Raspberry Pi Foundation DDoS Attack

E Crime

The perfect ‘E Crime’ – The Raspberry Pi Foundation

 

Assessment: The perfect ‘E Crime’ – The Raspberry Pi Foundation

 

Table of Contents

1 Introduction

1.1 Aim

1.2 Methodology

1.3 Justification

2 What is E-Crime?

2.1 Types of E-Crime?

3 The Raspberry Pi Foundation

4 The Attack

5 DoS attacks

5.1 DDoS attacks

5.2 Botnets

5.3 Protocol Attack

5.4 SYN Flood

6 Tools

6.1 High orbit ion cannon

6.1.1 High Orbit Ion Cannon Capabilities

6.2 Apache Killer

7 Defending DDoS

7.1 DDoS Defence System

7.2 DDoS Defence System Benefits

8 Example of a DoS attack

8.1 DoSing a website

8.1.1 The Result

9 Possible Perpetrators

9.1 Threat Agents

9.2 Who are the perpetrators?

10 Conclusion

11 References

Figure 1 – DDoS Attack

Figure 2 – High Orbit Ion Cannon

Figure 3 – Apache Killer

Figure 4 – DDoS Defence System

Figure 5 – Command Prompt

Figure 6 – Low Orbit Ion Cannon ready

Figure 7 – Low Orbit Ion Cannon attacking

Figure 8 – Low Orbit Ion Cannon URL

Figure 9 – Result of a successful DoS on a website

1 Introduction

In this report the information will be based around a case study of an e crime against a SME (small-medium enterprise) that has taken place during the past 10 years. The story that has been chosen is the Raspberry Pi Foundation that was hit by DDoS attack on the 7^th march 2013. The report will then explain how a cyber-criminal might have conducted this particular crime and try to assess the method and processes they might have used, including the tools, both hardware and software. While discussing tools, the report will show an example of how the tools are used to commit the crimes used from the story. The report will also show how you can defend systems from the attack that was chosen.

1.1 Aim

The aim of this report is to demonstrate an understanding of cyber-attacks that are used against small, medium enterprises, and the tools (software and hardware) they use to be able to carry out these attacks.

1.2 Methodology

This report was compiled utilising secondary resources, including a variety of books obtained from the library, as well as internet sources such as website’s and PDF’s.

1.3 Justification

E-Crime Wales have documented that a Denial of service attack is one of the most common types of E-crime. (E-Crime Wales, 2012)

Denial of service attack was chosen because it’s one of the most common e-Crimes out there, it is also probably one of the easiest attacks to perform, the tools used for this type of are attack are freely available to find and download, easy to use and very powerful.

The company chosen was a SME and the attack was done in the last ten years.

2 What is E-Crime?

E-Crime is a criminal activity where a computer or computer network is the source, tool, target, or place of a crime. E-Crime is not necessarily just for computing purposes; E-Crime’s can also be crimes such as – fraud, theft, blackmail, forgery and embezzlement. E-Crime is quite difficult to become aware of and also punish because of how difficult it is, and also because attackers are able to hack victims thousands of miles away. Due to E-Crime getting a lot bigger and technology is becoming more advanced, new threats are rising very quickly and are also quite difficult for companies and people to react to them. (E-Crime Wales, 2011)

2.1 Types of E-Crime?

According to the UK Government, around 87% of small businesses were victims of a security incident in 2013 up 10% and the average cost of a company’s worst incident was £35,000 – £65,000 (Gov, 2013)

In Wales alone it is estimated that attacks from e-criminals cost the economy around one billion. This includes financial loss, interruption of business, theft of valuable data, identity theft and a lot more caused by unauthorized access to systems. (Prior, N, 2013)

Types of E-Crime are as follows:

• Hardware Theft
• Identity Theft
• Phishing
• Pharming
• Malware
• Virus’s
• Cyber Terrorism

3 The Raspberry Pi Foundation

The Raspberry Pi Foundation is charity that was founded in 2006 which is supported by the University of Cambridge Computer Laboratory and Broadcom. The charity is there to promote computer science in schools, and is the developer of the single board computer the Raspberry Pi. In 2011, the Raspberry Pi Foundation developed a single-board computer named the Raspberry Pi. The Foundation’s goal was to offer two versions, priced at around £30. The Foundation started accepting orders for the higher priced model on 29 February 2012. (Raspberry,FAQ, 2009)

4 The Attack

The main attack was the third attack of out of seven days. The foundation was attacked on the afternoon of the 3^rd march, where the site was disrupted for about an hour. The foundation was then again attacked two days later on the 5^th march, but nothing happened and the attackers gave up after a few hours, finally on the evening of 7^th March 2013, the Raspberry Pi Foundation website was attacked by a nasty Distributed Denial of Service (DDoS) attack. The servers where hit by a SYN flood, a botnet that contained around 1 million nodes. This caused the website to become very slow, especially the forum pages. The website was also down for a few hours. This attack proved to be the worst out of the three attempts.

