Addressing DDoS Attacks

DDoS attacks are coordinated efforts, by people or by automated systems, to overwhelm a website with traffic and, at a minimum, force it offline. Their use has grown enormously in the past decade, and despite considerable research, such attacks remain difficult to identify, detect, or prevent. At the same time, a surge in traffic at a website is not necessarily a DDoS attack; it may be a legitimate increase in demand for the Web service.

The 2011 edition of Arbor Networks' Worldwide Infrastructure Security Report (WISC, 2011) noted that the reported scale of DDoS attacks had grown tenfold since the first year of the study in 2004, and that ideologically motivated "hacktivism" and vandalism had become the most readily identified DDoS attack motivations. Since 2014, the number and intensity of DDoS attacks have continued to increase sharply.

In its simplest form, a DDoS attack is a coordinated set of requests for a service, such as a Web page. The requests may come from many nodes on the Internet, generated by people or by software, and each one consumes resources at the site under attack. The Low Orbit Ion Cannon (LOIC) is freely available on the Internet, and using it to launch or join a DDoS attack requires little more than typing in the target's name. LOIC does nothing to conceal the source address of the traffic it sends, which is how participants in several such attacks were later identified.

A DDoS attack may be indistinguishable from a sudden influx of legitimate requests caused by a specific event. News sites, for example, may see an extraordinary increase in legitimate traffic when a significant event occurs, such as the death of a celebrity, and a ticket brokerage may be flooded when popular tickets go on sale.

Unusual Web traffic can have many causes. There may be a cycle in the business of the host site: stock prices at the opening bell, or university home pages on the last day of course registration. There is the "Michael Jackson phenomenon": when Michael Jackson died, most news sites reported a heavy spike in traffic as users rushed to find out what had happened. Or there may be an actual DDoS attack underway.
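To make the distinction above concrete, here is an added example (not code from the original chapter or from the Banks et al. study) that triages a Web server access log in Common Log Format. It buckets requests into one-minute windows and flags a window as a flood when a handful of sources account for most of the traffic, the signature of a LOIC-style attack, as opposed to a flash crowd in which many distinct visitors each make a few requests. The log lines, thresholds and verdict rules are constructed for illustration; the addresses come from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one CLF line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "req": m.group("req")}


def triage(lines, window_s=60, per_ip_max=15, top_share=0.5, min_volume=30):
    """Bucket requests into fixed windows and classify each window.

    flood       : a few sources dominate (max per-IP count above per_ip_max,
                  or the top five IPs exceed top_share of the window)
    flash_crowd : high volume spread thinly over many sources
    normal      : fewer than min_volume requests in the window
    Thresholds are illustrative assumptions; tune them to the site's baseline.
    """
    windows = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # skip unparseable lines rather than abort the run
        bucket = int(ev["ts"].timestamp()) // window_s * window_s
        windows.setdefault(bucket, []).append(ev)

    verdicts = []
    for bucket in sorted(windows):
        evs = windows[bucket]
        total = len(evs)
        by_ip = Counter(e["ip"] for e in evs)
        by_req = Counter(e["req"] for e in evs)
        stats = {
            "window_start": datetime.fromtimestamp(bucket, tz=timezone.utc).isoformat(),
            "requests": total,
            "distinct_ips": len(by_ip),
            "max_per_ip": max(by_ip.values()),
            "top5_share": round(sum(c for _, c in by_ip.most_common(5)) / total, 2),
            "top_url_share": round(by_req.most_common(1)[0][1] / total, 2),
        }
        if total < min_volume:
            stats["verdict"] = "normal"
        elif stats["max_per_ip"] > per_ip_max or stats["top5_share"] > top_share:
            stats["verdict"] = "flood"
        else:
            stats["verdict"] = "flash_crowd"
        verdicts.append(stats)
    return verdicts


def sample_log():
    """Constructed sample, not real traffic. Minute one is a flash crowd
    (60 distinct visitors reading several pages); minute two is a LOIC-style
    flood (four sources each requesting '/' twenty times)."""
    base = datetime(2016, 3, 9, 14, 30, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "{req}" 200 512'
    stamp = lambda t: t.strftime("%d/%b/%Y:%H:%M:%S %z")
    pages = ["/", "/news/latest", "/news/obituary", "/images/banner.png"]
    lines = [fmt.format(ip=f"203.0.113.{i + 1}", ts=stamp(base + timedelta(seconds=i)),
                        req=f"GET {pages[i % 4]} HTTP/1.1") for i in range(60)]
    lines += [fmt.format(ip=f"198.51.100.{i % 4 + 1}", ts=stamp(base + timedelta(seconds=60 + i % 60)),
                         req="GET / HTTP/1.0") for i in range(80)]
    return lines


if __name__ == "__main__":
    for window in triage(sample_log()):
        print(window)
```

The heuristic deliberately keys on source concentration, so a large botnet sending a low rate per bot would be scored as a flash crowd. In practice the per-window statistics (identical request lines, repeated or absent User-Agent headers, referrers, geography) are weighed together, and the thresholds are tuned against the site's own normal cycles rather than fixed as here.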

These data were originally reported by a joint research team of students and faculty from Howard University in Washington, DC, and the Universidad Santo Tomás in Santiago, Chile (Banks et al., 2012).

Ransomware

Ransomware came to broad public attention in 2013 with CryptoLocker, which collected its ransom payments in Bitcoin. In December of that year, ZDNet estimated, from Bitcoin transaction records, that the operators of CryptoLocker had collected about $27 million from infected users.

Phishing attacks are messages, most often email, crafted to obtain information that benefits the "phisher" from an unsuspecting person or account holder.

Such messages can arrive through any channel the user relies on for information; many begin with an email that appears to come from a trusted source.

One aim may be to get the recipient to open an attachment. Many users do not realize that a Word, Excel, or PowerPoint document can carry embedded code (a macro) that runs when the document is opened and can infect the system. Current versions of Office disable macros from untrusted sources by default, so such lures typically include instructions urging the reader to click "Enable Content."

Another approach is to encourage the recipient to follow a link to a page that asks for an account name, password, or other personal information, which is then transmitted to the creator of the phishing attack. The perpetrator can then use that information to gain access to other resources of the victim (Figure 1.2).

One example from 2016 involves an email purporting to come from PayPal; a facsimile is shown in Figure 1.2. The objective is to convince the recipient that this is a legitimate message from PayPal asking for "help resolving an issue with your PayPal account?" so that the recipient hands the login information to the attacker.

A prudent user would look carefully at the sender's email address and realize that it was bogus.
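The PayPal example comes down to a handful of checks that a mail filter, or a careful reader, can make mechanically. What follows is an added example, not code from the chapter: it parses a raw email and reports the indicators just discussed, a display name that claims a brand while the address sits on another domain, a Reply-To that differs from the From domain, link text that shows one host while the href goes to another, and links that lead outside the claimed brand's domains. BRAND_DOMAINS is a hypothetical allow-list, both messages are constructed (using the reserved .example top-level domain), and the registrable-domain reduction is a deliberate simplification that ignores public suffixes such as co.uk.

```python
import re
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list: the registrable domains permitted to send as each brand.
BRAND_DOMAINS = {"paypal": {"paypal.com"}}

# Link text that itself looks like a URL or hostname (so "click here" is not compared).
URL_TEXT = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?$", re.I)


def registrable(host):
    """Reduce a host to its last two labels (ignores public suffixes like co.uk)."""
    parts = (host or "").lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]


def domain_of(addr):
    return registrable(addr.rsplit("@", 1)[-1]) if "@" in addr else ""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_indicators(raw):
    """Return (indicator, detail) pairs; an empty list means none of these signs fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    claimed = {b for b in BRAND_DOMAINS if b in f"{name} {addr}".lower()}
    for brand in claimed:
        if from_dom not in BRAND_DOMAINS[brand]:
            findings.append(("brand_domain_mismatch",
                             f"sender claims {brand} but address domain is {from_dom}"))
    reply_dom = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != from_dom:
        findings.append(("reply_to_mismatch",
                         f"Reply-To domain {reply_dom} differs from From domain {from_dom}"))
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        allowed = set().union(*(BRAND_DOMAINS[b] for b in claimed)) if claimed else set()
        for href, text in collector.links:
            href_dom = registrable(urlparse(href).hostname or "")
            if URL_TEXT.match(text):
                shown = registrable(urlparse(text if "://" in text else "http://" + text).hostname or "")
                if shown != href_dom:
                    findings.append(("link_text_mismatch",
                                     f"link text shows {shown} but href goes to {href_dom}"))
            if claimed and href_dom and href_dom not in allowed:
                findings.append(("link_outside_brand",
                                 f"link goes to {href_dom}, not a {'/'.join(sorted(claimed))} domain"))
    return findings


# Constructed messages, not real mail; .example is a reserved top-level domain.
PHISH_SAMPLE = """\
From: "PayPal Service" <service@paypal-secure-login.example>
Reply-To: helpdesk@mailbox.example
To: customer@example.com
Subject: Help resolving an issue with your PayPal account?
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We noticed unusual activity. Please visit
<a href="http://paypal-secure-login.example/verify">www.paypal.com/verify</a>
within 24 hours, or <a href="http://paypal-secure-login.example/help">click here</a>.</p>
</body></html>
"""

LEGIT_SAMPLE = """\
From: PayPal <service@paypal.com>
To: customer@example.com
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>View it at <a href="https://www.paypal.com/myaccount">www.paypal.com</a>.</p></body></html>
"""

if __name__ == "__main__":
    for indicator, detail in phishing_indicators(PHISH_SAMPLE):
        print(f"{indicator}: {detail}")
    print("legitimate sample findings:", phishing_indicators(LEGIT_SAMPLE))
```

None of these signs is proof on its own (legitimate marketing mail routinely uses tracking links on third-party domains), so a production filter would weight them alongside SPF, DKIM and DMARC results for the From domain rather than block on any single hit.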

The year 2010 produced a "game changer." For perhaps the first time, a software attack on physical equipment, dubbed Stuxnet, infected nuclear facilities in Iran. The critical difference was that earlier malware had typically been produced by individuals or small groups, sought random targets, was easily disabled once identified, and caused relatively little damage.

Figure 1.2 A phishing attack using PayPal (facsimile).

Stuxnet was discovered by security researchers in June 2010. It proved to be a highly sophisticated worm that spread via Windows and targeted Siemens industrial control software and the programmable logic controllers it manages. Different versions of Stuxnet infected five Iranian organizations, presumably connected with the uranium enrichment infrastructure.

The Iranian nuclear program was damaged by Stuxnet: the compromised controllers altered the rotational speed of uranium-enrichment centrifuges while reporting normal readings to operators, destroying the equipment. Kaspersky Lab concluded that the attack "could only have been conducted with nation-state support." Later reporting attributed Stuxnet to a joint effort of the US National Security Agency and Israeli intelligence services.

Better known to many readers are the events surrounding the 2016 US Presidential Election, which came to light during 2016 through 2018.

The use of a private email server by Hillary Rodham Clinton while she was secretary of state during the presidential administration of Barack Obama has sparked a recurring debate about the use of private email servers by US government officials. In 2016, Hillary Rodham Clinton was the first woman to win the Democratic Party's nomination for president of the United States. As in many political situations, there are angles of the issue that can be explored more fully to understand its nature. An interesting question for exploring the landscape of gender psychology and behavioral cybersecurity is the following: How might different common conceptualizations of gender, along with corresponding approaches to understanding the psychology of gender, explain the behavior of Secretary of State Hillary Clinton and what caused her use of a private email server?

[Figure 1.3: facsimile of a leaked calendar-invitation email, "Updated invitation: Strategic Discussion," dated 2016-03-09, with a four-item agenda (HRC today; opponents' activities today; news today; input on response).]

Figure 1.3 Podesta email hacked and sent to WikiLeaks (facsimile).

Attacks succeeded in obtaining a large volume of email from the internal communications of the US Democratic Party and its presidential candidate, Hillary Clinton, and in all likelihood had a significant impact on the outcome of the election. In particular, Clinton's campaign chairman John Podesta had many of his emails stolen after he was tricked by an outsider's spear-phishing message (Figure 1.3).

In 2017 came the ransomware attacks known as WannaCry and Petya (WikiPedia, 2017a, b). The former, in May, held more than 200,000 computers for ransom, including systems in many hospitals of the United Kingdom's National Health Service; the latter (the variant usually called NotPetya), in June, disabled many industries in Ukraine. Both spread through a flaw in Microsoft's SMBv1 file-sharing protocol for which a patch (MS17-010) had been available since March 2017, which shows how much of the damage came down to unpatched systems.

Facebook “This is Your Digital Life”

The personal data of approximately 87 million Facebook users were acquired through the 270,000 users who installed a Facebook app called "This Is Your Digital Life." By granting this third-party app permission to collect their data, those users were also granting it access to their friends' data. Underlying the app was a personality assessment of the Big Five personality traits. The case raises interesting questions about personality tests, methods, and assessment. For example, how can an individual's personality traits be measured through a social media application in a way that yields valid and reliable personality data that can then be applied to advertising strategies and politics? Hypothetically, how might the motivations of the researchers, businesspeople, and the social media company be assessed using personality tests, methods, and assessment?

Yu Pingan

In August 2017, a sealed indictment was filed in the Southern District of California against a Chinese national named Yu Pingan (also known as "GoldSun") on a charge of conspiracy to commit computer hacking (US, 2018).

The charge alleges that Mr. Yu supplied malicious software, in particular a tool known as "Sakula," for use in intrusions at four companies: two in California, one in Massachusetts, and one in Arizona. The software could be installed on victims' computers without authorization. Sakula is also alleged to have been instrumental in large-scale breaches including the attack on the Office of Personnel Management (OPM) and that on the health insurer Anthem.

Mr. Yu, then a 36-year-old resident of Shanghai, China, was arrested when he flew to the United States to attend a conference.

The (US) Department of Justice Success in Prosecuting Cybercriminals: Who’s Winning?


For many years, the data on cyberattacks were too poorly understood to judge the relative success of cybercriminals against law enforcement's ability to deter them. In some ways this remains the case, but the picture is now slightly clearer, in part because there is a more coordinated effort to report on prosecutions for what is considered computer crime.

One major reason is that since the beginning of the computer era and the security concerns that came with viruses, worms, denial of service, and ransomware, the law has simply not evolved as rapidly as the technology. Consider the following: I may have a very important file or set of files that can realistically be assessed as having significant monetary value; for the sake of discussion, say $1 million. A cybercriminal somehow copies all of this information. Has a theft occurred?

Instinct says yes. But under any traditional legal definition of theft, the action does not qualify, because the original owner still possesses the information. The definition is in conflict with itself: obtaining electronic information without the owner's permission satisfies part of the definition of theft, yet the legitimate owner retains exactly what was taken. Legislatures have generally resolved this by criminalizing the unauthorized access itself, as the US Computer Fraud and Abuse Act (18 U.S.C. § 1030) does, rather than stretching the concept of theft.

Some years ago, the US Department of Justice began to categorize press releases on legal actions, usually successful prosecutions, under a category called "Cyber Crime." These releases can be found at https://www.justice.gov/news?f%5B0%5D=field_pr_topic%3A3911.

Note that the DoJ reports only crimes that fall under the jurisdiction of the US federal government, not similar crimes that violate state or local law. Nevertheless, aggregating these data gives an average of roughly 30 such cases per year: 21 in 2015, 37 in 2016, 23 in 2017, and 29 in 2018.

Sophos, however, reports that "the total global number of malicious apps has risen steadily in the last four years." In 2013, just over half a million samples were malicious. By 2015 the figure had risen to just under 2.5 million, and for 2017 it reached nearly 3.5 million. The vast majority are truly malicious, with 77% of submitted samples turning out to be malware.

This is a worldwide sample, but the US data represent 17.2% of the global figure, so for 2017 we can reasonably estimate that the number of malicious samples bearing on the United States exceeded 500,000 (17.2% of 3.5 million is about 600,000).

That comparison, on the order of 30 federal prosecutions against hundreds of thousands of malware samples, suggests the odds are pretty good for the cybercriminal.

“Fake News” Concerning the Coronavirus

The worldwide COVID-19 pandemic has spawned its own plethora of fake news, meant to confuse the public and to serve the political, monetary, or other malicious interests of those who propagate it.

A few of many examples: the President of Brazil described the pandemic as "only a mild flu," and both Twitter and Facebook deleted posts of his as fake news. The President of the United States suggested in a news conference that disinfectant might be used inside the body to treat COVID-19. The Mafia in Italy distributed information about obtaining (for a substantial fee) a virus test that was itself fake. A county official in Florida said that the coronavirus can be killed by holding a blow dryer up to your nose. One post originating in England offered a 5000 pound credit to "help people through the coronavirus crisis" to anyone who could collect 520 pounds in cash; someone would come around to pick it up. Also in England, a Facebook post claimed the British Army had been called in to help with the response to the virus, but the military images were taken out of context. Another tweet claimed the Dutch Air Force was going to disinfect the entire country with helicopters. And finally, among many others, a screenshot on Twitter claimed that Russia had released 500 lions to keep people indoors.

Problems

  • 1. Estimate the number of computers infected by the Morris worm.
  • 2. Discuss the GAO estimates of the cost of the Morris worm. Find alternative estimates.
  • 3. What organization or organizations have given awards to WikiLeaks for humanitarian efforts?
  • 4. Find an organization for which one can make donations through PayPal.
  • 5. Identify a ransomware attack and an estimate of the amount of funds paid to the perpetrator or perpetrators.
  • 6. What is the difference between phishing and spear phishing?
  • 7. How many emails related to the 2016 Presidential Election were estimated to be released by WikiLeaks?
  • 8. You can find on the WikiLeaks website the text of the emails to and from John Podesta during the 2016 Presidential Election campaign. Select ten of these for further analysis. Rank them in terms of their potential damage.
  • 9. In the Department of Justice news website (https://www.justice.gov/news?f%5B0%5D=field_pr_topic%3A3911), find the number of cases in 2017 and 2018 involving: (a) hacking, (b) phishing, (c) DDoS, (d) ransomware. Is each on the increase, in decline, or nonexistent (according to DoJ)?

References

Alexa Internet, Inc. 2018. Alexa. https://www.alexa.com.

Banks, K. et al. 2012. DDoS and other anomalous web traffic behavior in selected countries. Proceedings of IEEE SoutheastCon 2012, March 15-18, 2012, Orlando, FL.

Department of Justice. 2018. Office of Public Affairs, Russian National Charged with Interfering in U.S. Political System, October 19, 2018. https://www.justice.gov/opa/pr/russian-national-charged-interfering-us-political-system.

Office of Personnel Management. 2018. OPM. https://www.opm.gov.

US. 2018. U.S. v. PINGAN YU, Case No. 17CR2869-BTM. United States of America, Plaintiff, v. PINGAN YU, aka "GoldSun," Defendant. United States District Court, S.D. California, August 9, 2018.

WikiLeaks. 2018. WikiLeaks. https://wikileaks.org.

WikiPedia. 2017a. Petya Ransomware Attack. WikiPedia, May 2017. https://en.wikipedia.org/wiki/Petya_(malware).

WikiPedia. 2017b. WannaCry Ransomware Attack. WikiPedia, May 2017. https://en.wikipedia.org/wiki/WannaCry_ransomware_attack.

WISC. 2011. Worldwide Infrastructure Security Report 2010. Arbor Networks, Chelmsford, MA.
