IP-stressor: how a testing tool became a cyber weapon

Father
Cyberspace has evolved significantly over the past two decades. It is almost impossible to find a company or state service that does not have its own resource on the network. Some projects even exist only "in digital form" and have no physical presence at all. For a huge number of companies, doing business is simply impossible without access to the Internet.

This trend also has side effects. One of them is unfair competition carried out by software means. The easiest way to safely remove a competitor from the game is to "put down" (take offline) their web resources, for example at the peak of the sales season. As a rule, IP stressers are used for this purpose: they are the tool with which the DDoS attack is actually carried out.

In the past year, unfair competition faded into the background, as the main reason for DDoS attacks was not to gain benefits, but to cause damage. Hacker and hacktivist communities from different countries literally attack everyone they can reach, giving DDoS attacks the scale of an epidemic.

This article will analyze the main technical features of IP stressors, legal aspects of their use, who is involved in denial-of-service attacks, and how the DDoS service market works.

What is an IP stressor?

Formally, a stressor is any software for load-testing a resource, a site or a server. In this sense, a stressor is perfectly legitimate software that specialists use to identify weaknesses in their own infrastructure, distribute and optimize the load, and tune the resource before launch.

However, nothing prohibits a malicious user from using a stressor to "test the load" on other sites. In this case, initially legal software becomes a tool for implementing a DDoS attack.

As a rule, DDoS allows the attacker to:
  1. Take the site down completely.
  2. Cause the resource to malfunction.
  3. Disguise another attack or divert the defenders' attention elsewhere.

Timofey Koptyaev
Angara Security System Architect

IP stressor is a very general concept, which implies the principle of generating traffic aimed at testing the bandwidth of network hardware. In fact, any traffic-generating software can be used as an attacking mechanism, and here the main point is the purpose of the attack. If this is some kind of web resource inside a small network and an attacker from his local computer wants to infect it, then most likely he will succeed with the most primitive means (for example, hping), because there will be no security tools or routing devices on the way.

In the reality of the Internet, when the target is some serious public resource, such an attack will not work. Most likely, this generated traffic will be discarded at the last-mile provider level by the most basic threshold rule. For DDoS of public sites, attackers use distributed networks of bots that deploy scripts in public clouds, and usually not even in one. In this case, each bot can also be a means of IP stress (the same hping), only in this case such a flood is not so easy to stop. You can generate a lot of traffic from each bot, so that providers don't cut it, but as a result the resource will be critically loaded by the sum of the traffic from each bot.

The world of stressors is quite extensive; most solutions are flexible enough in terms of the traffic sources used and the choice of attack type, which allows the same software to be used both to take down an already "barely alive" business-card site with zero protection and a serious corporate site. Much depends on the qualifications of the specialist who carries out the attack.

"Custom" stressors are very popular: they work on a service model and are aimed at customers who have little understanding of the technical side and just want results. In this case, all interaction comes down to topping up a wallet, selecting a target, and clicking the "start" button.

What is a stressor used for, and how legal is it?

An IP stressor itself is legitimate software that can be found, for example, on GitHub. As long as the user applies it for its intended purpose, load-testing their own infrastructure, no problems with the law can arise.

Daria Zubritskaya
Marketing and Communications Director of the digital platform for organizing business trips and managing expenses Raketa

Stressors are quite an effective tool for checking your defense system. Using a stressor allows you to determine whether your network is strong enough to withstand a DDoS attack, and helps you determine whether you need to apply any additional security measures. Using a stressor is much easier than launching a DDoS attack through a botnet network. Also, using a stressor is legal compared to other ways to test your resources.

If we talk about other popular ways of using stressors, two main ones can be distinguished by their legal status:
  1. Definitely "black". Using stressors to conduct DDoS attacks "to order" or for extortion. Both options fall under several articles of the Criminal Code at once.
  2. Conditionally "gray". Such attacks are usually not financially motivated and have socio-political motives. There is no unambiguous legal interpretation of such activity, nor any settled law enforcement practice.

Alexey Morozkov
Senior Team Leader of the ICL Services Cybersecurity Management Center

DDoS attacks may fall under Article 273 of the Criminal Code of the Russian Federation, "Creation, distribution and use of malicious computer programs". Moreover, the Criminal Code of the Russian Federation was recently supplemented with a special Article 274.1, "Undue influence on the critical information infrastructure of the Russian Federation", so that in general there is a legal basis for bringing to justice for such offenses.

However, collecting evidence, identifying suspects, and investigating such cases can be difficult. This requires the coordinated work of lawyers, information security specialists and the victim. Judicial practice on such crimes is not yet particularly widespread in Russia, but nevertheless there are companies specializing in the investigation of computer crimes.

Despite the existence of a legal basis for bringing participants in DDoS attacks to justice, in practice this happens quite rarely. There are many reasons, but three main ones:
  1. The attacker is outside the jurisdiction of law enforcement agencies. Cooperation between countries in catching cybercriminals was slow even before, and in the context of the geopolitical crisis it has practically stopped.
  2. There is no complainant. Victims of DDoS attacks rarely contact the relevant authorities, for a variety of reasons. Usually because they think it is a waste of time.
  3. The attacker could not be identified. VPNs, proxies, and other anonymization tools are now used even by ordinary users, not to mention cybercriminals.

It is important to understand that declining to file a complaint is, in effect, creating the conditions for DDoS services to exist and encouraging impunity. There is no point in waiting for "perfect cyber legislation" to appear; you need to use the levers and tools that existing law enforcement practice offers.

Stressors and hacktivism​

Since last year, hacktivists have become the main users of stressors. This is because DDoS is one of the simplest attack techniques in cyberspace, and mastering it requires no deep specialized knowledge. The second reason for the relevance of DDoS is that this type of attack by its nature requires mass participation. "Mass participation" can be achieved either by involving users unwittingly, the classic creation of a botnet, or openly, which is what matters for hacktivism.

In this regard, the project of the group No Name 057 (16) can be considered a phenomenon: it can be called the first "social botnet", in which people take part fully consciously. In terms of efficiency, this type of stressor has problems that the "classic" stressor or botnet does not.

The main one is the need to coordinate all participants and keep them motivated. A classic botmaster does not need any of this, since it essentially does not work with people at all and uses the power of their devices directly.

How to protect yourself​

It is important to understand that most stressor operators are not high-level specialists who carry out targeted attacks. Their skills and knowledge are in most cases far from the highest level, and even the simplest free protection tools can make a resource "impenetrable" for the lion's share of "DDoSers".

Alexander Zubrikov
General Director ITGLOBAL.COM Security

As for efficiency, it all depends on how much computing power the owners of the stressor will be able to concentrate in their hands. These can be your own servers or botnets, or servers with open spoofing. If we talk about monetization, then renting computing power is the main source of income. There may be many variations, such as one-time services, subscription models, prices may vary depending on the target being attacked, and so on.

There are no fundamental differences in comparison with other methods of DDoS attacks from the point of view of technical bases as such. All IP stressors take advantage of well-known protocol bottlenecks at various levels. These are often attacks using OSI/ISO Layer 3, 4, and 7 protocols, such as SYN-flood, ACK-flood, HTTP-Slowloris, and others. It is worth noting that stressors traditionally use botnets to perform attacks.

You can preemptively improve a site's resilience as early as the development stage by choosing a distributed, microservice architecture. By default it is more resistant to denial-of-service attacks than a monolithic one, since the load can be spread across independently scaled components.

You can use specialized anti-DDoS solutions, such as DDoS Guard (DDG) or Cloudflare. Like any other tool, they will not give one hundred percent protection, but primitive stressors will not break through them.

The ultimate measure is a "captcha". For most "DDoS specialists" this is an almost insurmountable obstacle that can be bypassed only by a "long/slow" attack, which requires the ability to generate "clean" requests, practically impossible without a botnet.
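The "basic threshold rule" and the "long/slow" attack mentioned above can both be spotted in ordinary web-server logs. The following detector is an added example written for this post, not code from the original article or from any of the quoted companies: it parses a constructed nginx-style access log (combined format with a trailing request-time field, which is an assumed log format) and flags clients that exceed a per-source request threshold in a sliding window, as well as clients whose individual requests stay open for an unusually long time, the pattern a Slowloris-style attack leaves. All IP addresses, thresholds and log lines are constructed sample values.

```python
"""Per-source rate and slow-request detection over web-server access logs.

Added example. Assumed log format (constructed, nginx-like):
    <ip> - - [<timestamp>] "<request>" <status> <bytes> <request_time_seconds>
Thresholds and sample clients are illustrative, not tuned for any real site.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) (?P<rtime>[\d.]+)$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line; return a dict or None for unparseable input."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FORMAT),
        "request": m.group("req"),
        "status": int(m.group("status")),
        "request_time": float(m.group("rtime")),
    }


def detect_floods(lines, window_seconds=10, max_requests=5, slow_seconds=30.0):
    """Return (flood_ips, slow_ips), both sorted lists.

    flood_ips: sources with more than `max_requests` hits inside any
               `window_seconds` sliding window (the simple threshold rule).
    slow_ips:  sources with at least one request held open for
               `slow_seconds` or longer (Slowloris-style behaviour).
    Lines are assumed to be in timestamp order for each client.
    """
    recent = defaultdict(deque)   # ip -> timestamps within the current window
    flood_ips, slow_ips = set(), set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:           # skip malformed lines rather than crash
            continue
        ip, ts = rec["ip"], rec["ts"]
        window = recent[ip]
        window.append(ts)
        # drop timestamps that fell out of the sliding window
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) > max_requests:
            flood_ips.add(ip)
        if rec["request_time"] >= slow_seconds:
            slow_ips.add(ip)
    return sorted(flood_ips), sorted(slow_ips)


def _line(ip, second, path, rtime):
    """Render one constructed log line at 12:00:<second> on a fixed date."""
    return (f'{ip} - - [10/Mar/2023:12:00:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 512 {rtime:.3f}')


# Constructed sample traffic (documentation IP ranges):
#   10.0.0.5      a normal visitor, three requests in ten seconds
#   198.51.100.9  one request held open for ~45 s (slow-request pattern)
#   203.0.113.7   eight requests in eight seconds (flood pattern)
SAMPLE_EVENTS = [
    (0, "10.0.0.5", "/", 0.012),
    (1, "198.51.100.9", "/", 45.301),
    (4, "10.0.0.5", "/about", 0.020),
    (9, "10.0.0.5", "/contact", 0.018),
] + [(s, "203.0.113.7", "/", 0.010) for s in range(2, 10)]

SAMPLE_LOG = [_line(ip, s, path, rt) for s, ip, path, rt in sorted(SAMPLE_EVENTS)]

if __name__ == "__main__":
    floods, slow = detect_floods(SAMPLE_LOG)
    print("rate-threshold exceeded:", floods)   # ['203.0.113.7']
    print("slow connections:", slow)            # ['198.51.100.9']
```

The two checks are deliberately separate: a volumetric flood shows up as many short requests, while a slow attack shows up as few requests with long service times, so a rate threshold alone would miss it. In practice the thresholds would be set from a baseline of the site's normal traffic, and the flagged sources fed to a rate limiter or the anti-DDoS provider rather than acted on blindly.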

Results​

An IP stressor is not a deus ex machina or a unique attack tool that cannot be fended off. If, in the case of encryption (ransomware) attacks, a debate about whether paying a ransom makes sense is still possible, in the case of DDoS attacks such a debate is pointless, since there are many budget solutions that make this type of attack on a resource ineffective.

At the same time, alongside the use of security tools, it is also important to report DDoS attacks to the police. This will not always bring results, since the attacker may be located outside the jurisdiction of Russian government agencies. However, it will help shape law enforcement practice and make life harder for those cybercriminals who are located inside the country.