WEBVTT 1 00:00:00.040 --> 00:00:02.399 Hey there, and welcome to the deep dive. This is 2 00:00:02.399 --> 00:00:06.160 where we take complex topics and well really dive into 3 00:00:06.200 --> 00:00:08.160 them for you. We try to bring you the most 4 00:00:08.199 --> 00:00:12.160 crucial insights, maybe some surprising facts along the way. Today 5 00:00:12.160 --> 00:00:16.079 we're tackling something that can bring entire online services just 6 00:00:16.160 --> 00:00:19.559 grinding to a halt. You can disrupt critical infrastructure and 7 00:00:19.640 --> 00:00:22.719 it's even used in believe it or not, cyber warfare. 8 00:00:23.079 --> 00:00:26.920 We're talking distributed denial of service ATTACKSS. 9 00:00:27.079 --> 00:00:30.280 Yeah, it's a phenomenon that's really evolved dramatically since the 10 00:00:30.320 --> 00:00:33.479 early Internet days. It's become this persistent threat and honestly 11 00:00:33.840 --> 00:00:36.960 a pretty financially impactful one too. For this deep dive, 12 00:00:37.000 --> 00:00:39.560 our insights are coming from a really comprehensive source, the 13 00:00:39.600 --> 00:00:43.240 textbook Distributed Denial of Service Attacks, Real World Detection and 14 00:00:43.280 --> 00:00:46.039 Mitigation by A. Luker Esselek and Richard Arbrooks. 15 00:00:46.359 --> 00:00:49.640 Right, So, our mission today is to truly unpack what 16 00:00:49.759 --> 00:00:52.600 DEAs attacks actually are. You know, why there's still such 17 00:00:52.600 --> 00:00:55.159 a big problem. We'll get into how these attacks are 18 00:00:55.159 --> 00:00:58.159 executed and maybe more importantly, what cutting edge strategies are 19 00:00:58.200 --> 00:01:01.960 out there to detect and mitigate them. Hopefully you'll walk 20 00:01:01.960 --> 00:01:04.439 away from this well informed, maybe ready to understand those 21 00:01:04.480 --> 00:01:07.200 headlines a bit better and perhaps with a new appreciation 22 00:01:07.280 --> 00:01:12.120 for just how complex our digital world is under the hood. Okay, 23 00:01:12.120 --> 00:01:15.280 so let's unpack this core idea first. When we talk 24 00:01:15.319 --> 00:01:18.640 about Adidas attack, it's way more than just a website 25 00:01:18.719 --> 00:01:23.280 crashing temporarily. It's about deliberately denying you, the legitimate user 26 00:01:23.560 --> 00:01:26.280 access access to an online service or a system. Think 27 00:01:26.319 --> 00:01:28.319 of it maybe like a digital sit in. Instead of 28 00:01:28.319 --> 00:01:31.480 blocking a physical door, attackers or just flooding the digital 29 00:01:31.599 --> 00:01:34.280 entrance to a server making it impossible for anyone else. 30 00:01:34.079 --> 00:01:37.319 To get in exactly. That's a great analogy. The core 31 00:01:37.400 --> 00:01:41.400 goal is what we call resource saturation. Attackers basically try 32 00:01:41.400 --> 00:01:44.200 to consume as much of a victim's critical resources as 33 00:01:44.239 --> 00:01:48.200 they possibly can. That could be system resources think CPU memory, 34 00:01:48.319 --> 00:01:52.359 disk space, or network resources like bandwidth, just overwhelming them. 35 00:01:52.640 --> 00:01:55.040 And what's really striking, I think, is how the motivations 36 00:01:55.079 --> 00:01:58.400 behind these attacks have changed over time. You know, initially 37 00:01:58.480 --> 00:02:01.280 it might have just been curiosity pranks even but today 38 00:02:01.640 --> 00:02:07.359 we're seeing highly organized criminal enterprises, geopolitical aims, even nation 39 00:02:07.519 --> 00:02:08.400 states getting involved. 40 00:02:08.479 --> 00:02:10.479 That evolution is pretty stark, isn't it. From like you 41 00:02:10.520 --> 00:02:13.800 said pranks to actual cyber warfare between nations. It really 42 00:02:13.879 --> 00:02:16.560 makes you wonder, with how much we rely on the internet. Now, 43 00:02:16.599 --> 00:02:18.759 why is this still such an ongoing issue. Why is 44 00:02:18.800 --> 00:02:22.319 it so impactful economically socially? What makes DDAs so hard 45 00:02:22.319 --> 00:02:22.800 to stop? 46 00:02:23.199 --> 00:02:26.719 Well, the sources point to three sort of fundamental reasons. First, 47 00:02:27.199 --> 00:02:30.680 they're relatively easy for attackers to actually pull off. The 48 00:02:30.719 --> 00:02:35.479 tools and resources are unfortunately quite available. Second, it's incredibly 49 00:02:35.479 --> 00:02:38.400 difficult to identify and trace the actual attackers. They have 50 00:02:38.439 --> 00:02:41.960 a lot of anonymity. And Third, despite all the cybersecurity 51 00:02:41.960 --> 00:02:46.120 advancements we've made, it's still profoundly challenging for organizations to 52 00:02:46.240 --> 00:02:50.840 fully protect themselves against a really determined, large scale DDoS attack. 