We’ve all heard about DDoS Attacks in the news, from the infamous 2016 Mirai botnet attack that took out much of the Eastern United States, to the recent record breaking attack against GitHub. But what is a DDoS attack? In this blog post, I’ll explain Distributed Denial of Service (DDoS) attacks and some of the ways you can protect against and mitigate those attacks.
A DDoS or Distributed Denial-of-Service attack is an attempt to make an online service, network, or application unavailable by overwhelming it with traffic from multiple compromised sources, blocking legitimate traffic from getting through. This affects not only the targeted service, but also legitimate users of that service and all of the systems affected with malware used to participate in the attack.
Imagine a busy night club. Someone pulls the fire alarm and runs around yelling FIRE! Immediately, hundreds of people all call 911 all at once. The phone lines are flooded and dispatchers race to answer each call. Simultaneously, there is a legitimate emergency across town, but citizens reporting that emergency are unable to reach 911 operators because they are scrambling to handle the onslaught of fraudulent calls from the night club.
This is similar to a DDoS attack, where legitimate resource requests are blocked while systems try to handle large amounts of legitimate-looking, phony traffic.
What types of services are affected and why?
Any online service can be affected, but financial, gaming, and news sites are frequent targets. Typically, the perpetrator is attempting to send a message, political or otherwise, by blocking access to information. Attackers range from individuals, DDoS-for-hire services, and cyber-vandals to organized crime rings and government agencies. Sometimes what looks like an attack is completely accidental, caused by poor code, outdated systems, or the timing of events. Motivations vary and include boredom, extortion, rivalry, business competition, political and social protest, and retaliation. In the case of the 2016 Mirai botnet attack, the original motivation was actually online gaming and financial gain, although the Mirai bot code was likely used for other reasons which may never be known.
It’s worth noting that, unless you have a host acting as part of the botnet, your data and information are typically not at risk during an attack – only your access to them. However, an attack may overwhelm or distract network and security teams, opening a window of opportunity for a criminal to compromise systems in other ways and steal information. This is a danger because a more specific, targeted attack intended to access systems and extract data may be hiding behind the DDoS attack currently being mitigated.
Who are the players in an attack?
Attackers or Malicious Actors: Obviously, there is the person or people perpetrating the attack, and they are using a device to do the orchestration. This can be the attacker’s cell phone, laptop, desktop, or any other connected device. He or she may write the code used to infect the bots themselves, or use someone else’s code.
Command-and-control server: The attacker must first find a master system to use as the ‘command and control server’. This system is usually vulnerable due to missing patches or weak security. The attacker can infect this master with malware or use other means to hack into the system. Once they have control of the system, the attacker can then set up a botnet – a network of other vulnerable systems that the perpetrator can control from the command-and-control server.
Botnet and bots: A botnet is a network of online hosts (often called bots or zombies) that have been infected by malware allowing the attacker, via the command-and-control server, to instruct these hosts to send high volumes of traffic to the targeted service. The botnet acts as an army commanded by the command-and-control server and attacker. These bots can be anything from cell phones, laptops, routers, and servers, to IoT (“Internet of Things”) devices like security cameras and home automation devices. Typically, the bots are distributed around the globe using different service providers. By distributing the source of the traffic and using real host machines, the traffic generated looks legitimate, making it very hard to identify and filter malicious traffic from legitimate traffic. Furthermore, the attacker isn’t actually breaching any security protocols of the targeted service, since all the traffic is coming in via legitimate methods.
As a side-note, once a botnet has been created, it can be used for other purposes like click-bot schemes. Existing botnets can be rented as well, reducing the time it takes for a perpetrator to stage his or her attack. By utilizing a botnet, the actual attacker is very difficult to identify and track down due to the volume of systems participating.
Target: These are the services, applications, or networks that are being targeted by the attack. The attack can cause outages or slow response times, leading to angry customers, stressed employees, brand damage, and large revenue losses along with other problems. Emergency and communication services, the relaying of news, monetary transactions, and other services are often affected.
The good guys: So, who are the good guys? Are there any? Well, yes.
There are government agencies, services, and public and private companies who study attacks and develop protection and mitigation techniques. There are various ways this is done: forensic computer science, honeypots (systems designed to appear vulnerable to attackers for reconnaissance), and normal and abnormal internet traffic monitoring and intelligence.
What kind of attacks are there and how do they work?
Different attack techniques exhaust or saturate the targeted system in different ways. There are three common types of attacks: Volumetric Attacks, Protocol Attacks, and Application Attacks. Each of these can last anywhere from minutes to months and can range from an unnoticeable amount of traffic up to the highest throughput on record, reported at 1.35 terabits per second.
Volumetric Attacks saturate the bandwidth used by the targeted systems. This technique is the most common and the simplest for attackers to perform. Often, attackers use amplification techniques to generate this traffic to avoid needing an extremely large number of resources.
Amplification Attacks utilize large responses to small requests, amplifying the traffic to flood the target. This is often done by spoofing the source of the packets, known as reflection, or a Reflection Attack. For instance, by spoofing the source IP of a DNS request, an attacker can trick DNS Servers into sending responses to the target instead of the originator. Since the request sent to the DNS server is small, but the response sent to the victim is large, the attacker is using reflection to amplify the volume of traffic sent to the target.
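As an added defender-side illustration (not code from the original post), the following Python example shows how reflection shows up in flow data: the victim receives large DNS responses from many resolvers without ever having sent matching queries. The flow-record format, the `10.0.0.` internal range, and the sample records are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    # Hypothetical NetFlow-style summary record, constructed for this example.
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    nbytes: int

INTERNAL_PREFIX = "10.0.0."  # assumption: the address range of the hosts we defend

def dns_reflection_alerts(flows, ratio_threshold=10.0, min_response_bytes=100_000, min_resolvers=3):
    """Return {victim_ip: (response_bytes, query_bytes, resolver_count)} for internal hosts that
    receive far more DNS response bytes than they sent in queries. A reflection victim never sent
    the queries, so its ratio is huge and the responses arrive from many distinct resolvers."""
    resp_bytes = defaultdict(int)
    query_bytes = defaultdict(int)
    resolvers = defaultdict(set)
    for f in flows:
        if f.proto != "UDP":
            continue
        if f.src_port == 53 and f.dst_ip.startswith(INTERNAL_PREFIX):
            # Inbound DNS response to one of our hosts.
            resp_bytes[f.dst_ip] += f.nbytes
            resolvers[f.dst_ip].add(f.src_ip)
        elif f.dst_port == 53 and f.src_ip.startswith(INTERNAL_PREFIX):
            # Outbound DNS query that our host actually sent.
            query_bytes[f.src_ip] += f.nbytes
    alerts = {}
    for host, rb in resp_bytes.items():
        qb = query_bytes.get(host, 0)
        ratio = rb / max(qb, 1)
        if rb >= min_response_bytes and ratio >= ratio_threshold and len(resolvers[host]) >= min_resolvers:
            alerts[host] = (rb, qb, len(resolvers[host]))
    return alerts

# Constructed sample: 10.0.0.5 is an ordinary client whose queries roughly match its responses;
# 10.0.0.9 receives large responses from 80 resolvers without having sent a single query.
SAMPLE_FLOWS = [
    Flow("UDP", "10.0.0.5", 51000, "192.0.2.53", 53, 70),
    Flow("UDP", "192.0.2.53", 53, "10.0.0.5", 51000, 180),
    Flow("UDP", "10.0.0.5", 51001, "192.0.2.53", 53, 70),
    Flow("UDP", "192.0.2.53", 53, "10.0.0.5", 51001, 210),
] + [Flow("UDP", f"198.51.100.{i}", 53, "10.0.0.9", 33000 + i, 3200) for i in range(1, 81)]
```

The same query-versus-response asymmetry applies to other reflected protocols; only the port and the size thresholds change.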
Using the metaphor above, if there were enough people in the night club to saturate the phone system with their calls, causing legitimate callers to experience lower quality calls or the inability to place a call at all, it would be like a volumetric attack.
Protocol Attacks exploit weaknesses in Layer 3 or Layer 4 of the OSI model. Rather than filling the pipe, they exhaust the memory, processor cores, and connection-state tables of the equipment and networks between the targeted system and the end user.
In our 911 example above, this would be analogous to the operators answering each call and putting them on hold as they answer more calls. Eventually, all of the lines are filled with on-hold callers and calls end up being dropped.
Application Layer Attacks are the most effective and can be very difficult to detect and mitigate. These attacks do not necessarily use a large amount of traffic, as compared to the other types of attacks. The target of the attack is an aspect of the server or application. All of the traffic appears to be normal so the application tries to respond to each one and gets overwhelmed.
If the operators in the 911 metaphor above responded the same way to each call, treating the non-emergency and non-legitimate calls the same as emergency calls (i.e. not re-routing them to a non-emergency number), they would be overloaded and legitimate emergency calls would go unanswered.
Other Types of Attacks
More recently, attackers have been employing multiple attack vectors at the same time, making attacks more difficult to defend against. These are called “APDoS” or Advanced Persistent Denial of Service attacks. Furthermore, DDoS attacks evolve as technology evolves, making it hard for defenders to keep up. For example, the adoption of IoT (“Internet of Things”) devices has provided attackers with an increasing number and variety of internet-connected devices to exploit, meaning that even your smart light-bulb or “smart” toothbrush could become part of a botnet.
Additionally, a target’s service provider may be attacked instead of the target itself, making it harder to pinpoint the cause and even the intended target. This affects a much larger audience, since many unintended systems and services served by that provider are hit as well.
In the future, malware code developers will likely use artificial intelligence and machine learning to enable them to dynamically change their attack as it progresses to sidestep mitigation techniques.
Is anyone trying to stop future attacks?
So, you’ve read this far and realized that DDoS attacks cannot be prevented and attacks are continuing to get worse. Is there any hope? Well, yes. There are various internet intelligence companies who collect and share data about DDoS attacks. This data can be used to track down the perpetrators, identify affected hosts and botnets, and understand the evolution of DDoS attacks. In fact, many peers and competitors in the industry have joined forces to understand and combat attacks. For example, last summer’s WireX Botnet was disrupted by the collaboration of researchers from multiple companies (Akamai, Cloudflare, Flashpoint, Google, Oracle Dyn, RiskIQ, Team Cymru, and more). This cooperation is a great example of how these companies and others are working towards improving the quality of the internet for everyone.
How can I protect my service from a DDoS attack?
There are a number of ways you can protect your service and prepare for DDoS attacks.
- Review your application architecture, analyze stress points, user capabilities, and failover options.
- Consider using third-party testing tools or services to simulate attacks and gain insight into weak points.
- Monitor relevant normal traffic so you can see when abnormalities occur.
- Observe social media and the news for hints on upcoming attacks or threats, especially if your services relate to controversial topics.
- Prepare a response plan with clear procedures, communication, and customer support plans, and ensure the team is trained to minimize the impact.
- Take advantage of alerting tools to notify the team when there are unexpected traffic patterns, connectivity issues, or application events. Incorporate these into your response plan.
- Evaluate and consider using services offered by your providers or other industry experts to protect against and minimize the impact of DDoS attacks. There are a number of companies skilled in DDoS defense and mitigation including, but not limited to, Oracle Dyn, Akamai, Cloudflare, Arbor Networks, Imperva, and F5. These companies provide research and services to protect against and mitigate attacks. By utilizing a variety of solutions, such as DDoS detection, emergency mitigation, vulnerability detection, network penetration and load testing, real-time traffic analysis, volume absorption, web application firewalls, distributed content delivery networks, malicious bot detection, and artificial intelligence based machine learning algorithms, you can significantly reduce the impact a DDoS attack may have on your service.
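The “monitor normal traffic” and “alert on unexpected traffic patterns” steps above can be started with nothing more than your own request logs. The Python below is an added example, not code from the original post or from any of the vendors named: it builds a per-minute baseline from a quiet window, flags minutes that exceed mean plus k standard deviations, and reports how concentrated the flagged traffic is, which helps distinguish a few abusive clients (typical of application-layer floods) from a widely distributed botnet. The log line format and sample data are constructed.

```python
import statistics
from collections import Counter, defaultdict

def bucket_requests(log_lines):
    """Count requests per minute and per (minute, client) from lines of the constructed form
    '<ISO timestamp> <client_ip> <method> <path> <status>'."""
    per_minute = Counter()
    per_client = defaultdict(Counter)
    for line in log_lines:
        ts, client, _method, _path, _status = line.split()
        minute = ts[:16]  # 'YYYY-MM-DDTHH:MM'
        per_minute[minute] += 1
        per_client[minute][client] += 1
    return per_minute, per_client

def traffic_alerts(per_minute, per_client, baseline_minutes, k=3.0):
    """Flag minutes whose request count exceeds mean + k*stdev of the baseline window, and
    report the share of that minute's traffic that came from its single busiest client
    (a high share points at a few abusive clients; a low share at a distributed flood)."""
    base = [per_minute[m] for m in baseline_minutes]
    threshold = statistics.mean(base) + k * max(statistics.pstdev(base), 1.0)  # floor for flat baselines
    alerts = []
    for minute in sorted(per_minute):
        if minute in baseline_minutes:
            continue
        n = per_minute[minute]
        if n > threshold:
            top_ip, top_n = per_client[minute].most_common(1)[0]
            alerts.append((minute, n, top_ip, round(top_n / n, 2)))
    return alerts

# Constructed sample log: five quiet minutes of normal traffic, then one minute in which a
# single client sends 180 of 200 requests.
def _lines(minute, clients):
    return [f"2024-05-01T{minute}:{i % 60:02d} {ip} GET /search 200" for i, ip in enumerate(clients)]

BASELINE = [f"2024-05-01T10:0{i}" for i in range(5)]
SAMPLE_LOG = []
for m, count in zip(["10:00", "10:01", "10:02", "10:03", "10:04"], [20, 22, 19, 21, 18]):
    SAMPLE_LOG += _lines(m, [f"203.0.113.{i}" for i in range(count)])
SAMPLE_LOG += _lines("10:05", [f"203.0.113.{i}" for i in range(20)] + ["198.51.100.8"] * 180)
```

In practice the baseline should be taken from the same hour on comparable days, so that normal daily peaks are not flagged as attacks.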
While it’s impossible to completely prevent Distributed Denial of Service attacks, there are multiple ways to protect services and to mitigate any attacks that do happen. Learn as much as you can about the area, prepare a clear plan, and utilize protection services to give your services a leg up. While diligence is necessary, also be secure in knowing that many players in the industry are doing everything they can to keep the internet running smoothly.