CEBIT 2018: Researchers expose perpetrators behind mass Internet attacks
[Image: World map with DDoS attacks.]
Professor Christian Rossow and his research group at the CISPA Helmholtz Center in Saarbrücken are researching attacks that strike fear not only in the hearts of companies, but of sovereign states too. The technical jargon for such attacks is “Distributed Denial-of-Service Attacks” (DDoS), because they flood online services with huge amounts of data, which then renders them inoperative. Rossow and his team of researchers are developing methods and tools that will analyse and stop such attacks. By doing so, they are even able to uncover the perpetrators behind these attacks. They will present their latest results during the CEBIT computer expo at stand F68 in hall 27.
Webstresser.org is notorious for being the online platform where you can purchase everything you need to mount a successful massive online attack. According to Europol, it is likely the world’s largest marketplace for DDoS attacks. Victims include banks, online traders and governments. A few weeks ago, European prosecutors responded and took action, announcing shortly thereafter on their website that the platform is now off-line.
Before making their online raid, investigators had access to the results of Professor Christian Rossow’s research. Rossow, a researcher at the CISPA Helmholtz Center and professor at Saarland University, has been analysing the modus operandi of cyber criminals for years. In recent years he has given special attention to a specific type of DDoS attack, the “amplification attack”.
“Imagine that it’s your birthday, the barbecue has been lit and a few friends have come around for a celebratory drink. But a malicious contemporary has circulated a false advertisement which alleges that you are offering tickets for the forthcoming Football World Cup at a bargain price. Your landline telephone is now ringing constantly all evening and you can forget your quiet drink together.” This is how Rossow explains the principle behind these attacks. According to Rossow, the most perfidious thing about this type of attack is that the attacker achieves the maximum effect with a minimum of effort.
Together with his PhD students at Saarland University and colleagues from Japan, he has developed a kind of digital trap for such attacks. During the development phase, the scientists drew on the knowledge that these attacks consist of two phases. During the first phase, the perpetrators scan for computers that they can harness for their attack. In the second phase, they use these computers to launch their massive attack. Rossow and his colleagues have been able to document 1.5 million of these attacks.
In a subsequent paper, Rossow, together with Johannes Krupp and Michael Backes, founding director of the CISPA Helmholtz Center, has uniquely fingerprinted the respective scanning attempts. This has allowed researchers to link the attacks with scanning attempts and, therefore, identify the people behind them. “This is probably our greatest achievement,” explains Rossow, “because the perpetrators behind the attacks usually remain hidden.” The computer scientists from Saarbrücken were able to identify a total of 34 networks as the sources of attacks with 98 percent confidence.
Last year, the scientists were able to build on this success and, together with colleagues from Google and New York University, prove which attacks had been organised via online marketplaces such as webstresser.org. They were furthermore able to identify the extent of the range of products for launching DDoS attacks and, therefore, the level of the associated threat. This involved large-scale analysis of data, which was carried out over a period of two years in cooperation with researchers from the University of California in San Diego and the University of Twente. Explaining the direction future research projects will take, Rossow stated: “In the future, we need even more data that covers an even longer time span. This is the only way that we will be able to make a well-founded statement about the health of the Internet”.