Incident response

DDoS Attacks: Targets and ‘Smoke & Mirrors’ Mode

Dimitar Kostadinov
March 11, 2016 by
Dimitar Kostadinov


It is clear that distributed denial-of-service (DDoS) attacks are still in vogue. It is clear that they have become more ubiquitous, more sophisticated, and more powerful than ever before. Ironically, there are many entities providing denial-of-service as a service. It is also clear that these attacks are difficult to defend against. What is sometimes not clear is the answer to questions like, "Why me (or, by extension, you, her, them, etc.)?" or "What is the reason?" The first part of this article could help readers understand why some people or businesses are a more likely target of a cyber attack designed to knock them offline. In the second part, it is explained why DDoS is a particularly convenient weapon if you want to divert victims' attention.

Preferred Targets

Public Figures

Hackers time and again raid high-profile websites and social media accounts, but it is expected that this year there will be more cyber incidents due to the U.S. election cycle, according to John McCormack, a CEO at Raytheon|Websense. "The U.S. elections cycle will drive significant themed attacks. This is just the beginning, and it will get worse -- and more personal -- as candidates see their campaign apps hacked, Twitter feeds hijacked, and voters are targeted with very specific phishing attacks based on public data such as voter registration, Facebook, and LinkedIn," he adds, cited by CSO's Maria Korolov.

Learn Incident Response

Learn Incident Response

Get hands-on experience with incident response tools and techniques as you progress through nine courses.

An application layer DDoS attack, for example, was the modus operandi that made the Donald Trump's website inaccessible as one of the criminals responsible for this act said: "We targeted the Trump site because this guy can get quite racist. It doesn't matter to us how crazy he gets. Our member DOC attacked with a layer seven attack and he plans to attack Trump's site later on again."

Media Outlets

The DDoS attack against the website of BBC is considered to be the largest in history. It reached the staggering 602Gbps, topping the previous record of 334Gbps reported by Arbor Networks in 2015. The organization responsible for this criminal act, which occurred on New Year's Eve, describe it as "only a test," perhaps a probe that got out of control because the hackers said that they did not plan to create a prolonged shutdown.

Prof. Alan Woodward from the University of Surrey offers some food for thought on the BBC attacks: "…this could have been so-called hacktivists. The [BBC] has a large and sophisticated structure themselves, and I know they have systems in place to mitigate it so it might have been slightly more than the usual DDoS attack. I can't see why a cyber criminal would do this, they do this for money, the only people who do this to make a point are hacktivists."

As maintained by one of the criminals, the perpetrators managed to hijack at least two Amazon servers to generate actual attack bandwidth: "We have our ways of bypassing Amazon. The best way to describe it is we tap into a few administrative services that Amazon is used to using. The [sic] simply set our bandwidth limit as unlimited and program our scripts to hide it." On the other hand, Amazon states that they have the technology to prevent this sort of misuse.

Also, a tool called BangStresser was used to channel the huge traffic directed toward the BBC. The BangStresser even had its website, and it was, by the way, protected against denial-of-service attacks by Cloudflare. Tools and services offered by criminals for launching distributed-denial-of-service attacks come cheap. Therefore, one can have various attacks at different times – the more attacks, the harder it is to defend against them.

DNS root servers

A vast majority of respondents to an Arbor Networks study deemed application-layer DDoS attacks particularly dangerous, especially those whose goal is to take down DNS and DNS root servers instead of web ones. It would not create an immediate problem if a small number of DNS servers, for instance, are temporarily incapacitated. However, attacks on the root servers should be taken seriously because they can have global repercussions if they become long-term. A real-life cyber attack of this type on 30 November 2015, and the following day rendered 3 out of the 13 critical pillars of the Internet inoperable for a while.

Gambling, Betting & Lottery Websites

The Irish lottery website was knocked offline for a couple of hours on 20 January 2016. Although neither the gaming system nor player data were affected, people "couldn't buy tickets from the ticket machines, which is really interesting, it's not just the website – it would be quite interesting to understand why that happened," revealed to BBC John Graham-Cumming, a representative of the anti-DDoS security company Cloudflare. Apparently, the proverbial luck of the Irish did not suffice to fend off these DDoS attacks. To add more nuances to the story, Graham-Cumming explains what could be the perpetrators' motives in a case like this: "As a rule, record-setting prizes and jackpots result in traffic spikes on lottery sites, and it is very common for DDoS attackers to strike during such predictable peak traffic times, especially when going after big targets." In other words, criminals may resort to extortion to capitalize on their efforts.

Most of the time extortionists swing towards high-revenue generating online services, such as online gaming. Online casinos are an appetizing meal for Internet blackmailers, because they are usually under-protected, have to deal with criminal issues all alone, and larger gaming houses store up more than $300 million on hand to cover future debts.