5 DoS attacks

DoS refers to “Denial of service” attack. A DoS attack is an attack that can make a web resource unavailable to its users by flooding the target URL with more requests than the server can handle. That means that regular traffic on the website will be either slowed down or completely interrupted. (Bull Guard, 2012)

5.1 DDoS attacks

DDos refers to “distributed denial of service” attack. A Distributed Denial of Service (DDoS) attack is a DoS attack that comes from more than one source at the same time. A DDoS attack is generated using thousands can be up to hundreds of thousands of zombie machines. The machines used in such attacks are known as “botnets” in this attack there were around one million nodes in the botnet. The botnets are normally infected with malicious software, so they can be remotely controlled by the attacker. Attackers usually create the denial-of-service by either consuming server bandwidth or impairing the server itself. Targets are normally web servers, DNS servers, application servers, routers, firewalls and Internet bandwidth. (Verisign, 2012)

Figure 1 – DDoS Attack

5.2 Botnets

Criminals use bots to infect large numbers of computers. These computers form a network, or a botnet. Criminals use botnets to send out spam email messages, spread viruses, attack computers and servers, and commit other kinds of crime and fraud. If a computer becomes part of a botnet, then the computer might slow down and maybe unintentionally be helping criminals. (E-CrimeWales, 2011)

5.3 Protocol Attack

The attack used against the raspberry pi foundation was a SYN flood from a botnet. This is called a protocol attack. Protocol attacks include attacks such as SYN floods, fragmented packet attacks ETC. These types of attacks target server resources, firewalls and load balancers, and is measured in Packets per second.

5.4 SYN Flood

A SYN flood DDoS attack exploits a weakness in the TCP connection sequence which is known as the three way handshake, SYN requests to start a TCP connection with a host must be answered by a SYN-ACK response from that host, and then confirmed by an ACK (ACKnowledge) response from the requester. In a SYN flood attack, the requester sends multiple SYN requests, but sometimes it doesn’t respond to the host’s SYN-ACK response, or sends the SYN requests from a spoofed IP address. Either way, the host system continues to wait for acknowledgement, binding resources until no new connections can be made, and then resulting in a denial of service attack. (Incapsula, 2012)

6 Tools

6.1 High orbit ion cannon

Figure 2 – High Orbit Ion Cannon

(Breeden, J, 2012)

The High Orbit Ion Cannon is a tool used mainly by anonymous but also used by other hacktivists. The High Orbit Ion Cannon is an upgrade of the Low Orbit Ion Cannon, but it seems that the High Orbit Ion Cannon is mainly used to just DoS websites instead of servers, which you can do on the Low Orbit Ion Cannon. The High Orbit Ion Cannon is able to use custom scripts to target more than just a website’s home page. Instead of visiting the site from a fake user, the High Orbit Ion Cannon targets sub-pages. So the attackers try to visit the welcome page, help pages, article pages and anything else a victim site has to offer. This method prevents some firewalls from recognising that the website is being attacked. Even if they do detect what’s happening, they will have trouble shutting down because the software is sending multiple fake users to multiple pages within a domain. (Breeden, J, 2012)

The High Orbit Ion Cannon is really not that powerful for single users if they want to attack a big organisation, Anonymous say at least 50 people need to attack a big organisation in order to take the website down. In this instance a single user could of used this type of tool to bring down the Raspberry Pi Foundation website for a few hours, mainly because the Foundation wouldn’t have (or very little) Anti DDoS software to have been able to stop the attack. (Breeden, J, 2012)

6.1.1 High Orbit Ion Cannon Capabilities

• High-speed multi-threaded HTTP Flooding
• Simultaneously flood up to multiple websites at once
• Scripted Boosters to handle DDoS counter measures and increase DoS output.
• Generating Multiple HTTP Header to create the genuine traffic flow scenario.

