#dammitJANET – Distributed Denial of Service (DDoS) explained

Simon Barron (@SimonXIX) explains what DDoS is, how it is used and debunks some myths about it.

On 7 December 2015, the academic network provider, Janet, suffered a DDoS attack which partially brought the service down (Martin, 2015). Workers in Higher Education institutions across the UK (and organisations that have their internet access provided by server farms in HEIs) suddenly found their internet connections weren’t working properly while Jisc engineers scrambled to fend off the attack and restore service.

A DDoS (Distributed Denial of Service) attack is a means of bringing down a server (or a cluster of servers) by flooding it with requests. In normal communication on the web, a local computer (e.g. a Windows desktop PC) sends a request to a server (e.g. by pointing Firefox to http://theinformed.org.uk/) to serve up a webpage; the server then responds by sending the data (e.g. HTML and CSS files) that makes up the webpage. A DDoS attack sends thousands of requests to a server continually from multiple IP addresses so that the server can no longer respond to legitimate requests: either because all of the server’s CPU processing power is consumed at once or because the server’s short-term RAM memory fills up and it crashes.

DDoS (sans the word ‘attack’) can be a valid method of testing the integrity of a server. A developer setting up a web service can perform load testing by incrementally increasing the number of requests sent to a page until it falls down: this gives you the maximum number of users that can use the service at any one time. A tool like Bees with Machine Guns (https://github.com/newsapps/beeswithmachineguns) uses the power of Amazon Web Services to perform stress testing.

However, DDoS is more firmly lodged in the public consciousness as a weapon of hackers. DDoSing without the express consent of the owner of the server is illegal. DDoSers in the USA have been prosecuted under the Computer Fraud and Abuse Act (CFAA) (Coleman, 2014). This weaponised version of DDoS is usually done through botnets. “A botnet is essentially just a collection of computers connected to the Internet, allowing a single entity extra processing power or network connections toward the performance of various tasks including (but not limited to) DDoSing and spam bombing… Participants whose computers are tapped for membership in a botnet usually have no idea that their computer is being used for these purposes. Have you ever wondered why your computer worked so slowly, or strangely? Well, you might have unwittingly participated in a DDoS.” (Coleman, 2014) A computer can become part of a botnet by being infected with a piece of malware.

Another method is a more voluntary form of DDoS using the program Low Orbit Ion Cannon (LOIC), an open-source load testing tool (http://sourceforge.net/projects/loic/). Like its science-fiction namesake, LOIC is simply pointed at a target and then fired: the user enters the IP address of a server and then clicks the large button labelled “IMMA CHARGIN MAH LAZER”. When co-ordinated, a mass group use of LOIC can send thousands of requests at once. However, LOIC offers its users no anonymity: assurances – from the Anonymous #command channel and journalists from sites like Gizmodo – that IP addresses of LOIC-attack participants cannot be logged on a targeted server are wrong: “The DDoS’ed site can still monitor its traffic, culling and keeping IP addresses, which can be subsequently used to identify participants.” (Coleman, 2014)
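As an added example (not code from the article), this is the kind of per-source monitor a targeted site can run over its own access logs, as described above: it keeps a sliding window of request timestamps per client IP and flags any address whose request rate crosses a threshold. The log lines, addresses and traffic pattern are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined-format access log line: we only need the client IP and the timestamp.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp) for one access log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)

def flag_flooders(lines, window=timedelta(seconds=10), threshold=100):
    """Sliding-window request count per source IP.

    Returns {ip: peak requests seen within any single window} for every source
    that crossed threshold, i.e. the addresses worth rate-limiting or blocking.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue              # malformed line: skip it rather than crash the monitor
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

def make_sample_log():
    """Constructed log (hypothetical traffic): one normal visitor plus a 60 s burst from three sources."""
    base = datetime.strptime("07/Dec/2015:09:00:00 +0000", TS_FMT)
    lines = []
    for i in range(300):                      # five minutes of traffic, one second per step
        ts = (base + timedelta(seconds=i)).strftime(TS_FMT)
        if i % 30 == 0:                       # ordinary visitor: one request every 30 s
            lines.append(f'198.51.100.5 - - [{ts}] "GET / HTTP/1.1" 200 5123')
        if 100 <= i < 160:                    # flood: three sources at 20 requests/s each
            for src in ("203.0.113.7", "203.0.113.8", "203.0.113.9"):
                lines.extend(f'{src} - - [{ts}] "GET / HTTP/1.1" 503 0' for _ in range(20))
    lines.append("not a log line; the monitor must ignore it")
    return lines
```

Calling `flag_flooders(make_sample_log())` returns the three flooding addresses, each with a peak of 220 requests inside a 10-second window, while the ordinary visitor is never flagged.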

A DDoS attack is fairly simple hacking: on its own it does nothing more than disrupt a service in a way that is easy to recover from and temporarily take down the public face of a company.

(Monroe, 2011: image licensed as CC BY-NC 2.5)

The real issue is what hacking can be done under the cover of a DDoS attack. While server defences are weakened by devoting processing power to dealing with requests, and while sysadmins are distracted fending off the attack, a hacker can covertly perform more malicious hacks such as accessing data in a server’s database, changing passwords, planting code or simply ‘rm -rf /’-ing the whole server.

The impetus for this kind of malicious DDoS attack can be political or simply, in the words of hackers, “for the lulz” (Coleman, 2014). DDoS as a tactic for political activism has become associated with the trickster hacker collective, Anonymous, who have used it to take down the websites and servers of various companies or groups. Since DDoS can be used to crash a server, it has been used to take down websites from the Church of Scientology’s site to Sony’s PlayStation Network to PayPal (Coleman, 2014).

The use of DDoS as a tool for political activism is hotly debated among hackers. Groups like the Pirate Party and AnonOps (operational planners of Anonymous) disagree about the ethics and efficacy of using DDoS (Coleman, 2014). On one hand are those who argue that DDoSing is nothing more than another “large-scale, rowdy, disruptive [tactic] to draw attention and demand change.” (Coleman, 2014): no different fundamentally from a sit-in protest, a direct action blockade, or an occupation of a physical space. The only differences are squatting on digital space rather than physical space and the increased numbers of participants that can be involved in a protest via DDoS. Anonymous also argue that the visibility of the action and its ability to get the mainstream media’s attention justifies its use to highlight political and social justice issues. In 2013, Anonymous posted a petition on whitehouse.gov asking that DDoS be recognised as a legal form of protesting, the same in kind as the Occupy protests (whitehouse.gov, 2013).

On the other hand, other hackers invoke principles of free speech and freedom of information to decry the use of DDoS. With an absolutist view of free speech, taking a website offline is depriving the company or group that owns the website from expressing their views (via the medium of webpages) and also depriving the public of information. Oxblood Ruffin of the Cult of the Dead Cow hacker collective reasons that “Anonymous is fighting for free speech on the Internet, but it’s hard to support that when you’re DoS-ing and not allowing people to talk. How is that consistent?” (Mills, 2012) When using a botnet, there are also ethical concerns in harnessing someone’s computer without their consent to participate in illegal activity.

On the other other hand, a “more dynamic view of free speech could take power relations into account. By enabling the underdog—the protester or infringed group—to speak as loudly as its more resourceful opponents (in this case, powerful corporations), we might understand a tactic like DDoS as a leveler: a free speech win.” (Coleman, 2014)

In a sample of a chat log from an IRC chatroom, #antiactaplanning (quoted in Coleman, 2014), Anonymous members debated the use of DDoS on a US Government website:

<golum>: Whatever, listen. I’ve heard all the arguments for NOT ddosing. But the truth is we need to wake them up.

[…]

<golum>: I understand that ddosing could potentially harm our cause.

<golum>: But I think the risk is worth it.

<fatalbert>: well i as for myself disagree therefore im not helping with ddos

<golum>: We need attention

<+void>: OMG ITS THE ANONYMOUS, THE ONLY THING THEY DO IS DDOS, OMGOMGOMOGMOMG LETS MAKE ACTA PASS ON POSITIVE

<golum>: No.

<golum>: matty—how did contacting the politicians go?

<BamBam>: Yeah I’ve always kinda hated ddos

<golum>: Look. i’ve heard the arguments I just wanted to say, we should do this.

It’s unclear why Janet, the network enabling internet access for UK HEIs, came under attack this week. At the same time, the Jisc website received a direct DDoS attack as well (Jisc, 2015). It’s worth noting that although internet access through Janet in the UK was disrupted, users were still able to access the wider web by routing their traffic outside of the UK network, either through a VPN like Bitmask (https://bitmask.net/) or through the Tor Project’s Tor Browser (https://www.torproject.org/). Such tools are often mistakenly perceived as being used exclusively by hackers, those accessing the ‘Dark Web’, criminals, or terrorists. Following the November 2015 Paris attacks by Daesh, the French Government have openly discussed banning the use of Tor Browser in the same way as Iran or China (Griffin, 2015). In reality, online privacy tools have legitimate and valid uses for defence in computer security: whether against DDoSers or against governments and corporations conducting mass digital surveillance.

Whether morally legitimate or not, DDoSing is an effective tactic for hackers and other political activist groups. The core strength of DDoS is that it exploits a weakness in the fundamental principle of the internet: computers using telecommunications networks to request data from one another.


References:

Coleman, G., 2014. Hacker, hoaxer, whistleblower, spy: the many faces of Anonymous. London: Verso.

Griffin, A., 2015. ‘France could ban public Wi-Fi and Tor anonymous browsing following Paris attacks’ in The Independent, 2015-12-07 http://www.independent.co.uk/news/world/europe/france-could-ban-public-wi-fi-and-tor-anonymous-browsing-after-paris-attacks-a6763001.html

Jisc, 2015. ‘DDoS attack disrupting Janet network’ on Jisc website, 2015-12-08 https://www.jisc.ac.uk/news/ddos-attack-disrupting-janet-network-08-dec-2015

Martin, A. J., 2015. ‘UK research network Janet under ongoing and persistent DDoS attack’ on The Register, 2015-12-07 http://www.theregister.co.uk/2015/12/07/janet_under_persistent_ddos_attack/

Mills, E., 2012. ‘Old-time hacktivists: Anonymous, you’ve crossed the line’ on CNET, 2012-03-30 http://www.cnet.com/news/old-time-hacktivists-anonymous-youve-crossed-the-line/

Monroe, R., 2011. ‘CIA’ on xkcd, 2011-08-01 https://xkcd.com/932/

whitehouse.gov, 2013. ‘Make, distributed denial-of-service (DDoS), a legal form of protesting.’ on petitions.whitehouse.gov, 2013-01-07 https://petitions.whitehouse.gov/petition/make-distributed-denial-service-ddos-legal-form-protesting