Powerful DDoS attacks is a preferable weapon of choice ready to submerge luxurious e-commerce websites under tons of bogus client requests around peak traffic times. The so-called "digital shakedowns" on online gambling websites occurs at their most profitable moments, e.g., Super Bowl, NBA Finals and All-Star Game, NHL Playoffs and All-Star Game, FIFA World Cup, Grand Slam tennis tournaments, etc. In the course of these betting periods, cyber extortionists, first, launch DDoS attacks that bring the website offline, second, send a blackmail message to the owners—"typically demand $40,000 to $60,000 in ransom to release the website so that users can return and keep playing."

Cloud Companies & Repositories

Linode is a cloud hosting company that has become a victim of a series of DDoS attacks in December 2015, which caused significant turmoil in their DNS infrastructure and data center locations in the following cities: London, Tokyo, Dallas, Frankfurt, and Singapore. These attacks occurred at intervals of several days during the holidays. They were sustained enough to create serious connectivity problems to Linode's DNS infrastructure and on the premises. According to an update on the website of Linode: "The DoS attack affecting connectivity in London is ongoing, and we are still working with our upstream provider to mitigate it. Users can expect to see packet loss and problems with connectivity […]"

As for the reason behind this criminal deed, the COO at Corero Network Security, Dave Larson, opines that "the sheer size and scale of hosting or data center operator network infrastructure and their massive customer base parents an incredibly attractive attack surface due to the multiple entry points and significant bandwidth that acts as a conduit for a damaging and disruptive DDoS attack."

Last year, the software repository GitHub reported that two of their pages are repeatedly loaded and reloaded to produce an endless loop of hacker-caused outages throughout the GitHub's entire network. The first page hosts an anti-censorship service developed by, and it is considered to be the primal motive for the attack. The second one is a mirror website of The New York Times' Chinese edition. came under heavy fire first, not long before GitHub. Again, the method was a massive DDoS attack, so the link between these two events is noticeable. What is common for both attacks is that these operations did not rely on specialized attack tools. Instead, the attackers used traffic hijacked from innocent users around the world. The scheme works like that:

  • An unsuspecting user clicks and opens a website that utilizes Baidu analytics.
  • On the visit to the website, the browser requests Baidu Analytics JavaScript code (whose purpose is similar to Google Analytics).
  • The request for the Baidu Analytics JavaScript is detected by the Chinese passive infrastructure, aka Great Firewall of China.
  • A fake response is sent out by this otherwise passive system (aka Great Cannon) instead of the actual Baidu Analytics script, which gives a command to the user's browser to continuously load the two specific pages on (See the graph bellow)

GreatFire initiated partial mirroring of its content on its GitHub page, pointing users to it, right after the beginning of the cyber onslaught against them. The DDoS traffic, however, did not let the victim out of sight, and the harmful surge swiftly changed its direction to submerge the GreatFire's content stored on GitHub. As alluded earlier, the whole Github's network was forced offline for a couple of days.

According to the investigators, judging by the gravity of the act and methods employed, the Chinese government must have given its blessing for targeting some websites that may undermine their political power. But why a country would unleash "the dragon," fire a huge digital cannon-ball, so to speak, on some petty targets? Fear of foreign interference? Demonstration of power? According to China Digital Times, "one cannot rule out the possibility that some foreign organization possessing this kind of technology carried out the attack...,"given that a very similar technology apparently was developed first by the NSA and Britain's GCHQ, as reported by the Wall Street Journal.

It should be noted that GitHub was allegedly blocked in China for a while in January 2013, and although the block was soon lifted, GitHub users in China experienced a man-in-the-middle attack on 26 January 2013. All in all, the programming website might frequently be targeted because it is a central repository for many projects of considerable importance, some of which remain closed source. Conducting a DDoS in this context would be an excellent diversion move aimed at distracting a target's security.

DDoS as a Distraction: The Owls Are Not What They Seem

According to a report from Kaspersky Lab, 75% of all DDoS assaults come about in combination with another security incident. More than a half of those reporting a DDoS incident state that malware occurred at the same time – 19 % report for a simultaneous customer data theft, 14% financial theft, and 9% loss of intellectual property. "In many cases, it may be a coordinated effort, but even if these attacks originate from different sources, IT staff have to allocate resources to solve two problems at the same time, under a lot of stress," Alexander Vigovsky concludes, a security researcher working at Kaspersky Lab.

Probe Attack: A small distributed-denial-of-service attack is being launched in the first phase. Provided that the victim's security posture shows signs of weakness, the aggressors will stick around to perform discrete probing and port scanning to discover vulnerabilities to exploit. The knowledge they collect in this phase will be applied in the phase of data extraction. We can compare the whole act with a burglar checking for unlocked doors so that he can snatch the low-hanging fruit.

