
That Happened in Luxembourg

By Line Lauret

Introduction

In today’s digital age, Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks have become a significant threat to online security. These attacks can disrupt businesses, cause financial losses, and damage reputations. Understanding DDoS attacks is crucial for anyone involved in maintaining the security and availability of online services.

The purpose of this article is to educate readers about DDoS attacks, including how they work and strategies for defending against them. By gaining a comprehensive understanding of DDoS attacks, readers will be better equipped to protect their digital assets and ensure the continuity of their online operations.

As technology continues to evolve, so do the methods and scale of Distributed Denial of Service (DDoS) attacks. The future of DDoS attacks will undoubtedly bring new challenges, but with the right combination of technology, regulation, and collaboration, we can work towards a more secure digital landscape.

“Several Luxembourg government websites were targeted in a cyberattack on the afternoon of January 10th, the State Information Technology Centre (CTIE) has confirmed. A number of websites including MyGuichet and LuxTrust were inaccessible for a period of around two hours from 13:00 due to the so-called Distributed Denial-of-Service (DDoS) attack – where perpetrators flood their target’s servers with automated requests to render them incapable of fulfilling legitimate requests from users. The online services are now once again accessible, a CTIE spokesperson said, adding that it does not yet have further details on the attack or who was responsible. It is the latest in a series of cyberattacks against Luxembourg government websites, most recently in October, with a sustained attack taking place last spring.”

Source: Luxtimes.lu

DENIAL OF SERVICE (DoS)

  • A denial of service is an attack on the availability of a system. It is a resource-exhaustion attack: the resources of the target are overwhelmed to the point that legitimate users can no longer access the service. Most of the time this kind of attack is transient, and users are kept out for a limited time frame.
  • A denial of service (DoS) uses a single source of traffic, while a Distributed Denial of Service (DDoS) uses many sources of traffic and is therefore much more effective. While it is relatively feasible for a targeted service to fight off a single attacker, it is much harder to fight off hundreds, thousands or more simultaneous sources. DDoS is the most common variant of denial of service attack seen today. Because the attack is distributed and comes from many different sources, it can be difficult to track down who the perpetrator is.

ATTACKERS & MOTIVATIONS

HACKTIVISTS

  • Attackers who have a specific cause in mind, usually motivated by ideology or a social or political cause.
  • If they disapprove of their target’s behaviour, they may feel a moral duty to take its systems down and, by doing so, damage its reputation.
  • It is never good for a site to be down for any reason. It looks even worse when the site is down because attackers have succeeded.
  • Some activists also seek notoriety and act accordingly.

UNETHICAL COMPETITORS

  • Competitors who want to embarrass the business and frustrate their opponent’s clients. They hope to gain some kind of advantage when the opponent’s reputation is affected.

ORGANIZED CRIME

  • DDoS attacks mounted for extortion.
  • Attackers target a service and say “if you don’t pay us money, we are going to keep your system offline”.

DIVERSION

  • Another motivation behind a denial of service attack is to create a distraction.
  • While a DDoS attack is under way and resources are tied up, the target can be so focused on that particular attack that it is unable to perform its normal duties and defend the other parts of its environment.
  • In the meantime, the attackers come in through a back door to mount other attacks against a defender whose attention is now diverted.

NON-INTENTIONAL ACTS

  • When a major event brings a sudden surge of traffic to a website, the application or server simply gets overwhelmed by the huge audience and is effectively taken offline.
  • This case is equivalent to a distributed denial of service, because all this traffic comes from many different locations.

ATTACK TECHNIQUES

  1. Botnets
  • To launch a large-scale attack, the attacker typically uses a huge number of infected computers that simultaneously make requests to a specific target until it is exhausted. This army of machines, previously compromised by malicious code, is called a botnet, and the individual machines are called bots or zombies.
  • They are controlled by a command and control server operated by the attacker. In other words, the bots lie in wait, doing their day-to-day tasks, until they are activated by the attacker through the remote command and control server.
  • When all the zombies receive their signal, the “marching orders”, they activate and start their attack.
  • DDoS attacks can be mounted in different ways, but they fall into two main categories: at the higher level, application layer attacks (layer 7 of the OSI (Open Systems Interconnection) model), and at the lower level, network layer attacks.

2. Application Layer Attack

  • In this type of attack, the army of bots simultaneously makes HTTP requests to a specific website. The site is not able to respond to all of them, because behind the scenes the web server keeps trying to answer the incoming requests over and over until its resources are saturated.
  • In doing so, the malicious requests stop the legitimate traffic from getting through.
  • This type of attack is an issue of scale, and it is measured in requests per second.

3. Concept of Amplification

  • Attackers are always trying to increase the effectiveness of their DDoS attacks, and one way they do so is by amplifying them.
  • HTTP flood attacks can also be amplified, for example with long-running requests that the database takes a while to process; the attack may then succeed quickly because the underlying database resources are saturated.
  • Another kind of amplification targets very specific features of the application. For instance, an attack may focus on HTTP POST requests to the login page, which uses a slow hashing function.
  • As a security best practice, slow hashing functions make passwords harder to crack if the hashes are disclosed. But that virtue comes at a cost when it makes the page slow and so amplifies the effect of an HTTP flood attack.

4. Network Layer Attack

  • Within the TCP protocol, there is an initial 3-way handshake between two machines: SYN / SYN-ACK / ACK.
  • A TCP connection can be subject to a SYN flood attack. The process starts the same way as usual: machine 1 sends the SYN and machine 2, the target, replies with the SYN-ACK. And then... nothing. The target just waits and nothing happens; it never gets the final ACK. Since machine 2 cannot tell whether it is just network latency, it takes a while before it gives up on that response.
  • The problem is that the half-open connection on the target machine is left pending until it decides that the response is never going to come and moves on. But in the meantime machine 1 may be sending many more SYN requests to that target, so the situation perpetuates itself and the volume makes it even worse. A huge amount of bandwidth is consumed, and that is not all: CPU and memory are also saturated, and legitimate users have trouble getting through.
  • In a DDoS attack, it is not only one machine 1 that sends the SYN requests, but hundreds, thousands or more.
  • The same attack principle applies to other protocols, such as UDP or ICMP (Internet Control Message Protocol) ping.
  • Protocol attacks are measured in packets per second.
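The half-open connection bookkeeping described above, seen from the target’s side, as an added example that is not part of the original article: a small tracker that replays handshake events, expires entries that never receive their ACK, and flags sources whose number of simultaneous half-open connections crosses a threshold. The events, the 3-second timeout and the threshold of 5 are constructed assumptions for illustration.

```python
from collections import defaultdict

HALF_OPEN_TIMEOUT = 3.0  # seconds a half-open entry is kept before the target gives up (assumed)
ALERT_THRESHOLD = 5      # simultaneous half-open entries from one source that raise an alert (assumed)

# Constructed packet events as seen by the target: (timestamp, src_ip, src_port, flag).
# 198.51.100.7 opens six connections and never sends the final ACK.
EVENTS = [
    (0.0, "203.0.113.10", 50000, "SYN"), (0.1, "203.0.113.10", 50000, "ACK"),
] + [(0.2 + 0.1 * i, "198.51.100.7", 40001 + i, "SYN") for i in range(6)] + [
    (1.0, "203.0.113.11", 51000, "SYN"), (1.2, "203.0.113.11", 51000, "ACK"),
    (5.0, "203.0.113.12", 52000, "SYN"), (5.1, "203.0.113.12", 52000, "ACK"),
]


def track_half_open(events, timeout=HALF_OPEN_TIMEOUT, threshold=ALERT_THRESHOLD):
    """Replay events and return (peak_by_source, timed_out_by_source).

    peak_by_source: src_ip -> highest number of simultaneous half-open
        connections, only for sources that reached `threshold`.
    timed_out_by_source: src_ip -> SYNs that were never completed by an ACK.
    """
    pending = {}                   # (src_ip, src_port) -> arrival time of the SYN
    per_source = defaultdict(int)  # src_ip -> current half-open count
    peak, timed_out = {}, defaultdict(int)

    def expire(now):
        # The target eventually abandons half-open entries older than the timeout.
        for key, t0 in list(pending.items()):
            if now - t0 > timeout:
                del pending[key]
                per_source[key[0]] -= 1
                timed_out[key[0]] += 1

    for ts, ip, port, flag in sorted(events):
        expire(ts)
        key = (ip, port)
        if flag == "SYN" and key not in pending:
            pending[key] = ts              # SYN-ACK sent, waiting for the final ACK
            per_source[ip] += 1
            if per_source[ip] >= threshold:
                peak[ip] = max(peak.get(ip, 0), per_source[ip])
        elif flag == "ACK" and key in pending:
            del pending[key]               # handshake completed
            per_source[ip] -= 1
    for key in pending:                    # still open at the end: never completed
        timed_out[key[0]] += 1
    return peak, dict(timed_out)
```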

COUNTERMEASURES

  1. Common Recommendations
  • Be as prepared as possible. The time to think about potential attacks is in advance, before the attack hits.
  • Implement several layers of defense, or several types of defense, because the defense has to be adapted to the style of attack that is coming through.
  • Filter ingress traffic so that only legitimate traffic gets through. Anything unused (ports, protocols, etc.) should be turned off. Also, a hardware appliance sitting in front of the firewall helps reduce the risk of the entire system being taken down.
  • Reduce the attack surface with private subnets, so that only a minimum of resources is exposed for an attacker to target.

2. Identify the usual traffic pattern

  • The first questions to ask are “what does normal traffic look like, who is the audience, and what does it usually do on the website?”. Traffic that does not adhere to that normal pattern can then immediately be treated as suspicious.
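The baseline-then-deviation idea above, as an added example that is not from the original article: a few constructed access-log lines in Common Log Format stand in for a quiet period and for an observed period, the quiet period yields a mean and standard deviation of requests per second, and any second in the observed period that exceeds mean plus k standard deviations is reported together with its dominant source. The log lines, the k = 3 threshold and the tiny baseline window are assumptions made for illustration.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# One Common Log Format line: ip - - [date:hh:mm:ss zone] "METHOD path proto" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*?:(\d\d:\d\d:\d\d) [^\]]*\] "(\S+) (\S+) [^"]*" (\d{3})')


def clf(ip, hhmmss, method="GET", path="/"):
    """Build a constructed access-log line (sample data, not a real capture)."""
    return f'{ip} - - [01/Jan/2000:{hhmmss} +0000] "{method} {path} HTTP/1.1" 200 512'


# Quiet period used as the baseline: 2 to 3 requests per second from ordinary visitors.
NORMAL = [clf(f"203.0.113.{10 + j}", f"12:00:0{i}")
          for i, n in enumerate([2, 3, 2, 3, 2]) for j in range(n)]
# Observed period: one second looks normal, the next carries a burst of POSTs to
# /login from a single source (the slow-hash amplification case described above).
OBSERVED = ([clf(f"203.0.113.{20 + j}", "12:00:10") for j in range(3)]
            + [clf(f"203.0.113.{30 + j}", "12:00:11") for j in range(2)]
            + [clf("198.51.100.7", "12:00:11", "POST", "/login") for _ in range(6)])


def per_second_counts(lines):
    """Return (requests per second, per-second Counter of source IPs)."""
    total, by_source = Counter(), {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip unparsable lines instead of crashing
        ip, second = m.group(1), m.group(2)
        total[second] += 1
        by_source.setdefault(second, Counter())[ip] += 1
    return total, by_source


def baseline(normal_lines):
    """Mean and population std-dev of requests/second during known-normal traffic."""
    rates = list(per_second_counts(normal_lines)[0].values())
    return mean(rates), pstdev(rates)


def detect(observed_lines, base_mean, base_std, k=3.0):
    """Seconds whose rate exceeds mean + k*std, with the dominant source in each."""
    total, by_source = per_second_counts(observed_lines)
    limit = base_mean + k * base_std
    findings = []
    for second in sorted(total):
        if total[second] > limit:
            top_ip, top_n = by_source[second].most_common(1)[0]
            findings.append((second, total[second], top_ip, top_n))
    return findings
```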

3. Absorbing the attack

  • Denial of service attacks are often used as a diversion technique. Paying attention to the other security imperatives while a DDoS attack is ongoing helps keep attackers away from other critical components of the infrastructure.
  • The goal of a denial of service attack is to flood resources with malicious requests so that they cannot serve legitimate requests. Ensuring that the capacity of the service is greater than the size of the attack, so that it can absorb the attack, means that not only all the legitimate requests but also the malicious ones can be served.
  • In other words, there is no disruption for legitimate users, and the ongoing attack becomes a failure. This is particularly feasible in the cloud era, where it is easy to turn up capacity to get more buffer.
  • Cloud resources are great because they can be spun up quickly and follow the “pay for what you use” principle. Running on premises is another story: having enough capacity to weather a DDoS storm is very expensive, because most of the time that capacity is not used at all and just sits there in preparation for an attack.
  • The defenses should always be adjusted to the resources that have to be protected.

4. Anycast for DDoS Mitigation

  • Anycast helps spread the traffic over multiple nodes. A single IP address is announced from several locations, and depending on where the traffic originates it is routed to the nearest node. When a DDoS attack occurs, it only overwhelms one anycast node; the others keep operating.