Many of you know that multiple cryptocurrency exchanges, and projects, will be attacked from time to time. Many times the exchange will be threatened to be attacked if the exchange does not pay a ransom amount. This recently occurred with graviex.net over the weekend, and from our understanding is currently on-going with other exchanges. Graviex announced on Discord and Twitter that their upstream equipment provider took the hit and what caused the outage.
With many companies that start up, they always try and place security protects as these issues have been going on for many years against business infrastructure. But as technology advances, we are seeing larger amounts of data being used. Additionally, we are seeing many new sophisticated attacks being launched in conjunction with the normal tool kits. As systems are attacked, companies must adjust the security policies and infrastructures to deal with the attackers and keep user data safe and online. However, this can cause downtime in itself as it takes time to deploy. In a later post on Graviex's Twitter account, they claimed to be able to deal with a large volume of data and stay in operations with its user base.
Attackers will quickly move between one target and another if they can keep using the same vulnerability or tool. Once the network has put proper support against DDoS, or remove the vulnerable issue, the attackers switch target. Shortly after Graviex reported issues, Stex.com also reported issues with a DDoS attack via their Twitter account. With the targets coming so close together, we suspect it is a problem from the same group or groups that are hitting both exchanges.
We originally released a version of this guide on https://www.digitalizedwarfare.com and have decided to update it and put it here due to the topic and the current threat landscape. In this guide, I will attempt to explain the subject of DDoS and a few of the tools that are used to do it. In addition, we hope that this article inspires you to seek out DDOS protection for your project or exchange.
This is a very old attack style that has been around since the internet has existed, and will always be a valid attack vector. This attack targets a flaw that exits at the very core structure of the internet-connectivity. If you cannot connect, you cannot get to your resource, as well as your resource cannot get to you.
There are applications that exist in both Windows and Linux that will do this task for you, but offer little understanding to what the software is actually doing or why it works. The effect of this is that you get literally no understanding of how to stop it. In addition, this attack is not considered a stealth attack. In fact, this is a very loud attack that will catch anyone's attention
**Disclaimer : This document should be used as educational material and should not be used on hardware or systems that you do not own or are not authorized in writing to do so on. I take no responsibility for this document or if a monkey beats you in the head with your keyboard while reading it. This has nothing to do with me, us, we, or monkeys. By continuing on, you agree that this material will never be used to do anything to anyone at any time in any place ever in any point of history.
Why are we seeing an increase in DDos attacks in the cryptocurrency space?
Cryptocurrency exchanges have become a hotbed of extortion, ransom, and sabotage. In cryptocurrency, theft of user's funds has become almost a daily occurrence. With a cryptocurrency exchange, every hour it is offline is an hour that the trading is disrupted and investor's worry grows. Criminals know this, and so do exchanges, and that is what makes them a valuable target for ransom. Exchanges that pay the fee are under no real assurance they will not be attacked, while exchanges that say no, are attacked. Until proper DDoS defenses are put into play, this is a continuing cycle.
What are the most common types of DDoS attacks?
The most common type of Denial of Service attacks involve flooding the targets with large amounts of external communication requests. These requests, which are specially crafted, overload the systems targeted, and stops it from responding to legitimate traffic, or slows its response so much that it is considered effectively off-line.
What kinds of devices can be targets? computers? exchanges?
Not all DDoS attacks are against hardware. Some DoS attacks can also target available system resources, such as bandwidth, disk space, CPU time, configuration information. Moreover, a DoS attack can be designed to: max out the processor, preventing usage; trigger errors in machine microcode or sequencing of instructions, forcing the computer into an unstable state and crashing the operating system altogether. With the addition of the "IoT" market, this means pretty much everything is fair game.
What are the differences between a DoS and a DDoS attack?
In most cases, its the number of computers and the complexity of the attack. In a DoS attack, it is most commonly found there is one computer and one server or resource. In a DDoS attack, there can be thousands of computers, sometimes called a bot-net, and a few servers, ports, or other systems.
What are the most common types used today?
We try to define the different attacking into three main categories.
Size or Volume Based Attacks
Protocol Based Attacks
Application Layer Based Attacks
While SIZE or Volume based attacks may include:
UDP floods : Sending data to ports on the machine. When the machine get the request it has to look through its list of programs listening on ports and try to match the request. If it cannot it sends back a ICMP Unreachable Packet..
ICMP floods or Ping Floods : Sends massive amounts of ping requests to overload server or resource. Can be one user or a bot-net.
Spoofed-packet floods : Here we fake the origin of the UDP Packet to keep the attacker machines from receiving the request.
