On June 13, the Hong Kong University's Public Opinion Programme voting site went live and was hit by the largest DDoS attack Hong Kong has seen. The site was built to host a referendum on constitutional reform. CloudFlare's CEO and co-founder Matthew Prince reported attack traffic exceeding 300 Gbps.
Battling 300Gbps+ attack right now. Knew it was coming so well prepared. Helluva story someday. pic.twitter.com/YJW9u5TBoL
— Matthew Prince (@eastdakota) June 20, 2014
According to digitalattackmap.com, a service developed in collaboration with Google Ideas and Arbor Networks that visualizes and replays a year's worth of DDoS attacks worldwide, the attack volume is visible from the time the voting site went live. What set this attack apart from other DDoS attacks, as Matthew Prince noted, was the deliberate choice of a computationally expensive cipher suite. The attacks CloudFlare observed were application-layer (layer 7) HTTPS floods in which the clients preferentially negotiated TLSv1 with DES-CBC3-SHA, a 3DES suite that costs the server far more CPU than the ciphers it would normally select by default (for instance AES, which is hardware accelerated on modern CPUs).
In effect, the voting site's web server was flooded with HTTPS requests, each one deliberately forcing a fresh, CPU-intensive TLS handshake followed by a 3DES-encrypted session. With its processors tied up servicing attacker handshakes, the server could not keep up with further requests and was unable to serve the actual poll traffic coming from legitimate voters.
There is something poetic in this: a cipher whose purpose is to protect the confidentiality and integrity of Internet traffic was turned into a weapon against availability, the third leg of the CIA triad.
The incident also shows how much understanding and sophistication now goes into DDoS attacks. They are often used as a smokescreen for more malicious and damaging activity, with both financial and reputational consequences for the victim.
DDoS attacks are becoming frequent; recent victims include Evernote, Deezer and Ancestry.com. Earlier this month, CodeSpaces.com suffered an attack that forced it to shut down. For startups and enterprises alike, whose Internet-facing services are fundamental to running the business, DDoS mitigation costs and recovery plans should be built into the operational strategy.
Businesses, startups and enterprises alike, should monitor their traffic and set up alerting on anything suspicious that warrants review. Because these attacks typically ramp up to full scale within a short window, the response must be quick and effective: network engineers and security specialists should prepare runbooks and automated scripts in advance to apply rate-limiting thresholds and filters, and should work closely with their network service providers, since volumetric traffic at hundreds of gigabits per second has to be stopped upstream of the victim rather than on the victim's own servers. And because a DDoS is increasingly a facade for a more targeted attack, once one is identified the business should raise its vigilance on every other security control in place. If the budget allows, subscription services from CloudFlare, Prolexic (owned by Akamai) and Incapsula (owned by Imperva), among other dedicated providers, offer advanced DDoS mitigation.
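As an added illustration of the monitoring and scripted response described above, and of the cipher-exhaustion pattern from the PopVote attack, here is a small Python detector. It is example code written for this page, not CloudFlare's or the Public Opinion Programme's tooling. It assumes an nginx-style access log extended with the `$ssl_protocol` and `$ssl_cipher` variables appended to each line (nginx exposes those variables but does not log them by default, so the field order is an assumption), and the thresholds are placeholder policy values. The sample log lines are constructed: two legitimate voters negotiating AES, one legacy client that happens to use 3DES a couple of times, and one client hammering the site with DES-CBC3-SHA handshakes.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# nginx-style access line with $ssl_protocol and $ssl_cipher appended.
# The field order is an assumption for this example.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) (?P<proto>\S+) (?P<cipher>\S+)$'
)

# 3DES suites are slow in software; DES-CBC3-SHA is the one reported in the attack.
EXPENSIVE_CIPHERS = {"DES-CBC3-SHA", "ECDHE-RSA-DES-CBC3-SHA"}

WINDOW_SECONDS = 10   # sliding window for the per-client request rate (assumed policy)
RATE_THRESHOLD = 10   # requests inside the window that trigger an alert (assumed policy)
CIPHER_MIN_HITS = 5   # expensive-cipher requests per client that trigger an alert (assumed)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def analyze(lines):
    """Return {ip: sorted reasons} for clients that breach the rate or cipher threshold.

    Lines for a given client are expected in chronological order; ordering across
    clients does not matter because every window is tracked per client.
    """
    recent = defaultdict(deque)    # ip -> timestamps still inside the sliding window
    expensive = defaultdict(int)   # ip -> number of expensive-cipher requests seen
    alerts = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts = rec["ip"], rec["ts"]
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()
        if len(window) > RATE_THRESHOLD:
            alerts[ip].add("rate")
        if rec["cipher"] in EXPENSIVE_CIPHERS:
            expensive[ip] += 1
            # A few 3DES handshakes are normal for old clients; only a burst is suspicious.
            if expensive[ip] >= CIPHER_MIN_HITS:
                alerts[ip].add("expensive-cipher")
    return {ip: sorted(reasons) for ip, reasons in alerts.items()}


def block_rules(alerts):
    """Render iptables drop rules for review; in practice these belong at the provider."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 443 -j DROP" for ip in sorted(alerts)]


def _line(ip, second, proto, cipher, path="/vote"):
    # Helper to build constructed sample lines at 10:00:<second> on the day of the attack.
    return (f'{ip} - - [20/Jun/2014:10:00:{second:02d} +0000] "GET {path} HTTP/1.1" '
            f'200 512 {proto} {cipher}')


# Constructed sample log (not real traffic).
SAMPLE_LOG = [_line("203.0.113.10", s, "TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256")
              for s in (0, 15, 31, 50)]                       # legitimate voter
SAMPLE_LOG += [_line("203.0.113.11", s, "TLSv1.2", "ECDHE-RSA-AES256-SHA", "/results")
               for s in (5, 40)]                              # legitimate voter
SAMPLE_LOG += [_line("192.0.2.33", s, "TLSv1", "DES-CBC3-SHA") for s in (12, 48)]  # legacy client
SAMPLE_LOG += [_line("198.51.100.7", s // 2, "TLSv1", "DES-CBC3-SHA")
               for s in range(24)]                            # flood: 24 requests in 12 seconds

if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for ip, reasons in found.items():
        print(f"ALERT {ip}: {', '.join(reasons)}")
    for rule in block_rules(found):
        print(rule)
```

Two design points matter here. The cipher check is a count, not a single hit, so a legacy browser that can only speak 3DES is not flagged while a client that negotiates it on every request is. And the emitted iptables rules are only a stand-in for the "automated scripts" the text calls for: at 300 Gbps the packets never reach a rule on the victim host, so the same alert should drive a request to the upstream provider or mitigation service, and the server's own TLS configuration should stop offering 3DES in the first place.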
Evidently, DDoS attacks are here to stay and they are only getting smarter. The defenses against them will have to keep pace.