
This article was published on December 19, 2010

How DDoS attacks became the frontline tool of cyber-war

The concept of Distributed Denial of Service (DDoS) attacks finally entered the mainstream public consciousness this month after assaults on the websites of Visa, MasterCard and PayPal made front page news.

Whilst these particular incidents were extremely high profile, a host of other DDoS attacks dating back to 1999 have littered the path leading up to Operation Avenge Assange.

The beginnings of DDoS attacks

The first notable use of a DDoS attack downed a University of Minnesota computer for over two days, but only a year later, in 2000, sights were set higher when Amazon, CNN, eBay and Yahoo were all hit within the space of 24 hours, either slowing the sites down significantly or taking them offline altogether. Estimated losses to Amazon and Yahoo added up to approximately $1.1m.

Between 2001 and 2005, use of DDoS attacks grew quietly, with a few prominent attacks, most notably on Register.com and once more on eBay, for which a single man was prosecuted for causing damage of “at least $5000” over a year. The early botnets stemmed from Trin00 and Tribe Flood Network, two of the earliest DDoS programs.

The seedier side of DDoS attacks emerged around this time as the technique began to be used by organised criminals to blackmail and extort money from small businesses under threat of cyber-attack. The growing frequency of these crimes coincided with the formation of the UK’s National Hi-Tech Crime Unit. Though the unit was tasked with finding the hackers at the root, the situation was ultimately resolved by improved server capacity, which left cyber-criminals unable to overwhelm the strengthened targets.

Despite the gradually improving ability to handle denial-of-service attacks, DDoS incidents persisted with increasing scale in the second half of the decade.

As early as 2006, DDoS tools became a staple of a hacker’s arsenal, but assaults were still typically created and coordinated by individuals rather than en masse. One highlighted case in the UK involved a teenager sending a former employer five million emails to take their servers down. The hacker was acquitted in the trial that ensued, but the judgement revealed flaws in the 1990 Police and Justice Bill, which was consequently amended to ban any and all denial of service attacks.

An instrument of war

Whilst the UK seemed to be gaining some stability regarding DDoS attacks, 2007 brought diplomatic consequences to online warfare in Estonia as national websites suffered from Russian attacks. Initial tensions broke out when the proposed relocation of a Soviet war monument from the Estonian capital turned into riots among the ethnic Russian population. This then spilled over into cyberspace as the websites of several government offices and cities were taken down or defaced by Russian activists. The event led many European officials to review their response protocols for such attacks, since there was no precedent for an assault of that magnitude.

Not long after, Russia was once again linked to DDoS attacks in the build-up to its five-day war with Georgia. Reports at the time indicated that several Georgian, Azerbaijani and Russian sites were driven offline, with claims tying particular attacks to Russian intelligence and the Russian Business Network, a criminal gang alleged to have also been a part of the cyber attacks on Estonia. The intensity of attacks in 2008 dwarfed those against Estonia, and DDoS use escalated from that point onwards.

The disputed Iranian election of July 2009 saw street protests reflected online when many pro-Ahmadinejad websites were brought down by mass DIY denial of service tools. Rather than using automated botnets, PHP scripts were utilised in crowd-sourced assaults on the government. The two DDoS incidents involving Russia and the Iranian election revealed that hacking, particularly using denial of service tools, had shifted from personal gain or targeted abuse to politically motivated statements and attacks.

This was taken to extremes last year when Twitter, Facebook, LiveJournal and YouTube all suffered downtime when a Georgian blogger under the name ‘Cyxymu’ was individually targeted. The blogger was a vocal critic of the 2008 South Ossetia War between Russia and Georgia, and claimed that the KGB perpetrated the attack to silence him. Though the political aspect of hacktivism played a prominent role in the events that unfolded, the increasingly worrying concern was the weakness of major sites under DDoS attacks.

Grassroots payback

Despite preventative measures existing since the turn of the millennium, many of the victim websites were inadequately protected against DDoS attacks, something made glaringly obvious in the last half of this year as Anonymous began their crusade against copyright with Operation: Payback.

The group’s attacks were initially mounted as a response to the MPAA-contracted firm Aiplex Software, which used DDoS attacks to take down The Pirate Bay in September. Retaliation by Anonymous was swift and organised, as the first week brought downtime to Aiplex, the MPAA, the RIAA, the British Phonographic Industry and ACS:Law, the law firm notorious for aggressively targeting file-sharers. The more significant outcome of the attacks on Aiplex and ACS was the leak of sensitive private data that has since spread through torrents.

The actions of Anonymous as activists (particularly against Scientology) are well documented, but the focus delivered in the following months outweighed previous organised cyber and real-world protests. October saw DDoS attacks occur almost daily on the likes of Hustler.com, Ministry of Sound, the UK Intellectual Property Office, the US Copyright Office and Gene Simmons’ websites, the latter a result of his taking a copyright-aggressive stance in a statement.

The profile of targets hit by Operation: Payback began to drop approaching November and a failed high-publicity series of attacks on Guy Fawkes Night seemed to evaporate the momentum built over the previous two months. The quietus of the attacks apparently culminated with the US and UK Pirate Parties asking for a DDoS ceasefire in late November, less than two weeks before WikiLeaks would suffer their own attacks in an attempt supposedly by a US patriot to halt the leak of the US Embassy Cables.

WikiLeaks

The early murmurings of Operation Avenge Assange began as WikiLeaks went viral and the Swedish Pirate Party’s website was hit by DDoS attacks. John Perry Barlow, author of ‘A Declaration of the Independence of Cyberspace’ and founding member of the Electronic Frontier Foundation (EFF), tweeted on the first day of attacks: “The first serious infowar is now engaged. The field of battle is WikiLeaks. You are the troops.”

Since then, attacks have been launched from both sides at sensationalist targets like MasterCard and PayPal, as well as some indirectly affiliated ones including Borgstrom and Bodström, the lawyers representing the women Assange allegedly assaulted, and PandaLabs, serial trackers of Anonymous’ attacks.

The key element shared by all the targets of DDoS attacks in the last week has been an inability to cope with a decade-old threat. However, this is not to do with a lack of preparation. The Anon Ops website was taken down suddenly despite having upgraded to what PandaLabs describe as a ‘bullet-proof server’ designed to resist botnet attacks.

The fact is that the sheer number of hacktivists on each side has overwhelmed servers, leaving the online war in a very open state. Although the EFF has condemned the attacks on both sides, the thousands who have resorted to such tactics reveal it as an effective, if legally dubious, outlet for protest.

DDoS attacks may have started out as a way to shut down servers for fun, annoyance or gain, but key events of the last decade have allowed the tool to transcend mere hacking, causing it to become simultaneously a form of protest and a weapon of war. The failure of Anonymous to take down Amazon (through either lack of support or strength of server) shows that the future of DDoS attacks lies only with the “hacktivists” themselves.