Here, the attackers main goal is to exhaust the bandwidth of the server or site. We measure the attack size in bps. (bits per second) and by its duration. In recent years, we have seen an increased amount of data but for lower duration's of time. As to before, lower amounts of data but the attack lasted for days.
There are a few notable types of protocol attacks. They include SYN floods, fragmented packet attacks, Ping of Death,and my favorite…. The Smurf Attack. When we look at these attacks, they use many of the server resources, and other hardware, such as firewalls and load balancers. These attacks are measured in PPS. ( Packets per second )
The Smurf Attack : Oh smurf me!!
The Smurf Attack is a very old-school ( around 1998 * Patched Now ) attack that we do not see often. It's like the Perfect Smurfing Storm. By taking advantage of ICMP, and sending a ECHO request to the server, the server would respond with a response. The response was called a ICMP ECHO RESPONSE. By pinging the IP broadcast address, the device would forward a copy to any other on the network. Since it's a BROADCAST request, they will respond to the request. The attacker has forged the IP address to his victim IP address and all responses will go there. Each machine participates in the DDoS attack by their response.
Fraggle : Similar to Smurf. Uses broadcast to create amplification.
The application layer presents the most dynamic attack vector. Some application layer attacks are Slowloris, Zero-day, DDoS attacks, that target Apache,Linux, BSD, and Windows. Where each request is a real request, the goal of these attacks is to crash the web server. We measure these attacks in RPS. (requests per second)
What tools are available on the net?
There are a few key tools that will be covering in the following topics. These tools are freely available and we will try to give advice or insight when we can. Please read the documentation on the tool. If you don’t, your just cheating yourself out of some unique attack possibilities. My machine is stock Kali Linux in all of the following. If we are including video demo the we are using Virtual Box and all attacked were on our own network.
Some of the tools are installed through wget or git. Make sure you have Java installed. Some tools may have been updated since I wrote this, but I hope it covers the basics.
HPING : When you just need that TCP packet army!
HPing is a command-line oriented TCP/IP packet assembler/analyzer. The interface is inspired to the ping(8) unix command, but HPing isn't only able to send ICMP echo requests. It supports TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files between a covered channel, and many other features.
Normal hping DoS attack:
hping3 -S -i u100 riaa.org
Spoofed random source address attack:
hping3 -S -i u100 riaa.org --rand-source
Reflected attack(it looks like mpaa.org is DoS'ing riaa.org)
hping3 -S -i u100 riaa.org -a mpaa.org
Advanced port scanning
Network testing, using different protocols, TOS, fragmentation
Manual path MTU discovery
Advanced traceroute, under all the supported protocols
Remote OS fingerprinting
Remote uptime guessing
TCP/IP stacks auditing
hping can also be useful to students that are learning TCP/IP.
HPING Website : https://tools.kali.org/information-gathering/hping3
Low Orbiting Ion Cannon : Amass the army...
LOIC is an application developed by 4Chan-affiliated hackers designed to launch and carry out Distributed Denial of Service (DDoS) attacks on websites or Servers. The idea behind LOIC is that it can allow you to participate in attacks, even if you’ve no clue how to hack. Just download a copy of LOIC punch in the target information like a URL or an IP address and your now ready to try and knock something down.
HIVEMIND mode will connect your client to an IRC server so it can be controlled remotely. Think of this as a voluntary botnet. Please be aware that your client can potentially be made to do naughty things. Note: It does NOT allow remote administration of your machine; it just providees control of LOIC itself.
GitHub Link : https://github.com/NewEraCracker/LOIC/
Follow the step below into install Low Orbiting Ion Cannon into your opt folder. You will need to have Java in order to run it.
My Java Version Info :Java version “1.6.0_34”
Create folder in /opt called loic : mkdir -p /opt/loic
Download Java version into /opt/loic
Set file Executable : chmod +x /opt/loic/JavaLOIC.jar
Run LOIC : java -jar /opt/loic/JavaLOIC.jar
Ive had different results by lowering the timeout value and increasing the threads. As well as un-checking : Wait For Reply and also HTTP or UDP
By running a ping on the host you can see the response time increasing. Running multiple connections from multiple machine will knock the server off-line.
High Orbiting Ion Cannon : Attack from the Cloud
The HOIC is actually an upgrade to an older program, the Low Orbit Ion Cannon, which had been a favored tool of Anonymous and other hacker groups. But the HOIC, which has been around for a little while and is gaining popularity among hackers this year, is much more powerful.
Follow the steps below to install High Orbit Ion Cannon into your /opt folder. You need to have wine installed to run it.
My Wine Version info : wine-1.4.1
Create Folder in /opt called Hoic : mkdir -p /opt/Hoic
Download Rar File into /opt/Hoic
Unrar file : unrar e Hoic.rar
Start Hoic : wine /opt/Hoic/wine hoic2.1.exe
Usage here is pretty simple. Set the number of threads and hit the Fire Button!! SMH!!!