False-positives are already a common nuisance for staff entrusted with the duty to monitor network activity, and in times of crisis, it is much easier to be negligent of best practices and permit incidents such as data theft or malware injection to happen.

The classic method is simple: create a distraction in one spot and then hit the victim in another spot while everyone is trying to put out the fire from the first attacks. A malicious actor can commence a DDoS operation out of a desire to deceive the incident responders about his real target. Being obvious by nature, a DDoS attack will quickly attract attention. Just imagine alarms going off, a company's website quickly slowing down pressured by tons of incoming traffic, unhappy clients calling, staff panicking, and so on. Obviousness does not always equal significance. While the incident response team is busy with what seems to be an immediate problem, something bigger might lurk around the corner.

What can be bigger than a DDoS attack? Perhaps bigger is an inappropriate word, but 'more dangerous' would be if the attacker takes advantage of the chaos that causes every cyber threat, especially a visible one. Speaking of visibility, people usually tend to ignore what they do not see, and this is all the more valid for situations victims perceive as full-blown, head-on attacks. While the security team is busy patching up the holes left by the DDoS act, a second act — the true attack — might surreptitiously exploit a known vulnerability or install malware/Trojans on the network, setting the stage for data exfiltration or an advanced persistent threat (APT). A DDoS attack can also serve to cover up the tracks of the small outbound traffic giving away a data theft.

Analysis by the IT firm Neustar suggests that the growing number of the DDoS attacks that struck UK companies in 2013 were likely designed to delude defenders about attempted data breaches or frauds. An unfriendly entity behind DDoS acts sometimes do not reveal their motivations – be that hacktivism, extortion, or political demands. Neustar's explanation for the majority of such cases is 'smokescreening'. A real-life example of this can be found in the banking industry where a DDoS is being performed against the online infrastructure—an act that precisely coincides with a hidden attempt to empty customer accounts via ATMs.

Hence, if enterprises do not know the reason they are attacked in the first place, this could be a tell-tale sign of a DDoS attack used as a smokescreen intended to cover a secondary attack (e.g., the UK's TalkTalk breach). Neustar's market manager Susan Warner elaborates: "A lot of times, firms don't make the connection. If an enterprise can't understand why it was attacked—i.e. no extortion demand or hacktivist message was received for example – the possibility of attempted data theft is probably a good place to start."

Case studies:

  1. In 2013, a series of "low-powered" DDoS attacks overwhelmed several US banks. Criminals succeeded in hijacking the wire payment switch to steal millions from customer accounts. The DDoS attacks followed the well-known scheme – create a huge fire and fan the flame to divert attention and resources; wait for the fire alarm and let the fraudulent wire transfers begin. Having the payment switch, the criminals can "move as much money from as many accounts as they can get away with until their actions are noticed."
  2. Interestingly, not every DDoS attack has to be cyber in nature. One curious variation of the Internet-based DoS attacks is its telecom counterpart—the telephonic DoS. Just like in a common DDoS wave, victims in the telephonic variant are inundated with so many fake phone calls so that they cannot differentiate the real from the fake ones any more. With the phone system taken out, the maintenance team cannot send/receive alerts. This type of attack was conducted recently on a Ukrainian power company to conceal a malware attack – call centers flooded with bogus alert calls were prevented from serving the real customers reporting outages and at the same time attackers snuck in a piece of malware infecting production SCADA systems, workstations, and servers.


There has been a continuous arms race between those who try to initiate DDoS attacks and those who try to prevent them; or it is more like piling up air-to-air missiles vs. devising effective anti-aircraft defense systems.

Although the denial-of-service attacks are very difficult to defense against, every person who values his online presence must follow the latest trends of such criminal acts, because knowing is half the battle. But DDoS is sometimes like a tropical cyclone, you know that is coming, yet there is not much you can do. "Surely, there is a solution!" – experts say – just try to stay as much 'available' as possible. After all, a DDoS attack exists to keep you off the Internet. There are alternative ways to remain in touch with all the parties involved, of course, until the situation gets better. So, continue serving your customers as much as possible and provide frequent updates through other methods at hand (though not overly detailed—the Janet academic group had received a DDoS attack not long ago, and they provided updates on their Twitter page following the attack. However, this information seemed to benefit the attackers themselves as well).

Do not hesitate to look for help if the situation gets out of control. However, whatever your plan is to deal with a DDoS attack, just remember to stay vigilant at all times and keep in mind that there might be something else behind the veil of smoke. Troubles rarely come alone.

