Checkmate Cyber-crims!

The NCA (National Crime Agency), in association with the PSNI (Police Service of Northern Ireland) and the US FBI (Federal Bureau of Investigation), announced this week the successful takedown of the world's biggest Denial of Service for hire platform – digitalstress.su

Digitalstress was a Distributed Denial of Service platform (A.K.A. booter service) with many hundreds of customers who used its services to cause disruption to national infrastructure, communications platforms, commercial operations, and gaming services all across the world.

Operation PowerOFF

On 2 July, as part of Operation PowerOFF, law enforcement officers from the PSNI conducted a raid in which a suspected administrator of digitalstress was arrested. Subsequent investigations enabled law enforcement to seize the website used by the digitalstress admins and create a mirrored site to which customers were secretly redirected.

This mirrored site has enabled the teams to gather evidence on those customers, with a view to following up their activity with arrests of those found to have used digitalstress in cyber attacks.

The NCA also covertly and overtly accessed communication platforms being used to discuss launching DDoS attacks. Data gathered from these conversations, combined with data from the mirror site, will allow law enforcement teams to identify individuals and their activities.

Anyone using these services while our mirror site was in place has now made themselves known to law enforcement agencies around the world.

Deputy Director Paul Foster – head of the NCA’s National Cyber Crime Unit

What is a DDoS?

A Denial of Service (DoS) attack is one where a threat actor overwhelms a target system in such a way that it cannot service access requests from legitimate customers – they deny the service to those customers.

This type of attack is very old, and in most cases it can be suppressed by modern network security systems.

A Distributed Denial of Service (DDoS) attack is a variant of the DoS in which threat actors use multiple sources to launch their attacks – this allows them to send much more data to a victim service, but also to regularly change the type of attack traffic in an attempt to circumvent any security systems that would otherwise stop the attack.

In some ransomware attacks, the criminal gangs ransom their victim and then apply pressure by launching DDoS attacks against the victim, in an attempt to force them to pay the ransom more quickly than they otherwise might.

In many cases, launching a DDoS attack requires the threat actors to have access to a large number of compromised machines – a botnet. These botnets are often made up of devices belonging to other, unsuspecting victims.

One of the world's biggest DDoS botnets was Mirai – a collection of millions of compromised IoT devices such as routers, webcams, CCTV systems, smart TVs, etc. Mirai has been responsible for some of the biggest DDoS attacks (by volume of data) the Internet has ever seen – Read my post about Mirai here.

In other cases, threat actors leverage the rapid deployment of virtual machines offered by cloud providers. They can very quickly provision a large number of virtual instances, send a burst of attack traffic, and then delete these machines and provision others. This makes it incredibly difficult for security systems to detect any pattern in the attack traffic and defend against it.

Types of DDoS attack

There are various different ways a DDoS can be performed:

Volume Based Attacks – As the name suggests, volume-based attacks simply send huge volumes of data to a victim system. These attacks use the same communication protocols found in normal IT traffic, so they commonly include UDP floods, ICMP floods, and other spoofed-packet floods.

The attack's goal is to saturate the bandwidth of the attacked site, and the magnitude is measured in bits per second (bps).

A volumetric DDoS attack is what most people associate with the term DDoS because it is the most common type of attack used.

Protocol Attacks – These attacks abuse the way common communication protocols handle connections and data, and will often use SYN floods, fragmented packet attacks, Ping of Death, Smurf DDoS, DNS amplification attacks, and others. This type of attack consumes actual server resources, or those of intermediate communication equipment such as firewalls and load balancers, and is measured in packets per second (pps).

Application Layer Attacks – These attacks are often low-and-slow: HTTP GET/POST floods that target vulnerabilities in Apache, Windows, or OpenBSD. Comprised of seemingly legitimate and innocent requests, these attacks aim to crash the web server. The magnitude is measured in requests per second (rps).
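The three categories above are measured in different units because each one exhausts a different resource, so a monitor that tracks only one of them will miss the other two. The following is an added example (not code from the original post) that aggregates constructed per-second traffic records and flags which profile each window matches; the threshold values are assumptions and would be tuned to a site's own baseline.

```python
# Added example: classify traffic windows by the three magnitudes the post uses -
# bits/s (volumetric), packets/s (protocol) and requests/s (application layer).
# Thresholds and sample records are constructed for illustration.
from collections import defaultdict

# Assumed thresholds for a small site; tune these to your own measured baseline.
THRESHOLDS = {"bps": 50_000_000, "pps": 20_000, "rps": 500}


def aggregate(records, window=1):
    """Sum bytes, packets and HTTP requests into `window`-second buckets
    and convert each bucket to bits/s, packets/s and requests/s."""
    buckets = defaultdict(lambda: {"bytes": 0, "packets": 0, "requests": 0})
    for rec in records:
        b = buckets[rec["ts"] // window]
        b["bytes"] += rec["bytes"]
        b["packets"] += rec["packets"]
        b["requests"] += rec.get("requests", 0)
    return {
        t: {"bps": b["bytes"] * 8 / window,
            "pps": b["packets"] / window,
            "rps": b["requests"] / window}
        for t, b in sorted(buckets.items())
    }


def classify(rates):
    """Map one bucket's rates onto the post's attack categories."""
    labels = []
    if rates["bps"] >= THRESHOLDS["bps"]:
        labels.append("volumetric")   # bandwidth saturation (UDP/ICMP floods)
    if rates["pps"] >= THRESHOLDS["pps"]:
        labels.append("protocol")     # state exhaustion (SYN floods, fragments)
    if rates["rps"] >= THRESHOLDS["rps"]:
        labels.append("application")  # HTTP GET/POST floods
    return labels or ["normal"]


def detect(records, window=1):
    """Return {bucket: [labels]} for every window in the record set."""
    return {t: classify(r) for t, r in aggregate(records, window).items()}


# Constructed sample: four one-second windows with very different shapes.
SAMPLE = [
    {"ts": 0, "bytes": 120_000, "packets": 900, "requests": 40},        # baseline
    {"ts": 1, "bytes": 9_000_000, "packets": 6_000, "requests": 0},     # large packets: 72 Mbps, low pps
    {"ts": 2, "bytes": 1_500_000, "packets": 25_000, "requests": 0},    # tiny packets: 12 Mbps, 25k pps
    {"ts": 3, "bytes": 600_000, "packets": 1_200, "requests": 1_200},   # 1200 rps on modest bandwidth
]
```

Note that the second and third windows would be invisible to a monitor that only watched bandwidth or only watched packet rate, which is why the post tracks each attack type in its own unit.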