53 00:02:52.080 --> 00:02:55.039 It's interesting too, thinking about the history. The whole idea 54 00:02:55.080 --> 00:02:58.680 of denial of service actually goes way back, even before computers. 55 00:02:59.080 --> 00:03:02.879 Groups like the leddie sabotaging automated looms right or civil 56 00:03:02.960 --> 00:03:06.680 rights movements using sit ins to physically block spaces to disrupt 57 00:03:06.680 --> 00:03:10.599 normal activities. Digital didas attacks feel almost like a translation 58 00:03:10.639 --> 00:03:11.960 of that into the network world. 59 00:03:12.199 --> 00:03:15.080 Indeed, it's a modern echo of those older tactics. The 60 00:03:15.120 --> 00:03:18.360 first widely documented digital denial of service attack was Back 61 00:03:18.360 --> 00:03:21.240 in nineteen ninety six, an ISP in New York called 62 00:03:21.280 --> 00:03:23.919 Panics got hit with something called a syn flood for 63 00:03:24.000 --> 00:03:24.719 several days. 64 00:03:25.039 --> 00:03:26.879 S yn flood, what's that exactly? 65 00:03:27.159 --> 00:03:30.520 Ah right? It exploits the way computers start a connection. 66 00:03:30.759 --> 00:03:34.400 It's called the TCP three way handshake. The attacker sends 67 00:03:34.479 --> 00:03:37.360 tons of initial connection requests but never finishes the process, 68 00:03:37.599 --> 00:03:40.639 so the server gets overwhelmed holding all these half open connections. 69 00:03:40.680 --> 00:03:43.960 Okay, so just clogging the pipes from the very start exactly. 70 00:03:44.240 --> 00:03:47.199 And in Panics's case, it was apparently retaliation because they 71 00:03:47.199 --> 00:03:50.400 installed one of the first spam filters on their email system. 72 00:03:50.680 --> 00:03:54.879 Wow. So even back then it was about digital disruption 73 00:03:55.039 --> 00:03:58.560 as a response. But then things got really interesting, didn't they. 74 00:03:58.680 --> 00:04:01.400 The event that sort of shifted public perception you're. 75 00:04:01.240 --> 00:04:04.319 Probably thinking of February two thousand. Yeah, that's when DIDOS 76 00:04:04.360 --> 00:04:07.879 really entered a new era. A fifteen year old from Montreal, 77 00:04:08.159 --> 00:04:12.039 Michael Calcea, alias Mafia Boy, launched attacks that took down 78 00:04:12.159 --> 00:04:16.360 huge names Yahoo, Amazon, Dell, eBay, CNN. 79 00:04:16.519 --> 00:04:17.480 Fifteen years old. 80 00:04:17.560 --> 00:04:20.839 Yeah, and the estimated damage was just staggering. Figures ranged 81 00:04:20.839 --> 00:04:23.920 from like seven point five million dollars up to maybe 82 00:04:24.000 --> 00:04:25.480 one point seven billion dollars. 83 00:04:25.560 --> 00:04:27.439 Incredible. That must have been a massive wake up call. 84 00:04:27.680 --> 00:04:31.319 Oh, it absolutely was. The Mafia Boy attack wasn't just big. 85 00:04:31.639 --> 00:04:35.920 It showed how one person, not even particularly sophisticated technically, 86 00:04:36.240 --> 00:04:40.959 could cripple Internet giants. It permanently shifted cybersecurity from being 87 00:04:41.000 --> 00:04:46.279 this niche. It worry to well a national imperative. Funding spiked, 88 00:04:46.360 --> 00:04:49.360 awareness grew, and the reason we see so many large 89 00:04:49.360 --> 00:04:52.360 scale attacks today, that's largely down to the rise of botanets. 90 00:04:52.759 --> 00:04:55.519 Right. Botanets those sound ominous, What are they exactly? 91 00:04:55.600 --> 00:05:01.319 They're essentially privately run networks of compromised machines, hacked computers, servers, 92 00:05:01.399 --> 00:05:05.079 even IoT devices now all acting as bots, and the 93 00:05:05.120 --> 00:05:07.959 services of these botnets, the ability to launch attacks using 94 00:05:08.040 --> 00:05:09.879 them are often sold online for profit. 95 00:05:10.040 --> 00:05:12.439 So it's a whole criminal ecosystem built around these things, 96 00:05:12.480 --> 00:05:12.959 It really is. 97 00:05:13.079 --> 00:05:15.720 The life cycle usually starts with an initial infection, maybe 98 00:05:15.720 --> 00:05:17.959 your click a bad link, download something sketchy from a 99 00:05:17.959 --> 00:05:20.519 P to P network, or open a malicious email attachment. 100 00:05:21.120 --> 00:05:24.439 Then there's a secondary step where the compromise machine downloads 101 00:05:24.480 --> 00:05:28.319 the actual botnet software, turns into a functioning bot ready 102 00:05:28.319 --> 00:05:29.120 to take commands. 