
DDoS Attacks


In today’s interconnected world, where the internet plays a pivotal role, we are constantly exposed to online threats. One of them is the Distributed Denial of Service (DDoS) attack. In this blog post, we will look at DDoS attacks: their nature, their impact, and the measures individuals and organizations can take to reduce the risk.

A DDoS attack is a malicious attempt to disrupt the normal functioning of a network, service, or website by overwhelming it with a flood of traffic from many sources. Unlike intrusions that aim to breach security controls, a DDoS attack aims to make a system or network unavailable by exhausting a resource it depends on, such as bandwidth, packet-processing capacity, connection-table entries, CPU, or memory.

 

Highlights: DDoS Attacks

  • A mechanism for distraction

DDoS attacks are deliberate attempts to make resources unavailable for their intended use. They strike like lightning and are very common in today’s internet landscape, with a wide range of adverse effects on public bodies, private companies, and small businesses. The goal of a DDoS is to consume systems, bandwidth, or human resources and block service to legitimate connections. They are commonly not isolated events: they are often staged to facilitate a larger, more sophisticated attack, or used as a mechanism for distraction while something else is going on. A typical combination is a large UDP flood to keep the network team busy, combined with a slow HTTP GET flood against the application.

  • NTP Reflection Attack

Reflection attacks bounce spoofed requests off third-party servers so that the replies, usually much larger than the requests, land on the victim. One of the largest denial of service events recorded at the time was an NTP reflection DDoS attack that peaked at roughly 400 Gbps. IPv6 adds a further range of attacks to defend against, some of which target IPv6 host exposure rather than bandwidth; examples are given later in this post.

 

For additional information, you may find the following posts helpful:

  1. Technology Insight for Microsegmentation
  2. DNS Reflection Attack
  3. Virtual Firewalls
  4. DNS Security Designs

 




Key DDoS Attacks Discussion points:


  • Introduction to DDoS attacks and the damage they cause.

  • Discussion on the different types of DDoS attacks.

  • Layer 4 and Layer 7 attacks.

  • IPv6 DDoS examples.

 

Back to basics with the DDoS Attacks

DDoS attacks have existed for almost as long as the web has existed. Unfortunately, they remain one of the most effective ways to disrupt online services. The most common DDoS attack congests your network, which can be done in several ways. The congestion can occur at your internet edge or at any other bottleneck on the path, such as a firewall, a load balancer, or a single oversubscribed link.

The pre-mitigation step against these flooding scenarios is to know your current capacities: the bandwidth (bits per second) of each link and the packets-per-second rate each device on the path can forward. Only with those numbers can you compare the flood you are observing against what you can absorb, and decide which of the mitigation tools at your disposal to activate, and in what order.

 

Types of DDoS Attacks:

1. Volume-based attacks aim to saturate the target’s network or server capacity by flooding it with massive amounts of traffic. Standard techniques include ICMP floods, UDP floods, and amplification attacks, in which small spoofed requests to open services such as DNS or NTP produce large replies directed at the victim.

2. Application layer attacks target the web applications or services themselves. By sending many seemingly legitimate requests, each of which is cheap for the attacker but expensive for the server, the attacker exhausts the target’s worker processes, threads, or connection slots so that it cannot serve genuine users. Examples include HTTP floods and Slowloris.

3. Protocol attacks exploit weaknesses in how network protocols manage state. A SYN flood, for instance, sends a high rate of TCP SYN segments and never completes the handshake, filling the target’s half-open connection table and leaving no capacity for legitimate connections.
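The capacity check described above and the three attack classes can be combined into a simple triage routine. The following is an added example, not code from the original post: it takes a one-second sample of flow records (constructed inline in a simplified NetFlow-like shape), compares the observed bits and packets per second against assumed link and device limits, and, if either is near saturation, names the dominant flood type from Layer 3/4 signals alone. Application-layer floods are not visible in flow records and need web-server logs instead.

```python
"""Classify a one-second traffic sample against link capacity.

Added example; the flow records and capacity figures are constructed for
illustration and are not measurements from any real network.
"""
from collections import Counter
from dataclasses import dataclass

# UDP services commonly abused as reflectors/amplifiers, keyed by the
# source port their replies come from.
AMPLIFIER_PORTS = {19: "chargen", 53: "DNS", 123: "NTP", 1900: "SSDP", 11211: "memcached"}


@dataclass(frozen=True)
class Flow:
    proto: str       # "tcp" | "udp" | "icmp"
    src_port: int
    dst_port: int
    flags: str       # TCP flags seen on the flow ("S" = SYN only); "" for non-TCP
    packets: int
    bytes: int


def summarize(flows, window_s=1.0):
    """Observed packets/s and bits/s over the sample window."""
    pps = sum(f.packets for f in flows) / window_s
    bps = sum(f.bytes for f in flows) * 8 / window_s
    return pps, bps


def classify(flows, link_bps, link_pps, window_s=1.0, alarm=0.7):
    """Return a dict with the observed rates and a verdict.

    alarm is the fraction of capacity at which we start treating the
    sample as a flood (an assumed threshold for this example).
    """
    pps, bps = summarize(flows, window_s)
    result = {"pps": pps, "bps": bps, "amplifiers": [], "verdict": "normal"}
    if bps < alarm * link_bps and pps < alarm * link_pps:
        return result

    total_pkts = sum(f.packets for f in flows)
    total_bytes = sum(f.bytes for f in flows)
    share_bytes = Counter()
    syn_pkts = 0
    amplifiers = set()
    for f in flows:
        avg_size = f.bytes / f.packets
        # Amplified replies come from a well-known service port and are large.
        if f.proto == "udp" and f.src_port in AMPLIFIER_PORTS and avg_size > 400:
            share_bytes["amplification"] += f.bytes
            amplifiers.add(AMPLIFIER_PORTS[f.src_port])
        elif f.proto == "tcp" and f.flags == "S":      # SYN with no handshake progress
            syn_pkts += f.packets
        elif f.proto == "udp":
            share_bytes["udp_flood"] += f.bytes
        elif f.proto == "icmp":
            share_bytes["icmp_flood"] += f.bytes

    # SYN floods are a packet-rate problem, so judge them by packet share;
    # the others are bandwidth problems, so judge them by byte share.
    if syn_pkts / total_pkts > 0.5:
        result["verdict"] = "syn_flood"
    else:
        kind, nbytes = max(share_bytes.items(), key=lambda kv: kv[1], default=("none", 0))
        result["verdict"] = kind if nbytes / total_bytes > 0.5 else "unclassified_volumetric"
    result["amplifiers"] = sorted(amplifiers)
    return result


# Assumed capacities: a 1 Gbit/s uplink and an edge device rated for 1.4 Mpps.
LINK_BPS = 1_000_000_000
LINK_PPS = 1_400_000

# Constructed baseline: ordinary HTTPS and DNS traffic for one second.
NORMAL = [
    Flow("tcp", 443, 51234, "SA", 2_000, 2_400_000),   # HTTPS responses
    Flow("tcp", 52001, 443, "A", 1_500, 120_000),      # client ACKs
    Flow("udp", 53, 41000, "", 300, 90_000),           # normal-sized DNS replies
]
# Constructed NTP reflection: 200k replies of 468 bytes from source port 123.
NTP_AMPLIFICATION = NORMAL + [Flow("udp", 123, 80, "", 200_000, 93_600_000)]
# Constructed SYN flood: 1.2M 40-byte SYNs at port 80.
SYN_FLOOD = NORMAL + [Flow("tcp", 40000, 80, "S", 1_200_000, 48_000_000)]

if __name__ == "__main__":
    for name, sample in (("normal", NORMAL), ("ntp", NTP_AMPLIFICATION), ("syn", SYN_FLOOD)):
        print(name, classify(sample, LINK_BPS, LINK_PPS))
```

The thresholds (70% of capacity, 400-byte average reply, 50% share) are starting points, not tuned values; the point is that the decision is made against your own measured ceilings rather than an absolute number.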

Impact of DDoS Attacks:

DDoS attacks can have severe consequences for both individuals and organizations. Some of the notable impacts include:

1. Financial losses: A successful DDoS attack can cause significant financial losses for businesses, as their online services become unavailable, leading to lost productivity, lost sales, and the cost of the response itself.

2. Reputation damage: Organizations that fall victim to DDoS attacks may suffer reputational damage, as customers and clients lose trust in their ability to provide reliable services. This can affect long-term growth and success.

3. Disruption of critical services: DDoS attacks can disrupt critical services, such as banking, healthcare, or government systems, leading to loss of essential services for individuals and communities.

Mitigating DDoS Attacks:

While it is impossible to eliminate the risk of DDoS attacks completely, there are several measures individuals and organizations can take to limit the impact:

1. Implementing robust network infrastructure: Organizations should invest in scalable and resilient infrastructure that can withstand high traffic volumes. This includes load balancing, traffic filtering at the edge, and redundant systems and paths.

2. Utilizing DDoS mitigation services: Professional DDoS mitigation services can help organizations identify, absorb, and respond to attacks effectively. These services employ techniques such as traffic analysis, rate limiting, and behavior-based anomaly detection, backed by far more bandwidth than a single organization can provision.

3. Regular security audits: Regular audits can identify weaknesses that make a DDoS attack easier or more damaging, such as exposed amplifiable services (open DNS resolvers, NTP with monlist enabled), missing rate limits, or single points of failure. Addressing them promptly reduces the exposure.

 

DDoS: An Expensive Type of Attack

A port on a firewall or an IPS device is an expensive port, and those devices are themselves limited in the packet rate they can handle. Third-party mitigation is available on a demand basis. In this case, you don’t need to over-provision bandwidth or purchase specialist hardware, as DDoS mitigation companies already have the capacity and capability to deal with such attacks.

Content distribution networks help by absorbing DDoS traffic across many points of presence. There are also cloud-based firms specializing in DDoS mitigation. If you are under attack, you redirect your traffic to their network, where it is scrubbed and the clean traffic is sent back to you. They put a shield in front of your services.

Cloudflare offers a content delivery network and a distributed DNS service. They are known to have protected the LulzSec website from several high-profile attacks. They use reverse proxy technology and an anycast network, which lets them take a high-volume DDoS attack and spread it over a large surface area.

Cloudflare later experienced an attack that used Google IP addresses as reflectors; they called it the Google ACK reflection attack. Cloudflare has special rules so that Google’s legitimate crawler traffic is never blocked, which is what made Google an attractive reflector. The attacker sends TCP SYN segments to Google with a spoofed source address pointing back at the victim, so Google’s SYN-ACK replies land on the victim instead of the attacker. It was resolved by dropping inbound replies that did not correspond to any SYN the protected network had actually sent.
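The defence described above is a stateful check: a SYN-ACK is only legitimate if it answers a SYN we sent, with an acknowledgement number one past our initial sequence number. The following is an added example, not Cloudflare’s code: it tracks outbound SYNs, accepts only matching SYN-ACKs, and counts the peers whose unsolicited SYN-ACKs exceed a threshold so they can be reported as reflectors. The addresses are documentation ranges and the segments are constructed inline.

```python
"""Detect reflected SYN-ACKs by matching them against outbound SYNs.

Added example; addresses come from RFC 5737 documentation ranges and the
packet sample is constructed, not captured.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # "S" = SYN, "SA" = SYN-ACK, "A" = ACK
    seq: int
    ack: int = 0


class SynAckReflectionDetector:
    def __init__(self, local_ip, syn_ttl=30.0, threshold=100):
        self.local_ip = local_ip
        self.syn_ttl = syn_ttl            # forget SYNs older than this (assumed value)
        self.threshold = threshold        # orphans per peer before it is called a reflector
        self.pending = {}                 # (local_port, peer_ip, peer_port) -> (isn, ts)
        self.orphans = Counter()          # peer_ip -> unsolicited SYN-ACKs seen

    def _expire(self, now):
        stale = [k for k, (_, ts) in self.pending.items() if now - ts > self.syn_ttl]
        for k in stale:
            del self.pending[k]

    def observe(self, seg):
        """Return the action for one segment: syn_sent, accept, drop or pass."""
        self._expire(seg.ts)
        if seg.src == self.local_ip and seg.flags == "S":
            self.pending[(seg.sport, seg.dst, seg.dport)] = (seg.seq, seg.ts)
            return "syn_sent"
        if seg.dst == self.local_ip and seg.flags == "SA":
            key = (seg.dport, seg.src, seg.sport)
            entry = self.pending.get(key)
            # A genuine SYN-ACK acknowledges our ISN + 1 on the same 4-tuple.
            if entry is not None and seg.ack == entry[0] + 1:
                del self.pending[key]
                return "accept"
            self.orphans[seg.src] += 1
            return "drop"
        return "pass"

    def reflectors(self):
        return {ip: n for ip, n in self.orphans.items() if n >= self.threshold}


LOCAL = "192.0.2.10"        # the protected host
SERVER = "198.51.100.5"     # a server we really connect to
REFLECTOR = "203.0.113.7"   # a third party whose SYN-ACKs are being bounced at us


def build_sample():
    """One legitimate handshake followed by 150 reflected SYN-ACKs."""
    segs = [
        Segment(0.00, LOCAL, 50000, SERVER, 443, "S", seq=1000),
        Segment(0.05, SERVER, 443, LOCAL, 50000, "SA", seq=77, ack=1001),
    ]
    for i in range(150):
        # Spoofed SYNs made the reflector answer ports we never opened.
        segs.append(Segment(1.0 + i * 0.001, REFLECTOR, 443, LOCAL, 40000 + i, "SA", seq=5000 + i, ack=999))
    return segs


def run_sample():
    det = SynAckReflectionDetector(LOCAL)
    verdicts = [det.observe(s) for s in build_sample()]
    return verdicts, det.reflectors()


if __name__ == "__main__":
    verdicts, reflectors = run_sample()
    print(Counter(verdicts), reflectors)
```

In production this state lives in the firewall or scrubbing layer, where the same match against pending SYNs is what lets the reflected replies be discarded without ever blocking the reflector’s legitimate traffic.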

 

DDoS attacks: Types

There are three main types of DoS attacks: a) network-centric Layer 4, b) application-centric Layer 7, and c) IPv6 link-local DoS attacks. The DDoS umbrella holds many variations: SYN floods usually fill up connection tables, while ICMP and UDP floods consume bandwidth.

 

Layer 4 attacks

Layer 4 is the simplest type of attack and has been used to take down companies such as MasterCard and Visa. These attacks use thousands of machines to bring down one. It is a primitive style of attack in which many machines send simple packets to a target, attempting to deplete computing resources such as CPU, memory, and network bandwidth.

The connections are ordinary: they establish fully and terminate as regular connections do, unlike the Layer 7 attacks discussed below. Each connection lasts only a few seconds, so thousands of hosts are needed to overload a single target. The tools are readily available; the best known is the Low Orbit Ion Cannon (LOIC), an open-source denial-of-service application written in C#. Because these tools do not spoof their source addresses, Layer 4 attacks of this kind are easily traced back and blocked.

 

Layer 7  attacks

Layer 7 attacks are more sophisticated and can allow one machine to bring down many. For example, the WikiLeaks whistle-blowing website went down for a day with only one attacker running a Layer 7 attack. Slowloris is an elegant Layer 7 attack associated with several high-profile incidents. It opens many connections to the targeted web server and keeps them open by sending the HTTP request a few bytes at a time.

It uses up all of the server’s connection slots and blocks legitimate traffic; the whole design is to keep the server’s tables full. Layer 4 floods cannot be run through anonymity networks such as Tor, which only carries TCP streams, but Layer 7 attacks can, because they need only a small number of packets per second. Layer 7 attacks are like guided missiles: a pending request can hold a connection open for up to 400 seconds, so you don’t need to send many.

 

Common types of attacks

The most common attacks right now are carried out over HTTP; about 80% of attack traffic at the application layer arrives this way. A Layer 7 HTTP GET attack sends only part of the HTTP request and never the blank line that ends the headers. The server assumes the client is on a slow or unreliable network and waits for the rest, which ties up the worker handling that connection; enough of these freeze all available connection slots.

All it takes is about one packet per second per connection. The R-U-Dead-Yet (RUDY) attack is similar but uses HTTP POSTs instead of GETs: it announces a large Content-Length and then sends the body incomplete and very slowly, which also affects IIS servers. IIS is not affected by Slowloris, which sends incomplete GET headers. There are other variations, such as the HTTP Keep-Alive DoS, which exploits persistent connections: by default Apache allows 100 requests on a single keep-alive connection (MaxKeepAliveRequests), so one connection can be held open across many slow requests.
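The server-side fix for Slowloris-style partial requests is to stop resetting the timeout on every byte and instead bound how long the headers may take to arrive, extended only in proportion to the data actually received. Apache’s mod_reqtimeout expresses this as `RequestReadTimeout header=20-40,MinRate=500`: an initial 20-second allowance, extended by one second for every 500 bytes received, capped at 40 seconds. The following is an added example, not Apache’s code or the original post’s: it models both the classic idle timeout and the request-read policy, feeds each a constructed Slowloris client and a constructed legitimate client, and counts how many worker slots are still tied up after two minutes.

```python
"""Header-read timeout policies against a slow-header client.

Added example. The policies mirror Apache's classic Timeout and the
mod_reqtimeout header=20-40,MinRate=500 semantics; the client traffic is
constructed, and timings are a model rather than a packet capture.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class IdleTimeout:
    """Classic behaviour: the clock restarts every time a byte arrives."""
    idle: float = 60.0

    def deadline(self, start, last_byte_at, total_bytes):
        return last_byte_at + self.idle


@dataclass(frozen=True)
class RequestReadTimeout:
    """mod_reqtimeout style: initial allowance, extended by received data, capped."""
    initial: float = 20.0
    maximum: float = 40.0
    min_rate: int = 500     # bytes per second of extension

    def deadline(self, start, last_byte_at, total_bytes):
        return start + min(self.maximum, self.initial + total_bytes / self.min_rate)


def header_state(chunks, policy, now):
    """Replay header bytes for one connection up to time `now`.

    chunks: [(arrival_time, bytes)] in arrival order.
    Returns ("complete" | "timed_out" | "waiting", time_of_that_event).
    """
    if not chunks:
        return "waiting", now
    start = chunks[0][0]
    buf = b""
    deadline = policy.deadline(start, start, 0)
    for t, data in chunks:
        if t > now:
            break                       # not yet arrived
        if t > deadline:
            return "timed_out", deadline
        buf += data
        if b"\r\n\r\n" in buf:          # end of headers: request can be served
            return "complete", t
        deadline = policy.deadline(start, t, len(buf))
    if now > deadline:
        return "timed_out", deadline
    return "waiting", now               # still holding a worker slot


def slowloris_chunks(start, interval=10.0, count=60):
    """Constructed Slowloris client: a partial request, then a bogus header every 10 s."""
    chunks = [(start, b"GET / HTTP/1.1\r\nHost: example.com\r\n")]
    chunks += [(start + i * interval, b"X-a: b\r\n") for i in range(1, count)]
    return chunks


LEGIT_CHUNKS = [(0.0, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")]


def occupied_workers(connections, policy, now):
    """How many connections are still waiting for headers (and holding a worker)."""
    return sum(1 for c in connections if header_state(c, policy, now)[0] == "waiting")


# 256 slow connections against a server with 256 workers (an assumed MaxRequestWorkers).
SLOW_CONNECTIONS = [slowloris_chunks(start=i * 0.05) for i in range(256)]

if __name__ == "__main__":
    for policy in (IdleTimeout(), RequestReadTimeout()):
        print(type(policy).__name__,
              "legit:", header_state(LEGIT_CHUNKS, policy, now=5.0),
              "slow:", header_state(slowloris_chunks(0.0), policy, now=120.0),
              "busy workers at t=120s:", occupied_workers(SLOW_CONNECTIONS, policy, 120.0))
```

With the idle policy every slow connection is still "waiting" after two minutes and all 256 workers are gone; with the request-read policy each one is cut off a little after 20 seconds. The attacker can of course reconnect, which is why this is paired with per-source connection limits or a reverse proxy that buffers complete requests before handing them to the application server.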

 

IPv6 DDoS

  • IPv6 Link-Local DoS

The IPv6 link-local DoS attack is an IPv6 RA (Router Advertisement) flood. With this attack a single attacker on the local link can bring down a whole network, and it needs only a few packets per second. With IPv4 DHCP, the host asks for and retrieves an address: a pull process. IPv6 stateless address autoconfiguration (SLAAC) does not work this way. Prefixes are handed out by router advertisements, a push process.

The IPv6 router advertises itself to everyone on the link to join its networks. It uses the all-nodes multicast address, which behaves much like a broadcast: one packet reaches every node. The problem is that anyone on the link can send RA messages, and a flood of them carrying different prefixes makes every host try to configure an address and a route for each one, consuming CPU and memory on hosts that process them. The standard mitigation is RA Guard (RFC 6105) on switch ports, so that advertisements are only accepted from the port the real router sits on.
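To detect this on a host or a monitoring port you need to parse the Router Advertisement and its Prefix Information options and notice when one source advertises far more distinct prefixes in a short window than any real router would. The following is an added example, not from the original post: a minimal ICMPv6 RA builder and parser following the RFC 4861 layouts, plus a detector that flags a source once its distinct-prefix count in a one-second window exceeds an assumed threshold. The checksum is left zero because it covers an IPv6 pseudo-header that this offline example does not model; the addresses and packets are constructed.

```python
"""Parse ICMPv6 Router Advertisements and flag RA prefix floods.

Added example; packets are constructed with the builder below and the
link-local source addresses are placeholders.
"""
import ipaddress
import struct
from collections import defaultdict

ND_ROUTER_ADVERT = 134      # ICMPv6 type, RFC 4861 §4.2
OPT_PREFIX_INFO = 3         # ND option type, RFC 4861 §4.6.2
PI_FLAG_ONLINK = 0x80
PI_FLAG_AUTONOMOUS = 0x40   # "A" flag: hosts may form an address from this prefix


def build_ra(prefixes, router_lifetime=1800, hop_limit=64):
    """Constructed RA: 16-byte ICMPv6 header, then one 32-byte Prefix Information
    option per prefix. Checksum field is 0 (pseudo-header not modelled here)."""
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, hop_limit, 0, router_lifetime, 0, 0)
    opts = b""
    for p in prefixes:
        net = ipaddress.IPv6Network(p)
        opts += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen,
                            PI_FLAG_ONLINK | PI_FLAG_AUTONOMOUS, 2_592_000, 604_800, 0)
        opts += net.network_address.packed
    return hdr + opts


def parse_ra(payload):
    """Return hop limit, flags, router lifetime and the Prefix Information options."""
    if len(payload) < 16 or payload[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    _, _, _, hop_limit, flags, lifetime, _, _ = struct.unpack("!BBHBBHII", payload[:16])
    prefixes = []
    off = 16
    while off + 2 <= len(payload):
        otype, olen = payload[off], payload[off + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")      # RFC 4861 §4.6: must discard
        end = off + olen * 8
        if end > len(payload):
            raise ValueError("truncated ND option")
        if otype == OPT_PREFIX_INFO and olen == 4:
            plen, pflags, valid, preferred, _ = struct.unpack("!BBIII", payload[off + 2:off + 16])
            addr = ipaddress.IPv6Address(payload[off + 16:off + 32])
            prefixes.append({"prefix": f"{addr}/{plen}", "valid": valid, "preferred": preferred,
                             "autonomous": bool(pflags & PI_FLAG_AUTONOMOUS)})
        off = end   # unknown options are skipped by length, as the RFC requires
    return {"hop_limit": hop_limit, "flags": flags, "router_lifetime": lifetime, "prefixes": prefixes}


class RaFloodDetector:
    """Alert when one source advertises more than max_prefixes distinct prefixes per window."""

    def __init__(self, window=1.0, max_prefixes=8):
        self.window = window
        self.max_prefixes = max_prefixes      # assumed threshold; a real router sends a few
        self.seen = defaultdict(list)         # src -> [(ts, prefix)]

    def observe(self, ts, src, payload):
        ra = parse_ra(payload)
        hist = self.seen[src]
        hist.extend((ts, p["prefix"]) for p in ra["prefixes"])
        hist[:] = [(t, p) for t, p in hist if ts - t <= self.window]
        return len({p for _, p in hist}) > self.max_prefixes


def run_sample():
    """Constructed traffic: a real router every 200 s, then an attacker's burst."""
    det = RaFloodDetector()
    legit = build_ra(["2001:db8:1::/64"])
    ok = [det.observe(t, "fe80::1", legit) for t in (0.0, 200.0, 400.0)]
    flood = [det.observe(500.0 + i * 0.01, "fe80::bad", build_ra([f"2001:db8:{i:x}:1::/64"]))
             for i in range(50)]
    return ok, flood


if __name__ == "__main__":
    ok, flood = run_sample()
    print("legit alerts:", sum(ok), "flood alerts:", sum(flood))
```

The detector is a monitoring aid; it tells you the attack is happening and from which link-local address, but on its own it does not stop hosts from processing the advertisements. Enforcement belongs at the switch port with RA Guard, with host-side limits on the number of accepted prefixes as a second line.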

DDoS is a growing problem that gets more sophisticated every year. ISP and user collaboration is essential, but it’s a game we are not winning. Who owns the problem? The end-user doesn’t know their machine is compromised, and the ISP is just transiting network traffic.

Attack traffic can cross multiple ISPs, so how do the ISPs trace it back and coordinate with each other? Who do you hold responsible, and in what way are they responsible? Is it fair to penalize an end-user who doesn’t know their machine is part of a botnet? There need to be terms of service with abuse policies. Users should take more control of their computers and understand that anti-virus software is not a complete solution.

 

Conclusion:

DDoS attacks continue to be a persistent threat in the digital world, with potentially devastating consequences for individuals and organizations. By understanding the nature of these attacks and implementing appropriate security measures, we can better protect ourselves and ensure a more secure online environment.
