The traditional DOS (denial-of-service) attack is a fairly simple concept to understand – bombarding a target server, perhaps that of a newspaper, bank or government agency, with a deluge of botnet traffic until it simply gives up the ghost. President Toomas Hendrik Ilves’s own nifty analogy (and my favourite) is that it is akin to hosting a birthday party for your seven-year-old daughter only for two thousand kids to show up in your back garden instead of the five you expected.
If we continue this analogy further, it wouldn’t take much time for you to realise what was going on – more kids (web traffic) than you expected are showing up and at a certain point, you’d put a stop to things by turning the excess kids away (a firewall blocking unwanted web traffic). Of course, blocking illegitimate web traffic is a lot harder than shouting “go home” to a crowd of seven-year-olds, but the principle still holds.
On a technical level, a conventional denial-of-service attack typically works by flooding a web server with connection requests (SYN packets) to which it cannot complete a handshake because the return address has been forged, thereby keeping the connections open, stuck in a limbo of waiting for a response that never arrives. Eventually a server will get stuck with so many half-open connections that there is nowhere for legitimate user requests to go, hence the denial of service. Add in a distributed network of zombie computers (a botnet) which is used to send these requests and you have a DDOS or 2DOS attack.
The new(er) kid on the block is the diverse distributed denial of service or 3DOS attack. Utilised by so-called “hacktivists” – think Anonymous or LulzSec – this is where the deluge of traffic is not simply SYN requests as described above (for example), but is spread right across the board. Professor Alan Woodward of the University of Surrey, a leading cyber security expert, describes it as “where a variety of different types of data are sent simultaneously from one of these attacking networks”. He explains that “network data can be thought of in seven layers, from the simple 0s and 1s represented as voltages on the line through to IP addresses through to complex data, such as HTML webpages. Each layer builds upon the layer below in this seven layer model. In a DDOS attack you send data typically at say Level 3 (SYN packets for example) but in a 3DOS attack you might send not just something like SYN packets but also HTML requests and so on.”
So how much more difficult is it to deal with a 3DOS vs a 2DOS attack? “Rather than just monitoring data types at one level of the seven-layer model, you have to monitor and potentially block spurious traffic, from top to bottom of the ‘stack’,” he continues. “It is sometimes easier to defeat an attack than detect it. This is because data sent at some levels of the seven levels can look perfectly valid. For example, it can take some time to work out that requests for a web page are an attack, whereas multiple requests for something that should only occur infrequently are easier to spot. Hence by mounting an attack that mixes up all levels of data it can make the job of detection trickier.”
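The two detection views Professor Woodward contrasts above, a layer-4 backlog of half-open connections and layer-7 requests for resources that should only be asked for infrequently, can be illustrated with a small detector run over a few event records. The code below is an added example and is not from the article or from anyone quoted in it; the event line format, the thresholds, the window, the RARE_PATHS list and the sample records are all constructed assumptions chosen to make the two kinds of alert visible.

```python
"""Toy multi-layer flood detector (added example, not the article's own code).

Each constructed event line has one of two shapes:
  TCP  <timestamp> <source> <flag>    flag is SYN or ACK   (a layer-4 view)
  HTTP <timestamp> <source> <path>                         (a layer-7 view)

Layer 4: a SYN from a source is "half-open" until that source sends an ACK.
         Forged sources never ACK, so the backlog grows; alert when it passes a limit.
Layer 7: count requests per (source, path) for paths that should be rare;
         alert when one client repeats such a request too often in the window.
"""
from collections import defaultdict

# Thresholds and window are assumed values chosen for this example.
HALF_OPEN_LIMIT = 3      # half-open connections the toy server tolerates at once
RARE_PATH_LIMIT = 3      # requests to a rarely-used resource from one client per window
WINDOW_SECONDS = 10.0

# Resources a legitimate client should request only occasionally (constructed list).
RARE_PATHS = {"/login", "/search"}


def parse_event(line):
    """Parse 'TCP <ts> <src> <flag>' or 'HTTP <ts> <src> <path>' into a tuple."""
    kind, ts, src, detail = line.split()
    return kind, float(ts), src, detail


def _expire(buckets, now):
    """Drop timestamps older than the window from every bucket; remove empty buckets."""
    for key in list(buckets):
        buckets[key] = [t for t in buckets[key] if now - t <= WINDOW_SECONDS]
        if not buckets[key]:
            del buckets[key]


def detect_floods(lines):
    """Return the peak half-open backlog, a layer-4 verdict and layer-7 (src, path) alerts."""
    half_open = defaultdict(list)   # src -> timestamps of SYNs not yet acknowledged
    rare_hits = defaultdict(list)   # (src, path) -> request timestamps
    max_half_open = 0
    layer7_alerts = set()

    for line in lines:
        kind, ts, src, detail = parse_event(line)
        _expire(half_open, ts)
        _expire(rare_hits, ts)

        if kind == "TCP":
            if detail == "SYN":
                half_open[src].append(ts)
            elif detail == "ACK" and half_open.get(src):
                half_open[src].pop(0)          # handshake completed: no longer half-open
            backlog = sum(len(v) for v in half_open.values())
            max_half_open = max(max_half_open, backlog)

        elif kind == "HTTP" and detail in RARE_PATHS:
            rare_hits[(src, detail)].append(ts)
            if len(rare_hits[(src, detail)]) >= RARE_PATH_LIMIT:
                layer7_alerts.add((src, detail))

    return {
        "max_half_open": max_half_open,
        "layer4_alert": max_half_open >= HALF_OPEN_LIMIT,
        "layer7_alerts": sorted(layer7_alerts),
    }


# Constructed sample: one honest client, four forged SYN sources, one client hammering /login.
SAMPLE_EVENTS = [
    "TCP 1.0 10.0.0.5 SYN",
    "TCP 1.1 10.0.0.5 ACK",          # legitimate handshake completes
    "TCP 2.0 203.0.113.7 SYN",       # forged sources: SYNs that are never acknowledged
    "TCP 2.1 203.0.113.8 SYN",
    "TCP 2.2 203.0.113.9 SYN",
    "TCP 2.3 203.0.113.10 SYN",
    "HTTP 3.0 10.0.0.5 /",           # ordinary browsing, not a rare path
    "HTTP 3.1 10.0.0.5 /about",
    "HTTP 4.0 198.51.100.2 /login",  # repeated requests for a resource that should be rare
    "HTTP 4.1 198.51.100.2 /login",
    "HTTP 4.2 198.51.100.2 /login",
    "HTTP 4.3 198.51.100.2 /login",
]

if __name__ == "__main__":
    print(detect_floods(SAMPLE_EVENTS))
```

The layer-4 check keys on the whole backlog rather than on one source, because a forged-source flood shows up as many sources with one unanswered SYN each; the layer-7 check keys on the client, because a page request is individually valid and only becomes suspicious by repetition, which is exactly why Woodward says the mixed attack is harder to detect than to defeat.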
A 3DOS attack is very much the tool of hacktivists and state-sponsored rogues. Both LulzSec and Anonymous have used the technique to attack US and Israeli government websites, among others. It is the inherent diverse nature of these attacks that has made them more successful. Professor Woodward summarises that “3DOS [attacks] are more dangerous and have allowed certain hacktivist groups to be more successful than previously, simply because the defences are more difficult due to the multi-faceted nature of the data used in the attacks. I’m not sure I could quantify the additional risk but you can see that by adding additional dimensions you get a more sophisticated attack and hence a more difficult defence. I feel sure these will be mitigated as we progress but as ever it is an arms race.”
Of course, 3DOS and 2DOS attacks aren’t the only weapons in the hacktivists’ arsenal – information theft (think Stratfor), malicious re-directs and plain defacement are still very much the tools of the trade. But for those who operate at the low level of cybercrime, the availability of cheap botnets and ready-made denial-of-service software makes them an attractive option. Not only are they the weapons of hacktivists but also of nation states – the Russian government, amongst others, often sub-contracts “cyber-mercenaries” to carry out this kind of attack precisely because it’s so cheap (and provides a handy way to limit knowledge of their complicity). Russian involvement in the 2007 cyber attack on Estonia is often hinted at, both inside and outside the country. While the mercenaries involved are sometimes brilliant IT technicians, they are often college drop-outs, trained to press the right buttons in the correct sequence and follow orders so as to get their pay.
So what of President Ilves’s initial analogy – if two thousand kids turning up in the back garden of a suburban semi is analogous to a DOS or DDOS attack, so what of 3DOS? I suggest to Professor Woodward that instead of just finding your back garden bombarded with children, you find every room in your house has been taken over. “Yes,” he says, “or perhaps that the party has been gate-crashed by a bunch of teenagers.” I prefer his analogy – in some cases, I’m sure the age group is probably about right.