103 00:05:29.279 --> 00:05:31.519 In these networks, they can be set up differently, right 104 00:05:31.839 --> 00:05:34.959 the command and control, the C and C structure exactly. 105 00:05:35.000 --> 00:05:38.480 You have different topologies. Some are centralized, with one main 106 00:05:38.519 --> 00:05:41.600 server calling the shots, easy to manage but also a 107 00:05:41.600 --> 00:05:45.079 single point of failure. Others use multiple servers, maybe spread 108 00:05:45.079 --> 00:05:48.120 out geographically or across different legal jurisdictions to make them 109 00:05:48.160 --> 00:05:51.120 harder to take down. Then you've got decentralized ones using 110 00:05:51.120 --> 00:05:53.879 peer to peer protocols much harder to disrupt, and even 111 00:05:53.959 --> 00:05:55.519 hybrid models combining approaches. 112 00:05:55.519 --> 00:05:58.399 It's quite sophisticated, which leads right into this idea of 113 00:05:58.480 --> 00:06:01.279 d dos for hire, a service people can buy. 114 00:06:01.360 --> 00:06:05.319 Disturbingly, yes, there's a thriving market. Back in twenty seventeen, 115 00:06:05.399 --> 00:06:08.360 you could reportedly buy five minutes of a massive one 116 00:06:08.439 --> 00:06:11.120 hundred and twenty five gigabits per second attack for just 117 00:06:11.199 --> 00:06:11.959 five euros. 118 00:06:12.000 --> 00:06:15.199 Five euros. That's alarmingly accessible, it is. 119 00:06:15.240 --> 00:06:17.560 And the price for renting these botnets has actually been 120 00:06:17.600 --> 00:06:20.680 falling by about five percent each year since around twenty fourteen. 121 00:06:20.920 --> 00:06:24.920 It's just widespread availability competition among the bothereders, the people 122 00:06:24.959 --> 00:06:27.920 who run the botnets. A really notable example was the 123 00:06:27.920 --> 00:06:31.319 attack on spam House in March twenty thirteen. Spam House 124 00:06:31.399 --> 00:06:35.120 tracks spam servers, so they made enemies. That attack hit 125 00:06:35.160 --> 00:06:38.120 three hundred gbps, which was huge at the time, and 126 00:06:38.199 --> 00:06:41.360 it was amplified partly by exploiting vulnerabilities in DNS, the 127 00:06:41.439 --> 00:06:44.399 Internet's phone book, and even by infecting home routers. 128 00:06:44.519 --> 00:06:47.680 Wow. So beyond just making MONEYDIDOS has also become a 129 00:06:47.720 --> 00:06:50.000 political weapon, right This activism. 130 00:06:49.560 --> 00:06:53.560 Phenomenon absolutely Groups like the Electronic Disturbance Theater or EDT. 131 00:06:54.000 --> 00:06:57.160 They sort of pioneered the idea of virtual sit in 132 00:06:57.240 --> 00:07:00.639 with a tool called flubnet, basically encouraging online line protests 133 00:07:00.720 --> 00:07:01.720 via flooding. 134 00:07:01.319 --> 00:07:04.439 Websites, which raises a tricky question, doesn't it. Where's the 135 00:07:04.480 --> 00:07:08.240 line between legitimate digital protest, maybe civil disobedience, and just 136 00:07:08.600 --> 00:07:09.439 illegal destruction. 137 00:07:09.800 --> 00:07:12.600 That's a critical point and often a blurry line. Legally 138 00:07:12.639 --> 00:07:16.519 and ethically, you had groups like Anonymous using DDoS their 139 00:07:16.600 --> 00:07:21.480 project Schnology against Scientology, Operation Titstorm against the Australian Parliament 140 00:07:21.480 --> 00:07:25.519 over Internet filtering plans, and Operation Payback targeting credit card 141 00:07:25.519 --> 00:07:29.480 companies because they blocked donations to wiki leagues. From a 142 00:07:29.480 --> 00:07:33.120 purely legal standpoint, though participating in a DDoS attack is 143 00:07:33.160 --> 00:07:36.160 considered illegal pretty much everywhere in the US. You have 144 00:07:36.639 --> 00:07:40.279 the Computer Fraud and Abuse Act. Internationally, the Convention on 145 00:07:40.319 --> 00:07:41.439 Cybercrime covers. 146 00:07:41.199 --> 00:07:44.240 It, and then the stakes get even higher when actual 147 00:07:44.360 --> 00:07:47.000 nation states use these tactics. That really blurs the line 148 00:07:47.040 --> 00:07:49.480 between cybercrime and well war. 149 00:07:49.680 --> 00:07:52.800 Definitely. The conflict between Russia and Estonia back in April 150 00:07:52.879 --> 00:07:55.160 two thousand and seven is often cited as maybe the 151 00:07:55.199 --> 00:07:58.399 first real cyber war involving DDoS. Then in two thousand 152 00:07:58.399 --> 00:08:01.480 and eight, Russia launched large scale adido's floods against Georgian 153 00:08:01.519 --> 00:08:04.480 news and government sites right as a military invasion was happening. 