DDoS stands for Distributed Denial of Service. It is a type of cyber-attack in which multiple compromised systems are used to target a single system (a network, server or application), denying the service that the targeted system provides to its legitimate users.
In 2014, the DDoS attack celebrated its 40th birthday. What began as the adventure of a teenaged “computer geek” has since grown in both quantity and sophistication.
We all remember that the hacktivist group Anonymous recently launched volumetric DDoS attacks on banks across the world, which shut down the official websites of a number of international banks. Hackers worldwide were invited by this Anonymous-affiliated group (Ghost Squad Hackers Group and Anonymous Intelligence Group) through its Facebook account to join the massive DDoS attack it launched against the global banking sector (https://www.facebook.com/events/964150270338381/).
The following is a summary of Kaspersky's DDoS Intelligence Report for Q2 2016:
Resources in 70 countries were targeted by DDoS attacks in Q2 2016.
4% of targeted resources were located in China.
China, South Korea and the US remained leaders in terms of the number of DDoS attacks and number of targets.
The longest DDoS attack in Q2 2016 lasted for 291 hours (or 12.1 days) – significantly longer than the previous quarter’s maximum (8.2 days).
SYN DDoS, TCP DDoS and HTTP DDoS remain the most common DDoS attack scenarios. The proportion of attacks using the SYN DDoS method increased 1.4 times compared to the previous quarter.
In Q2 2016, 70.2% of all detected attacks were launched from Linux botnets, which is almost double the figure for the first quarter.
DDoS Attacks Targeting Networks
DDoS attacks targeting networks attempt to consume network bandwidth by using a large volume of illegitimate traffic to saturate the company’s Internet pipe. These attacks, called network floods, are simple yet effective. Examples of these attacks are UDP floods, ICMP floods, IGMP floods and amplification attacks.
DDoS Attacks Targeting Servers
Attacks that target servers attempt to exhaust a server’s processing capacity and memory, resulting in a denial of service condition. The attacker exploits an existing vulnerability on the target server or a weakness in a communication protocol to keep the server so busy handling illegitimate requests that it no longer has the resources to handle legitimate ones. “Server” most commonly refers to a website or Web application server, but these DDoS attacks can also target firewalls and intrusion prevention systems.
These attacks exploit design weaknesses in the TCP/IP protocol suite. Most of them abuse the six TCP control bits (or flags)—SYN, ACK, RST, PSH, FIN and URG—to disrupt the normal mechanics of TCP traffic. TCP relies on a three-way handshake (SYN, SYN-ACK, ACK): the client's SYN creates a half-open connection on the server, the server answers with a SYN-ACK asking for acknowledgment, and the client's ACK completes the connection.
DDoS attacks exploiting TCP/IP send TCP packets in the wrong order, or with flag combinations the handshake never produces, causing the target server to run out of computing resources as it attempts to make sense of the abnormal traffic.
SSL-based DDoS attacks take many forms: targeting the SSL handshake mechanism, sending garbage data to the SSL server or abusing certain functions related to the SSL encryption key negotiation process. SSL-based attacks could also simply mean that the DDoS attack is launched over SSL-encrypted traffic, which makes it extremely difficult to identify.
DDoS Attacks Targeting Applications
Much like attacks targeting networks, DDoS attacks targeting applications come in a variety of flavors, including floods and “low and slow” attacks. Low and slow approaches are particularly prominent: they exploit weaknesses in the HTTP protocol which, as the most widely used application protocol on the Internet, is an attractive target for attackers. HTTP floods and DNS floods are the typical application-oriented DDoS attacks.
The following controls should be considered; they help prevent DDoS attacks from succeeding:
Delay or reject suspected packets
Don’t let packets from dark (unallocated) address space past the perimeter
Block unused protocols and ports
Limit the number of accesses per second per source IP
Limit numbers of concurrent connections per source IP
Filter foreign TCP packets
Do not forward packets with header anomalies
Keep unwanted guests away
Use specialized DDoS mitigation equipment
Apply software updates and patches in a timely manner to prevent buffer overflows and exploits of software vulnerabilities
Deploy IDS/IPS that can detect and block DDoS attacks based on signatures
Deploy stateful inspection firewalls
Deploy stateful SYN proxy mechanisms
Use layered filtering firewalls
Limit the number of SYNs per second per IP
Limit the number of SYNs per second per destination IP
Set ICMP flood SCREEN settings (thresholds) in the firewall
Set UDP flood SCREEN settings (thresholds) in the firewall
Apply rate limit with routers adjacent to the firewall and network perimeter
Remove large files hosted on the website, since they make it more vulnerable to DDoS attacks
Review and ensure that the Web server isn’t configured for a large number of open connections
Protect Domain Name System (DNS) - This is crucial and yet probably the most overlooked of all of the above recommendations. DNS is an extremely common target for DDoS attacks due to how critical the service is for Web availability. If a customer can’t resolve the IP address of our website (which is the job of DNS), that customer is not getting to our site no matter how much we have spent on our hosting. So protecting our DNS is a good DDoS mitigation strategy.
Set Optimal DNS TTLs - Time to live (TTL) is the value determining how long a piece of data is valid. In the DNS world, TTL limits how long our current DNS settings are cached by ISPs. This means that if our website’s TTL is set at three hours, other DNS servers won’t bother checking for a DNS update for our domain over that duration. Shorter TTLs cause heavier loads on name servers because the DNS records must be refreshed more frequently; however, they allow DNS changes to propagate more rapidly. A low TTL equates to a faster reaction, since this is the time it takes to get traffic re-routed through our mitigation solution. For example, if our TTL is set at three hours, then time-to-mitigation is the time it takes us to notice the attack plus three hours for the TTL.
Black hole routing - Black hole routing an IP address or a range of IP addresses (i.e., intentionally causing packets coming from a specific IP address to be discarded rather than forwarded) can protect our resources from the ill effects of DDoS attacks.
Run the Least Amount of Services. Running the least amount of services on a machine helps minimize the chance of a successful DDoS attack.
Volumetric DDoS attacks can be detected by placing an on-premises DDoS protection device at the perimeter
Attacks based on true IPs masked by a CDN can be resolved by an enterprise web application firewall (WAF)
Load test your website periodically
Agree with the ISP on blocking the suspected IPs launching DDoS Attacks
Agree with the ISP on over-provisioning of bandwidth required for mitigating DDoS attacks
If possible, have an alternate ISP in place to provide support during an attack
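The handshake behaviour described under "DDoS Attacks Targeting Servers" and the two controls "limit the number of SYNs per second per IP / per destination IP" can be checked against a packet log. The following Python is an added example, not code from the article or any vendor: it parses a constructed log in a hypothetical "<epoch second> <src> <dst> <flags>" format, flags sources and destinations whose per-second SYN count exceeds the configured limits, and counts half-open connections (SYNs the client never completed with an ACK) per source; the thresholds and addresses are assumptions.

```python
from collections import Counter, defaultdict
# Constructed sample packet log (not from the article): "<epoch second> <src> <dst> <flags>",
# flags in tcpdump style (S = SYN, A = ACK). 198.51.100.9 is the constructed flooding source.
SAMPLE_LOG = """
1700000000 198.51.100.7 203.0.113.10 S
1700000000 198.51.100.7 203.0.113.10 A
1700000001 198.51.100.8 203.0.113.10 S
1700000001 198.51.100.9 203.0.113.10 S
1700000001 198.51.100.9 203.0.113.10 S
1700000001 198.51.100.9 203.0.113.10 S
1700000001 198.51.100.9 203.0.113.10 S
1700000001 198.51.100.9 203.0.113.10 S
1700000002 198.51.100.9 203.0.113.10 S
"""
SYN_PER_SEC_PER_SRC = 3  # assumed limit: "limit the number of SYNs per second per IP"
SYN_PER_SEC_PER_DST = 5  # assumed limit: "limit the number of SYNs per second per destination IP"

def parse_log(text):
    """Return (second, src, dst, flags) tuples in capture order; malformed lines are skipped."""
    out = []
    for line in text.strip().splitlines():
        p = line.split()
        if len(p) == 4 and p[0].isdigit():
            out.append((int(p[0]), p[1], p[2], p[3]))
    return out

def syn_rate_violations(records, per_src=SYN_PER_SEC_PER_SRC, per_dst=SYN_PER_SEC_PER_DST):
    """Sources and destinations whose SYN count in any single second exceeds the limits."""
    by_src = Counter((sec, src) for sec, src, _, fl in records if fl == "S")
    by_dst = Counter((sec, dst) for sec, _, dst, fl in records if fl == "S")
    return {"src": sorted({s for (_, s), n in by_src.items() if n > per_src}),
            "dst": sorted({d for (_, d), n in by_dst.items() if n > per_dst})}

def half_open_by_source(records):
    """Per source, SYNs whose handshake the client never completed with an ACK (half-open)."""
    pending = defaultdict(int)  # (src, dst) -> half-open connections still waiting for the ACK
    for _, src, dst, fl in records:
        if fl == "S":
            pending[(src, dst)] += 1
        elif fl == "A" and pending[(src, dst)] > 0:
            pending[(src, dst)] -= 1
    per_src = Counter()
    for (src, _), n in pending.items():
        per_src[src] += n
    return dict(+per_src)  # unary plus drops sources whose count fell back to zero

def suspected_sources(records, half_open_limit=3):
    # Sources tripping either the per-source SYN rate limit or the (assumed) half-open limit.
    rate = set(syn_rate_violations(records)["src"])
    half = {s for s, n in half_open_by_source(records).items() if n > half_open_limit}
    return sorted(rate | half)  # -> ['198.51.100.9'] on SAMPLE_LOG
```

A source such as 198.51.100.8, which leaves a single SYN unanswered, stays below the half-open limit and is not reported, which is the tolerance a real threshold needs so that lossy but legitimate clients are not blocked.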
About the Author:
Vimal has 20 years of progressive experience in the Banking & Financial Services, ICT, Oil & Gas, Aviation, Retail and Healthcare sectors. He has worked with clients in India, the USA, the UK, the Far East and the Middle East, and has served four well-known companies - Deloitte, Microsoft, Philips, Accenture and Standard Chartered Bank.
As a subject matter expert in cyber security, Vimal has handled the development, implementation and improvement of cyber security Architecture/Strategy/Plans, Cyber Security Governance, Cyber Risk Management, and various Cyber Security Practices such as Data & Information Governance, Data Privacy, Information Security, Information Risk Management, Information Assurance, ICT Security Programs, Industrial IT Security (such as SCADA Security), IoT Security, Healthcare Security Programs, Setting up & Managing Global SOC Operations, Managed Security Operations, Critical Infrastructure Protection, Incident Response, Penetration Testing, Red Teaming, Vulnerability & Threat Analysis, Malware Research, Digital Forensics, Cyber Crime & Digital Fraud Investigations, Vulnerability Management, Business Continuity & Disaster Recovery, Cyber Security Assurance, Cyber Security Solution Evaluations, Cyber Security Analytics, Management of ATMs, CCTVs and other Security Devices, Cyber Security Training and Security Transformation Projects focused on addressing a variety of Cyber Security Risks.