18

With the consolidation of cloud computing and virtualization, a really simple doubt comes to my mind: why isn't DDoS being largely offered as a service? Why don't we see cloud-based DDoS attacks?

vDOS, LizardStresser and others offered a way in which you could pay to attack a target but they used their own infrastructure. It seems safer and simpler to just charge a client, use part of that money to rent servers on an IaaS provider and build a cloud-based botnet. That way one could start an attack from inside the provider to a specific target without even using their own structure. This could even be used for spoofing of attacks in general. Is there any particular reason why this doesn't happen?

I have no idea how difficult it is to build a botnet in either context (standard or cloud-based), if getting caught in the cloud would be easier or if this could just be a matter of profit.

Thanks in advance.

Gabriel Rebello
  • 2
    Interesting idea. I think to organize to buy for thousands of vpses anonymously, and also paying for them is too costly, compared to there are relative few dirty bastards who would pay for to take others sites down. – peterh Apr 25 '17 at 04:20
  • 1
    When you can't buy / launch enough cloud machines, you need to use few powerful ones. And there are DDoS protections for powerful strikes from these. Simply multiple layers of security in cloud providers don't make it easy. – Aria Apr 25 '17 at 04:53
  • Interesting question, but perhaps you could rephrase your terminology, since "The Cloud" is just another term for the internet. In that sense, *all* DDoS attacks are "Cloud-based". I think what you're asking though is why aren't more DDoS attacks launched from well-known Cloud-infrastructure-providers such as Amazon's AWS and Microsoft Azure. – Simon East Apr 26 '17 at 01:41

5 Answers

39

... but they used their own infrastructure

It's not really their own infrastructure that they use. They use botnets consisting of hijacked systems instead. These are systems which they p0wn but definitely do not own. And thus it is very cheap for them.

Apart from that, any VPS provider who would rent their VPS for DDoS attacks would quickly lose reputation and thus proper customers. And if a VPS provider then specializes in providing VPS for DDoS attacks to make up for the loss of normal customers, it would be easier to block such DDoS because they all originate from the same networks, i.e. simply cut off this provider from having access to major networks.

Steffen Ullrich
9

Cloud based DoS attacks are possible, and they do happen from time to time. But it's not a very popular option for a couple of reasons:

  • Initial setup - Deploying hundreds of VMs is not an easy feat, and paying for them isn't simple either. However, if you're using someone else's VM, then this makes things a lot easier.

  • Detection - Many providers including Azure monitor their services to check for any malicious activity. In fact, launching attacks from their systems violates their ToS, and will have you shut down very quickly.

However, the ability to have thousands of machines spread over the world, each generating some traffic can be very powerful. If you want to take it a step further, tunnel your traffic through the Tor network, to make it nearly impossible for a defender to stop.

It's been done before though:

In 2012 a group of cyber-criminals exploited the CVE-2014-3120 Elasticsearch 1.1.x vulnerability, followed by the use of Linux DDoS Trojan Mayday and with that, they compromised several Amazon EC2 Virtual Machines. Although this vulnerability was not unique to cloud-based systems and could have been used against any server, including non-cloud based systems, it did open up some interesting opportunities to the attackers. They were able to launch a UDP based DDoS attack from the compromised cloud instances. They utilized the outbound bandwidth of the Cloud Service Provider, Amazon in this case.

Source: Infosec Institute

Getting caught - this is more difficult. Creating and deploying VMs these days is as easy as signing up for an anonymous email ID, registering and deploying machines. However, providers will notice large amounts of traffic from a system. Since you're violating their ToS, they will nearly always shut you down immediately. However, since you're not ever revealing your actual identity (assuming you're accessing their services through an anonymizer and using stolen credit cards (no morals ;] )), they mostly will not be able to discover your real identity. But this does mean that you're flushing your money down the drain - which is why it's just simpler to set up your own infrastructure and offer it as a service.

thel3l
  • 4
    If you are using stolen credit cards to pay for the VMs, aren't you flushing *someone else's* money down the drain? – user Apr 25 '17 at 12:42
  • 2
    I suspect Tor would not be very useful for DDoS attacks. Your traffic would first have to traverse a number of machines inside the Tor network, and then emerge at exit points. Effectively, you would be using Tor as a command-and-control system, and the exit nodes as the source of your DDoS traffic. This would probably be less effective than using a "traditional" malware-based botnet. You could probably craft an attack to DoS Tor itself, though. – IMSoP Apr 25 '17 at 15:12
  • 5
    @MichaelKjörling It still becomes someone else's someone else's money though, instead of remaining _your_ someone else's money. – AJMansfield Apr 25 '17 at 17:26
  • With a properly done attack, Tor could be rather productive. You just need a magnification/reflection attack. Take an old-school ICMP magnification: you send a few bytes over Tor to a vulnerable host claiming to be from the final target, they send a few hundred kB to the target. You can use Tor to shotgun out to your amplifiers, which basically hides you behind 2 layers of obscurity from the target (vulnerable amplifiers, Tor, then you). That also obscures Tor as being part of the attacker's vector (victim only sees packets from amplifiers who aren't greatly affected so don't report) – Ruscal Apr 26 '17 at 13:03
  • I might add, that is why good routers and firewalls are so picky about well formed ICMP packets, and why this isn't nearly as common an attack vector as it once was (also why I don't mind explaining it). The first D in DDoS is for distributed, and while you got that from the attacker's perspective (multiple cloud instances to lay in the attack) you forgot that it isn't cost effective for an attacker to own the DDoS hosts, only the instigators. So they can distribute the instigators in the cloud with Tor help, but the actual attackers are still gonna be vulnerable internet connected systems. – Ruscal Apr 26 '17 at 13:06
  • *Deploying hundreds of VMs is not an easy feat, and paying for them isn't simple either.* Actually no, it's not difficult at all. Most cloud providers have very powerful APIs which allow you to automatize ordering and setting up VMs. Example: [Bees with machine guns](https://github.com/newsapps/beeswithmachineguns). A simple Python program which rents a bunch of VMs on AWS and uses them to "stress-test" a website of your choice. – Philipp Jul 11 '17 at 16:16
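The detection point in the answer above (providers noticing large outbound traffic from an instance and shutting it down) can be illustrated from the provider's side. The following is an added example, not code from the answer or from any cloud provider. It assumes a hypothetical per-instance flow export in the constructed format `timestamp,instance_id,proto,dst_ip,dst_port,bytes_out,bytes_in` and illustrative thresholds, and flags an instance whose traffic toward one destination is both large and almost entirely one-directional for several consecutive seconds. The asymmetry check is what keeps a legitimate bulk transfer, which still receives acknowledgements, from being flagged.

```python
"""Provider-side egress abuse check over constructed per-instance flow records.

Added example; the record format below is an assumption made for this
illustration, not any provider's real flow export:

    timestamp,instance_id,proto,dst_ip,dst_port,bytes_out,bytes_in

One record per (instance, destination) per one-second window.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int
    instance: str
    proto: str
    dst: str
    dport: int
    bytes_out: int
    bytes_in: int


def parse_flows(lines):
    """Parse the constructed CSV format, skipping blanks and '#' comments."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, inst, proto, dst, dport, bo, bi = line.split(",")
        flows.append(Flow(int(ts), inst, proto, dst, int(dport), int(bo), int(bi)))
    return flows


# Illustrative thresholds (assumptions, not a published policy).
MAX_BYTES_PER_SEC = 50_000_000   # sustained bytes/s from one instance to one destination
MIN_ASYMMETRY = 100.0            # out:in byte ratio; a flood gets almost nothing back
MIN_BAD_SECONDS = 5              # must persist, so a short burst is not an offence


def egress_offenders(flows):
    """Return {instance_id: [(dst_ip, seconds_over_threshold), ...]} for instances
    whose traffic to a destination looks like a one-sided flood."""
    per_sec = defaultdict(lambda: defaultdict(lambda: [0, 0]))  # (inst, dst) -> ts -> [out, in]
    for f in flows:
        agg = per_sec[(f.instance, f.dst)][f.ts]
        agg[0] += f.bytes_out
        agg[1] += f.bytes_in

    offenders = {}
    for (inst, dst), seconds in per_sec.items():
        bad = sum(
            1 for out_b, in_b in seconds.values()
            if out_b >= MAX_BYTES_PER_SEC and out_b / max(in_b, 1) >= MIN_ASYMMETRY
        )
        if bad >= MIN_BAD_SECONDS:
            offenders.setdefault(inst, []).append((dst, bad))
    return offenders


def constructed_sample():
    """Constructed records: a web server, a bulk backup, a flood, and a short burst."""
    lines = ["# ts,instance,proto,dst,dport,bytes_out,bytes_in"]
    for ts in range(10):
        lines.append(f"{ts},i-web01,tcp,198.51.100.10,443,2000000,200000")      # normal serving
        lines.append(f"{ts},i-backup03,tcp,198.51.100.20,22,200000000,4000000")  # bulk transfer, ACKs flow back
    for ts in range(8):
        lines.append(f"{ts},i-bad02,udp,203.0.113.5,53,80000000,0")              # sustained one-sided flood
    for ts in range(2):
        lines.append(f"{ts},i-burst04,udp,203.0.113.6,123,80000000,0")           # too short to act on
    return lines


def check_sample():
    """Run the check over the constructed sample; only i-bad02 should come back."""
    return egress_offenders(parse_flows(constructed_sample()))


if __name__ == "__main__":
    for inst, hits in check_sample().items():
        for dst, secs in hits:
            print(f"{inst}: {secs}s of one-sided flood toward {dst}; suspend and notify owner")
```

Only the instance pushing 80 MB/s with nothing coming back for eight seconds is returned; the backup host moves more bytes but gets acknowledgements, and the two-second burst never reaches the persistence threshold.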
2

The funny thing is that what you describe is available right now. It's called Mirai, it's more or less open source, and chances are you've already been affected by it.

Mirai is a type of malware that automatically finds Internet of Things devices to infect and conscripts them into a botnet—a group of computing devices that can be centrally controlled. From there this IoT army can be used to mount distributed denial of service (DDoS) attacks in which a firehose of junk traffic floods a target’s servers with malicious traffic. In just the past few weeks, Mirai disrupted internet service for more than 900,000 Deutsche Telekom customers in Germany, and infected almost 2,400 TalkTalk routers in the UK. This week, researchers published evidence that 80 models of Sony cameras are vulnerable to a Mirai takeover.

These attacks have been enabled both by the massive army of modems and webcams under Mirai’s control, and the fact that a hacker known as “Anna-senpai” elected to open-source its code in September. While there’s nothing particularly novel about Mirai’s software, it has proven itself to be remarkably flexible and adaptable. As a result, hackers can develop different strains of Mirai that can take over new vulnerable IoT devices and increase the population (and compute power) Mirai botnets can draw on.

There are lots and lots of IoT devices flooding the market. Everyone wants "smart" technology. But, as is usually the case, security is an afterthought. So we put that device out there and it's on the Internet for anyone to contact and use as they see fit. And most users (and indeed ISPs) probably won't notice.

Fast forward another 45 minutes. The router was reset, and the network was set up again. By the time I was done messing around, Peakhour had my traffic clocked at 470GB. But I'd gotten rid of the problem (or so I thought). The next morning, before I left for the weekend, I checked: the total traffic was at around 500GB. Maybe I'd defeated the hackers.

That night, I heard from Donna. She'd been monitoring traffic, which was now over 3TB. And, just to make sure we had no doubt, devices were dropped off the network again.

The tipoff that something was amiss? His phone used all of its 4G allotment despite his being at home. His ISP never batted an eyelash at 3TB of bandwidth consumed.

Ultimately, you can count on people who are technically illiterate and companies that don't care to provide all the botnet devices you'll ever need.

Machavity
  • It's worth noting that Mirai isn't the first botnet used for "DoS-as-a-Service". Criminals have used this monetization model for their botnets for years. The only new thing about Mirai is that it focuses on infecting IoT devices. – Philipp Jul 11 '17 at 16:12
2

Cloud providers generally require their customers' identity. If an enterprising young hacker wished to rent Amazon Web Services or the like, they would have to provide a credit card number (or more) to the service, which can be traced back to the owner. Cloud services don't want to engage in DDoS because their networks would be blocked, and it would cost them money in bandwidth.

There are services where you can rent a VPS anonymously in Bitcoin, but they are generally smaller and they also don't want to be blocked by their uplink or peers.

So that is why it isn't common. DDoS is generally considered anti-social behavior, and sociopaths only make up 4% of the population.

Chloe
  • 1
    Unfortunately there is also a flourishing black market for stolen credit cards and compromised online banking accounts which criminals can use to pay for cloud services anonymously. – Philipp Jul 11 '17 at 16:14
0

The key to your question is in the first 'D'.

What makes a DDoS attack so effective is the distributed nature of that attack. With an old style DoS attack, the victim would usually experience a large number of requests or connections to a specific server or resource originating from a single or small number of sources. To mitigate the attack, you could simply block the traffic from the attacking systems. Often, this could be done by the local firewall or similar.

Under the DDoS attack, the victim is flooded with requests from a large number of different sources. The number is too high to block individually and the volume of attackers will typically overload all local infrastructure such as firewalls and network switches. In this scenario, you typically need to work with your ISP to have traffic to the target system sent to a 'black hole', which will reduce the volume and allow local infrastructure to recover, but typically does mean that the DDoS on the specific system is successful (because traffic to that system is being sent to the black hole). The key point is that because the attack is distributed, it is very difficult to block the attacking systems.

So, with respect to your question regarding cloud based DDoS services - this to some extent depends on your definition of cloud. One definition would be any service that is not on your own infrastructure and is delivered from 'the cloud'. In this sense, DDoS attacks are already cloud based. They don't use the attacker's own infrastructure, but instead, use hosts the attacker has either compromised or hosts the attacker has identified which have either poorly configured services or lack sufficient controls to prevent them from being used as part of a DDoS attack. For example, one of the reasons there is so much concern surrounding IoT is that many of these IoT devices include services which can be exploited as part of a DDoS attack and lack sufficient controls to prevent this exploitation by unknown remote users.

If you define cloud to be just IaaS, PaaS and SaaS providers, the situation is slightly different. You are unlikely to see these services being used to perform the actual attack simply because the DDoS attack relies on high numbers of attackers and being able to use that number of cloud providers is prohibitive - remember that the cloud providers are not going to welcome this sort of use of their infrastructure, so you will have to do it in a 'stealthy' manner, which is becoming increasingly difficult as cloud providers lock down what is considered appropriate use of their infrastructure (remember, they have a reputation to maintain - if they become known as a host for 'bad actors', ISPs and others will just block traffic from their IPs).

This doesn't mean attackers don't use cloud services. What you will often find is that DDoS service providers will use cloud services as the command and control centre for their DDoS agents/bots. They still need to do this in a stealthy manner as most reputable cloud services will deactivate any users they detect doing such things, but this is much harder to detect and they only need a few cloud providers. The agents/bots they use to actually perform the attacks are usually compromised desktops and servers, often in home systems which have poorer security controls and increasingly IoT devices, many of which are also in home or small office environments which lack enterprise security measures or skilled system administrators etc.

Tim X
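The distinction drawn in the answer above, between a single-source DoS that a local firewall can block and a distributed flood where the ISP has to blackhole the target, can be turned into a triage step a defender runs over the traffic they are seeing. This is an added example, not code from the answer. It assumes a constructed ingress record format `timestamp,src_ip,dst_ip,proto,bytes`, an illustrative firewall rule budget, and a coverage target; it ranks sources by volume and asks how many per-source rules it would take to remove most of the flood, escalating upstream when that number is too large to be practical.

```python
"""Victim-side triage: can a flood be blocked per source, or does it need upstream help?

Added example. The ingress record format is a constructed assumption, not a real
firewall or NetFlow export:

    timestamp,src_ip,dst_ip,proto,bytes
"""
import math
from collections import Counter


def parse_ingress(lines):
    """Yield (src_ip, bytes) from the constructed CSV format."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _ts, src, _dst, _proto, nbytes = line.split(",")
        yield src, int(nbytes)


def triage(lines, rule_budget=50, coverage=0.9):
    """Rank sources by bytes and count how many rules it takes to remove `coverage`
    of the traffic. Within `rule_budget`, a local firewall can handle it; beyond
    that the source set is too spread out and the ISP has to blackhole the target."""
    per_src = Counter()
    for src, nbytes in parse_ingress(lines):
        per_src[src] += nbytes
    total = sum(per_src.values())

    # Shannon entropy of the source distribution: low for a few heavy hitters,
    # close to log2(N) when N sources contribute evenly.
    entropy = -sum((b / total) * math.log2(b / total) for b in per_src.values())

    chosen, covered = [], 0
    for src, nbytes in per_src.most_common():
        chosen.append(src)
        covered += nbytes
        if covered >= coverage * total:
            break

    if len(chosen) <= rule_budget:
        action = "firewall_block"
    else:
        action = "request_upstream_blackhole"
        chosen = []  # per-source rules would not help; escalate to the ISP instead
    return {"action": action, "sources": chosen,
            "distinct_sources": len(per_src), "entropy_bits": entropy}


def constructed_single_source():
    """Three heavy senders plus twenty ordinary clients (constructed data)."""
    lines = [f"{t},192.0.2.{a},198.51.100.7,tcp,1000000"
             for t in range(30) for a in (11, 12, 13)]
    lines += [f"0,10.0.{i}.1,198.51.100.7,tcp,100000" for i in range(20)]
    return lines


def constructed_distributed():
    """512 sources each sending the same modest amount (constructed data)."""
    return ([f"0,203.0.113.{i},198.51.100.7,udp,200000" for i in range(256)]
            + [f"0,192.0.2.{i},198.51.100.7,udp,200000" for i in range(256)])


if __name__ == "__main__":
    for name, sample in (("single-source", constructed_single_source()),
                         ("distributed", constructed_distributed())):
        r = triage(sample)
        print(f"{name}: {r['distinct_sources']} sources, "
              f"{r['entropy_bits']:.2f} bits -> {r['action']} {r['sources']}")
```

With the first sample, three rules cover more than 90% of the bytes and the result is a short block list; with the second, 461 of the 512 evenly loaded sources would be needed, so the function reports that the target should be blackholed upstream rather than handing back a rule list that the local firewall could not absorb.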