154 00:08:04.920 --> 00:08:07.199 In Ukraine, there were ddo's attacks in two thousand and 155 00:08:07.240 --> 00:08:10.000 eight linked to anti NATO feelings, and in twenty fifteen, 156 00:08:10.079 --> 00:08:13.120 a major hacking incident, likely involving denial of service elements, 157 00:08:13.199 --> 00:08:16.439 knocked parts of the Ukrainian power grid offline power grids. 158 00:08:16.639 --> 00:08:18.160 Wow, that's way beyond. 159 00:08:17.839 --> 00:08:20.600 Websites exactly, and beyond direct attacks. We also see the 160 00:08:20.639 --> 00:08:25.079 Internet used for widespread censorship, sometimes through related techniques, things 161 00:08:25.120 --> 00:08:29.000 like BGP hijacking, which messes with the Internet's core routing. 162 00:08:29.079 --> 00:08:31.839 Remember Pakistan trying to block YouTube in two thousand and eight. 163 00:08:31.959 --> 00:08:33.600 Vaguely yeah, what happened there? 164 00:08:33.720 --> 00:08:37.519 They accidentally re routed YouTube traffic globally, making it unavailable 165 00:08:37.559 --> 00:08:42.639 worldwide for about two hours, a mistake with massive consequences. Similarly, 166 00:08:42.840 --> 00:08:46.840 Iranian sensors trying to block pornography sites accidentally blocked access 167 00:08:46.840 --> 00:08:50.320 for users in India, Russia, Indonesia, Hong Kong. And then 168 00:08:50.399 --> 00:08:53.720 you have the really alarming Internet blackouts where entire countries 169 00:08:53.799 --> 00:08:57.320 or regions just go dark online, often done by authoritarian 170 00:08:57.320 --> 00:09:01.240 governments trying to control information flow during protests or unrest. 171 00:09:01.320 --> 00:09:04.000 Just in twenty fifteen alone, these kinds of Internet shutdowns 172 00:09:04.000 --> 00:09:06.320 were estimated to cost the global economy something like two 173 00:09:06.399 --> 00:09:08.279 point four billion dollars. 174 00:09:08.320 --> 00:09:12.919 Just dat it's cleared the Internet, which was designed for openness, 175 00:09:12.919 --> 00:09:16.399 for connection, can easily be twisted into this powerful tool 176 00:09:16.480 --> 00:09:20.120 for control and disruption. We've seen the impact silencing descent 177 00:09:20.279 --> 00:09:25.720 global outages. It's huge. But to really grasp how these 178 00:09:25.720 --> 00:09:28.639 attacks cause such chaos, we probably need to dive deeper 179 00:09:28.639 --> 00:09:31.519 into the technical side. How do they actually work? 180 00:09:32.039 --> 00:09:35.799 Let's do it so fundamentally, when attackers go for resource saturation, 181 00:09:36.080 --> 00:09:38.200 they're just trying to use up all the victims computing 182 00:09:38.240 --> 00:09:41.919 power or network capacity, simple brute force. Really, these are 183 00:09:41.960 --> 00:09:44.600 often easy to launch, but notoriously hard to stop once 184 00:09:44.639 --> 00:09:47.879 they get going. Examples include things like HTTP floods, just 185 00:09:47.919 --> 00:09:50.399 sending way too many web page requests to exhaust the server, 186 00:09:50.960 --> 00:09:53.600 or what are called layer seven protocol floods. These are 187 00:09:53.600 --> 00:09:56.639 a bit more targeted, going after specific weaknesses and applications 188 00:09:56.720 --> 00:09:57.399 running on the server. 189 00:09:57.519 --> 00:10:01.159 Layer seven that's the application layer, right, the server software. 190 00:10:00.799 --> 00:10:04.159 Itself exactly, So instead of just flooding the network pipes, 191 00:10:04.279 --> 00:10:08.000 they might exploit how the application handles connections, things like 192 00:10:08.320 --> 00:10:11.960 database connection pool exhaustion making the application run out of 193 00:10:11.960 --> 00:10:15.720 ways to talk to its database, or SSL exhaustion overwhelming 194 00:10:15.759 --> 00:10:20.039 the server's ability to handle secure encrypted connections. They're more subtle, 195 00:10:20.360 --> 00:10:21.720 but can be just as effective. 196 00:10:22.000 --> 00:10:25.279 Okay, and you mentioned earlier. These volume based attacks fall 197 00:10:25.360 --> 00:10:28.200 into two main types, symmetric and asymmetric. 198 00:10:28.279 --> 00:10:31.960 That's right. In a symmetric DDoS attack, the attacker, usually 199 00:10:32.039 --> 00:10:35.639 using a botnet, directly sends a massive flood of basically 200 00:10:35.759 --> 00:10:38.840 junk traffic street at the victim. You generally need a 201 00:10:38.879 --> 00:10:42.440 lot of compromise machines hundreds or thousands to generate enough 202 00:10:42.519 --> 00:10:44.960 volume to overwhelm the target's network connection. 