Reference List

Acharya, S. (2016). Donald Trump campaign website: New World Hacking claims DDoS attack. Available at (29/02/2016)

BBC (2016). 'Anti-IS group' claims BBC website attack. Available at (29/02/2016)

BBC (2016). Irish lottery site and ticket machines hit by DDoS attack. Available at (29/02/2016)

Bienkowski, T. (2016). DDoS as a Smokescreen for Fraud and Theft. Available at (29/02/2016)

Bisson, D. (2016). DDoS gang takes down BBC websites, Donald Trump's campaign site over holiday weekend. Available at (29/02/2016)

Brenner, B. (2013). DDoS Attacks Used As Cover For Other Crimes. Available at (29/02/2016)

Citizen Lab (2015). China's Great Cannon. Available at (29/02/2016)

Dunn, J. (2014). DDoS attacks increasingly used as diversions for data theft or fraud. Available at (29/02/2016)

Finnigan, L. and Molloy, M. (2015). BBC's network of websites and iPlayer service suffers DDoS attack. Available at (29/02/2016)

Fisher, D. (2015). DDoS Attack on GitHub Linked to Earlier One Against Available at (29/02/2016)

Goodin, D. (2015). Massive denial-of-service attack on GitHub tied to Chinese government. Available at (29/02/2016)

Keane, J. (2015). DDoS attacks hit record numbers in Q2 2015. Available at (29/02/2016)

Korolov, M. (2016). DDoS attack on BBC may have been biggest in history. Available at (29/02/2016)

Korolov, M. (2016). Telephonic DoS a smokescreen for cyberattack on Ukrainian utility. Available at (29/02/2016)

Lehmann, J. (2016). Don't let cyberattacks bring you down. Available at (29/02/2016)

Martin, A. (2015). Day 2: UK research network Janet still being slapped by DDoS attack. Available at (29/02/2016)

McCarthy, K. (2015). Internet's root servers take hit in DDoS attack. Available at (29/02/2016)

Merriman, C. (2015). Moonfruit sites still suffering after prolonged DDoS attack. Available at (29/02/2016)

Musil, S. (2013). Cybercrooks use DDoS attacks to mask theft of banks' millions. Available at (29/02/2016)

Neal, D. (2016). Anti-terror hackers tested their capabilities on the BBC with a DDoS attack. Available at (29/02/2016)

Plante, C. (2015). Valve's $18 million Dota 2 tournament delayed by DDoS attack. Available at (29/02/2016)

Ranger, S. (2016). HSBC fights off denial of service attack on its internet banking systems. Available at (29/02/2016)

Robinson, T. (2015). Series of DDoS attacks plague Linode data centers, infrastructure. Available at (29/02/2016)

Saarinen, J (2015). Github back online after denial of service attack. Available at (29/02/2016)

Saeed, N. & Zeifman, I. (2015). It's Not a Game: The Ever-Growing Risk of DDoS Attacks on Online Games. Available at (29/02/2016)

Tripwire Guest Authors, (2016). Defending Your Network Against DDoS Attacks. Available at (29/02/2016)

Ungureanu, H. (2016). World's Largest DDoS Attack Breaks Records, Clocks At Massive 500 Gbps. Available at (29/02/2016)

Valmaseda, M. (2016). 2016: The year of a 3000 Gbps DDoS attack? #tech2016. Available at (29/02/2016)

Wade, S. (2015). Minitrue: Cease Fire on "Great Cannon". Available at (29/02/2016)

Walker, D. (2013). Millions stolen from US banks after 'wire payment switch' targeted. Available at (29/02/2016)

Woodward, A. (2016). How Big Can A DDoS Attack Be. Available at (29/02/2016)

Wool, A. (2016). Denying the Deniers: Tackling DDoS Attacks. Available at (29/02/2016)

w0jt (2016). DDoS - Not a Simple Flood Anymore. Available at (29/02/2016)

Learn Incident Response

Learn Incident Response

Get hands-on experience with incident response tools and techniques as you progress through nine courses.

The "From Great Firewall into Great Cannon" graph is based on Figure 1. "Simplified logical topology of the Great Cannon and Great Firewall" published in China's Great Cannon by Citizen Lab. Available at (29/02/2016)

Dimitar Kostadinov
Dimitar Kostadinov

Dimitar Kostadinov applied for a 6-year Master’s program in Bulgarian and European Law at the University of Ruse, and was enrolled in 2002 following high school. He obtained a Master degree in 2009. From 2008-2012, Dimitar held a job as data entry & research for the American company Law Seminars International and its Bulgarian-Slovenian business partner DATA LAB. In 2011, he was admitted Law and Politics of International Security to Vrije Universiteit Amsterdam, the Netherlands, graduating in August of 2012. Dimitar also holds an LL.M. diploma in Intellectual Property Rights & ICT Law from KU Leuven (Brussels, Belgium). Besides legal studies, he is particularly interested in Internet of Things, Big Data, privacy & data protection, electronic contracts, electronic business, electronic media, telecoms, and cybercrime. Dimitar attended the 6th Annual Internet of Things European summit organized by Forum Europe in Brussels.