Several banks and websites in the Netherlands – including the Dutch tax authority – have fallen victim to severe distributed denial of service (DDoS) attacks in recent months – and the suspected culprit is just 18 years old. He allegedly bought webstresser tools online to carry out the attacks.
In the wake of the attacks, security experts have suggested that more cooperation between organisations can help to tackle the problem. In an open letter, five experts said companies, banks, government institutions and the Dutch national cyber security centre should work together to identify malicious actors and websites.
Any strategy to prevent and fight DDoS attacks must start by identifying the threat. After the attacks in the Netherlands in late January, many were quick to point an accusing finger at Russia.
“Analysts, researchers and even police detectives rely on confirmation bias,” said John Fokker, head of cyber investigations at McAfee, who previously worked for the digital branch of the Dutch police. “Once it was seen that an IP address in the attack came from Russia, it was easy for investigators to conclude that the attack was Russian.
“But a Russian IP address can mean many things, like a proxy. You have to look at all the evidence – what can you really prove?”
McAfee experts in the Netherlands have reported a rise in the use of DDoS attacks by young gamers. Christiaan Beek, lead scientist at McAfee, said youngsters have been buying DDoS attack tools to thwart their opponents in online gaming, and sometimes use attacks to take rivals’ dedicated servers offline so other players are forced to play on the attacker’s server.
Central to the rise in DDoS attacks is these tools’ increasing availability on the internet. Like other forms of cyber crime, DDoS attacks are moving towards a software-as-a-service (SaaS) model, in which attackers can pay to use a server. The more they pay, the more data the attack can fire at a target and the longer the attack will remain active.
But unlike other malware-as-a-service models, DDoS-for-hire services appear at least semi-legitimate. An attacker does not even need to browse the dark web to find the tools they need – they can be found on the first page of a Google search.
“A lot of these tools pretend to be legitimate webstressers for testing companies’ internal capacities,” said Fokker. “What the websites don’t show is the underlying technology used to generate all this data.
“If such a tool was truly legitimate, they would tell you where they generate their traffic. The lack of that information is a good indication that something is wrong.”
In malicious cases, such tools use botnets to generate traffic, he added.
The Netherlands police digital branch recently took a website offline that was selling such “semi-legitimate” webstressers. The site, webstresser.org, was one of the world’s largest. For a short period of time, the service was hosted in the Netherlands, enabling the Dutch police to find many clues about it.
Although there are sometimes legitimate uses for webstressers, the Dutch police said it “doesn’t consider them legitimate pen-testing services”. Because the stressers often have anonymous payment methods, anonymous administrators and a lack of IP address checking, the police treat such websites as malicious.
But it is not just security experts who are recommending countermeasures. One of the banks that fell victim to the attacks was Bunq, which was founded by Ali Niknam, an entrepreneur in the Dutch tech industry.
Niknam said that to protect against DDoS attacks, cyber security should be an integral part of every employee’s mindset. “Everyone has to know the protocol,” he said. “What do you do when an attack hits? Who do you call, what equipment do you use? Where are the weak spots in your system?”
Niknam compared DDoS prevention to the use of smoke detectors. “They work great, but not when you put them up after the fire has already started,” he said.
He also pointed to the use of “scrubbing centres” to fight DDoS attacks. During an attack, the target’s inbound traffic is rerouted through a scrubbing centre, which filters out the malicious traffic and forwards only legitimate requests from genuine customers. “We use a scrubbing centre, which is expensive, but worth the money,” he said.
The experts who call for more cooperation between organisations also suggest a national scrubbing centre for the Netherlands that all banks and institutions can use.
In fact, most of the banks that fell victim to January’s attacks had extensive cyber defence mechanisms in place. The Dutch tax authority even has a security operations centre that “fights multiple attacks on a daily basis”, according to a spokesperson. The same goes for ING, the Netherlands’ biggest bank.
“But if someone really has it in for you, they can take you down,” said a spokesperson at ING. “It’s a cat-and-mouse game between companies and hackers. You take measures, hackers circumvent those. Rinse and repeat.”
Most worrying is the increasing size of DDoS attacks, which can reach one terabit per second.
Cooperation between organisations to fight DDoS attacks should be based on two principles: dividing the data load during an attack, and sharing information to prevent future attacks.
In the latter case, experts in the Netherlands recommend a platform to share knowledge and experiences about current and past attacks. They suggested making fingerprints of the IP addresses used in attacks, using crawlers that search for websites that sell stresser tools, and setting up honeypots to map infected internet of things (IoT) devices.
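The attack-fingerprinting idea above is the kind of thing that can be automated. The following is an added example, not code from the article, McAfee or the Dutch police: it takes constructed flow records (the six-field line format, the sample addresses and the 10,000 packets-per-second threshold are all assumptions made for the example), flags sources whose per-second packet rate exceeds the threshold, and summarises them together with the targeted service into a record that another organisation could compare against its own.

```python
"""Build a shareable fingerprint of a volumetric attack from flow records.

Constructed example: each record is
"<epoch_seconds> <src_ip> <dst_ip> <proto> <dst_port> <packets>".
Sources whose packet rate exceeds a threshold in any one-second bucket are
treated as attack sources; the fingerprint lists them with the targeted
protocol and port so partner organisations can compare or block.
"""
from collections import Counter, defaultdict
import hashlib
import ipaddress
import json

# Constructed sample flows: three flooders hammering UDP/53 on one target,
# two ordinary HTTPS clients, and one malformed line to exercise the parser.
SAMPLE_FLOWS = """\
1517400000 198.51.100.7 203.0.113.10 udp 53 48000
1517400000 198.51.100.8 203.0.113.10 udp 53 51000
1517400000 192.0.2.44 203.0.113.10 udp 53 47000
1517400000 192.0.2.9 203.0.113.10 tcp 443 120
1517400001 198.51.100.7 203.0.113.10 udp 53 49500
1517400001 198.51.100.8 203.0.113.10 udp 53 50200
1517400001 192.0.2.44 203.0.113.10 udp 53 46800
1517400001 203.0.113.200 203.0.113.10 tcp 443 80
1517400001 bogus line
"""

PPS_THRESHOLD = 10_000  # assumed per-source packets-per-second threshold


def parse_flows(text):
    """Parse one flow record per line; malformed lines are skipped, not fatal."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, src, dst, proto, port, packets = parts
        try:
            ipaddress.ip_address(src)
            ipaddress.ip_address(dst)
            flows.append((int(ts), src, dst, proto.lower(), int(port), int(packets)))
        except ValueError:
            continue
    return flows


def attack_sources(flows, threshold=PPS_THRESHOLD):
    """Return {src_ip: peak pps} for sources exceeding the threshold in any second."""
    per_second = defaultdict(int)
    for ts, src, _dst, _proto, _port, packets in flows:
        per_second[(src, ts)] += packets
    peaks = {}
    for (src, _ts), pps in per_second.items():
        if pps > threshold:
            peaks[src] = max(pps, peaks.get(src, 0))
    return peaks


def fingerprint(flows, threshold=PPS_THRESHOLD):
    """Summarise attack sources and the targeted service into a shareable record.

    Returns None when no source crosses the threshold, so callers can tell
    "no attack seen" apart from an attack with an empty source list.
    """
    peaks = attack_sources(flows, threshold)
    if not peaks:
        return None
    attack_flows = [f for f in flows if f[1] in peaks]
    # The most common (target, protocol, port) triple among attack flows.
    (dst, proto, port), _ = Counter((f[2], f[3], f[4]) for f in attack_flows).most_common(1)[0]
    sources = sorted(peaks, key=ipaddress.ip_address)
    # Stable identifier over the shared fields, so two parties computing it
    # from the same source set and target service get the same id.
    digest = hashlib.sha256(json.dumps([proto, port, sources]).encode()).hexdigest()[:16]
    return {
        "id": digest,
        "target": dst,
        "protocol": proto,
        "dst_port": port,
        "sources": sources,
        "peak_pps_per_source": peaks,
        "start": min(f[0] for f in attack_flows),
        "end": max(f[0] for f in attack_flows),
    }


def shared_sources(fp_a, fp_b):
    """Sources that two organisations' fingerprints have in common."""
    return sorted(set(fp_a["sources"]) & set(fp_b["sources"]), key=ipaddress.ip_address)


if __name__ == "__main__":
    print(json.dumps(fingerprint(parse_flows(SAMPLE_FLOWS)), indent=2))
```

A fixed packets-per-second threshold is the simplest possible detector and will misclassify legitimate high-volume clients (a recursive resolver, a CDN node); a production version would baseline each source and only share the fingerprint once a human has confirmed the incident. Spoofed source addresses, common in UDP floods, mean the listed sources may be reflectors or victims rather than bots, which is exactly the confirmation-bias trap described earlier in the article.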
That last point is important for the fight against DDoS attacks. Many attacks are conducted using botnets comprising millions of IoT appliances with weak or default passwords.
In its coalition agreement last year, the Dutch government pledged to take action against the bad security of IoT devices. It wants to implement new standards, but is most likely to have to seek European cooperation to do so.