203 00:10:45.080 --> 00:10:47.519 Okay, direct fire, what about asymmetric You said that was 204 00:10:47.519 --> 00:10:48.279 more insidious. 205 00:10:48.440 --> 00:10:51.799 It really is. Asymmetric didas attacks are also known as 206 00:10:51.840 --> 00:10:55.240 reflection and amplification attacks. This is where it gets clever 207 00:10:55.399 --> 00:10:59.440 and dangerous. Here. The attacker doesn't send traffic directly from 208 00:10:59.519 --> 00:11:03.360 their box to the victim. Instead, they abuse other innocent 209 00:11:03.480 --> 00:11:07.440 servers on the Internet, things like public DNS servers, NTP 210 00:11:07.720 --> 00:11:12.000 time servers, or memcash servers that aren't properly secured or configured. 211 00:11:12.039 --> 00:11:12.919 How do they abuse them? 212 00:11:12.960 --> 00:11:15.519 They send small requests to these third party servers, but 213 00:11:15.559 --> 00:11:17.879 they spoofed the return address, making it look like the 214 00:11:17.919 --> 00:11:21.159 request came from the victim. These servers then send back 215 00:11:21.320 --> 00:11:24.240 much larger responses to the victim. That's the reflection part. 216 00:11:24.519 --> 00:11:27.759 The amplification comes because the response is often many times 217 00:11:27.840 --> 00:11:29.600 larger than the initial spoofed request. 218 00:11:29.799 --> 00:11:32.480 Ah So a small effort from the attacker triggers a 219 00:11:32.559 --> 00:11:36.039 huge flood aimed at the victim, bounced off unsuspecting servers. 220 00:11:36.360 --> 00:11:40.240 Precisely, this means just a few attacker resources maybe a 221 00:11:40.279 --> 00:11:43.960 small botnet, can generate absolutely massive amounts of attack traffic. 222 00:11:44.200 --> 00:11:47.159 Like that attack in March twenty eighteen, they used misconfigured 223 00:11:47.200 --> 00:11:51.200 mem cased servers. The amplification factor there is huge. That 224 00:11:51.279 --> 00:11:54.720 attack reached a staggering one point seven terabits per second, 225 00:11:54.879 --> 00:11:56.919 one of the biggest single attacks ever recorded. 226 00:11:57.039 --> 00:12:00.759 One point seven terabits. Yeah, that's an unamis adgable amount 227 00:12:00.759 --> 00:12:01.200 of data. 228 00:12:01.279 --> 00:12:05.080 It really is. And attackers also exploit fundamental weaknesses in 229 00:12:05.120 --> 00:12:07.879 core Internet protocols. You mentioned TCP earlier. 230 00:12:07.600 --> 00:12:10.639 Yeah, this is yn flood thing, exploiting the handshake. 231 00:12:10.320 --> 00:12:14.279 Right, that's a classic TCP based attack. The attacker sends 232 00:12:14.279 --> 00:12:17.480 loads of initial syn packets, making the server open connections 233 00:12:17.519 --> 00:12:20.840 and weight, but the attacker uses fake source addresses and 234 00:12:20.919 --> 00:12:23.960 never sends the final acknowledgment to complete the handshake. So 235 00:12:24.039 --> 00:12:26.600 the server just sits there with all these half open connections, 236 00:12:26.720 --> 00:12:30.879 using up resources until eventually legitimate users can't connect anymore. 237 00:12:30.919 --> 00:12:33.720 So they're weaponizing the protocol itself exactly. 238 00:12:33.879 --> 00:12:37.039 And it's not just about flooding networks or protocols. Attackers 239 00:12:37.039 --> 00:12:40.600 can also use specially crafted packets or applications to hit 240 00:12:40.679 --> 00:12:44.679 specific software bugs. Remember back in twenty eleven, a security 241 00:12:44.720 --> 00:12:49.279 researcher released a simple Perl script kill apatch dot pl vaguely. Yeah, 242 00:12:49.320 --> 00:12:52.519 it's sent very specific types of HTTP requests that could 243 00:12:52.559 --> 00:12:55.960 basically crash certain versions of the Apache Web server by 244 00:12:55.960 --> 00:12:59.120 making them consume all the CPU and memory a targeted 245 00:12:59.159 --> 00:13:00.799 software vulnerable exploit. 246 00:13:00.840 --> 00:13:03.879 Okay, and beyond traffic and software bugs, there's also this 247 00:13:03.960 --> 00:13:07.879 idea of filtering based denial of service, right. 248 00:13:07.960 --> 00:13:10.159 That's a bit broader. It can even include things like 249 00:13:10.320 --> 00:13:13.519 legal action, maybe authorities demanding a server be taken down. 250 00:13:13.720 --> 00:13:17.120 That is denying service technically, but technically it also includes 251 00:13:17.159 --> 00:13:20.200 things like DNS tampering. If an attacker can hijack control 252 00:13:20.240 --> 00:13:22.799 of your DNS servers or poison the cash of other 253 00:13:22.879 --> 00:13:23.919 DNS servers. 