When DDoS Attacks Become Personal

Nov 20, 2007 | 5 mins
Data and Information Security

If you were a parent hit by the Hannah Montana ticket scandal, in which scalpers armed with programs that bought large numbers of tickets at lightning-fast speed grabbed tickets to resell later, or if you were a baseball fan trying to get tickets to the World Series games only to be greeted by three horrible words, “Internal Server Error”, you understand the power of the DDoS.

The DDoS, or DoS (drop the Distributed) if it is executed by just one person from one computer, is a growing threat as more and more of our commerce moves online. Attackers also use the DDoS to expose other vulnerabilities that only surface when servers are under high load.

DDoS attacks come in two flavors, legitimate and illegitimate. Legitimate DDoSes happen when many, many users try to access information or a resource on a server at the same time, for instance when tickets first go on sale for a concert. Illegitimate DDoSes occur when attackers take over the machines of hundreds or thousands of unsuspecting users through viruses, worms and spyware. When called upon, these infected computers can focus their processing cycles and, more importantly, their bandwidth on taking down their target.

We know that the scalpers going after the precious Hannah Montana tickets were using programs specially designed to grab tickets from the servers as quickly as possible, but it is difficult to say whether the ticket servers for the World Series were under an external attack. Since this is one of the biggest events of the year, millions of potential buyers is a reasonable number to hit the live servers. What isn’t difficult to say, however, is that there are hackers out there waiting to use this opportunity to steal innocent baseball fans’ personal information.

In the heat of the moment, buying tickets you know you may have only one chance to buy, people may forget to look for the SSL lock to ensure they are talking to who they think they are, so this frenzy really opens the user up to serious phishing and man-in-the-middle attack vectors. If users can reasonably expect more than one chance at these tickets, they can take their time on each page and look for signs of phishing: the SSL lock, the proper URL, and so on.

The DDoS is largely an arms race between the hackers who take control of machines through malware and the server administrators trying to keep their machines up and running under the spike in load. It is a good way for an attacker to get his foot in the door to find other security vulnerabilities. Much like a friend who has tried hard to lose an accent but finds it creeping back when he is tired or stressed, computer systems tend to show serious signs of weakness under a similar type of load.

People are starting to really hold these sites’ administrators’ feet to the fire in situations like this, and that’s great, because largely the change has to come from their end. Better use of CAPTCHA images is great, but ultimately there needs to be a more sophisticated defense. Application security while the server is under load needs to be tested by third-party assessors to verify the security of the system and to verify that the system is ready for such load.

So what are the fixes for such an attack, malicious or otherwise? Here’s a quick list that can help you to secure your systems against the DDoS:

  • Use proper logging systems – Techniques such as log throttling, write-only logs, and dedicated log servers can strengthen the retroactive security of a system. After a possible DDoS attack has occurred, the company will no doubt want to investigate the attack. An investigation is only possible if the correct level of logging has been used. Too much and the logs will quickly fill up, which could be the reason for the DoS in the first place. Too little and the logs will be worthless because they don’t contain enough information to catch the criminal.
  • Redundancy and Load Balancers – It is estimated that Google is able to serve 200 million requests per day (that’s more than 2,300 requests per second), and they do this through redundancy. Having great load balancers, firewalls and enough redundant servers behind them to deal with the load will help withstand the amount of traffic we all hope to have.
  • Security from within – DoS attacks leverage problems in the software that can bring a server to its knees. This type of attack targets infinite loops, buffer overflows, and other crashing bugs in software to stop a server from responding with a single request. Building your software with security and reliability in mind will help make sure this can’t happen to your software.
  • Good Security Audits – A good third-party security audit will help make sure that your software can withstand the barrage of requests at high-load times, and also helps make sure that the server doesn’t show further signs of weakness when load is high, such as being unable to load necessary encryption or logging libraries.
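The first bullet, log throttling that still leaves enough evidence for an investigation, is the one most easily shown in code. The following is an added example (not code from the article or its author): a token-bucket throttle in front of an append-only log sink that records how many lines it dropped, plus a small sweep over access-log lines that picks out the sources responsible for a flood. The log lines, addresses and thresholds are constructed for the example.

```python
import re
import time
from collections import Counter


# Constructed sample access-log lines (not from the article): one source
# hammering the ticket page, one ordinary visitor browsing seats.
def make_sample_lines():
    lines = []
    for i in range(50):
        lines.append(f'203.0.113.7 - - [20/Nov/2007:09:00:{i % 60:02d}] "GET /tickets HTTP/1.1" 200')
    for i in range(3):
        lines.append(f'198.51.100.2 - - [20/Nov/2007:09:00:{i:02d}] "GET /seats HTTP/1.1" 200')
    return lines


# Minimal common-log-format pattern: source, two dash fields, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match,
    so a malformed line never aborts the whole sweep."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def top_talkers(lines, threshold):
    """Count requests per source address and return the sources at or above
    `threshold`: the first thing an investigator wants after a flood."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            counts[rec["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


class ThrottledLog:
    """Token-bucket throttle for a log sink: at most `rate` lines per second
    on average, bursts up to `burst`. Dropped lines are counted and a summary
    line is written when capacity returns, so the gap is visible afterwards
    instead of silently missing. `clock` is injectable for testing."""

    def __init__(self, rate, burst, clock=time.monotonic):
        self.rate = float(rate)
        self.burst = float(burst)
        self.tokens = self.burst
        self.clock = clock
        self.last = clock()
        self.suppressed = 0
        self.lines = []  # append-only sink; in production this would be a remote log server

    def _refill(self):
        now = self.clock()
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def write(self, line):
        """Return True if the line was written, False if it was suppressed."""
        self._refill()
        if self.tokens < 1:
            self.suppressed += 1
            return False
        if self.suppressed:
            # One summary line costs the same token as the line it precedes.
            self.lines.append(f"[throttle] {self.suppressed} log lines suppressed")
            self.suppressed = 0
        self.tokens -= 1
        self.lines.append(line)
        return True


class ManualClock:
    """Deterministic clock for the demonstration and tests."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


if __name__ == "__main__":
    sample = make_sample_lines()
    print("sources over threshold:", top_talkers(sample, threshold=20))
    clock = ManualClock()
    log = ThrottledLog(rate=2, burst=5, clock=clock)
    for line in sample[:8]:
        log.write(line)
    clock.t += 1.0  # one second later the bucket has refilled two tokens
    log.write(sample[8])
    print("\n".join(log.lines))
```

The throttle deliberately counts what it drops: an investigator reading the log later sees “3 log lines suppressed” rather than an unexplained hole, which is the difference between a log that was throttled and one that simply ran out of disk.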

— Joe Basirico

Joe Basirico - Security Analyst. Joe studies security and develops tools that assist in the discovery of security vulnerabilities and general application problems. His primary responsibility at Security Innovation is to deliver security courses to software teams in need of application security expertise. He has trained developers and testers from numerous world-class organizations, including Microsoft, HP, EMC and Symantec. Joe is also responsible for participating in customer security process assessments as well as security engineering activities such as security design reviews, security code reviews, security testing and security deployment reviews. Joe holds a B.S. in Computer Science from Montana State University.

John Carmichael - Security Researcher. John leverages his strong lab development, programming and security process skills to deliver factual and useful training courses to testers and developers. John is a skilled software and Web developer with deep expertise in several different languages and environments. He has made many contributions to the open source software community by developing an open source structured drawing tool implemented in Python, testing several release candidates of the Sarge installer for the Debian Linux distribution, and writing a soon-to-be-released Windows OS crash analyzer product. John has a B.S. in Computer Science and Business Administration from the University of Vermont and is currently working toward an M.S. in Computer Information System Security from Boston University.