Suppose the attacker is concerned about building the C2 system needed to dwell in a breached network for a long while, or perhaps they are concerned the process of exfiltrating data can expose the attacker. What kinds of actions can an attacker take in this case? The most common attack in these cases is ransomware.
Ransomware encrypts the user’s data using a key and system the user does not know, so the user cannot access or use the system.
Once the attacker installs ransomware, the system displays a message stating the operator should send money to an anonymous account. Once the attacker receives the ransom, they will send a key and software to the user to decrypt their data.
Denial of Service
Attackers launching a denial-of-service (DoS) or distributed denial-of-service (DDoS) attack are (funny enough) trying to deny the use of some service by exhausting some fixed or finite resource. DoS attacks can be launched from a few devices and attempt to exhaust some system resources. DDoS attacks are launched from hundreds or thousands of devices distributed throughout the Internet and typically attempt to exhaust an external resource, like consuming an entire link’s or interface’s capacity.
Attackers might use DoS or DDoS attacks to
• Slow down a competing gamer’s server to cheat.
• Distract a security team from an intrusion attack occurring at the same time.
• Take down a company’s website during a critical period to damage the company’s reputation or business.
• Cause a server to fail, exposing vulnerabilities when the server reboots or recovers.
The reasons for launching a DoS attack are as varied as attackers.
DoS attacks differ from intrusion attacks because the attacker does not (necessarily) need to gain access to the network to launch a DoS attack. Servers (or IP addresses) can be directly attacked remotely. Not all DoS attacks are external, either. Once an attacker has breached a network, they can use devices they control to launch an internal DoS attack.
In many cases, intrusion attacks require some skill to execute.
DoS attacks, however, are available as a service—an instance of cloud computing “gone bad.”
The following sections explain several different kinds of DoS attacks.
Direct (or Burner) Attack
Figure 19-4 illustrates a direct, or burner, DDoS attack.
Figure 19-4 A Direct DDoS Attack
In a direct DDoS attack, the attacker begins by compromising hundreds, thousands, or even millions of devices of all kinds.
These devices can be servers, IoT devices like printers and cameras, network devices like routers and switches, and hosts.
After compromising these devices, the attacker (or DDoS service) installs C2 software to generate packets on demand, creating a botnet.
A botnet is a collection of devices under the control of an attacker used to launch DDoS attacks.
Launching a DDoS attack uses the C2 system to instruct many hosts to send the largest packets they can, at the highest rate, toward the target’s IP address. The target in Figure 19-4 is server B.
A direct DDoS attack uses many hosts sending traffic directly to a victim to consume bandwidth-related resources.
If the attacker can send enough traffic:
• Router A’s link to the Internet will be overwhelmed.
• The router A to server B link will be overwhelmed.
• Server B’s interface will be overwhelmed.
In all three cases, the attacker exhausts some resources and blocks server B from accepting traffic through sheer traffic volume.
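The distinction drawn above between a DoS attack from a few sources and a direct DDoS attack from a botnet is something an operator can see from router A's own flow records: traffic toward server B approaches the link capacity, and the number of distinct sources tells the two cases apart. The following script is an added example, not code from the original text. It assumes a simplified flow-record format of "src_ip,dst_ip,bytes" per record, a one-second export window, and a 100 Mb/s link toward server B; the addresses and byte counts are constructed for illustration.

```python
"""Classify per-destination traffic from constructed flow records as normal,
DoS (few sources), or direct DDoS (many sources) by comparing the observed
bit rate against the capacity of the link toward the destination."""
from collections import defaultdict

LINK_CAPACITY_BPS = 100_000_000   # assumed: 100 Mb/s router A -> server B link
ALERT_FRACTION = 0.8              # flag when a single destination nears 80% of the link
MIN_DISTINCT_SOURCES = 50         # this many sources in one window suggests a botnet
WINDOW_SECONDS = 1                # assumed flow export window

SERVER_B = "203.0.113.10"         # constructed address standing in for server B


def constructed_ddos_flows():
    """Constructed sample: 200 bots from two /24s each push 60 kB at server B
    in one window, plus two ordinary flows to another host."""
    lines = []
    for i in range(200):
        src = f"198.51.100.{i + 1}" if i < 100 else f"192.0.2.{i - 99}"
        lines.append(f"{src},{SERVER_B},60000")
    lines.append("192.0.2.77,203.0.113.20,4000")
    lines.append("192.0.2.78,203.0.113.20,2500")
    return lines


def constructed_dos_flows():
    """Constructed sample: one host alone sends 12 MB at server B in one window."""
    return [f"192.0.2.5,{SERVER_B},12000000"]


def aggregate(lines):
    """Sum bytes and collect distinct sources per destination address."""
    stats = defaultdict(lambda: {"bytes": 0, "sources": set()})
    for line in lines:
        src, dst, nbytes = line.strip().split(",")
        stats[dst]["bytes"] += int(nbytes)
        stats[dst]["sources"].add(src)
    return stats


def classify(lines, window_seconds=WINDOW_SECONDS):
    """Return {dst: {"bps", "sources", "verdict"}} for every destination seen.

    A destination is flagged when its inbound rate reaches ALERT_FRACTION of
    the link; many distinct sources make it a direct DDoS, few make it a DoS."""
    verdicts = {}
    for dst, s in aggregate(lines).items():
        bps = s["bytes"] * 8 / window_seconds
        n_src = len(s["sources"])
        if bps >= ALERT_FRACTION * LINK_CAPACITY_BPS:
            verdict = "direct-ddos" if n_src >= MIN_DISTINCT_SOURCES else "dos"
        else:
            verdict = "normal"
        verdicts[dst] = {"bps": bps, "sources": n_src, "verdict": verdict}
    return verdicts


if __name__ == "__main__":
    for label, flows in (("ddos", constructed_ddos_flows()), ("dos", constructed_dos_flows())):
        for dst, v in classify(flows).items():
            print(f"[{label}] {dst}: {v['bps'] / 1e6:.1f} Mb/s from {v['sources']} "
                  f"source(s) -> {v['verdict']}")
```

The rate threshold alone does not separate the two cases; a single misbehaving host can also fill a link. Counting distinct sources in the same window is what distinguishes a botnet-driven direct attack, and it is also the signal that lets operators begin "burning" the exposed bots described below.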
Direct DDoS attacks are sometimes called burner attacks because devices controlled by the botnet are exposed. Once these devices are exposed, operators can track down and fix or block them, burning the attacker’s ability to use them.
Because compromised devices use their actual IP addresses, direct DDoS attacks do not use source address spoofing. Source address spoofing occurs when a device or host transmits packets using some other address than the one its interfaces are configured to use.
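Source address spoofing, as defined above, is something an edge router can refuse to forward: each packet's source address is checked against the prefixes legitimately assigned behind the interface it arrived on (the ingress-filtering idea of BCP 38). The following is an added example, not code from the original text. It assumes a constructed mapping from customer-facing interfaces to their assigned prefixes and a constructed list of packets; no real router configuration is involved.

```python
"""Strict ingress-filtering check: a packet's source address must fall within a
prefix assigned behind the interface it arrived on, otherwise it is treated as
spoofed and dropped."""
import ipaddress

# Constructed: prefixes assigned to customers behind each interface of an edge router.
INTERFACE_PREFIXES = {
    "eth1": [ipaddress.ip_network("192.0.2.0/24")],
    "eth2": [ipaddress.ip_network("198.51.100.0/25"),
             ipaddress.ip_network("198.51.100.128/25")],
}

# Constructed packets as (ingress_interface, src_ip, dst_ip).
SAMPLE_PACKETS = [
    ("eth1", "192.0.2.44", "203.0.113.10"),      # legitimate: eth1's own prefix
    ("eth1", "198.51.100.9", "203.0.113.10"),    # spoofed: eth2's prefix arriving on eth1
    ("eth2", "198.51.100.200", "203.0.113.10"),  # legitimate: second eth2 prefix
    ("eth2", "10.0.0.5", "203.0.113.10"),        # spoofed: not assigned on any interface
]


def is_spoofed(ingress_if, src_ip):
    """True when src_ip is outside every prefix expected on ingress_if.

    An unknown interface has no assigned prefixes, so nothing from it is
    accepted; that is the safe default for a strict check."""
    addr = ipaddress.ip_address(src_ip)
    prefixes = INTERFACE_PREFIXES.get(ingress_if)
    if prefixes is None:
        return True
    return not any(addr in prefix for prefix in prefixes)


def filter_packets(packets):
    """Split packets into (forwarded, dropped) according to is_spoofed."""
    forwarded, dropped = [], []
    for pkt in packets:
        ingress_if, src, _dst = pkt
        (dropped if is_spoofed(ingress_if, src) else forwarded).append(pkt)
    return forwarded, dropped


if __name__ == "__main__":
    fwd, drp = filter_packets(SAMPLE_PACKETS)
    for pkt in fwd:
        print("forward", pkt)
    for pkt in drp:
        print("drop   ", pkt)
```

A strict check like this belongs at the customer edge, where the set of addresses behind an interface is known and routing is symmetric; applied in the core, where a legitimate source may reach a router over an interface other than the one its prefix is routed through, it would drop real traffic. It also does nothing against a direct DDoS attack, whose bots use their real addresses, which is exactly why those bots are exposed and can be burned.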