Threat Intelligence Update: New Approaches to Defending Against Distributed Denial of Service (DDoS) Cyber Attacks
Offensive tactics help overcome the limitations of signature-based methods
Modern DDoS attacks are generally executed via a botnet, a large collection of machines that have been infected with a specialized malware that can effectively disable the function of a targeted system or device by flooding it with communication requests. Security research surrounding DDoS attacks has traditionally examined ways to harden networks against intrusions.
The Dirt Jumper variant, "Drive", is one of the most harmful strains of DDoS malware specially designed to avoid detection. Dirt Jumper allows the botnet administrator to utilize the attack command "-smart". This command was designed to follow redirections. It was simultaneously released with other significant updates, and the upgrade improved Dirt Jumper's DDoS functionality. However, the complexity of the "–smart" logic also exposed the malware to new weaknesses.
Deloitte's Advanced Research & Solutions Group effectively reversed engineered the "–smart" logic of Dirt Jumper and identified a mechanism of the malware that can be counter-exploited to significantly cripple the malware's function. The primary contribution of this report is to show how the mechanism of the "–smart" attack can itself be exploited to prevent an attacking Dirt Jumper bot from reaching its desired target application webserver as well as tar-pitting the botnet, reducing its request rate more than a hundred fold.
This work is an example of how advanced malware can sometimes be countered not by signature- and controls-based strategies, but by actively countering the attacks with methods that intervene in the attack process.
As used in this document, "Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.