DDoS: The Sharpest Tool in the Hacktivist's and the Nation State's Armory
Introduction
In an era of always-on connectivity, protesters can make a strong statement against an organisation by bringing down its information infrastructure. It is something that can make front-page news, and it becomes the equivalent of protesting from afar, with very little chance of being traced.
Today, users of the BBC site were greeted with an HTTP 500 response (see below), and all of the BBC's related sites went off-line for over three hours. While the site was back by 10:30am, many assumed that it was a technical problem similar to the one that brought the site down in 2014. In this case it seems that it was another DDoS (Distributed Denial of Service) attack. At present there are no details of the source of the attack, but hacktivism could be one explanation.
A recent DNS attack and an attack on the Janet network have highlighted an increasing trend of deliberate DDoS attacks against critical infrastructure [here], and many experts feel that we are heading towards an era of cyber warfare [here].
Recently, too, as a protest against the St. Louis County Police's involvement in the killing of the unarmed teenager Michael Brown in Ferguson, Missouri, there was a DDoS (Distributed Denial of Service) attack on the police Web site, which brought the site down for several days. Overall it made a strong statement, and one that the authorities could do little about. Along with this, the group responsible, who declared links to Anonymous, stated that they had hacked into the St. Louis County Police network and gained access to dispatch tapes from the day of the shooting, which they then uploaded to YouTube.
It can be Nation States too ...
As we have seen in Russia's suspected cyber attack on Web sites in Estonia, and in the Arab Spring uprising, the Internet is playing an increasing part in conflicts around the world. Thus, as we move into an Information Age, the battlefield of the future is likely to be in cyberspace, and it will also be the place where nation states struggle to control news outlets.
Recently the Syrian Electronic Army (SEA), a pro-Assad group of "hacktivists", managed, despite limited resources, to compromise one of the leading news agencies in the world. It wasn't even the first time: the group had already attacked the agency several times before, not to mention its other attacks on the Financial Times, the Washington Post, the New York Times and the Associated Press.
A recent example revolves around the usage of encrypted messaging applications. While WhatsApp has been getting much of the press in the UK, it is Telegram which is currently the focus of attention in East Asia. Telegram integrates into mobile phone applications through API calls, and serialises messages into a binary stream. It then encrypts the communications before sending them over the network using a range of transports (Figure 1), including Web transports (HTTP or HTTPS) and raw network transports (TCP and UDP).
Figure 1:
Telegram has seen a surge in adoption of its service since Park Geun-hye (the South Korean President) announced that users could be prosecuted for insulting or rumour-mongering messages, including those sent through private messaging systems. In the past two weeks alone, Telegram's service has seen a three-fold increase in sign-ups.
Since Friday, the Asia Pacific server cluster for Telegram has been under a massive DDoS attack, which has caused a slow-down for users in South East Asia, Oceania, Australia and India. Speeds of up to 200Gbps have been measured, using a "Tsunami" SYN flood (a SYN flood in which each SYN packet carries a large data payload, so that it consumes bandwidth as well as connection state). This attack is difficult to stop as it uses infected servers as the hosts of the attack, and these are distributed across many different Cloud infrastructures, including the Amazon EC2 Cloud (Figure 2). It is thought that 95% of users can still access the service, and that the 5% who cannot are concentrated in East Asia.
Two possible sources are government agents or competitors trying to bring down Telegram's network. At present, Telegram is blocked in China, but some traffic is still being generated from the country. It is also seen as "anti-Government" by the authorities there, and human rights lawyers who used the service were arrested on Friday. The Chinese state media has since described the lawyers and activists as part of a major criminal gang. The lawyers arrested include Wang Yu and Zhou Shifeng.
Figure 2:
Sony's problems
Gaming networks such as Steam, the Sony PlayStation Network and Microsoft Xbox Live are under continual attack from adversaries, as their systems are sensitive to disruption and are more exposed than most. They are thus a target both for user account breaches and for DDoS (Distributed Denial of Service).
In November 2011, Sony was involved in a possible breach of the credit card details of over 35 million users after intruders gained access to a user database. The database included usernames, salted passwords, email addresses, game purchases and encrypted credit card details. It is not thought that the intruders were able to compromise the credit card details, as these were encrypted.
Before this, Sony had suffered a major hack which brought down their PlayStation Network. It followed Sony's legal action against George Hotz, who had released the encryption keys for the PlayStation 3 console: a massive DDoS attack brought down the network in April 2011, and later in the month over 77 million records were breached. Sony then announced that the network was safe, but a few days after this a further 24.6 million records were breached.
In August 2014, Sony's PlayStation Network, Microsoft's Xbox Live, Blizzard's Battle.net and Grinding Gear Games were severely disrupted by a DDoS attack, which coincided with a bomb scare on an American Airlines flight with John Smedley, the president of Sony Online Entertainment, on board. Before the flight, he had been tweeting about Sony's plans for combating large-scale DDoS, and that he was about to board the plane.
And then, on 25 December 2014, Lizard Squad was pinpointed as the likely source of a major DDoS attack on the PlayStation Network and Xbox Live. Sony has also been involved in a major data breach, with the CEO being a key target.
Why is DDoS so successful?
This year (2015) has actually seen more DDoS attacks than ever before, with a doubling of high-end attacks over the year and over 100 attacks peaking at more than 100Gbps. The largest attack so far was against a Spanish site, where NTP (Network Time Protocol) servers were used to bombard the Web infrastructure. In this attack the intruder sends small requests from compromised hosts to NTP servers (typically the "monlist" command, whose reply lists up to 600 recent clients and so is many times larger than the request), but forges the target's address as the source address of each request, so the servers send their large replies to the target. Overall, the protocols used on the Internet were not designed with security in mind, and UDP gives a server no way to check that the source address on a request is genuine, so a reply can be directed to an address other than the one that actually made the request. This specific attack peaked at 154.69Gbps, which is more than enough to bring any network down. The goal is to exhaust networked resources: the interconnected devices, the bandwidth of the connections to the Internet, and the CPU of the servers.
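The following Python script is an added example, not code from the original article, that makes the amplification arithmetic concrete. It builds the 8-byte mode 7 "monlist" request that an attacker would send with a spoofed source address, constructs the reply packets as ntpd lays them out (an 8-byte header followed by 72-byte entries, six entries per 440-byte packet, at most 600 entries), and computes how many bytes the reflector delivers to the victim per byte the attacker sends. Nothing is transmitted: the exchange is simulated with constructed data, and the packet-size constants and the IPv4+UDP header overhead of 28 bytes are the example's own assumptions about ntpd's wire format.

```python
"""NTP mode 7 'monlist' request/reply layout and the amplification it yields.

Added example, not part of the original article. No packets are sent; the
exchange is simulated with constructed data that follows ntpd's private-mode
(mode 7) format: an 8-byte header, and monlist replies that carry up to 6
entries of 72 bytes each (440 bytes per packet, up to 100 packets).
"""
import struct

IMPL_XNTPD = 3            # implementation number that ntpd answers to
REQ_MON_GETLIST_1 = 42    # the 'monlist' request code
ITEM_SIZE = 72            # bytes per monlist entry
ITEMS_PER_PKT = 6         # ntpd packs 6 entries into one 440-byte reply
MAX_ENTRIES = 600         # monlist remembers at most 600 recent clients
IP_UDP_HDR = 28           # IPv4 (20) + UDP (8) header bytes on each packet


def build_monlist_request() -> bytes:
    """The 8-byte request an attacker sends with the victim's address as source.
    byte 0: response=0, more=0, version=2, mode=7 -> 0x17
    byte 1: auth=0, sequence=0
    byte 2: implementation, byte 3: request code
    bytes 4-7: err/nitems and mbz/item size, all zero in a request."""
    return struct.pack("!BBBBHH", 0x17, 0x00, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0)


def parse_mode7_header(pkt: bytes) -> dict:
    """Decode the 8-byte mode 7 header shared by requests and replies."""
    if len(pkt) < 8:
        raise ValueError("mode 7 packet shorter than 8 bytes")
    b0, b1, impl, code, err_nitems, mbz_size = struct.unpack("!BBBBHH", pkt[:8])
    return {
        "response": bool(b0 & 0x80),
        "more": bool(b0 & 0x40),
        "version": (b0 >> 3) & 0x07,
        "mode": b0 & 0x07,
        "sequence": b1 & 0x7F,
        "implementation": impl,
        "request_code": code,
        "error": err_nitems >> 12,
        "nitems": err_nitems & 0x0FFF,
        "item_size": mbz_size & 0x0FFF,
    }


def build_monlist_reply(nitems: int, sequence: int, more: bool) -> bytes:
    """One constructed reply packet as ntpd would emit it (entries zero-filled)."""
    b0 = 0x80 | (0x40 if more else 0x00) | (2 << 3) | 7
    hdr = struct.pack("!BBBBHH", b0, sequence & 0x7F, IMPL_XNTPD,
                      REQ_MON_GETLIST_1, nitems, ITEM_SIZE)
    return hdr + b"\x00" * (nitems * ITEM_SIZE)


def simulate_monlist_exchange(n_entries: int):
    """Return (request, [replies]) for a server that has n_entries recent clients."""
    n_entries = max(0, min(n_entries, MAX_ENTRIES))
    replies, seq, remaining = [], 0, n_entries
    while remaining > 0:
        n = min(ITEMS_PER_PKT, remaining)
        remaining -= n
        replies.append(build_monlist_reply(n, seq, more=remaining > 0))
        seq += 1
    return build_monlist_request(), replies


def amplification_factor(request: bytes, replies, on_wire: bool = True) -> float:
    """Bytes the reflector sends to the spoofed victim per byte the attacker sends.
    on_wire adds the IPv4+UDP headers, which is what the victim's link carries."""
    extra = IP_UDP_HDR if on_wire else 0
    sent = len(request) + extra
    received = sum(len(r) + extra for r in replies)
    return received / sent


def attacker_bandwidth_for(target_gbps: float, factor: float) -> float:
    """Gbps the attacker's bots must emit to land target_gbps on the victim."""
    return target_gbps / factor


if __name__ == "__main__":
    req, replies = simulate_monlist_exchange(MAX_ENTRIES)
    f = amplification_factor(req, replies)
    print(f"{len(req)}-byte request -> {len(replies)} replies of {len(replies[0])} bytes")
    print(f"amplification on the wire: {f:.0f}x")
    print(f"attacker traffic for a 154.69 Gbps flood: {attacker_bandwidth_for(154.69, f):.3f} Gbps")
```

For a fully populated monlist the script reports a 1300x amplification on the wire (5500x at the UDP payload level), which is why a botnet emitting well under a gigabit per second can produce the 154.69Gbps peak described above. Real servers typically hold fewer than 600 entries, so the measured factor is lower; disabling mode 7 queries (`disable monitor`, or `restrict ... noquery` in ntp.conf) removes the reflector entirely.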
The reason that DDoS is often successful is three-fold:
- Difficult to differentiate between good and bad traffic. The Internet was built on some extremely simple protocols, which were not designed with security in mind, so it is extremely difficult to differentiate good traffic from bad. Normally organisations throttle back when they are under attack, by not accepting new connections and waiting for the existing connections to be released.
- Tracks are obfuscated. In a reflection attack, the reflecting server becomes an intermediate device, and it is difficult to trace the actual source of the attack. With networks such as Tor, the intruder can further hide their tracks.
- Zombie nodes used in the attack. There are many compromised hosts on the Internet, including those infected by the Zeus botnet. Each of these can be controlled and used to attack the target.
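As an added example (not from the original article), the following Python script shows how these three points look in practice when all a defender has is flow records. No single packet can be classed as good or bad, but in aggregate a SYN flood shows up as a high share of half-open connections to one service from very many sources, and a reflection attack shows up as large UDP replies from well-known reflector ports that no outbound request explains. The flow records are constructed, and their field layout (source, source port, destination, destination port, protocol, OR'd TCP flags, bytes) is the example's own assumption loosely modelled on NetFlow/IPFIX.

```python
"""Spotting SYN-flood and reflection traffic in flow records.

Added example, not part of the original article. FLOWS is constructed sample
data, not captured traffic; the record layout is an assumption modelled on
NetFlow/IPFIX, where tcp_flags is the OR of every flag seen in the flow, so
"SPAF" is a completed session and a bare "S" is a half-open connection.
"""
from collections import defaultdict

# (src, sport, dst, dport, proto, tcp_flags, bytes)
FLOWS = [
    ("10.0.0.5", 51000, "203.0.113.10", 443, "tcp", "SPAF", 4200),
    ("10.0.0.6", 51001, "203.0.113.10", 443, "tcp", "SPAF", 3100),
    # a legitimate NTP exchange: our host asked 192.0.2.1, and 192.0.2.1 answered
    ("203.0.113.10", 40000, "192.0.2.1", 123, "udp", "", 48),
    ("192.0.2.1", 123, "203.0.113.10", 40000, "udp", "", 48),
]
# SYN flood: 200 spoofed sources, one SYN each, the handshake never completes
FLOWS += [(f"198.51.100.{i % 250 + 1}", 40000 + i, "203.0.113.20", 443, "tcp", "S", 60)
          for i in range(200)]
# NTP reflection: 30 reflectors each delivering 100 monlist replies of 440 bytes
# to a host that never sent them a request
FLOWS += [(f"192.0.2.{i + 10}", 123, "203.0.113.20", 80, "udp", "", 440 * 100)
          for i in range(30)]

REFLECTOR_PORTS = {123, 53, 19, 1900, 161}  # NTP, DNS, chargen, SSDP, SNMP


def syn_flood_suspects(flows, min_syn=100, min_ratio=0.9):
    """Per (dst, dport): how many TCP flows never got past SYN, and from how many
    sources. Each SYN looks legitimate; the aggregate half-open ratio gives it away."""
    stats = defaultdict(lambda: {"syn_only": 0, "total": 0, "bytes": 0, "srcs": set()})
    for src, _sport, dst, dport, proto, flags, nbytes in flows:
        if proto != "tcp":
            continue
        s = stats[(dst, dport)]
        s["total"] += 1
        if "S" in flags and "A" not in flags:
            s["syn_only"] += 1
            s["bytes"] += nbytes
            s["srcs"].add(src)
    suspects = {}
    for key, s in stats.items():
        ratio = s["syn_only"] / s["total"]
        if s["syn_only"] >= min_syn and ratio >= min_ratio:
            suspects[key] = {
                "syn_only": s["syn_only"],
                "ratio": ratio,
                "distinct_sources": len(s["srcs"]),
                # a 'Tsunami' SYN flood shows up here as hundreds of bytes per SYN
                "avg_syn_bytes": s["bytes"] / s["syn_only"],
            }
    return suspects


def reflection_suspects(flows, min_reflectors=10, min_bytes=1_000_000):
    """UDP traffic from well-known reflector ports that no outbound request explains.
    The 'sources' it finds are the reflectors, not the attacker, who stays hidden."""
    requested = {(src, dst, dport) for src, _, dst, dport, proto, _, _ in flows if proto == "udp"}
    agg = defaultdict(lambda: {"bytes": 0, "reflectors": set()})
    for src, sport, dst, _dport, proto, _flags, nbytes in flows:
        if proto != "udp" or sport not in REFLECTOR_PORTS:
            continue
        if (dst, src, sport) in requested:
            continue  # our host asked this server, so the reply is solicited
        agg[dst]["bytes"] += nbytes
        agg[dst]["reflectors"].add(src)
    return {dst: {"bytes": a["bytes"], "reflectors": len(a["reflectors"])}
            for dst, a in agg.items()
            if len(a["reflectors"]) >= min_reflectors and a["bytes"] >= min_bytes}


if __name__ == "__main__":
    print("SYN flood:", syn_flood_suspects(FLOWS))
    print("Reflection:", reflection_suspects(FLOWS))
```

Note what the reflection check does and does not give you: it identifies the 30 reflectors, which are themselves victims of the spoofed requests, and says nothing about who sent those requests. That is the second point above in practice, and it is why the response is usually to rate-limit or blackhole traffic from reflector ports at the edge rather than to chase the source.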
A cause or a fight?
Organisations need to understand that there are new risks in the Information Age, and new ways to distribute messages, especially for those who are skilful enough to disrupt traditional forms of dissemination. Thus hacktivism can become a threat to any nation state or organisation (Figure 3).
Figure 3: Security is not just technical, it is also Political, Economic, and Social
The important thing to note about hacktivism is that the viewpoint on the hacktivist will often reflect the political landscape of the time, and that time itself can change this viewpoint. While Adolf Hitler and Benito Mussolini are still rightly seen as agents of terror, Martin Luther King and Mahatma Gandhi are now seen as freedom fighters. Viewpoints thus change, and for some the hacktivist can have the image of a freedom fighter.
Figure 4: Hacktivism
Big v Little
The Internet gives a voice to everyone, and there are many cases of organisations and nation states upsetting groups around the world, who have then successfully rebelled against them. In 2012, Tunisian Government web sites were attacked because of WikiLeaks censorship, and in 2011 the Sony PlayStation Network was hacked after Sony said they would name and shame the person responsible for jailbreaking their consoles (Figure 5). Just because you are small on the Internet doesn't mean you cannot have a massive impact. Sony ended up losing billions from their share price, and lost a great deal of customer confidence.
Figure 5: Hacktivism examples
HBGary Federal
The HBGary Federal example is the best one in terms of how organisations need to understand their threat landscape. Aaron Barr, the CEO of HBGary Federal, announced that he would unmask some of the key people involved in Anonymous, and contacted a host of agencies, including the NSA and Interpol. Anonymous responded with a message saying that he shouldn't do this, as they would go after the company. As HBGary were a leading security organisation, they thought they could cope with this and went ahead with the threat.
Anonymous then searched around the HBGary Federal CMS, and found that a simple request to one of its PHP pages, of the form:
https://www.hbgaryfederal.com/pages.php?pageNav=2&page=27
could be crafted (the page parameters were passed to the database without proper validation, a SQL injection) to dump the complete database of usernames and hashed passwords for the site. As the passwords were not salted, it was an easy task to recover the original passwords: hashes are not reversed, but every candidate password can be hashed once and compared against the whole table at the same time. Their targets, though, were Aaron Barr and Ted Vera (the COO), each of whom used weak passwords of six letters followed by two digits, which are easily broken.
Now that they had login details, Anonymous moved on to other targets. Surely the two executives wouldn't have used the same password for their other accounts? But when Anonymous tried, they could get access to a whole range of their accounts using the same password (including Twitter and Gmail). This gave Anonymous access to gigabytes of R&D information. They then noticed that Aaron was the administrator of the company's Gmail account, and so gained access to the complete email system, which included the email system for the Dutch Police.
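The following Python script is an added example, not code from the original article or from HBGary, that demonstrates the two weaknesses in the password store described above and the fix for them. The article says only that the hashes were unsalted and that the passwords were six letters plus two digits, so unsalted MD5 is assumed for the weak scheme; the "leaked" usernames and hashes are constructed, and the demonstration crack uses a reduced three-letter-plus-one-digit pattern so that it runs in seconds (the real pattern's size is computed alongside it).

```python
"""Why unsalted hashes of short patterned passwords fall quickly, and what fixes it.

Added example, not part of the original article. MD5 is assumed for the weak
scheme (the article only says the hashes were unsalted); the leaked table
below is constructed, not real data.
"""
import hashlib
import hmac
import itertools
import os
import string

LETTERS = string.ascii_lowercase
DIGITS = string.digits


def pattern_keyspace(n_letters: int = 6, n_digits: int = 2) -> int:
    """Candidates in the '<n letters><n digits>' shape the two executives used."""
    return len(LETTERS) ** n_letters * len(DIGITS) ** n_digits


def seconds_to_exhaust(guesses_per_second: float, n_letters: int = 6, n_digits: int = 2) -> float:
    """Worst-case time to try the whole pattern at a given guessing rate."""
    return pattern_keyspace(n_letters, n_digits) / guesses_per_second


def weak_hash(password: str) -> str:
    """The broken scheme: one unsalted, fast hash per password (MD5 assumed)."""
    return hashlib.md5(password.encode()).hexdigest()


def candidates(n_letters: int, n_digits: int):
    for letters in itertools.product(LETTERS, repeat=n_letters):
        for digits in itertools.product(DIGITS, repeat=n_digits):
            yield "".join(letters) + "".join(digits)


def crack_unsalted(leaked: dict, n_letters: int, n_digits: int) -> dict:
    """leaked maps username -> unsalted hash. Nothing is 'reversed': each candidate
    is hashed once and compared with every leaked hash at the same time, which is
    exactly what a missing salt allows. Returns username -> recovered password."""
    by_hash = {}
    for user, h in leaked.items():
        by_hash.setdefault(h, []).append(user)
    cracked = {}
    for pw in candidates(n_letters, n_digits):
        h = hashlib.md5(pw.encode()).hexdigest()
        if h in by_hash:
            for user in by_hash.pop(h):
                cracked[user] = pw
            if not by_hash:
                break
    return cracked


def strong_hash(password: str, salt: bytes = b"", iterations: int = 600_000):
    """The fix: a random per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256).
    The salt means one pass over the pattern cracks at most one user, and the
    iteration count makes every guess cost hundreds of thousands of hashes."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify(password: str, salt: bytes, digest: bytes, iterations: int = 600_000) -> bool:
    """Constant-time comparison so the check itself leaks nothing."""
    return hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations), digest)


if __name__ == "__main__":
    # Constructed 'leak' using a reduced 3-letter + 1-digit pattern so it runs in
    # seconds; the real 6+2 pattern has pattern_keyspace() candidates.
    leaked = {"ceo": weak_hash("abc1"), "coo": weak_hash("xyz9"), "staff": weak_hash("abc1")}
    print(crack_unsalted(leaked, 3, 1))
    print(f"{pattern_keyspace():,} candidates; ~{seconds_to_exhaust(1e9):.0f} s at 10^9 guesses/s")
    salt, digest = strong_hash("abc1")
    print(verify("abc1", salt, digest), verify("abc2", salt, digest))
```

Two things to take from the run: the unsalted table is cracked for all users in one pass, and two users with the same password ("ceo" and "staff") fall together because their hashes are identical, whereas with a per-user salt the same password gives two unrelated digests. The six-letter-plus-two-digit pattern has about 3.1 x 10^10 candidates, which at a GPU rate of 10^9 MD5 guesses per second (an assumed figure for illustration) is exhausted in about half a minute.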
Figure 6: Access to email and a whole lot more.
Finally they went after the top security expert: Greg Hoglund, who owned HBGary. They sent him an email from within the compromised Gmail account, posing as a system administrator and asking for confirmation of a key system password, and Greg replied with it. Anonymous then went on to compromise his accounts, which is a lesson for many organisations. While HBGary Federal has since been closed down, due to the adverse publicity around the hack, the partner company (HBGary) has gone from strength to strength, with Greg giving visionary presentations on computer security around the world.
Figure 7: Greg's compromise.
Conclusions
A key factor in these types of attacks is that, when an organisation is not prepared, the complete infrastructure can fall like a house of cards. In Ferguson, the email system also went off-line for a while, and to protect themselves from data leakage, they took down all personal information from their site.
The protection of IT infrastructures against DDoS is extremely difficult, and organisations need to understand how they will cope with these types of attacks. Along with this, many organisations are even more proactive, and actively listen to the "buzz" around hacking events on the Internet in order to put mitigation methods in place. Often it's a matter of riding out the attack, enabling new network routes and virtualised devices to absorb it while it happens.
Overall it is a difficult debate, and one person's cause is another's fight, but the technological challenge remains. It is one of the most difficult faced by IT architectures, and is often costly to deal with.
Comment from a reader (BCS Influence Board | Forensic Scientist | Cyber Awareness Evangelist | Expert Witness (Digital Evidence) | Doctoral Candidate | Visiting Lecturer, Sheffield Hallam Uni), 9 years ago:
Here is a question: if you respond to someone who is spamming you with a DDoS attack, should it be self defence or a violation of the Computer Misuse Act?