network background popup

The evolution of DDoS

Jul 10th 2010

Over the years DDoS has evolved from individual packet-throwing scripts to sophisticated operations with botnets continually reaching above the million-machine mark. As attack strength, methods and targets change so too does the command and control structure that feeds it. What were once basic single-machine scripts can no longer support the level of fine-grained control needed to orchestrate modern attacks and as more bot masters face prosecution they are increasingly looking towards protecting their anonymity.

The earliest denial of service attack tools, utilizing techniques such as ICMP flooding or SYN spoofing attacks (which are still used today) had no control structure at all, instead the user manually ran each tool usually through a remote session or backdoor. Early versions became almost trivially easy for administrators to spot unless very cleverly hidden. Slowly basic subterfuge evolved, such as port knocking and connecting back to an address instead of listening on a designated port, but the basic concept remained the same.

As more and more malware started packing DoS functionality into its payload, manually administrating thousands of boxes no longer became feasible. However, they couldn't simply spawn a shell on a listening port or risk connecting back to their home address, so instead they used a commonly used protocol as a proxy, IRC. Server settings and channel names would be hard-coded into the bot along with a series of commands so the attacker could simply log in and issue a command to thousands of bots. However, this new method posed a serious vulnerability, a savvy individual extracting the credentials out of a single bot could potentially take control of the entire network. In parallel to IRC, other malware writers started writing their own custom protocols to handle control traffic and used layers of compromised boxes that handed off commands to the next layer in order to obfuscate the attacker and also compartmentalize the network against reverse-engineering. This method had its own flaws, most obviously that the attack traffic and ports were obviously illegitimate and easier to sniff.

As the age of ‘Web 2.0’ ushered in completely cross-platform web applications for the world, it also brought forth the inception of the so-called ‘connection-less botnet’. Using basic IRC bots, started becoming less and less popular as researchers started reverse engineering and dismantling many large attack networks, and bot-filters started becoming commonplace in IRCDs. This also coincided with the rise of web-hacking, un-skilled attackers could basically grab public exploits, use Google to instantly find thousands of vulnerable hosts, upload pre-written scripts and have an assembled botnet without any technical knowledge at all. This changed the dynamic of DDoS completely, what was once mostly home computers running vulnerable software increasingly started to see the zombification of servers and data centers. Running as non-priviledged processes they did not need to use complex packet manipulation or exploit networking flaws, instead the large pipes that the compromised websites were hosted on would simply out-muscle the victim. This also afforded a layer of security as well, because both outgoing and incoming HTTP traffic was a lot more common and harder to sniff due to volume than IRC or custom protocols.

Social networking has opened up a goldmine of new traffic channels for botnets, which have already become increasingly reliant on corrupting legitimate data streams. As these types of websites are entirely geared towards disseminating information across computers they became a natural target. While the use of web-based remote-file-inclusion exploits dies down so too will the trend of the server botnets and attackers will start using the explosively expanding field of browser-based exploits to strengthen their home-user base. Social networking will also play a large role in this as a delivery platform to both acquire zombies and control them. They provide an enormous collection of non-computer savvy individuals whose computers can be easily infected, coupled with large amounts of personal information and the ability to selectively target victims. Steganography will become commonplace, commands can be hidden inside legitimate images, videos or even correct English sentences that will be posted on seemingly innocuous accounts. There are Twitter and Facebook botnets being routinely spotted in the lab and the wild, which have already done portions of these things. Besides the basic control mechanics, user-interfaces have become more complex and profiteering criminals are openly selling code to audiences who crack, modify and undersell the author, forcing them to adopt a business plan which makes them pay for technical support and upgrades. Along the way they are often back-door'd by opportunists wanting to steal from their competitors. DoS is no longer a hobby but an entire industry with botnets (and their software) being bought, rented and sold on a continual basis. Control structures have become very convoluted and finding the original traffic source on extremely compartmentalized multi-national networks is now virtually impossible.

Justin Chan

DOSarrest Security Analyst

Added By : Justin Chan

DDoS Article Categories