Examining the Threat of DDoS

Background

Roughly fifteen years ago as broadband internet was beginning to expand throughout North America, I like many other teenagers was reaping the benefits as an avid online gamer.  When latency and ping times steadily began to drop, first person shooter (FPS) games like Quake and Counterstrike developed massive followings.  The subsequent corporate backing of online gaming led to the establishment of professional leagues that featured large cash prizes.  It was through those leagues that I was first introduced to a more sinister evolution in technology: the distributed denial of service (DDoS) attack-which occur when an attacker uses multiple sources to redirect internet traffic towards a single target with the goal of service denial.  Users in high profile matches were often victimized by DDoS attacks resulting in rapid ping (latency) spikes that made the games unplayable.  This malicious technique would continue to evolve over the next 10 years.  In late 2016 the Mirai botnet made global news when it was utilized in a then record breaking (1.3 Tbps) DDoS attack against DYN.  The attack resulted in mass service outages for some of the most prominent websites on the internet (Twitter, Netflix, CNN).  In the aftermath, Centurylink Chief Security Strategist Dale Drew (formerly of Level 3) shocked a congressional panel when he revealed that the attacks perpetrator was not a nation-state or an advanced threat group, but rather a single angry gamer who had rented the Mirai botnet on the darkweb for a mere $7500.  Today, DDoS attacks are easily performed and represent a serious threat to large organizations both public and private.  According to Kaspersky Labs “IT Security Risks Survey 2017”, the number of organizations affected by DDoS nearly doubled from the previous year, with average enterprise protection costs rising to an estimated 2.3 million dollars annually.  Arbor Networks, a well known provider of DDoS mititgation services recently observed the largest attack in history (reported at 1.7 Tbps), stating afterwards that “[they] see thousands of DDoS attacks per day-millions per year.”  As the world becomes increasingly more reliant on both technology and the internet; the scale, frequency, and serverity of DDoS attacks will continue to increase.  Even more troubling is the fact that attackers continue to develop new ways to generate DDoS, further increasing the difficulty of keeping networks and devices safe.

DDoS Attack Types

  • SYN Flood
    • One of the most common attacks.  Consists of sending multiple TCP SYN requests to a target with intention of consuming enough resources to make that target unavailable.
  • UDP Flood
    • Similar to the SYN flood.   Botnets are typically utilized to send a significant amount of traffic to a target server.  The result is an accelerated attack process that seeks to consume all of the targets available bandwidth as opposed to its resources, denying service in the process.  UDP packets are received by the target, who then checks for applications listening on a specific port and then sends an ICMP reply in return.
  • SMBLoris
    • An application-level attack that takes place when a malicious actor opens up multiple SMB connections to a target.  The process by which SMB packets are handled results in the consumption of available memory and denial of service.
  • ICMP Flood
    • Botnets are utilized to send a large number of ICMP packets to a target while attempting to consume all available bandwidth.  Different variables can be utilized when sending requests such as ‘ping’ that increase bandwidth and frequency, resulting in denial of service.
  • HTTP GET Flood
    • The generation of a significant number of HTTP GET requests towards a target allows for the consumption of all available resources.  While the target attempts to respond to each request, the malicious actor will send them continuously until achieving the desired result.
  • Reflection Attacks with Amplification
    • Memcached
      • Lack of authentication requirements with regards to the UDP protocol and manipution of memcached servers allows for significant amplification of server response.  The result of this attack is a massive generation of bandwidth (1.7 Tbps) from relatively few sources directed towards a target, resulting in consumption of bandwidth and denial of service.
    • NTP Attack
      • Manipulation of NTP servers allows for a significant amount of traffic to be redirected towards a specified target, leading to the consumption of all available bandwidth. Specific commands can be  sent to multiple NTP servers, increasing both response size and frequency.
    • DNS Attack
      • Manipulation of DNS system allows for a significant amount of traffic to be redirected towards a specific target, leading to the consumption of all available bandwidth.  Options may be specified by an attacker to increase DNS response size from a large number of servers, facilitating rapid denial of service.

DDoS attacks are most common at layers 3, 4, 6, and 7 of the OSI model.

Mitigation Strategies

  • Awareness of what your service provider offers in terms of DDoS mitigation assistance is crucial.
  • Consider purchasing DDoS mitigation services from an alternate provider (Cloudflare, Arbor Networks, Akamai).
  • Limit the attack surface of your public facing server/device – if users do not have a need to interact with specific resources or ports, ensure those resources are not accessible and that non-critical ports do not accept incoming traffic.
  • Permit firewall logging of accepted and denied traffic to assist in locating the source of an attack.
  • Enforce “TCP keepalive” and “maximum connection” on network perimeter devices (SYN flood).
  • Enforce port and packet size filtering (firewall or ISP level).
  • Monitor traffic patterns for all public facing servers and devices.
  • Ensure up-to-date patches are applied after appropriate testing.
  • Configure firewalls to block inbound traffic coming from reserved IP addresses, loopback, private, and multicast addresses.
  • Implement server side rules that only allow processes to run at the minimum level necessary to faciliate operation.
  • Configure firewall and IDS/IPS alarms to detect unusual traffic patterns.
  • Construct a security policy that specifically outlines what to do in the event of a DDoS attack to include alternative communicative strategies and other critical safeguards.

SOURCES

Arbor Networks, https://www.arbornetworks.com/the-history-of-ddos
Security Week, https://www.securityweek.com/disgruntled-gamer-likely-behind-october-us-hacking-expert
CIS, https://www.cisecurity.org/white-papers/technical-white-paper-guide-to-ddos-attacks/
Amazon, https://d0.awsstatic.com/whitepapers/Security/DDoS_White_Paper.pdf
The Hacker News, https://thehackernews.com/2018/03/memcached-ddos-exploit-code.html
WIRED, https://www.wired.com/story/creative-ddos-attacks-still-slip-past-defenses/
Kaspersky Labs, https://usa.kaspersky.com/about/press-releases/2017_kaspersky-lab-research-shows-ddos-devastation-on-organizations-continues-to-climb
ITPro, http://www.itpro.co.uk/distributed-denial-of-service-ddos/30695/us-firm-fends-off-the-largest-ddos-attack-ever-recorded