CAO Website Hit by DDOS Attack Yesterday

Yesterday I talked briefly about the college course application process.  This is managed by a government organization called the CAO.  Students can find out about their college course offers via a website, or later via the post.

The website in question was a victim of a DDOS attack yesterday, the day the announcements were posted online. 

A DDOS (distributed denial of service) attack is a coordinated attack that makes use of compromised PCs from around the world.  These PCs are infected with trojan downloaders.  A DDOS client is downloaded and installed.  The DDOS client receives instructions from an IRC channel or a website on a regular basis.  The entire architecture is referred to as a botnet.  There are many such botnets in the world, some containing a few hundred machines, some a few thousand, some with hundreds of thousands of DDOS clients, and it’s rumoured that there are some with millions of machines under their control.

The owners of these botnets will sell their services or even access to parts of the botnet.  The botnets can be easy to use; there are even online videos to train you in the use of a simple GUI command console.

Together, even a few hundred bots (or DDOS clients) can fire an amazing amount of traffic at a web server or online presence.  These requests can be valid, or they can be simple TCP connect handshakes that aren’t completed by the client (a SYN attack).  The recipient server or intermediary network appliances can be overwhelmed.  A TCP connect table can be filled, a CPU can be driven to 100% utilization, or a network connection can be filled.

The motive for an attack can be varied.  Sometimes it is a practice run: an attacker will go after a small target to verify the system works before hitting a bigger target.  It can be a case of blackmail: an email will be received by the victim soon after the attack starts, demanding payment to cease the attack.  Sometimes it is a case of someone getting their jollies for bragging rights, e.g. “I took down XYZ!!!” on some blackhat forum.  It can even be a case of corporate espionage (this does happen!).  And it can be political: Al Jazeera was allegedly hit not long after the George W. Bush & Tony Blair Iraq war.  There is talk of Georgia being hit during their troubles with Russia a few years ago.

A past customer of mine was once hit.  They were a small business.  It started on a Sunday with a SYN attack.  The web servers couldn’t deal with it.  We configured the network appliances to deal with it by reducing the TCP handshake timeout.  All was well for a few hours.  Then the attacker simply increased the size of the attack.  The network appliances were overwhelmed and we had to implement filters to block all attempts to reach the web servers.
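The two paragraphs above describe the mechanism (a SYN attack filling the server's TCP connect table) and the first mitigation we tried (reducing the TCP handshake timeout).  The following is an added example, not code from the original post or from the customer's network gear: it replays constructed handshake events against a small model of a server's half-open (SYN_RECV) table and reports the peak occupancy and how many SYNs, legitimate and flood, the table had to refuse.  The addresses (203.0.113.5 for the real client, 198.51.100.x for the bots), the flood rate, the table size of 256 and the two timeouts are all assumptions chosen for the illustration; real systems have different defaults.

```python
"""Replay constructed TCP handshake events against a model of a server's
half-open (SYN_RECV) connection table, to show why a SYN flood fills the
table and what shortening the handshake timeout changes.  Added example;
all traffic, addresses and sizes are constructed, not taken from the post."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts_ms: int    # arrival time in milliseconds (constructed timestamps)
    src: str      # client IP address
    sport: int    # client source port
    flags: str    # "S" = SYN from client, "A" = ACK that completes the handshake


def build_traffic():
    """Constructed sample: one legitimate client that completes every handshake,
    plus a flood of SYNs (never followed by an ACK) from 50 bot addresses."""
    pkts = []
    legit = "203.0.113.5"
    for k in range(20):                       # one real connection per second
        pkts.append(Packet(k * 1000 + 510, legit, 50000 + k, "S"))
        pkts.append(Packet(k * 1000 + 570, legit, 50000 + k, "A"))
    for i in range(500):                      # 50 SYN/s between t=5s and t=15s
        src = f"198.51.100.{i % 50 + 1}"
        pkts.append(Packet(5000 + 20 * i, src, 40000 + i, "S"))
    return pkts


def replay(packets, timeout_ms, table_size):
    """Model the half-open table.  Returns (peak occupancy, SYNs refused per source)."""
    pending = {}                  # (src, sport) -> SYN arrival time (a SYN_RECV entry)
    peak = 0
    refused = defaultdict(int)
    for p in sorted(packets, key=lambda p: p.ts_ms):
        # Entries older than the handshake timeout are reclaimed before anything else.
        for key, t0 in list(pending.items()):
            if p.ts_ms - t0 > timeout_ms:
                del pending[key]
        key = (p.src, p.sport)
        if p.flags == "S":
            if len(pending) >= table_size:
                refused[p.src] += 1       # table full: this SYN is dropped
                continue
            pending[key] = p.ts_ms
            peak = max(peak, len(pending))
        elif p.flags == "A" and key in pending:
            del pending[key]              # handshake completed -> ESTABLISHED
    return peak, dict(refused)


def uncompleted_syns(packets):
    """Detection view: per source, how many SYNs were never followed by an ACK."""
    opened = defaultdict(set)
    for p in packets:
        if p.flags == "S":
            opened[p.src].add(p.sport)
        elif p.flags == "A":
            opened[p.src].discard(p.sport)
    return {src: len(ports) for src, ports in opened.items() if ports}


def suspects(packets, threshold=5):
    """Sources whose count of uncompleted handshakes reaches the threshold."""
    return sorted(src for src, n in uncompleted_syns(packets).items() if n >= threshold)


if __name__ == "__main__":
    traffic = build_traffic()
    for timeout in (60_000, 3_000):
        peak, refused = replay(traffic, timeout, table_size=256)
        flood_refused = sum(v for s, v in refused.items() if s != "203.0.113.5")
        print(f"timeout {timeout / 1000:g}s: peak half-open {peak}, "
              f"legit SYNs refused {refused.get('203.0.113.5', 0)}, "
              f"flood SYNs refused {flood_refused}")
    print("sources with >=5 uncompleted handshakes:", len(suspects(traffic)))
```

With the 60 second timeout the 256-entry table fills part way through the flood and every later SYN, including the real client's, is refused; with a 3 second timeout the same flood only ever holds around 150 entries and the real client gets through.  The post's next paragraph is the catch: the attacker only has to raise the SYN rate to put the shorter-timeout case back over the table size, and the per-source view in `suspects` is only useful while the bot addresses are few enough to block.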

This attack went after the URL of the website in question.  Changing the IP address of the server would make no difference (and it didn’t – the customer demanded it was done).  Changing the location of the server would make no difference.  Distributing the website across servers in many locations might have worked for a while … until the DDOS attack grew in size once again.  The customer thought about buying a dedicated DDOS prevention appliance.  Nice idea but:

  1. They are not perfect.  They have false positives (blocking legitimate connections and losing online customers) and they also allow a certain amount of attack traffic through.
  2. The appliance will start out by handling the attack.  This requires network, memory, and CPU resources.  The attacker can simply grow the attack with a few mouse clicks and the spend of a few Euros or Roubles.  This will cause one of those resources to become a bottleneck and the website is offline once again.

These _very_ expensive appliances cannot grow to match the capabilities of a DDOS attack at the same pace or even the same price.

What hope is there?  Only the most serious of attacks will last more than 3 days.  I know, 3 days is an eternity in the online world.  There are certain *ahem* professionals out there who can trace the botnet coordinator and DDOS it.  That will terminate an attack.  You can pay the ransom … but that means the attacker knows you are desperate enough to pay.  Pay once and you might pay again and again.  You can call the authorities but that might do little for you.  If the botnet is rented or it’s a relatively small attack then it will probably end after 3 days because that appears to be the normal period to rent a botnet.  That’s what I was told by a security expert when my old customer was hit.  Sure enough, the attack ended after 3 days.

The only real defence I can see is an IDS (intrusion detection system) that is hosted and maintained by your ISP.  This has to be a massive system.  The bad news is that gaining access to these systems is very expensive.  The configuration is a pain for the admins.  Some schemes will initiate the IDS for your IP addresses when you inform the ISP of an attack, taking a short while for the defence to kick in.  Some are online all of the time but you risk false positives with legitimate traffic being filtered.

What about the CAO?  A consultant that was quoted in the article said:

“This is something every website is vulnerable to. There is not really anything they can do short of spending huge sums of money on extra servers in differing places around Ireland,”

The computer says “no!”.  Sorry, but if an attack is hitting a URL then it doesn’t matter where you move the site to or how you load balance it.  Eventually the DNS record TTL will expire and the attack will commence on the new location.  Load balancing just scales out your system, and a DDOS will scale out much quicker and more economically than you can.  The attackers aren’t idiots.  Even if you do successfully come up with alternative URLs, they can update their attack instructions in seconds.

He said hackers usually go after more high-profile sites such as Amazon or eBay.

The computer says “no!”.  The Irish media reported that there was a spate of attacks on small Irish businesses earlier this year.  They were ransom attacks, i.e. “we’ll stop the attack if you pay us”.  The Irish police and an associated research unit confirmed the story.  We don’t hear about these attacks because companies are embarrassed.  They see them as a breach of security (they aren’t).  We only hear about these attacks when they are visible, i.e. big attacks that might take down a Twitter, an Amazon, or the CAO.

Unfortunately, DDOS is a result of the fairly trusting nature of the basics of Internet technology.  Firewalls, IDS appliances, and all that stuff can only do so much.  You can do your bit to reduce the risk by ensuring that your computers are up to date with patches every month.  This vastly reduces the risk of being infected with a trojan downloader.
