It took just one university student late last year to knock the world’s most prominent and modern technology companies offline and to drag large chunks of the internet to a crawl.
Yet most people will know the attacks by their malware name, Mirai, rather than the 20-year-old Rutgers University student alleged to have weaponised millions of internet-of-things devices to launch the world’s largest distributed denial of service attacks.
It is thanks to Mirai and the once raucous Anonymous hacktivists that denial of service attacks have become an essential threat metric in government risk assessments, often chalking-up top spots as the most damaging attacks against critical state systems dependent on maintaining online connectivity such as internet voting platforms.
Distributed denial of service (DDos) attacks are not new, but they’re not a static concept either. They are sometimes a direct attempt to bring down a site, or more often a diversion to mask other malicious behaviour.
And DDos attacks are certainly not easily conquered. Rather, DDos is a highly dynamic threat that epitomises the cat-and-mouse asymmetry of digital defence where attackers facing a wall will regroup, rethink, and re-route.
Risky business
The severity of a denial of service attack is judged often by size and technological novelty, but all are a serious risk to the reputation of businesses and government agencies.
Mirai, for example, made headlines for subverting some of the lowest-powered devices to clock record-shattering distributed denial of service attacks that exceeded 600 gigabits per second (Gbps), and tipped 1000 Gbps in so-called dual attacks against major hosting provider OVH. Prior to this attack a “mega” attack was considered to be anything above 100 Gbps.
Others have used vulnerable technologies to get more bang-for-buck, inflating what would otherwise be small attacks into significant threats. Here are NTP (network time protocol) amplification attacks, WordPress pingback attacks, and other lo-fi miscreancy which turn tiny traffic requests into prodigious floods that combine to overwhelm websites and online assets.
Denial of service attacks also come in different flavours and using a variety of different attack approaches (e.g. reflective amplification attacks, wordpress pingbacks, slowloris) all of which present unique technological threats that can easily overwhelm small distributed denial of service attack prevention platforms.
Each of these harbours a very real risk of an unacceptable business impact that can leave critical web properties offline for as long as criminals see fit. Ransom demands for the cessation of attacks are routinely aimed at some businesses, notably those in banking and gaming sectors.
Government agency sites the world over are knocked offline by activists who use denial of service attacks as anonymous digital protest, sometimes to great effect during critical periods such as national elections, international disputes and census.
Hackers without borders: farewell to the firewall of distance
Evidence of the dynamic nature of distributed denial of service attacks can be seen in a revision of network intelligence statistics over recent months.
Much of the traffic targeting Australian infrastructure has traditionally come from overseas, with less fewer than one percent originating on Antipodean soil, according to statistics from network security stalwart Akamai.
But things are changing, and changing fast. From just after the Mirai US attack there has been a major lift in locally based malware and traffic coming from local internet devices.
Since December Akamai has reported a near tripling of the number of Australian IP addresses that participated in web attacks.
These figures are backed up by government data. According to Australian Communications and Media Authority data these peaked at three times the usual average in January and continued through February. Local malware reports echoed this rise in local IP activity.
These localised attacks effectively render dead simple traditional and common geoblocking defences that block traffic from specific countries in a bid to stop malicious traffic.
“Based on our analysis of recent attacks against Prolexic customers we can see that there is a dramatic increase in attack traffic that is generated within Australia,” says Akamai senior security specialist,
“ This has major implications for Australian ISPs, government entities and the corporate sector who have previously assumed that all attack traffic is international.”
ISP’s provide the front line of much of Australia’s cyber defences. “The challenge is that ISP’s only have very limited attack mitigation capacity,” says Akamai senior security specialist, Nick Rieniets “Until now they have survived by blackholing customers. This is no longer an effective strategy.”
Wolf in sheepskin
Launching attacks against Australia from within Australia makes sense, and the tactic is becoming more common outside of denial of service.
Infected devices within Australia serve as a beachhead from where attacks against a host of services can be launched without tripping traditional defences that would otherwise notice abnormal traffic from foreign countries.
All traffic from Russia, for example, could be excluded from accessing a business’ web properties if most of their customers hail from Australia. Security defences could alternatively be tuned to treat Russian traffic with additional suspicion.
Attackers realise this and, wanting to more effectively target Australians, have infected local devices to help fly under these defences.
Over the summer, Akamai has also seen a huge spike in attacks from infected Australian-based devices used in attempts to fraudulently log into online accounts.
This new tactic is a significant risk to companies that use defences which (quite logically) assume that attacks are more likely to come from offshore.
Password. Passw0rd. Password1.
The localised attacks are, however, only a fraction of the threat posed by credential abuse. All told, Akamai experts have this year found a staggering 30 percent of all login attempts are malicious, with hostile devices launching some 20 login attempts a day against the average website.
Credential guessing is an efficient, intelligent, and well-oiled operation. Here, huge dictionary word lists compiled using common words, cliches, and phrases, are paired with millions of the world’s most popular passwords to sharpen the cut-through power of password-guessing attacks.
The most popular passwords are real, and obtained from breaches of millions of accounts from the likes of Yahoo! and LinkedIn. Using these massive wordlists means attackers can avoid iterating through impossibly long combinations of possible passwords. They work smarter, not harder.
Lists that include email addresses with passwords make guessing even easier if victims have reused logins for different websites, as they so often do.
Akamai reports a staggering 167,000 active attack campaigns with the average involving 5000 malicious devices targeting 100,000 email accounts. The largest saw 200,000 devices attack 25 million email accounts in credential login attempts.
The largest banks, technology companies, and US Government agencies are abreast of these attacks, with many using robust defensive infrastructure in place to help differentiate between legitimate human users and compromised or malicious attackers, including hacked internet-of-things devices.
Those organisations have realised that the huge asymmetry in information security attacks will only sharpen as the number of internet-of-things devices increases.
It means that as more internet-enabled light bulbs, fridges, televisions and toys are built to satisfy consumer demand for functionality and connectivity at a cheaper price, opportunities abound for the next audacious hacker.
Welcome to the Internet of Threats.
