DDoS is short for distributed denial of service, which can also be translated as distributed denial of access. It is one of the many methods used to block access to websites or Internet links.
What are the types of DDoS attacks?
There are two basic types of DDoS attacks, plus a variant of the second:
- Volumetric attack – an attack consisting of the mass sending of unwanted data to a designated IP address. The quantity of incoming data is so large that the link (or links) cannot accept it all.
- Application attack – an attack consisting of exhausting the IT resources of a web application, such as computing power or memory; attacks of this type are sometimes called slow attacks.
- Application attack in an SSL tunnel – a variant of the application attack. In an SSL tunnel the data is encrypted before it is sent and decrypted only when it reaches its destination, so it stays encrypted throughout the transmission and intercepting it does not reveal what kind of information the packets carry. In web browsers such encrypted sessions can be recognised by their address starting with https:// instead of http://. This secure transmission also has a downside: it can be used to carry an attack on the application. Full confidentiality of the transmitted data requires that it be decrypted only in the application, so firewall systems have no technical ability to inspect what is being sent or to verify that an encrypted web session is not an attack. At present, the number of DDoS attacks is growing rapidly every year.
Other types of attacks include:
- TCP State-Exhaustion attacks
- Application Layer attacks
- ICMP Flood
- IP/ICMP Fragmentation
- BGP hijacking
- IPSec Flood (IKE/ISAKMP association attempts)
- UDP Flood
- SYN Flood
- Other TCP Floods (varying state flags)
- SSL Exhaustion
- Long Lived TCP sessions (slow transfer rate)
- DNS query/NXDOMAIN floods
- Slow Post
- Slow Read
- HTTP/S Flood
- CVE Attack Vectors
- Large Payload POST requests
- Mimicked user browsing
As in the previous quarter, the number of SYN DDoS attacks continued to grow, rising from 53.26% to 60.43% in Q3 2017. At the same time, the percentage of TCP DDoS attacks plummeted from 18.18% to 11.19%, which did not cost this type of attack its second position in the rating. Both UDP and ICMP attacks became quite rare: their shares dropped from 11.91% to 10.15% and from 9.38% to 7.08% respectively. Meanwhile, the popularity of HTTP attacks increased from 7.27% to 11.6%, which placed them third.
The number of long-term attacks remained almost unchanged from the previous quarter: 0.02% of attacks lasted more than 150 hours (vs 0.01%). The longest attack lasted 215 hours, 62 hours shorter than the record in Q2. At the same time, the share of attacks that lasted 4 hours or less dropped from 85.93% in Q2 to 76.09% in Q3. Accordingly, the percentages of attacks lasting from 5 to 49 hours and from 50 to 99 hours increased, accounting for 23.55% and 0.3% of all attacks respectively.
What could be the target of a DDoS attack?
DDoS attacks can target several points in a computer network. Below is a diagram showing the most commonly attacked systems; each is discussed in turn.
Attacks on the Internet link itself are volumetric DDoS attacks (of which there are many types). The principle of an effective volumetric attack is to send more data than the attacked Internet connection is able to receive. The average Internet connection in Europe, for example, is 50-100 Mb/s. Volumetric DDoS attacks start at 6-10 Mb/s (the smallest) and commonly reach 200-500 Mb/s. The largest attack detected and repelled in the world so far was over 400 Gb/s.
The number of DDoS attacks targeting network security appliances, commonly called firewalls, is increasing as well.
Firewall systems are responsible for inspecting each web session established between the protected network and the Internet. The main purpose of a firewall is to block attack attempts and other behaviour that may be an attempt to break into protected resources.
In practice only the most expensive firewall solutions are prepared to mitigate DDoS attacks (including application attacks); other systems cannot handle them. Why? Most DDoS attacks are directed at port 80, the port used to browse web pages. From the firewall's standpoint this is an open port used for communication with the Internet, so every web session established on this port is recorded in a special registry (the session table). The problem is that each firewall can monitor only a limited number of sessions (e.g. 100,000). A DDoS attack opens a million or more sessions, which overflows the registry and disrupts the normal operation of the firewall. As a consequence, the firewall refuses to open any further web session that it is unable to monitor, and so the real users of the protected site (e.g. an online store or portal) cannot connect to it. Some firewalls have a special function labelled, for example, "anti-DDoS". Most often this feature has nothing to do with protecting the site against DDoS attacks; it only protects the firewall itself from overflowing its registry and suspending the protection system.
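The session-registry overflow described above, as an added simulation (example code written for this page, not code from the page or from any firewall vendor): the table holds a fixed number of entries, every bogus SYN from a spoofed source takes one, and only timeouts free a slot. The capacity of 10,000 is scaled down from the page's 100,000 and the flood rate is constructed; the second run goes beyond the page by showing that aging out never-completed (half-open) entries quickly keeps the table usable for real users.

```python
from dataclasses import dataclass, field

@dataclass
class SessionTable:
    """Model of the firewall session 'registry': a fixed number of tracked flows."""
    capacity: int
    half_open_timeout: float     # seconds a SYN-only (never completed) session is kept
    established_timeout: float   # seconds a completed session is kept
    entries: dict = field(default_factory=dict)   # flow key -> expiry time

    def expire(self, now):
        # Timeouts are the only thing that frees a slot in the table
        for flow in [f for f, exp in self.entries.items() if exp <= now]:
            del self.entries[flow]

    def admit(self, flow, state, now):
        """Track a new session; False means the firewall refused it (table full)."""
        if len(self.entries) >= self.capacity:
            return False
        timeout = self.half_open_timeout if state == "half_open" else self.established_timeout
        self.entries[flow] = now + timeout
        return True

def flood_then_legit(capacity, half_open_timeout, syn_per_second, seconds):
    """Run a flood of half-open sessions for `seconds`, then check whether one
    legitimate client still gets a slot. Returns (admitted, table occupancy)."""
    table = SessionTable(capacity, half_open_timeout, established_timeout=300.0)
    for t in range(seconds):
        table.expire(float(t))
        for i in range(syn_per_second):
            # every flood SYN comes from a different spoofed source: a new flow each time
            table.admit(("spoofed", t, i), "half_open", float(t))
    now = float(seconds)
    table.expire(now)
    admitted = table.admit(("legit-user", "web"), "established", now)
    return admitted, len(table.entries)

if __name__ == "__main__":
    # Same constructed flood (500 SYN/s for a minute against a 10,000-entry table)
    # under two policies: half-open entries kept as long as real sessions (300 s),
    # or aged out after 10 s. Only the second leaves room for the legitimate user.
    print("uniform 300 s timeout :", flood_then_legit(10_000, 300.0, 500, 60))
    print("10 s half-open timeout:", flood_then_legit(10_000, 10.0, 500, 60))
```

With the uniform timeout the table is full after 20 seconds and the real user is refused; with the short half-open timeout occupancy levels off at roughly rate × timeout, well under capacity.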
IPS / IDS
Intrusion Prevention / Intrusion Detection Systems. These are specialised traffic-analysis algorithms designed to detect activity that leads to unauthorised access to protected networks or IT resources. Some IPS / IDS systems stop working properly when too many web sessions have to be analysed.
Load balancer / ADC
A system that distributes load evenly across information systems (memory, processor power). Its purpose is to prevent the overload of a single server. If the load balancer is poorly configured, a DDoS attack may result in loss of access to the application.
The web application itself is the main target of hacker attacks, including DDoS attacks. The goal is to exhaust the IT resources dedicated to the functionality of the website or application. Very often attacks on Internet applications target the database on which the correct operation of the web application depends.
Why are DDoS attacks so hard to detect?
DDoS attacks are becoming more sophisticated and the price of attacks has been decreasing for many years.
There are some key issues with detecting DDoS attacks:
- DDoS attacks most commonly use the ports and protocols that web browsers use, which makes it very difficult to filter specific Internet sessions or packet traffic to specific ports.
- Frequently a DDoS attack runs as streams of packets sent from thousands of malware-infected computers. The users of these computers (and even smartphones) are not aware that they are taking part in the DDoS attack: this type of "malware" uses the infected device as a source of web requests aimed at the victim's website.
- There are many methods of multiplying the volume of IP packet traffic sent to the victim's Internet connection. The most effective methods can increase the IP stream as much as 4000 times. Theoretically, this means that an attacker only needs to send 100 kb/s from a single source (a YouTube video stream needs approximately 13,000 kb/s) for the DDoS victim to receive, after amplification, a data stream of 400 Mb/s (400,000 kb/s). In practice, generating such a big DDoS attack is not so easy, although it does not require particularly high hacking skills.
- DDoS attacks performed over encryption (SSL tunnels) are particularly difficult to detect and mitigate because doing so requires a very sophisticated technical solution.
- Repelling a volumetric DDoS attack is very difficult because sending large amounts of data to a limited Internet connection blocks that link. Analysis of incoming IP traffic, verification of the packets and checking whether the ports are open for such a data stream all happen only at the end of this link. Unwanted data is therefore rejected at the end of a limited "web pipe": the data saturates the link first, and only then do security systems (such as the firewall) analyse what made it through. The packets that do not fit into the available bandwidth are irretrievably lost.
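The first point above (attack traffic arrives on the same ports browsers use, so port filtering is useless) can still be turned into a detection signal, as in this added example (written for this page, not the author's code): group packet summaries into sessions and measure how many never completed the TCP handshake. The packet records are constructed in-memory from documentation address ranges (198.51.100.0/24, 203.0.113.0/24 and neighbours); the thresholds are assumptions to tune per site.

```python
from collections import defaultdict

def make_sample(legit_clients=5, half_open_syns=200):
    """Constructed packet summaries (src_ip, dst_port, tcp_flags). Each legitimate
    client completes its handshake (SYN, ACK) and then sends data (PA); each
    flood packet is a lone SYN from a different spoofed source address."""
    pkts = []
    for i in range(legit_clients):
        src = f"198.51.100.{i + 1}"
        pkts += [(src, 443, "S"), (src, 443, "A"), (src, 443, "PA")]
    for i in range(half_open_syns):
        pkts.append((f"203.0.{i // 250}.{i % 250 + 1}", 443, "S"))
    return pkts

def half_open_report(packets, min_half_open=50, min_ratio=0.8):
    """Group packets into sessions per (source, port). A session that only ever
    showed a SYN is half-open. Port 443 is open to everyone, so the verdict
    rests on the half-open share and count, never on the port itself."""
    seen = defaultdict(set)                       # (src, port) -> flags observed
    for src, port, flags in packets:
        seen[(src, port)].add(flags)
    per_port = defaultdict(lambda: {"total": 0, "half_open": 0})
    for (_, port), flags in seen.items():
        per_port[port]["total"] += 1
        if flags == {"S"}:                        # SYN sent, handshake never finished
            per_port[port]["half_open"] += 1
    report = {}
    for port, s in per_port.items():
        ratio = s["half_open"] / s["total"]
        report[port] = {**s, "ratio": round(ratio, 3),
                        "alert": s["half_open"] >= min_half_open and ratio >= min_ratio}
    return report

if __name__ == "__main__":
    print("flood  :", half_open_report(make_sample(5, 200)))
    print("normal :", half_open_report(make_sample(5, 0)))
```

The count threshold matters as much as the ratio: a handful of abandoned handshakes from flaky clients is normal, hundreds of them from hundreds of distinct sources on one port is not.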
Geography of attacks
DDoS attacks were registered in 98 countries in Q3, where the largest number of the attacks were aimed at China (63.30% of all attacks), which is 5.3 p.p. higher than the previous quarter. South Korea’s share fell from 14.17% to 8.70%, moving it to third place. The US came second despite the percentage of attacks originating from this country falling from 14.03% to 12.98%.
The top 10 accounted for 93.56% of all attacks. Germany (1.24%) re-entered the top 10, pushing Italy out of the rating. Hong Kong (1.31%) dropped from 4th to 7th, having lost 1.07 p.p. Russia (1.58%) gained 0.35 p.p. and was once again in fourth place. The UK remained fifth, while the Netherlands saw its share go up from 0.84% to 1.31%, moving it to sixth.
91.27% of all attacks were aimed at targets in the countries of the top 10 in Q3 2017.
What are your DDoS Protection Options?
Given the high-profile nature of DDoS attacks and their potentially devastating consequences, many security vendors have suddenly started offering DDoS protection solutions. With so much riding on your decision, it is critical to understand the strengths and weaknesses of your options.
DDoS response planning
The first thing every organization should do when suspecting a DDoS attack is confirm it. Once you’ve discounted DNS errors or upstream routing problems, then your DDoS response plan can kick in.
What should be in that response plan? Contact relevant members of your incident response team, including leads from applications and operations teams, as both are likely to be impacted.
Then contact your ISP, but don’t be surprised if it black-holes your traffic. A DDoS attack costs it money, so null routing packets before they arrive at your servers is often the default option. It may offer to divert your traffic through a third-party scrubber network instead; these filter attack packets and only allow clean traffic to reach you.
Be warned, this is likely to be a more expensive emergency option than had you contracted such a content distribution network (CDN) to monitor traffic patterns and scrub attack traffic on a subscription basis.
Prioritise, sacrifice and survive
Ensure the limited network resources available to you are prioritised, and make this a financially driven exercise, as it helps with focus. Sacrifice low-value traffic to keep high-value applications and services alive. Remember that DDoS response plan we mentioned?
This is the kind of thing that should be in it, so that these decisions aren't taken on the fly and under time pressure. There's no point allowing everyone equal access to high-value applications: whitelist your most trusted partners and remote employees using VPN to ensure they get priority.
Multi-vector attacks, such as when a DDoS attack is used to hide a data exfiltration attempt, are notoriously difficult to defend against. It’s all too easy to say that you must prioritise the data protection, but the smokescreen DDoS remains a very real attack on your business.
The motivation behind a DDoS is irrelevant; all of them should be dealt with using layered DDoS defences. These should include the use of a CDN to deal with volumetric attacks, with web application firewalls and gateway appliances dealing with the rest. A dedicated DDoS defence specialist will be able to advise on the best mix for you.
DDoS mitigation services
It’s worth considering investing in DDoS mitigation services if you’re particularly likely to be a target of a DDoS attack (for example, if you’re a large organisation) or at least knowing about what’s out there, just in case.
One of the biggest and best known is Cloudflare, which has made headlines offering DDoS mitigation services to the likes of Wikileaks as well as working to mitigate wider attacks like the WireX botnet and the 2013 Spamhaus attack.
Cloudflare isn't the only game in town, though, and many network and application delivery optimisation firms offer DDoS mitigation services.
Other well-known brands include Akamai, F5 Networks, Imperva, Arbor Networks and Verisign. Less well-known options that are also worth considering include ThousandEyes, