Within the last few months, more and more DDoS attacks have taken place, with the aim being to knock powerful websites out of action. The attacks have grown in size, with an overall increase of around 800% in the amount of junk traffic being used as part of the assaults.
How bad can the attacks be?
One recent battle demonstrated exactly how devastating these attacks can be. A trading platform’s website was pummelled by ‘headless’ browsers for over 150 consecutive hours in an attempt to cease its operations. The figures involved were staggering, with over 180,000 IP addresses being used as part of the bombardment. What’s even more shocking is that this multi-layered attack was believed to have been carried out by those seeking to compete with the client.
Incapsula, the website security company responsible for warding off the assault, stated that the attack was a “sophisticated and thought-out process” and that “the order of magnitude was significant”. The attack was believed to have made use of the Phantom JS Headless browser toolkit, which is nominally used for testing and simulating user browsing of an individual application. This headless browser software mimics legitimate human behaviour so effectively that it can be hard to separate from normal traffic. Incapsula themselves noted that the malicious use of it represented “a challenge for mitigation services to deal with”.
How does a botnet work?
A botnet assault is an unusual method in that it enlists the assistance of other computers in order to carry out the assault. (On occasion, it’s been referred to as a “zombie army”.) A group of internet-connected computers, each of them taken over using malware, are remotely controlled by an external source in order to carry out a DDoS attack. As a general rule, the legitimate owners of each “zombie” computer will have no idea that their machine has been hijacked.
A DDoS (Distributed Denial of Service) attack is a malicious attempt to render a server or network resource unusable to potential visitors. Typically, it works by either temporarily interrupting or suspending the services of a host. Unlike a normal Denial of Service attack (a DoS), a DDoS works by using a number of different computers and many different internet connections.)
There are three main types of attack: Application layer attacks will take the guise of seemingly legitimate requests in order to crash the web server by targeting weaknesses in Apache, Windows or OpenBSD. Protocol DDoS attacks consumes resources either in servers or intermediate communication equipment (such as firewalls and load balancers). Finally, volume-based attacks are focused on saturating the bandwidth of the targeted site.
What are the dangers of headless browsers in a botnet attack?
What makes headless browsers so dangerous is that they mimic a normal human user, so on their own they are extremely tough to spot. Indeed, in the case of the above attack, Incapsula were notified only by a slight spike in traffic and the vigilance of an innocent user whose computer had been commandeered as part of the assault.
In addition to the Phantom JS toolkit, various other headless browsers are also used by attackers in order to carry out their assaults. Indeed, in the above bombardment, some 861 different variations of the headless browser were used to generate around 700 million hits per day on the website. What makes botnets compelling for attackers is that they require less initial resources to carry out, simply because they can rely on the power and bandwidth of innocent parties.
It’s important that anyone seriously invested in their servers and web presence works to build a strong mitigation system in order to combat the growing power of modern DDoS attacks. It’s important that the defences match the attacks in evolving and developing to deal with new situations.