Slowloris : Leave those doors open
Slowloris is a piece of software written by Robert “RSnake” Hansen, which allows a single machine to take down another machine’s web server with minimal bandwidth and side effects on unrelated services and ports.**
Slowloris tries to keep many connections to the target web server open and hold them open as long as possible. It accomplishes this by opening connections to the target web server and sending a partial request. Periodically, it will send subsequent HTTP headers, adding to—but never completing—the request. Affected servers will keep these connections open, filling their maximum concurrent connection pool, eventually denying additional connection attempts from clients.**
This type of attack works best against low-traffic sites on Apache and a variety of other web servers by eating up available network ports on the server. It’s ideal for attacks on servers in places where there’s a concern about there being enough bandwidth for a brute-force DDoS to succeed, or where there’s concern about the collateral damage to other users on the same network. That’s why Slowloris was used against Iranian servers during the protests around the Iranian elections in 2009.
While Slowloris works on linux systems, there is a way to run it on Windows, but it is limited to around 130 to 140 socket connects. We really need a lot more connections to be created to ensure that our target is down. A security research names Christopher Gilbert has developed a python version called PyLoris that he says can use up to or more than 6,000 connections. With this speed improvement, it will become a important tool in the attackers arsenal.
PyLoris includes a nice feature called the TOR Switcher. With this feature we can now have attacks that can be carried out over the Tor Network and switch between Tor identities, and it allows the attackers location to appear to be changing as the Tor Circuit is rebuilt. as curt wilson said "If you use volumetric floods on top of specific application attacks [like Slowloris], it’s a pretty powerful combination."
**From Wikipedia : https://en.wikipedia.org/wiki/Slowloris_%28software%29
SlowLoris Software URL : https://github.com/llaera/slowloris.pl
PyLoris Software Link : https://sourceforge.net/projects/pyloris/
Installation : Follow the Steps Below to install into your /opt folder.
Create Folder in /opt/ called slowloris : mkdir -p /opt/slowloris
Wget file to folder : cd /opt/slowloris&&wget https://github.com/llaera/slowloris.pl
Set Executable : chmod +x /opt/slowloris/slowloris.pl
Run slowloris and look at options : /opt/slowloris/./slowloris.pl
Results with slowloris are quick. Apache quickly climbs to deal with the processes left open. With in seconds the system is not responsive.
Why would anyone want to do this?
There are many different reasons why people do this. Not all of them are legal. Sometimes when you design an application or system, you need to test it. DoS Attacks can be used to measure how much load the system will take before it crashes, produces errors to fix, or when it fails to provide the redundancy the systems needs to operate. Other reasons are not so legal. Some times it's for fun, for profit, for revenge, and even protesting. Many different factors contribute to why someone would or wouldn’t want to DDoS attack on the internet. It depends on motivation. In recent years, there has been a uptrend in using DDoS as a distraction for a hack in a different vulnerability. While the security team is busy dealing with the attack, they are not focused on what the hacker is really doing. Here are a few of my highlighted reasons….
That this attack is really being used as a decoy to lure the security team away from monitoring the real system where the attacker will target.
Black markets that exist on the internet shy away from DDoS as it cannot conduct its illegal business model if the internet doesn’t work.
One of the biggest reasons we found is the people that employee this tech have a territorial nature or may seek revenge for some feeling of wrong.
Sometimes a Bot-Net writer will need to prove the effectiveness of the bot-net, victim may be choose at random, to demo to a prospective sale.
DDoS attacks can be Rented as a Service to hurt a competitor during a big on-line sale. Knock Best Buy or Apple off-line for Cyber Monday for example.
A fast growing Trend is to use DDoS in Demonstration or political statements. Many websites that face DDoS also face website defacement, humiliation, and can even lead to extortion…
While attacks are growing we can never be certain why someone is getting attacked, but one thing is for sure. People are doing this.
What can be done to stop this kind of activity?
While many people will claim to have a silver bullet for DDoS we have not seen one that really is a total fix. The internet is made up of vast amounts of computer networks that all share the burden of routing traffic. Any one point can be a target for attackers. There are services such as cloudflare that will help remove traffic, but that is only if the traffic goes through cloudflare. As with many other pieces of software on the internet, you can find tools such as cloudbunny that will attempt to bypass cloudflare to get the real server IP address.
At the current standpoint the only real solution to DDoS is to have a pipe that is big enough to take the traffic, firewalls that are good enough to drop or filter the traffic you don not want, and systems that are well built enough to talk the load. This really equates to how much money can you throw at it. The more you can, the better your chance. or not losing service to your users.