Over the past few years distributed denial-of-service (DDoS) attacks have been appearing ever more frequently. The recent Spamhaus attack (the largest DDoS attack to date), Operation Ababil (a sustained DDoS attack campaign targeting the US financial sector) and numerous campaigns from the Anonymous group have raised awareness of the threat to Internet service availability posed by DDoS attacks.
DDoS attacks disrupt the availability of a targeted network, service or application by consuming some or all of the resources assigned to that network, service or application. Given the increasing reliance of many organisations on their Internet connectivity, whether to sell products, offer services or access cloud-based data and applications, a successful DDoS attack can have a significant impact.
We are used to thinking about DDoS attacks targeting gaming or gambling sites and major e-commerce organisations, but the spread of motivations behind attacks has broadened, leading to many more organisations now being at risk of attack.
According to Arbor’s 8th annual Worldwide Infrastructure Security Report (WISR), the number one motivation behind DDoS attacks is now ideological hacktivism. The rise of ideological hacktivism has been game changing: organisations can now be targeted for virtually any reason, making assessment of risk much more difficult. DDoS attacks are now also being used as a competitive weapon between rival organisations, or to disguise data theft or financial fraud.
So, what is a DDoS attack? Traditionally we think of DDoS attacks as big bursts of traffic which cause congestion in networks, preventing genuine customer traffic from getting through. These attacks are still common but they are actually only one of the three main categories of DDoS attacks that occur.
Volumetric Attacks
Volumetric attacks are the most common and simplest type of DDoS attack. They consist of traffic generated at a high enough bits per second (bps) or packets per second (pps) rate to cause network congestion, denying genuine traffic the ability to reach its destination. The traffic involved in an attack can be anything; it does not have to be valid from an end-to-end perspective, which makes these attacks relatively easy to generate.
Volumetric attacks sometimes also use reflection and amplification mechanisms to magnify the capability of an attacker. One commonly used mechanism is DNS reflection. This was used to significant effect in the approx. 300Gb/sec Spamhaus DDoS attack in March 2013. DNS reflection leverages two facts:
Many service providers have not implemented filters at their customer edge to prevent traffic being sent with a spoofed (fake) source IP address.
Many DNS service providers or server administrators have not locked down their DNS infrastructure so that it only responds to queries from local networks and customers.
Combining these two weaknesses, attackers generate small DNS queries, with the source address spoofed to be the target of the DDoS attack, and send them to open DNS resolvers. The queries are usually chosen to yield a large result, and the resolvers send their responses back to the source IP address of the query, i.e. the target of the attack. By doing this repeatedly, from multiple machines, usually within a botnet, very significant volumes of attack traffic can be generated.
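As an added defender-side example that is not part of the original article, the two preconditions listed above turned into checks run over constructed flow records: an ingress anti-spoofing check at the customer edge, and a check at a network border for hosts receiving large unrequested DNS answers from several resolvers. Addresses come from the RFC 5737 documentation ranges and the thresholds are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (all UDP): (src_ip, dst_ip, src_port, dst_port, bytes).
# Port 53 as dst_port marks a DNS query, as src_port a DNS response.
# Outbound flows seen at a service provider's customer edge for 192.0.2.0/24:
# one genuine query, then three queries whose source claims to be the target.
EDGE_OUTBOUND = [
    ("192.0.2.7",    "198.51.100.1", 41000, 53, 70),
    ("203.0.113.10", "198.51.100.1", 40000, 53, 64),
    ("203.0.113.10", "198.51.100.2", 40000, 53, 64),
    ("203.0.113.10", "198.51.100.3", 40000, 53, 64),
]
# Flows seen at the border of the target's network 203.0.113.0/24: a normal
# query/answer pair for .20, and large answers arriving at .10 unrequested.
BORDER_FLOWS = [
    ("203.0.113.20", "198.51.100.1", 41000, 53, 70),
    ("198.51.100.1", "203.0.113.20", 53, 41000, 200),
    ("198.51.100.1", "203.0.113.10", 53, 40000, 3200),
    ("198.51.100.2", "203.0.113.10", 53, 40000, 3100),
    ("198.51.100.3", "203.0.113.10", 53, 40000, 3300),
]

def spoofed_sources(flows, customer_prefixes):
    """BCP38-style ingress check at the customer edge: an outbound flow whose
    source address is not in the customer's assigned prefixes is spoofed."""
    nets = [ipaddress.ip_network(p) for p in customer_prefixes]
    return [(src, dst) for src, dst, _sp, _dp, _n in flows
            if not any(ipaddress.ip_address(src) in net for net in nets)]

def reflection_victims(flows, min_ratio=10.0, min_reflectors=2):
    """Flag hosts that receive far more DNS response bytes than they sent in
    queries, from several distinct resolvers. Returns {host: (ratio, resolvers)}."""
    resp_bytes, query_bytes = defaultdict(int), defaultdict(int)
    reflectors = defaultdict(set)
    for src, dst, sport, dport, size in flows:
        if sport == 53:
            resp_bytes[dst] += size
            reflectors[dst].add(src)
        elif dport == 53:
            query_bytes[src] += size
    victims = {}
    for host, received in resp_bytes.items():
        ratio = received / max(query_bytes[host], 1)
        if ratio >= min_ratio and len(reflectors[host]) >= min_reflectors:
            victims[host] = (ratio, len(reflectors[host]))
    return victims
```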
Volumetric attacks remain a significant threat as attacker capabilities have kept up with the capacities available within the Internet. Average size volumetric DDoS attacks are capable of saturating the Internet connectivity of a significant proportion of organisations and large attacks can have broader impacts, causing congestion within service provider networks and therefore impacting multiple customers and services.
TCP State-Exhaustion Attacks
TCP state-exhaustion attacks target the connection state tables within firewalls, which track the state of Internet connections, and within the servers themselves. These tables are of finite size: when they are full, new connections cannot be established; when they are approaching full, most devices attempt to create space by aggressively reaping older connections. Attackers know that if they can keep devices in either of these states they can deny, or at least limit, access to the services behind (or offered by) this infrastructure. This can lead to multiple services being impacted by an attack, especially if a firewall is targeted.
Crafted state-exhaustion attacks, designed specifically for this purpose, have been a reality since the middle of 2007. Arbor’s 8th WISR demonstrates this, with 35% of data-centre service provider respondents who use firewalls seeing those firewalls fail during 2012 due to DDoS attacks.
Application Layer Attacks
Application layer attacks, as their name would suggest, attack services and common applications. These attacks have become increasingly common over the past few years and are the most sophisticated and stealthy category of DDoS attacks. Arbor’s 8th WISR clearly shows how common these attacks have become with 86% of respondents seeing application layer attacks targeting web services on their networks.
Application layer attacks are the most difficult to proactively detect and mitigate, as they use traffic which is very difficult to distinguish from that of a genuine user. Often they are customised to target a particular Web application by making requests that tie up resources deep inside the affected network. The weakness exploited could be in the application itself (or one of its components), or it could simply be down to the design of the web property in question, e.g. having large files available for repeated download without registration or authentication.
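An added example, not from the original article, that looks for the design weakness just described in constructed web server access logs: the same unauthenticated client repeatedly fetching a large object that any visitor can download. The log format (Apache/nginx "combined"), addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict

# "combined" access log format; the third field is the authenticated user,
# "-" when the request carried no credentials.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')

# Constructed sample lines: a normal visitor, a client hammering a large
# unauthenticated download, and an authenticated user fetching it once.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2013:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2013:10:00:02 +0000] "GET /brochure.pdf HTTP/1.1" 200 5242880 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2013:10:00:02 +0000] "GET /brochure.pdf HTTP/1.1" 200 5242880 "-" "curl/7.29"
198.51.100.9 - - [10/Mar/2013:10:00:02 +0000] "GET /brochure.pdf HTTP/1.1" 200 5242880 "-" "curl/7.29"
198.51.100.9 - - [10/Mar/2013:10:00:03 +0000] "GET /brochure.pdf HTTP/1.1" 200 5242880 "-" "curl/7.29"
198.51.100.9 - - [10/Mar/2013:10:00:03 +0000] "GET /brochure.pdf HTTP/1.1" 200 5242880 "-" "curl/7.29"
192.0.2.44 - alice [10/Mar/2013:10:00:04 +0000] "GET /brochure.pdf HTTP/1.1" 200 5242880 "-" "Mozilla/5.0"
"""

def parse_log(text):
    """Yield one dict per line that matches the combined format; the size
    field becomes an int (0 for "-")."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
            yield rec

def repeat_downloaders(text, min_size=1_000_000, max_repeats=2):
    """Return {(client_ip, path): count} for unauthenticated clients that
    successfully fetched the same large object more than max_repeats times."""
    counts = defaultdict(int)
    for rec in parse_log(text):
        if rec["user"] == "-" and rec["status"] == "200" and rec["size"] >= min_size:
            counts[(rec["ip"], rec["path"])] += 1
    return {key: n for key, n in counts.items() if n > max_repeats}
```

In practice the count would be kept per time window and fed to a rate limit or a request for authentication rather than evaluated over a whole file.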
Emerging threat: Multi-Vector Attacks
As mentioned above there are three main categories of DDoS attacks, and each can be damaging in its own right. However, cybercriminals are nothing if not cunning and in the last few years attackers have learned that if they utilise multiple attack categories at the same time their chances of taking sites and services down, and keeping them down, jump considerably.
As such, there has been a rise in multi-vector attacks, which use a combination of attack vectors at the same time, sometimes selected specifically based on reconnaissance activities carried out by an attacker. These multi-vector attacks are the most difficult to mitigate because they target multiple potential service choke-points at the same time.
Arbor’s 8th WISR shows that 46% of respondents had seen multi-vector attacks in 2012, up from 32% the previous year. And, it is likely that this trend will continue in 2013.
However, it is possible for organisations to defend themselves against even the most complex attacks. Multi-layered DDoS protection solutions that combine on-premise and cloud-based DDoS defences are the answer. These solutions combine the speed of response available from on-premise solutions with the ability to deal with high-volume attacks that require service provider or cloud-based intervention. Ideally, the on-premise and cloud components should communicate and work together so that attacks can be dealt with as effectively and efficiently as possible. If the most appropriate services, solutions, people and processes are in place, then we can defend our businesses from the DDoS threat.