254 00:13:23.559 --> 00:13:27.480 They can redirect your users anywhere or nowhere, denying access that. 255 00:13:27.440 --> 00:13:31.720 Way exactly, or they can misdirect traffic. There are also 256 00:13:31.840 --> 00:13:35.720 more refined filtering methods, like URL filtering that could be 257 00:13:35.759 --> 00:13:39.080 based on simple blacklists or whitelists, or it could be 258 00:13:39.080 --> 00:13:42.639 more analysis based using deep packet inspection, looking inside the 259 00:13:42.720 --> 00:13:46.039 data packets for specific keywords or content types to block. 260 00:13:46.399 --> 00:13:49.240 So lots of ways to deny service digitally, but you 261 00:13:49.279 --> 00:13:51.679 mentioned earlier, it can even extend into the physical realm. 262 00:13:51.799 --> 00:13:54.759 Yeah, and This is where it gets particularly chilling. We've 263 00:13:54.799 --> 00:13:58.200 seen how attackers can overwhelm networks or manipulate data flows, 264 00:13:58.879 --> 00:14:02.000 but denial of service isn't just digital. It can involve 265 00:14:02.000 --> 00:14:06.799 physical destruction triggered remotely using digital tools. The most famous 266 00:14:06.919 --> 00:14:09.960 or infamous example is probably the stucks networm back in 267 00:14:10.000 --> 00:14:11.360 twenty ten, ah. 268 00:14:11.360 --> 00:14:14.759 Stucks net that targeted Eran's nuclear program. Right it did. 269 00:14:14.799 --> 00:14:18.679 It's spread through Windows networks, but specifically targeted Siemens industrial 270 00:14:18.679 --> 00:14:22.639 control software Step seven. It's estimated to have physically destroyed 271 00:14:22.679 --> 00:14:26.960 over nine hundred uranium enrichment centrifuges in Iranian facilities by 272 00:14:26.960 --> 00:14:30.440 subtlely manipulating their speeds, cause something like a thirty percent 273 00:14:30.480 --> 00:14:31.320 efficiency loss. 274 00:14:31.360 --> 00:14:33.600 Physically destroying hardware through software. 275 00:14:33.679 --> 00:14:36.600 It shows how these threats evolved, blurring the lines between 276 00:14:36.679 --> 00:14:41.720 cyber and physical. Attackers are constantly finding new angles, new weaknesses. 277 00:14:41.159 --> 00:14:42.960 And to launch all these different types of attacks, they've 278 00:14:42.960 --> 00:14:44.159 got a whole toolkit. 279 00:14:43.840 --> 00:14:47.240 Right, Oh, absolutely, a whole arsenal. Historically, back in ninety nine, 280 00:14:47.279 --> 00:14:50.440 you had tools like TRINDS zero and Tribe Flood Network 281 00:14:50.559 --> 00:14:54.879 or TFN. They exploited common vulnerabilities like buffer overflows to 282 00:14:55.159 --> 00:14:59.120 launch various flood attacks. More recently, you've seen tools like 283 00:14:59.159 --> 00:15:02.720 GoldenEye from around twenty twelve. That one focused on HTTP 284 00:15:02.879 --> 00:15:06.879 and HTTPS doss testing. It cleverly exploited things like HTB 285 00:15:07.000 --> 00:15:09.919 keep Alive and no cash settings to make servers exhaust 286 00:15:09.960 --> 00:15:14.399 their resources keeping connections open. Then there's hoechule K, also 287 00:15:14.519 --> 00:15:17.840 from twenty twelve. That's an application layered doss tool designed 288 00:15:17.879 --> 00:15:21.320 to be sneaky. It generates unique requests each time and 289 00:15:21.360 --> 00:15:24.919 can randomize source IP addresses to try and bypass detection systems. 290 00:15:25.440 --> 00:15:27.759 And of course, for simpler attacks often used in those 291 00:15:27.799 --> 00:15:31.120 activist campaigns, there's the well known low orbit Ion canon 292 00:15:31.240 --> 00:15:34.679 or LOIC. Pretty basic but can be effective in numbers. 293 00:15:34.759 --> 00:15:38.240 So arrange from simple flutters to quite sophisticated. 294 00:15:37.600 --> 00:15:40.399 Tools definitely, and tools like H and three are like 295 00:15:40.559 --> 00:15:44.080 Swiss army knives for network packets. They let users craft 296 00:15:44.200 --> 00:15:47.879 custom TCPIP packets to launch all sorts of layer three 297 00:15:48.039 --> 00:15:51.600 or layer four floods hitting the network in transport layers. 298 00:15:52.039 --> 00:15:55.200 And for those reflection amplification attacks we talked about, there 299 00:15:55.200 --> 00:15:57.919 are specific tools too, like the Saddam d DOS tool. 300 00:15:58.240 --> 00:16:01.480 It can be configured to use d or NTP servers 301 00:16:01.480 --> 00:16:03.799 for that amplification effect. You can actually see it working. 