What is DoS?
DoS stands for Denial of Service. It is an attack on a specific website or service in which an adversary sends a huge number of requests from a single machine (or a single network), overloading the server. An overloaded server is busy serving the adversary's requests and drops legitimate requests from real customers. In extreme cases the web server cannot handle the load at all and crashes, taking the website down. This is an old attack, and people have been exploiting it for decades. Because the traffic comes from one place, stopping a plain DoS attack is not especially hard, and there are well-known mitigations for it (e.g. IP filtering, ingress filtering, request throttling). So these days nobody talks much about DoS; what they do talk about is DDoS (Distributed Denial of Service).
What is DDoS?
DDoS is a variant of DoS in which the adversary uses a huge number of machines, usually spread across many networks and geographic regions, to send requests to the web server, unlike traditional DoS where the attacker uses one machine or one network. Each machine may send only a modest number of requests, but because so many machines take part, traditional mitigations such as IP filtering break down, and it is hard to tell a bot's request from a legitimate customer's. This is a very relevant attack: even after years of study we still see DDoS attacks in the news frequently, and recent attacks are getting more sophisticated, with peak rates in the multi-terabit-per-second range.
The anatomy of a DDoS Attack
A DDoS starts with the attacker compromising a set of devices or machines and taking them under control. Once a device is compromised, the attacker installs malware that gives remote control over it. The device then acts as a bot (obeying the commands of its controller), and the attacker assembles a network of such devices, called a botnet. The botnet's command-and-control can follow a client-server model or be a peer-to-peer network. The controller, usually through designated command-and-control hosts, instructs the bots, which flood the website with requests. Since these are ordinary internet devices, it is extremely hard for the web server to distinguish their requests from those of a legitimate customer. A bot can be any device connected to the internet: other web servers, the desktop computers of normal users, or IoT devices (e.g. smart cameras, smart thermostats, smart refrigerators, washing machines). Specialized internet servers (e.g. DNS, NTP and LDAP servers) are usually not infected at all; they are abused as reflectors that unwittingly send their responses to the target, as described under amplification attacks below.
Types of DDoS Attacks
DDoS attacks can be categorized by which layer of the OSI model they target.
Application Layer Attack
This type of DDoS attack targets the application layer (of the OSI model): the attacker sends a flood of requests to a website feature (e.g. the login form) to bring it down. Each request looks like a valid one, and the server does real work for it (database lookups, password hashing, session creation), so a comparatively small request rate can exhaust the application. A typical example is the HTTP flood, where the attacker sends a flood of HTTP POST or GET requests to the website.
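Request throttling, mentioned above as a standard DoS mitigation, is the usual first line of defence against an HTTP flood on an expensive endpoint. The following is an added example (not code from the original article) of a token-bucket throttle applied to a constructed request stream: a per-source limit, which is enough against a single flooding host, plus a global budget for the endpoint, which is what matters against a distributed flood where every bot individually stays under the per-source limit. Client addresses, rates and request timings are all constructed for the demonstration.

```python
"""Token-bucket throttling for an HTTP flood against an expensive endpoint.
Added example, not code from the original article. The client addresses,
rates and request stream below are constructed for the demonstration."""
from collections import defaultdict


class TokenBucket:
    """Lazy-refill token bucket keyed by client (IP, API key, session...).
    Each key starts full (`burst` tokens) and refills `rate` tokens/second."""

    def __init__(self, rate: float, burst: int):
        self.rate = rate
        self.burst = burst
        self._tokens = defaultdict(lambda: float(burst))
        self._last = {}

    def allow(self, key, now: float) -> bool:
        elapsed = now - self._last.get(key, now)
        self._tokens[key] = min(self.burst, self._tokens[key] + elapsed * self.rate)
        self._last[key] = now
        if self._tokens[key] >= 1.0:
            self._tokens[key] -= 1.0
            return True
        return False


def throttle(requests, per_ip=(2.0, 5), endpoint=(50.0, 100)):
    """Apply a per-source limit and a global per-endpoint budget to a stream of
    (timestamp, src_ip, method, path). Returns {src_ip: [allowed, denied]}.
    The per-source limit stops a single-host DoS; the endpoint budget is what
    keeps a distributed flood (each bot under its own limit) from exhausting
    the server, at the cost of also throttling legitimate users during it."""
    per_ip_bucket = TokenBucket(*per_ip)
    endpoint_bucket = TokenBucket(*endpoint)
    stats = defaultdict(lambda: [0, 0])
    for ts, src, method, path in sorted(requests, key=lambda r: r[0]):
        if not (method == "POST" and path == "/login"):
            stats[src][0] += 1          # cheap paths are not throttled here
            continue
        # short-circuit: a request refused per-source does not spend endpoint budget
        ok = per_ip_bucket.allow(src, ts) and endpoint_bucket.allow(path, ts)
        stats[src][0 if ok else 1] += 1
    return dict(stats)


def single_host_flood():
    """One normal user at 1 req/s beside one bot sending 20 requests at once,
    twice. Constructed addresses from the documentation ranges."""
    reqs = [(t, "198.51.100.7", "POST", "/login") for t in range(10)]
    reqs += [(0.0, "203.0.113.9", "POST", "/login")] * 20
    reqs += [(1.0, "203.0.113.9", "POST", "/login")] * 20
    return throttle(reqs)


def distributed_flood():
    """200 bots, one request each, all at the same instant: every bot is well
    inside its per-source limit, only the endpoint budget holds."""
    reqs = [(0.0, f"203.0.113.{i}", "POST", "/login") for i in range(200)]
    return throttle(reqs)


if __name__ == "__main__":
    print(single_host_flood())
    allowed = sum(v[0] for v in distributed_flood().values())
    print(f"distributed flood: {allowed} of 200 reached the login handler")
```

The limits are illustrative: in practice the per-source key should be whatever best identifies a client through your proxies (the client IP from a trusted forwarding header, a session or API key), and the endpoint budget should sit just below the rate at which the backend actually degrades.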
Network Protocol Attack
This DDoS attack targets weaknesses in the network and transport protocols (layers 3 and 4 of the OSI model). A common example is the SYN flood, where the attacker sends a flood of TCP SYN packets to the web server, each one starting a three-way handshake. On receiving a SYN the server allocates state for the half-open connection, replies with a SYN-ACK and waits for the final ACK, which in a flood (usually sent from spoofed source addresses) never arrives. Eventually the half-open connection table is full and the server has no resources left to accept TCP connections from legitimate customers. The attacker can also target the resources of intermediate devices such as firewalls and load balancers, which track TCP connection state in order to forward traffic to the web servers behind them.
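The weakness a SYN flood exploits is that the server stores state before the peer has proven it can receive packets. SYN cookies remove that state: the server encodes everything it needs into the initial sequence number of its SYN-ACK and reconstructs it from the client's ACK. The simulation below is an added example (not code from the original article) contrasting a stateful backlog that fills up with a stateless SYN-cookie handshake; the cookie layout is simplified from the Linux one (the MSS encoding is omitted), and the addresses, ports, backlog size and secret are constructed.

```python
"""Half-open connection exhaustion (SYN flood) versus SYN cookies.
Added example, not from the original article; addresses, ports, backlog size
and the cookie layout are constructed/simplified for the demonstration."""
import hashlib
import hmac
import ipaddress
import struct

CLIENT = ("198.51.100.7", 40000)   # constructed legitimate client
SERVER_PORT = 443


class StatefulServer:
    """Classic handshake: each SYN allocates a backlog slot until the ACK arrives.
    Spoofed SYNs never get an ACK, so slots are only freed by a timeout (not
    modelled here) and the backlog fills."""

    def __init__(self, backlog: int):
        self.backlog = backlog
        self.half_open = {}   # (src_ip, src_port) -> server ISN

    def on_syn(self, src_ip, src_port):
        if len(self.half_open) >= self.backlog:
            return None                          # SYN dropped: no slot left
        isn = 0x1000 + len(self.half_open)      # any ISN will do for the demo
        self.half_open[(src_ip, src_port)] = isn
        return isn

    def on_ack(self, src_ip, src_port, ack):
        isn = self.half_open.pop((src_ip, src_port), None)
        return isn is not None and ack == (isn + 1) & 0xFFFFFFFF


class SynCookieServer:
    """Stateless handshake: the ISN *is* the state. Layout (simplified from
    Linux, which also encodes the MSS): top 5 bits = coarse time counter,
    low 27 bits = truncated HMAC(secret, src ip, src port, dst port, counter)."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.tick = 0          # advanced by the caller, e.g. once per minute

    def _cookie(self, src_ip, src_port, tick):
        msg = struct.pack("!4sHHI", ipaddress.ip_address(src_ip).packed,
                          src_port, SERVER_PORT, tick)
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return ((tick & 0x1F) << 27) | (int.from_bytes(mac[:4], "big") & 0x07FFFFFF)

    def on_syn(self, src_ip, src_port):
        return self._cookie(src_ip, src_port, self.tick)   # nothing stored

    def on_ack(self, src_ip, src_port, ack):
        isn = (ack - 1) & 0xFFFFFFFF
        tick_bits = isn >> 27
        # accept the current and the previous tick so slow clients still connect
        for tick in (self.tick, self.tick - 1):
            if tick >= 0 and (tick & 0x1F) == tick_bits \
                    and self._cookie(src_ip, src_port, tick) == isn:
                return True
        return False


def demo(flood_size=5000, backlog=256):
    stateful = StatefulServer(backlog)
    cookies = SynCookieServer(b"rotate-me-regularly")   # constructed secret
    # constructed spoofed SYNs: sources that will never send the final ACK
    for i in range(flood_size):
        src = (f"203.0.113.{i % 254 + 1}", 1024 + i)
        stateful.on_syn(*src)
        cookies.on_syn(*src)
    results = {}
    isn = stateful.on_syn(*CLIENT)
    results["stateful_accepts_legit"] = isn is not None and stateful.on_ack(*CLIENT, isn + 1)
    isn = cookies.on_syn(*CLIENT)
    results["cookie_accepts_legit"] = cookies.on_ack(*CLIENT, isn + 1)
    # an attacker who never saw the SYN-ACK cannot forge a valid ACK
    results["cookie_rejects_forged"] = cookies.on_ack(*CLIENT, 0xDEADBEEF)
    return results


if __name__ == "__main__":
    print(demo())
```

The cost of SYN cookies is that TCP options carried only in the SYN are lost (which is why real implementations squeeze the MSS into the cookie and why Linux enables them only once the backlog overflows); the benefit is that a spoofed SYN costs the server one HMAC and no memory. Note that cookies protect the server's connection table, not its bandwidth: a flood large enough to saturate the link still needs upstream absorption.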
Amplification Attacks
In an amplification attack the attacker tries to flood the bandwidth between the web server and its customers. A common example is DNS amplification: the attacker sends small requests to open DNS resolvers, spoofing the source address so that it appears to be the target's. The DNS server sends its much larger responses to the target, believing the requests came from there, and so floods the target with responses it never asked for. The ratio of response size to request size is the amplification factor, and it is why a modest amount of attacker bandwidth turns into a multi-hundred-Gbps flood at the victim. The same trick works with other UDP services that answer without a handshake, such as NTP (the monlist command) and memcached (the vector used against GitHub in 2018, see below). Classic ICMP variants exist too, such as the Smurf attack, where spoofed ICMP echo requests are sent to a network's broadcast address so that every host on it replies to the target. These attacks are possible because UDP and ICMP have no handshake that verifies the source address; ingress filtering (BCP 38) at the attacker's network would stop the spoofing in the first place.
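To make the amplification factor concrete, here is an added example (not code from the original article) that builds a real DNS wire-format ANY query for a constructed name, pairs it with a constructed response holding DNSSEC-sized records, and measures the ratio. The second half shows the reflector-side mitigation, response rate limiting (RRL) as BIND and other authoritative servers implement it: identical answers to the same destination are capped per time window, and a fraction of the excess is answered truncated so a genuine client retries over TCP, which cannot be spoofed. Record sizes, the limit and the client addresses are all constructed.

```python
"""DNS amplification: how a small spoofed query turns into a large response,
and response rate limiting (RRL) on the reflector side. Added example, not
code from the original article; record sizes, limits and addresses are
constructed for the demonstration."""
import struct
from collections import defaultdict


def encode_name(name: str) -> bytes:
    """DNS wire format for a name: length-prefixed labels, zero terminator."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def build_query(txid: int, name: str, qtype: int = 255) -> bytes:
    """Minimal DNS query (header + one question). qtype 255 = ANY, the classic
    amplification vector because it returns every record at the name."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(query: bytes, rrs) -> bytes:
    """Constructed answer: echoes the question, then one RR per (type, ttl,
    rdata), naming the owner with a compression pointer (0xC00C) to the qname."""
    (txid,) = struct.unpack("!H", query[:2])
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(rrs), 0, 0)   # QR, RD, RA
    body = query[12:]
    for rtype, ttl, rdata in rrs:
        body += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return header + body


def amplification_factor(request: bytes, response: bytes) -> float:
    """Bandwidth amplification factor on the UDP payload: bytes the reflector
    sends to the victim per byte the attacker spends."""
    return len(response) / len(request)


class ResponseRateLimiter:
    """Fixed-window RRL: count answers per (destination, qname) and beyond
    `limit` per window either drop them or 'slip' (every `slip`-th one is sent
    truncated, TC=1, so a real client retries over TCP)."""

    def __init__(self, limit: int, window: float = 1.0, slip: int = 2):
        self.limit, self.window, self.slip = limit, window, slip
        self._counts = defaultdict(int)
        self._start = {}

    def decide(self, dst_ip: str, qname: str, now: float) -> str:
        key = (dst_ip, qname)
        start = self._start.get(key)
        if start is None or now - start >= self.window:
            self._start[key], self._counts[key] = now, 0
        self._counts[key] += 1
        over = self._counts[key] - self.limit
        if over <= 0:
            return "answer"
        return "truncate" if over % self.slip == 0 else "drop"


def demo():
    query = build_query(0x1234, "example.com")      # constructed zone name
    # constructed record set: A, a long TXT, a DNSKEY-sized blob, two RRSIG-sized blobs
    rrs = [
        (1, 300, bytes([93, 184, 216, 34])),
        (16, 300, b"\xff" + b"v" * 255),
        (48, 3600, b"\x01\x01\x03\x08" + b"\x00" * 256),
        (46, 3600, b"\x00" * 300),
        (46, 3600, b"\x00" * 300),
    ]
    response = build_response(query, rrs)
    rrl = ResponseRateLimiter(limit=5)
    victim = "198.51.100.7"            # the spoofed source address (constructed)
    verdicts = defaultdict(int)
    for _ in range(1000):              # 1000 spoofed queries inside one second
        verdicts[rrl.decide(victim, "example.com", now=0.2)] += 1
    other = rrl.decide("203.0.113.9", "example.com", now=0.3)   # unrelated client
    return {
        "query_bytes": len(query),
        "response_bytes": len(response),
        "factor": amplification_factor(query, response),
        "verdicts": dict(verdicts),
        "other_client": other,
    }


if __name__ == "__main__":
    print(demo())
```

Two things the numbers show: a 29-byte query returning a 1.2 KB answer is a 40x multiplier before the attacker even adds more reflectors, and RRL caps what any one reflector will contribute to a given victim without refusing service to everybody else. RRL is a reflector-side control; the victim still needs upstream capacity, and the only fix at the source is ingress filtering.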
DoS (Denial of Service) can also result from a non-malicious, internal cause: misconfiguration and human error. I will discuss this a bit in a later section.
The relevance of DDoS
A few of the recent and well-known DDoS attacks:
- Biggest DDoS attack on GitHub: In February 2018 the popular Git hosting site GitHub was hit by the biggest DDoS attack seen up to that point, peaking at 1.35 Tbps. It was an amplification attack abusing exposed memcached servers over UDP port 11211.
- The WireX botnet: On 17 August 2017 an attack was launched from thousands of compromised Android mobile devices. The devices had been infected through hundreds of innocent-looking malware apps in the Google Play store, were assembled into a botnet, and were then used to launch a DDoS attack. Akamai, one of the investigating companies, reported about 70,000 infected devices. The unique thing about this attack was that a group of security companies teamed up to fight it, successfully.
- Mirai botnet DDoS attack on Dyn: In October 2016 one of the most unusual DDoS attacks hit the DNS provider Dyn and made a large part of the internet unreachable for many people in Europe and North America. What made it unusual was that the attacker's botnet consisted of a huge number of IoT devices (e.g. IP cameras, DVRs, baby monitors). The malware that infected these devices was named Mirai. Because Dyn served DNS for them, a huge number of websites were affected, including Airbnb, Amazon.com, BBC, CNN, HBO and Netflix. The traffic was estimated to have peaked at about 1.2 Tbps.
- The Rio Summer Olympics DDoS attacks: There were numerous DDoS attacks on the servers of the 2016 Summer Olympics in Rio, peaking at 540 Gbps. Most of them were mitigated successfully, without any major impact on the infrastructure.
According to a Trend Micro report, a week-long DDoS-for-hire service can be bought for about $150, and according to Kaspersky Lab's report, DDoS attacks increased significantly in 2018.
There are several services that show live DDoS attacks globally. Some noteworthy ones:
- The Digital Attack Map from Google Ideas and Arbor Networks
- IPViking Live from Norse
- Live Cyber Attack Threat Map from Check Point ThreatCloud
- Cyber Threat Real-time Map from Kaspersky Lab
- Real-time Web Monitor from Akamai
Mitigations and Guidelines to Protect Yourself
Manual, one-off mitigations are usually not recommended: they are hard to sustain, and the attacker will usually adapt to circumvent them. In general, the process of mitigating a DDoS attack can be thought of as a cycle whose stages feed into each other:
- Absorption – Whatever the network, it must be able to absorb a burst of traffic; otherwise it goes down within a very short time, which removes any chance to detect and analyze the attack. This is usually done by provisioning enough capacity to handle a very large volume of requests or data (multiple Tbps), spread across several geographic locations so that the attack is diluted across them. It should be said that standing up and maintaining such a network is usually not economically feasible for a mid-size company, which is why most organizations buy this capacity from a cloud or DDoS-protection provider.
- Detection – This is the most important part of the process: any deviation from the normal traffic flow must be detected. That requires first establishing what normal traffic looks like and then watching for changes in the pattern. It also helps to know when a change is expected, for example during the holiday season, and by what factor, so that a planned surge is not mistaken for an attack. Incoming traffic can also be examined to tell humans from bots by looking at HTTP headers, IP addresses, cookies, request timing and so on. Machine learning can play a significant role in this analysis. The detection model must keep evolving to catch new forms of attack and the workarounds attackers adopt.
- Traffic Diversion – Once a DDoS attack is detected, the first action is to divert the traffic, either to a scrubbing service for filtering or into a "black hole" (null route) where it is discarded entirely. The two most common diversion techniques are DNS-based redirection, which suits always-on protection and is most effective against application layer attacks (it only moves traffic that is addressed by hostname), and BGP-based redirection, which announces the victim's prefixes from the scrubbing network, usually has to be activated manually, and is effective against both application and network layer attacks.
- Filtering – The diverted traffic is then filtered: packets, sources and signatures are analyzed to separate attack traffic from legitimate traffic, and only the clean portion is forwarded to the service. The aim is to keep the impact on customers to a minimum and to have the service fully available again as quickly as possible.
- Analysis – Once the attack has been mitigated, the security response team performs a full RCA (Root Cause Analysis), going through logs and consulting partners (upstream providers, scrubbing vendors) to identify the sources and attack vectors and to put new mitigations in place. The outcome is fed back into the Detection stage, which closes the cycle.
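The Detection and Filtering stages above are the ones an in-house team can actually build. The following added example (not code from the original article) implements the simplest useful form of each: a baseline-and-deviation detector over a per-minute request series, with an "expected change" factor so a known holiday surge is not flagged, and a source aggregator that rolls the addresses seen during a flagged minute up into prefixes and picks the smallest set covering a chosen share of the traffic, which is the input to an ACL or a null-route decision. The traffic series, the source addresses and the thresholds are constructed (seeded pseudo-random data), not real measurements.

```python
"""Baseline-and-deviation detection with source aggregation for filtering.
Added example, not from the original article. The traffic series and source
list are constructed with a fixed seed; thresholds are illustrative."""
import ipaddress
import random
import statistics
from collections import Counter


def detect(series, expected_factor=1.0, baseline_len=60, z=6.0):
    """series: requests per minute. The first `baseline_len` minutes are the
    baseline. `expected_factor` scales the baseline for a known event (e.g. a
    holiday sale) so a planned surge is not reported as an attack. Returns the
    indices of minutes whose rate exceeds baseline*factor by `z` std devs."""
    base = series[:baseline_len]
    mu = statistics.fmean(base) * expected_factor
    sigma = statistics.pstdev(base) * expected_factor
    return [i for i, v in enumerate(series)
            if i >= baseline_len and v > mu + z * sigma]


def filter_candidates(sources, share=0.5, prefix=24):
    """Aggregate the sources seen in an attack minute into /`prefix` networks
    and return the fewest prefixes that account for `share` of the requests,
    most active first. Spoofed or very widely spread sources will not
    aggregate; that is the cue to divert upstream instead of filtering locally."""
    by_prefix = Counter(
        str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False)) for ip in sources
    )
    total = sum(by_prefix.values())
    chosen, covered = [], 0
    for net, n in by_prefix.most_common():
        if covered >= share * total:
            break
        chosen.append(net)
        covered += n
    return chosen


def demo():
    rng = random.Random(7)
    series = [rng.randint(900, 1100) for _ in range(65)]   # constructed quiet traffic
    series += [25000, 31000, 28000]                        # constructed flood minutes
    flagged = detect(series)
    # constructed sources observed during the first flagged minute:
    # one dense /24, one lighter /24, and a scatter of unrelated addresses
    srcs = [f"203.0.113.{rng.randint(1, 254)}" for _ in range(800)]
    srcs += [f"198.51.100.{rng.randint(1, 254)}" for _ in range(150)]
    srcs += [str(ipaddress.IPv4Address(rng.getrandbits(32))) for _ in range(50)]
    return flagged, filter_candidates(srcs)


if __name__ == "__main__":
    minutes, prefixes = demo()
    print("flagged minutes:", minutes)
    print("prefixes to filter or null-route:", prefixes)
```

A z-score against a static baseline is deliberately crude; the point is the structure (baseline, expected change, deviation, then aggregation) rather than the statistic. In production the baseline would be seasonal (same hour last week), the detector would run per endpoint and per protocol, and the prefix list would be handed to the upstream provider as a BGP community or flowspec rule rather than applied only at the edge.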
In addition to these, one of the major factors is network capacity. Having a scalable network that can handle multi-Tbps traffic is a big help during an attack, but it comes with cost and maintenance. To meet this requirement there are many offerings in the market which do a pretty good job of protecting you. Let's go through some of them.
Downstream and infra services provided by Cloud providers
All the major cloud providers offer a baseline DDoS protection out of the box, and you can add further features to it to build more robust protection. Here is what some of the major cloud service providers offer.
AWS (Amazon Web Service)
AWS Shield is the managed DDoS protection service available to all AWS customers by default; the standard tier provides network and transport layer protection. For an additional cost customers can buy the advanced tier, which adds live traffic monitoring with anomaly detection, custom rules and filters through the web application firewall, cost protection against scaling charges during an attack, and access to a dedicated response team. The advanced tier also covers common application layer attacks such as HTTP floods and DNS query floods. A range of AWS services (AWS WAF, Amazon CloudFront, Elastic Load Balancing (ELB), Amazon Route 53) can be combined with AWS Shield to get comprehensive detection and protection against most known DDoS attacks. This link provides a side-by-side comparison of the feature sets and pricing of the free Standard and the paid Advanced tiers of AWS Shield.
Microsoft Azure
Like AWS, Microsoft Azure provides a set of DDoS protection services, again in two flavors: the free Basic tier and the paid Standard tier, both integrated with Azure's VNet features. The free tier is enabled by default on all public IPv4 and IPv6 addresses and provides always-on traffic monitoring and automatic mitigation: traffic patterns are compared against defined parameters and thresholds, and when a deviation is found the DDoS mitigation measures start automatically. It protects against the most common volumetric attacks, such as DNS floods. The paid tier adds protection for network and application layer attacks against resources deployed in the VNet, collects comprehensive telemetry for dashboards and alerting, and provides application layer protection through the Application Gateway WAF with custom filtering rules. The overall infrastructure is designed to withstand an attack of over 25 Tbps. Azure also offers service credits for the scale-out costs incurred during a documented DDoS attack, so customers are insured against exorbitant bills caused by an attack. Third-party protection services (e.g. Barracuda, F5 Networks, Incapsula) are available through the Azure Marketplace.
GCP (Google Cloud Platform)
Google Cloud Platform's DDoS offering is called Cloud Armor. It manages DDoS protection for customers through its integration with the HTTP(S) and proxy load balancers, which lets Google's edge absorb and mitigate most network-level attacks, e.g. SYN floods. It lets you allow-list or deny IP ranges, configure security policies and write custom rules for traffic filtering. For additional protection, customers can put Cloud CDN in front of the service to absorb the increased traffic and disperse it across other geographic regions during an attack. GCP also integrates with third-party vendors (e.g. Cloudflare, Incapsula) for more comprehensive DDoS solutions; some of these are discussed in the next section.
Upstream protection by third-party providers
Besides the services provided by the cloud providers, customers can buy additional services from third-party providers which integrate with either cloud or on-prem infrastructure. Let's look at some of the popular ones:
Akamai
Akamai is considered to have one of the most robust DDoS protection services. There are essentially two broad offerings: Prolexic (for infrastructure-level DDoS attacks) and Kona Site Defender / Kona DDoS Defender (for web application DDoS attacks). Together they provide three kinds of service: DDoS scrubbing, cloud-based DNS, and CDN-based web delivery. The scrubbing service uses BGP to route the customer's network traffic through Akamai's global scrubbing centers, where it is inspected and any identified DDoS traffic is removed before clean traffic is returned. The cloud-based DNS service is claimed to improve response times by more than 75% and is built to withstand very large DNS flooding attacks. Akamai played a significant role in mitigating the February 2018 GitHub DDoS attack, the largest recorded at the time of writing.
Cloudflare
Cloudflare also offers a robust set of DDoS capabilities, backed by a network it states can absorb 25 Tbps. Its Spectrum service extends the protection beyond HTTP to arbitrary TCP (and UDP) ports: traffic to your service is addressed to Cloudflare's anycast edge, so the origin's address is never exposed and there is no direct path to it from the internet. All traffic is proxied through Cloudflare's data centers, filtered and analyzed, and only then forwarded to your site or data center, optionally over a secure tunnel. Traffic is spread across 100+ data centers around the globe to dilute the attack, with always-on protection for application and network layer attacks, anomaly detection, and rate limiting for applications. It also provides a Web Application Firewall (WAF) with custom rules for fine-grained control of the traffic. The pricing model charges only for the "good" traffic that reaches you, not for the attack traffic that is discarded. Cloudflare also provides an anycast managed DNS service with DNSSEC; it is the anycast DNS network that absorbs a DNS flood, while DNSSEC itself protects the integrity of answers (against spoofing and cache poisoning) rather than their availability.
Unintentional DoS
Sometimes a service or a website ends up in a DoS state not because of an external attack but because of misconfiguration and human error. Even though this is less frequent, there have been numerous situations where a human error caused major downtime of sites and services for many people. Here are some of the interesting ones:
Accidental DDoS of USA 911 emergency service
In October 2016 a bug-bounty hunter from the Phoenix, AZ area, while experimenting with an iOS bug, created a link and posted it on Twitter, just for fun, to his more than 20,000 followers. Opening the link on an iPhone made the phone automatically and repeatedly dial the US emergency number, 911. The resulting flood of calls overwhelmed 911 call centers in several states, including Arizona (the Phoenix area).
Pakistan Hijacks YouTube
On 24 February 2008, Pakistan Telecom (AS17557), in response to a government order to block YouTube, started advertising a /24 route that was a more specific slice of YouTube's address space, and the announcement leaked beyond Pakistan. Because BGP prefers the more specific prefix, traffic to that part of YouTube from much of the internet was redirected to Pakistan, causing an "outage" for a huge number of people for about two hours. Even though YouTube's own service was perfectly fine and fully operational, from the customer's perspective the incident was a DoS.
The Great Chinese Firewall Misconfiguration
The Chinese government censors internet sites, which it does partly by making DNS resolution for those sites fail or return bogus addresses. In January 2015 this DNS interception was misconfigured, so that Chinese users' traffic for sites such as Facebook, WordPress, Twitter, Tumblr and TripAdvisor was redirected to unrelated addresses. A few companies at those addresses suddenly received a surge of traffic from Chinese internet users, all of it intended for the sites above. This caused quite a bit of havoc for the companies concerned, several of which mistook it for a DDoS attack on them, which, judging by the effect on their servers, it effectively was.
TTNet In Turkey pretended to be the whole internet
On 24 December 2004, Turkish Telecom (TTNet, AS9121) advertised itself as the "internet": it announced the best path to essentially everything on the Internet. Telecom Italia Seabone (AS6762) unfortunately accepted most of those paths as the best ones and suddenly shifted all of its traffic for those destinations (Amazon, Microsoft, Yahoo, CNN, BBC, etc.) to TTNet, which could not carry it. As a result, for many internet users a huge chunk of the internet was inaccessible for a couple of hours.