The threat is real, and it is only getting worse.
The group that has claimed responsibility for taking down the PlayStation Network and Xbox Live online gaming services is capable of doing real damage, according to NexusGuard chief scientist Terrence Gareau. NexusGuard is a cyber-security firm that specializes in dealing with distributed denial-of-service (DDoS) attacks, which is precisely what overwhelmed Sony’s and Microsoft’s servers on Christmas and the following days. And while Gareau says that Lizard Squad is likely exaggerating with some of its claims, he warns that the group is potentially wielding some serious power.
“Lizard Squad’s attacks exceed that of your typical DDoS group,” Gareau told GamesBeat. “Their infrastructure is bigger than your typical script-kiddie DDoS.”
How much bigger? Well, Lizard Squad has made bold claims, such as that it has rooted a transatlantic undersea router that is a cornerstone of the Internet. But it’s probably not that big.
“Groups like these enjoy toying with the global media by stating outrageous claims,” said Gareau. “[A rooted transatlantic router] would be an example of those claims.”
The assaults on PSN and Xbox Live are not new. People have used DDoS attacks to take down websites for years, and Gareau’s reference to “script-kiddies” describes people with no real hacking knowledge who use “off-the-shelf” software to perform attacks.
A good example of this is the attack on the Church of Scientology’s website in January of 2008. A group of Internet cyberattackers known as Anonymous decided to go after Scientology. One of the ways it did that was by pointing members to a free tool called the Low Orbit Ion Cannon (LOIC), a program that enables anyone to automate a DDoS attack. You just enter the URL, hit go, and it’ll slam your target site.
Using this method, Anonymous was able to take down Scientology’s website, and it was thanks to people like Brian Mettenbrink, a former member of Anonymous. Mettenbrink set his LOIC to attack Scientology over the weekend after seeing a thread about it on 4chan, and his computer requested data from Scientology.org over 800,000 times. Mettenbrink eventually turned off his LOIC and forgot about it; eight months later, he was pleading guilty to participating in the attack after the Federal Bureau of Investigation tracked him down.
But the question is this: Is Lizard Squad just a bunch of Brian Mettenbrinks? A group of loosely affiliated kids with too much time and access to powerful software?
Gareau doesn’t think so.
“Last August, I would have said yes, it is just another group looking to secure attention,” he said. “Today, I still believe that to a certain degree. Yet, Lizard Squad is deploying infrastructure and attack methods that far exceed that of your typical script-kiddie attackers.”
How Lizard Squad is different
A hack against Sony that could take down PSN for days likely requires a tool a bit more powerful than a LOIC. And Lizard Squad is now so confident in its technology that it is selling DDoS attacks as a service.
This morning, Lizard Squad launched its LizardStresser tool. It is a subscription service that offers anyone access to the tool that the group claims brought down PSN and Xbox Live. Anyone can sign up for an account for as low as $6 a month to take down a site for 100 seconds. A more expensive fee, like $130 a month, will let you take down a site for eight hours.
Offering an attack service like this to anyone who wants it likely means that Lizard Squad has combined a number of tools into one easy-to-use program. One possibility is that the group has built its own LOIC-style tool and distributed it across thousands of computers that it controls, either through a private network or a botnet service that rents out access to thousands of computers cheaply. Alternatively, LizardStresser may forge requests that appear to come from the target’s address and send them to hundreds of other servers around the web. Those servers then send their replies to the target, and the reply packets are often much larger than the requests that triggered them.
It’s possible that LizardStresser uses one of these methods, a combination, or something new — but it is clearly more than just a kid in his basement with a LOIC.
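The reflection pattern described above, seen from the defender’s side: this is an added example, not code from the article or from NexusGuard, that scans constructed flow records for hosts receiving UDP replies from many reflector-type services without ever having sent a request to them. The record layout, addresses and port list are assumptions.

```python
from collections import defaultdict

# Constructed sample of flow records as a collector might export them
# (assumption: one tuple per flow; "in" means toward the protected network).
# Fields: direction, src_ip, src_port, dst_ip, dst_port, ip_proto, bytes
FLOWS = [
    # unsolicited NTP replies from many servers to one host: reflection pattern
    ("in",  "198.51.100.1", 123, "192.0.2.10", 40111, 17, 480),
    ("in",  "198.51.100.2", 123, "192.0.2.10", 40111, 17, 480),
    ("in",  "198.51.100.3", 123, "192.0.2.10", 40111, 17, 480),
    ("in",  "198.51.100.4", 123, "192.0.2.10", 40111, 17, 480),
    # legitimate DNS exchange: the host sent a query first, so the reply is solicited
    ("out", "192.0.2.20", 51000, "203.0.113.53", 53, 17, 64),
    ("in",  "203.0.113.53", 53, "192.0.2.20", 51000, 17, 120),
    # ordinary TCP web traffic, ignored by the UDP reflection check
    ("in",  "203.0.113.80", 443, "192.0.2.30", 52000, 6, 1500),
]

# UDP services commonly abused as reflectors (assumed watch list)
REFLECTOR_PORTS = {19, 53, 123, 161, 1900}
UDP = 17


def find_reflection_victims(flows, min_reflectors=3):
    """Return {victim_ip: (distinct_reflectors, unsolicited_bytes)} for hosts that
    receive UDP replies from many service ports without having sent a request."""
    # Requests the protected hosts actually sent: (local_ip, remote_ip, remote_port)
    solicited = set()
    for direction, src, _sport, dst, dport, proto, _nbytes in flows:
        if direction == "out" and proto == UDP:
            solicited.add((src, dst, dport))

    reflectors = defaultdict(set)
    unsolicited_bytes = defaultdict(int)
    for direction, src, sport, dst, _dport, proto, nbytes in flows:
        if direction != "in" or proto != UDP or sport not in REFLECTOR_PORTS:
            continue
        if (dst, src, sport) in solicited:
            continue  # the local host asked for this reply; not a reflection
        reflectors[dst].add(src)
        unsolicited_bytes[dst] += nbytes

    return {ip: (len(srcs), unsolicited_bytes[ip])
            for ip, srcs in reflectors.items() if len(srcs) >= min_reflectors}
```

On real flow exports the same check works as a first-pass alert; the distinct-reflector count separates a reflection flood from a single misbehaving server.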
Not long after LizardStresser went live, the anime-streaming website Crunchyroll reported that it was under attack — although Lizard Squad has not taken credit for it.
Hey guys, we’re under a DDoS of the same magnitude that Xbox and PSN experienced. We're working hard to fix this, thanks for your patience.
— Crunchyroll (@Crunchyroll) December 30, 2014
Sony and Microsoft both have systems in place to protect themselves from a variety of cyberattacks. That includes DDoS, but Gareau believes that neither company was prepared for an attack on this scale.
“It is not every day that a company has to face a highly motivated adversary,” said Gareau. “When they do, the groups brew a ‘recipe of attack’ that is specifically targeted to the defenses that companies put in place. When that happens, it is far worse than your typical DDoS for hire.”
And Sony and Microsoft both had protection against DDoS in place. While Gareau does not have first-hand knowledge of Sony’s or Microsoft’s infrastructure, it’s well known that both companies spend and invest in defensive measures.
“Yet I believe [Sony and Microsoft] were overwhelmed at the skill of these attackers,” he said.
A big reason why cyber security is so tough is that old Condoleezza Rice saying that the “terrorists only have to get it right once.” However high a company builds its defensive wall, it only works until someone comes along willing to build a tall enough ladder. Build a moat, and now you’re waiting for someone who knows how to build a bridge. In the end, it’s a matter of determination.
The size of companies like Sony and Microsoft doesn’t always help either. Security requires lots of preparation and a coherent strategy. That’s not easy in a global multimedia conglomerate.
“In larger companies, there are multiple departments involved in a denial-of-service,” said Gareau. “And it requires a proper run book. Panic is the worst scenario that can transpire yet it is also the most likely response without proper planning.”
The best defense, according to NexusGuard’s top scientist, is to have a clear plan when an attack starts. To counteract the confusion that can happen with a large organization, companies like Sony and Microsoft should practice their plan each quarter.
More specific suggestions include placing a hardened front end at the entry point of the network that can absorb very large volumes of traffic. Preferably, this solution would be cloud-based so it could spin up more capacity as needed, discarding the attack traffic while letting the legitimate packets through.
What about the police?
You’re probably seeing terms like “attack” and “cyber warfare” and wondering where the hell the cops are. Well, they are looking into it.
An attack on a website or server turns into a crime once it causes more than $5,000 in damages. For something like the PSN outage, that kind of damage racks up in almost no time, since Sony is missing out on potential sales in addition to any repairs or maintenance it needs to perform on overloaded hardware. That means just about every newsworthy DDoS is also a crime, although individuals could also pursue civil suits against those responsible.
But in a criminal case involving the Internet, the FBI steps in. That’s what happened to Mettenbrink as a result of the aforementioned Scientology attack, and that is now what is happening to Lizard Squad.
Yesterday, the FBI confirmed to GamesBeat that it is investigating the PSN and Xbox Live hacks, and Lizard Squad is part of that investigation.
“The FBI is investigating the matter,” a spokesperson for the bureau told GamesBeat. “Given the pending nature of the case, we cannot comment further.”
The FBI takes these matters seriously. Lizard Squad is, perhaps jokingly, calling itself a “cyber-terrorist group.” And that’s the kind of thing that the top law-enforcement agency in the U.S. isn’t really going to ignore.