
Social botnets

In the past few years, articles have regularly appeared on the role of social Internet services in the so-called revolutions that periodically break out in various parts of the third world (one of them highlights the use of technologies such as Tor, OpenGSM and mesh networking [1]). As a rule, they went no further than establishing the fact that such services were used. In this article, with the help of Wikipedia and common sense, we will try to dig a little deeper and see a striking similarity between a DDoS attack and the "Twitter revolution", as well as between the ways of countering them.

As this article is intended for a wide circle of readers, definitions of the terms used will be given along the way. Text taken from Wikipedia is set in italics.

So, what constitutes a DDoS attack: an attack carried out from a large number of computers on a computing system in order to bring it to failure, that is, to create conditions under which legitimate users of the system cannot access the resources it provides, or can do so only with difficulty. The failure of the "enemy" system can be either an end in itself or one of the steps toward taking control of it. Typically, from a few thousand to hundreds of thousands of infected machines take part in such attacks.

Pay particular attention to one type of DDoS attack, the flood:

Flood (English flood) - an attack involving a large number of requests to a computer system or network equipment that are usually meaningless or malformed, and whose purpose is (or whose effect was) to bring the system down by exhausting its resources.

But in order to organize such an attack, you first need to create a botnet.

A botnet (English botnet, from robot and network) is a computer network consisting of a certain number of devices running bots - autonomous software. Most often, a bot in a botnet is a program that is secretly installed on the victim's computer and allows an attacker to perform certain actions using the resources of the infected computer. Upon receiving a command from the "owner" of the botnet, the bot begins to execute it. In some cases, the command loads executable code (thus, it is possible to "update" the program).

Executable code is a system of commands, each of which describes an elementary action.

That is, to create a botnet, you must first infect many computers with a virus.

A computer virus is a type of computer program whose distinguishing feature is its ability to reproduce (self-replication). In addition, viruses can, without the knowledge of the user, perform other arbitrary actions, including harming the user and / or computer.

Infection with a computer virus (one written to create a botnet) occurs mainly in two ways: either through spam carrying the virus (under the guise of useful content) or when visiting sites on which the virus is hosted.

Now consider the simplified scheme of DDoS attacks.

Step One: The attacker (hereinafter the Center) creates or purchases a VPN server.

VPN (English: Virtual Private Network) is a generic name for technologies that allow one or several network connections to be provided on top of another network. They are used to unite several distributed branches of the same organization into a single protected network that exchanges data over open communication channels.

Usually the VPN server is, on the one hand, under the "legal" control of the Center and, on the other, precisely for this reason, it is difficult or impossible to identify its owner.

Step Two: The Center connects via the VPN to a proxy server. The purpose of this chain is to hide the traces of the Center's involvement in the actions of the botnet.

A proxy server (from the English proxy - "representative, authorized") is a service in computer networks that allows clients to make indirect requests to other network services. A proxy server can hide information about the source of the request or the user. In this case, the target server sees only information about the proxy server and is not able to determine the true source of the request. There are also distorting proxy servers, which transmit false information about the true user to the target server.

Step Three: The Center, through the VPN - Proxy chain, gives the botnet the command to launch an attack on the chosen victim.



If you have not yet guessed what Twitter (and other social networks) have to do with this, look at the diagram above and substitute other terms:

The center is “the stronghold of democracy”;

VPN - public and human rights organizations, rating agencies, WikiLeaks, etc;

Proxy - the so-called opinion leaders (drugoi, Navalny, Latynina, etc., for every taste and sphere of interest). Proxy is used so as not to compromise a more expensive VPN and is valuable in that it allows the Center to act as a resident of the desired country;

A bot is a person infected with a mental virus; in Twitter terminology, a follower. A proxy can be made out of a bot (suffice it to recall the story of the blogger "Sukhumi").

The mental virus, also known as a meme, is, in memetics, a unit of cultural information that spreads from one person to another through imitation, learning, etc. Like genes, memes are replicators, that is, objects that copy themselves. For memes, survival depends on having at least one carrier, and reproduction depends on the carrier trying to spread the essence of the meme. Memes can be modified (combined or split) to form new memes. A fresh example is "Putin's Palace".

Mental virus infection occurs in the same way as a computer virus:

Visiting infected sites (Echo of Moscow, kavkazcenter, kasparov.ru, etc.);

Spread of the virus under the guise of useful content (internships, study abroad, the British Council program, etc.). As a rule, this method is used to create not simple bots but opinion leaders, that is, proxies.

Twitter messages are limited to 140 characters because of the size limit of an SMS. If longer messages were allowed, messages that are in fact commands (the executable code mentioned above) would be partially lost, and this would reduce the coordination and efficiency of the network.

The focus specifically on mobile phones suggests that the service was originally intended for developing countries, where the phone is far more common than the computer and the Internet, and where mobile operators are often foreign companies that are easily controlled from outside. At the same time, since 2005 the struggle against "digital inequality" has been actively pursued, consisting in the supply of cheap computers to the Middle East, Tunisia and Libya. [2] [3] Personalities. Wife - Diana Negroponte, a member of the US-funded organization Freedom House. (VPN)

The economic return from social botnets is colossal and cannot be compared with the funds invested in them. Tens of millions of dollars were invested in Twitter alone without even a clear (legal) monetization model, but after a few years we see the profit: the bank accounts of Egypt, Tunisia and Libya are frozen ($160 billion). [6]

Now about the methods of protection against social DDoS attacks. They are the same as in computer protection:

Prevention. Removing the reasons that prompt particular individuals to organize DoS attacks. Very often attacks are the consequence of personal insult, political or religious differences, provocative behavior of the victim, etc.

Filtration. Blocking traffic coming from the attacking machines. The effectiveness of these methods decreases the closer they are applied to the target of the attack and increases the closer they are applied to its source.

Elimination of vulnerabilities. Does not work against attacks such as the flood, for which the "vulnerability" is the finiteness of certain resources.

Resource growth.

Dispersal. Building distributed and duplicated systems that will not stop serving users even if some of their elements become unavailable because of an attack.

Evasion. Moving the immediate target of the attack away from other resources, which are often also affected along with it.

Active response. Acting on the sources, the organizer or the control center of the attack, by both technical and organizational-legal means.

Deploying equipment to repel DoS attacks (for example, the Russian SORM).

Purchasing a DoS protection service (military-political alliances).

[1] www.zavtra.ru/cgi/veil/data/zavtra/11/909/print51.html

[2] www.securitylab.ru/news/242122.php?R1=RSS&R2=allnews

[3] hard.compulenta.ru/337824/?r1=yandex&r2=news&country=Russia

[4] news.ferra.ru/hard/2006/10/16/62912

[5] lenta.ru/news/2010/04/29/olpc

[6] news2.ru/story/312155

Source: https://habr.com/ru/post/124351/
