A DDoS attack affects not only the targeted service, but
also legitimate users of that service and all of the systems infected with the
malware used to participate in the attack.
We’ve all heard about DDoS attacks in the news, from the
infamous 2016 Mirai botnet attack that took out much of the Eastern United
States, to the recent record-breaking attack against GitHub. In this blog post,
I’ll explain exactly what a DDoS attack is and share some of the ways you can
protect against and mitigate those attacks.
Imagine a busy night club. Someone pulls the fire alarm and
runs around yelling, “FIRE!” Immediately, hundreds of people call 911 all at
once. The phone lines are flooded, and dispatchers race to answer each call.
Simultaneously, there is a legitimate emergency across town, but citizens
reporting that emergency are unable to reach 911 operators, because they are
scrambling to handle the onslaught of fraudulent calls from the night club.
This is similar to a DDoS attack, where legitimate resource
requests are blocked while systems try to handle large amounts of
legitimate-looking but phony traffic.
Any online service can be hit, but financial, gaming, and news sites are
frequent targets. Typically, the perpetrator is attempting to send a message,
political or otherwise, by blocking access to information. Attackers range
from individuals, DDoS-for-hire services, and cyber-vandals to organized crime
rings and government agencies. Sometimes a denial of service is completely
accidental, caused by poor code, outdated systems, or the timing of events.
Motivations vary and include boredom, extortion, rivalry, business
competition, political and social protest, and retaliation.
In the case of the 2016 Mirai botnet attack, the original
motivation was actually online gaming and financial gain, although the Mirai
bot code was likely used for other reasons, which may never be known.
It’s worth noting that unless you have a host acting as part of the botnet,
your data and information are typically not at risk during a distributed
denial-of-service attack — only your access to it. However, an attack may
overwhelm or distract network and security teams, opening a window of
opportunity for a criminal to compromise systems in other ways and steal
information. This is the real danger: a more specific, targeted attack
intended to access systems and extract data may be hiding behind the DDoS
attack currently being mitigated.
Who are the players in a DDoS attack?
Attackers or malicious actors: Obviously, there is the person or people
perpetrating the attack, and they use a device to orchestrate it. This can be
the attacker’s cell phone, laptop, desktop, or any other connected device.
They may write the code used to infect the bots themselves, or use someone
else’s code.
Command-and-control server: The attacker must first find a
master system to use as the command-and-control server. This system is usually
vulnerable due to missing patches or weak security. The attacker can infect
this master with malware or use other means to hack into the system. Once they
have control of the system, the attacker can then set up a botnet — a network
of other vulnerable systems that the perpetrator can control from the
command-and-control server.
Botnet and bots: A botnet is a network of online hosts (often called bots or
zombies) that have been infected by malware, allowing the attacker, via the
command-and-control server, to instruct these hosts to send high volumes of
traffic to the targeted service. The botnet acts as an army commanded by the
command-and-control server and attacker. These bots can be anything from cell
phones, laptops, routers, and servers, to Internet of Things (IoT) devices like
security cameras and home automation devices. Typically, the bots are
distributed around the globe using different service providers. By distributing
the source of the traffic and using real host machines, the traffic generated
looks legitimate, making it very hard to identify and filter malicious traffic
from legitimate traffic. Furthermore, the attacker isn’t actually breaching any
security protocols of the targeted service, since all the traffic is coming in
via legitimate methods.
As a side-note, once a botnet has been created, it can be
used for other purposes like click-bot schemes. Existing botnets can be rented
as well, reducing the time it takes for a perpetrator to stage his or her
attack. By utilizing a botnet, the actual attacker is very difficult to
identify and track down due to the volume of systems participating.
Target:
These are the services, applications, or networks that are being targeted by
the DDoS attack. The attack can cause outages or slow response times, leading
to angry customers, stressed employees, brand damage, and large revenue losses,
along with other problems. Emergency and communication services, the relaying
of news, monetary transactions, and other services are often affected.
The good guys: So,
who are the good guys? Are there any? Well, yes.
There are government agencies, services, and public and
private companies that study attacks and develop protection and mitigation
techniques. There are various ways this is done: computer forensics,
honeypots (systems designed to appear vulnerable to attackers so that their
activity can be observed), monitoring of normal and abnormal internet traffic,
and threat intelligence.
What kind of DDoS attacks are there and how do they work?
Different distributed denial-of-service attack techniques
exhaust or saturate the targeted system in different ways. There are three
common types of attacks: volumetric attacks, protocol attacks, and application
attacks. Each of these can last anywhere from minutes to months and can range
from an unnoticeable amount of traffic to more than the highest throughput on
record, reported at 1.35 terabits per second.
Volumetric attacks
Volumetric attacks saturate the bandwidth used by the
targeted systems. This technique is the most common and the simplest for
attackers to perform. Often, attackers use amplification techniques to generate
this traffic to avoid needing an extremely large number of resources.
Amplification attacks utilize large responses to small requests, amplifying
the traffic that floods the target. This is often combined with spoofing the
source address of the request so that the response is delivered to the victim
instead of the sender, a technique known as reflection (or a reflection
attack). For instance, by spoofing the source IP of a DNS request, an attacker
can trick DNS servers into sending their responses to the target instead of
the originator. Since the request sent to the DNS server is small, but the
response sent to the victim is large, the attacker is using reflection to
amplify the volume of traffic sent to the target.
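The reflection pattern described above has a simple defensive signature at the victim’s edge: replies from DNS (or other UDP request/response) servers that no host on your network ever queried. The following Python script is an added example, not code from this post; it works over constructed flow records (the kind of data NetFlow/IPFIX or a capture would supply, with the field names assumed here) and pairs each outbound request with its reply so that unmatched inbound replies stand out. NTP on port 123 is included as an assumption to show that the check generalises beyond DNS.

```python
"""Spot reflected, unsolicited UDP responses arriving at a protected host.

Added example for this post (not the author's code). The flow records are
constructed for illustration; in practice they would come from NetFlow/IPFIX
or a packet capture at the edge. "dir" is the direction seen from the
protected host: "out" = the host sent it, "in" = the host received it.
"""

# UDP services commonly abused as reflectors. DNS is the one the post
# discusses; NTP is an assumption added to show the check generalises.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP"}

# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    # A normal exchange: our host asks its resolver and gets a modest reply.
    {"dir": "out", "src": "10.0.0.5", "dst": "192.0.2.53", "sport": 40001, "dport": 53, "bytes": 60},
    {"dir": "in", "src": "192.0.2.53", "dst": "10.0.0.5", "sport": 53, "dport": 40001, "bytes": 120},
    # Large replies from resolvers we never queried, aimed at a port we use
    # for something else entirely: the reflection pattern.
    {"dir": "in", "src": "198.51.100.10", "dst": "10.0.0.5", "sport": 53, "dport": 443, "bytes": 3000},
    {"dir": "in", "src": "198.51.100.11", "dst": "10.0.0.5", "sport": 53, "dport": 443, "bytes": 2800},
    {"dir": "in", "src": "198.51.100.12", "dst": "10.0.0.5", "sport": 53, "dport": 443, "bytes": 3100},
    {"dir": "in", "src": "198.51.100.13", "dst": "10.0.0.5", "sport": 53, "dport": 443, "bytes": 2900},
    {"dir": "in", "src": "198.51.100.20", "dst": "10.0.0.5", "sport": 123, "dport": 443, "bytes": 468},
]


def unsolicited_responses(flows):
    """Return inbound replies from reflector ports that match no outbound request.

    A request is keyed by (server, our ephemeral port); its reply arrives from
    that server to that port. Any other reply from a reflector port is
    unsolicited.
    """
    outstanding = set()
    unsolicited = []
    for f in flows:
        if f["dir"] == "out" and f["dport"] in REFLECTOR_PORTS:
            outstanding.add((f["dst"], f["sport"]))
        elif f["dir"] == "in" and f["sport"] in REFLECTOR_PORTS:
            key = (f["src"], f["dport"])
            if key in outstanding:
                outstanding.discard(key)  # legitimate reply, consume the request
            else:
                unsolicited.append(f)
    return unsolicited


def reflection_summary(flows):
    """Aggregate the unsolicited replies per service for an alert decision."""
    summary = {}
    for f in unsolicited_responses(flows):
        svc = REFLECTOR_PORTS[f["sport"]]
        s = summary.setdefault(svc, {"packets": 0, "bytes": 0, "reflectors": set()})
        s["packets"] += 1
        s["bytes"] += f["bytes"]
        s["reflectors"].add(f["src"])
    return summary


def is_reflection_attack(summary, min_reflectors=3, min_bytes=5000):
    """Alert only when a service shows several distinct reflectors and real
    volume; a single stray reply is normal internet noise."""
    return any(len(s["reflectors"]) >= min_reflectors and s["bytes"] >= min_bytes
               for s in summary.values())


if __name__ == "__main__":
    result = reflection_summary(SAMPLE_FLOWS)
    for svc, s in result.items():
        print(f"{svc}: {s['packets']} unsolicited replies, {s['bytes']} bytes, "
              f"{len(s['reflectors'])} distinct reflectors")
    print("reflection attack suspected" if is_reflection_attack(result) else "nothing unusual")
```

This sees only the victim’s side: the unsolicited replies are already on your link, so the output is evidence to hand to your provider for upstream filtering rather than a local fix. The mitigation that removes the problem at its root is source-address validation (BCP 38) at the networks that let spoofed packets out in the first place.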
Using the metaphor above, if there were enough people in the
night club to saturate the phone system with their calls, causing legitimate
callers to experience lower quality calls or the inability to place a call at
all, it would be like a volumetric attack.
Protocol attacks
Protocol attacks utilize weaknesses in Layer 3 or Layer 4 of the OSI model:
they consume memory, processor capacity, and other resources on the targeted
system and on the network equipment between it and the end user, until that
equipment or those networks are overwhelmed.
In our 911 example above, this would be analogous to the
operators answering each call and putting them on hold as they answer more
calls. Eventually, all of the lines are filled with on-hold callers and calls
end up being dropped.
Application attacks
Application layer attacks are the most effective and can be very difficult to
detect and mitigate. These attacks do not necessarily use a large amount of
traffic compared to the other types. The target is a specific function of the
server or application. All of the traffic appears normal, so the application
tries to respond to each request and gets overwhelmed.
If the operators in the 911 metaphor above responded the
same way to each call, treating the non-emergency and non-legitimate calls the
same as emergency calls (i.e. not re-routing them to a non-emergency number),
they would be overloaded and legitimate emergency calls would go unanswered.
Other types of DDoS attacks
More recently, attackers have been employing multiple attack vectors at the
same time, making attacks more difficult to defend against. These are called
advanced persistent denial-of-service (APDoS) attacks. Furthermore, DDoS
attacks evolve as technology evolves, making it hard for defenders to keep up.
For example, the adoption of IoT devices has given attackers an increasing
number and variety of internet-connected devices to exploit, meaning that even
your smart light bulb or smart toothbrush could become part of a botnet.
Additionally, a target’s service provider may be attacked instead of the
target itself, making it harder to pinpoint the cause and even the intended
target. This affects a much larger audience, since many unintended systems and
services are hit as well.
In the future, malware code developers will likely use
artificial intelligence and machine learning to enable them to dynamically
change their attack as it progresses to sidestep mitigation techniques.
Is anyone trying to stop future attacks?
So, you’ve read this far and realized that distributed
denial-of-service attacks cannot be prevented and attacks are continuing to get
worse. Is there any hope? Well, yes. There are various internet intelligence
companies that collect and share data about DDoS attacks. This data can be used
to track down the perpetrators, identify affected hosts and botnets, and
understand the evolution of DDoS attacks. In fact, many peers and competitors
in the industry have joined forces to understand and combat attacks. For
example, last summer’s WireX Botnet was disrupted by the collaboration of
researchers from multiple companies (Akamai, Cloudflare, Flashpoint, Google,
Oracle Dyn, RiskIQ, Team Cymru, and more). This cooperation is a great example
of how these companies and others are working towards improving the quality of
the internet for everyone.
How can I protect my service from a DDoS attack?
There are a number of ways you can protect your service and
prepare for DDoS attacks.
· Review your application architecture, and analyze stress points, user capabilities, and failover options.
· Consider using third-party testing tools or services to simulate attacks and gain insight into weak points.
· Monitor relevant normal traffic so you can see when abnormalities occur.
· Observe social media and the news for hints of upcoming attacks or threats, especially if your services relate to controversial topics.
· Prepare a response plan with clear procedures, communication, and customer support plans, and ensure the team is trained to minimize the impact.
· Take advantage of alerting tools to notify the team when there are unexpected traffic patterns, connectivity issues, or application events. Incorporate these into your response plan.
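Two of the items above, monitoring normal traffic so that abnormalities stand out and alerting on unexpected traffic patterns, can be demonstrated together. The Python below is an added example, not code from this post: it parses Common Log Format web access logs (constructed sample lines, not real traffic), builds a per-minute request baseline from minutes you declare normal, and raises alerts when a later minute’s request rate is far above that baseline or when one path or one client dominates the minute, which is the footprint the post describes for an application-layer attack. The thresholds, the minute bucketing, and the field names are all choices made here.

```python
"""Rate-baseline alerting over web access logs.

Added example for this post (not the author's code). Log lines are
constructed in Common Log Format; thresholds are illustrative.
"""
import re
from collections import Counter
from statistics import mean, pstdev

# Common Log Format prefix: client, identd, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["minute"] = rec["ts"].rsplit(":", 1)[0]  # drop seconds and zone
    return rec


def _constructed_lines(minute, n, ips, paths):
    """Build n sample log lines for one minute (constructed data, not captured)."""
    return [
        f'{ips[i % len(ips)]} - - [10/Oct/2018:{minute}:{i % 60:02d} +0000] '
        f'"GET {paths[i % len(paths)]} HTTP/1.1" 200 512'
        for i in range(n)
    ]


NORMAL_IPS = [f"203.0.113.{i}" for i in range(1, 41)]
BOT_IPS = [f"198.51.100.{i}" for i in range(1, 6)]
NORMAL_PATHS = ["/", "/news", "/login", "/about"]

# Five quiet minutes, then one minute of a small set of clients hammering
# a single expensive endpoint, plus one unparseable line to show it is skipped.
SAMPLE_LOG = (
    _constructed_lines("13:50", 10, NORMAL_IPS, NORMAL_PATHS)
    + _constructed_lines("13:51", 12, NORMAL_IPS, NORMAL_PATHS)
    + _constructed_lines("13:52", 11, NORMAL_IPS, NORMAL_PATHS)
    + _constructed_lines("13:53", 9, NORMAL_IPS, NORMAL_PATHS)
    + _constructed_lines("13:54", 13, NORMAL_IPS, NORMAL_PATHS)
    + _constructed_lines("13:55", 80, BOT_IPS, ["/search?q=expensive"])
    + ["this line is garbage and should be skipped"]
)
BASELINE_MINUTES = [f"10/Oct/2018:13:5{i}" for i in range(5)]


def bucket_by_minute(lines):
    """Group parsed records by minute; unparseable lines are skipped, not fatal."""
    buckets = {}
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            buckets.setdefault(rec["minute"], []).append(rec)
    return buckets


def baseline_stats(buckets, baseline_minutes):
    """Mean and spread of requests per minute over the declared-normal window."""
    counts = [len(buckets.get(m, [])) for m in baseline_minutes]
    # Floor the spread so a perfectly flat baseline does not alert on +1 request.
    return mean(counts), max(pstdev(counts), 1.0)


def check_minute(records, base_mean, base_std, z_threshold=3.0, share_threshold=0.5):
    """Alerts for one minute: rate far above baseline, or one path/client dominating."""
    alerts = []
    n = len(records)
    z = (n - base_mean) / base_std
    if z > z_threshold:
        alerts.append(f"rate: {n} requests, z={z:.1f} over baseline mean {base_mean:.1f}")
    if n:
        top_path, c = Counter(r["path"] for r in records).most_common(1)[0]
        if c / n > share_threshold:
            alerts.append(f"path concentration: {top_path} is {c / n:.0%} of requests")
        top_ip, c = Counter(r["ip"] for r in records).most_common(1)[0]
        if c / n > share_threshold:
            alerts.append(f"client concentration: {top_ip} is {c / n:.0%} of requests")
    return alerts


def analyze(lines, baseline_minutes):
    """Map each minute in the log to its list of alerts (empty when normal)."""
    buckets = bucket_by_minute(lines)
    base_mean, base_std = baseline_stats(buckets, baseline_minutes)
    return {m: check_minute(recs, base_mean, base_std) for m, recs in sorted(buckets.items())}


if __name__ == "__main__":
    for minute, alerts in analyze(SAMPLE_LOG, BASELINE_MINUTES).items():
        print(minute, "OK" if not alerts else "; ".join(alerts))
```

Tune z_threshold and share_threshold against your own history before wiring this into a pager: a product launch or a news mention also produces a rate spike, and the concentration checks are what help tell a flash crowd from a small botnet aimed at one expensive endpoint.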
Evaluate and consider using services offered by your providers or other
industry experts to protect against and minimize the impact of DDoS attacks.
There are a number of companies skilled in DDoS defense and mitigation
including, but not limited to, Oracle Dyn, Akamai, Cloudflare, Arbor Networks,
Imperva, and F5. These companies provide research and services to protect
against and mitigate attacks. By utilizing a variety of solutions, such as DDoS
detection, emergency mitigation, vulnerability detection, network penetration
and load testing, real-time traffic analysis, volume absorption, web
application firewalls, distributed content delivery networks, malicious bot
detection, and artificial intelligence and machine learning algorithms, you
can significantly reduce the impact a DDoS attack may have on your service.
While it’s impossible to completely prevent distributed
denial-of-service attacks, there are multiple ways to protect services and to
mitigate any attacks that do happen. Learn as much as you can about the area,
prepare a clear plan, and utilize protection services to give your services a
leg up. While diligence is necessary, also be secure in knowing that many
players in the industry are doing everything they can to keep the internet
running smoothly.