One of the key tools supporting DoS attacks is Mobile LOIC, which stands for Mobile Low Orbit Ion Cannon, an open-source denial-of-service application originally written in C#. LOIC has been used in a variety of hacktivist operations and is known for its simplicity.
"LOIC has evolved into a hosted solution that eliminates the necessity of downloading software," explained Imperva's Beery. "So the attackers are creating an exploit that ensures that it reaches all the way to the application and is not being deselected by some sort of mechanism."
Slowhttptest is an open-source tool that implements several kinds of DoS attacks, most of them low-bandwidth application-layer DoS attacks that drive up memory and CPU usage on the server.
"Slowhttp is something that you have to download," said Beery. "It specializes in attacks that create loads on the server but do not require a lot of traffic from the attacker. It often uses Slowloris, which sends never-ending requests to the server. It sends a character every 59 seconds before the connection is closed at the one minute mark. So if the server can only handle 100 connections, you can bring the server down in this manner without sending a huge volume of traffic."
Slowhttp was originally designed as a testing instrument for the white-hat community but eventually made its way to the dark side, as well.
Regardless of which tactic is used, the common denominator is some form of extortion combined with a payment mechanism that lets the criminals be paid to refrain from taking down the site without revealing who they are.
Best practices for defense include the blocking of known threats as identified through unique HTTP characteristics that can provide a basis for detection; the acquisition of data on potential attack sources; the blocking of key automated processes; and the use of a stateful Anti-DoS rule engine that is able to take repetition into account. This capability is especially important because the HTTP requests associated with most DoS attacks usually appear to be non-threatening when viewed on an individual basis.
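As an added illustration (not from the article, and not Imperva's code), here is a small Python sketch of the stateful, repetition-aware check the best-practices paragraph describes, applied to the Slowloris pattern Beery outlines: a connection that trickles a byte every so often without ever finishing its headers looks harmless on its own, so the tracker keeps per-connection state and only flags a source once it holds several such stalled connections at the same time. The event tuple shape, the thresholds and the client addresses are constructed assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed event shape (constructed for this example, not any real server's log):
# (timestamp_seconds, client_ip, connection_id, bytes_received, headers_complete)

@dataclass
class ConnState:
    client: str
    first_seen: float
    total_bytes: int = 0
    headers_complete: bool = False

class SlowHeaderTracker:
    """Per-connection state plus a per-client repetition count."""

    def __init__(self, stall_seconds=30.0, repeat_threshold=3):
        self.stall_seconds = stall_seconds        # open this long with no full header = stalled
        self.repeat_threshold = repeat_threshold  # stalled connections per client before flagging
        self.conns = {}

    def observe(self, ts, client, conn_id, nbytes, headers_complete):
        st = self.conns.setdefault(conn_id, ConnState(client, ts))
        st.total_bytes += nbytes
        st.headers_complete = st.headers_complete or headers_complete

    def stalled_connections(self, now):
        # Each of these looks benign on its own: a few bytes, a header still "in progress".
        return [cid for cid, st in self.conns.items()
                if not st.headers_complete and now - st.first_seen >= self.stall_seconds]

    def offending_clients(self, now):
        # Repetition is the signal: one slow client is normal, many stalled sockets is not.
        per_client = defaultdict(int)
        for cid in self.stalled_connections(now):
            per_client[self.conns[cid].client] += 1
        return {c: n for c, n in per_client.items() if n >= self.repeat_threshold}

def build_sample_events():
    """Constructed traffic: one normal request, one slow but lone client, one Slowloris-style source."""
    events = [(0.0, "192.0.2.10", "normal-1", 350, True),
              (5.0, "198.51.100.7", "mobile-1", 60, False)]
    for i in range(5):  # five sockets from one address, each sending one byte every 59 s
        events.append((0.0, "203.0.113.5", f"slow-{i}", 40, False))
        events.extend((59.0 * k, "203.0.113.5", f"slow-{i}", 1, False) for k in range(1, 4))
    return sorted(events)

def run_detection(now=180.0):
    tracker = SlowHeaderTracker()
    for ev in build_sample_events():
        tracker.observe(*ev)
    return tracker.offending_clients(now)
```

Note that the single slow mobile client is stalled too, but it is never reported: only the address holding five stalled connections crosses the repetition threshold.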
"It's also a good idea to have multidimensional defenses," added Beery. "In denial of service, there is no vulnerability, except perhaps in the design of the system because it doesn't prevent the user from flooding it. So, pen testing and other processes, such as code reviews, do not help. You want to stop the denial of service attack as close to the source of the attack as possible. You don't want them to reach all the way to the application. You need a device close to the application that can detect the denial of service and transmit the information to the ISP or to the manager."