What is DDoS and How to Protect Against a DDoS Attack
Publisher: Psychz Networks, January 05, 2015
DDoS Mitigation and Protection
Despite their prevalence, their potentially devastating effects, and the fact that they are relatively easy to enact, it has been estimated that at least 50% of businesses are unprepared for a DDoS attack. This is highly unfortunate and rather troubling, for both consumers and companies, for a myriad of reasons. Consumers lose access to important information and, for companies, the financial consequences can amount to hundreds of thousands of dollars and the damage to their reputation can take a long time to mend. For these reasons, and more, it is essential that companies engage DDoS protection for their servers and remote networks.
What is a DDoS attack?
A DDoS (Distributed Denial-of-Service) attack is an attempt to make network resources or machines unavailable to their users by overwhelming the online service with traffic from numerous sources. The goal is to completely sap a target’s bandwidth, operating system data structures, and/or computing power resources. Virtually any site can be a target for a DDoS attack, with popular choices being those that belong to banks and companies.
How common are DDoS attacks?
DDoS attacks are not rare happenings; indeed, they are rather commonplace, even expected. Recent victims include:
- Sony and Microsoft: Hackers managed to take both the PlayStation Network (PSN) and Xbox Live offline on Christmas Day. Microsoft recovered after 24 hours, but it took the PSN two full days to come back online. Arrests have been made as of mid-January 2015. (This is not the first time Sony has been successfully attacked with DDoS tactics.)
- Columbia, Missouri’s city website as well as that of the radio station KOMU-8 were brought down by a man referring to himself as “Bitcoin Baron,” supposedly in retaliation for a 2010 SWAT raid.
- DDoS attacks on North Korea DNS servers effectively shut down the entire country’s internet access. There is speculation that it was done as an answer back to North Korea’s supposed attack on Sony.
- Blizzard Entertainment’s 2014 release of World of Warcraft expansion pack was marred by a DDoS attack.
- Other victims through the years: the CIA, the NHS, the Arizona State Police, 20th Century Fox, News International, and a variety of others.
Gaming companies and services are popular targets due to their visibility, popularity, and how easy they are to disrupt.
In the upcoming year, there is both good news and bad news regarding DDoS attacks. The good news is that the incident rate of DDoS attacks is decreasing; the bad news is that the number of attacks is quite large—the rate may decrease, but it is still incredibly high. In fact, in 2014, one security company mitigated 940,789 cases of DDoS attacks. Additionally, like most criminal enterprises, those that perpetrate these attacks are only growing more sophisticated, working smarter, not harder, to spread their particular brand of cyber mischief.
Different types of DDoS attacks
DDoS attacks are categorized by the OSI layer that they attack; while there are seven layers in total, only three of them are targeted during DDoS attacks—layers 3, 4, and 7.
- Layer 3 attacks: In the OSI model, layer 3 is the network layer, which means that it provides the means of transferring datagrams from one node to another on the same network. A layer 3 attack focuses on saturating the target site’s bandwidth in order to render the site unusable; the magnitude of the attack is measured in bits per second (bps).
- UDP floods: Bombards random ports on a remote host with a multitude of UDP (User Datagram Protocol) packets, which then causes the host to continuously check for the application listening at that port. Upon not finding an application, the host replies with an ICMP Destination Unreachable packet. UDP floods use up host resources, causing inaccessibility to the site.
- ICMP floods: Also called “ping floods,” an ICMP flood rapidly overloads the target by sending ping (ICMP) packets as quickly as possible without waiting for a reply. Incoming and outgoing bandwidth is affected by this type of attack, which, naturally, causes an overall slowdown of the system.
- Layer 4 attacks: Layer 4 of the OSI model is concerned with transport protocol; its function is to transfer data sequences from a source to a destination host by traveling through one or more networks. The goal of a layer 4 attack is to consume the actual server resources, or the resources of firewalls and load balancers. It is measured in packets per second.
- SYN flood: A SYN request is sent to the target in order to initiate a TCP connection; when the target host responds with a SYN-ACK response, the attacking computer either does not respond or sends the requests from a spoofed IP address. The targeted system will continue to wait for a response from every request, eventually tying up resources so that no new connections can be forged and service is denied to legitimate users.
- Ping of death: A packet containing more than 65,536 bytes (the limit defined by the IP protocol) is split into several IP packets when it is transferred to the target. The target reassembles them into the oversized packet, which overflows memory buffers, causing crashes, reboots, and denial of service to legitimate users.
- Reflected attacks: One of the most disastrous types of attack, reflected attacks ping phony data packets to numerous computers (as many as possible). When the computers respond, they do not reply back to the source of the packets, but to the IP address of the victim. This kind of attack can involve thousands of computers all pinging data back to a single target, resulting in massive slowdown and service denial.
- Layer 7 attacks: Layer 7 is the application layer and the layer closest to the user. These attacks are more sophisticated, as they mimic human behavior to interact with the user interface. They target the vulnerabilities of OpenBSD, Windows, Apache, and others by using requests that seem legitimate to crash a web server. The magnitude of application layer attacks is measured in requests per second.
- Slowloris: Allows one server to take out another server without affecting any other ports or services on the targeted network. Slowloris accomplishes this by opening many connections to the target and holding them open by only sending a partial request. The target keeps all of these connections open, which overloads the maximum concurrent connection pool, leading to denial of service.
- NTP amplification: The publicly-accessible NTP (Network Time Protocol) servers are exploited and overwhelmed with UDP traffic. The ratio of query to response can be between 1:20 and 1:200 (and sometimes higher), making NTP amplification an alarmingly easy way to take down targeted sites.
- HTTP flood: HTTP GET or POST requests, which seem legitimate, are exploited in order to attack a server or application. This type of attack requires less bandwidth than its DDoS counterparts.
- Zero-day DDoS Attacks: This is a term that refers to new methods of DDoS attacks that exploit vulnerabilities in new ways.
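One way a server or proxy can blunt the Slowloris pattern described in the list above, shown as an added example that is not from the original article: enforce an absolute deadline for receiving complete request headers and cap header-incomplete connections per source. The `Conn` record, both thresholds and the sample connections are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

HEADER_DEADLINE = 10.0    # seconds allowed to deliver complete headers (assumed value)
MAX_PENDING_PER_SRC = 3   # header-incomplete connections allowed per source (assumed value)

@dataclass
class Conn:
    conn_id: int
    src: str
    opened_at: float      # seconds on a monotonic clock
    received: bytes       # bytes read from the client so far

def headers_complete(buf: bytes) -> bool:
    # An HTTP/1.x request head ends with an empty line (CRLF CRLF).
    return b"\r\n\r\n" in buf

def connections_to_close(conns, now):
    """Return {conn_id: reason} for connections the server should drop."""
    pending = [c for c in conns if not headers_complete(c.received)]
    per_src = Counter(c.src for c in pending)
    verdicts = {}
    for c in pending:
        # The deadline runs from accept time, not from the last byte seen:
        # an idle timeout is reset by every trickled header line.
        if now - c.opened_at > HEADER_DEADLINE:
            verdicts[c.conn_id] = "header deadline exceeded"
        elif per_src[c.src] > MAX_PENDING_PER_SRC:
            verdicts[c.conn_id] = "too many pending connections from source"
    return verdicts

# Constructed sample state (documentation addresses from RFC 5737).
PARTIAL = b"GET / HTTP/1.1\r\nHost: example.test\r\nX-a: b\r\n"  # no blank line yet
FULL = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
SAMPLE = (
    [Conn(i, "198.51.100.7", 60.0 + i, PARTIAL) for i in range(5)]  # held open, never finished
    + [Conn(10, "203.0.113.9", 99.0, PARTIAL)]                      # slow but recent client
    + [Conn(11, "203.0.113.9", 40.0, FULL)]                         # long-lived, headers done
)

if __name__ == "__main__":
    for cid, why in sorted(connections_to_close(SAMPLE, now=100.0).items()):
        print(cid, why)
```
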
Preventing DDoS attacks
There is no way to prevent a DDoS attack. However, there are a variety of mitigation and protection techniques that can limit the damage caused by DDoS attacks.
DDoS Mitigation Techniques
There are two broad categories of DDoS techniques—general and filtering.
How do DDoS mitigation and DDoS protection techniques work?
DDoS attacks are, by their very nature, brute force attacks. This means that their method uses an endless barrage of data to constantly pound their target until it crashes and is rendered useless. If DDoS attacks were petty criminals, they would be the type to bust down a door and beat the owner until he gave them what they wanted—not the type that sneak in through windows and creep around the house until they find what they want, and then leave silently. DDoS protection and mitigation tactics, therefore, work by decreasing overall system susceptibility and employing filtering techniques that separate legitimate requests from those that are likely to be harmful.
General DDoS protection techniques
To use the home invasion analogy from above, general DDoS protection techniques are the walls and reinforced doors and windows that are put in place to stop attacks from reaching the house or, in this case, network. The items listed below are general DDoS protection and mitigation techniques; they should be used in conjunction with more specific DDoS mitigation countermeasures.
- Security patches: Administrators should be sure to routinely check for and install any system updates and patches. Maintaining the basic defenses of a network is critical to its overall safety.
- Firewalls: Firewalls will not save a system, even those that claim to have DDoS protection built in. However, they are useful as a first line of defense, as they can prevent simple flooding attacks from reaching their target, but they grow more useless as the attack’s level of complexity rises.
- IP Hopping: Changing the IP address of the active server can make it harder for hackers to find when they are preparing an attack.
DDoS mitigation techniques
DDoS mitigation techniques are the second line of defense and offer a targeted approach. They are a bit more sophisticated and are tailored to combat specific types of attacks. Examples of DDoS mitigation tactics include the following:
- SYN Proxy: SYN Proxy is a way to detect SYN flood attacks. Before allowing connection requests through to the server, SYN Proxy requires all IPs to respond with the ACK, forwarding only legitimate requests to the server.
- Source rate limiting: Source rate limiting is a mitigation technique that is most helpful when the attack originates from a limited number of IP addresses. By performing analyses on IP address behavior, it is possible to identify those that are behaving outside of the norm and then deny them access to excessive amounts of bandwidth.
- Blacklist/whitelist: Allows the administrator to decide which specific IP addresses to allow onto the network and which to ban from it.
- Aggressive aging: Idle connections are removed from connection tables in servers and firewalls, which prevents them from tying up network resources.
- Anomaly recognition: Anomaly recognition checks network packets’ header, state, and rate and filters out attack packets that would normally bypass a firewall.
- Dark address prevention: Dark addresses are IP addresses that have not been assigned by IANA. Packets coming from or traveling to a dark address are a sign of spoofing; blocking these addresses enables the user to block spoofed DDoS packets.
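The SYN Proxy item above, modelled as an added example that is not from the original article. It assumes the proxy uses SYN cookies, a common stateless way to verify the final ACK; the article does not say which mechanism is meant. The secret, slot length, addresses and the simplified cookie (real implementations also encode options such as MSS) are constructed for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # assumption: per-proxy key, rotated in practice
SLOT = 64                            # seconds per cookie time slot (assumed value)
MOD = 2 ** 32                        # TCP sequence numbers are 32-bit

def cookie(flow, client_isn, slot):
    """Proxy ISN derived from the flow 4-tuple, the client's ISN and a time slot."""
    msg = repr((flow, client_isn, slot)).encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")

class SynProxy:
    def __init__(self):
        self.forwarded = []  # flows handed on to the protected server
        # Deliberately no table of half-open connections: a SYN costs no memory.

    def on_syn(self, flow, client_isn, now):
        """Return the sequence number for the SYN-ACK (its ack is client_isn + 1)."""
        return cookie(flow, client_isn, now // SLOT)

    def on_ack(self, flow, seq, ack, now):
        """Forward only if the ACK echoes a cookie this proxy issued recently."""
        client_isn = (seq - 1) % MOD
        for slot in (now // SLOT, now // SLOT - 1):
            expected = (cookie(flow, client_isn, slot) + 1) % MOD
            if hmac.compare_digest(expected.to_bytes(4, "big"), (ack % MOD).to_bytes(4, "big")):
                self.forwarded.append(flow)
                return True
        return False

def demo():
    proxy, server = SynProxy(), ("192.0.2.10", 443)  # constructed addresses (RFC 5737)
    # 1000 SYNs with spoofed sources: the SYN-ACKs go nowhere, so no ACK ever arrives.
    for i in range(1000):
        proxy.on_syn((f"198.51.100.{i % 250}", 1024 + i, *server), i, now=1000)
    # A real client receives the SYN-ACK and answers with ack = cookie + 1.
    flow = ("203.0.113.5", 40000, *server)
    c = proxy.on_syn(flow, 12345, now=1000)
    legit = proxy.on_ack(flow, 12346, (c + 1) % MOD, now=1010)
    # An ACK from a host that never saw a SYN-ACK has to guess the 32-bit cookie.
    blind = proxy.on_ack(("198.51.100.1", 1025, *server), 2, 0, now=1010)
    # The same valid ACK presented after the cookie's time slots have passed.
    stale = proxy.on_ack(flow, 12346, (c + 1) % MOD, now=1000 + 3 * SLOT)
    return legit, blind, stale, proxy.forwarded
```

Only the flow that completed the handshake reaches `forwarded`; the spoofed SYNs leave nothing behind for aggressive aging to clean up.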
How does remote DDoS protection work?
Remote DDoS protection stops DDoS attacks from taking a site offline without making changes to the site’s hosting. When a site activates remote DDoS protection from their provider, the provider changes the site’s DNS to direct incoming site traffic to their IP. This has two key benefits:
- It hides the user’s actual IP address from those with nefarious purposes.
- When the traffic is directed to their IP, it is filtered through their DDoS mitigation system. Legitimate visitors will be forwarded back to the user’s site, while any attack traffic is blocked from entering.
The entire process is extremely simple and, most importantly, very beneficial to the user.
Benefits of remote DDoS protection
- The most obvious benefit is that which comes directly from utilizing such services—traffic that would otherwise wreak havoc on a server is stopped at the gate, so to speak, while legitimate traffic is allowed to pass through to the site.
- Not having to change the site’s current hosting means that this protection can be set up within minutes.
- Many sites only require DDoS services periodically throughout the year, such as during holiday seasons, when cyber criminals apparently find their holiday joy by ruining the holiday plans of others. Instead of employing costly, full-time DDoS protected hosting, the service can be engaged only when it is needed.
Remote DDoS protection is not recommended for companies who require top-notch performance as well as constant protection, such as banks and other financial institutions, government websites, and, given the frequency at which they are hacked, gaming companies.
Questions to ask a DDoS mitigation provider
Not every DDoS mitigation provider is created equal; a company that engages such services will only benefit from them if the provider is competent. Discerning this is relatively easy if the right questions are asked.
- How long has the provider been offering DDoS protection and mitigation services?
- Is there an agreement that guarantees mitigation within a certain period of time after attack?
- What is the provider’s response time?
- What is the rate of false positives and what steps does the provider take in order to ensure that legitimate traffic is not blocked?
- Are attack reports available?
- What level of protection does the provider offer and where do they fit in within the market?
- How does the provider protect against more complex DDoS attacks and how do they respond to the constantly evolving tactics of hackers’ DDoS attack techniques?
- Are routers monitored for volumetric attacks?
- Is real-time analysis provided? If so, is it detailed and sophisticated enough to be able to determine the type of attack being used?
DDoS protection for servers and networks should be a priority for companies wishing to remain online and available. The consequences of not doing so can have long-lasting financial and reputational effects; therefore, care should be taken to fully understand DDoS attacks and the techniques used against them.