Last week Meetup suffered a prolonged and debilitating DDoS attack. Distributed denial of service attacks involve a massive collection of client computers constantly requesting information from a particular target site. They do this so frequently and on such a large scale that it disables the site by overloading it with too many requests.

A Little History

DDoS isn’t a new phenomenon by any means: it was first recorded in 2000, when 15-year-old Canadian hacker “mafiaboy” disabled several high-profile sites by overwhelming them with requests from numerous locations. In the past year, however, there have been a handful of recorded attacks that are of a distinctively different caliber—and they’re increasing in frequency.

Last year’s attack against anti-spam organization Spamhaus topped a colossal 300 Gbps (that’s 30-fold a conventional attack), ushering in a new era in DDoS. Since then, there have been a few other similar attacks, including the recent one on Meetup, which took it offline for about four days.

How Have These Attacks Become More Sophisticated?

But how do these new attacks work exactly? What’s different that makes them so powerful?

The first half of the answer lies in a technique called reflection, which allows the attacker to “spoof” or fake a session between random hosts and the target site. Here’s how it works:

  1. An attacker connects to a machine (A), which responds with a request asking for verification
  2. The attacker sends the verification challenge to the target resource (B), which responds accordingly
  3. The attacker sends (B)’s response to (A) and, in some cases, a session is authenticated
  4. The attacker may now use this session to make repeated requests to (B)

[Diagram: DDoS reflection]

Amplification is the other part of the reason that this new breed of attacks is possible. It involves:

  1. An attacker sends a query to a machine (A), but tells (A) that it was actually the target (B) that sent the query.
  2. (A) generates a huge response due to the nature of the query and sends it to (B), which must receive it.
  3. An amplified response can be hundreds of times bigger than the original query, so it can be used to deplete the target (B)’s resources hundreds of times faster than a conventional DDoS.

[Diagram: DDoS amplification]

By using these techniques across many [sometimes thousands of] distributed devices, the 300 Gbps & 400 Gbps attacks that have been reported in recent months are possible.
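From the target’s side, the tell-tale sign of the amplification technique described above is inbound UDP traffic from a service port that no host on your network ever sent a query to. The example below is added here and is not code from the original post or from Meetup or Cloudflare; it runs over constructed flow records (RFC 5737 documentation addresses, one packet per record, and the assumption that reflectors answer from ports below 1024) to flag unsolicited responses and estimate how many times larger each one is than our own legitimate queries to the same port.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample modelled on edge-router flow exports: (src, sport, dst, dport, proto, bytes).
VICTIM_NET = ip_network("203.0.113.0/24")
SAMPLE_FLOWS = [
    # legitimate: our resolver asks 198.51.100.10:53 and gets a small answer back
    ("203.0.113.5", 40000, "198.51.100.10", 53, "udp", 64),
    ("198.51.100.10", 53, "203.0.113.5", 40000, "udp", 180),
    # reflected + amplified: large answers from servers nobody on our network queried
    ("198.51.100.77", 53, "203.0.113.9", 33000, "udp", 3900),
    ("198.51.100.78", 53, "203.0.113.9", 33001, "udp", 4100),
    ("192.0.2.44", 123, "203.0.113.9", 33002, "udp", 48200),
]


def unsolicited_responses(flows, victim_net=VICTIM_NET):
    """Inbound UDP flows from a service port (<1024) that no victim host requested."""
    # Every outbound UDP flow, keyed so an inbound reply can be matched to its request.
    outbound = {(s, d, dp) for s, sp, d, dp, proto, _ in flows
                if proto == "udp" and ip_address(s) in victim_net}
    hits = []
    for s, sp, d, dp, proto, nbytes in flows:
        if proto != "udp" or ip_address(d) not in victim_net or sp >= 1024:
            continue
        if (d, s, sp) not in outbound:  # reply with no matching request: reflected
            hits.append((s, sp, d, nbytes))
    return hits


def unsolicited_bytes_by_port(flows, victim_net=VICTIM_NET):
    """Total unsolicited inbound bytes per reflector service port."""
    totals = defaultdict(int)
    for _, sp, _, nbytes in unsolicited_responses(flows, victim_net):
        totals[sp] += nbytes
    return dict(totals)


def estimated_amplification(flows, victim_net=VICTIM_NET):
    """Mean unsolicited response size divided by the mean size of our own legitimate
    queries to that port; None when we never queried the port and have no baseline."""
    query_sizes = defaultdict(list)
    for s, sp, d, dp, proto, nbytes in flows:
        if proto == "udp" and ip_address(s) in victim_net and dp < 1024:
            query_sizes[dp].append(nbytes)
    resp_sizes = defaultdict(list)
    for _, sp, _, nbytes in unsolicited_responses(flows, victim_net):
        resp_sizes[sp].append(nbytes)
    report = {}
    for port, sizes in resp_sizes.items():
        mean_resp = sum(sizes) / len(sizes)
        queries = query_sizes.get(port)
        report[port] = round(mean_resp / (sum(queries) / len(queries)), 1) if queries else None
    return report
```

On the sample data the DNS responses come out at roughly 62 times the size of our own 64-byte queries, which is the “hundreds of times bigger” effect in miniature; a real detector would key on the same unsolicited-reply logic but aggregate over sampled flows and time windows.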

First-hand Experience of The Effects of Such Attacks

I co-organize I Love Marketing Toronto: a driven marketing event, and of our 250 members, we usually expect 30-40 attendees. However, on Thursday February 27th, the day of our meetup, we were unable to access the site and send out our usual announcement as a reminder of the event. The result was a small gathering of six people. Thankfully, we don’t run a for-profit meetup, however I’m sure many were debilitated by Meetup’s downtime.

One would typically expect such an attack to last a few hours, but this attack lasted days, finally ceasing four days later, the following Monday. The motive behind the attack might surprise you: the attacker contacted Meetup claiming that he was hired by a competitor, asking a $300 ransom to cease the attack. Meetup refused to pay the ransom and partnered with Cloudflare, an organization very experienced in mitigating DDoS attacks. It’s likely that this measly amount was only demanded as a first small step to coax Meetup into paying a larger ransom later on.

The Future of DDoS

The attack on Meetup may be over, but we’ll certainly see many more attacks involving amplification and reflection in the future. Fighting them will likely require new regulatory standards to be put in place on as many affected devices as possible, which would counteract the specific exploits currently being used to reflect and amplify queries. To quote Cloudflare co-founder Matthew Prince, “someone’s got a big new cannon. [This is] the start of ugly things to come”.

Diagrams created by SEOcial, licensed under creative commons with attribution required.