(Currently under DDoS attack? We can shut it down. Before reading this article, contact Reblaze first.)
On October 21, 2016, a profusion of bots trained their considerable firepoweron the DNS provider Dyn, resulting in North American and European customers losing access to services. The list included Airbnb, Twitter, the Swedish Government, and Zillow, among others.
The attack on Dyn was the largest DDoS ever seen, but the record that it set lasted only 15 months. In February 2018, an attack on famed code repository Github reached 1.35 Tbps. Just five days after that, an attack targeting a US-based service provider had a magnitude of 1.7 Tbps.
Obviously, DDoS attacks can be very dramatic. But an attack doesn’t need to be record-setting in order to be effective. It merely needs to be just large enough to overwhelm the target’s defenses. Last year, notable attacks included:
- The hits on Dutch banks ABM AMRO, ING, and Rabobank (along with the Dutch Tax Service) between January and May.
- The attacks perpetrated against US-based cardrooms PokerStars and PartyPoker during tournaments in August.
- A massive DDoS attack on the University of Edinburgh in September.
- September’s offensive against Oklahoma City Public School’s Infinite Campus parent portal.
DDoS assaults of various sizes have become very common; around the world, on any given day, there are usually one or more attacks going on. If your organization hasn’t been targeted recently, it probably will be soon.
In this article, we’ll discuss DDoS: the different kinds of attacks, the common mistakes made in DDoS mitigation attempts, and how to protect your organization from them.
DoS vs. DDoS
A denial-of-service (DoS) attack is an attempt to make a resource unavailable to its users by disrupting its services. This is typically done by flooding the target with an overwhelming number of requests, or otherwise consuming the target’s resources so that it cannot respond appropriately to legitimate requests. Targets can be chosen for a variety of motives: as an attempt to profit from extortion, or for political activism, or to attack a competitor within the same industry, or a variety of other motives.
What’s in a “D”? The Distributed Denial-of-Service Attack
Single-source DoS attacks were once considered a significant threat. Today they generally do less damage; most websites are distributed (e.g. via CDNs) and can access far greater bandwidth than a single attacking machine can hope to saturate.
Therefore, attackers today usually distribute their workloads among many nodes, and wage DDoS (distributed denial-of-service) attacks.
From Brute Force to Surgical Precision
DDoS attacks can vary widely in their volume and timing. They can range from continuous brute-force flooding to short intermittent bursts.
The former is the typical approach for DDoS extortion attempts. The attacker tries to take the victim’s web applications completely offline until a ransom is paid. The goal is to cause as much direct revenue loss as possible.
The latter is often seen between competitors within an industry, in order to achieve a specific business goal. For example, an online gaming server might wage a very short DDoS against a competing server. The attack will last just long enough to knock down the target (which kicks off all the players that had been logged in). After this, the attacker waits a few minutes, so that the server can come back up, and the players on that server can log back in. Then another burst of DDoS kicks everyone off again, and the cycle repeats. The attacker’s goal is for the players to become frustrated so that they will switch their accounts to a different server — preferably his.
Some attacks don’t even attempt to make the targeted system unavailable; they merely seek to degrade its performance. For example, a company might wage a low-level DDoS against a competitor to drive up the response time for the targeted system. It’s a well-documented fact that when website response times rise, conversion rates will fall. It can also increase the expenses for the victim. For example, when response times rise above a certain Quality of Service threshold, many web applications will automatically deploy more compute or server resources.
DDoS attacks can vary widely in their scale, persistence, and goals. They can also vary in their intended target: sometimes it will be a server, while at other times it will be an intermediate device such as a router or firewall. Each attack depends on the attacker’s motivation, skillset, and available resources.
Common Attack Methods
Researchers and threat actors have discovered a wide variety of ways to commit DDoS. It can be helpful to organize them into these category:
- Malformed requests that are meant to crash or otherwise adversely affect the targeted system.
- Legitimate requests that are sent for illegitimate purposes.
- Volumetric attacks, designed to flood the target with an overwhelming volume of (seemingly) legitimate requests. This is the most common, and usually the most dramatic, form of DDoS.
Let’s discuss each one.
Malformed requests are based on invalid packets, or segments that are intended to be assembled into invalid requests. A well-known example is the Ping of Death attack, which was able to crash systems using an older implementation of TCP/IP.
Malformed-request attacks do not make up a large portion of DDoS assaults today. To be successful, these attacks rely on the targeted system being unable to correctly process the requests that are sent. (For example, the Ping of Death would cause a buffer overflow.) So, if the targeted system can handle that particular input without throwing an error, then sending a higher volume of those inputs won’t make the attack any more effective.
