How to Prevent DDoS Attacks on Mobile Apps?

One of the popular cybersecurity predictions last year was an increase in DDoS attacks. With the growth of the sharing economy, we've definitely seen an increase in the number and damage caused.

In fact, many of our customers have been asking us if DDoS attacks on mobile apps are possible. The short answer is a definite yes.

But this post is about understanding how these attacks on mobile apps work and how you can be safe.

Let's start with some basics.

What is a DDoS attack?

A Distributed Denial of Service attack is a type of cyber attack in which multiple computers or devices, usually infected with malware, act as a network of bots and attack a server to make it unusable.

DDoS attacks on mobile apps

Mobile apps, in general, are a threat to these dreaded attacks. In fact, mobile apps have been used to control mobile devices that are used to perform such attacks.

One reason mobile apps are susceptible to these attacks is that it is easy for an attacker to profile the user, which tremendously increases the probability of performing DDoS attacks on mobile apps successfully.

Many social and sharing apps, such as Facebook, LinkedIn, Instagram, Uber, Ola, Airbnb, etc., are susceptible to such attacks because it is easier to profile individual users through their mobile devices. Another thing about mobile application security is that it is often not very well secured.

We've done a detailed report on security issues in banking apps and another on security issues in m-commerce apps. In both cases, we found that more than 80% of apps are weak in security. Remember, all these apps involve transactions and money, and the expectation for security is way higher.

How does a DDoS attack on Android apps look?

Well, if we take a really simple example, imagine someone builds an app and puts it on the mobile app store, and you, as a user, download this app. This app can expose you to a DDoS attack or open up some new security loopholes on your mobile device so that it can be used for such an attack on some other server.

This means the attacker has control of your device via the app that they built and you downloaded. This way, you can either be a victim of a DDoS attack or a source. Neither is a good sign.

DDoS attacks cause a lot of direct damage, especially to companies, since they block web traffic, leading to reduced revenue and a high remediation cost. Additionally, there's always the threat of losing the customer's trust, which you've built over the years.

7 common DDoS attack types

Let us take a look at some of the standard attack types when it comes to DDoS attacks:

1. UDP flood:

A UDP flood can be defined as a DDoS attack that floods random ports on remote targets with UDP (User Datagram Protocol) packets. This causes the host to continuously look for the application associated with these datagrams and (when no such application is found) respond with a ‘Destination Unreachable’ packet.

This entire mechanism saps host resources and can ultimately lead to inaccessibility on the part of the user.

2. ICMP (ping) flood:

Based on a similar principle to the UDP flood attack, the ICMP or ping flood attack targets resources with ICMP Echo Request (ping) packets.

This attack mainly focuses on pushing packets as fast as possible without caring about replies. It affects both incoming and outgoing bandwidths.

The system further slows down as the victim’s servers respond with ICMP Echo Reply packets.

3. SYN Flood:

In the case of a SYN flood DDoS attack, a known vulnerability in the TCP connection sequence (the “three-way handshake”) is exploited.

In the SYN flood attack scenario, the requester sends multiple SYN requests, but none of them respond to the host’s SYN-ACK or dispatch the SYN requests from a spoofed IP address.

In either case, the host system keeps on waiting for acknowledgment for any of the requests. This continues until no new connections can be made, ultimately resulting in the denial of service.

4. Ping of death:

In the case of the Ping of Death DDoS attack, an attacker bombards a target computer with a series of contorted or malicious pings.

The general maximum length of an IP packet is around 65,535 bytes. However, the Data Link Layer on the networks poses certain limits on the size of packets. In such a scenario, these packets are further split into multiple smaller packets and later reassembled by the beneficiary host into complete packets of the required size.

However, under an attack scenario, recipients receive IP packets of larger sizes that overflow their memory buffers. This ultimately results in the denial of service for authentic packet requests.

5. Slowloris:

One of the most highly dreaded DDoS attacks, Slowloris, prepares one web server to take down another target server without affecting other services or ports on the destined network.

Slowloris makes this possible by keeping multiple connections to the target web server open for as long as desired. It continuously sends multiple HTTP headers but never completes the requests. The unaware target server keeps these false connections open and waits for their completion.

This eventually results in overflowing the maximum concurrent connection pool, further denying legitimate connections from actual consumers.

6. NTP amplification:

In NTP amplification attacks, attackers exploit publicly accessible Network Time Protocol (NTP) servers.

In this attack, the threat actors target servers by overwhelming them with UDP traffic. This attack is generally described as amplification because its query-to-response ratio typically varies between 1:20 and 1:200 and even more.

This implies that an attacker can quickly generate a devastating high-bandwidth, high-volume DDoS attack once he obtains a list of open NTP servers (using data from the Open NTP Project or utilizing devices like Metasploit).

7. HTTP flood:

In an HTTP flood DDoS attack, an attacker exploits seemingly authentic HTTP POST or GET requests to attack applications and web servers. Dependence on malicious packets, web spoofing, or other reflection techniques usually doesn’t happen during an HTTP flood attack.

Moreover, less network bandwidth than other attacks is required to bring down the targeted site or server.

The attack is most dangerous when it forces the target server or application to designate the maximum resources possible in return for every single request.

3 types of DDoS Attacks on mobile apps

Regardless of the type of attack, the threat actors' end goal is always the same: to make the target resources unresponsive and sluggish.

Let’s see how these three types of attacks usually unfold:

1. Volume-based DDoS attacks:

These attacks aim to saturate the bandwidth of the target websites or servers by overwhelming them with massive volumes of bogus traffic. ICMP floods, UDP floods, and other spoofed packet flood attacks fall into the volume-based attacks category.

