Distributed denial of service (DDoS) is one of the biggest security threats facing the Internet. We can develop a false sense of security when we see the major takedowns of individuals such as Austin Thompson – aka DerpTrolling – and Mirai botnet operator Paras Jha. (Jha was recently sentenced, and Thompson just pleaded guilty.)
Despite these high-profile busts, DDoS goes on. An industry report covering Q2 2018 showed a 543% year-over-year increase in average attack size and a 29% increase in the number of attacks – consistent with our internal data as a DDoS mitigation provider. Attacks are becoming more sophisticated, but they have traditionally fallen into three primary categories:
- Application layer attacks – These DDoS events, measured in requests per second (rps), involve an attacker trying to take the web server offline.
- Protocol attacks – In these DDoS incidents, measured in packets per second (pps), the attacker attempts to consume all of the server's resources.
- Volume-based attacks – Measured in bits per second (bps), these attacks attempt to overload a website's bandwidth.
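The three categories above are distinguished by which metric is saturated, and a defender can triage edge telemetry the same way: compare each one-second counter against its baseline and name the category after the metric that departs the most. The following Python is an added example and is not code from the original article or from Total Server Solutions; the one-second samples are constructed, and the baseline figures and the 5x anomaly factor are assumptions to be replaced with values from your own telemetry.

```python
"""Classify one-second traffic samples into the three classic DDoS
categories by the metric that departs most from baseline:
rps -> application layer, pps -> protocol, bps -> volumetric."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    """One-second snapshot of traffic towards a service (constructed data)."""
    label: str
    requests: int   # completed HTTP requests in the interval
    packets: int    # packets seen at the network edge in the interval
    bytes_: int     # bytes seen at the network edge in the interval


# Assumed per-second baseline for a small web property (tune to real telemetry).
BASELINE = {"rps": 200, "pps": 4_000, "bps": 20_000_000}

# Multiple of baseline that we treat as anomalous (assumption).
ANOMALY_FACTOR = 5.0

CATEGORY = {"rps": "application", "pps": "protocol", "bps": "volumetric"}


def rates(s: Sample) -> dict:
    """Express a sample in the three units the article uses."""
    return {"rps": s.requests, "pps": s.packets, "bps": s.bytes_ * 8}


def classify(s: Sample) -> str:
    """Return 'application', 'protocol', 'volumetric' or 'normal'.

    Every metric is scaled by its baseline so that rps, pps and bps are
    comparable; the category is the metric with the largest ratio, provided
    that ratio exceeds ANOMALY_FACTOR. An HTTP flood also raises pps, and a
    SYN flood also raises bps, so the dominant ratio is what matters."""
    ratios = {k: v / BASELINE[k] for k, v in rates(s).items()}
    metric, ratio = max(ratios.items(), key=lambda kv: kv[1])
    if ratio < ANOMALY_FACTOR:
        return "normal"
    return CATEGORY[metric]


def triage(samples) -> dict:
    """Map each sample label to its category, e.g. for an alert summary."""
    return {s.label: classify(s) for s in samples}


# Constructed samples: a quiet second, then one second of each attack type.
SAMPLES = [
    Sample("quiet", requests=180, packets=3_600, bytes_=2_000_000),
    # Minimal GET requests: 20x rps, ~5 packets each, bandwidth barely moves.
    Sample("http_flood", requests=4_000, packets=20_000, bytes_=2_500_000),
    # 60-byte SYNs: 125x pps, 12x bps, almost no completed requests.
    Sample("syn_flood", requests=150, packets=500_000, bytes_=30_000_000),
    # 1400-byte amplified replies: 500x bps, 225x pps.
    Sample("amplification", requests=100, packets=900_000, bytes_=1_250_000_000),
]

if __name__ == "__main__":
    for label, category in triage(SAMPLES).items():
        print(f"{label:14s} -> {category}")
```

The scaling step is the important design choice: raw counters are not comparable (a few hundred requests and a few hundred million bits both look "large"), but ratios to a per-metric baseline are, which is why the dominant ratio rather than the largest raw number names the category.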
Two of the biggest names in DDoS have been DerpTrolling and Mirai. DerpTrolling was an individual who used DDoS tools to bring down major companies including Microsoft, Sony, and EA. Mirai is an IoT botnet that was built primarily from CCTV cameras and was used against the major DNS provider Dyn and various other targets. These two prominent DDoS “brands,” if you will, were first seen in the news as the attacks were occurring, and again in their aftermath as the alleged parties behind the attacks were arrested and ordered into court. This article looks at Mirai and DerpTrolling, then explores what the landscape looks like moving forward.
The story of Mirai
A great business model from a profit perspective (though incredibly nefarious, of course) is to continually create a problem that you can continually resolve with your solution. That model was leveraged by Mirai botnet creator Paras Jha, who was a student at Rutgers University when the attacks occurred. Jha started experimenting by hitting Rutgers with DDoS at key times of year, such as midterm exams and class registration – while simultaneously attempting to sell DDoS mitigation services to the school. Jha was also active in Minecraft and attacked rival servers.
On September 19, 2016, the first major assault from Mirai hit French web host OVH. Several days afterward, the Mirai code was posted on a hacking forum by the user Anna-Senpai. Releasing code in this manner broadens the attacks and helps conceal the original creator.
On October 12, another attack leveraging Mirai was launched – this one by another party. That attack, which assaulted DNS provider Dyn, is thought to have been aimed at Microsoft servers used for gaming. When Jha and his partners, Josiah White and Dalton Norman, pleaded guilty to Mirai incidents in December 2017, the code had already passed into the hands of other nefarious parties, available to anyone wanting a botnet to pummel their competition or other targets.
The story of DerpTrolling
DerpTrolling was a series of attacks on gaming servers. Thompson, the primary figure, hit various targets in 2013 and 2014. The scale of victims was broader than with Mirai: Thompson hit major companies such as Microsoft, Sony, and EA, along with small Twitch streamers.
DerpTrolling operated as @DerpTrolling on Twitter and would announce that he was going to hit a certain victim with his “Gaben Laser Beam.” Once the DDoS was underway, DerpTrolling would either post taunts or screenshots of the attack.
DDoS in court
On October 26, 2018, 22-year-old Jha was sentenced for the 2016 DDoS attacks he carried out with Mirai. The punishment is $8.6 million and six months of home incarceration. The sentence was massively reduced because Jha cooperated with federal authorities and helped bring down other botnet operators.
Thompson pleaded guilty in federal court in San Diego to conducting the DerpTrolling attacks. Now 23 years old, Thompson faces up to 10 years in prison, 3 years of supervised release, and $250,000 in fines. Sentencing is scheduled for March 1, 2019.
The continuing threat
Mirai is problematic because its source code was released. Because Mirai is in the wild, anyone can potentially come along, adapt it, and use it to attack the many IoT devices that remain unsecured and vulnerable.
Research published in August 2017 noted that 15,194 attacks had already been logged based on the open-sourced Mirai code. Three Dutch banks and a government agency were targeted with a Mirai variant in January, for instance. Rabobank, ING Bank, and ABN Amro were all hit in the wave – over a span of four days, each of these targets was attacked twice. This incident underscores the differing motives of cybercriminals: it came just a few days after news broke that the Dutch intelligence community had been the first to alert the US that Russian operatives had infiltrated the Democratic National Committee and taken emails, so these attacks were likely political hacktivism (although potentially state-sponsored).
While Mirai was a massive problem that truly threatened core Internet infrastructure, DerpTrolling is more microcosmic but nonetheless critical in terms of perception. DerpTrolling, at least to some folks, made DDoS fun, silly, and off-handed. His run through the legal system sends a message to the individual gamer that anyone wanting to perform what they may see as online mischief could end up with an ankle bracelet or even behind bars. Currently, one of the top searched questions related to DDoS is, “Is it illegal to DDoS?” To anyone unsure on the issue, it is becoming abundantly clear that it is a criminal activity taken very seriously by the federal government in the United States and elsewhere.
Setting aside the specific cases of the Mirai and DerpTrolling attacks, DDoS in general is becoming a more significant threat to the Internet all the time. Another industry study, released in January, found that 1 in 10 companies said they had experienced a DDoS in 2017 that resulted in more than $100,000 in damages – a fivefold increase over prior years. Meanwhile, there was a 60% rise in events whose downtime cost $501 to $1,000 per second. The research also showed a 20% rise in multi-vector attacks – which is also consistent with our data.
These figures are compelling when you consider DDoS mitigation services from a strict cost perspective; moreover, many organizations are likely underestimating the long-term damage to trust (leading to loss of customers) and brand value that stems from DDoS downtime. Increasing attack complexity also raises the bar for the expertise needed to stop events quickly, since they are no longer as simple as these attacks typically were in the past.
The multi-vector approach is just the tip of the iceberg, though, with the rise of artificially intelligent DDoS. Artificial intelligence is massively on the rise now. This technology's strengths for business are often heralded, but it will also be used by the dark side. The issue with AI-strengthened DDoS is that it is adaptive. AI is always improving its approach, noted Matt Conran, “changing parameters and signatures automatically in response to the defense without any human interaction.”
Future-proofing yourself against DDoS
While the Mirai and DerpTrolling takedowns are major events in the fight against DDoS, industry analyses reveal the problem is still only growing. Preparing for the DDoS future is particularly challenging given the rise of multi-vector attacks and incorporation of AI. At Total Server Solutions, our mitigation & protection solutions help you stay ahead of attackers. We want to protect you.