DDoS attacks are on the rise and growing more complex. A majority of respondents in a recent survey from Neustar indicate a service outage would cost their companies $10,000 or more per hour in lost revenues. Follow these tips to mitigate an attack against your organization.
The hactivist group Izz ad-Din al-Qassam Cyber Fighters is several weeks into Operation Ababil 2, and, as promised, is once again directing distributed denial-of-service (DDoS) attacks at U.S. banks. The group has vowed to continue disrupting online and mobile banking sites until all instances of the movie “Innocence of Muslims” are removed from YouTube.
Numerous banks have been attacked in recent weeks, including PNC Bank, Fifth Third, HSBC, JPMorgan Chase, Citibank and others. For the financial institutions, it’s déjà vu all over again, as they were similarly attacked last September and October. The banks have all suffered daylong slowdowns and, at times, complete outages. Security experts say these are the largest cyberattacks they’ve ever seen.
It’s disturbing that this second round of attacks has had even a modicum of success in disrupting banking services. After all, the banks were forewarned that the DDoS attacks would be coming, and thus they had ample time to put preventive measures in place. There are anti-DDoS technologies that can mitigate these types of attacks and lessen the effects on the victim businesses.
Every company with a website and any type of online service should take notice of these attacks; they aren’t exclusive to financial institutions. DDoS attacks can be initiated by anyone with a motivation and a few dollars. In fact, it’s incredibly easy for anyone to get DDoS as a service. There’s a series of advertisements running on YouTube for something called “Gwapo’s Professional DDoS Service.” These ads boldly describe how “Gwapo” will perform a denial of service against any target website for a fee. The cost depends on the strength and duration of the desired attack. Gwapo simply aims a botnet at the target website and fires excessive traffic to achieve the objective of an outage.
Why would someone attack a website? Some people, like Cyber Fighters, use DDoS to make a political statement. Others do it to extort money, holding the website hostage via an outage until a ransom is paid. Unscrupulous people use DDoS to disable a competitor. Some security experts believe that DDoS attacks are often a smokescreen to cover up other illicit activity. While administrators are focused on getting their website functioning again, the perpetrator is planting malware or stealing information. In fact, this proved to be the case in some of the earlier attacks on the U.S. banks.
How can you protect your company’s Web presence? Here are a few tips on what you can do now to head off a potential problem later.
* Don’t count on a firewall to prevent or stop a DDoS attack. The first step is to recognize that your firewall is insufficient protection against the types of DDoS attacks that are increasingly common today. Even a next-generation firewall that claims to have DDoS protection built-in cannot deal with all types of attacks. The best protection against DDoS attacks is a purpose-built device or service that scrutinizes inbound traffic before it can hit your firewall or other components of the IT infrastructure. This type of solution has one mission: to prevent excessive or malicious traffic from making your Web-based applications inaccessible to legitimate customers or users.
* Bake DDoS into your business continuity and disaster recovery plan. Your company probably has a business continuity/disaster recovery (BC/DR) plan that outlines what to do in the event of some sort of business interruption or outage. You need to include procedures for DDoS mitigation in this plan. This will help to minimize any delay in responding to an attack and help assure that your company executives will commit the necessary resources for prevention and mitigation.
* Know the signs of an active attack. Not all disruptions to service are the result of a denial-of-service attack. There may be technical problems with a particular network, or system administrators may be performing maintenance. However, the United States Computer Emergency Readiness Team (US-CERT) advises that the following symptoms could indicate a DDoS attack:
- Unusually slow network performance (opening files or accessing websites)
- Unavailability of a particular website
- Inability to access any website
- A dramatic increase in the number of spam emails received
* Know your customers and lock out unexpected transactions. Most companies have a limited geography for where they do business — even if that geography is the entire country. If your company isn’t expecting people from, say, Eastern Europe or China to be placing orders via your website, the presence of inbound traffic from those geolocations may indicate trouble. If your anti-DDoS solution has the feature, restrict transactions that originate in locations where you don’t typically do business.
* Measure the financial impact of being offline for a period of time. How much would it cost your company if no Web transactions could take place for four hours? Eight hours? A full day? The cost of an outage varies greatly by company. Calculate what the financial impact would be to your company so that you can justify to executives the expense of DDoS mitigation services.
* If you are the victim of a DDoS attack, look for fraud, data breaches or other criminal activity. Many security experts believe that DDoS attacks may be smokescreens to hide other cybercrimes, including data breaches or financial fraud. Payloads in the attack traffic could be dropping malware on your servers. If your company does experience a DDoS attack, do a very thorough inspection of all system logs to determine if other malicious activities took place during the attack period. If your website supports credit transactions, be especially mindful of your PCI/credit processing environment. Be sure to deploy defenses at the perimeter of your card holder data environment as required by PCI-DSS.
* Know who to call to stop an attack. If you don’t have an anti-DDoS solution in place, then at least know who to contact immediately if you suspect your company is under attack. It’s prudent to explore the dedicated anti-DDoS solutions on the market and decide which vendor/solution provider to call if the need arises. It’s like choosing your doctor before you get sick so you don’t waste valuable time figuring out what to do in emergencies.
DDoS attacks are on the rise. Every good security plan has to include mitigation in order to minimize the effects of a service outage.
Distributed Denial of Service Attack (DDoS) Definition
DDoS stands for “Distributed Denial of Service.” A DDoS attack is a malicious attempt to make a server or a network resource unavailable to users, usually by temporarily interrupting or suspending the services of a host connected to the Internet.
Unlike a Denial of Service (DoS) attack, in which one computer and one Internet connection are used to flood a targeted resource with packets, a DDoS attack uses many computers and many Internet connections, often distributed globally in what is referred to as a botnet.
“And that concludes our DDoS party: Escapist Magazine, Eve Online, Minecraft, League of Legends + 8 phone requests.”
Tweeted by LulzSec – June 14, 2011, 11:07PM
DDoS attacks can be broadly divided into three types:
Specific DDoS Attacks Types
Some specific and particularly popular and dangerous types of DDoS attacks include:
UDP Flood
This DDoS attack leverages the User Datagram Protocol (UDP), a sessionless networking protocol. This type of attack floods random ports on a remote host with numerous UDP packets, causing the host to repeatedly check for the application listening at that port, and (when no application is found) reply with an ICMP Destination Unreachable packet. This process saps host resources, and can ultimately lead to inaccessibility.
ICMP (Ping) Flood
Similar in principle to the UDP flood attack, an ICMP flood overwhelms the target resource with ICMP Echo Request (ping) packets, generally sending packets as fast as possible without waiting for replies. This type of attack can consume both outgoing and incoming bandwidth, since the victim’s servers will often attempt to respond with ICMP Echo Reply packets, resulting in a significant overall system slowdown.
SYN Flood
A SYN flood DDoS attack exploits a known weakness in the TCP connection sequence (the “three-way handshake”), wherein a SYN request to initiate a TCP connection with a host must be answered by a SYN-ACK response from that host, and then confirmed by an ACK response from the requester. In a SYN flood scenario, the requester sends multiple SYN requests, but either does not respond to the host’s SYN-ACK response, or sends the SYN requests from a spoofed IP address. Either way, the host system continues to wait for acknowledgement for each of the requests, binding resources until no new connections can be made, and ultimately resulting in denial of service.
Ping of Death
A ping of death (“POD”) attack involves the attacker sending multiple malformed or malicious pings to a computer. The maximum packet length of an IP packet (including header) is 65,535 bytes. However, the Data Link Layer usually poses limits to the maximum frame size – for example 1500 bytes over an Ethernet network. In this case, a large IP packet is split across multiple IP packets (known as fragments), and the recipient host reassembles the IP fragments into the complete packet. In a Ping of Death scenario, following malicious manipulation of fragment content, the recipient ends up with an IP packet which is larger than 65,535 bytes when reassembled. This can overflow memory buffers allocated for the packet, causing denial of service for legitimate packets.
Slowloris
Slowloris is a highly-targeted attack, enabling one web server to take down another server, without affecting other services or ports on the target network. Slowloris does this by holding as many connections to the target web server open for as long as possible. It accomplishes this by creating connections to the target server, but sending only a partial request. Slowloris constantly sends more HTTP headers, but never completes a request. The targeted server keeps each of these false connections open. This eventually overflows the maximum concurrent connection pool, and leads to denial of additional connections from legitimate clients.
NTP Amplification
In NTP Amplification attacks the perpetrator exploits publicly-accessible Network Time Protocol (NTP) servers to overwhelm the targeted server with User Datagram Protocol (UDP) traffic. In an NTP amplification attack, the query-to-response ratio is anywhere between 1:20 and 1:200 or more. This means that any attacker that obtains a list of open NTP servers (e.g., by using a tool like Metasploit or data from the Open NTP Project) can easily generate a devastating high-bandwidth, high-volume DDoS attack.
HTTP Flood
In an HTTP flood DDoS attack the attacker exploits seemingly-legitimate HTTP GET or POST requests to attack a web server or application. HTTP floods do not use malformed packets, spoofing or reflection techniques, and require less bandwidth than other attacks to bring down the targeted site or server. The attack is most effective when it forces the server or application to allocate the maximum resources possible in response to each single request.
Zero-day DDoS Attacks
Zero-day attacks are simply unknown or new attacks, exploiting vulnerabilities for which no patch has yet been released. The term is well-known amongst the members of the hacker community, where the practice of trading Zero-day vulnerabilities has become a popular activity.
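As an added illustration of the SYN flood mechanics described above (example code written for this page, not taken from the original article), the following Python replays constructed handshake records and flags both patterns the text mentions: one source that never completes its handshakes, and spoofed sources that each leave only a single half-open connection. The record format, the thresholds and the addresses are assumptions made for this example.

```python
from collections import defaultdict

# Constructed packet records (not captured traffic): (src_ip, src_port, flags),
# where "S" is the client's SYN, "SA" the server's SYN-ACK and "A" the client's
# completing ACK. Addresses are taken from the RFC 5737 documentation ranges.
SAMPLE_PACKETS = (
    # Two legitimate connections that complete the three-way handshake
    [("203.0.113.5", 40001, "S"), ("203.0.113.5", 40001, "SA"), ("203.0.113.5", 40001, "A"),
     ("203.0.113.5", 40002, "S"), ("203.0.113.5", 40002, "SA"), ("203.0.113.5", 40002, "A")]
    # One host that sends SYNs and never answers the SYN-ACK
    + [p for port in range(50001, 50006)
       for p in (("198.51.100.9", port, "S"), ("198.51.100.9", port, "SA"))]
    # Ten spoofed sources, one SYN each: the per-source count never exceeds 1
    + [p for i in range(1, 11)
       for p in ((f"192.0.2.{i}", 4444, "S"), (f"192.0.2.{i}", 4444, "SA"))]
)

def connection_states(packets):
    """Replay the handshake per (src_ip, src_port) and return each final state."""
    state = {}
    for src_ip, src_port, flags in packets:
        key = (src_ip, src_port)
        if flags == "S":
            state[key] = "SYN"
        elif flags == "SA" and state.get(key) == "SYN":
            state[key] = "HALF-OPEN"          # SYN-ACK sent, waiting for the ACK
        elif flags == "A" and state.get(key) == "HALF-OPEN":
            state[key] = "ESTABLISHED"
    return state

def half_open_by_source(packets):
    """Count half-open connections per source address."""
    counts = defaultdict(int)
    for (src_ip, _), st in connection_states(packets).items():
        if st == "HALF-OPEN":
            counts[src_ip] += 1
    return dict(counts)

def syn_flood_summary(packets, per_source_threshold=3, ratio_threshold=0.5):
    """Flag a flood either by one source holding many half-open slots or, for the
    spoofed-source case, by the share of all attempts that were left half-open."""
    states = connection_states(packets)
    half_open = sum(1 for st in states.values() if st == "HALF-OPEN")
    attempts = len(states)
    ratio = half_open / attempts if attempts else 0.0
    suspects = sorted(ip for ip, n in half_open_by_source(packets).items()
                      if n >= per_source_threshold)
    return {"attempts": attempts, "half_open": half_open,
            "half_open_ratio": round(ratio, 2), "suspects": suspects,
            "flood": bool(suspects) or ratio >= ratio_threshold}
```

The per-source count alone misses the spoofed case, which is why the summary also reports the overall half-open ratio.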
Sources of DDoS Attacks
DDoS attacks are quickly becoming the most prevalent types of attacks, growing rapidly in the past year in both number and volume, according to recent market research. The trend is towards shorter attack duration, but bigger packet-per-second attack volume, and the overall number of attacks reported has grown markedly, as well.
During Q4 2011, one survey found 45% more DDoS attacks than in the same period of 2010, and over double the number of attacks observed during Q3 2011. The average attack bandwidth observed during this period was 5.2 Gbps, which is 148% higher than the previous quarter.
Another survey of DDoS attacks found that more than 40% of respondents experienced attacks that exceeded 1 Gbps in bandwidth in 2013, and 13% were targeted by at least one attack that exceeded 10 Gbps.
From a motivational perspective, recent research found that ideologically motivated DDoS attacks are on the rise. The research also mentioned financial reasons (e.g., competitive feuds) as another common reason for such attacks.
There’s a great variety of attacks and hacks that black hats can perpetrate on your network. Fortunately, you can prevent most of them using an assortment of security measures.
However, a distributed denial-of-service attack (DDoS) is an entirely different story. You can’t thwart a DDoS attack — they attack an IP address or service that’s available to the Internet.
If you can’t prevent such an attack, what can you do to protect your organization? You need to better understand it by learning the three phases of a DDoS attack and learn how to quickly mitigate the attack’s effects.
Understand the attack
A DDoS attack usually entails three different phases. Target acquisition is the first phase: A black hat scouts or recons a network and picks a target IP address. The target can be a Web server, DNS server, Internet gateway, etc. The reason for selection could be financial (someone is paying the attacker), or it could be just for malicious fun.
The next phase is the groundwork phase. During this phase, the attacker compromises a large number of unsecured machines (typically home user machines with DSL or cable connections). He or she then installs software on each machine that the attacker will later use to target your network.
The final phase is the actual attack. The attacker sends a command to each of the compromised hosts (i.e., zombies) and commands them to flood the target with packets, overwhelming the service or choking the bandwidth to a crawl.
A really smart black hat will also command the zombies to forge the source address of their attack packets and insert the target’s IP address as the source — known as a reflector attack. Servers and routers that see these packets will forward (or reflect) replies directly to the source address of the packet (i.e., straight to the target).
Again, you can’t prevent a DDoS attack, but understanding it better will help you mitigate the effects once one begins.
Mitigate the effects
Ingress filtering is a simple strategy that all networks (I hope ISPs are listening) should employ. At the border of your network (i.e., every router that directly connects to an outside network), there should be a routing statement that directs all inbound traffic with a source IP address owned by that network to null. While ingress filtering won’t prevent a DDoS attack, it can prevent a DDoS reflector attack from overwhelming a machine or network.
However, large ISPs seem to be reluctant to implement ingress filtering for some reason. Because of that, you’ll need an alternative to help mitigate DDoS attacks. The current best strategy is the backscatter traceback method.
The first step to this strategy is to recognize that the problem is an external DDoS attack — not an internal network or routing problem. Next, configure all of the external interfaces on your routers to reject all traffic with a destination of the target for the DDoS attack.
In addition, you should already have configured your external router interface to route to null all inbound packets with an unallocated source address. For example:
- 10.0.0.0 – 10.255.255.255
- 172.16.0.0 – 172.31.255.255
- 192.168.0.0 – 192.168.255.255
Each router configured to reject the packets will send an Internet Control Message Protocol (ICMP) “destination unreachable” error message packet back to the source IP address contained in the rejected packet.
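The two border-router rules described above (ingress filtering of your own source addresses, and null-routing unallocated or private sources) expressed as a decision function, as an added example that is not code from the original article. The owned prefix, the interface labels and the sample batch are assumptions made for this example; a real deployment would express the same policy as router configuration.

```python
import ipaddress

# Constructed example values: the prefix "this network" owns comes from the
# RFC 5737 documentation range and is not a real assignment.
OWN_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Sources that should never arrive on an external interface: the three private
# ranges listed above plus a few other never-routable blocks.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4",
)]

def ingress_verdict(src_ip, interface="external", own_prefixes=OWN_PREFIXES):
    """Decide what a border router does with a packet based on its source address.

    Both rules apply only on external interfaces. Rule 1 is the ingress filter
    from the text: a packet arriving from outside whose source is one of our own
    addresses can only be forged, which is the pattern a reflector attack relies
    on. Rule 2 null-routes the unallocated and private sources. Everything else
    is accepted for normal routing.
    """
    if interface != "external":
        return "accept"
    addr = ipaddress.ip_address(src_ip)
    if any(addr in p for p in own_prefixes):
        return "null-route:spoofed-own-address"
    if any(addr in p for p in BOGON_PREFIXES):
        return "null-route:bogon-source"
    return "accept"

def apply_to_batch(packets):
    """Tally verdicts for a batch of (src_ip, interface) pairs, e.g. a sampled feed."""
    tally = {}
    for src_ip, interface in packets:
        verdict = ingress_verdict(src_ip, interface)
        tally[verdict] = tally.get(verdict, 0) + 1
    return tally

# Constructed sample: one forged packet claiming our own address, one private
# source, one legitimate external client and one internal host seen inside.
SAMPLE_BATCH = [
    ("203.0.113.7", "external"),
    ("10.1.2.3", "external"),
    ("198.51.100.4", "external"),
    ("203.0.113.7", "internal"),
]
```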
Next, start sampling your router logs to determine which of your external routers is routing the most DDoS traffic. You also want to identify which IP blocks are your biggest offenders. On those routers, adjust the routing statements to “black-hole” the IP blocks, and adjust the network masks to isolate only the offending IP addresses.
Look up who owns that network block. Contact your ISP and the owner’s ISP to inform them of what’s going on and ask for assistance. They might help or they might not, but it only costs a phone call.
Network service should be available but congested for legitimate traffic. You can remove all of your router reject statements except the ones on the border routers facing the attacking networks. If your ISP and the upstream ISP from the attacking network put up any network blocks, your inbound traffic should normalize quickly.
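The log-sampling steps above (find the router carrying the most attack traffic, find the biggest offending blocks, then narrow the mask to the offending hosts) as an added worked example; this is not code from the original article. The log line format is a hypothetical key=value layout, not any vendor's syntax, and the sample lines, addresses and share thresholds are constructed for this example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of sampled border-router log lines in a hypothetical
# key=value format (not any vendor's syntax); addresses are RFC 5737 ranges.
SAMPLE_LOG = """\
router=border-1 src=198.51.100.17 dst=203.0.113.10 bytes=1500
router=border-1 src=198.51.100.17 dst=203.0.113.10 bytes=1500
router=border-1 src=198.51.100.17 dst=203.0.113.10 bytes=1500
router=border-1 src=198.51.100.23 dst=203.0.113.10 bytes=1500
router=border-1 src=198.51.100.23 dst=203.0.113.10 bytes=1500
router=border-1 src=198.51.100.40 dst=203.0.113.10 bytes=200
router=border-2 src=192.0.2.8 dst=203.0.113.10 bytes=1500
router=border-2 src=192.0.2.9 dst=203.0.113.10 bytes=300
router=border-2 src=192.0.2.77 dst=203.0.113.10 bytes=100
"""
LINE_RE = re.compile(r"router=(\S+) src=(\S+) dst=\S+ bytes=(\d+)")

def parse_log(text):
    """Return (router, src_ip, bytes) tuples; lines that do not match are skipped."""
    matches = (LINE_RE.match(line) for line in text.splitlines())
    return [(m.group(1), m.group(2), int(m.group(3))) for m in matches if m]

def bytes_by_router(records):
    """Step one of the sampling: which border router carries the most attack traffic."""
    totals = Counter()
    for router, _, nbytes in records:
        totals[router] += nbytes
    return totals

def bytes_by_block(records, prefixlen=24):
    """Aggregate sources into /prefixlen blocks to find the biggest offending blocks."""
    totals = Counter()
    for _, src, nbytes in records:
        block = ipaddress.ip_network(f"{src}/{prefixlen}", strict=False)
        totals[str(block)] += nbytes
    return totals

def blackhole_routes(records, block_share=0.5, host_share=0.2):
    """Black-hole the blocks that dominate the sample, then narrow the mask to the
    individual hosts inside them so only the offending addresses are dropped."""
    total = sum(nbytes for _, _, nbytes in records)
    routes = []
    for block, block_bytes in bytes_by_block(records).items():
        if block_bytes / total < block_share:
            continue
        net = ipaddress.ip_network(block)
        hosts = Counter()
        for _, src, nbytes in records:
            if ipaddress.ip_address(src) in net:
                hosts[src] += nbytes
        routes += [f"{h}/32" for h, n in hosts.items() if n / block_bytes >= host_share]
    return sorted(routes)
```

The host-level narrowing is what keeps the low-volume address in the same /24 (a likely legitimate client) reachable while the two heavy senders are dropped.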
DDoS attacks may be nasty and unpreventable, but you can diminish their effects. You just need to act quickly and methodically to find the offending traffic and send it to the bit bucket.