302 00:16:03.840 --> 00:16:06.000 If you capture the network traffic on the victims in 303 00:16:06.320 --> 00:16:09.240 you'll see all the DNS or NTP replies flooding in. 304 00:16:09.399 --> 00:16:11.799 It's kind of amazing and scary how many tools are 305 00:16:11.799 --> 00:16:12.200 out there. 306 00:16:12.279 --> 00:16:14.759 It is, and it raises that crucial question of again, 307 00:16:15.240 --> 00:16:19.120 what's the shared vulnerability? Why are so many different protocols 308 00:16:19.200 --> 00:16:23.840 DNS ANDTP, memecash, even TCP itself seemingly so easy to 309 00:16:23.879 --> 00:16:26.919 exploit for these attacks. Why haven't we fixed these fundamental issues. 310 00:16:27.399 --> 00:16:29.399 That's a great question, and it really speaks to the 311 00:16:29.440 --> 00:16:32.120 scale of this challenge. Okay, so we know the attacks 312 00:16:32.120 --> 00:16:35.360 are very sophisticated and the tools are available. How on 313 00:16:35.399 --> 00:16:37.720 earth do we defend against all this? It must start 314 00:16:37.720 --> 00:16:40.919 with just knowing you're under attack, right detection exactly. 315 00:16:41.200 --> 00:16:45.120 Detection is the first critical step, and generally detection methods 316 00:16:45.159 --> 00:16:49.679 fall into three main categories. First is signature detection. This 317 00:16:49.759 --> 00:16:52.440 works kind of like your antivirus software. It looks for 318 00:16:52.519 --> 00:16:56.159 known patterns or signatures of DDoS attack traffic. Good for 319 00:16:56.240 --> 00:16:58.440 known threats, but useless against new ones. 320 00:16:58.679 --> 00:17:01.279 Right it needs to have seen the attack precisely. 321 00:17:01.519 --> 00:17:07.119 Second is anomaly detection. This approach doesn't look for specific signatures. Instead, 322 00:17:07.519 --> 00:17:10.400 it establishes a baseline of what your normal network traffic 323 00:17:10.440 --> 00:17:14.279 looks like and then watches for significant deviations from that baseline. 324 00:17:14.720 --> 00:17:17.960 It looks at statistics like sudden spikes in packet arrival rates, 325 00:17:18.279 --> 00:17:21.119 or changes in the distribution of source IP addresses, or 326 00:17:21.160 --> 00:17:24.160 even the randomness of certain data fields in the packet headers. 327 00:17:24.240 --> 00:17:27.279 And the third type hybrid systems. As the name suggests, 328 00:17:27.480 --> 00:17:29.799 these try to combine the strength of both signature and 329 00:17:29.839 --> 00:17:34.079 anomaly detection. Use signatures for known attacks, anomaly detection to 330 00:17:34.119 --> 00:17:35.160 catch the unknown ones. 331 00:17:35.440 --> 00:17:40.079 Anomaly detection sounds really powerful, especially for those zero day attacks, 332 00:17:40.200 --> 00:17:43.759 the brand new ones. You mentioned entropy earlier. Can you 333 00:17:43.799 --> 00:17:46.720 break that down a bit more? How does measuring randomness 334 00:17:47.039 --> 00:17:48.200 help spot and attack? 335 00:17:48.319 --> 00:17:51.400 Sure? So, anomaly detection is crucial for zero days, even 336 00:17:51.400 --> 00:17:54.400 though it can sometimes generate more false positives. Flagging normal 337 00:17:54.440 --> 00:17:58.359 traffic is bad. One common statistical method used is cumulative 338 00:17:58.400 --> 00:18:02.759 sum or CUS. It's good at detecting small but persistent 339 00:18:02.839 --> 00:18:05.319 increases in traffic volume that might get lost in the 340 00:18:05.400 --> 00:18:08.519 usual noisy bursts of Internet traffic. Then there's entropy. This 341 00:18:08.599 --> 00:18:11.519 comes from information theory, and basically it's a measure of 342 00:18:11.599 --> 00:18:16.079 disorder or unpredictability in data. Think about source IP addresses 343 00:18:16.119 --> 00:18:18.000 in normal traffic. They tend to come from all over 344 00:18:18.000 --> 00:18:22.079 the place, fairly randomly distributed, high entropy. But during many 345 00:18:22.079 --> 00:18:25.640 types of DEDOS attacks, especially from botanets, you might suddenly 346 00:18:25.640 --> 00:18:28.359 see a huge flood of traffic coming from a relatively 347 00:18:28.400 --> 00:18:30.400 small predictable set of source ips. 348 00:18:30.559 --> 00:18:33.480 The randomness drops, ah, so the entropy the source iepiece goes. 349 00:18:33.319 --> 00:18:37.000 Way down exactly. That sudden drop in entropy is a 350 00:18:37.000 --> 00:18:40.599 strong signal that something unnatural, something non random, is happening, 351 00:18:40.720 --> 00:18:43.599 like an attack. The tricky part with detection, though, is 352 00:18:43.599 --> 00:18:46.599 where you do it. It's most accurate closer to the target 353 00:18:46.640 --> 00:18:50.039 where you see the traffic consolidation, but by then. 354 00:18:50.440 --> 00:18:52.799 It might be too late to actually stop it effectively. 