News

DDoS - Smashing the business for fun and profit

The fourth quarter of 2012, and the months of 2013 up to now exhibit high levels of activity from Distributed Denial of Service (DDoS) attackers against many companies and institutions across the globe. Recent press headlines have informed of many attacks against large financial services in the US and Europe. Also our organisation is struggling with DDoS attacks and keeping vital online services operational, and being available for ING’s customers and partners.

(Article by: Maciej Ogorkiewicz, Deputy Director, ING Services Polska)

Not only financial companies are under attack. Recent information and reports indicate that the e-commerce sector and software-as-a-service (SaaS) organisations have been attacked by DDoS during the last few months. The security world is evolving now and advanced persistent threats is a top concern for operators and enterprises now. organisations are more concerned and focused on dealing with botted and compromised machines (by malware), industrial espionage, data exfiltration and malicious insiders. DDoS attacks are seen as one of the most important security threats nowadays.

Why is DDoS so painful for the organisation? There a few answers to this basic question:

  • Even the largest and most powerful organisations in the world are unable to defend themselves on their own (without cooperation with 3rd parties such as service providers, cloud providers and/or Anti-DDoS Services providers) – no one is safe;
  • Perpetrators are well-equipped with DDoS toolkits (i.e. isokandnoproblemobro toolkit aka BroDoS toolkit have been identified recently) and large networks of “botted” workstations and mobile devices – attackers have the means and the tools;
  • DDoS attacks are getting more and more sophisticated and advanced since malware is highly involved in DDoS attacks. Evolution and improvements in the existing toolkits and techniques are observed by Anti-DDoS Service Providers such as Arbor, Prolexic or Akamai. These organisations are reporting more multi-vector DDoS attacks mostly against Web-based services. Multi-vector attacks  employ combinations of volumetric, state-exhaustion and application-layer attack vectors targeting an organisation at the same time. Multi-vector attacks can be challenging to mitigate and generally require layered solutions across the data center and the cloud for successful mitigation—which is why they are an attractive approach for hackers looking to cause the most damage – the DDoS attacks are harder to overcome;
  • The “Bring Your Own Device” (BYOD) trend and an increasing number of mobile devices (increasing LTE technology, more bandwidth available for mobile devices) in relation with a lack of detective and preventive measures at reactive rather than preventive mobile service providers cause a threat to unprotected organisations. Perpetrators have an area to create large botnets ready to launch attacks – anyone can be a victim and a tool in perpetrators' hands.
  • Domain Name Service (DNS) infrastructure is still vulnerable to DDoS and organisations are starting to consider DNS as a problem but still there are a lot of DNS servers allowing anyone to do recursive queries. Also unsecured IPv6 deployments in production environments could expose organisations to the risk. Many organisations are switching from IPv4 to IPv6 due to exhaustion of available IPv4 addresses. Having full IPv6 implementation or so-called “dual stack” (concurrent implementation of IPv4 and IPv6 protocols in the same network) is normal practice nowadays, especially in the operator’s network and DC’s service providers. Unfortunately, many organisations have not endeavoured to have the IPv6 world well-protected and IPv6 security is not perceived as a serious problem by many of them. Although DDoS in IPv6 is possible, attacks are rarely observed. It will change in the coming months and years – there are still unprotected communication channels.
  • Readiness and awareness have increased over the last few years, especially in large organisations concerned by DDoS and other APTs. This is good but law enforcement is not effective. Just over a half of responders surveyed by Arbor Networks still do not refer security incidents to law enforcement. Confidence in the efficiency of law enforcement is low and the reasoning behind that could be refelected by the fact that the real perpetrator usually remains undetected. Many types of DDoS enable the attacker to use spoofing and to be evasive – the real perpetrator could remain undetected and DDoS attacks could be relatively easy to render.

In 2011 Arbor Technologies stated, for the first time, the motivations for DDoS attacks.The top three most common perceived motivations are as follows:

  • Political and/or ideological (i.e., hacktivism)
  • Online gaming (not gambling)
  • Vandalism and/or nihilism

These are largely personally motivated acts done in reaction to real or perceived offenses.

DDoS – What’s going on? The taxonomy of the attack. 

A Distributed Denial of Service attack is, in fact, a keyword describing a set of attacks aiming for the same goal: to make a machine or network resource unavailable to its intended, legitimate users. The main difference between Denial of Service attack and its “distributed” variety is the source of the attack. Usually DoS has one source while DDoS attackers use many, multiple sources of attacks at the same time.