(Avkash, K, 2012)

6.2 Apache Killer

Figure 3 – Apache Killer

(Expert Hacker Home, 2012)

Apache killer is a DDOS/DOS tool written in Perl which sends HTTP get requests with multiple byte ranges, these byte rangesoccupya wide variety of portions in the memory space. Byte Range helps browsers or downloading applications to download required parts of files. This helps reduce bandwidth usage. While the script sends dozens of unsorted components in the request header to cause the apacheserver to malfunction. (Rafayhackingarticles, 2012)

If the attack is successful the results can be devastating and can end up in rendering the original operating system unusable only if the requests are sent parallel. (Hoffman, S, 2011).

7 Defending DDoS

There are a number of ways to defend against DDoS attacks:

• Black-holing or sinkholing: This approach blocks all traffic and diverts it to a black hole, where it is discarded. The downside is that all traffic is discarded good and bad, packet-filtering and rate-limiting measures simply shut everything down, denying access to legitimate users. (ComputerWorld Inc, 2004)

• Routers and firewalls: Routers can be configured to stop simple ping attacks by filtering nonessential protocols and can also stop invalid IP addresses. However, routers are pretty much useless against a more sophisticated spoof attack and application-level attacks using valid IP addresses. Firewalls can shut down a specific flow associated with an attack, but like routers, they can’t perform anti-spoofing. (ComputerWorld Inc, 2004)

7.1 DDoS Defence System

Figure 4 – DDoS Defence System

(Coreo Network Security, 2012)

The DDoS Defence System (DDS) prevents DDoS attacks from crippling firewalls, intrusion prevention systems (IPS), switches and targeted web and DNS servers. It stops all types of DDoS attacks and maintains full availability without effecting performance. DDS provides maximum protection for critical IT assets while allowing full access to legitimate users and applications. (Coreo Network Security, 2012)

DDS detects and blocks all forms of DDoS attacks, including:

• Application layer
• Network layer flooding
• Specially crafted exploits
• Reflective
• Outbound attacks

7.2 DDoS Defence System Benefits

• Detects and mitigates both traditional network-layer DDoS attacks and more advanced application-layer attacks
• Protects your network, allowing legitimate communications to pass without delay
• provides automated real-time defence against identified DDoS attack sources

8 Example of a DoS attack

The following attack was performed in a virtual environment using DoS and DDoS software. In the example the DoS tool that was used was the Low Orbit Ion Cannon and Windows server 2008.

Figure 5 – Command Prompt

As you can see in figure 5, it shows a simple IPconfig command to show the IP address for the attack.

Figure 6 – Low Orbit Ion Cannon ready

In Figure 6 you can see that the Low Orbit Ion Cannon is ready to set off. As you can see the Server 2008 IP address has been locked on ready for it to be DoS’ed. Just underneath the address you can see the speed of the attack, the faster it is the more requests that are sent to the server, underneath that it then shows the method, port, thread and timeout for the attack.

Figure 7 – Low Orbit Ion Cannon attacking

As from figure 6 you can see all the things are the same and ready to go. After clicking “IMMA CHARGIN MAH LAZER” you can see the attack is working by looking at the bottom of Figure 7 where it is showing the number of requests being sent. That number was just after around one minute of the server being attacked, so the amount requested would be a lot higher after around five minutes time which would probably be enough time. The purpose of Dos’ing a server is so that it stops any requests to that server, it sends multiple fake requests to the server stopping anything else being connected to it.

8.1 DoSing a website

Figure 8 – Low Orbit Ion Cannon URL

The Low Orbit Ion Cannon can also be used to DoS a website, by simply typing in the website you want to DoS in the URL tab, click lock on and then fire the cannon. The purpose of DoSing a website is by flooding the target URL with more requests than the server can handle causing the website to crash and to be temporarily unavailable.

8.1.1 The Result

Figure 9 – Result of a successful DoS on a website

If a DoS/DDoS attack is successful on a website then this is normally what you’ll see when you try to access the website, the DoS attack has clearly crashed the website and caused it to offline.

9 Possible Perpetrators

The Possible perpetrators could be a number of people or organised crime. Even though there is no evidence from the foundation on who was behind the attack or the location it came.

