DDoS attacks, also known as distributed denial of service attacks, are one of the oldest internet cyberweapons used today by everyone from hacktivists and governments to disgruntled video game players and thrill-seekers purely for personal enjoyment.
The attacks disrupt access to web sites and servers or take them offline completely by using co-opted online resources such as zombie PCs and servers or Internet of Things (IoT) bot networks that flood and overwhelm victims with online traffic.
“If you want to take a network off the Internet, the easiest way to do it is with a distributed denial-of-service attack,” says security researcher Bruce Schneier.
“These attacks are not new: hackers do this to sites they don’t like, and criminals have done it as a method of extortion. There is an entire industry, with an arsenal of technologies, devoted to DDoS defense.
But largely it’s a matter of bandwidth. If the attacker has a bigger fire hose of data than the defender has, the attacker wins.”
Although individual and group motivations may differ, DDoS attacks share the same objective: flood a target server or servers with internet traffic until its internet services are no longer operational.
DDoS targets range from individuals to government organizations and businesses such as e-commerce sites, banks, stock exchanges, credit bureaus, gaming sites or internet service providers.
The motivations and psychology behind DDoS attacks vary. They span financial or economic benefits, revenge, ideological beliefs, cyberwarfare or even solely personal enjoyment.
Large-scale DDoS cyber attacks tend to be the result of group efforts with a specific goal or agenda in mind, as opposed to the work of individual actors.
The majority of DDoS cyber-attack psychological motivations fall into several categories:
DDoS attacks consist of three major phases and involve four kinds of participants, according to researchers: an attacker; one or more control “master” or handler computers; many compromised “slave” computers, also called bots, agents or zombies, which together form a botnet; and a victim or target machine.
In the first phase of a DDoS attack, hackers take control of network-attached computers, called “masters” or “handlers,” which are used to control the other machines that will ultimately execute the DDoS attack.
Creating a network of handlers and attack machines is an automated process where hackers scan the internet for computers or Internet of Things devices that can be compromised, usually with malware.
When the desired number of compromised machines is reached, hackers start the second attack phase. The aggregate set of compromised machines, called a botnet, is loaded with the instructions and commands needed to launch an attack from the network of zombie computers.
In the final DDoS phase, hackers direct the botnet to execute the attack or attacks on victim machines. The distributed nature of the attack sends massive amounts of internet traffic to the victim’s system or online resources that in turn disrupts or slows down the intended target’s services.
Spoofed or fake source IP addresses hide the identities of the compromised devices, making it harder for victims to filter out the malicious traffic or trace the attack back to its source.
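A defender-side illustration of the point above, added here and not part of the original article: when the flood is spread across many (possibly spoofed) sources, a per-source request threshold never fires, while an aggregate per-second threshold still does. The access-log lines, IP addresses and thresholds below are all constructed for the example.

```python
"""Bucket web-server access-log lines by second and compare two detection rules."""
import re
from collections import Counter, defaultdict

# Matches the source IP and the timestamp (to the second) of a combined-format log line.
LINE_RE = re.compile(r'^(\S+) - - \[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})')

def _line(ip, sec):
    # Helper to build a constructed log line; nothing here is real traffic.
    return f'{ip} - - [01/Jan/2024:12:00:{sec:02d} +0000] "GET / HTTP/1.1" 200 512'

# Constructed sample: second 00 is normal, second 01 is a distributed flood
# (40 sources, 2 requests each), second 02 is one noisy source (25 requests).
SAMPLE_LOG = (
    [_line(f"10.0.0.{i}", 0) for i in range(1, 4)]
    + [_line(f"198.51.100.{i}", 1) for i in range(1, 41)] * 2
    + [_line("203.0.113.7", 2) for _ in range(25)]
)

def parse_line(line):
    """Return (source_ip, timestamp) or None for lines that do not parse."""
    m = LINE_RE.match(line)
    return (m.group(1), m.group(2)) if m else None

def window_stats(lines):
    """Per-second buckets mapping timestamp -> Counter of requests per source IP."""
    buckets = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, ts = parsed
            buckets[ts][ip] += 1
    return buckets

def classify(lines, aggregate_threshold=50, per_source_threshold=20):
    """Map each second to a verdict. The per-source rule only catches a hot
    single source; the aggregate rule catches the distributed case in which
    every individual source stays well under the per-source limit."""
    verdicts = {}
    for ts, counts in sorted(window_stats(lines).items()):
        total, hottest = sum(counts.values()), max(counts.values())
        if hottest >= per_source_threshold:
            verdicts[ts] = "single-source flood"
        elif total >= aggregate_threshold:
            verdicts[ts] = "distributed flood"
        else:
            verdicts[ts] = "normal"
    return verdicts

if __name__ == "__main__":
    for ts, verdict in classify(SAMPLE_LOG).items():
        print(ts, verdict)
```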
The threat landscape of today is constantly opening up new opportunities for attackers to take advantage of the latest internet-connected devices and cloud technologies to launch even more massive DDoS attacks.
These new attacks have also gotten easier to execute with zombie botnets able to take down large corporations or government entities.
The latest attack vector is physical access control systems installed in places including corporate headquarters, factories, or industrial parks. “Hackers are actively searching the internet and hijacking smart door/building access control systems, which they are using to launch DDoS attacks,” according to firewall company SonicWall.
Hackers are now scanning the internet for exposed Nortek Security & Control (NSC) Linear eMerge E3 devices and exploiting one of the ten newly discovered vulnerabilities, according to SonicWall.
The devices’ primary purpose is to control which doors and rooms employees and visitors can access based on their credentials (access codes) or smart cards, so a hijacked device can also be used to block or disrupt access to physical buildings.
To counter the popularity and accessibility of DDoS attacks as a tool for non-technical attackers, security researchers and law enforcement agencies regularly track and take down malicious web services offering for-profit DDoS-as-a-Service, which has weaponized for the masses what was once done only by sophisticated hackers.
Through so-called “booter” or “stresser” sites, cybercriminals market and sell attack-for-hire services that can be easily purchased online. According to Cloudflare, “Booters are slickly packaged as SaaS (Software-as-a-Service), often with email support and YouTube tutorials.
Packages may offer one-time service, multiple attacks within a defined period, or even “lifetime” access. A basic, one-month package can cost as little as $19.99. Payment options may include credit cards, Skrill, PayPal or Bitcoin (though PayPal will cancel accounts if malicious intent can be proved).”
And security journalist Brian Krebs says “Booter sites are dangerous because they help lower the barriers to cybercrime, allowing even complete novices to launch sophisticated and crippling attacks with the click of a button.”
DDoS-as-a-Service provides yet another attack vector for non-technical users to use for cybercrime, revenge, hacktivism, enjoyment or even cyberwar.
Finally, a DDoS attack can also be merely a tool for distraction. Hosting company LiquidWeb claims that “while your security team is distracted mitigating the denial of service attack, the party responsible is free to go after what they actually want – whether it is financial information, intellectual property, or client data.”
If, as LiquidWeb states, DDoS attacks are the “equivalent of driving a bus through the front door of a bank while an associate tunnels into the bank vault from below,” then organizations must be vigilant about their IT security and take an approach that makes securing the network edge against all attacks a top priority.