DDoS attacks could be differentiated from many angles but there are three main approaches to distinguish them. Accordingly to Arbor technologies, DDOS Attack vectors tend to fall into one of three broad categories:

  1. Volumetric Attacks: These attacks attempt to consume the bandwidth either within the target network/service, or between the target network/service and the rest of the Internet. These attacks are simply about causing congestion.
  2. TCP State Exhaustion Attacks: These attempt to consume the connection state tables that are present in many infrastructure components, such as load balancers, firewalls and the application servers themselves. Even high-capacity devices capable of maintaining state on millions of connections can be taken down by these attacks.
  3. Application Layer Attacks: These target some aspect of an application or service at Layer 7. They are the most sophisticated, stealthy attacks because they can be very effective with as few as one attacking machine generating a low traffic rate. This makes these attacks very difficult to proactively detect and mitigate.

Another vendor of Anti-DDoS solutions – RioRey proposes a different taxonomy of DDoS attacks:

  • TCP Based Attacks (SYN Flood, SYN-ACK Flood, ACK & PUSH ACK Flood, Fragmented ACK, RST or FIN Flood, Synonymous IP, Fake Session, Session Attack, Misused Application)
  • TCP HTTP Based Attacks (HTTP Fragmentation, Excessive VERB, Excessive VERB Single Session, Multiple VERB Single Request, Recursive GET, Random Recursive GET, Faulty Application)
  • UDP Based (UDP Flood, Fragmentation, DNS Flood, VoIP Flood, Media Data Flood, Non-Spoofed UDP Flood)
  • ICMP Based (ICMP Flood, Fragmentation, Ping Flood)

Prolexic – Anti-DDoS service provider – distinguishes the DDoS Attacks from “layer” perspective referred to IOS/OSI network model. This is a combination of those two from above:

  • Infrastructure - Layer 3 & 4 (ICMP, TCP Fragment, SYN PUSH, DNS, UDP Fragment, ACK, RST, UDP, SYN)
  • Application – Layer 7 (SSL GET, PUSH, HTTP POST, SSL POST, HTTP GET)

Accordingly to “Prolexic Quarterly Global DDoS Attack Report Q4 2012”, throughout Q4 2012, the majority of observed attacks were focused on network infrastructure (75%,05%). 24,95% of the attacks were being led in the application layer. The most common infrastructure (Layer 3) attack types made use of SYN floods and UDP floods. The majority of SYN floods are suspected to have originated from botnets consisting of infected workstations or mobile devices. The UDP floods primarily originated from the use of web server booter shell scripts such as that mentioned previously, the itsoknoproblemobro attack suite (BroDoS). Application Layer 7 attacks, the majority of flood traffic, came in the form of GET floods and POST floods targeted against web services. A combination of both booter shell scripts (malware installed on a server/zombie intended to initiate a DDoS attack) and traditional botnet infrastructures were responsible for the bulk of Layer 7 attack traffic observed by the Prolexic Security Emergency Response Team.

Interesting information could also be found in the “Worldwide Infrastructure Security Report” by Arbor Network, Inc. Arbor’s responders, surveyed for application-layer attacks, see the increasingly common role of application-layer attacks over the past few years (86% of them report application-layer attacks targeting high-profile web services). The proportion of reported application-layer attacks has not changed significantly over the years and the Top Five of them are as follows: HTTP, DNS, HTTPS , SMTP, SIP/VoIP. The role of HTTPS is increasing in this proportion which indicates that e-Banking applications and e-Commerce applications are a target of attacks more than in the past.

Text into Frames

Frame 1:

DDOS attacks at a glance (Y2012):

-                     Bigger – average bit rate in 2012: 1,48 Gb/s (+20% compared to 2011)

-                     Faster – average packet rate in 2012: 1,48 Mpps (+11% compared to 2011)

-                     More Complex – Experienced Multi-Vector Attacks in 2012: 46% (+41% compared to 2011)

Source: Arbor Network 8th Annual Worldwide Infrastructure

Frame 2:

DDoS Attacks Against Data Centers in 2012

-                     60% increase in attacks against data center infrastructure

-                     32% increase in attacks against data center services

-                     35% of data center operators saw firewalls or IDS/IPS systems compromised by a DDoS attack

-                     89% of data center operators suffering DDoS attacks reported operational expenses as a business impact

-                     31% reported customer churn was a consequence!