9.1 Threat Agents

The possible threat agents that could have been behind this attack are as follows

• Employees
• Government agencies
• Hacktivists groups e.g. Anonymous
• Organised criminals

9.2 Who are the perpetrators?

From conducting the research there is no evidence of who was behind the attack and where that attack had come from. Looking at the possible threat agents it’s very unlikely that the attack could of come from a government agency or a type of hacktivist group such as anonymous, Lulzsec etc, if the attack came from one of them two types of threat agents the attack could have been a lot more sophisticated and could have caused a lot more damage. The Raspberry Pi Foundation quote that the attacker was probably “ an angry confused kid” which is easy to believe considering the attack was attempted multiple times throughout that week, but its possible that the attack may not be linked to the same person, it could also be the same attacker with help from others to make sure the attack was successful or it could have been another attacker. The foundation says that the attack was probably for financial gain but there is no comment of any data being stolen.

10 Conclusion

Throughout the report it shows how frightening it is that any sorts of hacker or hacktivist group are willing to attack anyone. It’s scary to think that even charity websites are vulnerable to attacks. Looking at this attack the foundation is lucky that it wasn’t attacked by a bigger threat agent from a hacktivist group which could have caused a lot more damage. The report also shows how easy it is to get your hands on the tools that are commonly used, how easy they are to use and how powerful they actually are. The examples of the attacks show how powerful the tools can be, the Low Orbit Ion Cannon sends a high amount of requests to servers and websites in a short space of time.

11 References

Raspberry, FAQ. (2009). About Us. Available: http://www.raspberrypi.org/about. Last accessed 19/03/2014.

E-Crime Wales. (2011). What is e-Crime?. Available: http://www.ecrimewales.com/server.php?show=nav.8856. Last accessed 17/03/2014.

Breeden, J. (2012). Hacker’s new firepower adds firepower to DDOS. Available: http://gcn.com/Articles/2012/10/24/Hackers-new-super-weapon-adds-firepower-to-DDOS.aspx?Page=2. Last accessed 18/03/2014.

Expert, Hacker Home. (2012). Latest Methods of DDoS attacks. Available: http://experthackershome.blogspot.co.uk/2012/07/ddos-attacks-in-2012-latest-method-of.html. Last accessed 18/03/2013.

E-Crime, Wales. (2011). Botnets Explained. Available: http://www.ecrimewales.com/server.php?show=nav.9390. Last accessed 26/03/2014.

Coreo Network Security. (2012). How to stop DDoS Attacks. Available: http://www.corero.com/en/products_and_services/dds. Last accessed 27/03/2014.

ComputerWorld Inc. (2004). How to defend against DDoS attacks. Available: http://www.computerworld.com/s/article/94014/How_to_defend_against_DDoS_attacks. Last accessed 27/03/2014.

Bull Guard. (2012). What are DoS and DDoS attacks?. Available: http://www.bullguard.com/bullguard-security-center/internet-security/internet-threats/what-are-dos-and-ddos-attacks.aspx. Last accessed 20/03/2014.

Verisign. (2012). What is a DDoS attacks?. Available: http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/ddos/ddos-attack/index.xhtml. Last accessed 20/03/2014.

Incapsula. (2012). DDoS Attack Types. Available: http://www.incapsula.com/ddos/ddos-attacks. Last accessed 20/03/2014.

rafayhackingarticles. (2012). Apache Killer. Available: http://www.rafayhackingarticles.net/2011/08/zero-day-dos-vulnerability-in-apache.html. Last accessed 23/03/2014.

Hoffman, S. (2011). Apache Killer Tool Exploits DoS Flaw. Available: http://www.crn.com/news/security/231600200/apache-killer-tool-exploits-dos-flaw.htm. Last accessed 23/03/2014.

Avkash, K. (2012). High Orbit Vs Low Orbit. Available http://www.symantec.com/connect/blogs/high-orbit-vs-low-orbit-ion-cannonglimps-some-hacking-techniques. Last accessed 23/03/2014. E-Crime Wales. (2012). Denial of Service. Available: http://www.ecrimewales.com/server.php?show=nav.9335. Last accessed 20/03/2013. Prior, N. (2013). Wales E-Crime. Available: http://www.bbc.co.uk/news/uk-wales-mid-wales-12909246. Last accessed 30/03/2014 Gov. (2013). Small Business Breaches. Available: https://www.gov.uk/government/news/more-small-businesses-hit-by-cyber-attacks. Last accessed 30/03/2014.

1