An analysis of DDoS attack methodologies

DDoS is a popular attack methodology for a variety of reasons. Firstly, it is not difficult – or at least the difficult part has usually been done by someone else. It is not ‘hacking’ per se – it doesn’t require high technical skills. It is usually undertaken via a botnet. This could be a criminal botnet hired for the attack; or it could be a collective of like-minded people (as used by Anonymous) operating as a willing botnet. In all cases the intent is to consume the target’s resources, whether that’s bandwidth to reach the target or the CPU resources of the target. Once those resources have been consumed, the target becomes unavailable to legitimate users and denial of service is achieved.

Imperva’s Denial of Service Attacks:  A Comprehensive Guide to Trends, Techniques and Technologies provides a detailed analysis of the different techniques and tools available and used, and illustrates them with a variety of recent case studies. In particular, it analyzes three primary and freely available DDoS tools: Mobile LOIC, SlowHTTP (which includes Slowloris), and railgun.

The report then goes on to discuss ways of recognizing DDoS traffic so that it can be mitigated. “DDoS can gridlock enterprise resources to a halt, just like traffic on the highway, but organizations can mitigate these effects by learning how to identify and protect against malicious traffic,” explains Tal Be’ery, one of Imperva’s senior web researchers.

However, one of the most interesting parts of the story is in the section ‘The Economy of DDoS’. “Taking down a site can be monetized by malicious attackers in several ways,” says the report, “such as by extortion (‘pay me or I’ll take down your site’). In the same vein,” it continues, “DoS attacks have also become industrialized, and can be purchased as a service from professionals.” It is even advertised, both openly and covertly on the internet – one particular advert can be found on YouTube.

Most people associate DDoS with hacktivism and Anonymous – and indeed the case studies discussed by Imperva are all in this category. In general, the public knows about these attacks because publicity is a prime motivator, and Anonymous always claims ownership. What isn’t clear from the analysis is the extent of ‘commercial’ DDoS attacks, whether undertaken by criminals for extortion or companies for competitive advantage over competitors. In both of these cases, the avoidance of publicity is important. What it means, however, is DDoS is not merely politically motivated, nor limited to large corporations.

This in turn means that the section on DDoS attack detection becomes an important element for all companies, large or small.

What’s Hot on Infosecurity Magazine?