The Evolving Face of DDoS Attacks

By Unknown Tuesday, April 8, 2014
Black Lotus delivers award winning DDoS protection ranging from full network defense to website and server protection, 24/7/365. Learn more by visiting http://www.blacklotus.net or call (866) 477-5554.

By Jerry Whitehead III, re-posted by Jeffrey Lyon
How the popular form of cyber-attack has grown since its infancy

Few would have thought that the actions of a young, aspiring computer enthusiast (15 years old, to be exact), working predominantly alone from Canada, would forever change the face of cyber security as we know it. And although that may sound hyperbolic, it’s absolutely true – a young hacker named Michael Calce (better known by his online alias, Mafiaboy) single-handedly took down some of the largest websites in the world using Distributed Denial of Service (DDoS) attacks. His exploits put DDoS attacks on the international stage and gave the term meaning to the public at large.

But that’s not to say that Mafiaboy’s attacks were the beginning of DDoS – earlier attacks were simply confined to extremely computer-savvy circles and unknown to most people on the planet. Let’s take a look back at the history of Denial of Service type attacks and how they have evolved from their earliest stages into the behemoths they have become today.

Most DDoS attacks prior to around 2000 weren’t even DDoS attacks at all – they were Denial of Service (DoS) attacks, meaning that the traffic sent to try and overload a site or network originated from a single source. The “Distributed” in DDoS means that the traffic is being sent from many different sources, making DDoS attacks much more dangerous and difficult to trace.

One of the first and simplest DoS attacks leveraged Internet Control Message Protocol (ICMP) ping flooding. ICMP is one of the basic components of the Internet Protocol Suite, which is essentially the set of rules and guidelines that dictate how the Internet works. It uses small bits of data, known as packets, to send messages across the network about basic operations (such as a new computer joining a network). As far back as 1989, nefarious computer experts realized that if they could access a site’s network (which was much easier back then), they could take advantage of ICMP and send numerous packets to the host using the flood option of ping, which sends packet after packet without waiting for a response from the target. The inbound packets would take up precious bandwidth, and it was made worse if the host responded with outgoing packets, which would take up even more bandwidth.

One of the first DoS attacks to have the “Distributed” put in front of it came in September of 1996, when New York City Internet Service Provider (ISP) Panix.com was attacked. The hackers used the SYN flood method to completely overwhelm Panix’s web, mail, and news servers. SYN stands for SYNCHRONIZE and is an important part of how users connect to websites – the user sends a SYNCHRONIZE request, which the host answers with a SYN-ACK, or SYNCHRONIZE-ACKNOWLEDGE. The user then replies with an ACKNOWLEDGE message and the connection is established. During a SYN flood attack, malicious users overwhelm the server with SYN requests but never send the final ACKNOWLEDGE message. The server will wait for some time for that ACKNOWLEDGE, holding each half-open connection in the meantime, while legitimate users are also requesting connections. Before too long, the connections become maxed out and service to real users is denied. During the Panix.com attack, hackers were sending approximately 150 SYN requests per second and were using spoofed Internet Protocol (IP) addresses, making them appear as if they were coming from everywhere and therefore impossible to block.

Although DoS attacks started to shift into DDoS, they were still mostly relegated to the most educated among computer hackers. That changed in 1997 when Trinoo (or Trin00) was released – the first downloadable program designed specifically to implement DDoS attacks. Trinoo allowed a single hacker to infect numerous computers that could later be used at his or her disposal. Once access to a network was gained, Trinoo automatically compiled a list of vulnerable machines on the network. The hacker then had to make only a few clicks and all infected computers would flood a single host (or website) with User Datagram Protocol (UDP) packets. This is a similar method to the ICMP attack described above, but it is less straightforward and requires the host to send a response packet, which takes up even more bandwidth.
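The three flood types described above (ICMP ping floods, the Panix-style SYN flood, and Trinoo-style UDP floods) share a defender-side signature: a sudden per-second volume of inbound packets to one host, and for SYN floods, handshakes that are started but never completed. The following Python detector is an added example written for this post; it is not code from the original article or from Black Lotus. The packet-summary line format it parses is constructed for the example (it is not tcpdump's real output), the addresses come from the RFC 5737 documentation ranges, and the thresholds are assumptions a real deployment would tune. The sample capture reuses the post's Panix figure of about 150 SYNs per second from spoofed addresses.

```python
"""Rate-based flood detection over constructed packet-summary lines (added example)."""
from __future__ import annotations

import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed record format (assumption for this example, not any tool's real output):
#   <seconds> <proto> <src_ip> <dst_ip> [<tcp_flags>]
# proto is one of icmp-echo, udp, tcp; tcp_flags is S (SYN), SA (SYN-ACK) or A (ACK).
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<proto>icmp-echo|udp|tcp)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)(?:\s+(?P<flags>S|SA|A))?$"
)

# Pure-volume floods: the packet itself is the load, no handshake to inspect.
VOLUME_PROTOS = {"icmp-echo": "icmp_echo_flood", "udp": "udp_flood"}

TARGET = "198.51.100.10"  # constructed: the protected host (RFC 5737 documentation range)


@dataclass(frozen=True)
class Packet:
    ts: float
    proto: str
    src: str
    dst: str
    flags: str  # empty string for non-TCP records


def parse_line(line: str) -> Packet | None:
    """Parse one record; malformed lines are skipped rather than crashing the detector."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Packet(float(m["ts"]), m["proto"], m["src"], m["dst"], m["flags"] or "")


def detect_floods(lines, target: str, pps_threshold: int = 100,
                  completion_ratio: float = 0.2, window: float = 1.0) -> list[dict]:
    """Flag per-window floods of inbound traffic to `target`.

    ICMP echo and UDP floods are flagged on volume alone (more than pps_threshold
    packets per window). A SYN flood needs volume plus the half-open signature the
    post describes: most SYN senders never follow up with an ACK, and because the
    sources are spoofed there are nearly as many distinct addresses as SYNs.
    """
    by_window: dict[int, list[Packet]] = defaultdict(list)
    ack_sources: set[str] = set()  # every source that completed a handshake in the capture
    for line in lines:
        pkt = parse_line(line)
        if pkt and pkt.dst == target:
            by_window[int(pkt.ts // window)].append(pkt)
            if pkt.proto == "tcp" and pkt.flags == "A":
                ack_sources.add(pkt.src)

    findings: list[dict] = []
    for w in sorted(by_window):
        pkts = by_window[w]
        counts = Counter(p.proto for p in pkts)
        for proto, kind in VOLUME_PROTOS.items():
            if counts[proto] > pps_threshold:
                findings.append({
                    "kind": kind, "window": w, "pps": counts[proto],
                    "distinct_sources": len({p.src for p in pkts if p.proto == proto}),
                })
        syn_sources = [p.src for p in pkts if p.proto == "tcp" and p.flags == "S"]
        if len(syn_sources) > pps_threshold:
            completed = sum(1 for s in syn_sources if s in ack_sources)
            ratio = completed / len(syn_sources)
            if ratio < completion_ratio:
                findings.append({
                    "kind": "syn_flood", "window": w, "syn_pps": len(syn_sources),
                    "completion_ratio": round(ratio, 3),
                    "distinct_sources": len(set(syn_sources)),
                })
    return findings


def build_sample_capture() -> list[str]:
    """Constructed capture: a quiet second, an ICMP ping flood, then a SYN flood."""
    lines = []
    # Window 0: two ordinary clients completing handshakes, one ping, one UDP packet.
    for i, client in enumerate(("192.0.2.7", "192.0.2.8")):
        lines.append(f"0.{i}00 tcp {client} {TARGET} S")
        lines.append(f"0.{i}50 tcp {client} {TARGET} A")
    lines.append(f"0.300 icmp-echo 192.0.2.7 {TARGET}")
    lines.append(f"0.400 udp 192.0.2.9 {TARGET}")
    # Window 1: ping flood from a single source, the 1989-style attack in the post.
    for i in range(200):
        lines.append(f"{1 + i / 200:.3f} icmp-echo 203.0.113.200 {TARGET}")
    # Window 2: ~150 SYNs per second from 150 spoofed addresses that never ACK,
    # plus one legitimate client that does complete its handshake.
    for i in range(150):
        lines.append(f"{2 + i / 150:.3f} tcp 203.0.113.{i + 1} {TARGET} S")
    lines.append(f"2.500 tcp 192.0.2.7 {TARGET} S")
    lines.append(f"2.520 tcp 192.0.2.7 {TARGET} A")
    return lines


if __name__ == "__main__":
    for finding in detect_floods(build_sample_capture(), TARGET):
        print(finding)
```

Running the script reports an `icmp_echo_flood` in window 1 from a single source and a `syn_flood` in window 2 with 151 SYNs, 151 distinct sources and a handshake completion ratio near zero. The completion ratio is what separates a busy but healthy server from a SYN flood: a legitimate traffic spike shows many SYNs that are followed by ACKs, while the flood's spoofed sources never answer. A fixed packets-per-second threshold is deliberately crude; in practice it would be set relative to the host's baseline.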

Following in Trinoo’s footsteps, the Low Orbit Ion Cannon (LOIC) is a program designed specifically for coordinated DDoS attacks. LOIC has been used in some of the most high-profile DDoS attacks on record, including: taking down the Church of Scientology site and affiliate sites (known as Operation Chanology, named after the popular message board 4chan); taking down the Recording Industry Association of America (RIAA); taking down the sites of high-profile entities that opposed WikiLeaks and Julian Assange’s beliefs (known as Operation Payback); and taking down several government sites (US Department of Justice, US Copyright Office, the FBI) after the shutdown of the popular file sharing site MegaUpload (known as Operation Megaupload).

While the methods of DDoS have changed only slightly, they are all based on basic rules of the Internet Protocol Suite that can be exploited – all types of DoS and DDoS attacks essentially max out the capacity of a given site or network, which knocks it offline and denies service to everyone. What has continued to change, even on a seemingly weekly basis, is the size and scope of these DDoS attacks. For example, let’s take a look at the Panix.com attack, which knocked out the largest NYC-based ISP for days. Those SYN packets (which at the attack’s peak were being sent about 150 times per second) are only 60 bytes in size. That means the Panix.com attack was sending data at a rate of 9,000 bytes (or 9 kilobytes) per second, per attacker. That was quickly dwarfed by multiple megabyte per second attacks, and by 2000, the world saw its first ever gigabyte per second DDoS attack.

That exponential growth in DDoS attack size should be alarming, especially considering that in early 2014, DDoS attacks were regularly breaking the 200 Gbps mark, peaking at a whopping 400 Gbps in several attacks. So while the methodology might not be changing radically, the magnitude of the attacks most certainly is. Businesses and networks are constantly adding bandwidth, not only to accommodate legitimate users but also to make their sites harder to knock offline via DDoS attacks. But with attacks exceeding 400 Gbps, bandwidth is going to give out at some point – dedicated DDoS protection is the only way to truly safeguard against these new, massive attacks.