A Look Inside the Anonymous DDoS Attack Code

Tuesday, August 23, 2011

Headlines


Distributed denial of service (DDoS) attacks are used to interrupt a computer network’s ability to function by flooding it with information, thus denying service to legitimate users.

The attacks are relatively simple to orchestrate, and extremely difficult to defend against, making them one of the most favored tools for an attacker, be they a nation-state like China or a hacktivist group like Anonymous.

When conducting a DDoS attack, Anonymous typically employs a series of established botnets and a downloadable tool called the Low Orbit Ion Cannon (LOIC).

A botnet is an illicit network of computers and web servers, established by infecting targeted hardware with malicious code so that it can be controlled remotely.

It has been largely thought that the success of an attack by Anonymous depended on the operation organizer's ability to publicize and gain crowd-sourced participation for the assault "hive", and that operations that fail to attract enough participants fail to take the targeted website off-line.

While the use of established botnets certainly reduces the need for crowd-sourcing, it is generally thought that Anonymous does not control a large enough array of zombie systems to carry off effective attacks with the botnets alone - hence the heavy advertising they conduct when launching an attack.

An article written by Alex Holden, Cyopsis Director of Enterprise Security, now challenges many of these assumptions. The attack method Holden describes is called a Reflected Denial of Services (RDoS).

Holden claims to have studied the code used by Anonymous for their DDoS attacks, and he concludes that they are able to do more with less.

"The code itself is straightforward, generating the desired effect at will without the need to control a large number of systems," Holden writes.

"Many think of DDoS as a computer network such as a bot network of rogue or infected machines which carry out the orders of whoever controls them. In the case of this specific code, Anonymous only needed to control a single system to begin the attack.  The rest is carried out by unwitting accomplices performing their standard functions in a slightly modified fashion."

Holden states that the method employs a Layer 3 protocol to fake the source of a request, with the faked source set to the target. The attackers then choose a Layer 4 protocol to make a small request that ultimately generates an enormous response.

"Using the Simple Network Management Protocol (SNMP) it is easy to generate a request for information and get a large amount of data back. All you need to know is a read-only community string," Holden writes.

"How many devices are out there on the Internet that listen on the default community strings? Since read-only SNMP string is not considered to be dangerous to the device and many devices (printers, routers, etc.) rely on SNMP public community string as a discovery or management protocol, there are literally thousands upon thousands of devices that are open."

Holden says an Internet scan can provide all the information on locating the open devices needed to carry out this DDoS methodology.

"A basic internet scan can reveal tons of systems accessible via SNMP on the Internet.  Many will have the default read-only community string enabled. All Anonymous needed to do was to create a UDP packet with an SNMP request on oid=1.3.6.1 (return all the data) and send it to the list of the systems. The source IP of SNMP packet is switched to the target for the attack and voila! In this type of SNMP Reflected Denial of Services attack, a single packet with such a request can generate many megabytes of data in response," Holden concluded.

And just how effective is this amplification technique? According to Holden's analysis, it is surprisingly powerful.

"This amplification effect can be -- and was -- devastating even to targets with an incredible amount of Internet bandwidth."
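For operators of SNMP-enabled devices, the small-request, large-response pattern Holden describes shows up in flow data as UDP/161 replies far larger than the requests that triggered them, sent to addresses outside the management network. The following is an added example, not code from the article or from Holden's analysis; the management network, the threshold and the flow records are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed site values (hypothetical): networks allowed to poll SNMP, alert ratio.
MGMT_NETS = [ipaddress.ip_network("10.0.0.0/24")]
SNMP_PORT = 161
RATIO_THRESHOLD = 10.0

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto, bytes)
SAMPLE_FLOWS = [
    ("10.0.0.5", 40001, "192.0.2.10", 161, "udp", 90),        # normal NMS poll
    ("192.0.2.10", 161, "10.0.0.5", 40001, "udp", 400),
    ("203.0.113.7", 5353, "192.0.2.10", 161, "udp", 85),      # request claiming an outside source
    ("192.0.2.10", 161, "203.0.113.7", 5353, "udp", 64000),   # oversized reply to that address
    ("203.0.113.7", 5353, "192.0.2.11", 161, "udp", 85),
    ("192.0.2.11", 161, "203.0.113.7", 5353, "udp", 58000),
    ("198.51.100.9", 50000, "192.0.2.10", 443, "tcp", 1200),  # unrelated traffic
]

def is_mgmt(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MGMT_NETS)

def find_reflection(flows, threshold=RATIO_THRESHOLD):
    """Return {(device, remote): reply/request byte ratio} for suspicious SNMP pairs."""
    req = defaultdict(int)   # bytes sent to device:161, keyed by (device, remote)
    resp = defaultdict(int)  # bytes sent from device:161, same key
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp":
            continue
        if dport == SNMP_PORT:
            req[(dst, src)] += nbytes
        elif sport == SNMP_PORT:
            resp[(src, dst)] += nbytes
    alerts = {}
    for (device, remote), out_bytes in resp.items():
        if is_mgmt(remote):
            continue  # expected polling from the management network
        in_bytes = req.get((device, remote), 0)
        ratio = out_bytes / in_bytes if in_bytes else float("inf")
        if ratio >= threshold:
            alerts[(device, remote)] = round(ratio, 1)
    return alerts

def victims(alerts):
    """Remote addresses receiving amplified replies from more than one device."""
    seen = defaultdict(set)
    for device, remote in alerts:
        seen[remote].add(device)
    return {r: sorted(d) for r, d in seen.items() if len(d) > 1}
```

Devices that appear in the result are answering SNMP for sources outside the management network; restricting who may query them and replacing the default read-only community string removes them from the pool of reflectors.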
