DDoS – Defense is much harder than attack

DDoS attacks are deliberate attempts to make resources unavailable from their intended use. There are like lightning and are very common on today’s internet landscape having a wide range of negative effects on public, private and small business. A DDoS goal is to draw systems resources, be it bandwidth or a human resource, and block a service from legitimate connections. They are commonly not isolated events and often implemented to facilitate a larger sophisticated attack. They can be used as a mechanism for distraction. For example, a large UDP flood combined with a slow HTTP GET flood. The largest denial of service event in Internet history was an NTP reflection DDoS attack that peaked at 400Gbps. 

DDoS is an expensive type of attack to fully protect against. A port on a Firewall or an IPS device is an expensive port. There are 3rd party infrastructure-as-a-service options available on an on demands basis. In this case, you don’t need to over-provision bandwidth or purchase specialist hardware as 3rd party DDoS companies already have the capacity and capability to deal with such attacks. Content distribution networks help by absorbing DDoS traffic. There are also cloud-based firms specializing in DDoS mitigation. If you are under an attack you can redirect your traffic to their network, which is scrubbed and sent back. They put a shield in front of your services.

Cloud Flare offers a content delivery network and distributed domain name server service. They are known to have protected LulzSec website from a number of high-profile attacks. They use reverse proxy technology and an anycast network, enabling them to take high volume attacks and spread it over a large surface area. CloudFlare recently experienced an attack using Google IP addresses as a reflector, they called this the Google ACK reflection attack. Cloud Flare has special rules so they never block Google legitimate crawler traffic. With a Google ACK reflection, the attacker sends a TCP SYN with fake header pointing back at an IP address to Google, causing Google to respond with an ACK. It was resolved by simply blocking the ACK that didn’t have an SYN attached.


Types of DDoS attack

There are 3 main types of DOS attacks: a) Network-centric Layer 4, b) Application-centric Layer 7, and c) IPv6 Link-Local DoS attacks. The DDoS umbrella holds lots of variations: SYN packets usually fill up connection tables, while ICMP and UDP attacks consume bandwidth.

Layer 4 is the simplest type of attack and has been used to take down companies such as MasterCard and Visa. These style attacks using thousands of machines to bring down oneIt’s a primitive style attack where multiple machines send simple packets to a target, attempting to deplete computing resources like CPU, memory and network bandwidth. The connections are normal, they establish fully and terminate as normal connections do, unlike Layer 7 attacks (discussed below). The connection only takes up a few seconds, which is why thousands of hosts are needed to overload a single target. The tools for a Layer 4 attacks are easily available, for example – low orbit ion cannon (LOIC). LOIC is an open source denial-of-service attack application, written in C#. Layer 4 DDoS attacks are easily tracked back and blocked.

Layer 7 attacks are more sophisticated and usually require one to bring down many. The whistle blowing website Wiki-leaks went down for one day with only one attacker penetrating a Layer 7 attack. A SlowLoris attack is an elegant Layer 7 attack that has been associated with a number of high-profile attacks. It works by opening multiple connections to the targeted web server and keeping them open. It uses up all the lines and blocks legitimate traffic, designed to keep all the tables full. Layer 4 attacks cannot be run through anonymity networks (ToR networks) but Layer 7 attacks can, due to their small packets/second rate. Layer 7 attacks are like a guided missile. The pending requests take up about 400 seconds, so you don’t need to send that many of them.


Firewalls should block all TOR exit nodes  


The most common type of attacks right now are carried out with HTTP. About 80% of the attack surface is coming through HTTP. A Layer 7 HTTP GET attack request send only part of the HTTP GET. As a result, the server assumes that you are on an unreliable network and packets are fragmented. It waits for the other half, which ties up resources; freezing all available lines. All you need is about 1 packet per second. The R-U-Dead-Yet attack is similar to the HTTP GET attack, but it uses HTTP POSTS instead of HTTP GETs. It works by sending incomplete HTTP POSTs affecting IIS servers. IIS are not affected by SlowLoris attack that send incomplete HTTP GET. There are other variations called HTTP Keep-Alive DoS. HTTP Keepalives allows 100 requests in a single connection.  

IPv6 Link-Local DoS attack is an IPv6 Router Advertisement (RA) attack. With this IPv6 attack one attacker can bring down a whole network. It only needs a few packets/sec. With IPv4 DHCP, the host looks up and retrieves an IPv4 address, known as a PULL process. IPv6 is not done this way. IPv6 addresses are provided by IPv6 router advertising, known as a PUSH process. The IPv6 router advertises itself to everyone to join its networks. It uses a multicast to all nodes address – similar to broadcast; one packet to every node. The problem is you can send out a lots of RA messages, which causes the target to join ALL networks.


DDoS is a growing problem that gets more sophisticated every year. ISP and user collaboration is important, but it’s a game we are not winning. Who owns the problem?  The end user doesn’t know that they are compromised and the ISP are just transiting network traffic. Traffic can easily go through multiple ISP so how do the ISP traceback and channel to each other? Who do you hold responsible and what way are they responsible? It is fair to personalise an end user if they don’t know about it? There need to be terms of service of abuse policies. Users should take more control of their computers and understand that Anti-Virus software is not a complete solution. 


About Matt Conran

Matt Conran has created 155 entries.

Leave a Reply