Many businesses may believe they have prepared their Internet defences adequately against Distributed Denial of Service (DDoS), but the attacks they are fending off are about to become increasingly fierce. Prolexic Technologies has already seen the devastating capabilities of a server-based zombie assault that floods its targets with more than 15 million packets a second, and it warns that we are likely to see bigger and more complicated DDoS attacks in 2006.
DDoS has been an ongoing headache for organisations that rely heavily on the Internet for their business, many of which have been held to ransom with threats to bring them down or with actual malicious attacks. Prolexic's customers include finance companies, online pharmacies and retailers; indeed, any company that does business on the Internet is a potential target.
A DDoS attack occurs when a multitude of compromised systems ("zombies" or "bots", an abbreviation of robots) send a flood of malicious traffic at a target. Cyber-criminals can gain complete control of unpatched and unprotected personal computers and use them as zombies to launch large and destructive DDoS onslaughts. These have predominantly taken two forms: volumetric floods that saturate the target's network links with sheer volume of data, and application-layer attacks that open many web pages or connections at once so that the site runs out of resources to handle legitimate requests.
At the beginning of February 2006, Stormpay, a leader in online payment processing, noticed extremely high volumes of traffic arriving at its site. The company had previously experienced intermittent, lower-level application attacks averaging around 1-2 Gbps, and had been gradually adding more and more bandwidth to cope. As the attack grew to full size, Stormpay went offline. The company signed up to its carrier's DDoS mitigation service; however, the new level of attack was too sophisticated for the carrier to deal with.
Stormpay's CTO, Jim Grago, explains how it fought back: "We received a DDoS attack that took us completely offline. We used a major carrier's DDoS service, but due to the intense and sustained nature of the attacks, that failed after a couple of hours as the carrier was unable to handle the large attack. We signed up to Prolexic's service, and they showed a huge amount of tenacity in fending off the ever-changing attack."
Prolexic recognised that the attack was a DNS amplification attack, a newer class of attack that has been labelled 'the Katrina of Internet Storms'. A DNS amplification attack works by sending queries for large DNS records to a large number of recursive name servers around the world that will answer queries from anyone. The attacker (or the bots it controls) spoofs the source IP address of each query to be the target's address, so every resolver sends its reply, many times larger than the query that provoked it, to the target rather than back to the attacker. Because DNS runs over UDP there is no handshake to verify the source address, and the target is flooded with responses to queries it never sent, from name servers that are not themselves compromised and cannot simply be shut down as bots would be.
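A practical consequence of the mechanism above is that the reflected traffic has one reliable signature on the victim's side: it consists of DNS responses to queries the protected network never sent. The following Python script is an added example, not Prolexic's or Stormpay's code, showing how to apply that check to NetFlow-style records. The flow records, the protected addresses in 192.0.2.0/24 and the resolver addresses in 198.51.100.0/24 and 203.0.113.0/24 are all constructed for the example (RFC 5737 documentation ranges), and the thresholds are assumptions to be tuned per network.

```python
"""Detect reflected DNS responses (amplification traffic) in UDP flow records.

Added example. Flow records and addresses below are constructed; the
thresholds are illustrative assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One unidirectional UDP flow record (constructed, NetFlow-like)."""
    ts: float      # seconds since capture start
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int


def find_unsolicited_dns_responses(flows, protected, window=2.0):
    """Return inbound port-53 responses to protected hosts that no recent
    outbound query explains.

    DNS over UDP has no handshake, so the only state available is our own
    outbound queries: an inbound packet from resolver:53 to client:port is
    solicited only if client:port sent resolver:53 a query within `window`
    seconds. In an amplification attack the queries were sent by the attacker
    with our address spoofed, so nothing on our side ever matches.
    """
    outbound = {}          # (client, client_port, resolver) -> last query time
    unsolicited = []
    for f in sorted(flows, key=lambda x: x.ts):
        if f.src in protected and f.dport == 53:
            outbound[(f.src, f.sport, f.dst)] = f.ts
        elif f.dst in protected and f.sport == 53:
            sent = outbound.get((f.dst, f.dport, f.src))
            if sent is None or f.ts - sent > window:
                unsolicited.append(f)
    return unsolicited


def summarize(unsolicited, min_resolvers=10, min_bytes=50_000):
    """Aggregate unsolicited responses per victim and flag the amplification
    signature: many distinct reflectors delivering a large volume."""
    per_victim = defaultdict(lambda: {"resolvers": set(), "bytes": 0, "packets": 0})
    for f in unsolicited:
        v = per_victim[f.dst]
        v["resolvers"].add(f.src)
        v["bytes"] += f.nbytes
        v["packets"] += 1
    return {
        dst: {
            "resolvers": len(v["resolvers"]),
            "bytes": v["bytes"],
            "packets": v["packets"],
            "suspected_amplification": (
                len(v["resolvers"]) >= min_resolvers and v["bytes"] >= min_bytes
            ),
        }
        for dst, v in per_victim.items()
    }


PROTECTED = {"192.0.2.10", "192.0.2.11"}   # hypothetical protected hosts


def build_sample_flows():
    """Constructed traffic: one legitimate lookup, one stale duplicate answer,
    and 50 open resolvers each reflecting a ~4 kB answer at 192.0.2.10."""
    flows = [
        Flow(0.0, "192.0.2.11", 40001, "198.51.100.5", 53, 60),    # real query
        Flow(0.1, "198.51.100.5", 53, "192.0.2.11", 40001, 180),   # its answer
        Flow(5.0, "198.51.100.5", 53, "192.0.2.11", 40001, 180),   # outside window
    ]
    for i in range(50):
        flows.append(Flow(1.0 + i * 0.01, f"203.0.113.{i + 1}", 53,
                          "192.0.2.10", 1024 + i, 4000))
    return flows


if __name__ == "__main__":
    report = summarize(find_unsolicited_dns_responses(build_sample_flows(), PROTECTED))
    for dst, r in sorted(report.items()):
        print(dst, r)
```

The check is deliberately stateless about the resolvers themselves: blocking the reflecting name servers one by one is futile when thousands exist, so the useful output is the per-victim volume and reflector count that a scrubbing service or upstream ACL on inbound UDP/53 can act on. The single stale response to 192.0.2.11 is reported but does not trip the threshold, which is the intended behaviour for retransmissions and late answers.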
The attack was hard and sustained, with up to 10 Gbps of traffic flooding Stormpay. Prolexic's 'Clean Pipe'TM service provides a blocking and filtering system that allows only legitimate traffic to get through. Prolexic routed the traffic through its partner data centres, then located the attacking sources and blocked traffic from them. Over several days there was an escalating war: as Prolexic shut down one "Command and Control" server, used to provide instructions and targets to the bots, another would appear within hours.
Matt Wilson, VP Operations at Prolexic, describes the attack as a "war of attrition":
“We used every data centre to spread the attack out and managed to fend off the attack,” he says. “Without adequate defences Stormpay could have disappeared from the Internet for months, with a substantial cost to get back up. It would have been a corporate death penalty.”
There are very few co-location centres in Europe that can handle these types of attacks, and a company using a small hosting facility simply would not stand a chance in an attack of this nature. Prolexic has a partnership with TelecityRedbus, the leading provider of co-location and managed data centre services in Europe. Via Prolexic, TelecityRedbus' data centres offer a suite of border defence products and services designed to protect against DDoS attacks and other forms of malicious traffic, including viruses and worms.
Stormpay's Jim Grago elaborates: "At one point the attacker, in an attempt to destroy our business, successfully took both our hosting facilities offline. Prolexic didn't waver, and working with us well into the night, surpassed the ingenuity of the attacker with their own creativity and determination. Stormpay is still here and stronger than ever, and for that I give a big thanks to Prolexic's staff."
So who was behind the attacks? The perpetrators of DDoS attacks are notoriously hard to locate, as they control PCs and, in this case, servers on any number of continents and could be operating from anywhere in the world. Matt Wilson has some ideas about this case:
“The persistence of the attacks in the case of Stormpay suggests corporate sabotage, with one talented hacker being paid for the amount of time he could keep the attack going or actually bring the site down. Location-wise some of the “Command and Control” servers were in Japan so he (or she) may be working out of Eastern Asia but it is not possible to say at this time.”
Prolexic has become a valued partner of law enforcement agencies worldwide, including the FBI and the UK's National Hi-Tech Crime Unit (now part of SOCA), as its proprietary technology allows it to reverse-engineer attacks and conduct forensic analysis that directs law enforcement agencies to the source of these destructive and unlawful attacks. Prolexic has been working with the authorities to investigate incidents like the one that struck Stormpay.
Prolexic has the final word, and it is a warning that the worst is yet to come. Says Matt Wilson: "This attack was not a one off. We are expecting more of the same throughout the year and many UK companies are completely vulnerable."