Attack of the Botnet Zombies

There have been plenty of zombie movies over the past few years. The plots are similar — the undead stalk the living — and the productions are generally not Oscar material. But somehow the threat hits a nerve with the general public. To illustrate a threat of a different kind, let’s come up with a story line of our own. Suppose unsuspecting customers of a restaurant chain are contaminated with a kind of zombie virus. And to make it more interesting, let’s say that the virus is able to communicate remotely with a kind of distant controller. Upon command on some later date, these humans suddenly are triggered to be zombies and they begin attacking a company building in New York. There are so many of them that the occupants are overwhelmed. Everything comes to a standstill. The zombie crowd is so large that the company can no longer continue. Which brings us to distributed denial of service (DDOS) attacks.

Waking the Zombies

One of the best ways to bring a computer system to a halt is to exhaust its resources. Tie up the CPU, memory, and processes in unnecessary busy work and it won’t have any resources left to do the work it was created to do. That’s the idea behind DDOS. These types of attacks can shut down a server or computer network as a mass of service requests flood the network. It’s all an exploitation of the TCP exchange mechanism.

And the zombie plot we sidetracked you with in the introduction? It’s real. Only the zombies aren’t people in this case. They are computers, lying dormant until activated through a vast botnet. When the zombie computers from all across the globe are awakened by their evil overlord, they each send TCP request after TCP request to a target system. Each zombie drops the call in the middle of the TCP conversation; while the target computer keeps trying to complete the exchange, the zombie sends another request. And another. Pretty soon it’s too much, and the target system is overwhelmed.

The zombies receive commands from their master through the botnet. The sad thing is that these zombies are not evil themselves. They are simply compromised computers, innocent pawns in an awful campaign of cyber mischief, owned by unsuspecting citizens of the world. Botnet zombies are enlisted through email, websites, and social media. One of them might be yours.

Disrupting the Internet

Denial of service (DOS) attacks have been around for a while. In the old days it was a singular attack from a single source. These kinds of attacks are fairly easy to counter now. The threat was somewhat manageable before the advent of the zombie botnet.

But the bad guys are very enterprising, as we all know. Rather than dedicating their minds and talents to the good of mankind, DDOS attackers keep honing their skills, looking for new means to mess with people. And the threat has expanded exponentially.

A teardrop attack, as explained by Radware, is a denial-of-service attack using fragmented packets. “One of the fields in an IP header is the ‘fragment offset’ field,” they explain, “indicating the starting position, or offset, of the data contained in a fragmented packet relative to the data in the original packet.” The point of this type of attack is to confuse the target computer by toying with this field. Older computers were susceptible to this.

A Smurf attack works by spoofing the target machine’s IP address while broadcasting ICMP messages (pings). The recipients of the pings naturally ping back — to the target machine, overwhelming it. This attack has been fairly well neutralized in most networks.

The big daddy of the DOS attacks is the amplification DDOS attack. The strategy is to use publicly available DNS servers to wreak havoc on vulnerable systems. A Wikipedia writer says that this involves a mechanism called “the amplification effect”. Tom Scott of Computerphile explains this very well. He warns that it’s an attack that can take down pretty much any system, something that could disrupt the whole internet. And there’s not much you can do about it.

Attackers Have Their Reasons

The gratification of evildoers remains beyond our explanation here, but there are some specific goals that some attackers may have in mind. One thing that a relentless DDOS attack can do is distract. Combined with other exploits, an attacker may slip into another part of a computer infrastructure while IT personnel are busy battling the attack of the DDOS zombies. That’s one thing to look out for.

Another way that DDOS is used is to threaten a company until a ransom is paid. There is probably a lot of this kind of activity going on that we don’t know about. If a company pays ransom to an attacker, that may not be something that they would like to be publicly known.

Hacktivists may have other reasons for using DDOS. They could be political — for instance, targeting a candidate’s website or a political organization’s system — or there may be commercial motives. If a competitor’s website is bombarded and overwhelmed until it is taken out of service — well, that takes care of the competition, doesn’t it?

Oh, but regular people wouldn’t do that, would they? Well, some arenas (politics, big business) are pretty rough. And keep in mind that unsavory characters can acquire software or even hire out the work. Yes, people will attack networks for money — as if it’s a legitimate business. What a world we live in.

Then you have others who do it for fun. Curious teens might want to see how good they are. And going up against big organizations from your mother’s basement might seem like just the challenge for a boring weekend.

Detection and Mitigation

It won’t do to shrug your shoulders and give up on defending against distributed denial-of-service attacks. Tom Scott is pretty smart, and he says that they need to do something about the “relays” that propagate this traffic across the internet. But you can’t just remain a sitting duck out there waiting to be attacked.

The first step is to keep your eye out for the attack. There are tools and systems out there for detecting DDOS attacks in real time. One of those is called Wireshark. One giveaway is a spike in TCP SYN statistics. To explain further, let’s get a breakdown of this TCP transaction that DDOS attacks exploit.

TCP, which stands for transmission control protocol, is a layer-four protocol in the TCP/IP stack, the protocol suite the internet runs on. Just about all internet traffic depends on TCP. A protocol is a conversation between two network devices. Let’s compare two conversations, one human and the other between two computers.

John: “Hello! I’m John.”
Susie: “Hi! I’m Susie.”
John: “Nice to meet you, Susie!”
(Now John and Susie shake hands.)

Host A: SYN (synchronize)
Host B: SYN-ACK (synchronize-acknowledge)
Host A: ACK (acknowledge)
(Now we have a TCP three-way handshake.)

So what if Host A (the DDOS attacker) never sends that final acknowledgement? Suppose it just keeps sending more SYN requests. And so do all its fellow botnet zombies. Then you have a lot of half-open connections, SYNs that were answered with a SYN-ACK but never acknowledged, and that pile-up should be evident in the SYN statistics on Wireshark or other tools.
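To make that “unacknowledged SYN” signal concrete, here is an added example (not from the article, Wireshark, or any tool it names) that walks constructed Wireshark-style packet summaries, tracks each client through the SYN / SYN-ACK / ACK exchange above, and flags sources that keep sending SYNs without ever completing a handshake. The addresses, the one-line-per-segment log format and the thresholds are assumptions for the illustration.

```python
from collections import defaultdict

TARGET = "198.51.100.10"  # the server being watched (constructed address)

# Constructed packet summaries, one TCP segment per line: "time src dst flags".
# 203.0.113.5 is a normal client; 192.0.2.7 is a zombie that only ever sends SYNs.
SAMPLE_LOG = """\
0.001 203.0.113.5 198.51.100.10 SYN
0.002 198.51.100.10 203.0.113.5 SYN-ACK
0.003 203.0.113.5 198.51.100.10 ACK
0.010 192.0.2.7 198.51.100.10 SYN
0.011 198.51.100.10 192.0.2.7 SYN-ACK
0.020 192.0.2.7 198.51.100.10 SYN
0.021 198.51.100.10 192.0.2.7 SYN-ACK
0.030 192.0.2.7 198.51.100.10 SYN
0.031 198.51.100.10 192.0.2.7 SYN-ACK
0.040 192.0.2.7 198.51.100.10 SYN
0.041 198.51.100.10 192.0.2.7 SYN-ACK
0.050 192.0.2.7 198.51.100.10 SYN
0.051 198.51.100.10 192.0.2.7 SYN-ACK
"""


def handshake_stats(log, target=TARGET):
    """Per client: (SYNs sent to the target, handshakes finished with the client's ACK)."""
    syns = defaultdict(int)   # SYNs seen from each client
    done = defaultdict(int)   # three-way handshakes completed per client
    waiting_ack = set()       # clients the target has SYN-ACKed, ACK still missing
    for line in log.splitlines():
        _, src, dst, flags = line.split()
        if dst == target and flags == "SYN":
            syns[src] += 1
        elif src == target and flags == "SYN-ACK":
            waiting_ack.add(dst)
        elif dst == target and flags == "ACK" and src in waiting_ack:
            waiting_ack.discard(src)   # handshake closed: no longer half-open
            done[src] += 1
    return {client: (syns[client], done[client]) for client in syns}


def suspicious_sources(stats, min_syns=5, max_completion=0.2):
    """Clients that send many SYNs yet complete almost none of the handshakes."""
    return sorted(c for c, (s, d) in stats.items()
                  if s >= min_syns and d / s <= max_completion)


def half_open_total(stats):
    """SYNs the target answered but never saw acknowledged: the backlog a flood fills."""
    return sum(s - d for s, d in stats.values())
```

On a real capture you would feed the same kind of summary lines exported from Wireshark or tshark and watch `half_open_total` climb while `suspicious_sources` grows.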

Detection is not enough, though. You need a strategy for mitigation. Linda Musthaler of NetworkWorld has put one together for us in an article called “Best practices to mitigate DDoS attacks”, so we’ll just summarize it here. I’m sure she won’t mind if we borrow her major points:

  • Don’t count on a firewall to prevent or stop a DDoS attack
  • Bake DDoS into your business continuity and disaster recovery plan
  • Know the signs of an active attack
  • Know who to call to stop an attack
  • Know your customers and lock out unexpected transactions
  • Measure the financial impact of being offline for a period of time
  • If you are the victim of a DDoS attack, look for fraud, data breaches or other criminal activity


The SANS Institute website offers a step-by-step approach to combating DDOS attacks that is a bit more technical in nature. They talk about egress filtering to stop spoofed IP packets from leaving your network, and preventing your site from becoming a source for DDOS amplification. Their warning is pretty clear: “Organizations that operate networks connected to the Internet may be serving as unwitting participants in Denial of Service (DoS)”.

Your network professionals probably have a few tricks up their sleeves for dealing with DDOS attacks. They can use access control lists and rate limits to deal with unwanted network traffic. If you’re getting a lot of nasty problems from somewhere in Asia where you have no customers, for instance, you might want to filter out traffic from that area. Or it may be a matter of jiggering network configs or hiding behind NAT or switching to another server — or maybe just shutting everything down for a while, if it won’t hurt business.


It’s a dangerous world we live in — as your parents must have told you. Threats are lurking in the dark corners of the world. And while some may secretly fear the coming zombie apocalypse, the real threats to your business may be the digital zombies that may have been swept into some horrible botnet, waiting… waiting for the signal to attack.

We leave you with this excerpt from a report from The Hacker News from September 27, 2016:

World’s largest 1 Tbps DDoS Attack launched from 152,000 hacked Smart Devices

Do you know — Your Smart Devices may have inadvertently participated in a record-breaking largest cyber attack that Internet has just witnessed.

If you own a smart device like Internet-connected televisions, cars, refrigerators or thermostats, you might already be part of a botnet of millions of infected devices that was used to launch the biggest DDoS attack known to date, with peaks of over 1 Tbps of traffic.

The zombies are coming. You have been warned.
