- Unveiling of the People behind Mirai
- Army of Thermostats and Routers Attacks
- How Do You Know if You Are Getting Hit by a DDoS?
- 5 Steps to Defend Yourself from DDoS
- Now More than Ever
Many people know Dyn as the domain name system (DNS) infrastructure provider that was taken off the Internet by a record-breaking distributed denial of service (DDoS) attack. Interestingly enough, there is a prominent piece on surviving DDoS attacks that was written by Dyn director of operations and client services David Grange back in 2014. The attack on Dyn was successful, but it was the largest DDoS of all time; so Grange’s comments are valid and are broad enough that they are still highly relevant.
In exploring the thoughts provided by Grange, we will be answering the questions, “How do you know if you are getting hit by a DDoS?” and “How do you defend yourself from DDoS?” But first, let’s look at the pivotal malware that made DDoS such a particularly important aspect of cybercrime in 2017: Mirai.
Unveiling of the People behind Mirai
The problem with attacking an investigative security journalist with your malware is obvious: you just might get their attention. That’s definitely what happened when a DDoS malware developer went after former Washington Post IT security reporter Brian Krebs.
Krebs got hit by a DDoS attack in September – a massive one. In November 2016, a huge section of the Internet went down because of an attack using the same botnet. Krebs used his training as a reporter and investigated; and he has confidently fingered the culprit. Krebs cited various sources to make a reasonably solid case that the individual behind Mirai is Rutgers student Paras Jha – also, somewhat incredibly, the owner of Protraf Solutions, a DDoS prevention service.
Approximately a week following the DDoS attack of Krebs’ site, a malware author (Jha, in Krebs’ opinion) released the source code for their incredibly powerful zombie botnet of IoT devices, Mirai.
The open sourcing led to additional attacks, explained David Lumb of Engadget on January 19. “But it also gave Krebs the first clue in their long road to uncover Anna Senpai’s real-life identity – an investigation so exhaustive… Krebs made a glossary of cross-referenced names and terms along with an incomplete relational map.”
Army of Thermostats and Routers Attacks
The unveiling of the guy who is supposedly behind this operation is somewhat of a distraction from the general trend of DDoS, which continues to rise. What’s particularly notable about this attack from a threat perspective is its vast scope. The attack started on the evening of September 20, at about 8 p.m. ET. It measured 620 Gigabits per second. What was actually troubling about the attack wasn’t just that incredible scale but that it appeared to come from a massive army of hacked devices.
To understand this attack on Krebs and Mirai itself, it helps to look back at a previous major DDoS attack against a European media company that hit 363 Gbps. That attack was believed to have been produced by a botnet, but using various methods to amplify a small attack into having greater scale. The DDoS tactic of amplification is a type of reflection – in which the perpetrator is trying to create a flood of responses to a spoofed IP address (which is that of the target). In the case of the Krebs DDoS, it wasn’t amplification or reflection.
On the contrary, “many were garbage Web attack methods that require a legitimate connection between the attacking host and the target, including SYN, GET and POST floods,” explained Brian Krebs. There was one that did not fit that bill, though: traffic that was imitating generic routing encapsulation (GRE) packets – a protocol that is used to communicate directly between two network nodes (to allow sharing of data between peers without use of a public network).
An attacker can easily spoof DNS traffic, but that is not the case with GRE traffic, or with the garbage methods described by Krebs. Basically, the high amount of traffic of these types seen in early analysis of the DDoS pointed to the fact that a large number of hacked systems were used – hundreds of thousands of them. It’s now recognized that the collection of systems that was used was actually the Mirai botnet.
Following the attack on Krebs and the open-sourcing of Mirai’s code, another major assault occurred – this one of a DNS provider, Dyn. The Dyn DDoS, which occurred in October, was – similarly to the Krebs attack – the work of more than 100,000 devices. These are Internet of Things devices such as webcams, thermostats, and routers, but they can pack a punch in numbers, as is clear in the 1.2 terabits per second (Tbps) of power they delivered to Dyn.
How Do You Know if You Are Getting Hit by a DDoS?
What does this story have to do with you? DDoS is becoming increasingly commonplace, so – unfortunately – many companies are having to ask themselves the question, “Am I getting hit by a DDoS?” or “What would I do if I were hit by a DDoS?”
The confusing thing about identifying a DDoS is that it isn’t easy to tell if the spike in traffic is legitimate users or an actual distributed denial of service effort, noted Dyn’s Grange. “The key to telling the difference lies in the length of time the service is down – if slow or denied service continues for days rather than a spike during a campaign it is time to start to look into what’s going on.”
Another way to tell something malicious is occurring is when you see that a source continues to query a certain set of data long after the time to live (TTL) has elapsed. (TTL, also called hop limit, is any means by which the amount of time data stays on a network or computer is controlled – discarding data after the determined timespan has passed.)
5 Steps to Defend Yourself from DDoS
What are some proactive steps you can take to protect yourself from Mirai and other DDoS attacks? Here is Grange’s advice:
#1 – Focus on awareness. Track your network’s normal activity carefully so that you recognize when anything is amiss and a DDoS might be occurring.
#2 – Improve your capacity. Be certain your capacity is high enough to carry the load, and optimize for performance during spikes. Architect with mitigation in mind.
#3 – Run drills. Go through drills with your staff so everyone is ready if you do experience a DDoS.
#4 – Use an outside provider. Many companies reasonably decide that they do not want to deal with the DDoS challenge internally, so they partner with third parties.
#5 – Err on the side of preparation. “[F]igure out the impact it would have on your company financially if it were to happen,” said Grange. “[T]he cost associated with being attacked is usually much higher than the cost to take safeguards.”
Now More than Ever
Clearly, following the rise of Mirai and these high-profile mega-attacks, it is more important than ever to make sure you have defenses in place so that DDoS can’t sideline your operations. At KnownHost, we offer free DDoS protection with all of our VPS hosting packages. Compare plans.