Hackers are gonna hack, but can the enterprise do jack?


Millions of gamers got an unwanted Christmas present, when both the Sony PlayStation Network and Microsoft's Xbox Live were hit by a Distributed Denial of Service (DDoS) attack during the festive break.

The attacks should not have surprised anyone, least of all Sony or Microsoft, considering the hacking collective responsible pre-announced its intentions and the dates they would occur a month before.

The Lizard Squad had earlier taken responsibility for hitting the Blizzard (the World of Warcraft folk) and Sony PSN servers in August, before taking down Xbox Live for a few hours a month ago. After that attack on Microsoft, a Lizard Squad spokesperson stated on the group Twitter feed that "Microsoft will receive a wonderful Christmas present from us" and admitted that knocking the service offline was "a small dose of what's to come on Christmas."

Lizard Squad is now selling access to the LizardStresser tool it used in the takedowns, claiming it to be a network stress tester for use in performing dummy attack scenarios on networks. It is nothing of the sort.

Those particular attacks appear to have come to an end after controversial internet entrepreneur Kim Dotcom offered Lizard Squad members 3,000 vouchers for his encrypted cloud storage service called Mega. These had a face value of $99, but are being sold on for $50 each, which means Lizard Squad will have netted a cool $150,000 from the attacks.

Despite news that a couple of alleged members of the hacking collective have been arrested, including a 22-year-old lad from Twickenham, Lizard Squad appear to be moving forward with the profit-making side of things. Although at first it was claimed the attacks were being made to highlight security weaknesses in the various target networks, some security industry insiders are now suggesting it's simply a marketing strategy.

The reason behind this claim is that Lizard Squad is now selling access to the LizardStresser tool it used in the takedown attacks, claiming it to be a network stress tester for use in performing dummy attack scenarios on networks.

Predictably, the tool has a track record of being used for nothing of the sort and such a description is fooling nobody. There are various rental packages on offer, ranging from a bizarrely short 100 seconds of attack time for $5.99 per month, through to a potentially devastating 30,000 seconds (eight and a half hours) for $129.99 per month There's even a referral program offering a 10 per cent bonus on referred subs and a bunch of add-ons, such as 1Gbps of dedicated power and concurrent dual-boot options for additional Bitcoinage.

It has been suggested the real story here isn't yet another bunch of youngsters using the same old tools to take down networks but rather that networks are still insecure enough to be taken down in the first place. I'm not sure this is really fair to the enterprise, at least as far as defending against DDoS attacks are concerned.

The prices above reveal just how cheap it can be to fire off a ready made attack at anyone you like, and LizardStresser is far from being the only, or cheapest, DDoS tool in town. Compare and contrast the pricing to how much it costs to engage the services of a DDoS protection provider, and it's not surprising that for all but the biggest of organisations such services are often seen as being out of reach. Indeed, given that giants such as Microsoft and Sony can still fall victim to a good old fashioned DDoS'ing, even when pre-warned about it, one has to wonder if there's anything that can actually be done to prevent a determined attacker?

Well yes, there is, although perhaps protection is best replaced by mitigation when describing the approach that needs to be taken. I've covered this subject both at IT Pro and at our sister publication Cloud Pro so won't go over old ground again. Needless to say, though, while I appreciate that DDoS attacks are not the easiest nor cheapest threat scenario to defend against, neither is it impossible nor does it have to be out of the financial reach of the enterprise.

What it requires is for organisations to stop shifting the responsibility for these attacks, to move away from the blame culture whereby the focus of guilt is shone everywhere but within and the inevitability of defeat comes to the fore. In the case of Sony and Microsoft, the clever money is on the Lizard Squad take downs being more than just a simple hire-and-fire scripted attack, and actually involving something more sophisticated.

By this I mean the combining of DDoS attack servers and botnets, and the choosing of specific targets such as login servers which would require some kind of vulnerable external DNS server manipulation to accomplish. Most enterprises are not going to be subject to such complex attack methodologies, and employing basic DDoS mitigation services alongside network security best practice is likely to keep you safe. All that's needed is the will to secure rather than an expectation of failure.

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.