On New Year’s Eve 2015, the BBC became the victim of a record-breaking 602Gbps DDoS attack. Many of the BBC’s websites and online broadcasts were brought down, including its iPlayer streaming TV service. The pro-human-rights group “New World Hackers” (NWH) claimed responsibility and have now publicly discussed their methods and motive for the attack.
The first and most obvious thing to comment on about this attack is the sheer size of it: 602Gbps. This is massive, roughly the same as 100,000 home ADSL connections each streaming media from a website at around 6Mbps. It is also completely unprecedented and blows away the previous DDoS record of 334Gbps detected by Arbor Networks in 2015. Many people are sceptical that this attack was anything close to 602Gbps, but crucially it isn’t the NWH that came up with this number, it’s the BBC: their own monitoring reported it (using dstat).
The big question everyone is asking is “why the BBC?”, given that it is an independent news organisation that reports on human rights abuses and Daesh activity. Theories were that the attack was purely for fun, was promoting chargeable DDoS-for-hire services, or was just promoting the NWH name. According to NWH themselves, the motive was nothing that deliberate: they were simply looking for a website with reputedly large internet pipes on which to test their new DDoS capability. Apparently they were not expecting the attack to generate such massive throughput or to disrupt the BBC as much as it did. The attack itself lasted less than 20 minutes, but the BBC had services unavailable for the next 24 hours.
It’s worth noting that the NWH also tested their tools against Donald Trump’s website, but using a layer-7 attack. This flooded his servers with up to 120,000 web requests per second, scripted to bypass the site’s DDoS protection (Cloudflare).
There are many ways to launch a DDoS attack. In this case the NWH used thousands of compromised systems acting as one (a botnet) to generate a huge volume of raw traffic, then combined this with zero-day DDoS techniques and amplification to boost the attack up to the recorded peak of 602Gbps. There is no reason why NWH or similar groups can’t grow this capability and launch even larger attacks, and very few organisations globally could stand up to one.
So are the NWH bad guys? If anyone were going to think so, you’d expect it to be the BBC’s techies, but even they have been in fairly good spirits about the attack (so NWH claim) and are keen to learn from the incident and improve their systems going forward. (Note that this isn’t necessarily easy when you rely on clean-pipe ISP services and have a constrained budget for anything else.) Aside from the BBC and Trump DDoS tests/attacks, the NWH have focused their activities on taking down websites of Daesh, the KKK and other organisations they deem to promote harm to others. In a recent interview NWH said they wouldn’t be attacking websites for fun and would be solely focused on disrupting hateful propaganda. The NWH’s affiliation with Anonymous groups may swing your own opinion of them one way or the other, but personally I’m just hopeful that they stay on their current path of trying to be a force for good.
For any organisation concerned about DDoS attacks, it ultimately comes down to how much you value your website’s availability versus the cost of robust defences. The average DDoS-for-hire service (aka “booter” or “stresser”) can easily get you a 50Gbps attack for tens of dollars, but protection against that level of attack will cost thousands. Scale up to 600+Gbps protection and you are looking at a seriously expensive shopping list. You need to pick a level of protection that makes sense for your business and the risk profile you face.
Technically, a robust defence needs to handle both volumetric attacks (raw bandwidth) and layer-7 (application) attacks. NWH showed that simple proxy-based volumetric defences such as Cloudflare can be bypassed with the right scripts. Defence in depth is the answer here: distributed cloud systems to soak up the large volumes of data, basic CAPTCHAs and application-layer inspection to scrub out bad traffic (or allow only known-good traffic), firewall blocking of the proxies used to launch layer-7 attacks, and real-time analysis so you can respond while the attack is under way.
We often think of DDoS as a “front-door” problem: hitting you directly on your main website and taking the service down. But the same result can often be achieved by hitting you from a different direction. One of the simplest ways to take down many websites at once (NWH does this regularly) is to attack the DNS servers of the victim websites, yet most organisations leave their DNS infrastructure unprotected. Another route is to attack an organisation’s office mail server, VPN and/or internet connection. Take down a company headquarters’ internet connection and staff lose web and email access to the outside world, while remote users can’t reach their work. That level of disruption could far outweigh the cost to the victim of just hitting their public website.
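The “real-time analysis” part of that defence in depth is mostly about spotting a layer-7 flood in your own web logs before the application falls over: a volumetric attack announces itself on the pipe, but 120,000 scripted requests per second look like ordinary GETs to a proxy unless you rate them per source. The following is an added example of that detection logic, stdlib Python written for this article rather than anything the BBC, Cloudflare or NWH run. The log lines are constructed in the combined log format (the IP addresses are documentation ranges), the 10 requests/second threshold is an assumed figure, and the allowlist stands in for the “only allow known good” idea in the paragraph above. It generalises slightly beyond the text: the same bucketing can be keyed on the User-Agent string instead of the source address, which catches a distributed flood whose individual bots stay under the per-IP threshold but share one scripted client.

```python
"""Layer-7 flood detection over web access logs (added example, stdlib only)."""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format:
# ip ident user [timestamp] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def peak_rps(lines, key="ip", window_s=1):
    """Peak request rate per source: the most requests any one value of `key`
    (source IP by default, or "ua" for User-Agent) made inside a single
    window_s-second bucket. Unparseable lines are skipped, not counted."""
    buckets = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        bucket = int(rec["ts"].timestamp()) // window_s
        buckets[rec[key]][bucket] += 1
    return {src: max(counts.values()) for src, counts in buckets.items()}


def flag_floods(lines, threshold, allowlist=frozenset(), key="ip", window_s=1):
    """Sources whose peak rate exceeds `threshold`, minus known-good entries,
    highest rate first. These are the candidates to block or challenge."""
    peaks = peak_rps(lines, key, window_s)
    hits = [(src, rate) for src, rate in peaks.items()
            if rate > threshold and src not in allowlist]
    return sorted(hits, key=lambda h: (-h[1], h[0]))


# --- constructed sample log (not real BBC traffic) ---------------------------
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/43.0"
SCRIPTED_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/47.0"   # what the bots send
MONITOR_UA = "uptime-monitor/1.0"


def _line(ip, ts, path, ua):
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 5120 "-" "{ua}"'


SAMPLE_LOG = (
    # one bot: 12 requests inside the same second, cache-busting query strings
    [_line("203.0.113.7", "31/Dec/2015:23:59:01 +0000", f"/news?x={i}", SCRIPTED_UA)
     for i in range(12)]
    # a normal visitor: two requests, seconds apart
    + [_line("198.51.100.20", "31/Dec/2015:23:59:01 +0000", "/", BROWSER_UA),
       _line("198.51.100.20", "31/Dec/2015:23:59:03 +0000", "/iplayer", BROWSER_UA)]
    # an uptime monitor: 11 hits in one second, but a known-good source
    + [_line("192.0.2.50", "31/Dec/2015:23:59:02 +0000", "/health", MONITOR_UA)
       for _ in range(11)]
    # a line the regex rejects, to show it is skipped rather than crashing
    + ["garbage that is not an access log line"]
)

KNOWN_GOOD = frozenset({"192.0.2.50"})

if __name__ == "__main__":
    for src, rate in flag_floods(SAMPLE_LOG, threshold=10, allowlist=KNOWN_GOOD):
        print(f"block candidate {src}: peak {rate} req/s")
    for ua, rate in flag_floods(SAMPLE_LOG, threshold=10, key="ua"):
        print(f"suspicious client string {ua!r}: peak {rate} req/s")
```

Run as a script it names the single bot and the scripted User-Agent; feed it a live `tail -f` of the access log and the same functions become the input to a firewall or proxy block rule. The one-second bucket is deliberately crude: a real deployment would use a sliding window and a threshold derived from the site’s normal per-client rate, and would treat the output as a list to challenge with a CAPTCHA before outright blocking, since a shared NAT address can legitimately exceed a naive threshold.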
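The DNS point above is easy to check for your own domains: if every authoritative nameserver sits in the same /24, or in the same network as the web front end, one volumetric attack on that prefix takes out both the site and the ability of anyone to resolve it. The following is an added example of that check, written for this article and not taken from any tool mentioned on the page. It works on a list of (hostname, IP) pairs you would obtain from `dig NS` and `dig A`/`AAAA`; the sample nameserver sets are constructed with documentation addresses, and the choice of /24 (IPv4) and /48 (IPv6) as the “failure domain” is an assumed approximation for a provider prefix, not a standard.

```python
"""Does a zone's authoritative DNS share a failure domain with itself or the
web front end? (added example, stdlib only)"""
import ipaddress
from collections import defaultdict


def failure_domain(ip, v4_prefix=24, v6_prefix=48):
    """Approximate the network an address would go down with: its /24 for
    IPv4 or /48 for IPv6 (assumed prefix sizes, tune to your providers)."""
    addr = ipaddress.ip_address(ip)
    plen = v4_prefix if addr.version == 4 else v6_prefix
    return ipaddress.ip_network(f"{addr}/{plen}", strict=False)


def group_nameservers(nameservers):
    """{failure_domain: [hostnames]} for a list of (hostname, ip) pairs."""
    groups = defaultdict(list)
    for host, ip in nameservers:
        groups[failure_domain(ip)].append(host)
    return dict(groups)


def assess(nameservers, web_ips=()):
    """Return (code, detail) findings; an empty list means the DNS would
    survive the loss of any single prefix, including the web front end's."""
    findings = []
    if len(nameservers) < 2:
        findings.append(("too_few_nameservers",
                         f"{len(nameservers)} authoritative nameserver(s)"))
    groups = group_nameservers(nameservers)
    if nameservers and len(groups) < 2:
        net = next(iter(groups))
        findings.append(("single_prefix", f"all nameservers sit in {net}"))
    web_nets = {failure_domain(ip) for ip in web_ips}
    for net, hosts in groups.items():
        if net in web_nets:
            findings.append(("shares_prefix_with_web",
                             f"{', '.join(hosts)} share {net} with the web front end"))
    return findings


# --- constructed examples (documentation ranges, not real zones) --------------
WEB_FRONT_END = ["192.0.2.80"]

# Both nameservers on the same /24 as the website: one attack takes out all three.
SAME_RACK = [("ns1.example.com", "192.0.2.10"),
             ("ns2.example.com", "192.0.2.11")]

# Three providers, one of them IPv6-only, none sharing a prefix with the site.
DIVERSE = [("ns1.example.net", "198.51.100.53"),
           ("ns2.example.net", "203.0.113.53"),
           ("ns3.example.net", "2001:db8:1::53")]

if __name__ == "__main__":
    for label, servers in (("same rack", SAME_RACK), ("diverse", DIVERSE)):
        print(label, assess(servers, WEB_FRONT_END) or "OK")
```

In practice you would run this against the real NS set after resolving it, and extend `failure_domain` to map prefixes to providers or autonomous systems rather than /24s; but even this crude version catches the common case of a registrar-provided pair of nameservers living next to the web server on the same hosting network.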
If you want to have a chat about DDoS protection or have any comments, catch me on Twitter: https://twitter.com/CarlGottlieb
And also check out New World Hackers on Twitter: https://twitter.com/NewWorldHacking
For the full audio interview with the New World Hackers on the BBC attack, listen to episode 1 of the Command and Control Information Security Podcast, available via the website, iTunes or any podcast player.