Hackers are now using mobile apps to launch distributed denial of service (DDoS) attacks against enterprise clients, according to a new report from Prolexic Technologies Inc., a security solutions provider focused on protecting against DDoS attacks.
In the fourth quarter of 2013, a team of security engineers at Prolexic uncovered a case where hackers were targeting a major, unnamed financial services firm located in Asia using AnDOSid, an Android operating system app.
The app launched an HTTP POST flood attack, in which the number of HTTP requests becomes so large that a victim’s server has trouble responding to them all. When the server begins to rely too heavily on its system resources, it crashes.
While Prolexic’s report highlighted this specific case, it also noted this won’t be the last we’ll see of mobile app-enabled DDoS attacks. It’s simple enough to download an app that will perform a DDoS attack from an online app store, and any aspiring hacker would be able to use it, without having any experience in mounting cyber attacks, researchers wrote.
In the attack on the financial services firm, the attackers used at least 12 unique attacks, one of which had a hacktivist message to recruit others to help them. That means many of the people involved were volunteers who purposely connected to the command and control server and joined the botnet. The hackers were then able to control their devices remotely and kickstart the attack.
“The prevalence of mobile devices and the widespread availability of downloadable apps that can be used for DDoS is a game changer,” said Prolexic president Stuart Scholly in a statement.
“Malicious actors now carry a powerful attack tool in the palm of their hands, which requires minimal skill to use. Because it is so easy for mobile device users to opt-in to DDoS attack campaigns, we expect to see a considerable increase in the use of these attack tools in 2014.”
Part of the reason it’s easier to launch an attack using a mobile device is that the apps involved, like AnDOSid, have an easy-to-use interface. While AnDOSid was originally designed for security professionals to test their own sites for vulnerabilities, the attackers leveraged it for this particular attack campaign against the financial services firm because it provides simple instructions like “Go” and “Stop” – perfect for directing volunteers.
And AnDOSid isn’t the only tool. Prolexic researchers also found a new app called Low Orbit Ion Cannon, also used to participate in the same attack campaign on the financial services firm. The app was available in the Google Play store in December 2013.
“Mobile devices add another layer of complexity. Because mobile networks use super proxies, you cannot simply use a hardware appliance to block source IP addresses as it will also block legitimate traffic,” Scholly said.
“Effective DDoS mitigation requires an additional level of fingerprinting and human expertise so specific blocking signatures can be developed on-the-fly and applied in real-time.”
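The blocking problem Scholly describes, as an added example that is not from Prolexic's report: constructed request records in which flood and legitimate traffic share one carrier proxy address, comparing a block keyed on source IP with a block keyed on a request fingerprint. The addresses, user-agent strings, threshold and record layout are all assumptions made for the illustration.

```python
from collections import Counter

# Constructed sample records: (source_ip, method, path, user_agent, body_len, is_attack).
# 203.0.113.10 stands in for a carrier proxy shared by many subscribers.
PROXY = "203.0.113.10"
FLOOD_UA = "ExampleFloodTool/1.0"  # placeholder, not any real tool's signature
BROWSER_UA = "Mozilla/5.0 (Linux; Android 4.4) ExampleBrowser"

def build_sample():
    records = []
    # 40 flood POSTs and 15 legitimate requests, all behind the same proxy IP
    for _ in range(40):
        records.append((PROXY, "POST", "/login", FLOOD_UA, 1024, True))
    for i in range(15):
        method = "POST" if i % 5 == 0 else "GET"
        body = 120 if method == "POST" else 0
        records.append((PROXY, method, "/account", BROWSER_UA, body, False))
    # 5 legitimate requests from a fixed-line address
    for _ in range(5):
        records.append(("198.51.100.7", "GET", "/", BROWSER_UA, 0, False))
    return records

def by_ip(rec):
    return rec[0]

def fingerprint(rec):
    # Key on request shape instead of origin address
    _, method, path, ua, body_len, _ = rec
    return (method, path, ua, body_len)

def noisy_keys(records, key, threshold):
    """Return the keys whose POST count exceeds the threshold."""
    counts = Counter(key(r) for r in records if r[1] == "POST")
    return {k for k, n in counts.items() if n > threshold}

def evaluate(records, key, threshold):
    """Block all traffic matching a noisy key; return (attack_blocked, legit_blocked)."""
    blocked = noisy_keys(records, key, threshold)
    hit = [r for r in records if key(r) in blocked]
    return sum(r[5] for r in hit), sum(not r[5] for r in hit)

if __name__ == "__main__":
    sample = build_sample()
    print("block by source IP:   ", evaluate(sample, by_ip, 20))
    print("block by fingerprint: ", evaluate(sample, fingerprint, 20))
```

Both policies stop the 40 flood requests, but the source-IP block also drops the 15 legitimate requests that arrive through the same proxy, while the fingerprint block drops none.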
Beyond adding mobile apps to hackers’ arsenal, Prolexic researchers also noted that between 2012 and 2013 they were seeing more sophisticated attacks reaching a greater number of targets. About a fifth of these attacks came from the U.S., the biggest source of DDoS attacks, followed by China, Thailand, the U.K., and South Korea.
An attack campaign staged by multiple mobile device owners running at least 12 attacks is something we should expect to see more often, Prolexic’s team said in their report, writing that this particular case was a “prime example of DDoS attacks today.”
“No longer are they simple attacks, but instead they take a scatter shot approach, seeking to find any weakness with which to take down a website in a number of ways,” the report said.
Researchers noted they expect China to eclipse the U.S. as a source of DDoS attacks in the coming years, as it has a large Internet population and a foreign policy that encourages government employees to use the Internet to their country’s advantage.