355 00:18:52.960 --> 00:18:56.119 Right the flood might already be overwhelming your connection or 356 00:18:56.119 --> 00:18:57.240 your servers. 357 00:18:57.039 --> 00:19:00.359 Which leads us straight into mitigation. Once you detect that attack, 358 00:19:01.119 --> 00:19:03.759 what can you actually do and how do you balance 359 00:19:04.039 --> 00:19:08.039 needing strong defenses with the cost and complexity of it all. 360 00:19:08.160 --> 00:19:12.000 That's the million dollar question. Mitigation strategies get classified in 361 00:19:12.039 --> 00:19:14.000 lots of ways. You can think about when they happen. 362 00:19:14.519 --> 00:19:17.839 Are they preventative, do they react during an attack or 363 00:19:17.920 --> 00:19:21.079 is it clean up after? Or how they're deployed centralized 364 00:19:21.079 --> 00:19:25.519 defense or distributed, or where they're located protecting at the 365 00:19:25.559 --> 00:19:28.160 source of the traffic near the destination, somewhere in the 366 00:19:28.200 --> 00:19:32.440 network core or a hybrid, and increasingly where the reaction happens. 367 00:19:33.079 --> 00:19:35.680 Is it equipment on your own premises where services running 368 00:19:35.680 --> 00:19:38.920 in the cloud. A lot of modern mitigation heavily leverages 369 00:19:38.960 --> 00:19:42.799 the cloud. Content delivery networks CDNs are a big one. 370 00:19:42.839 --> 00:19:46.319 CDNs yeah, like Akamaine cloud Flare are those guys. They're 371 00:19:46.400 --> 00:19:48.000 used for speeding up websites. 372 00:19:47.599 --> 00:19:50.200 Mostly right primarily, Yes, their main job is to cache 373 00:19:50.200 --> 00:19:52.680 website content on servers all around the world closer to 374 00:19:52.759 --> 00:19:55.799 users to improve load times and performance. But that distributed 375 00:19:55.880 --> 00:19:59.240 architecture inherently makes them pretty good at absorbing DEDOS attacks too. 376 00:20:00.039 --> 00:20:03.119 Running the incoming traffic across this huge network of servers, 377 00:20:03.359 --> 00:20:05.599 they can dissipate the effect of an attack. It makes 378 00:20:05.640 --> 00:20:08.519 it much harder for an attacker to overwhelm any single point. 379 00:20:08.400 --> 00:20:11.000 So their structure provides a kind of built in resilience. 380 00:20:11.039 --> 00:20:13.279 Even if that wasn't the primary goal exactly. 381 00:20:13.920 --> 00:20:17.240 They offer significant d'dos protection as a side benefit, and 382 00:20:17.279 --> 00:20:21.119 now many CDNs offer specific DIDOS mitigation services too. 383 00:20:21.200 --> 00:20:24.079 But I seem to remember hearing about cases where even 384 00:20:24.160 --> 00:20:27.720 big CDNs struggled or maybe even dropped clients during massive 385 00:20:27.720 --> 00:20:30.359 attacks because it was just too much or too expensive. 386 00:20:30.640 --> 00:20:33.680 That's a valid point and a real challenge. CDN's specially 387 00:20:33.759 --> 00:20:37.400 robust DEDOS protection from them can be expensive, and relying 388 00:20:37.440 --> 00:20:40.960 solely on one CDN provider does create a potential single 389 00:20:41.000 --> 00:20:43.319 point of failure, or at least a single point of 390 00:20:43.319 --> 00:20:47.759 financial pain. You mentioned Krebs on security Brian Krebb's security 391 00:20:47.799 --> 00:20:50.200 news site back in twenty sixteen. It got hit by 392 00:20:50.240 --> 00:20:54.079 a massive DIDAS attack, largely from the Maria botnet. Akamai. 393 00:20:54.240 --> 00:20:56.839 His CDM provider at the time was mitigating it, but 394 00:20:56.920 --> 00:20:59.640 the sheer scale and costs led them to eventually drop 395 00:20:59.640 --> 00:21:02.480 his site from their free to protection. It highlighted the 396 00:21:02.480 --> 00:21:03.720 economic limits, right, So. 397 00:21:03.680 --> 00:21:06.480 Relying on one provider, even a big one, isn't foolproof. 398 00:21:06.799 --> 00:21:10.359 It forces organizations to think about more complex strategies, maybe 399 00:21:10.480 --> 00:21:14.160 using multiple CDMs or combining cloud protection with some defenses 400 00:21:14.160 --> 00:21:17.519 on their own premises. It adds layers, but also complexity and. 401 00:21:17.519 --> 00:21:21.240