10 Steps to Cyber Security 12. Think about your servers Smaller companies might lease servers to host their business platform. Whether this is the case or not, consideration should be made to the configuration of servers and it should be clearly stated what resources an application can access and how the server will respond to requests from clients. Not only does strong configuration of servers help to reduce the risk from other cyber-attacks, it may actually ensure continued service during some types of DDOS attack 13. Use specialised equipment A DOS attack often utilises legitimate traffic and so badly designed firewalls will allow all the traffic through because the firewall itself is only concerned with content and not quantity. Intrusion detection systems (IDS) can provide a capability to detect when valid protocols are being used as an attack vehicle and IDS, in conjunction with firewalls, can also monitor traffic levels and automatically block certain traffic. Specialised equipment can often require installation and monitoring by trained professionals and it is possible to procure services for business needs. It is important however that these needs be scaled in line with the business risk linked to the website or service you are trying to protect and independent advice should be sought. Seek advice and share experience Network defence can be a daunting prospect to understand. DOS is just one of many threats to businesses in the UK and globally. CiSP contains groups and spaces where users can share and receive information about specific vulnerabilities and events, such as DOS/DDOS attacks. Members can post in forums and request advice and help from the community while sharing experiences

8 Summary DOS attacks are a significant threat to many online services that are used every day and can cost businesses significant amounts in lost revenue. They can often be a cover for a different kind of cyber-attack, most notably theft from networks. Organisations of all sizes, including small and medium sized enterprises, should take this threat seriously and are recommended to follow the mitigation advice in this paper. With greater cyber awareness and better working practices, the threat from DOS attacks can be reduced and make the UK a safer place in which to be online. 7

9 A CERT-UK PUBLICATION COPYRIGHT