Distributed Denial of Service (DDoS) attacks represent one of the most public threats to your organization. When DDoS attacks strike, they obliterate your connection to the outside world, plunging your page and services into temporary darkness. Even worse, malicious actors continue to break new ground with easy-to-use tools that enable powerful attacks. Let’s break down the most recent threat actor, and address how to mitigate DDoS attacks.
What is Raven Storm?
A new attack vector, nicknamed Raven Storm, has been linked to several recent DDoS attacks by the hacking group named “Mysterious Team”. Raven Storm is a modular piece of malware, offering a number of programs that help strengthen its attacks against even high-capacity servers. For instance, the server module allows attackers to launch DDoS attacks against specific servers, requiring only a user-set password and the client’s IP address. Once Raven Storm has determined precisely which server to target, the program sends a single GET request.
GET is the method by which most HTTP requests are made: the relevant server is asked to locate a specific resource and return it to the browser. This kicks off the core mechanism of the DDoS attack. Handling the request requires the server to ‘spend’ a small portion of its processing capacity. Once the server has identified precisely which resource the user wants and fed that page back to the browser, its job is done. A single request draws only a minute share of a server’s processing capacity; it is the sheer volume at which requests can be scaled up that puts DDoS attacks in a league of their own.
Raven Storm does far more than send a single GET request. It behaves much like a user, opening up a number of attack avenues ripe for exploitation. First, however, the attackers want to confirm that their tool is only operating against up-and-running servers: running an attack on a defunct server allows no further exploitation or ransoming of the organization. When a legitimate user arrives on your site, the server recognizes which requests are theirs thanks to the user’s session values. Raven Storm uses an incredibly simple piece of code to make sure it is attacking a live, sufficiently popular site: the initial request expects a session code of 200 in return. If the server cannot provide this session code, an error message is sent back instead.
If the correct session code is returned, however, the attackers know they’ve caught a live one. Once confirmed to be responsive, Raven Storm begins its attack, sending out bursts of 500 GET requests at a time.
Only 500? It may be tempting to shrug; after all, servers today can handle millions of genuine users. To illustrate the difference between users and requests, however, let’s delve into Raven Storm’s second ace card: multithreading.
Multithreading for Maximum Carnage
Multithreading forms the foundation of most of today’s tech stacks. Essentially, it allows multiple users to interact with a program without requiring multiple copies of that program. This is achieved in a delightfully simple manner: every request is chopped up into smaller units of work. The incredible power and speed of modern microprocessors allow for the near-simultaneous serving of many users at once. Though a processor core executes only one instruction at a time, it switches between threads so rapidly that multiple programs appear to run concurrently. Each request is tracked in its own chain, allowing every user to maintain a separate thread.
It is this multithreading tactic that facilitates the explosion of Raven Storm’s requests: genuine users might request only one page at a time, whereas Raven Storm crams 500 requests down the pipeline in any given second. This focus on high-volume requests, alongside the program’s other modules, leads researchers to think it also uses a large botnet to multiply its attack capacity.
Raven Storm was built to be easy to use; its role in a few recent DDoS attacks was only discovered after Mysterious Team made a post announcing their successful use of the tool. The tool requires only a URL from the attacking group, which is then used to connect to the tool’s third-party botnet. Others are prevented from interfering thanks to the tool’s temporary password for the attackers. After this light piece of admin, an attacking group is free to launch sizable DDoS attacks against even the largest of servers.
Withstanding the Storm
Because Raven Storm’s malicious requests look almost identical to those of genuine users, the only protection against its attacks is bona fide DDoS mitigation. A high-quality mitigation provider will focus on four main areas: detection, diversion, filtering, and finally analysis. Detection is the first, and arguably most important, aspect of DDoS mitigation. It focuses on identifying abnormal traffic flows, which can signal an oncoming DDoS assault as requests begin to pile up.
Once the wave of abnormal traffic is identified, the diversion phase kicks in. With your security provider acting as a safe intermediary, all of your site traffic is rerouted via DNS or Border Gateway Protocol (BGP) routing. DNS diversion is always active, allowing fast responses to a building attack, whereas BGP diversion can be toggled on or off as the situation demands. Once diversion is complete, it is time for filtering. Patterns within the malicious traffic are established, allowing malicious visitors to be identified; once identified, they can be denied and their requests nullified. Legitimate site users, on the other hand, are provided a near-bulletproof site experience.
Once the direct DDoS attack has largely subsided, it is time for the final piece of the mitigation puzzle: analysis. System logs and analytics are vital to this process, yielding a wealth of information about the attack. This not only helps identify offenders, but actively strengthens your organization’s resilience and keeps its defenses future-proof. Advanced security analytics further offer granular visibility, meaning a victim can gather more information about the attacking traffic and gain an immediate understanding of the attack’s details.
DDoS mitigation completely nullifies the easiest and most hostile form of cyberattack, making it an essential piece of a modern organization’s defenses.
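To make the detection and filtering stages concrete, here is an added example (not from the original article, nor any mitigation provider’s product) that runs a sliding-window rate check over constructed access-log lines and then filters out the flagged clients; the one-second window and the 50-request threshold are assumptions, as are the IP addresses and timestamps.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed access-log lines in Common Log Format (not a real capture). One client
# fires a burst of identical GETs within one second, mimicking the high-volume bursts
# described above; a second client browses at a normal pace of one page per second.
BURST_IP, NORMAL_IP = "203.0.113.7", "198.51.100.4"
LOG_LINES = (
    [f'{BURST_IP} - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326'] * 60
    + [f'{NORMAL_IP} - - [10/Oct/2023:13:55:3{i} +0000] "GET /page{i}.html HTTP/1.1" 200 512'
       for i in range(5)]
)

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')

def parse(line):
    """Return (timestamp, ip, method, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), ip, method, path, int(status)

def flag_bursting_clients(lines, window_seconds=1, threshold=50):
    """Detection: return {ip: peak_requests} for every client exceeding `threshold`
    requests inside any sliding window of `window_seconds`. The defaults are assumed
    values; tune them against the site's own baseline traffic."""
    windows = defaultdict(deque)   # per-IP queue of request timestamps still in window
    peaks = {}
    for t, ip, *_ in sorted(filter(None, map(parse, lines)), key=lambda r: r[0]):
        q = windows[ip]
        q.append(t)
        while (t - q[0]).total_seconds() > window_seconds:   # evict aged-out timestamps
            q.popleft()
        if len(q) > threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

def filter_requests(lines, blocked_ips):
    """Filtering: split log lines into (kept, dropped) by source IP so that legitimate
    visitors keep being served while flagged clients have their requests nullified."""
    kept, dropped = [], []
    for line in lines:
        rec = parse(line)
        (dropped if rec and rec[1] in blocked_ips else kept).append(line)
    return kept, dropped

if __name__ == "__main__":
    flagged = flag_bursting_clients(LOG_LINES)
    served, dropped = filter_requests(LOG_LINES, set(flagged))
    print(f"flagged: {flagged}; served {len(served)}, dropped {len(dropped)}")
```

A pure rate check like this is only the detection stage’s first cut; because the bursts look like ordinary GETs, a provider’s filtering stage layers further traffic-pattern analysis on top of it.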