Monday, July 1, 2019

Denied: Impacts of the FBI’s DDoS Site Shutdown

Distributed Denial of Service (DDoS) attacks have become a serious threat to organizations and individuals alike. In these attacks, the attacker uses a collection of computers to attempt to overwhelm one or more targets. As long as the attacker has some asymmetry in their favor (more machines, amplifiers, protocol flaws, etc.), they can generate more traffic than the target(s) can cope with, rendering the targets unusable.

DDoS attacks have become increasingly common and cheap for several different reasons. The availability of cheap cloud computing and poorly-secured Internet of Things (IoT) devices makes it easy for attackers to control large botnets of attacking machines. Hackers have also developed and sold kits for easily creating botnets for DDoS attacks. As a result, the size of DDoS attacks is increasing, and the cost to rent a DDoS attack is relatively modest. 


Photo source: KrebsOnSecurity

Many organizations rely on their web presence as the main public face of their company, so the need for DDoS mitigation solutions is significant. Such a solution helps protect an individual company (and is essential for many organizations), but the United States Federal Bureau of Investigation (FBI) has also been doing its part to address the threat.

DoS for DDoSers 

In general, cybercrime is one of the most poorly regulated types of crime in existence. While law enforcement has had some notable successes, cybercriminals are generally fairly “safe” due to the limited number and limited international recognition of anti-hacking laws.

DDoS for hire sites operate in a gray area of the law by billing themselves as “stresser” services. The only difference between performing a DDoS attack and using a stresser is the target. It’s perfectly legal to stress test your own sites but illegal to attack other people’s sites. Since both of these activities involve using the exact same tools, DDoS for hire service providers can and do operate in the open.

However, in December 2018, the FBI took action against DDoS attackers by taking down fifteen different DDoS for hire websites. The FBI tested 20 different sites to determine if they actually provided DDoS services, selected 15 to target and disabled them in time for the holiday season. The timing was intended to coincide with a “high season” where people commonly hire DDoS services in order to impact other gamers taking advantage of the holidays to play.

The potential impacts of this DDoS site takedown are significant. While the affected sites are not the only venues for hiring DDoS as a service, they are among the most popular and well-known. Also, the FBI has charged three individuals for their roles in operating these sites, making it clear that the US government intends to take a stand against this type of attack.

Impacts to Date

Fast forwarding just a few months, it’s obvious that the FBI crackdown on DDoS for hire sites has had at least some impact on the DDoS for hire landscape. The threat level of DDoS attacks can be measured based upon two metrics – attack size and number – and the FBI crackdown had a positive impact on both.

The intensity of a DDoS attack is measured based upon the volume of attack traffic that the attacker is able to send toward the target. As a result of the crackdown, the average size of a DDoS attack dropped 85% compared to the same time the previous year. The maximum size of an attack also suffered a severe decrease, coming in 24% lower than previously. This likely indicates that these sites were the source of many high-volume attacks (causing the 85% drop when they were disabled), but other relatively high-powered sources were also available (since maximum size dropped only 24%).

The other main metric for evaluating DDoS attacks (number of observed attacks) also experienced a severe decrease as a result of the FBI crackdown. Compared to the previous year, the number of attacks was 11% lower. This likely indicates the market share that the disabled sites controlled. Many more sites likely exist and some DDoS botnets are privately controlled, making DDoS attacks still a significant threat.

The Future of DDoS

The FBI made a solid effort in the fight against DDoS attacks, and that effort has paid off. Even three months after the crackdown on sites offering DDoS for hire, the number and intensity of DDoS attacks had decreased when compared to the previous year.

However, DDoS attacks certainly haven’t gone away. Even at the time of that comparison, the drop in the number of attacks was only 11%. While this is an appreciable decrease (and the size of the average and largest attacks dropped even more), it means that many DDoS attacks are still occurring. Because hackers have easy access to cloud computing and vulnerable IoT devices, creating a botnet capable of DDoS attacks that can threaten an enterprise becomes easier by the day. For those without the technical expertise to build their own botnet, new services will pop up to replace those taken down by the FBI.

As a result, DDoS attacks are probably here to stay, and organizations need to take the appropriate steps to protect themselves. Deploying DDoS mitigation solutions is an important part of any organization’s cybersecurity strategy, and DDoS attacks are so easy to perform that anyone can be a target. The FBI is trying its best but is playing a cat-and-mouse game with hackers, so everyone also needs to do their part to protect themselves.
