DDoS Attacks

In today's digital age, cyber threats have become increasingly sophisticated, posing a significant challenge to individuals and organizations. One such threat that has gained notoriety is the Distributed Denial of Service (DDoS) attack. In this blog post, we will delve into the world of DDoS attacks, uncovering their inner workings, motives, and the devastating impact they can have on their victims.

DDoS attacks are orchestrated attempts to overwhelm a target system or network with a flood of traffic, rendering it inaccessible to legitimate users. These attacks involve multiple compromised devices, forming a botnet army, which is controlled by a malicious entity. By harnessing the combined bandwidth of these devices, the attacker can launch a massive assault that cripples the target's online presence.

DDoS attacks can be motivated by various factors. Hacktivism, where attackers aim to make a political or social statement, is one such motive. Cybercriminals may also carry out DDoS attacks as a smokescreen to divert attention from other malicious activities, such as data breaches or theft. Additionally, in some instances, competitors or disgruntled individuals may resort to DDoS attacks to gain a competitive advantage or exact revenge.

DDoS attacks utilize a range of techniques to overwhelm targeted systems. One commonly employed method is the "volumetric attack," which floods the target with an enormous volume of traffic, exceeding its capacity to handle requests. Another technique is the "application layer attack," where the attacker targets specific weaknesses in the application layer, exhausting server resources and causing service disruptions. Furthermore, "amplification attacks" abuse protocols or services that reply with more data than they receive, multiplying the volume of traffic directed at the target.

Given the severity of DDoS attacks, it is crucial for individuals and organizations to implement robust mitigation strategies. Proactive measures involve employing traffic filtering mechanisms, such as firewalls or intrusion prevention systems, to identify and block malicious traffic. Content Delivery Networks (CDNs) can also help mitigate attacks by distributing traffic across multiple servers, reducing the impact of an attack on any single server.

As technology evolves, so do the methods employed by attackers. The future of DDoS attacks holds the potential for more sophisticated techniques, including the utilization of artificial intelligence and the Internet of Things (IoT) devices as botnet components. This calls for enhanced security measures, industry collaboration, and continuous research to stay one step ahead of the attackers.

Conclusion: DDoS attacks present a significant threat to the digital landscape, capable of disrupting businesses, causing financial losses, and compromising user trust. Understanding the inner workings of these attacks, their motives, and implementing effective mitigation strategies are vital in safeguarding against this insidious menace. By staying informed and proactive, we can collectively build a safer and more resilient online ecosystem.

Highlights: DDoS Attacks

An attacker does not need to understand the underlying mechanism of the software or infrastructure to carry out a successful DDoS attack, although some of the more successful attacks have been carried out by industry outsiders who understood the architecture. The attacker must control many distributed sources for the attack to be effective. With everyone carrying a smartphone in their pocket, living in a home with embedded computers, and traveling in self-driving cars with supercomputers for brains, it is not hard to imagine where such hosts come from.

DDoS Mitigation

It is already well known that a DDoS attack can have catastrophic effects on your service, business, and infrastructure.

Even though an attack can be detected from macro- and micro-level behavior, devising a mitigation strategy requires getting down to the nitty-gritty of the attack. Mitigation strategies must be tailored to the attack you are experiencing, just as doctors prescribe precise medication based on symptoms. For example, TCP SYN floods cannot be stopped by a payload filter that stops HTTP GET floods.

As a general rule, DDoS attacks rely on the same type of exploit repeated many times. In a TCP SYN flood, for example, the same packet, a TCP SYN, is sent repeatedly from many different sources and reaches your network. The volumetric and differentiation aspects of the attack present the biggest challenge to mitigating it: at a very high traffic rate, the mitigation must distinguish the legitimate requests (in this instance, TCP SYNs) from the malicious ones.
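SYN cookies are the standard way to keep a SYN flood from filling the connection table: the server stores nothing on the SYN and instead encodes a keyed MAC into the SYN-ACK's initial sequence number, so only a client that really completes the handshake costs state. The post does not name them, so the code below is an added, simplified illustration of the idea (not the Linux kernel's exact encoding); the key, MSS table, slot length and addresses are constructed.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"   # a real stack uses a random per-boot key
MSS_TABLE = [536, 1220, 1440, 1460]    # MSS values the 3-bit field can encode
SLOT_SECONDS = 64                      # a cookie is valid for the current and previous slot


def _mac24(src_ip, src_port, dst_ip, dst_port, slot, secret):
    """24-bit keyed MAC over the connection 4-tuple and the time slot."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{slot}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src_ip, src_port, dst_ip, dst_port, mss, now, secret=SECRET):
    """ISN for the SYN-ACK, built without storing anything about the SYN:
    5 bits of time slot | 3 bits of MSS index | 24 bits of MAC."""
    slot = int(now // SLOT_SECONDS) & 0x1F
    idx = max([i for i, v in enumerate(MSS_TABLE) if v <= mss] or [0])
    return (slot << 27) | (idx << 24) | _mac24(src_ip, src_port, dst_ip, dst_port, slot, secret)


def check_cookie(cookie, src_ip, src_port, dst_ip, dst_port, now, secret=SECRET):
    """Validate the ISN the client echoes back (its ACK number minus one).
    Returns the negotiated MSS, or None if the cookie is stale or forged."""
    slot, idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    current = int(now // SLOT_SECONDS) & 0x1F
    if (current - slot) % 32 > 1:
        return None                     # older than one slot: expired
    expected = _mac24(src_ip, src_port, dst_ip, dst_port, slot, secret)
    if not hmac.compare_digest(expected.to_bytes(3, "big"), mac.to_bytes(3, "big")):
        return None                     # forged, or copied from another 4-tuple
    return MSS_TABLE[idx]


def simulate_flood(n_spoofed, now):
    """Spoofed SYNs each get a SYN-ACK but allocate no table entry; only the
    client that answers with a valid cookie is admitted. Returns table size."""
    table = {}
    for i in range(n_spoofed):          # constructed spoofed sources that never reply
        make_cookie(f"203.0.113.{i % 256}", 40000 + i, "198.51.100.10", 443, 1460, now)
    isn = make_cookie("192.0.2.7", 51515, "198.51.100.10", 443, 1460, now)
    mss = check_cookie(isn, "192.0.2.7", 51515, "198.51.100.10", 443, now + 2)
    if mss is not None:
        table[("192.0.2.7", 51515)] = mss
    return len(table)
```

The trade-off is the one the page hints at with "differentiation": the server can no longer remember per-SYN options beyond what fits in 32 bits, which is why the MSS is squeezed into a small table.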

DNS Reflection Attack
Diagram: DNS Reflection Attack.

A mechanism for distraction

DDoS attacks are deliberate attempts to make resources unavailable for their intended use. They are as common as lightning in today's internet landscape and have a wide range of adverse effects on public, private, and small businesses. The goal of a DDoS is to consume systems, bandwidth, or human resources and block service to legitimate connections. They are commonly not isolated events and are often used to facilitate a more significant, sophisticated attack. In addition, they can be used as a mechanism for distraction.

NTP Reflection Attack

An example is a large UDP flood combined with a slow HTTP GET flood. Internet history's most significant denial of service event was an NTP reflection DDoS attack that peaked at 400Gbps. Now, we also have a range of new IPv6 DDoS attacks to contend with. Opening up a range of IPv6 attacks, some targeting IPv6 host exposure

Diagram: DDoS IPv6.

Key DDoS Attacks Discussion points:

  • Introduction to DDoS attacks and the damage they cause.
  • Discussion on the different types of DDoS attacks.
  • Layer 4 and Layer 7 attacks.
  • IPv6 DDoS examples.

Back to basics with the DDoS Attacks

DDoS attacks have existed for almost as long as the web has existed. Unfortunately, they remain one of the most effective ways to disrupt online services. The most common DDoS attack is to congest your network, which can be performed in several ways. This congestion can happen at your internet egress or another network bottleneck.

The pre-mitigation step against these flooding scenarios requires you to understand your current capacities, such as your bandwidth capacity and packets-per-second capabilities. This information is matched against the flood level you are observing; at that point, you need to initiate the different mitigation tools you have at your disposal.

Types of DDoS Attacks:

1. Volume-based attacks aim to saturate the target’s network or server capacity by flooding it with massive traffic. Standard techniques used in volume-based attacks include ICMP floods, UDP floods, and amplification attacks.

2. Application-layer attacks exploit vulnerabilities in the target’s web applications or services. By sending many seemingly legitimate requests, the attacker aims to exhaust the target’s resources, rendering it unable to serve genuine users. Examples of application-layer attacks include HTTP floods and Slowloris attacks.

3. Protocol attacks: These attacks exploit weaknesses in network protocols to overwhelm the target's resources. For instance, SYN floods send the target a high rate of SYN requests, depleting its capacity to respond to legitimate traffic.

Impact of DDoS Attacks:

DDoS attacks can have severe consequences for both individuals and organizations. Some of the notable impacts include:

1. Financial losses: A successful DDoS attack can result in significant financial losses for businesses, as their online services become unavailable, leading to decreased productivity, lost sales, and potential reputational damage.

2. Reputation damage: Organizations that fall victim to DDoS attacks may suffer reputational damage, as customers and clients lose trust in their ability to provide reliable services. This can further impact their long-term growth and success.

3. Disruption of critical services: DDoS attacks can disrupt critical services, such as banking, healthcare, or government systems, leading to potential chaos and loss of essential services for individuals and communities.

Mitigating DDoS Attacks:

While it is impossible to eliminate the risk of DDoS attacks completely, there are several measures individuals and organizations can take to mitigate the impact:

1. Implementing robust network infrastructure: Organizations should invest in scalable and resilient network infrastructure that can withstand high traffic volumes. This includes load balancing, traffic filtering, and redundant systems.

2. Utilizing DDoS mitigation services: Professional DDoS mitigation services can help organizations identify, mitigate, and respond to attacks effectively. These services employ advanced techniques like traffic analysis, rate limiting, and behavior-based anomaly detection.

3. Regular security audits: Regular security audits can help identify vulnerabilities that could be exploited in a DDoS attack. By addressing these vulnerabilities promptly, organizations can reduce their risk exposure.

DDoS: An Expensive Type of Attack

A port on a firewall or an IPS device is expensive. There are third-party infrastructure-as-a-service options available on demand. In this case, you don't need to over-provision bandwidth or purchase specialist hardware, as third-party DDoS companies already have the capacity and capability to deal with such attacks.

Content distribution networks help by absorbing DDoS traffic. There are also cloud-based firms specializing in DDoS mitigation. If you are under attack, you can redirect your traffic to their network, where it is scrubbed and sent back. They put a shield in front of your services.

Cloudflare offered a content delivery network and a distributed DNS service. They are known to have protected the LulzSec website from several high-profile attacks. They use reverse proxy technology and an anycast network, enabling them to absorb high-volume DDoS attacks and spread them over a large surface area.

Cloudflare recently experienced an attack using Google IP addresses as a reflector; they called this the Google ACK reflection attack. Cloudflare has special rules so that it never blocks Google's legitimate crawler traffic. In a Google ACK reflection, the attacker sends TCP SYNs to Google with a spoofed source address pointing back at the victim, causing Google to respond to the victim with ACKs (SYN-ACKs). It was resolved by blocking ACKs that had no preceding SYN from the victim.
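The fix described above is a stateful one: an inbound ACK or SYN-ACK is only legitimate if it belongs to a handshake the protected host took part in, which lets the reflected segments be dropped without blocking the reflector's own legitimate connections. The filter below is an added example of that check, not Cloudflare's code; the window, addresses and packet trace are constructed.

```python
SYN, ACK = 0x02, 0x10
SYN_WINDOW = 30.0  # seconds a handshake may stay half-open before it is forgotten


class UnsolicitedAckFilter:
    """An inbound segment carrying ACK is only allowed when it belongs to a
    handshake this host took part in, either a SYN we sent or a SYN we
    received. Reflected SYN-ACKs match nothing and are dropped."""

    def __init__(self, window=SYN_WINDOW):
        self.window = window
        self.pending = {}      # (local_ip, local_port, remote_ip, remote_port) -> SYN time
        self.established = set()

    def handle(self, direction, src, sport, dst, dport, flags, now):
        """Return 'pass' or 'drop' for one TCP segment seen at time `now`."""
        # Forget half-open handshakes that never completed.
        self.pending = {k: t for k, t in self.pending.items() if now - t <= self.window}
        if direction == "out":
            key = (src, sport, dst, dport)
            if flags & SYN and not flags & ACK:
                self.pending[key] = now     # we are the client; expect a SYN-ACK
            return "pass"
        key = (dst, dport, src, sport)      # inbound: key from the local host's view
        if flags & SYN and not flags & ACK:
            self.pending[key] = now         # we are the server; expect the client's ACK
            return "pass"
        if flags & ACK:
            if key in self.established:
                return "pass"
            if key in self.pending:
                self.established.add(key)   # handshake completes
                del self.pending[key]
                return "pass"
            return "drop"                   # ACK/SYN-ACK for a handshake we never started
        return "pass"


def run_trace():
    """Constructed trace: 203.0.113.5 is the protected host, 192.0.2.0/24 the
    third-party servers used as reflectors, 198.51.100.9 a legitimate client."""
    f = UnsolicitedAckFilter()
    trace = [
        ("out", "203.0.113.5", 40001, "192.0.2.10", 443, SYN, 0.0),         # our own SYN
        ("in", "192.0.2.10", 443, "203.0.113.5", 40001, SYN | ACK, 0.1),    # its SYN-ACK
        ("in", "192.0.2.20", 443, "203.0.113.5", 31337, SYN | ACK, 1.0),    # reflected
        ("in", "192.0.2.21", 443, "203.0.113.5", 31338, SYN | ACK, 1.2),    # reflected
        ("in", "198.51.100.9", 55000, "203.0.113.5", 80, SYN, 2.0),         # client SYN
        ("out", "203.0.113.5", 80, "198.51.100.9", 55000, SYN | ACK, 2.1),  # our SYN-ACK
        ("in", "198.51.100.9", 55000, "203.0.113.5", 80, ACK, 2.2),         # client ACK
        ("in", "192.0.2.10", 443, "203.0.113.5", 40001, ACK, 90.0),         # later data ACK
    ]
    return [f.handle(*seg) for seg in trace]
```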

DDoS attacks: Types

There are three main types of DDoS attacks: a) network-centric Layer 4, b) application-centric Layer 7, and c) IPv6 Link-Local DoS attacks. The DDoS umbrella holds many variations: SYN packets usually fill up connection tables, while ICMP and UDP attacks consume bandwidth.

Layer 4 attacks

Layer 4 attacks are the simplest type and have been used to take down companies such as MasterCard and Visa. These attacks use thousands of machines to bring down one. It's a primitive style of attack in which multiple machines send simple packets to a target, attempting to deplete computing resources such as CPU, memory, and network bandwidth.

The connections are standard: they establish fully and terminate as regular connections do, unlike Layer 7 attacks (discussed below). Each connection only lasts a few seconds, so thousands of hosts are needed to overload a single target. Tools for Layer 4 attacks are readily available, for example the Low Orbit Ion Cannon (LOIC), an open-source denial-of-service application written in C#. Layer 4 DDoS attacks are easily traced back and blocked.

Layer 7 attacks

Layer 7 attacks are more sophisticated and usually need only one machine to bring down many. For example, WikiLeaks's whistle-blowing website went down for one day with only one attacker conducting a Layer 7 attack. A Slowloris attack is an elegant Layer 7 attack associated with several high-profile incidents. It opens multiple connections to the targeted web server and keeps them open.

It uses up all the available connections and blocks legitimate traffic; it is designed to keep all the connection tables full. Layer 4 attacks cannot be run through anonymity networks (Tor), but Layer 7 attacks can, due to their low packets-per-second rate. Layer 7 attacks are like guided missiles. Pending requests are held for up to 400 seconds, so you don't need to send many.

Common types of attacks

The most common types of attacks right now are carried out over HTTP; about 80% of the attack surface is coming through HTTP. A Layer 7 HTTP GET attack sends only part of the HTTP GET request. As a result, the server assumes the client is on an unreliable network with fragmented packets and waits for the rest, which ties up resources and freezes all available connections.

All you need is about one packet per second. The R-U-Dead-Yet attack is similar to the HTTP GET attack but uses HTTP POSTs instead of HTTP GETs. It works by sending incomplete HTTP POSTs, which affects IIS servers; IIS is not affected by the Slowloris attack that sends incomplete HTTP GETs. There are other variations called HTTP Keep-Alive DoS; HTTP keep-alive allows 100 requests in a single connection.
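Because these attacks hold connections open by never finishing a request, the server-side signal is "how long has this connection been waiting for a complete header, and how many such connections does one source hold". The monitor below is an added example of that check for the partial-header (Slowloris) case, not code from the original post; the same bookkeeping applied to bytes received against Content-Length covers the slow-POST (R-U-Dead-Yet) variant. Timeout, per-IP limit and the event sample are constructed.

```python
from collections import defaultdict

HEADER_TIMEOUT = 10.0   # seconds a client may take to finish its request header
MAX_SLOW_PER_IP = 5     # more slow connections than this from one IP is flagged


class SlowRequestMonitor:
    """Tracks partially received HTTP requests per connection. A request whose
    header block (terminated by a blank line) has not arrived within the
    timeout is 'slow'; a source holding many slow connections at once is the
    Slowloris pattern."""

    def __init__(self, timeout=HEADER_TIMEOUT, limit=MAX_SLOW_PER_IP):
        self.timeout, self.limit = timeout, limit
        self.conns = {}  # conn_id -> {"ip", "opened", "buf", "complete"}

    def on_open(self, conn_id, ip, now):
        self.conns[conn_id] = {"ip": ip, "opened": now, "buf": b"", "complete": False}

    def on_data(self, conn_id, data):
        c = self.conns[conn_id]
        c["buf"] += data
        if b"\r\n\r\n" in c["buf"]:
            c["complete"] = True  # full header block received; request can be processed

    def slow_connections(self, now):
        """Connections still waiting for a complete header past the timeout."""
        return [cid for cid, c in self.conns.items()
                if not c["complete"] and now - c["opened"] > self.timeout]

    def offenders(self, now):
        """Source IPs holding more slow connections than the limit, with counts."""
        per_ip = defaultdict(int)
        for cid in self.slow_connections(now):
            per_ip[self.conns[cid]["ip"]] += 1
        return {ip: n for ip, n in per_ip.items() if n > self.limit}


def run_sample():
    """Constructed events: 198.51.100.7 drips partial headers over 8 sockets,
    192.0.2.3 is a normal browser, 192.0.2.4 a slow but single mobile client."""
    m = SlowRequestMonitor()
    for i in range(8):
        m.on_open(f"slow-{i}", "198.51.100.7", 0.0)
        m.on_data(f"slow-{i}", b"GET / HTTP/1.1\r\nHost: www.example.com\r\n")
        m.on_data(f"slow-{i}", b"X-a: b\r\n")   # headers keep trickling in, never end
    m.on_open("ok-1", "192.0.2.3", 0.0)
    m.on_data("ok-1", b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
    m.on_open("lagging", "192.0.2.4", 5.0)
    m.on_data("lagging", b"POST /form HTTP/1.1\r\n")
    return m.slow_connections(12.0), m.offenders(12.0)
```

The lagging single client is deliberately not flagged: a header timeout alone would cut off slow but genuine users, which is why the per-source count matters.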

IPv6 DDoS

IPv6 Link-Local DoS

The IPv6 Link-Local DoS attack is an IPv6 RA (Router Advertisement) attack. With this IPv6 attack, one attacker can bring down a whole network, and it only needs a few packets per second. With IPv4 DHCP, the host looks up and retrieves an IPv4 address, a PULL process. IPv6 does not work this way: IPv6 addresses are provided by IPv6 router advertisements, a PUSH process.

The IPv6 router advertises itself to everyone so they can join its networks. It uses multicast to the all-nodes address, which is similar to broadcast: one packet reaches every node. The problem is that an attacker can send out many RA messages, which causes the targets to join ALL of the advertised networks.
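On the switch, RA Guard (RFC 6105) makes this decision per port by dropping RAs that do not arrive from the router's port. The function below is an added example of the same decision made from observed RA messages, not code from the original post: it flags a source that is not the segment's authorized router, and any source whose RA rate or number of distinct advertised prefixes in a one-second window is out of line. The authorized-router set, thresholds and events are constructed.

```python
from collections import defaultdict

RA_RATE_LIMIT = 5    # router advertisements per source per window before alerting
PREFIX_LIMIT = 4     # distinct advertised prefixes per source per window before alerting
WINDOW = 1.0         # seconds


def find_ra_flood(events, authorized_routers, rate_limit=RA_RATE_LIMIT,
                  prefix_limit=PREFIX_LIMIT, window=WINDOW):
    """events: (time, src_link_local, prefix) tuples for RA messages seen on one
    segment. Returns {src: [reasons]} for sources that look like an RA flood or
    are simply not the router that is supposed to be advertising here."""
    counts = defaultdict(int)
    prefixes = defaultdict(set)
    for t, src, prefix in events:
        bucket = (src, int(t // window))
        counts[bucket] += 1
        prefixes[bucket].add(prefix)
    findings = defaultdict(list)
    for src in sorted({s for s, _ in counts}):
        if src not in authorized_routers:
            findings[src].append("RA from a source that is not the segment's router")
    for (src, b), n in counts.items():
        if n > rate_limit:
            findings[src].append(f"{n} RAs in one {window}s window")
        if len(prefixes[(src, b)]) > prefix_limit:
            findings[src].append(f"{len(prefixes[(src, b)])} distinct prefixes in one window")
    return dict(findings)


def run_ra_sample():
    """Constructed sample: the real router fe80::1 advertises one prefix every
    200 s; fe80::bad pushes 50 different prefixes within half a second."""
    events = [(t, "fe80::1", "2001:db8:1::/64") for t in (0.0, 200.0, 400.0)]
    events += [(0.5 + i * 0.01, "fe80::bad", f"2001:db8:{i:x}::/64") for i in range(50)]
    return find_ra_flood(events, {"fe80::1"})
```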

DDoS is a growing problem that gets more sophisticated every year. ISP and user collaboration are essential, but we are not winning the game. Who owns the problem? The end-user doesn’t know they are compromised, and the ISP is just transiting network traffic.

Traffic can quickly pass through multiple ISPs, so how do the ISPs trace it back and coordinate with each other? Who do you hold responsible, and in what way are they accountable? Is it fair to penalize an end-user if they don't know about it? There need to be terms of service with abuse policies. Users should take more control of their computers and understand that anti-virus software is not a complete solution.

DDoS attacks continue to be a persistent threat in the digital world, with potentially devastating consequences for individuals and organizations. By understanding the nature of these attacks and implementing appropriate security measures, we can better protect ourselves and ensure a more secure online environment.

Summary: DDoS Attacks

Cybersecurity remains a paramount concern in today’s interconnected world, where the digital realm is an integral part of our lives. Distributed Denial of Service (DDoS) attacks have emerged as a significant challenge among the various threats lurking in cyberspace. In this blog post, we will delve into the intricacies of DDoS attacks, understand their mechanisms, explore their impact, and discuss preventive measures.

Understanding DDoS Attacks

DDoS attacks, short for Distributed Denial of Service attacks, involve overwhelming a targeted server or network with excessive traffic. These attacks are orchestrated by malicious actors who exploit vulnerabilities in the system to flood it with requests, rendering it unable to respond to legitimate users. The diversity and complexity of DDoS attack techniques make them a formidable threat to online platforms, businesses, and critical infrastructure.

Types of DDoS Attacks

There are various types of DDoS attacks, each with its distinctive characteristics. Some common attack types include:

1. Volumetric Attacks: These attacks aim to saturate the target’s bandwidth, consuming all available network resources and rendering the system unresponsive.

2. TCP State-Exhaustion Attacks: By depleting the target’s connection state table, these attacks disrupt the TCP three-way handshake process, causing service disruptions.

3. Application Layer Attacks: These attacks exploit vulnerabilities in the application layer, overwhelming the target with malicious requests that often mimic legitimate traffic.

Impacts and Consequences

The consequences of DDoS attacks can be severe and wide-ranging. For businesses, an attack can result in financial losses, reputational damage, and erosion of customer trust. Online services may experience prolonged downtime, leading to dissatisfied users and potential revenue decline. Additionally, critical infrastructure sectors, such as healthcare and banking, face the risk of disrupted services, potentially impacting public safety and economic stability.

Preventive Measures

Mitigating the risk of DDoS attacks requires a multi-layered approach. Here are some preventive measures that organizations can adopt:

1. Network Monitoring and Traffic Analysis: Implement robust monitoring systems to detect abnormal traffic patterns and behavior, enabling proactive responses to potential attacks.

2. Scalable Infrastructure: Build a resilient and scalable infrastructure that can handle sudden surges in traffic, reducing the impact of volumetric attacks.

3. Web Application Firewalls (WAF): Employ WAF solutions that can filter and block malicious traffic, preventing application layer attacks from reaching the targeted systems.

4. Content Delivery Network (CDN): Utilize CDN services to distribute traffic across multiple servers, improving availability and mitigating the impact of DDoS attacks.

In conclusion, DDoS attacks significantly threaten the stability and security of online platforms, businesses, and critical infrastructure. Understanding the various attack types and their impacts and implementing preventive measures are crucial steps towards safeguarding against these threats. By staying vigilant, investing in robust cybersecurity measures, and fostering collaboration among stakeholders, we can combat the menace of DDoS attacks and ensure a safer digital environment for all.