Therefore, if a malformed-request attack works at all, it can usually do so without needing distributed resources, and an attacker will just wage a DoS instead of a DDoS.
Legitimate Requests (sent in small volumes)
Many attacks are based on packets that are not malformed or invalid — the attacker sends legitimate requests, but with malicious intent.
For example, an HTTP POST attack sends a valid HTTP POST header, which includes a large value (perhaps up to 2 GB) for the size of the message’s content. The server will then wait for this large message body to be sent, but the attacker deliberately sends the content extremely slowly (perhaps one byte every 90 seconds). It takes an extremely long time for this to be completed. Meanwhile, the attacker establishes other connections (perhaps hundreds or thousands), each of which does the same thing. Eventually all of the server’s resources for incoming connections are consumed.
This type of attack does not require a saturation of the target’s network resources in order to be effective. Note that in the example above, even though the targeted system could still have plenty of bandwidth and CPU cycles available, the server is still unable to respond to legitimate users.
This is the prototypical DDoS attack — the type of attack that most people think of when DDoS is mentioned. Indeed, the majority of DDoS incidents are volumetric assaults. The goal is to saturate a network device’s resources and/or bandwidth, making it unable to process legitimate requests.
To achieve sufficient volume, the attackers must leverage distributed resources. Typically the requests originate from a network of bots. In the past, this usually meant zombie machines, although with the rise of IoT (Internet of Things) attacks, the definition of “bot” has grown broader.
Volumetric attacks can attempt to overwhelm the target with simple requests: for example, ping floods. Or, they can rely on requests which consume large amounts of resources to process (such as database reads, CPU cycles, etc.) Challenge Collapsar attacks are an example of this.
Often, the target will receive many requests that weren’t sent directly by the originating bots. There are many ways to amplify the traffic that is sent to the target (thus creating an amplification attack).
For example, a request to a DNS server can (depending on the information that’s requested) result in an answer that is up to 179 times as large as the original request. Thus, bandwidth is amplified by a factor of up to 179. If the requestor’s source IP address is spoofed to be the victim’s, then each time a request is submitted, the answer is reflected to the victim rather than the actual source (making this also a reflection attack). This will create incoming traffic to the target that’s far larger than the bandwidth required to wage the attack.
Some reflection attacks rely on misconfigured networks: for example, Smurf attacks use a broadcast IP address to cause multiple devices on a network to “reply” to the target. Other reflection attacks exploit software vulnerabilities, such as the memcached assaults in early 2018 (which allowed attackers to achieve an amplification factor of 50,000).
How Not to Mitigate a DDoS Attack
For many victims, being on the receiving end of a DDoS is bewildering. Many security solutions do not provide full visibility into incoming traffic. Therefore, when a DDoS occurs, the only thing that’s known for sure is that their web applications have become non-responsive to their customers.
The problem is exacerbated when the targeted network relies on an on-premise security appliance. These devices require continual maintenance, patching, and updating to stay current. When a new exploit is seen in the wild, it often takes time for a patch to be issued, and for busy staff members to install it. Meanwhile, the organization’s web applications are vulnerable.
A worse problem is that on-premise security solutions are, by their nature, unable to fully mitigate a modern DDoS. Volumetric attacks can saturate the incoming internet pipe before the attack traffic reaches an on-premise appliance for filtering. This can result in the upstream ISP being overwhelmed and blackholing all incoming traffic, which cuts off the targeted network from the Internet. (Which is exactly the result that the attacker was hoping to achieve.)
Successful DDoS Mitigation
An effective defense against DDoS requires multiple things:
- Traffic scrubbing that occurs upstream from the ISP.
- Dynamic processing (going beyond packet inspection to maintain session context and analyze resource usage over time).
- Comprehensive protection (against all known forms of DoS and DDoS)
- Immediate and automated updates as new forms of attack arise.
- Autoscaling of bandwidth and other resources to absorb even massive volumetric attacks.
- Full visibility into incoming traffic (showing all details for all requests).
- The ability to accurately identify and track individual requestors even as they attempt to evade rate limiting (for example, by switching IP addresses).
- A single-tenant environment, so that each protected network is not affected by DDoS attacks aimed at others.
On-premise solutions cannot fulfill these requirements. Achieving this kind of protection requires a cloud security platform.
Even then, it is difficult to find a cloud solution that can provide all the benefits listed above. One that can is Reblaze. Reblaze offers multi-layer DDoS protection, as part of its comprehensive web security platform.
Or, just contact us directly.