Story Time, Chapter One
There was an old woman who lived in a shoe.
She had so many children, she didn’t know what to do.
And I’ll stop there, lest we dissolve into a heated debate about the dietary merits of broth without bread, and sparing the rod and spoiling the child, and all that stuff.
Let’s take a moment to imagine what her days would be like.
Setting: Inside the shoe.
<The telephone rings>
She reaches for the phone, and like a flock of kittens after a red laser pointer, they descend upon her.
I WANT WATER.
RALPHIE HIT ME.
CAN I PLAY OUTSIDE?
WHERE IS MY STUFFED HEDGEHOG!?
And on it goes. The poor woman quickly becomes incapacitated under a deluge of little voices, all demanding her undivided attention.
Story Time, Chapter Two
Setting: inside the Super Grover Diner.
Time: 12:17, peak lunchtime rush.
WAITER! WHERE’S MY HASENPFEFFER!?
Super Grover (here, just mild mannered Grover in disguise) heads to the kitchen. Moments later, out he comes, seven glasses of ice water (and lemon wedges) balanced precariously on a flat round tray.
I DIDN’T NEED WATER! I WANTED ICED TEA!
HEY WAITER! CAN I GET MY CHECK?
Super Grover (here, just mild mannered Grover in disguise) heads to the kitchen. Moments later, out he comes, six glasses of ice water (and lemon wedges) and one glass of iced tea (with a lemon wedge) balanced precariously on a flat round tray.
HEY WAITER! ARE YOU GONNA TAKE MY ORDER, OR WHAT?
I NEED A TO GO BOX! CAN YOU GET ME A TO GO BOX?
MY BURGER IS OVER COOKED! I DIDN’T WANT COW JERKY!
WAITER! WHERE’S MY HASENPFEFFER!?
HEY! CAN I PLEASE GET MY CHECK?
Super Grover (here, just mild mannered Grover in disguise) heads to the kitchen. Moments later, out he comes, two to-go boxes and a steaming plate of hasenpfeffer balanced precariously on a flat round tray.
HEY WAITER! ARE YOU GONNA TAKE MY ORDER, OR WHAT?
CHECK PLEASE! OVER HERE!
I NEED A TO GO BOX! CAN YOU GET ME A TO GO BOX?
WHO COOKED THIS THING? THEY BETTER GET ME A NEW BURGER. I CAN’T EAT THIS.
HEY! CAN I PLEASE GET MY CHECK?
I’M READY TO ORDER! WHAT’S YOUR SOUP OF THE DAY?
I NEED TO SEE YOUR MANAGER. PRONTO.
And on it goes. Zoey called off at the last minute with some pathetic excuse or other. Bert is seating people as fast as he can, but the crowd is building. Tempers flaring. Hungry muppets everywhere.
Super Grover – super though he may be – can not keep up…
CAN NOT KEEP UP…
Cute, Geek. Now What’s Your Point?
Today we are going to talk about Denial of Service (or DoS) attacks. Like the Ransomware attack, a DoS attack denies the Accessibility of a resource. But while a Ransomware attack prevents access in order to hold the resource for ransom (financial gain), the DoS attack is designed to merely prevent access. End of story. The end.
Here is how the DoS attack works: the bad guy finds a target (usually a website), then launches a barrage of requests at the target. Like our little old lady in the shoe, and Super Grover, our target is overwhelmed and cannot keep up with the flood of demands. The target slows down, becoming more and more overwhelmed, until it crashes.
There are several different types of DoS attack, though they all have the same purpose. A standard DoS attack is usually launched by a single bad guy. In my Ethical Hacking class, I was stunned to see the large number of out-of-the-box tools that were designed to flood a target and cause a DoS attack. It’s remarkably easy to do this – you pick your target, press the fire button, and BOOM. They drop. My particular favorite tool was the HOIC, short for High Orbit Ion Cannon. My preference for the tool was rather simple – the button to fire said FIRE TEH LAZER! in a classic nod to the lolcats (for which I have a soft spot).
Another type of DoS attack is the Distributed Denial of Service attack (DDoS). This attack differs in that an army of devices (usually called a botnet) is under the control of a bad guy (or group of bad guys), and all of the devices attack a single target at once. The hacking collective known as Anonymous has used this DDoS trick repeatedly in the past. One of the most severe DDoS attacks in recent history used a botnet of IoT devices to bring down core DNS servers on the Internet. Computers across the globe couldn’t correlate GOOGLE.COM to its Layer 3 IP Address, and the Internet blew up.
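From the target's side, the difference between the single-source DoS and the botnet-driven DDoS described above shows up in its own request log. Here is a small detector, added as an example and not part of the original post; the function names, thresholds and sample events are all constructed assumptions:

```python
from collections import Counter, deque

def classify_flood(events, window=10, max_requests=20, dominant_share=0.8):
    """Slide a `window`-second window over (timestamp, source) request events.

    Returns the verdict at the busiest moment: 'normal', 'dos' (one source
    sends most of the surge) or 'ddos' (the surge is spread over many sources).
    All thresholds are illustrative assumptions, not recommended values.
    """
    recent, per_source = deque(), Counter()
    peak, peak_share, peak_sources = 0, 0.0, 0
    for ts, src in sorted(events):
        recent.append((ts, src))
        per_source[src] += 1
        # Drop requests that have aged out of the window.
        while recent[0][0] <= ts - window:
            _, old = recent.popleft()
            per_source[old] -= 1
            if per_source[old] == 0:
                del per_source[old]
        if len(recent) > peak:
            peak = len(recent)
            peak_share = max(per_source.values()) / peak
            peak_sources = len(per_source)
    if peak <= max_requests:
        kind = "normal"
    elif peak_share >= dominant_share:
        kind = "dos"
    else:
        kind = "ddos"
    return {"kind": kind, "peak": peak, "sources": peak_sources}

def sample_traffic(kind):
    """Constructed sample data: five ordinary clients, one request every 2 s."""
    events = [(t, f"client-{t % 5}") for t in range(0, 60, 2)]
    if kind == "dos":      # one host fires 50 requests in 5 seconds
        events += [(30 + i / 10, "client-x") for i in range(50)]
    elif kind == "ddos":   # 200 hijacked devices send one request each
        events += [(30 + i / 40, f"bot-{i}") for i in range(200)]
    return events

if __name__ == "__main__":
    for kind in ("normal", "dos", "ddos"):
        print(kind, classify_flood(sample_traffic(kind)))
```

A single dominant source can be blocked by address; when the surge is spread across hundreds of sources, as in the second case, per-address blocking does little and the defender has to rate-limit or filter upstream.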
I-O-What?
IoT stands for Internet of Things. These devices (things) are network-accessible devices, such as webcams, baby monitors, smart televisions, smart refrigerators, washing machines, and so on. Remember this – if you buy a webcam for home security, and you can access it from the Internet to check on the babysitter, other people can also – in theory – access that webcam.
So a crafty hacker found that many of the IoT devices that were on the Internet were using either the default (out of the box) password, or had no password at all. The hacker did some basic coding to hijack these devices into a personal army (botnet), then pointed them all towards a target in a DoS attack. Because the devices were distributed across the world, it was difficult to identify the attacker and shut them down.
Another type of DoS attack is the TDOS attack. This is a fairly new type of DoS attack that targets voice devices and infrastructure. This attack was used to great effect recently to bring down the entire 911 service for Dallas, Texas. We’ve all suffered from irritating robotic telemarketers and voice spammers – it seems I get more phone calls from recorded devices than I do from actual people. Now imagine a hacker utilizing a VoIP device that can send hundreds or thousands of calls per second, repeatedly, towards a target. Those voice calls would cause a Denial of Service attack on the target, incapacitating them. This is precisely what happened in Dallas, Amarillo, and Phoenix – a TDOS was launched against the 911 service, bringing it down. Some people died when they could not get immediate medical help through the 911 service. Because a phone line is no longer required with Voice over IP (VoIP) devices, it’s possible to use a computer to generate hundreds of phone calls. This, without the limitations of having hundreds of copper phone lines running to hundreds of phones, and hundreds of humans dialing numbers on those phones. With the push of a button, I can launch a VoIP call from my computer. But wait… what if it got even easier than that?
Geek on a Train
As I said in the Ransomware blog yesterday, I was on the train to Philly, reading a whitepaper on TDOS attacks. In an eerie moment of clarity, I connected the dots between two seemingly unrelated news items.
1. TDOS attacks are becoming more prevalent. This, I have already shown you by the above news article on TDOS from Network World.
2. Voice-activated home assistants (i.e., Google Home and Amazon Alexa) are now capable of doing voice-activated calling – without the need of a phone. This is being rolled out across the US, even as I type this blog. What this means is you can yell out loud, “Google, call Mom” and your Google Home will jump out onto the Internet and initiate a voice call, and your Mom (but sadly, not mine) will answer and you can chat while you wash your dishes. All, without needing a phone. This is pretty huge – and pretty frightening.
I’ll connect the dots for you.
Imagine a major radio program that has thousands of listeners. I’d name one political one that came to mind, but in the current over-charged political climate, I’d tick off half of the readers here. So someone calls into this radio host’s program and says something like HEY GOOGLE CALL 911. Instantly, assuming the FCC doesn’t filter it out (and they are not required to quite yet), all the Google Home devices (that are always listening) could potentially dial 911. The number of calls could cripple (or even shut down) 911 call centers.
Now imagine that a hacker discovers a bug (or flaw) in the code of the Amazon Alexa. The hacker exploits this vulnerability, and creates a botnet of every Internet-connected Alexa on the planet. Sales numbers for the Alexa are a little hard to come by, but an unnamed source reported that Amazon will sell more than 10 million of its Amazon Echo smart speakers in 2017. The Alexa is a little pricier than the Echo, and fewer are sold as a result. But let’s guesstimate that 5 million Alexas are out there right now. And if a hacker were to take over all of them and direct them towards a target, well… boom. Target go down.
My prediction (here and now, August 18, 2017) is that phone-enabled IoT devices will be the next frontier of TDoS attacks. You heard it here first, folks.
OK, Nostradamus, Wrap It Up
OK, fine, I will. So I’ve talked you through what a Denial of Service (DoS) attack is, how it works, and given examples of how they are used to cause mayhem. Hopefully you are now a little more informed. Have a great weekend!