Goodbye 3 5.2 Denial Of Service Tool

Closed for Business - the Impact of Denial of Service Attacks in the IoT

A Denial of Service (DoS) attack happens when a service that would usually work becomes unavailable. There can be many reasons for unavailability, but it usually refers to infrastructure that cannot cope due to capacity overload.

Distributed Denial-of-Service attack tools

DDoS attacks can be launched by using tools that are built to generate DDoS attacks. There are many DDoS attack tools. Some well-known tools are listed below:

Trinoo — is an attack tool that installs agent.

SC-5 (3)(a) Employs [Assignment: organization-defined monitoring tools] to detect indicators of denial of service attacks against the information system; and

SC-5 (3)(b) Monitors [Assignment: organization-defined information system resources] to determine if sufficient resources exist to prevent effective denial of service attacks.

The Denial of Service attacks that we will be discussing today are called Distributed Denial of Service (DDoS), which result from a large number of systems maliciously attacking one target. This is often done through a botnet, where many devices are programmed (often unbeknownst to the owner) to request a service at exactly the same time.

In comparison to hacking attacks like phishing or brute-force attacks, DoS doesn’t usually try to steal information or lead to a security breach, but the loss of reputation for the affected company can still cost a large amount of time and money. Often customers also decide to switch to an alternative provider, as they fear future security issues, or simply can’t afford to have an unavailable service. A DoS attack lends itself to activists and blackmailers – not really the best situation for companies to find themselves in.

How can Denial of Service attacks have such a big impact in the IoT?

The Internet of Things offers a wide variety of smart devices – all of which face the difficulty of securing overall privacy. As the devices are all so different, their heterogeneous nature is often used as an excuse by manufacturers and owners alike to skip sufficient security controls.

A DDoS attack is directed at a single target from many different sources – and here the Internet of Things must feel to hackers a bit like a toyshop does to children: millions of devices, all too often unprotected and unmonitored for long periods of time. The scale at which these attacks are now possible is rising tremendously with the advancement of the Internet of Things.

Hence it doesn’t come as a big surprise that Akamai researchers say that nearly 21% of DDoS attacks now result from Internet of Things devices. We predict this will only keep increasing over the next few years.

In the past DDoS attacks were limited to computers and internet connected machines, usually with a reasonable level of protection. The Internet of Things opens up a large variety of devices to potential attacks – from printers, to cameras, fridges, thermostats, sensors and routers to name a few. Not only is there a sheer amount of these devices, but they are often protected with very limited security, if any at all. It is all too easy to exploit those weaknesses and launch large-scale attacks without the knowledge of the owner.

However, not only can connected devices be used for attacks, they can also become the target of said attacks. While a connected fridge that stops working for a while might be very unfortunate for the owner, think about the devices that have a huge impact on many people’s lives, for example: control valves at power plants, sensors used in weather observations, door locks in prisons or traffic signals in so called smart-cities.

Scarily, GCN reports that the search engine Shodan specialises in finding those internet connected devices – hence making it very easy for hackers to find potential targets.

The most well-known and spectacular DoS attacks in the last few years

In 2013: 39 attacks above 100 Gbps (Gigabits per second), which have steadily increased over time.

March 2013: the Spamhaus DDoS attack saw 120 Gbps of traffic hitting their networks – one of the largest attacks up to March 2013

August 2013: Part of the Chinese internet went down in one of the largest DDoS attacks. Despite one of the most sophisticated security systems in the world and the government having some of the highest abilities to carry out cyberattacks themselves, China wasn’t capable of defending itself from the attack.

Summer 2014: A massive 300 Gbps DDoS attack exploited flaws in 100,000 unpatched servers joined together as a botnet. An unidentified data centre faced a DDoS attack of enormous scale.

December 2014: An unnamed internet service provider experienced an NTP (Network Time Protocol) DDoS attack that reached a new level of strength with 400 Gbps – the largest Denial of Service event in history so far.

Spring 2015: UK-based phone carrier Carphone Warehouse gets targeted by a DDoS attack – while hackers steal millions of customers’ data.

July 2015: The New York Magazine gets hit by a DDoS attack just after publishing interviews of 35 women accusing Bill Cosby of sexual assault.

December 2015: Threats of a DDoS attack on Microsoft’s Xbox Live service claim to take down both the Xbox Live and PlayStation networks over the Christmas period for up to a week. The attackers are trying to highlight the continued weak security of Microsoft’s services.

January 2016: The latest target of a sophisticated DDoS attack saw some HSBC customers losing access to their online banking accounts two days before the tax payment deadline in the United Kingdom.

Digitaltrends reports that over the last quarter, DDoS attacks grew by 7%, and 132% compared to 2014. With more and more technical abilities and devices to use for these attacks, DDoS attacks are likely to be here to stay. We also expect more and more mega attacks, that are reaching unknown levels of traffic, targeting relevant and vulnerable industries like gaming and telecoms.

We offer more information about the rising Internet of Things and ways to secure mobile and IoT devices on our website. In addition our webinar 'PKI for the Internet of things' shows how proven technology can be leveraged to identify devices, encrypt communication and ensure data integrity.


A Denial of Service (DoS) attack is designed to cause service outages. These attacks can easily cost an organization a significant amount in damages and wasted resources, even if the attacker does not demand a ransom to stop the attack. A number of different free DDoS tools exist, making it cheap and easy for even unsophisticated attackers to use this attack technique.

What is a denial-of-service attack?

A DoS attack is any attack that is designed to take a system offline or make it unavailable to legitimate users. The goal of the attack could be to hurt the target organization, extort a ransom to allow services to be restored or cover up another attack.

DoS attacks can take advantage of a number of different vulnerabilities within a computer system. Buffer overflow vulnerabilities and other programming flaws can be exploited to cause a segmentation fault or other error that causes a program to crash.

However, the most common method of performing a DoS attack is to take advantage of bottlenecks within a computing system. Every component of a system has a maximum amount of traffic, data, connections and so on that it is capable of processing, and the entire system is limited by the component with the lowest threshold. Most DoS attacks are designed to exceed this maximum capacity, making it impossible for the system to process legitimate user requests.

DoS attacks can be performed in multiple different ways. Examples of common attack techniques include:

  • Volumetric attacks: Network connections and network interface cards (NICs) have set bandwidth limitations. Volumetric attacks attempt to overwhelm these systems by sending more data than they can handle. These attacks may be composed of a massive number of small packets or a smaller number of very large ones.
  • Protocol-level attacks: Computers have a set number of TCP and UDP port numbers allocated and cannot handle a new connection if no port is available. Protocol-level attacks attempt to consume all of a computer’s available connections, making it incapable of accepting new connections.
  • Application-layer attacks: Applications communicating over the network need to be capable of processing the requests that they receive. In many cases, an application’s thresholds are much lower than the infrastructure that it runs on. By sending many legitimate requests to an application, an attacker can consume all of its available resources and make it unavailable to legitimate users.

DDoS or distributed denial-of-service attack

DoS attacks are designed to overwhelm a service with more traffic than it can handle. However, this assumes that the attacker has the resources necessary to achieve this.

Distributed DoS (DDoS) attacks are designed to ensure that the target is overwhelmed by taking a many-to-one approach to the attack. Instead of using a single machine to perform an attack, the attacker uses a botnet.

This botnet is composed of many attacker-controlled machines, including compromised computers, leased cloud infrastructure and more. Each of these machines is instructed to send some traffic to the target service. By taking advantage of its greater numbers, a DDoS botnet can take down any unprotected service, even if the target has more network bandwidth and better computers than the attacker.

Free DoS attacking tools

It’s possible for an attacker to write custom software to perform a DoS attack or malware to perform a DDoS attack, and many DDoS websites offer DDoS-as-a-Service. For penetration testers who wish to perform their attacks independently but don’t want to write their own tools, a number of free DoS attack tools exist.

1. LOIC (Low Orbit Ion Cannon)

LOIC is one of the most popular DoS attacking tools freely available on the internet. The famous hacking group Anonymous has not only used the tool, but also requested internet users to join their DDoS attacks via IRC.

LOIC can be used by a single user to perform a DoS attack on small servers. This tool is really easy to use, even for a beginner. This tool performs a DoS attack by sending UDP, TCP or HTTP requests to the victim server. You only need to know the URL or IP address of the server, and the tool will do the rest.

Image 1: Low Orbit Ion Cannon

You can see a snapshot of the tool above. Enter the URL or IP address, and then select the attack parameters. If you are not sure about what settings to use, you can leave the defaults. When you are done with everything, click on the big button saying “IMMA CHARGIN MAH LAZER”, and it will start attacking the target server.


This tool also has a HIVEMIND mode. It lets attackers control remote LOIC systems to perform a DDoS attack. This feature is used to control all other computers in your zombie network. This tool can be used for both DoS attacks and DDoS attacks against any website or server.

The most important thing you should know is that LOIC does nothing to hide your IP address. If you are planning to use LOIC to perform a DoS attack, think again. Using a proxy will not help you because it will hit the proxy server not the target server. This tool should only be used for testing the resiliency of your own systems against DoS and DDoS attacks.

2. XOIC

XOIC is another nice DoS attacking tool. It performs a DoS attack against any server if the user can provide an IP address, a target port, and a protocol to use in the attack. Developers of XOIC claim that XOIC is more powerful than LOIC in many ways. Like LOIC, it comes with an easy-to-use GUI, so a beginner can easily use this tool to perform attacks.

Image 2: XOIC

In general, the tool comes with three attacking modes. The first one, known as test mode, is very basic. The second is normal DoS attack mode. The last one is a DoS attack mode that comes with a TCP/HTTP/UDP/ICMP Message.


3. HULK (HTTP Unbearable Load King)

HULK is another nice DoS attacking tool that generates a unique request for each and every request to the web server, making it more difficult for the server to detect patterns within the attack. This is only one of the ways in which HULK eliminates patterns within its attacks.

It has a list of known user agents to use randomly with requests. It also uses referrer forgery and can bypass caching engines; thus, it directly hits the server’s resource pool.


4. DDoSIM — Layer 7 DDoS Simulator

DDoSIM is another popular DoS attacking tool. As the name suggests, it is used to perform DDoS attacks by simulating several zombie hosts. All zombie hosts create full TCP connections to the target server.


This tool is written in C++ and runs on Linux systems.

These are the main features of DDoSIM:

  • Simulates several zombies in attack
  • Random IP addresses
  • TCP-connection-based attacks
  • Application-layer DDoS attacks
  • HTTP DDoS with valid requests
  • HTTP DDoS with invalid requests (similar to a DC++ attack)
  • SMTP DDoS
  • TCP connection flood on random port


5. R-U-Dead-Yet

R-U-Dead-Yet is an HTTP POST DoS attack tool. For short, it is also known as RUDY. It performs a DoS attack with a long form field submission via the POST method. This tool comes with an interactive console menu. It detects forms on a given URL and lets users select which forms and fields should be used for a POST-based DoS attack.


6. Tor’s Hammer

Tor’s Hammer is a nice DoS testing tool written in Python. It performs slow-rate attacks using HTTP POST requests.

This tool has an extra advantage: It can be run through a TOR network to be anonymous while performing the attack. It is an effective tool that can kill Apache or IIS servers in a few seconds.


7. PyLoris

PyLoris is said to be a testing tool for servers. It can be used to perform DoS attacks on a service. This tool can utilize SOCKS proxies and SSL connections to perform a DoS attack on a server. It can target various protocols, including HTTP, FTP, SMTP, IMAP and Telnet.

The latest version of the tool comes with a simple and easy-to-use GUI. Unlike other traditional DoS attacking tools, this tool directly hits the service.


8. OWASP Switchblade (formerly DoS HTTP POST)

OWASP Switchblade is another nice tool to perform DoS attacks. You can use this tool to check whether or not your web server is able to defend against DoS attacks. Not only for defense, it can also be used to perform DoS attacks against a website during a Red Team exercise.


9. DAVOSET

DAVOSET is yet another nice tool for performing DDoS attacks. The latest version of the tool has added support for cookies along with many other features. You can download DAVOSET for free from Packetstormsecurity.


10. GoldenEye HTTP Denial of Service Tool

GoldenEye is another simple but effective DoS attacking tool. It was developed in Python for testing DoS attacks.


Detection and prevention of denial-of-service attack

A successful DoS attack can cause significant damage to an organization’s operations. For this reason, it is important to have strategies and solutions in place to protect against them.

The first step in protecting against DoS attacks is minimizing the attack surface. One way to accomplish this is to deploy a network firewall with a restrictive allow/block list. This limits inbound traffic to protocols legitimately used by applications within the organization’s network and blocks any other traffic at the network border.

Anti-DoS tools are specialized solutions designed to identify and filter out attack traffic before it reaches the target service. This is accomplished by identifying features of the malicious traffic that differ from legitimate traffic. However, the increasing sophistication of DoS attacks makes this more difficult to perform.
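One feature that separates the slow-rate HTTP POST technique (used by tools such as R-U-Dead-Yet and Tor’s Hammer) from legitimate uploads is a request body that arrives far more slowly than it should while the connection stays open. The sketch below is an added example, not code from the original article or from any of the tools; the record format, thresholds and function names are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample records, one per request, in a hypothetical format:
# src_ip method declared_content_length bytes_received seconds_open
SAMPLE_LOG = """\
198.51.100.7 POST 100000 312 290.0
198.51.100.7 POST 100000 305 288.5
198.51.100.7 POST 100000 298 291.2
203.0.113.20 POST 2048 2048 0.4
203.0.113.21 GET 0 0 0.1
203.0.113.22 POST 5000000 5000000 42.0
192.0.2.55 POST 100000 4100 300.0
"""

# Assumed thresholds; tune them against a baseline of your own traffic.
MIN_BODY_RATE = 100.0     # bytes/second below which a body upload is "slow"
MIN_OPEN_SECONDS = 30.0   # short requests cannot tie up a worker for long
MIN_SLOW_CONNS = 2        # slow connections from one source before alerting

@dataclass
class Request:
    src: str
    method: str
    declared: int    # Content-Length announced by the client
    received: int    # body bytes actually received so far
    seconds: float   # how long the connection has been open

def parse(log: str) -> list[Request]:
    out = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        src, method, declared, received, seconds = parts
        out.append(Request(src, method, int(declared), int(received), float(seconds)))
    return out

def is_slow_post(r: Request) -> bool:
    # Slow POST: long-lived, body still incomplete, trickling in below the floor.
    if r.method != "POST" or r.seconds < MIN_OPEN_SECONDS:
        return False
    incomplete = r.received < r.declared
    return incomplete and (r.received / r.seconds) < MIN_BODY_RATE

def slow_post_sources(log: str) -> dict[str, int]:
    # Count slow POST connections per source and keep repeat offenders only.
    counts = defaultdict(int)
    for r in parse(log):
        if is_slow_post(r):
            counts[r.src] += 1
    return {src: n for src, n in counts.items() if n >= MIN_SLOW_CONNS}
```

A large but fast upload (203.0.113.22) and a single slow client (192.0.2.55) are not reported, which is why the per-source count matters: one slow mobile connection is normal, several held open from the same address are not.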

The DDoS threat can also be decreased by denying attackers’ access to devices for use in their attacks. Botnets are commonly composed of computers, Internet of Things (IoT), and mobile devices that are compromised due to poor password security, lack of patching, or malware infections. Using strong passwords, installing security updates and using a trusted antivirus on all systems can help to limit the size of the botnets used in DDoS attacks.

Conclusion

Denial-of-service attacks can knock an organization’s systems offline and waste valuable resources on malicious traffic. This incurs significant costs for the target, even if the attacker doesn’t demand a ransom to stop their attacks.

The wide variety of free tools makes it cheap and easy for cybercriminals to perform DoS and DDoS attacks, so every organization should have systems in place to protect against them. This is especially true as the growth of the Internet of Things and cloud computing makes enterprise-scale attacks cheaper for attackers to perform.