
Understanding Weaponized DDoS Attacks

DDoS Attacks

Contributed by Rod Arthur

Modern cyber-attacks have become more sophisticated: the typical intrusion is now a multi-stage operation rather than infection by a single malware executable. DDoS (Distributed Denial of Service) capability has become a weaponized instrument, bundled into the same droppers that deliver ransomware as well as used for purely disruptive attacks against a target. Vectors that have been weaponized for DDoS include mobile devices, documents and browsers, with the current favorite being IoT (Internet of Things) devices. Weaponization is the second stage of the intrusion kill chain, the sequence an intruder follows to successfully attack a target. It consists of developing malicious code and pairing it with a deliverable carrier (a Word document, a PDF, etc.). The process can be simple or complex; the payload may be a trojan or any other executable that performs an action on the target device.

App-DDoS Attack

The intent of a DDoS attack is to saturate the target with useless traffic and so deny the availability of the services it provides. These attacks succeed because of the design of the internet: a mass of intertwined networks, services, content distribution networks and DNS operated by governments and private corporations, any of which can unknowingly become a participant in a large-scale DDoS. The March 2015 Great Cannon attack turned millions of web browsers into attack sources by injecting malicious JavaScript into unencrypted TCP flows transiting Chinese network infrastructure; the injected code silently instructed each browser to request pages from the target over and over, producing a massive flood of HTTP requests. The Great Cannon was an Application Layer Distributed Denial of Service (App-DDoS) attack. App-DDoS ranges from high-volume request floods of that kind to stealthy "low and slow" techniques, which are hard to detect precisely because they generate little traffic. An application layer attack can be launched effectively from a single source, but launched in a distributed manner its effect is amplified. Because the requests are well-formed HTTP, they look legitimate at the protocol and traffic level: the server is saturated with plausible GET and POST requests that consume its resources (worker threads, CPU, database queries) until legitimate users are denied. HTTP is a favorite target because it is the dominant protocol of the internet. App-DDoS traffic can also blend with a flash crowd (a legitimate surge of visitors), which makes it hard for traditional defenses such as stateful firewalls to discriminate attack traffic from real users; the distinguishing signals are behavioral, such as per-client request rate, timing regularity and how narrow the set of requested URLs is.
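The behavioral signals just described can be checked directly against a web server's access log. The following is an added example, not code from the article or from any product it mentions: it parses Common Log Format lines, profiles each source by request rate, inter-arrival regularity and URL diversity, and separates a flash crowd (many sources, a few requests each, human-like timing) from App-DDoS sources (a few sources that either flood one endpoint or hit it at metronomic "low and slow" intervals). The log lines, the IP addresses, the `/launch` and `/search` paths and every threshold are constructed for the example.

```python
"""Flag application-layer DDoS sources in an HTTP access log.

Added example (not from the article). Heuristics, all assumptions of this
example rather than any product's logic:
  * sustained per-source request rate over the analysis window
  * inter-arrival regularity: scripted clients fire at near-constant intervals,
    people in a flash crowd do not
  * URL diversity: bots hammer one expensive endpoint, readers also fetch assets
"""
import random
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "ts": datetime.strptime(m.group("ts"), TS_FMT),
            "method": m.group("method"), "path": m.group("path")}


def build_sample_log(seed=7):
    """Constructed 60 s log: a flash crowd on /launch plus four scripted clients."""
    rng = random.Random(seed)
    t0 = datetime(2016, 10, 21, 12, 0, 0, tzinfo=timezone.utc)

    def fmt(ip, t, method, path):
        return '%s - - [%s] "%s %s HTTP/1.1" 200 512' % (ip, t.strftime(TS_FMT), method, path)

    lines = []
    # Flash crowd: 40 readers land on /launch, then fetch a few assets at random seconds.
    for i in range(40):
        ip = "203.0.113.%d" % (i + 1)
        lines.append(fmt(ip, t0 + timedelta(seconds=rng.randint(0, 59)), "GET", "/launch"))
        for _ in range(rng.randint(1, 3)):
            path = rng.choice(["/css/site.css", "/img/hero.jpg", "/launch"])
            lines.append(fmt(ip, t0 + timedelta(seconds=rng.randint(0, 59)), "GET", path))
    # Three flooders: one POST /search every second for the whole minute.
    for ip in ("198.51.100.10", "198.51.100.11", "198.51.100.12"):
        for s in range(60):
            lines.append(fmt(ip, t0 + timedelta(seconds=s), "POST", "/search"))
    # One "low and slow" client: same endpoint, exactly every 10 s.
    for s in range(0, 60, 10):
        lines.append(fmt("198.51.100.20", t0 + timedelta(seconds=s), "POST", "/search"))
    rng.shuffle(lines)  # real logs interleave sources
    return lines


def profile_sources(lines, window_seconds=60):
    """Per-source request count, rate, URL diversity and timing regularity."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    profiles = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        mean_gap = statistics.mean(gaps) if gaps else 0.0
        # coefficient of variation of inter-arrival times; 0 means metronomic
        gap_cv = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else None
        profiles[ip] = {"requests": len(recs), "rate": len(recs) / window_seconds,
                        "distinct_paths": len({r["path"] for r in recs}), "gap_cv": gap_cv}
    return profiles


def flag_sources(profiles, rate_limit=0.25, min_requests=5, max_cv=0.2):
    """Return {ip: reason} for suspected App-DDoS sources; readers stay unflagged."""
    flagged = {}
    for ip, p in profiles.items():
        if p["rate"] > rate_limit:
            flagged[ip] = "sustained %.2f req/s over the window" % p["rate"]
        elif (p["requests"] >= min_requests and p["gap_cv"] is not None
              and p["gap_cv"] <= max_cv and p["distinct_paths"] == 1):
            flagged[ip] = "metronomic requests (cv=%.2f) to a single path" % p["gap_cv"]
    return flagged


def sources_per_path(lines):
    """Distinct sources per URL: a flash crowd is many sources, few requests each."""
    sources = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec:
            sources[rec["path"]].add(rec["ip"])
    return {path: len(ips) for path, ips in sources.items()}


if __name__ == "__main__":
    log = build_sample_log()
    for ip, reason in sorted(flag_sources(profile_sources(log)).items()):
        print(ip, reason)
    print(sources_per_path(log))
```

The three flooders are caught by rate alone, which any rate limiter would also do; the fourth client sends six requests in a minute, well under any sensible rate limit, and is caught only because its inter-arrival times have zero variance and it never requests anything but the expensive endpoint. The per-path view is the flash-crowd check: `/launch` is popular with forty distinct sources, `/search` with four, which is the opposite shape from a legitimate surge. Thresholds must be tuned per site, and sources behind a shared NAT will need a higher rate limit or a per-session key instead of a per-IP one.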

Weaponizing Documents for Potential DDoS Attack

Adversaries usually consider the human element when targeting an organization. The "kill chain" concept is usually associated with network intrusions rather than with the asymmetric DDoS threat, but it maps onto it well. Using the Intrusion Kill Chain as a model, the adversary begins with reconnaissance (phase one), collecting information about the target's public profile on the internet and the technologies it uses. If the adversary obtains a victim's email address, email becomes the gateway into the victim's network or system. The attacker weaponizes (phase two) a file such as a PDF, PPT, DOC or JPG, typically using an automated tool to build the malicious code, and delivers the payload (phase three) as an email attachment. When the victim opens the attachment, the system is exploited (phase four) and the payload executes. Once the trojan is installed (phase five), the attacker has persistence inside the environment. A command and control channel (phase six) is then established to give the attacker "hands on keyboard" access to the compromised host. Finally, during actions on objectives (phase seven), the compromised host is used as a hop point to compromise other systems or, in the DDoS case, as one more node in the attacker's botnet.

In May 2016, researchers at Invincea (since acquired by Sophos) reported a weaponized document that served a dual purpose: delivering ransomware to the victim's system and turning that same system into a potential DDoS source (https://www.invincea.com/2016/05/two-attacks-for-the-price-of-one-weaponized-document-delivers-ransomware-and-potential-ddos-attack/). While the owner was denied access to the machine, the machine was simultaneously denying service to another victim. The document arrived as a spear phishing email attachment; opening it launched Microsoft Word and ran its embedded macros, which executed an encoded VBScript. The script dropped a malicious binary, ransomware of the Cerber family. The binary changed the screensaver via the registry and also appeared to carry out a DDoS attack, flooding the local subnet with UDP packets to port 6892. Because the packets carried a spoofed source address, any responses from hosts on the subnet (for example ICMP port unreachable messages) would be directed at whichever host the spoofed address named, interrupting that host's operations. A single piece of multipurpose malware thus distributed ransomware and took part in a distributed denial of service at the same time. Weaponized deliverables are typically disguised as ordinary client application files and, once opened by an unsuspecting recipient, create a backdoor that incorporates the infected system into a botnet.

Mobiles as Cyber Attack Surface

Growth in smartphone usage and the proliferation of mobile applications have enlarged the attack surface of cyberspace. Smartphones function much like computers: they connect to the internet from anywhere and download files and applications, some of which are malicious. As mobile device usage grows, so does the effectiveness of using them to launch distributed attacks such as a mobile botnet attack. In September 2015, researchers at CloudFlare reported a DDoS attack sourced from roughly 650,000 unique IP addresses, most of them mobile devices, that peaked at over 275,000 HTTP requests per second and totaled 4.5 billion requests against a single website. Smartphones are an enticing target because more people own smart devices than PCs. Once a smartphone is compromised by malware, it will send traffic toward a designated victim as soon as it receives the attack command. Mobile botnets are also well suited to low-rate DDoS, in which each bot sends attack traffic intermittently and at random moments, so that the aggregate blends into normal traffic and is harder to detect.

Weaponization of IoT

The proliferation of IoT devices has increased the attack surface, and a malicious actor can assemble an IoT botnet from a basement. The 2016 Mirai botnet showed that IoT botnets are capable of very high-volume attacks. Combining IoT and DDoS yields devastating attacks carried out by armies of compromised devices, made possible by the flood of exploitable equipment coming online: IP cameras, digital video recorders, smart meters, baby monitors and more. The October 2016 Mirai attack that overwhelmed DNS provider Dyn was an example of the destructive power of IoT-enabled attacks. It was reported as the largest on record at the time, with traffic estimated at up to 1.2 terabits per second, a volume that can make cloud provider DDoS mitigation economically unfeasible for the target.

The root problem is that many IoT devices ship with default username and password combinations that consumers rarely change and that are trivial to exploit; Mirai spread by logging in over telnet with a short list of such factory credentials. Security is also an afterthought in much IoT development. Secure IoT development practices together with customer education (changing default passwords, keeping firmware updated) can increase resilience against IoT device attacks.