Kaspersky Labs just published a report on DDoS attacks in Q4 2017 and found that a surprising number of DDoS attacks are not motivated by financial gain or by the chance to profit from the huge spike in Bitcoin, but are in fact the accidental outcome of botnet side activities.
In December 2017, Kaspersky noted a massive number of requests to non-existent second and third level domains, which led to an unusual load on DNS servers in the RU zone. The DDoS attack was in fact due to poor design by a malware developer. The long-running Lethic Trojan malware allows spam traffic to pass through infected devices, acting like a proxy server. The version of Lethic that Kaspersky discovered had been modified to mask the command-and-control (C&C) server addresses behind various junk requests, and the huge load then placed on the DNS servers was not deliberate, but accidental.
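The Lethic behaviour described above leaves a recognisable trace at the resolver: a small set of clients generating a high proportion of NXDOMAIN answers spread across many junk second-level names in one zone. The following is an added example, not code from the Kaspersky report or from any product, showing how a defender could flag such clients from a query log. The log format (`<time> client <ip> query <name> rcode <RCODE>`), the sample lines, the thresholds and the two-label "registered domain" simplification are all assumptions made for the example.

```python
"""Flag resolver clients whose queries are mostly for non-existent names
spread over many distinct second-level domains (NXDOMAIN flood pattern)."""
import re
from collections import defaultdict

# Assumed simplified query-log line format; real BIND/Unbound logs differ.
LINE_RE = re.compile(r"^(\S+) client (\S+) query (\S+) rcode (\S+)$")

# Constructed sample log: 10.0.0.5 is an ordinary client with one typo,
# 10.0.0.9 behaves like the junk-request proxy described in the article.
SAMPLE_LOG = """\
2017-12-04T10:00:01 client 10.0.0.5 query mail.example.ru rcode NOERROR
2017-12-04T10:00:01 client 10.0.0.5 query www.example.ru rcode NOERROR
2017-12-04T10:00:02 client 10.0.0.9 query qx7f2k.zz91.ru rcode NXDOMAIN
2017-12-04T10:00:02 client 10.0.0.9 query a8b1.k2ml.ru rcode NXDOMAIN
2017-12-04T10:00:03 client 10.0.0.5 query wwww.example.ru rcode NXDOMAIN
2017-12-04T10:00:03 client 10.0.0.9 query p0o9.zz91.ru rcode NXDOMAIN
2017-12-04T10:00:04 client 10.0.0.9 query zzt4.hh20.ru rcode NXDOMAIN
this line is malformed and must be skipped by the parser
2017-12-04T10:00:04 client 10.0.0.9 query x1.u7v3.ru rcode NXDOMAIN
2017-12-04T10:00:05 client 10.0.0.5 query update.vendor.ru rcode NOERROR
2017-12-04T10:00:05 client 10.0.0.9 query www.example.ru rcode NOERROR
2017-12-04T10:00:06 client 10.0.0.9 query m4.q9q9.ru rcode NXDOMAIN
2017-12-04T10:00:06 client 10.0.0.5 query cdn.vendor.ru rcode NOERROR
2017-12-04T10:00:07 client 10.0.0.9 query r2d2.plm8.ru rcode NXDOMAIN
2017-12-04T10:00:07 client 10.0.0.9 query k.zz91.ru rcode NXDOMAIN
"""


def parse_line(line):
    """Return (client, name, rcode) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _time, client, name, rcode = m.groups()
    return client, name.lower().rstrip("."), rcode.upper()


def registered_domain(name):
    """Simplification (assumption): the last two labels, e.g. zz91.ru.
    A production tool would use the public suffix list instead."""
    labels = name.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name


def analyze(log_text, min_queries=5, nx_ratio=0.8, min_distinct=5):
    """Per-client NXDOMAIN statistics plus a 'flagged' verdict.

    A client is flagged when it has sent at least min_queries queries,
    at least nx_ratio of them returned NXDOMAIN, and those failures span
    at least min_distinct different second-level domains (junk names,
    rather than one mistyped host)."""
    total = defaultdict(int)
    nx = defaultdict(int)
    nx_domains = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                      # skip malformed lines
        client, name, rcode = rec
        total[client] += 1
        if rcode == "NXDOMAIN":
            nx[client] += 1
            nx_domains[client].add(registered_domain(name))
    report = {}
    for client, n in total.items():
        ratio = nx[client] / n
        distinct = len(nx_domains[client])
        report[client] = {
            "queries": n,
            "nxdomain": nx[client],
            "ratio": ratio,
            "distinct_nx_domains": distinct,
            "flagged": n >= min_queries and ratio >= nx_ratio
                       and distinct >= min_distinct,
        }
    return report


def flagged_clients(log_text, **kw):
    """Sorted list of client IPs that meet the flood criteria."""
    return sorted(c for c, s in analyze(log_text, **kw).items() if s["flagged"])


if __name__ == "__main__":
    for client, stats in analyze(SAMPLE_LOG).items():
        print(client, stats)
    print("flagged:", flagged_clients(SAMPLE_LOG))
```

The distinct-domain condition is what separates the Lethic-style pattern from a single client repeatedly mistyping one hostname; both produce NXDOMAIN, but only the former fans out across many names in the zone and so loads the authoritative servers.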
Kaspersky summed it up as such: “Clearly, the Internet is now so saturated with digital noise that an arbitrary resource can be hit by botnet activity without being the target of the attack or representing any value whatsoever to the attackers.”
Accidental DDoS has often been claimed by script kiddies, including a Phoenix teenager in October 2016 who mistakenly tweeted a link to a JavaScript exploit, which launched a DDoS attack on 911 systems. The exploit forced iOS devices to automatically dial and re-dial 911. The previous month, researchers calculated that only 6,000 smartphones were needed to knock out an entire state’s 911 system.
In this instance, the teenager’s home was searched by the local Sheriff’s office and “several items were seized”. He was charged with three felony counts of computer tampering. The teenager maintains he was attempting to prank his friends by weaponizing a bug that would constantly dial a phone number or show annoying popups. Instead, he shared a version that redialled 911.
Of course, accidental DDoS can also occur when there is a sudden surge in traffic to a website that doesn’t have the capacity to handle it. This was the case in August 2015 when the U.K. Labour party website was knocked offline as a result of a spike in traffic from well-meaning supporters. The party had extended its deadline to register and vote in the upcoming leadership elections, but failed to put in place new measures for its website to handle the related surge in traffic.
Marc Gaffan, general manager of Imperva, explained at the time what the party should have done in preparation for the spike in traffic to its site: “While it’s interesting that the term DDoS has entered the vernacular, a site that is overwhelmed by its own users is obviously not under attack. Organizations that expect a surge in traffic leading up to a deadline, whether political or retail, need to employ both load balancing and caching to spread the load and speed up the user experience, respectively. That prevents too many users on a single server, and reduces the number of frustrated users who hit the reload button, thereby making the problem worse.”
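To make the two measures in that quote concrete, here is an added example (not code from Imperva, the Labour party or the article) that models a shared response cache in front of a pool of origin servers with round-robin load balancing. The backend names, the one-request-per-second burst and the TTL values are constructed for the example; the point it shows is how many requests reach the origin with and without caching, and how the remainder is spread across servers.

```python
"""Model of caching plus round-robin load balancing under a traffic surge."""
from itertools import cycle


class SurgeFrontend:
    """Reverse-proxy model: answer from a shared cache when the entry is
    still fresh, otherwise send the request to the next backend in turn
    and cache the rendered response for cache_ttl seconds."""

    def __init__(self, backends, cache_ttl):
        self.backends = list(backends)
        self._rr = cycle(self.backends)      # round-robin selector
        self.cache_ttl = cache_ttl
        self._cache = {}                     # path -> (body, expires_at)
        self.origin_hits = {b: 0 for b in self.backends}
        self.cache_hits = 0

    def serve(self, path, now):
        """Return 'cache' or the backend name that rendered the page."""
        entry = self._cache.get(path)
        if entry is not None and now < entry[1]:
            self.cache_hits += 1
            return "cache"
        backend = next(self._rr)
        self.origin_hits[backend] += 1
        body = f"<page {path} rendered by {backend}>"   # constructed body
        self._cache[path] = (body, now + self.cache_ttl)
        return backend


def simulate_burst(n_requests, backends, cache_ttl, path="/register"):
    """One request per second for n_requests seconds to the same page.
    Returns (origin hits per backend, total cache hits)."""
    fe = SurgeFrontend(backends, cache_ttl)
    for second in range(n_requests):
        fe.serve(path, now=second)
    return fe.origin_hits, fe.cache_hits


if __name__ == "__main__":
    pool = ["web1", "web2", "web3"]
    print("no cache :", simulate_burst(1000, pool, cache_ttl=0))
    print("60s cache:", simulate_burst(1000, pool, cache_ttl=60))
```

With a 60-second TTL the 1000-request burst costs the origin 17 renders, split 6/6/5 across the three servers; with no cache every request is an origin render, which is the situation a single unprepared server faces. The model deliberately leaves out the reload feedback loop Gaffan mentions; a slow origin only makes that loop worse, which is the argument for putting the cache in front.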