Outsmart me if you can, or bypass in the capable hands of DDoS hacktivists

DDoS attacks organized by hacktivists are unusually numerous in today's cyber environment, and anyone can become a target, large businesses and small media outlets alike. Hacktivists have been incredibly active for the last six months, and the reason is obvious: society is highly agitated by the socio-political events taking place all over the world.

Attacks by cybercriminals on the websites of US airports, the White House, Anonymous attacks on Russian media sites, DDoS attacks on the MIR payment system – all this is only a small fraction of what is happening on the Internet today.

Why are they doing this?

At first glance, hacktivist attacks may seem to be solely an expression of social protest: stopping the work of major corporations, suppressing various information resources. However, the underlying goal is, of course, financial, and under the guise of organizing such attacks, hacktivists engage in outright deception. In our world, everything revolves around money, and it would be wrong to assume that hacktivists are driven by pure altruism. Organizing any DDoS attack costs a lot of money; even renting a botnet requires paying a tidy sum.

One such demonstrative attack was the attack on the infrastructure of Latvia's national health service and its “e-health” system. In part it resembled hacktivist action, but then the operators of a large botnet joined in, and at that stage the Latvian healthcare system could not withstand it and was out of order for several hours.

How monetization works

Hacktivists use two main ways of making money. Firstly, donations. Attacks are announced in various channels on social networks, and fundraising is announced to support the cyberactivists.

Secondly, organizing attacks is used as a way of self-promotion. When everyone knows that you are the “first DDoSer in the area”, they begin to come to you with commercial orders for organizing attacks. For example, for a long time hackers had a favorite benchmark: the much-loved Dom-2 project. For DDoSers it was a kind of challenge: I took down Dom-2, posted screenshots, and orders for further attacks poured in. Lizard Squad follows the same strategy. In the past they, like the Grinch, spoiled Christmas for everyone by carrying out hacktivist attacks while simultaneously earning money by organizing commercial DDoS attacks to order.

What is the damage?

No matter how loud all the attacks taking place may sound, in reality hacktivists are capable of little in terms of harming business. As a rule, all the attacks they organize amount to basic-level DDoS, which everyone learned to fight long ago, and especially over the past six months.

However, the effect of a well-staged DDoS attack is difficult to overestimate. If you launch attacks on the largest domain name registrars, electronic signature verification centers, tax authorities, payment and medical systems, and telemetry solutions in a “shock and awe” format, the effect will be that of an exploding bomb. It will be especially noticeable in geographically large countries such as Russia, China and India if a DDoS attack breaks their national connectivity. Theoretically, such scenarios are quite possible, but in practice the current level of DDoS looks more like attacks by schoolchildren trying to show off more than they actually know how to do.

Bypass in action

I repeat: over the past six months, almost everyone has learned how to fight hacktivist attacks and realized that you need to protect your DNS, mail services, etc. Nevertheless, in early November of this year, a DDoS attack using the bypass technique occurred, which affected the availability of the SecurityLab resource.

The attackers set themselves the task of finding the real IP address behind which the portal sits and bypassing our DDoS protection in order to “pour” malicious traffic at it directly.

It is worth admitting that they managed to outwit the system. Most likely, they used a ready-made service like Censys to scan the Internet for a TLS certificate belonging to SecurityLab that we had not closed off. Having found this gap, the hacktivists sent a flood of garbage traffic to the IP address they had found. As a result, the resource was unavailable for an hour.

However, as soon as the client closed the bypass, the site's operation was restored: the attackers could no longer find a weakness at the application level of our protection.

A little more about…

Another way attackers successfully organize a bypass is DNS fuzzing. People tend to name their services and domain zones in a predictable way, and, exploiting this, attackers search DNS for names similar to that of the attacked resource in an attempt to detect “live” services located in the victim's infrastructure.

That is why you need to be careful when adding and publishing a new service: the DNS record should point directly at the protection provider's IP address, or, when the service is placed under protection, the server's IP should be changed so that the previously allocated address, which remains in DNS caches and history, is no longer in use. A periodic audit of the domain zone to check where its records are “looking” will also help to avoid such troubles.
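The zone audit recommended above, written out as an added example (not the article's or Qrator Labs' own tooling): it parses a small BIND-style zone, flags every A/AAAA record that points anywhere other than the protection provider's address ranges, and checks whether the real origin still uses an address that was ever published in DNS. The provider ranges, the zone and the historical IP list are all constructed sample data.

```python
import ipaddress

# Constructed sample: address ranges of a hypothetical protection provider.
PROVIDER_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:1::/48")]

# Constructed BIND-style zone: "mail" and "api-old" still point straight at an origin.
SAMPLE_ZONE = """\
$ORIGIN example.test.
@        300 IN A     203.0.113.10
www      300 IN A     203.0.113.10
www      300 IN AAAA  2001:db8:1::10
mail     300 IN A     198.51.100.7
api-old  300 IN A     198.51.100.7
cdn      300 IN CNAME www.example.test.
"""

def parse_zone(text):
    """Yield (fqdn, type, rdata) from a minimal zone: one record per line, optional TTL/class."""
    origin = ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        fields = line.split()
        name, rest = fields[0], fields[1:]
        if rest and rest[0].isdigit():                # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":          # optional class
            rest = rest[1:]
        if name == "@":
            fqdn = origin
        else:
            fqdn = name if name.endswith(".") else f"{name}.{origin}".strip(".") + "."
        yield fqdn, rest[0].upper(), rest[1]

def audit_zone(text, provider_ranges):
    """Return address records whose target lies outside the provider's ranges (exposed origins)."""
    exposed = []
    for fqdn, rtype, rdata in parse_zone(text):
        if rtype in ("A", "AAAA"):
            ip = ipaddress.ip_address(rdata)
            if not any(ip in net for net in provider_ranges):
                exposed.append((fqdn, rtype, rdata))
    return exposed

def origin_needs_renumbering(origin_ips, historical_ips):
    """Origin addresses that were ever published in DNS are recoverable from DNS history."""
    return sorted(set(origin_ips) & set(historical_ips))
```

Run `audit_zone(SAMPLE_ZONE, PROVIDER_RANGES)` on the sample to see the two records that bypass the provider; feed `origin_needs_renumbering` the real origin addresses and whatever a passive-DNS export says was ever published for the zone.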

Another example is any service that performs a callback from the protected client's infrastructure. These can be two-way protocols or downloadable images: the attacker submits an object that embeds a picture, and the infrastructure reaches out to download it. In doing so, the victim's IP address is revealed.

Who is to blame and what to do?

Ultimately, bypass is an attempt to find a way around the protection provider and reach the resource directly. As described above, there are different ways to do this, but if the business has defended itself well and tied up all the loose ends, there is nothing to be afraid of.

If loose ends are still exposed, or the business needs extra confidence in the continuous operation of its service, it is possible to organize a dedicated protection channel from the provider's edge to the client's infrastructure, which is what we do at Qrator Labs. Then, even if the main channel to the client, which for one reason or another was not completely closed off, is “punched through”, communication continues over the dedicated one, and the business stays online 24/7.

Bypass prevention is a task that the security provider always solves together with the client; if the client is inactive, the provider can help only partially. Moreover, it is a recurring task whose inputs constantly change. Any new microservice in the client's infrastructure that is published to the Internet, any newly issued encryption certificate, any record in the domain zone, any file made available for download has the potential to reveal to an attacker an entry point that is not covered by the protection.

Summing up, we can say that, in general, bypass is not as scary as it is painted. For the protection provider it is an additional challenge, and the more attacks the anti-DDoS system neutralizes, the more opportunities it gets to learn from them, and the less likely a bypass of the protected client becomes.