2. Protocol or network-layer DDoS attacks:

Protocol or network-layer attacks consume the resources of the target infrastructure tools by sending large amounts of spoofed packets. Generally measured in PPS (Packets Per Second), these attacks include Ping of Death attacks, SYN floods, and Smurf DDoS attacks, among others.

3. Application-layer DDoS attacks:

Application layer attacks involve overwhelming applications by flooding them with malicious code requests. These requests seem legitimate only at first glance, but they eventually crash the entire web server and cause a denial of service.

These attacks involve slow, low-level attacks like POST or GET floods and generally target Windows, Apache, and OpenBSD vulnerabilities. Their size is measured in RPS (Requests Per Second).

Examples of apps used to launch DDoS attacks from the Play Store

The WireX botnet (a collection of internet-connected devices) recently caused havoc worldwide and disrupted many popular services. This was one of the first and biggest DDoS attacks on Android systems. This botnet was hidden within some 300 apps that were available officially on the Google Play Store.

When users installed the app, WireX added individual mobile devices to a more extensive network, which was then used to send junk traffic to certain websites, bringing them down and making them unusable.

Google has removed roughly 300 apps from its Play Store after security researchers from several internet infrastructure companies discovered that the seemingly harmless apps—offering video players and ringtones, among other features—were secretly hijacking Android devices to provide traffic for large-scale distributed denial of service (DDoS) attacks.

Another significant attack that caught everyone's attention last year was the Mirai botnet, which crippled the Internet and brought down sites such as Amazon, Github, PayPal, Reddit, and Twitter.

Related Topic- Man in the Middle Attack ( MITM ) on Mobile Applications

Features of DDoS attacks on mobile apps

Some of the standard features of DDoS attacks involving mobile devices and mobile apps are as follows: 

• Most of these attacks involve almost equal numbers of Android (60 percent) and iOS (40 percent) devices. 
  
  
• Attackers generally initiate attacks with a large number of mobile devices. In a typical attack, the number of mobile devices may reach half a million, and the number of requests per second (QPS) can reach up to millions. Moreover, it's challenging to track their IP address as well.
  
  
• Attackers generally use source IP addresses widely distributed across hundreds of countries worldwide. 
  
  
• It has been observed that DDoS attacks involving mobile apps use cellular base stations as their gateway IP addresses. These stations handle both user traffic and attack traffic. 

In typical DDoS attacks, the attack duration and the attack frequency of the attack source IP address vary according to the target mobile app and device configuration. 

How attacks involving malicious apps are initiated by hackers?

Hackers follow a series of steps in order to initiate DDoS attacks involving malicious apps.

• At first, hackers embed WebView into apps, and the central control link is requested. The link redirects to a page embedded with JavaScript files to obtain JSON instructions.

• In case no attack is initiated, the JSON instruction reads - {"message": "no data", "code": 404}. The instructions are read periodically by pushing the JavaScript files into a continuous loop. 

• The JavaScript files exit the continuous loop when attack-type instructions are passed and JSON instructions are parsed. The JSON instructions carry all the necessary details for the attack, such as the packet content, header, request method, and target URL, and also specify parameters like attack start time, attack end time, frequency of attack, and so on.  

• After this, WebView finds out the devices' operating system using UserAgent. Later, WebView triggers the loading of Java code into a malicious app using different functions for different device types. Subsequently, based on the JSON instructions, an attack is initiated.

Once these techniques are followed and the users install such fraudulent apps, hackers could successfully initiate DDoS attacks targeted at desired institutions and businesses. Using deceptive ads, the owners of these malicious apps attract users to install these apps.

These fraudulent apps can not only control mobile devices to initiate DDoS attacks but also access sensitive user data like location, bank accounts, contacts, and more. This can result in identity theft and telecommunication fraud. 

How to prevent DDoS attacks?

So, what can you do to stop DDoS attacks?
These rules apply to all mobile users, irrespective of whether it is for personal or enterprise use. Needless to say, it's even more critical for enterprises because of the impact of the damage these attacks can cause.

1. Think twice, always: 

Sometimes, an app might sound too good to be true. It's always good to look at it with some skepticism. Before you download the app, read some reviews, check the ratings, and even do a quick Google Search to see if there's some troubling history with it.

2. Stay updated: 

Always ensure your mobile operating system and apps are regularly updated. Manufacturers, platforms, and app developers work with security companies to identify security issues and push critical updates that solve these security bugs. You won't benefit unless you update the app.

3. Choose wisely:

Always search a little more for the apps that you need for a particular purpose. If you see an app with bad reviews and ratings, a deeper search can help you find other apps with the same purpose but better.

4. Perform security audits: 

Establish different layers of security in your perimeter. As an enterprise, you can use various sophisticated mobile app security solution providers to help with your security needs. As an individual user, ensure you have anti-malware apps on your mobile devices to help you detect any abnormalities.

With the vast amount of data flowing through the sharing economy, these apps are undoubtedly a prime target for attackers—sometimes for ransom and sometimes just to disrupt services or exploit the personal data of millions of users.

You should be aware of all security risks, and your employees and customers should be, too.

How to cope with DDoS attacks?

It becomes tough to defend security systems when many mobile devices become sources of DDoS attacks.

Following traditional methods like blacklisting and rate-limiting doesn’t help, and organizations have to come up with more innovative methods of security. Some of the measures which can help mitigate these threats are: 

• The identification techniques for attack traffic must be extended. Each server request should be tested in real time on a multidimensional testing platform.
   
• Steps must be taken to filter out attack traffic by organically combining various dimensions like intelligent identification techniques, imposing fines, and making the control unit more flexible. 
  
  
• Organizations must replace artificial troubleshooting with other techniques, such as machine intelligence, to reduce the impact on business and improve the speed of response.