The main objective of security is to safeguard the IT systems and data of a network from various types of threats. Many organisations today face a test in achieving this: using technology to its fullest capacity means that corporate networks have to provide access to their infrastructure and resources, and these networks can hold users that are both inside and outside the organisation. This means the organisation has to limit the different levels of access given to different users and their access to the various resources they
However, there are some external attacks that are not due to human error, and that is where this report will be looking, in particular at DDoS attacks. The purpose of this report is to look at a cyber-attack of this kind that happened to a company within the past two years and cover: what the company did to mitigate it, what other types of attack exist within the same category, what ways exist to prevent it from happening, and what examples of services are already out on the market.
The Attack, What Happened?
On 31 December 2015, New Year's Eve, the BBC faced a major cyber-attack. The attack took down a number of key digital services that are integral to the BBC, such as BBC iPlayer, BBC News and BBC iPlayer Radio, along with various other digital services. The method the attackers used to take down these services was a DDoS, which is short for Distributed Denial of Service.
The way the BBC mitigated and got out of this situation was by migrating the site onto the Akamai CDN. This meant that Akamai was handling requests for the BBC worldwide, and the migration restored the services. Once the migration was made there were no apparent outages following
The migration of bbc.co.uk to the Akamai CDN also gave some serious performance gains, particularly for access to the BBC website from outside the UK. For example, before the attack the majority of requests from Netcraft's New York performance collector took around 0.4-0.6 seconds, whereas once the site was moved to Akamai the times fell below 0.1 seconds. These benefits come from using a distributed CDN: cached content can be delivered to clients in their own country through an edge server located there, instead of from a remote server that is only reachable over transatlantic cables. Performance gains of this kind are the norm when using a globally distributed Content Delivery Network (CDN).
The group responsible for this attack was New World Hacking, a group of anti-ISIS hackers. They were apparently testing the power of their DDoS tools and chose the BBC as the target on which to test them. According to reports, the attack was never meant to take down the whole of the BBC's systems; it was not intended to go the way it did.
What is a DDoS attack?
“DDoS is short
for Distributed Denial of Service. DDoS is a type
of DOS attack where multiple compromised systems, which are often
infected with a Trojan, are used to target a single system causing a
Denial of Service (DoS) attack. Victims of a DDoS attack consist of both
the end targeted system and all systems maliciously used and controlled by the
hacker in the distributed attack.” (Beal, n.d.)
What is a Botnet and how does it work?
The main element through which a DDoS attack is carried out is a botnet. The purpose of botnet malware is to infect a network full of computers and spread to more of them. Once a computer has been infected it can be controlled remotely by the attacker. Botnet malware looks for vulnerabilities and can infect computers through websites, social media and emails. Due to the way botnets operate they can be very hard to spot, meaning all of the above can happen without the users even knowing it.
Botnets can create huge amounts of traffic for the purpose of overrunning a target. The floods of traffic coming from a botnet can be generated in various ways: for example, by sending far more connection requests than a server is capable of processing, or by sending massive amounts of random data from the infected computers to the target to consume its bandwidth, as in the BBC example where the attackers were consuming the bandwidth of
Marketplace for DDoS Attacks and Botnets
There exist underground marketplaces where individuals can buy or sell botnets or individual DDoS attacks. These marketplaces offer services through which any individual or group can, for a small fee, target and take down websites or disrupt the online operations of any organisation they disagree with. Running a DDoS attack for a week on a scale that would take down a small company can cost very little.
Botnets are organised in one of two ways. The first is the client-server model, which mimics a more traditional workflow. In this approach the attacker sets up a C&C (command-and-control) server, and each infected machine connects to that centralised server or to a small number of centralised servers. The infected bots commonly communicate over IRC (Internet Relay Chat): each bot connects to the C&C server in order to receive its instructions. Because the repository is centralised, when the attacker needs to send out new commands they only need to modify the material on the C&C server, and the infected devices connected to it pick up the new instructions.
Another approach is a peer-to-peer network design. This more recent design is more decentralised and incorporates components from peer-to-peer file sharing. The P2P approach is used so that attackers can avoid detection by government agencies and security vendors, because these entities often use C&C communication as a means of finding and disrupting botnet operations. The model also eliminates the single point of failure found in the client/server model with its centralised server: the control structure is inside each infected machine, and each bot can be both command centre and client at the same time. This makes it more difficult to mitigate.
Within each P2P bot there is a list of trusted devices (computers) with which it can communicate to obtain and send information regarding malware updates. Because this list limits the number of devices a bot connects to, it only exposes the bot to its neighbouring devices. Even though these characteristics make the model more difficult to mitigate, it still has drawbacks. The lack of a centralised entity creates a vulnerability where the botnet is prone to someone else stealing control away from its original creator. To prevent this from happening, the botnet's communications are encrypted to limit access to it and guard against loss of control.
What different types of DDoS attacks exist?
There exist many different forms of DDoS attack, but they can be categorised into the three types below:
Volume-based attacks – The goal of this attack is to consume the bandwidth of the targeted site, and the magnitude of the attack is measured in bps (bits per second). Examples of this attack are UDP floods and
Protocol attacks – This type of attack targets and consumes the resources of a server, or targets intermediate equipment such as load balancers and firewalls; it is measured in pps (packets per second). Examples of this attack are SYN flooding, Ping of Death and Smurf DDoS.
Application layer attacks – The goal of this attack is to target and crash the web server of the mark. The magnitude of this type of attack is measured in rps (requests per second). Examples of this attack are OpenBSD vulnerabilities, GET/POST floods, Apache-targeted attacks, Windows
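To make the three measures concrete, here is an added example (not part of the original report) that computes bits per second, packets per second and requests per second over one-second windows of a packet trace and names the category whose measure has grown the most against the first window. The trace, the 5x alert factor and the window size are constructed assumptions for the example.

```python
"""Classify a traffic surge by the dimension that grew the most:
volume-based (bits/s), protocol (packets/s) or application layer (requests/s).

Added example for this report; the trace below is constructed, not captured."""
from collections import defaultdict


# A record is (timestamp in seconds, protocol, bytes on the wire, TCP flags, is an HTTP request).
def build_trace():
    """Constructed trace: second 0 is normal browsing, second 1 a SYN flood,
    second 2 a UDP flood and second 3 an HTTP GET flood."""
    trace = []
    for i in range(50):                       # second 0: 50 HTTP requests plus their ACKs
        t = i / 50
        trace.append((t, "tcp", 800, "PA", True))
        trace.append((t + 0.005, "tcp", 60, "A", False))
    for i in range(5000):                     # second 1: 5000 bare SYNs, 60 bytes each
        trace.append((1 + i / 5000, "tcp", 60, "S", False))
    for i in range(400):                      # second 2: 400 large UDP datagrams
        trace.append((2 + i / 400, "udp", 1400, "", False))
    for i in range(2000):                     # second 3: 2000 small HTTP GETs
        trace.append((3 + i / 2000, "tcp", 100, "PA", True))
    return trace


def window_metrics(trace, window=1.0):
    """Return {window_index: {"bps", "pps", "rps"}} for each window in the trace."""
    buckets = defaultdict(lambda: {"bytes": 0, "packets": 0, "requests": 0})
    for ts, _proto, size, _flags, is_request in trace:
        b = buckets[int(ts // window)]
        b["bytes"] += size
        b["packets"] += 1
        b["requests"] += int(is_request)
    return {
        w: {"bps": b["bytes"] * 8 / window, "pps": b["packets"] / window, "rps": b["requests"] / window}
        for w, b in sorted(buckets.items())
    }


CATEGORY = {"bps": "volume-based", "pps": "protocol", "rps": "application-layer"}


def classify_window(metrics, baseline, factor=5.0):
    """Name the attack category whose measure grew the most against the baseline,
    or "normal" if nothing grew by at least `factor` (an assumed alert threshold)."""
    ratios = {k: metrics[k] / baseline[k] for k in baseline}
    worst = max(ratios, key=ratios.get)
    return CATEGORY[worst] if ratios[worst] >= factor else "normal"


def classify_trace(trace, window=1.0, factor=5.0):
    """Use the first window as the baseline and classify every window against it."""
    metrics = window_metrics(trace, window)
    baseline = metrics[min(metrics)]
    return {w: classify_window(m, baseline, factor) for w, m in metrics.items()}


if __name__ == "__main__":
    for w, label in classify_trace(build_trace()).items():
        print(f"second {w}: {label}")
```

The point of comparing ratios rather than raw numbers is that an HTTP flood also raises packets per second; what singles it out is that requests per second grew the most. In practice the baseline would come from a longer quiet period than a single second.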
Common types of DDoS Attacks
Below are some of the most common DDoS attack types used:
SYN flooding, also known as TCP SYN flooding, is a type of DDoS attack known for exploiting a weakness in the implementation of TCP: it targets TCP's three-way handshake. This consumes the resources of the targeted server and essentially renders it unresponsive.
The way this works is that a SYN packet is sent to a server to start the first phase of the TCP three-way handshake. This causes a resource allocation on the target server (a half-open connection entry), and if the handshake is not completed the entry is not freed until it times out. From there all the attacker has to do is keep sending SYN packets to the targeted server. The result is resource exhaustion, because TCP connection requests arrive faster than the machine can process them. This technique is usually coupled with IP spoofing, which guarantees that the handshake can never finish: the spoofed source either does not exist or discards the target's out-of-state SYN-ACK (answering with a reset rather than the final ACK).
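The following added example (not from the original report) models the half-open backlog described above as a small state machine and runs two constructed scenarios against it: a single burst of spoofed SYNs, and a sustained trickle that keeps the backlog full. The backlog size, the half-open timeout and the packet timings are assumed values; the spoofed sources are taken from the RFC 5737 documentation ranges so that, as in a real spoofed flood, nothing ever answers the SYN-ACK.

```python
"""Model of a TCP listen backlog under a SYN flood.

Added example for this report; backlog size, half-open timeout and the
packet timings (integer milliseconds) are assumed values."""


class Listener:
    """A listening socket that keeps one entry per half-open connection."""

    def __init__(self, backlog=8, syn_timeout_ms=3000):
        self.backlog = backlog
        self.syn_timeout_ms = syn_timeout_ms
        self.half_open = {}        # (src_ip, src_port) -> time the SYN arrived (ms)
        self.established = 0
        self.dropped_syns = 0

    def _expire(self, now_ms):
        # Entries whose handshake never completed are only freed by the timeout.
        stale = [k for k, t0 in self.half_open.items() if now_ms - t0 >= self.syn_timeout_ms]
        for k in stale:
            del self.half_open[k]

    def on_syn(self, now_ms, src):
        self._expire(now_ms)
        if src in self.half_open:
            return "retransmit"          # same 4-tuple again: no new state
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1
            return "dropped"             # backlog full: the SYN is silently discarded
        self.half_open[src] = now_ms     # allocate state and (in reality) send SYN-ACK
        return "syn-ack"

    def on_ack(self, now_ms, src):
        self._expire(now_ms)
        if src in self.half_open:
            del self.half_open[src]      # third handshake packet: entry becomes a full connection
            self.established += 1
            return "established"
        return "no-state"                # ACK for an unknown connection: a kernel would answer RST


def run_burst(backlog=8, syn_timeout_ms=3000, spoofed_syns=20):
    """A single burst of spoofed SYNs, then a real client tries to connect."""
    srv = Listener(backlog, syn_timeout_ms)
    results = [srv.on_syn(i * 10, (f"198.51.100.{i + 1}", 40000 + i)) for i in range(spoofed_syns)]
    client = ("203.0.113.7", 51515)
    first_try = srv.on_syn(500, client)                   # backlog is still full of spoofed entries
    retry = srv.on_syn(500 + syn_timeout_ms, client)      # spoofed entries have timed out by now
    final = srv.on_ack(600 + syn_timeout_ms, client)
    return {"spoofed_accepted": results.count("syn-ack"), "spoofed_dropped": results.count("dropped"),
            "first_try": first_try, "retry": retry, "final": final}


def run_sustained(backlog=8, syn_timeout_ms=3000, duration_ms=10000, attack_interval_ms=100):
    """A steady trickle of spoofed SYNs while a real client retries once a second.
    The attacker needs more than backlog/timeout SYNs per second to keep the backlog
    full: here 10 per second against a requirement of about 2.7."""
    srv = Listener(backlog, syn_timeout_ms)
    attempts = successes = 0
    for k in range(duration_ms // attack_interval_ms):
        now = k * attack_interval_ms
        srv.on_syn(now, (f"198.51.100.{k % 250 + 1}", 40000 + k))
        if now % 1000 == 900:                          # real client tries at 0.9 s, 1.9 s, ...
            attempts += 1
            client = ("203.0.113.7", 50000 + k)
            if srv.on_syn(now, client) == "syn-ack" and srv.on_ack(now + 10, client) == "established":
                successes += 1
    return {"client_attempts": attempts, "client_successes": successes,
            "dropped_syns": srv.dropped_syns, "required_rate_per_s": backlog * 1000 / syn_timeout_ms}
```

The sustained run shows why the attack is cheap: with a backlog of 8 and a 3 s timeout, fewer than three spoofed SYNs per second are enough to lock out every legitimate client, and in the model a 10 per second trickle does so for the whole run. Real kernels use much larger backlogs and SYN cookies (stateless SYN-ACKs) to avoid holding state at all; the model deliberately shows the unprotected behaviour.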
UDP flooding is a bandwidth attack that overwhelms random ports of the target host with IP packets containing UDP datagrams. The receiving host checks for an application listening on the port associated with each UDP datagram; finding nothing, it sends an ICMP "destination unreachable" packet back. The process follows the same pattern as the SYN flood: the packets are received and answered, but they are sent continually and at a rate that causes the system to become overwhelmed and unresponsive.
ICMP flooding (Ping Flood)
This works in a similar way to UDP flooding. An ICMP flood is a DoS attack where the attacker takes down the target's computer by overwhelming it with continuous ICMP echo requests (pings). The attack exploits the fact that a host answers each echo request with an echo reply, so the target sends back an equal number of reply packets. The packets can be crafted with custom applications or code, for example hping and scapy. When used, this attack can drain both incoming and outgoing bandwidth.
Ping of Death
PoD, better known as Ping of Death, is an attack where the attacker tries to crash, freeze or degrade the victim's machine or service using simple ping commands that send oversized or malformed packets. Even though PoD exploits legacy weaknesses in a system, and these weaknesses have largely been patched, in unpatched conditions these attacks are still relevant and lethal. The ping flood described above is sometimes confused with it, but it is a separate volume attack rather than a new form of PoD: the victim is continually bombarded with ICMP echo requests without the attacker waiting for the replies.
Slowloris is DoS software developed by the hacker Robert "RSnake" Hansen. The tool allows the attacker to take down a web server via slow HTTP requests, and the attack requires almost no bandwidth to carry out. The attacker opens multiple connections to the targeted server and sends HTTP headers in small pieces, as slowly as possible, never completing the request. Because the web server cannot process a request until its headers are complete, it is forced to keep waiting for the rest of the header to arrive while holding the connection open. If enough such connections are opened to the targeted server, it is rendered unable to handle legitimate requests.
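As an added example (not from the original report or from the Slowloris tool), the model below has a web server with a fixed number of connection slots and runs the slow-header behaviour against it twice: once with only an idle timeout, which the slow clients defeat by sending a header line every few seconds, and once with a deadline for receiving the complete headers, which is the kind of limit Apache's mod_reqtimeout enforces. The slot count, the timeouts and the send intervals are assumed values chosen to keep the run short.

```python
"""Model of a web server's connection slots under a Slowloris-style attack,
with and without a deadline for receiving the complete request headers.

Added example for this report; slots, timeouts and intervals are assumed values."""


class WebServer:
    def __init__(self, slots=4, idle_timeout_s=15, header_deadline_s=None):
        self.slots = slots
        self.idle_timeout_s = idle_timeout_s          # close if no bytes arrive for this long
        self.header_deadline_s = header_deadline_s    # close if headers are incomplete after this long
        self.conns = {}                               # conn id -> {"opened", "last", "buf"}
        self.served = self.refused = self.closed_incomplete = 0

    def _reap(self, now):
        for cid, c in list(self.conns.items()):
            idle = now - c["last"] >= self.idle_timeout_s
            overdue = self.header_deadline_s is not None and now - c["opened"] >= self.header_deadline_s
            if idle or overdue:
                del self.conns[cid]
                self.closed_incomplete += 1

    def open(self, now, cid):
        self._reap(now)
        if len(self.conns) >= self.slots:
            self.refused += 1
            return False
        self.conns[cid] = {"opened": now, "last": now, "buf": b""}
        return True

    def data(self, now, cid, chunk):
        self._reap(now)
        c = self.conns.get(cid)
        if c is None:
            return "closed"
        c["buf"] += chunk
        c["last"] = now
        if b"\r\n\r\n" in c["buf"]:       # blank line ends the header block: request can be served
            del self.conns[cid]
            self.served += 1
            return "served"
        return "pending"                   # still waiting for the rest of the headers


def simulate(header_deadline_s=None, slow_conns=4, duration_s=60):
    """Slow clients send one extra header line every 10 s and never the blank line;
    a legitimate client sends a complete request at t = 30 s and t = 60 s."""
    srv = WebServer(slots=4, idle_timeout_s=15, header_deadline_s=header_deadline_s)
    for i in range(slow_conns):
        srv.open(0, f"slow{i}")
        srv.data(0, f"slow{i}", b"GET / HTTP/1.1\r\nHost: victim.example\r\n")
    legit_served = legit_refused = 0
    for t in range(1, duration_s + 1):
        if t % 10 == 0:
            for i in range(slow_conns):
                srv.data(t, f"slow{i}", b"X-a: b\r\n")   # resets the idle timer, never finishes headers
        if t % 30 == 0:
            cid = f"legit{t}"
            full = b"GET /index.html HTTP/1.1\r\nHost: victim.example\r\n\r\n"
            if srv.open(t, cid) and srv.data(t, cid, full) == "served":
                legit_served += 1
            else:
                legit_refused += 1
    return {"legit_served": legit_served, "legit_refused": legit_refused,
            "slow_closed": srv.closed_incomplete}


if __name__ == "__main__":
    print("idle timeout only:", simulate())
    print("20 s header deadline:", simulate(header_deadline_s=20))
```

The idle timeout alone never fires because each slow connection receives a byte every 10 s, so all four slots stay occupied and both legitimate requests are refused. With a 20 s header deadline the slow connections are closed and the legitimate requests are served. The real tool reconnects when closed, so the deadline does not end the attack by itself; it bounds how long one slot can be held and therefore raises the connection rate the attacker must sustain, which is why it is normally combined with per-source connection limits.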
HTTP flooding is a DDoS attack for targeting and taking down a victim's web servers and applications. The attacker sends HTTP GET or POST requests to the victim's web server; these seemingly legitimate requests are crafted specifically to consume large amounts of server resources. This results in a DoS even though the attack does not require a high volume of traffic. The attack is usually carried out with a botnet, which makes it deadlier: no single source needs to send much, so the flood is harder to tell apart from normal browsing.
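Because HTTP flood requests look legitimate one at a time, detection is about rates rather than packet contents. The added example below (not from the original report) parses web-server access-log lines in the combined log format and keeps two sliding windows: one per source address, which catches a single client hammering the server, and one across all sources, which catches a botnet whose members each stay under the per-source limit. The log lines are constructed for the example, and the limits and window size are assumed values.

```python
"""Spot an HTTP flood in web-server access logs: a per-source sliding window
catches a single noisy client, and an aggregate window catches a botnet whose
members each stay under the per-source limit.

Added example for this report; the log lines are constructed, not taken from
any real server, and the limits are assumed values."""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Parse one combined-log-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return {"ip": m["ip"], "ts": ts, "method": m["method"], "path": m["path"]}


def make_log():
    """Constructed log: light browsing, one client flooding at second 10,
    and 50 bots sending three requests each at second 20."""
    def line(ip, sec, path):
        return (f'{ip} - - [31/Dec/2015:21:00:{sec:02d} +0000] '
                f'"GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"')
    lines = [line(ip, sec, "/news")
             for sec in range(0, 30, 5)
             for ip in ("203.0.113.10", "203.0.113.11", "203.0.113.12")]
    lines += [line("198.51.100.5", 10, "/search?q=x") for _ in range(40)]
    lines += [line(f"192.0.2.{i + 1}", 20, "/iplayer") for i in range(50) for _ in range(3)]
    return lines


def detect(lines, per_ip_limit=20, aggregate_limit=50, window_s=10.0):
    """Flag sources exceeding per_ip_limit requests per window and report the
    first moment the total across all sources exceeds aggregate_limit."""
    records = sorted(filter(None, map(parse_line, lines)), key=lambda r: r["ts"])
    t0 = records[0]["ts"] if records else 0.0
    per_ip, everyone = defaultdict(deque), deque()
    flagged_ips, aggregate_alert_at, peak = set(), None, 0
    for r in records:
        for q in (per_ip[r["ip"]], everyone):
            q.append(r["ts"])
            while r["ts"] - q[0] >= window_s:     # drop timestamps that fell out of the window
                q.popleft()
        if len(per_ip[r["ip"]]) > per_ip_limit:
            flagged_ips.add(r["ip"])
        peak = max(peak, len(everyone))
        if len(everyone) > aggregate_limit and aggregate_alert_at is None:
            aggregate_alert_at = int(r["ts"] - t0)   # seconds since the first log line
    return {"flagged_ips": sorted(flagged_ips), "aggregate_alert_at_s": aggregate_alert_at,
            "aggregate_peak": peak}


if __name__ == "__main__":
    print(detect(make_log()))
```

On the constructed log the single flooding client is flagged by the per-source window while the fifty bots are not, since each sends only three requests; the botnet only shows up in the aggregate window, which is the practical reason a per-IP rate limit on its own is not enough against a distributed HTTP flood.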
How do you prevent DDoS attacks from happening?
There are many different solutions available to the public that mitigate the effects of DDoS attacks. However, even though these solutions are available, there is no complete solution that prevents and protects against every attack, because new kinds of attack are continually being developed to bypass current countermeasures. This section will cover some industry tools that can be used to mitigate some of the common attacks seen in industry.
To stop systems being infected with DDoS malware, IT administrators employ antivirus software. This allows IT admins to check whether any unwanted malware applications have infected a system. Antivirus installed on every endpoint makes the IT admin aware of rootkits or trojan-based software that could potentially be set up on their
Firewall Egress Filtering