In the wake of MasterCard shutting down Wikileaks.org’s merchant account, an anonymous group of “hackers”, who collectively call themselves “Anonymous”, has taken it upon itself to exact some vigilante justice against the evil free-speech-suppressing corporation. Of course MasterCard, PayPal, PostFinance.ch, Visa.com and Amazon.com, the other targets named in “Project Payback”, have been instructed by the State Department to cease business with Wikileaks.org as it is engaging in illegal activities, but this has not stopped the anonymous hacker group from organizing attacks and successfully taking down many of these websites, as well as the business website of the lawyer representing the two women pressing charges against Wikileaks’ founder Julian Assange.
The most interesting feature of the attacks so far on Mastercard.com and Visa.com is that they display a notable lack of technical sophistication. No “hacking” in the sense of breaking in, penetrating services, or exploiting vulnerabilities is involved. Instead these attacks employ a more rugged, brute-strength approach. Technically, a Distributed Denial of Service attack (or DDoS) involves saturating a server with legitimate-looking traffic until it becomes overloaded and stops functioning. Any single residential connection cannot generate enough traffic to cause a significant disruption, so the attack is distributed among many connections, causing a spike in traffic that shuts down the website.
As you can see in the above graphic, Project Payback instructs attack participants to “set your LOIC HIVE server to, loic.anonops.net channel #loic”. LOIC stands for “Low Orbit Ion Cannon” and is a juvenile “hacking” tool which simply issues hundreds of requests to the target server, simulating hundreds of users visiting the website at once. The “HIVE” server coordinates the participants’ computers so that they attack specific targets. Combining a few hundred participants using the easy-to-use, readily downloadable software results in hundreds of thousands of requests overloading the Mastercard.com and Visa.com servers.
Unfortunately, these days taking down one of the websites of a Fortune 500 company is as easy as getting a few people to download and run a simple executable with a GUI. No command lines or “linux-fu” required. A quick look at the LOIC command-and-control (IRC) channel at the time of MasterCard’s first downtime today showed 940 computers participating in the attack. At the time of this article’s writing, the number of computers currently participating in the voluntary “botnet” is over 1700.
Five years ago this type of attack with so few participants would have been implausible. Data centers, where such corporate websites are hosted, had the ability to handle many orders of magnitude more traffic than what a thousand home users could generate. However, with an abundance of faster and faster home internet connections using new cable and fiber-optic technologies, data center bandwidth is no longer the bastion of server protection it once was. With an average upstream bandwidth capability of 2-5 megabits (assuming low to medium level technical residences with broadband), 2000 attackers could easily saturate a 10 Gigabit server connection, which is substantially more bandwidth than what is used by the majority of non-media Fortune 100 companies.
So how can your company prevent this type of attack? Unfortunately, your company can be 100% PCI-DSS compliant, completely free from software vulnerabilities, able to handle hundreds of thousands of legitimate visitors (much like Mastercard.com and Visa.com) and still fall prey to these technically unsophisticated, brute-strength style DDoS attacks. The easiest way for you to be safe from this type of attack is to use a DDoS mitigation service utilizing a “traffic cleaning center”, which operates at peering points on the internet backbones and redirects only valid, “clean” traffic to your servers (“DDoS Mitigation via Regional Cleaning Centers”, Agarwal 2004). This technique was first published as a joint paper by Sprint and UC Berkeley in 2004. Since then, several companies, such as Verisign, have commercialized the technique.
Aside from these professional services, a penetration test identifies common software flaws which result in simple denials of service that can be exploited by one attacker rather than thousands. Other solutions for in-house IT are to utilize a low DNS TTL (so that if one IP address is the target of the attack, your company’s website can be redirected to another server quickly), combined with carefully monitoring traffic and crafting firewall rules to block attackers that make requests in a predictable pattern. However, this method has diminished in utility with the most modern DDoS attacks randomizing requests and impersonating or spoofing source IP addresses.
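To make the in-house monitoring idea concrete, here is an added example (not code from the original post) that runs two checks over web-server access logs: a per-source rule that keys on the predictable pattern described above (one address repeating the same request far above normal rates), and an aggregate per-window rule that still fires when the same flood is spread across many or spoofed addresses, which is exactly the case where the per-source rule goes quiet. The log format, the thresholds and the sample traffic are all assumptions constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common log format: source IP, timestamp, request line, status (sample constructed below).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def window_stats(lines, window_s=10):
    """Bucket requests into fixed windows: window -> ip -> Counter(path), plus totals."""
    per_src, total = defaultdict(lambda: defaultdict(Counter)), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that do not parse
        ip, ts, _method, path, _status = m.groups()
        w = int(datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").timestamp() // window_s)
        per_src[w][ip][path] += 1
        total[w] += 1
    return per_src, total

def flag_sources(lines, window_s=10, max_requests=50, same_path_ratio=0.9):
    """Sources that exceed max_requests in one window and hammer a single path:
    the predictable pattern a firewall rule can key on. Returns {ip: (count, path)}."""
    flagged = {}
    for sources in window_stats(lines, window_s)[0].values():
        for ip, paths in sources.items():
            n = sum(paths.values())
            path, top = paths.most_common(1)[0]
            if n >= max_requests and top / n >= same_path_ratio:
                flagged[ip] = (n, path)
    return flagged

def aggregate_spikes(lines, window_s=10, baseline=20):
    """Windows whose total exceeds the baseline regardless of source: catches a flood
    spread over many or spoofed addresses, which the per-source rule above misses."""
    return {w: n for w, n in window_stats(lines, window_s)[1].items() if n > baseline}

def make_sample_log():
    """Constructed sample traffic, not real logs: a normal trickle, one loud source,
    and the same-sized flood spread over 120 distinct addresses in a later window."""
    ts = "[07/Dec/2010:12:00:%02d +0000]"
    fmt = '{ip} - - {ts} "GET {path} HTTP/1.1" 200 512'
    lines = [fmt.format(ip=f"192.0.2.{i}", ts=ts % i, path=f"/page{i}") for i in range(5)]
    lines += [fmt.format(ip="10.0.0.7", ts=ts % 3, path="/") for _ in range(120)]
    lines += [fmt.format(ip=f"198.51.100.{i}", ts=ts % 30, path="/") for i in range(120)]
    return lines

if __name__ == "__main__":
    print("per-source flags:", flag_sources(make_sample_log()))   # only 10.0.0.7
    print("aggregate spikes:", aggregate_spikes(make_sample_log()))  # both windows
```

The per-source check names only 10.0.0.7, while the spread-out flood in the second window is visible solely through the aggregate count, so the two rules should be deployed together rather than relying on source-based blocking alone.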
With social media allowing conceivably anyone to convince a few thousand people to take down a website, and with home users’ internet connectivity making this a serious issue, servers today exist in a game of raw strength and numbers. Is your network safe from these availability issues?