DDoS ATTACKS (Distributed Denial of Service)

Meaning of DDoS: What is DDoS?

A DDoS (Distributed Denial of Service) attack is one class of DoS (Denial of Service) attack. It uses many Internet-connected devices, collectively referred to as a botnet, to overwhelm the target website or service with bogus traffic.

Unlike most other cyber attacks, DDoS attacks do not aim to breach the target: no data is stolen or altered. Their purpose is to prevent legitimate users from reaching the website or servers. A DDoS attack can also serve as a smokescreen for other malicious activity, for example by knocking out security devices (a firewall whose state table is saturated stops inspecting traffic) so that the real target is exposed.

A successful DDoS attack is a highly visible event that affects every user of the service, which makes it a popular weapon for hackers, Internet vandals, extortionists and anyone else who wants attention.

DDoS attacks may come in short bursts or run continuously, but in either case the impact on the website or business can persist for days, weeks or even months as the organization recovers. This is why a DDoS attack can be devastating for any online organization: it can cause lost revenue, undermine customer confidence, force the business to pay heavily in damages and lead to long-term reputational harm.

DoS vs DDoS

There are significant differences between a regular and a distributed DoS attack. In a DoS attack the perpetrator exploits a software vulnerability or floods the target with bogus requests from a single Internet connection, usually to exhaust server resources such as RAM and CPU.

Distributed attacks (DDoS) are launched from many compromised devices, often dispersed across many networks and geographies. The sheer number of sources makes them harder to counter: no single address can be blocked to stop the flood. Whereas a single-source DoS attack typically targets a host, DDoS attacks are usually aimed at the network infrastructure and intended to saturate it with excessive traffic.

The two also differ in how they are carried out. DoS attacks generally use custom scripts or DoS tools, whereas DDoS attacks are launched from botnets: large clusters of devices such as mobile phones, PCs or routers that have been infected with malware allowing an attacker to control them remotely.

DDoS botnets: launching attacks at a large scale

A botnet is a collection of hijacked, network-connected devices that are remotely controlled and used in cyber attacks. Typically these are computers, mobile phones, unsecured IoT devices and even resources rented from public cloud providers. Attackers use malware and other techniques to take over a device and turn it into a "zombie" that becomes part of the botnet.

Botnets make DDoS attacks possible by combining the capacity of many machines and hiding the true source of the traffic. Because the traffic is spread across many sources, it is hard to tell apart from legitimate load, and security tools and teams struggle to detect and block it.

Types of DDoS attacks

DDoS attacks fall into two general categories, application layer attacks and network layer attacks, which differ in both how they unfold and what they aim at.

1. Application layer attacks (layer 7 attacks) can be either DoS or DDoS threats. They aim to overload the server with a large number of requests that are expensive to handle and process. Attack vectors in this category include HTTP floods, slow attacks (e.g., Slowloris or RUDY) and DNS query floods.

Example: a massive DNS flood against a PC gaming website, peaking at 25 million packets per second.

The scale of application layer attacks is typically measured in requests per second (RPS); as few as 50-100 RPS of such expensive requests are enough to paralyze most medium-sized websites.

2. Network layer attacks (layer 3-4 attacks) are almost always DDoS attacks, and their aim is to saturate the "pipes" that connect the target network to the Internet. Attack vectors in this category include UDP floods, SYN floods, NTP amplification, DNS amplification and others.

Any of them can make servers unreachable while also causing serious operational damage, such as suspension of hosting accounts and large bills for exceeding bandwidth quotas.

Network layer attacks almost always involve very high traffic volumes, measured in gigabits per second (Gbps) or packets per second (PPS). The largest can reach hundreds of Gbps, but 20-40 Gbps is enough to take down most network infrastructures completely.
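To make the resource-exhaustion point concrete, here is an added example (not code from the original page) of the classic defense against one of the vectors listed above, the SYN flood: a stateless SYN cookie modeled on the Linux kernel's scheme. Instead of allocating a half-open connection entry for every SYN it receives, the server encodes everything it needs into the initial sequence number of its SYN-ACK and only creates connection state when a valid ACK comes back. The secret key, the MSS table, the 64-second counter period and the addresses are assumptions for the example, and the bit layout is simplified relative to the kernel's.

```python
import hashlib
import hmac
import socket
import struct

# Assumed for the example: a real server rotates this secret periodically.
SECRET = b"example-syn-cookie-secret"
MSS_TABLE = (536, 1300, 1440, 1460)   # MSS values encodable in the cookie's 3-bit field
COUNTER_PERIOD = 64                    # seconds per counter tick; a cookie is valid for two ticks
COUNTER_MASK = 0x1F                    # 5-bit counter in the top bits of the ISN


def _counter(now):
    return int(now // COUNTER_PERIOD) & COUNTER_MASK


def _mac(src_ip, src_port, dst_ip, dst_port, client_isn, count):
    """24-bit keyed hash over the connection 4-tuple, the client's ISN and the counter tick."""
    msg = struct.pack("!4sH4sHII", socket.inet_aton(src_ip), src_port,
                      socket.inet_aton(dst_ip), dst_port, client_isn, count)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, mss, now):
    """Server ISN for the SYN-ACK: counter (5 bits) | MSS index (3 bits) | MAC (24 bits).
    Nothing about the half-open connection has to be stored on the server."""
    mss_idx = 0
    for i, value in enumerate(MSS_TABLE):
        if value <= mss:
            mss_idx = i                               # largest table entry not above the client's MSS
    count = _counter(now)
    return (count << 27) | (mss_idx << 24) | _mac(src_ip, src_port, dst_ip, dst_port, client_isn, count)


def check_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, ack, now):
    """Validate the final ACK of the handshake. Returns the negotiated MSS, or None if the ACK
    does not carry a cookie we issued for this 4-tuple and client ISN within the last two ticks."""
    cookie = (ack - 1) & 0xFFFFFFFF                   # the client acknowledges our ISN + 1
    count = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    if ((_counter(now) - count) & COUNTER_MASK) > 1:
        return None                                   # expired, or a counter value we never issued
    expected = _mac(src_ip, src_port, dst_ip, dst_port, client_isn, count)
    if not hmac.compare_digest(struct.pack("!I", cookie & 0xFFFFFF), struct.pack("!I", expected)):
        return None                                   # forged, or replayed against another 4-tuple
    if mss_idx >= len(MSS_TABLE):
        return None
    return MSS_TABLE[mss_idx]


def flood_demo(now, n_spoofed=10_000):
    """Constructed scenario: n_spoofed SYNs from spoofed sources that never complete the handshake,
    then one real client. Returns (SYNs answered, connections established)."""
    established = []
    for i in range(n_spoofed):
        # Spoofed SYN: answer with a cookie ISN and keep no state; the ACK will never arrive.
        make_syn_cookie(f"198.18.{(i >> 8) & 0xFF}.{i & 0xFF}", 1024 + (i % 60000),
                        "198.51.100.5", 443, i, 1460, now)
    client_isn = 0x7A3B0001
    isn = make_syn_cookie("203.0.113.10", 51515, "198.51.100.5", 443, client_isn, 1460, now)
    mss = check_syn_cookie("203.0.113.10", 51515, "198.51.100.5", 443, client_isn,
                           (isn + 1) & 0xFFFFFFFF, now + 0.3)
    if mss is not None:
        established.append(("203.0.113.10", 51515, mss))   # state is created only now
    return n_spoofed, len(established)


if __name__ == "__main__":
    import time
    answered, established = flood_demo(time.time())
    print(f"answered {answered} spoofed SYNs with zero state; established {established} real connection(s)")
```

The price of the scheme is visible in the code: the server can only remember what fits in 32 bits, so TCP options that do not fit (here anything beyond a coarse MSS) are lost for connections established under flood, which is why real stacks enable cookies only once the SYN backlog overflows.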

Causes of DDoS attacks: motives of attackers

Private individuals, companies and even nation states carry out DDoS attacks, and each has its own motives.

Hacktivists

Hacktivists use DoS attacks to express criticism of whatever they oppose: governments and politicians, "big business" or current events. If they disagree with something, the website associated with it may be taken offline as a demonstration ("tango down").

Hacktivists tend to be less technically skilled than other attackers, so they often rely on ready-made tools to attack their targets. Anonymous is probably the best-known hacktivist group.

It was behind the cyberattacks against ISIS that began in February 2015, following the January 2015 terrorist attack on the Paris editorial office of the Charlie Hebdo magazine, and the attacks on the Brazilian government and World Cup sponsors in June 2014.

The most common attack method: DoS and DDoS.

Cybervandalism

Cybervandals are often called "script kiddies" because they rely on pre-built scripts and tools to harm other Internet users. They are often bored teenagers looking for a thrill or venting anger or frustration at an institution, such as a school, or at a person they feel has wronged them. Some simply want the attention and respect of their peers.

Besides ready-made tools and scripts, cybervandals also use DDoS-for-hire services (booters or stressers), which can be bought online for as little as $19.

Extortion

Extortion, where criminals demand payment to stop (or not launch) a damaging DDoS attack, is an increasingly common motive. Several well-known online software companies, including MeetUp, Bitly, Vimeo and Basecamp, have received DDoS ransom demands, and some were knocked offline after refusing to pay.

As with cybervandalism, these attacks are typically carried out with stressers and booters.

The most common attack method: DDoS.

Business competition

DDoS attacks are increasingly used as a weapon against competitors. Some are designed to keep a competitor offline during an important event (e.g. Cyber Monday), others to shut an online business down entirely, even for months.

In both cases the goal is to cause disruption that drives customers to the competitor, inflicting both financial and reputational losses. The cost of a DDoS attack to an organization can reach $40,000 per hour.

Business-motivated attacks are often well funded and carried out by professional "mercenaries" who perform reconnaissance first and then use their own tools and resources to conduct exceptionally aggressive and disruptive DDoS attacks.

The most common attack method: DDoS.

Cyber wars

State-sponsored DDoS attacks are used to silence domestic opposition and government critics, or to disrupt critical financial, health and infrastructure services in hostile countries.

Because states are behind them, these attacks are well-funded, well-organized campaigns run by skilled professionals.

The most common attack method: DDoS.

Personal competition

DoS attacks are also used to settle personal scores or to disrupt online competition between players. This is common in online multiplayer games, where players launch DDoS attacks against each other, or even against the game servers, to gain an advantage or avoid an imminent loss.

Attacks on individual players are often DoS attacks carried out with widely available malicious software. Attacks on game servers, by contrast, are more often DDoS attacks launched through stressers and booters.

The most common attack method: DoS and DDoS.

DDoS for hire: DDoSers, booters and stressers

DDoS-for-hire providers carry out DDoS attacks on behalf of others for a fee. Such services go by various names, including DDoSer, booter and stresser. Their wide availability means almost anyone can launch a large-scale attack.

One reason criminals pick such names is to pose as a legitimate business. Stresser services are usually advertised as load-testing services that check how well a server stands up under heavy traffic. In reality, providers rarely verify that the customer owns the server "being tested", which is the check that would make such a service legal.

Providers of booters and DDoSers, on the other hand, usually make no attempt to hide the illegal nature of their services.

Example: advertised booter prices and capabilities.

Stopping DDoS attacks: unassisted methods

DDoS attacks cannot be prevented outright: criminals will keep launching them, and some will reach their target regardless of the defenses in place. There are, however, several preventive measures you can take yourself:

  • Monitor traffic for anomalies, including unexplained spikes and visits from suspicious IP addresses or geolocations. These may be "dry runs" in which attackers test your defenses before a full-scale attack; spotting them gives you time to prepare for the coming storm;
  • Monitor social media (especially Twitter) and public paste sites (such as Pastebin.com) for threats, chatter and boasting that may signal an impending attack;
  • Consider commissioning external DDoS testing (a form of penetration testing) that simulates an attack against your infrastructure so you can prepare for real ones. Test against a range of attack vectors, not only the ones you already know;
  • Develop a response plan and appoint a rapid response team, a designated group whose job is to minimize the impact of an attack. The plan should cover procedures not only for IT staff but also for customer service and communications teams.
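The first measure, monitoring traffic for anomalies, can be made concrete. The following is an added example and not code from the original page: it parses web server access-log lines in the common "combined" format, compares each 10-second window against the median request rate, and for every spike reports how many distinct sources were involved and whether one address dominates (the single-source pattern of a DoS) or the load is spread thinly across many (the distributed pattern of a DDoS described earlier). The log lines are constructed inline for the example, as are the window size, the spike factor and the 50% dominance threshold.

```python
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Matches the Apache/nginx "combined" access-log layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return (ip, timestamp, path, status) for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"], int(m["status"])


def detect_floods(lines, window=10, factor=5.0, min_baseline=10):
    """Bucket requests into fixed windows, take the median window as the baseline, and report
    every window that exceeds factor * baseline together with its source distribution."""
    windows = defaultdict(Counter)          # window index -> requests per source IP
    t0 = None
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                        # skip unparseable lines rather than abort
        ip, ts, _, _ = parsed
        if t0 is None:
            t0 = ts
        windows[int((ts - t0).total_seconds() // window)][ip] += 1
    if not windows:
        return []
    counts = [sum(c.values()) for c in windows.values()]
    baseline = max(statistics.median(counts), min_baseline)   # floor keeps tiny sites from alerting on noise
    alerts = []
    for idx in sorted(windows):
        hits = windows[idx]
        total = sum(hits.values())
        if total <= factor * baseline:
            continue
        top_ip, top_hits = hits.most_common(1)[0]
        alerts.append({
            "window_start": t0 + timedelta(seconds=idx * window),
            "requests": total,
            "baseline": baseline,
            "distinct_ips": len(hits),
            "top_ip": top_ip,
            "top_share": top_hits / total,
            # One address carrying most of the spike points at a single-source DoS;
            # hundreds of addresses with one or two hits each is the botnet signature.
            "pattern": "single-source" if top_hits / total > 0.5 else "distributed",
        })
    return alerts


def build_sample_log():
    """Constructed sample: three minutes of quiet traffic (2 req/s from ten clients), a distributed
    HTTP flood at 120-139 s (50 req/s, every request from a different IP) and a single-source
    flood at 150-159 s (30 req/s from one host)."""
    base = datetime(2023, 10, 10, 13, 55, 40, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 {size} "-" "{ua}"'
    lines = []
    for t in range(180):
        ts = (base + timedelta(seconds=t)).strftime("%d/%b/%Y:%H:%M:%S %z")
        for path in ("/index.html", "/api/items"):
            lines.append(fmt.format(ip=f"192.0.2.{t % 10 + 1}", ts=ts, path=path, size=5120, ua="Mozilla/5.0"))
        if 120 <= t < 140:
            for j in range(50):
                k = (t - 120) * 50 + j
                lines.append(fmt.format(ip=f"100.64.{k // 256}.{k % 256}", ts=ts,
                                        path=f"/search?q={k}", size=64000, ua="python-requests/2.31"))
        if 150 <= t < 160:
            for j in range(30):
                lines.append(fmt.format(ip="203.0.113.77", ts=ts, path=f"/search?q=x{j}", size=64000, ua="curl/8.0"))
    return lines


if __name__ == "__main__":
    for a in detect_floods(build_sample_log()):
        print(f'{a["window_start"]:%H:%M:%S} {a["requests"]:>5} req (baseline {a["baseline"]:.0f}) '
              f'{a["distinct_ips"]:>4} IPs  top {a["top_ip"]} {a["top_share"]:.0%}  -> {a["pattern"]}')
```

Running it on the constructed sample flags three windows: the two botnet windows show roughly 500 distinct addresses with a top share under 1%, which no per-IP block can stop, while the last window shows one address responsible for over 90% of requests, which a simple rate limit handles. On a production log, feed it the file line by line and tune the window and factor to your traffic's natural variance.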

To protect yourself against modern DDoS attacks in earnest, use a DDoS mitigation solution. Such solutions can be deployed on premises, but are more often provided as a service by third-party vendors. See the next chapter for more on DDoS mitigation services.

DDoS mitigation: how does defense against attacks work?

The first step in selecting a DDoS mitigation solution is a risk assessment, which means answering these basic questions:

  • Which parts of the infrastructure need protection?
  • Where are the sensitive components and single points of failure?
  • What would it take to bring them down?
  • How and when would you learn that you are under attack? Would it be too late?
  • What would the tangible and intangible costs of a prolonged outage be?

With this information in hand, set priorities by weighing the DDoS mitigation options that fit your security budget.

Keep the cost of protecting an asset proportional to the loss its outage would cause.

If you run a commercial website or host online applications (e.g. SaaS, online banking, e-commerce), you will most likely need uninterrupted, always-on protection. Companies such as law firms, on the other hand, may care more about protecting their own infrastructure, including e-mail servers, FTP servers and back-office platforms, than the website itself, and may opt for an on-demand solution.

The next step is to choose the protection method. The most common and effective way to implement on-demand DDoS protection for core infrastructure services across an entire subnet is BGP (Border Gateway Protocol) routing: the protected prefix is announced through the mitigation provider, which then receives all traffic destined for it. BGP diversion is usually operated on demand, however, which means the protection has to be activated when an attack occurs.

If you need constant DDoS protection for a web application, DNS redirection is the practical option. A DNS change (typically a CNAME) sends all website traffic (HTTP/HTTPS) through the DDoS protection provider's network, which is usually integrated with a content delivery network (CDN). The advantage is that most CDNs scale dynamically, so they can absorb volumetric attacks while keeping latency low and accelerating content delivery. One caveat: the origin server's real IP address must stay unpublished and its firewall should accept web traffic only from the provider's address ranges, otherwise attackers can bypass the protection by sending traffic straight to the origin.

Mitigating the effects of network layer attacks

Fighting network layer attacks requires more capacity than your own network can provide.

Therefore, when an attack starts, the protected prefix is announced via BGP so that all inbound traffic is routed through a set of so-called scrubbing centers, each capable of processing hundreds of gigabits of traffic per second. High-capacity servers in the scrubbing center filter out malicious packets and forward the "clean" traffic to the origin server over a GRE tunnel.

This method protects against direct-to-IP attacks and is usually compatible with all kinds of communication infrastructure and protocols (e.g. UDP, SMTP, FTP, VoIP).

Example: protection against an NTP amplification attack of 180 Gbps and 50 million packets per second.

Mitigating the effects of application layer attacks

Mitigating application layer attacks relies on traffic profiling solutions that can scale on demand while distinguishing malicious bots from regular website visitors.

Best practice in traffic profiling combines signature-based and behavior-based heuristics with IP reputation assessment and progressively escalating security challenges (e.g. JavaScript and cookie challenges).

Example: mitigating an eight-day HTTP flood of 690 million requests from 180,000 botnet IP addresses.

Together these elements filter out malicious bot traffic and protect the application layer without affecting genuine visitors.
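As an added illustration of the traffic profiling just described (example code written for this page, not Imperva's implementation), the following combines the heuristics named above with gradually escalating challenges: an IP reputation list, a User-Agent signature check, a per-address request-rate window, and HMAC-signed clearance cookies that a client must present once it has passed a cookie or JavaScript challenge. A client that merely honours Set-Cookie clears the first tier; one that has to execute script clears the second; an address that keeps hammering regardless is blocked. The thresholds, the signature regex, the secret key and the response shape are assumptions for the example.

```python
import hashlib
import hmac
import re
import time
from collections import defaultdict, deque

# Assumed values for the example; a real deployment rotates the secret and tunes the limits.
SECRET = b"example-clearance-secret"
CLEARANCE_TTL = 300          # seconds a clearance cookie stays valid
# Signature heuristic: HTTP libraries and CLI tools that real visitors almost never present.
TOOL_UA = re.compile(r"python-requests|curl/|wget/|go-http-client|^$", re.I)


def make_clearance(ip, ua, now):
    """Issue a clearance token bound to the client address and User-Agent."""
    exp = int(now) + CLEARANCE_TTL
    mac = hmac.new(SECRET, f"{ip}|{ua}|{exp}".encode(), hashlib.sha256).hexdigest()[:32]
    return f"{exp}.{mac}"


def verify_clearance(token, ip, ua, now):
    """True if the token was issued by us for this ip/UA pair and has not expired."""
    if not token or "." not in token:
        return False
    exp_s, mac = token.split(".", 1)
    if not exp_s.isdigit() or int(exp_s) <= now:
        return False
    expected = hmac.new(SECRET, f"{ip}|{ua}|{exp_s}".encode(), hashlib.sha256).hexdigest()[:32]
    return hmac.compare_digest(mac, expected)


class TrafficProfiler:
    """Rate, signature and reputation heuristics with gradually escalating challenges."""

    def __init__(self, rate_limit=20, window=10.0, bad_reputation=()):
        self.rate_limit = rate_limit
        self.window = window
        self.bad_reputation = set(bad_reputation)
        self.history = defaultdict(deque)       # ip -> timestamps of recent requests

    def _rate(self, ip, now):
        """Record this request and return how many the address made in the sliding window."""
        q = self.history[ip]
        q.append(now)
        while q and q[0] <= now - self.window:
            q.popleft()
        return len(q)

    def decide(self, req, now):
        """Return one of: allow, challenge-cookie, challenge-js, block."""
        ip, ua = req["ip"], req.get("ua", "")
        rate = self._rate(ip, now)
        if ip in self.bad_reputation or rate > 10 * self.rate_limit:
            return "block"                      # reputation hit, or hammering far past any challenge
        if verify_clearance(req.get("cookie"), ip, ua, now):
            return "allow"                      # already cleared; still subject to the block cap above
        if TOOL_UA.search(ua) or rate > 3 * self.rate_limit:
            return "challenge-js"               # needs a script-capable client to set the cookie
        if rate > self.rate_limit:
            return "challenge-cookie"           # any client that honours Set-Cookie gets through
        return "allow"


def challenge_response(action, ip, ua, now):
    """Build the HTTP response for a decision (constructed shape, not a real framework's)."""
    token = make_clearance(ip, ua, now)
    if action == "challenge-cookie":
        return {"status": 503, "Set-Cookie": f"clearance={token}; Path=/; HttpOnly", "Retry-After": "1"}
    if action == "challenge-js":
        body = f'<script>document.cookie="clearance={token}; path=/"; location.reload();</script>'
        return {"status": 503, "body": body}
    return {"status": 403 if action == "block" else 200}


if __name__ == "__main__":
    profiler = TrafficProfiler(bad_reputation={"198.51.100.9"})
    t = time.time()
    browser = {"ip": "192.0.2.2", "ua": "Mozilla/5.0"}
    for i in range(25):
        action = profiler.decide(browser, t + i * 0.05)
        if action != "allow":
            print(f"request {i + 1}: {action} -> {challenge_response(action, browser['ip'], browser['ua'], t)}")
    print("known-bad IP:", profiler.decide({"ip": "198.51.100.9", "ua": "Mozilla/5.0"}, t))
    print("scripted client:", profiler.decide({"ip": "192.0.2.3", "ua": "python-requests/2.31"}, t))
```

Binding the token to the address and User-Agent means a botnet cannot solve one challenge and share the cookie across its members, and the expiry bounds how long a harvested token stays useful. The signature list is deliberately a heuristic: it sends suspicious clients to a challenge rather than blocking them, since legitimate monitoring tools and API consumers do use such User-Agents.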

Imperva: protection against DDoS attacks

Imperva offers a DDoS protection solution that quickly mitigates large-scale attacks without affecting legitimate users. Imperva protects websites and web applications, networks and subnets, Domain Name Servers (DNS) and individual IP addresses.

The Imperva solution detects and mitigates all types of DDoS attack, including TCP SYN+ACK, TCP fragment, UDP, Slowloris, spoofing, ICMP, IGMP, HTTP flood, brute force, connection flood, DNS flood, NXDOMAIN, ping of death, Smurf, and reflected ICMP and UDP attacks.

Advantages of the Imperva solution:

  • Anycast and unicast support, enabling automatic detection of and response to attacks,
  • an SLA guarantee that attacks are blocked within three seconds or less, preventing downtime and shortening recovery,
  • a high-throughput network capable of analyzing over 65 billion packets per second,
  • dashboards that show the current status, identify DDoS attacks and allow their parameters to be analyzed.

Find out how we can secure your data and Internet applications.