Source: Arbor Network 8th Annual Worldwide Infrastructure

 Know your enemy

Operators and service providers regularly publish data about sources of DDoS attacks per country or per AS number (AS – autonomous system – unique identifier assigned to operator/provider in the Internet network; AS is being used by Border Gateway Protocol – BGP, to route IP packets between source and destination). The latest “Prolexic Quarterly Global DDoS Attack Report Q4 2012” depicts interesting data regarding the sources of DDoS attacks, presented by country and AS. According to that information, providers from China (over 55%) have taken the lead in the ranking exhibiting the top originators of DDoS attacks against organisations worldwide. This trend has not changed for the last two quarters. It is believed that China is at the top due to a large number of vulnerable servers and workstations that exist in the country. The majority of the remaining attack traffic originated from botnets or machines compromised by malware within Europe and Asia (see: chart).

 

China

55,44

%

Germany

9,07

%

India

8,77

%

Egypt

5,73

%

Pakistan

4,26

%

Indonesia

3,61

%

Turkey

3,58

%

Thailand

3,52

%

France

3,31

%

United States

2,71

%

Figure1: Top Ten Originators of DDoS attacks in Q4 2012 per country.

Q4 2012 was active in comparison to previous quarters. The total number of attacks increased by 27,5%, the total amount of infrastructure attacks increased by 17,4 percent and the total number of application layer attacks increased by 72,2 %. The average attack duration rose by 67 % from 19,2 hours to 32,2 hours. Additionally, the average bandwidth was up 20 percent, rising from 4,9 Gb/s to 5,9 Gb/s this quarter. That data was presented by Prolexic, although other Anti-DDoS Service Providers presented different values (Arbor measured the average DDoS attacks as 1,48 Gb/s) but they claim that there is an increase in DDoS activity in terms of amount of attacks and volumes.

The bandwidth used by DDoS attack perpetrators is a hot topic, especially for Internet Service Providers and DC Operators. The largest observed attacks by Arbor in 2011 and 2012 exceeded 100 Gb/s, but attacks at the level of 60-80 Gb/s are not unusual nowadays. These values are a problem even for large service providers because inter-operator links and backbone networks do not have infinite capacity enabling them to absorb and process such a big amount of traffic. Big players on the service provider market are capable technically to increase the bandwidth on their links but it costs and money spent on that cannot be easily reflected in customer invoices (those investments are not justified by market demand).

Are we defenseless?

The truth is no one can feel safe but there are countermeasures available on the market to defend organisations from DDoS attacks. The potential consequences of DDoS attacks cannot be mitigated by the installation of “yet another magic security box” which prevents DDoS attacks  100%. The only organisations which have Anti-DDoS holistic architectures implemented, processes that work in case of an attack, and tested procedures, can survive DDoS attacks and remain in relatively good condition. The solution lies in the organisation’s IT system or processes. The risk of DDoS cannot be mitigated with good cooperation with well-prepared Internet Service Providers and/or Anti-DDoS Service Providers capable of dealing with the traffic affected by DDoS perpetrators. So, what can organisations do to defend services and customers from attacks? The items listed below are a set of keywords describing several techniques that could be used and/or the concepts that could be considered as a countermeasure in the Anti-DDoS architecture:

  • Sufficient capacity of network links, network devices and IT equipment hosting applications and databases: the links and equipment on the path between the Internet and the application should have the capacity to process the traffic and number of sessions bigger than usually processed in normal conditions. It is worth mentioning that replacing the links toward the Internet or replacing the device in the path with a device of a bigger capacity, will result in a bottle neck somewhere in the path. Usually, equipment such as: firewalls, IPS, application firewalls, have less capacity than the speed of their network interfaces. During the process design of a new architecture the capacity and performance of every element has to be assessed. As previously mentioned, trends indicate that the role of application-layer attacks will increase in the coming years, therefore especially key devices, processing application-layer traffic (i.e. load balancers, SSL accelerators, web servers etc.) need to be evaluated. It is worth mentioning that application-layer DDoS attacks conducted in vital communication channels used by online applications (i.e. HTTP, HTTPS) are the most difficult to mitigate. When attacks happen, analysts try to find a pattern describing the DDoS traffic and with that they recommend actions aiming to eliminate those packets from the bandwidth. The most painful situation is when such a pattern cannot be determined, for instance: the HTTP request is directed to a web application, and those requests originate from many countries (it is difficult to determine which flow is an attack and which is not). Cases and scenarios like that have to be considered during the process design of Anti-DDoS architecture.
  • Sufficient capacity of the service providers: The Internet Service Providers and DC Operators need to be prepared and capable to mitigate the consequences of DDoS attacks directed towards their customers. The selected provider or operator has to have Anti-DDoS measures implemented, processes, knowledgeable personnel and has to be fitted with devices and links of sufficient capacity (please note that the providers’ infrastructure is shared among customers).
  • Anti-DDoS Services / Scrubbing Centers: During a DDoS attack, traffic is redirected to a scrubbing center. Usually it is a cloud-based, high-performance infrastructure  connected to the biggest, global Internet Service Providers’ carriers (i.e. 800 Gb/s capacity). Scrubbing centers are fitted with DDoS filtering techniques, advanced routing, and anti-DoS hardware devices that remove DDoS traffic close to the source of botnet activity. Clean traffic is then routed back to the customer’s network. It is recommended to have more than one scrubbing center available in the providers’ network to switch or double them in case of a very severe and large attack.
  • Blackholing: This technique enables the organisation to trigger remotely the directing of traffic generated by botnets to a non-existing IP address or null interface of the providers’ routers (in practice it means that the traffic is dropped). Two types of blackholing can be distinguished: source based remote triggered blackholing  (S-RTBH) and destination based remote triggered blackholing (D-RTHB). The main difference between these two is that the first type drops traffic described by the source pattern while the second one drops traffic based on its destination. This technique can be used effectively to mitigate the infrastructure-layer attack mostly in the case when a pattern in the traffic can be determined to trigger blackholing. For application-layer attacks the scrubbing centers are more effective (because the scrubbing center is trying to “heal” the traffic) while blackholing means in practice dropping the traffic coming to/from a particular country or provider. Blackholing could be used as an additional mitigating control in the case of the most severe attacks when a scrubbing center is unable to remove DDoS packets from the bandwidth, but this is a “last resort” countermeasure.
  • IT Cloud Services: External IT cloud service providers could be used as an additional mitigating control in designed anti-DDoS architecture. Some parts of applications or web-based services could be installed outside the primary network, in the external cloud. This is relevant mostly to static main web pages, pictures and everything that is not directly related with vital online applications but is related to the organisation's presence on the Internet. In the case of a DDoS attack, requests for the main page, pictures and everything which might adversely affect bandwidth stressed by DDoS (especially in an upstream direction), can be served from the external IT Cloud preserving the resources and the bandwidth for application-related requests and traffic.
  • DNS Protection: As presented, trends indicate DDoS attacks against Domain Name Service infrastructure. This is a vital infrastructural component which ensures that the organisation is visible in the network under the company’s domain name and a brand, and the organisation’s services are visible in the network. Hitting the DNS servers with a DDoS attack could result in the unavailability of online services because clients would be unable to resolve the domain name into an IP address to establish a connection. DNS infrastructure should be protected against DDoS and this protection must be an important element of Anti-DDos architecture. The most common technique used for that is to use the concept of primary and secondary DNS servers hosting domains. The domain should be hosted by the secondary DNS servers residing in the provider’s network outside the network that can be hit by DDoS. This ensures the availability of the DNS services in case of an attack and full saturation of the bandwidth causing the company network to respond slowly or become inaccessible.

Although this paragraph describes DNS protection, it is worth mentioning that other protocols, ensuring the network and systems are working properly, need to be well protected. For example BGP sessions should be preserved and properly maintained in case of a DDoS attack. A broken BGP session would result in the unavailability of the company’s IP address pools in the global Internet network and other anti-DDoS techniques would help. BGP should be operational by secondary network links toward a provider enabling the organisation to advertise its address pools even under attack.

DDoS threats are one of the biggest concerns for organisations and institutions using the Internet to render services for their customers. Based on trend analysis, the main conclusion is that DDoS attacks will increase in the coming years and attacks will be more sophisticated and advanced. organisations willing to have the ability to provide undisrupted online services need to be prepared for DDoS attacks by implementing anti-DDoS measures, crisis procedures and being able to respond to attacks smoothly. That is another battle in the security field that needs to be fought. 

Sources:

  • Prolexic Quarterly Global DDoS Attack Report Q4 2012” (Prolexic)
  • “Worldwide Infrastructure Security Report 2012” (Arbor Networks, Inc.)
  • “Distributed Reflection Denial of Service (DrDoS) Attacks” Prolexic
  • Cisco Systems Documentation
  • “Taxonomy of DDoS Attacks” (RioRey)
  • “DDoS Attacks in 2012” (Arbor Networks, Inc.)
  • “DDoS Attacks Against Data Centers in 2012” (Arbor Networks, Inc.)

Back

Important: this site uses cookie files.

We use information saved in cookie files, among others, in statistical purposes and in order to fit the service to individual needs of the user. In your browser you can change your cookie files settings. Using the site without changing cookie files settings means they will be saved in device memory. More information with tips how to change settings can be found in Cookies policy.

Close