What is DDoS?

A DDoS (Distributed Denial of Service) attack is an attempt to exhaust the resources available to a network, application or service so that genuine users cannot gain access. 

Beginning in 2010, and driven in no small part by the rise of Hacktivism, we’ve seen a renaissance in DDoS attacks that has led to innovation in the areas of tools, targets and techniques.

Today, the definition of a DDoS attack continues to grow more complicated. Cyber criminals utilize a combination of very high volume attacks along with more subtle and difficult-to-detect infiltrations that target applications as well as existing network security infrastructure such as firewalls and IPS.

What are the different types of DDoS Attacks?

Distributed Denial of Service attacks vary significantly, and there are thousands of different ways an attack can be carried out (attack vectors), but an attack vector will generally fall into one of three broad categories:

Volumetric Attacks:

Volumetric attacks attempt to consume the bandwidth either within the target network/service, or between the target network/service and the rest of the Internet. These attacks are simply about causing congestion.

TCP State-Exhaustion Attacks:

TCP State-Exhaustion attacks attempt to consume the connection state tables which are present in many infrastructure components such as load-balancers, firewalls and the application servers themselves. Even high capacity devices capable of maintaining state on millions of connections can be taken down by these attacks.

Application Layer Attacks:

Application Layer attacks target some aspect of an application or service at Layer 7. These are the deadliest kind of attacks, as they can be very effective with as few as one attacking machine generating a low traffic rate, which makes them very difficult to proactively detect and mitigate. Application layer attacks have come to prominence over the past three or four years, and simple application layer flood attacks (HTTP GET floods etc.) have been some of the most common denial of service attacks seen in the wild.

Today’s sophisticated attackers blend volumetric, state-exhaustion and application-layer attacks against infrastructure devices in a single, sustained attack. These cyber attacks are popular because they are difficult to defend against and often highly effective.

The problem doesn’t end there. According to Frost & Sullivan, DDoS attacks are “increasingly being utilized as a diversionary tactic for targeted persistent attacks.” Attackers are using DDoS tools to distract the network and security teams while simultaneously trying to inject advanced persistent threats such as malware into the network, with the goal of stealing IP and/or critical customer or financial information.


DDoS Attack Glossary

| Attack Type | TMS Protection | APS Protection | Notes |
|---|---|---|---|
| LAYER 3 - Network | | | |
| ICMP Flood | Yes | Yes | |
| IP/ICMP Fragmentation | Yes | Yes | |
| BGP Hijacking | Yes (SP) | - | Note 1 |
| LAYER 4 - Transport | | | |
| IPSec Flood (IKE/ISAKMP association attempts) | Yes | Yes | Note 2 |
| UDP Flood | Yes | Yes | |
| SYN Flood | Yes | Yes | |
| Other TCP Floods (varying state flags) | Yes | Yes | |
| LAYER 5 - Session / LAYER 6 - Presentation | | | |
| SSL Exhaustion | Yes | Yes | Note 3 |
| Long Lived TCP sessions (slow transfer rate) | Yes | Yes | |
| Others Connection/Flood/Exhaustion | Yes | Yes | Note 4 |
| DNS query/NXDOMAIN floods | Yes | Yes | Note 5 |
| LAYER 7 - Application | | | |
| Slowloris | Yes | Yes | Note 6 |
| Slow Post | Yes | Yes | |
| Slow Read | Yes | Yes | Note 7 |
| HTTP/S Flood | Yes | Yes | Note 8 |
| CVE Attack Vectors | - | - | Note 9 |
| Various other Layer 7 protocol floods (SMTP, DNS, SNMP, FTP, SIP) | Yes | Yes | Note 10 |
| Database Connection Pool Exhaustion | - | - | Note 11 |
| Resource Exhaustion | Yes | Yes | Note 12 |
| Large Payload POST requests | Yes | Yes | Note 13 |
| Mimicked user browsing | - | - | Note 14 |


ICMP Flood

Ping flood, also known as ICMP flood, is a common Denial of Service (DoS) attack in which an attacker takes down a victim's computer by overwhelming it with ICMP echo requests, also known as pings.

IP/ICMP Fragmentation

IP fragmentation attacks are a common form of denial of service attack in which the perpetrator overwhelms a network by exploiting datagram fragmentation mechanisms.
Understanding the attack starts with understanding the process of IP fragmentation, a communication procedure in which IP datagrams are broken down into smaller packets, transmitted across a network and then reassembled into the original datagram.
Fragmentation is necessary for data transmission, as every network has its own limit on the size of datagrams it can process. This limit is known as the maximum transmission unit (MTU). If a datagram being sent is larger than the receiving server's MTU, it must be fragmented to be transmitted completely.

BGP Hijacking

BGP hijacking (sometimes referred to as prefix hijacking, route hijacking or IP hijacking) is the illegitimate takeover of groups of IP addresses by corrupting Internet routing tables maintained using the Border Gateway Protocol (BGP).

IPSec Flood (IKE/ISAKMP association attempts)

The Internet Key Exchange (IKE & IKEv2) protocol is used to facilitate secure key exchanges between peer devices in the IPsec protocol suite. It sees wide use and active deployment in multiple secure tunneling applications such as VPN products from major vendors and open source projects. IKE relies on the UDP protocol, which by its very nature offers a reflection opportunity, just like any other UDP-based protocol. Amplification is the measure of what is sent vs. what is received, and this measure is what makes one UDP protocol useless for DDoS, while others see wild popularity and are leveraged in thousands of campaigns around the Internet.

UDP Flood

In a UDP Traffic Flood attack, a UDP request with a spoofed source address is broadcast to random ports on a large number of computers. When the computers find no application on the requested ports, they flood the target host with “ICMP destination unreachable” packets.

SYN Flood

A TCP SYN flood attack renders a web server unable to handle new connection requests. It drives all of the target server’s communications ports into a half-open state. It achieves this result by preventing the completion of the TCP three-way handshake between client and server on every port. The handshake must be completed before a communications port between the client and server can be fully open and available.
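The half-open state described above is visible in a server's own socket table, so a defender can spot a SYN flood without any special appliance. The following is an added example, not code from the original page or from Arbor: it parses constructed `ss -tan`-style output and flags a port where half-open (SYN-RECV) sockets dominate the established ones. The thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample in the style of `ss -tan` output (not a real capture):
# a handful of ESTABLISHED sockets and a burst of SYN-RECV (half-open) ones
# on port 443 from many different peers, the signature of a SYN flood.
SAMPLE_SS_OUTPUT = """\
State     Recv-Q Send-Q Local:Port    Peer:Port
ESTAB     0      0      10.0.0.5:22   203.0.113.9:40000
ESTAB     0      0      10.0.0.5:443  203.0.113.10:50112
ESTAB     0      0      10.0.0.5:443  203.0.113.11:50113
SYN-RECV  0      0      10.0.0.5:443  198.51.100.1:1024
SYN-RECV  0      0      10.0.0.5:443  198.51.100.2:1025
SYN-RECV  0      0      10.0.0.5:443  198.51.100.3:1026
SYN-RECV  0      0      10.0.0.5:443  198.51.100.4:1027
SYN-RECV  0      0      10.0.0.5:443  198.51.100.5:1028
SYN-RECV  0      0      10.0.0.5:443  198.51.100.6:1029
"""

def parse_socket_table(text):
    """Return (state, local_port, peer_ip) for each data row of ss-style output."""
    rows = []
    for line in text.splitlines()[1:]:           # first line is the column header
        parts = line.split()
        if len(parts) >= 5:
            local_port = int(parts[3].rsplit(":", 1)[1])
            peer_ip = parts[4].rsplit(":", 1)[0]
            rows.append((parts[0], local_port, peer_ip))
    return rows

def half_open_report(text, warn_ratio=0.7, min_half_open=5):
    """Per local port, count half-open (SYN-RECV) against established sockets.
    A port is flagged when half-open sockets are numerous AND dominate the
    table: ordinary load adds ESTABLISHED entries, a SYN flood does not."""
    stats = defaultdict(lambda: {"half_open": 0, "established": 0, "peers": set()})
    for state, port, peer_ip in parse_socket_table(text):
        if state == "SYN-RECV":
            stats[port]["half_open"] += 1
            stats[port]["peers"].add(peer_ip)       # distinct sources, spoofed or not
        elif state == "ESTAB":
            stats[port]["established"] += 1
    report = {}
    for port, s in stats.items():
        total = s["half_open"] + s["established"]
        ratio = s["half_open"] / total
        report[port] = {
            "half_open": s["half_open"],
            "established": s["established"],
            "distinct_half_open_peers": len(s["peers"]),
            "flagged": s["half_open"] >= min_half_open and ratio >= warn_ratio,
        }
    return report
```

On a live host the same report can be built from the real `ss -tan` output; a high count of distinct half-open peers with almost no established sessions is the pattern to alert on.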

Other TCP Floods (varying state flags)

The victim is flooded with TCP packets carrying various flag combinations at a high packet rate, for example ACK floods, RST floods, FIN floods and Xmas tree floods.

SSL Exhaustion

The SSL (Secure Socket Layer) and TLS (Transport Layer Security) encryption protocols underlie secure services on the internet. Because these protocols are resource intensive, the services that rely on them are particularly vulnerable to resource exhaustion attacks. During these attacks, clients send small requests that force the server to perform a disproportionately large amount of work to set up a secure session.

Long Lived TCP sessions (slow transfer rate)

Long-lived TCP sessions exhaust TCP connection resources by filling server connection tables. The condition can arise from idle TCP connections or from user-initiated actions such as bulk content downloads and peer-to-peer file hosting; an attacker reproduces it deliberately by holding many sessions open at a very slow transfer rate.

DNS query/NXDOMAIN floods

In a DNS Flood, attackers use DNS as a variant of a UDP flood. Attackers send valid but spoofed DNS request packets at a very high packet rate and from a very large group of source IP addresses. Since these appear to be valid requests, the victim's DNS servers proceed to respond to all of them and can be overwhelmed by the vast number of requests. This attack consumes large amounts of network resources and exhausts the DNS infrastructure until it goes offline, taking the victim's Internet access (www) down with it.
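Because a query flood is made of individually valid requests, the useful signal is in the responses: a source whose queries mostly return NXDOMAIN and that never repeats a name behaves like a random-subdomain flood, not a client. The following is an added example, not code from the original page or from Arbor; it runs that check over a constructed response log (the `key=value` line format and thresholds are assumptions), which matches the point in Note 5 that NXDOMAIN protection needs visibility of the server's responses.

```python
from collections import defaultdict

# Constructed resolver response log (not real traffic). Each line records the
# querying source, the name asked for and the response code the server sent.
SAMPLE_DNS_LOG = """\
src=203.0.113.10 qname=www.example.com rcode=NOERROR
src=203.0.113.10 qname=www.example.com rcode=NOERROR
src=203.0.113.10 qname=mail.example.com rcode=NOERROR
src=203.0.113.10 qname=typo.example.com rcode=NXDOMAIN
src=198.51.100.7 qname=a1x9q.example.com rcode=NXDOMAIN
src=198.51.100.7 qname=zq83m.example.com rcode=NXDOMAIN
src=198.51.100.7 qname=pp0rt.example.com rcode=NXDOMAIN
src=198.51.100.7 qname=k2jd7.example.com rcode=NXDOMAIN
src=198.51.100.7 qname=www.example.com rcode=NOERROR
src=198.51.100.7 qname=b77qe.example.com rcode=NXDOMAIN
"""

def parse_dns_log(text):
    """Turn 'key=value' log lines into dicts holding src, qname and rcode."""
    records = []
    for line in text.splitlines():
        fields = dict(part.split("=", 1) for part in line.split() if "=" in part)
        if {"src", "qname", "rcode"} <= set(fields):
            records.append(fields)
    return records

def nxdomain_report(text, min_queries=5, max_nx_ratio=0.5):
    """Per source: query count, NXDOMAIN ratio and the share of names that were
    asked for only once. A random-subdomain flood scores high on both, while a
    real client repeats names and mostly gets NOERROR."""
    per_src = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "names": defaultdict(int)})
    for rec in parse_dns_log(text):
        s = per_src[rec["src"]]
        s["queries"] += 1
        s["names"][rec["qname"].lower()] += 1
        if rec["rcode"] == "NXDOMAIN":
            s["nxdomain"] += 1
    report = {}
    for src, s in per_src.items():
        nx_ratio = s["nxdomain"] / s["queries"]
        asked_once = sum(1 for n in s["names"].values() if n == 1)
        report[src] = {
            "queries": s["queries"],
            "nxdomain_ratio": round(nx_ratio, 2),
            "unique_name_share": round(asked_once / s["queries"], 2),
            "flagged": s["queries"] >= min_queries and nx_ratio > max_nx_ratio,
        }
    return report
```

Spoofed sources will still spread the load across many addresses, so in practice the same ratios are also worth computing per queried zone rather than per source only.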

Slowloris

The Slowloris attack exhausts connection resources by sending small chunks of HTTP request headers to the target web server very slowly. By design, the web server must wait for all the header chunks to arrive or time out the HTTP request. The attack client sends each small header chunk just before the server’s HTTP request timeout expires.
When many malicious hosts launch simultaneous Slowloris attacks from a botnet, all the available connections to the target server are held open at once. As a result, the server is unable to handle legitimate HTTP requests.

Slow Post

In a Slow POST attack, the attacker completes the TCP handshake and sends a well-formed HTTP POST header that declares a large Content-Length, then delivers the message body a few bytes at a time, sending each piece just before the server’s request timeout expires. The server must keep the connection and its buffers until the declared body has arrived, so many such connections from a botnet exhaust the server’s connection pool in the same way as Slowloris, but after the headers have been accepted.

Slow Read

In a Slow Read DDoS attack, attackers send valid TCP SYN packets and complete TCP three-way handshakes with the victim to establish valid sessions between the attacker and the victim. The attacker first establishes a large number of valid sessions and requests the download of a document or large object from each attacking machine. Once the download begins, the attacking machines slow down their acknowledgement of received packets. They keep slowing the receipt of packets, which consumes excess resources on the delivering server, since all the associated processes appear to be serving a very slow receiving network. Slow Read attacks are always non-spoofed in order to hold sessions open for long periods of time.
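Slowloris, Slow POST and Slow Read (the three entries above) share one detectable property: a connection that has been open for a long time while moving almost no data in the phase it is stuck in. The following is an added example, not code from the original page or from Arbor; it classifies a constructed snapshot of open web-server connections by phase and byte rate, and lists the sources holding more slow connections than a per-source cap allows. The snapshot tuple layout, the minimum rate and the grace period are assumptions.

```python
from collections import Counter

# Constructed snapshot of a web server's open connections (not real data):
# (source IP, seconds open, phase of the HTTP exchange, bytes in, bytes out).
SAMPLE_CONNECTIONS = [
    ("203.0.113.10", 2,   "response", 410, 52000),  # ordinary page fetch
    ("203.0.113.11", 1,   "headers",  380, 0),      # request still arriving, but young
    ("198.51.100.1", 95,  "headers",  120, 0),      # header trickle (Slowloris)
    ("198.51.100.1", 88,  "headers",  96,  0),
    ("198.51.100.2", 120, "body",     900, 0),      # big Content-Length, body dribbled
    ("198.51.100.3", 150, "response", 300, 1800),   # drains the response at a crawl
]

MIN_RATE_BPS = 100   # assumed floor for a live client, in bytes per second
GRACE_SECONDS = 10   # connections younger than this are not judged

def classify(conn):
    """Return None for a healthy connection, or the slow pattern it matches."""
    _src, age, phase, bytes_in, bytes_out = conn
    if age < GRACE_SECONDS:
        return None
    if phase == "headers" and bytes_in / age < MIN_RATE_BPS:
        return "slow-headers"    # Slowloris: headers never finish arriving
    if phase == "body" and bytes_in / age < MIN_RATE_BPS:
        return "slow-body"       # Slow POST: declared body never finishes arriving
    if phase == "response" and bytes_out / age < MIN_RATE_BPS:
        return "slow-read"       # Slow Read: client acknowledges data at a crawl
    return None

def slow_connection_report(conns, max_slow_per_src=1):
    """Tag every slow connection and list the sources holding more of them than
    allowed; those are the candidates for a per-source connection cap or drop."""
    per_src, patterns = Counter(), Counter()
    for conn in conns:
        label = classify(conn)
        if label:
            per_src[conn[0]] += 1
            patterns[label] += 1
    offenders = sorted(src for src, n in per_src.items() if n > max_slow_per_src)
    return {"slow_total": sum(per_src.values()),
            "patterns": dict(patterns),
            "offenders": offenders}
```

Because these attacks are non-spoofed, the per-source count is meaningful, and the same minimum-rate idea is what web-server request timeout settings enforce on the server side.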

HTTP/S Flood

A high rate of HTTP/S requests per second is imposed on a server by the attackers to keep the server busy.

CVE Attack Vectors

An attack vector is the 'route' by which an attack is carried out. CVE attack vectors use known, publicly catalogued software vulnerabilities (those with a CVE identifier) to carry out the attack.

Large Payload POST requests

Attackers upload large files or large data bodies to hold the server's connections open and exhaust TCP or server resources.

Mimicked user browsing

Botnets have become major engines for malicious activities in cyberspace nowadays. To sustain their botnets and disguise their malicious actions, botnet owners are mimicking legitimate cyber behavior to fly under the radar.

Why are DDoS attacks so dangerous?

DDoS represents a significant threat to business continuity. As organizations have grown more dependent on the Internet and web-based applications and services, availability has become as essential as electricity.

DDoS is not only a threat to retailers, financial services and gaming companies with an obvious need for availability. DDoS attacks also target the mission critical business applications that your organization relies on to manage daily operations, such as email, salesforce automation, CRM and many others. Additionally, other industries, such as manufacturing, pharma and healthcare, have internal web properties that the supply chain and other business partners rely on for daily business operations. All of these are targets for today’s sophisticated cyber attackers.

What are the consequences of a successful DDoS attack?

When a public-facing website or application is unavailable, the result can be angry customers, lost revenue and brand damage. When business-critical applications become unavailable, operations and productivity grind to a halt. When internal websites that partners rely on go down, the supply chain and production are disrupted.

A successful DDoS campaign also means that your organization has invited more attacks. You can expect attacks to continue until more robust DDoS defenses are deployed.

What are your DDoS Protection Options?

Given the high profile nature of DDoS attacks, and their potentially devastating consequences, many security vendors have suddenly started offering DDoS protection solutions. With so much riding on your decision, it is critical to understand the strengths, and weaknesses, of your options.

Existing Infrastructure Solutions

(Firewalls, Intrusion Detection/Protection Systems, Application Delivery Controllers / Load Balancers)

IPS devices, firewalls and other security products are essential elements of a layered-defense strategy, but they are designed to solve security problems that are fundamentally different from dedicated DDoS detection and mitigation products. IPS devices, for example, block break-in attempts that cause data theft. Meanwhile, a firewall acts as a policy enforcer to prevent unauthorized access to data. While such security products effectively address “network integrity and confidentiality,” they fail to address the fundamental concern of DDoS attacks: “network availability.” What’s more, IPS devices and firewalls are stateful, inline solutions, which means they are vulnerable to DDoS attacks and often become the targets themselves.

Similar to IDS/IPS and firewalls, ADCs and load balancers have no broader network traffic visibility or integrated threat intelligence, and they are also stateful devices vulnerable to state-exhausting attacks. The increase in state-exhausting volumetric threats and blended application-level attacks makes ADCs and load balancers a limited and partial solution for customers requiring best-of-breed DDoS protection.

Content Delivery Networks (CDN)

The truth is that a CDN addresses the symptoms of a DDoS attack by simply absorbing these large volumes of data. It lets all the information in and through; all are welcome. There are three caveats here. First, there must be bandwidth available to absorb this high-volume traffic, some of these volumetric attacks are exceeding 300 Gbps, and there is a price for all that capacity. Second, there are ways around the CDN: not every webpage or asset will utilize the CDN. Third, a CDN cannot protect from an application-based attack. So let the CDN do what it was intended to do.

What is Arbor’s approach to DDoS protection?

Arbor has been protecting the world’s largest and most demanding networks from DDoS attacks for more than a decade. Arbor strongly believes that the best way to protect your resources from modern DDoS attacks is through a multi-layer deployment of purpose-built DDoS mitigation solutions.

You need protection in the cloud to stop today’s high-volume attacks, which are exceeding 300 Gbps. You also need on-premise protection against stealthy application-layer attacks, and against attacks on existing stateful infrastructure devices such as firewalls, IPS and ADCs.

Only with a tightly integrated, multi-layer defense can you adequately protect your organization from the full spectrum of DDoS attacks.

Arbor gives its customers a considerable competitive advantage: a micro view of their own network, via our products, combined with a macro view of global Internet traffic, via our ATLAS threat intelligence infrastructure and DDoS Attack Map. This is a powerful combination of network security intelligence that is unrivaled today. From this unique vantage point, Arbor’s security research team is ideally positioned to deliver intelligence about the DDoS attacks, malware and botnets that threaten Internet infrastructure and network availability.

Notes:

  1. SP can alert on a BGP hijacking attack but cannot mitigate it. APS does not operate in a BGP environment.
  2. Mitigation is possible via the Filter-List countermeasure, on the condition that the customer does NOT use IPsec and that the legitimate source and destination are not being camouflaged.
  3. TMS and APS can mitigate an SSL exhaustion attack during the SSL negotiation phase.
  4. TMS and APS have countermeasures to protect against TCP-based connection/flood/exhaustion attacks.
  5. NXDOMAIN protection requires server response visibility by TMS or APS.
  6. Protection via AIF (ATLAS Intelligence Feed) signatures.
  7. The Regular Expression (REGEX) countermeasure can provide part of the protection.
  8. TMS and APS have a countermeasure against HTTP floods but not HTTPS floods.
  9. TMS and APS do not have a specific countermeasure for CVE attack vectors. However, the Regular Expression (REGEX) countermeasure may be usable if the CVE attack vector's signature is known.
  10. TMS and APS have specific countermeasures for DNS/SNMP/SIP protection. Other Layer 7 floods such as SMTP/FTP may be protected via the TCP connection flood countermeasure.
  11. TMS and APS do not have a specific countermeasure for database connection pool exhaustion attacks. However, the TCP connection flood countermeasure may be able to mitigate them.
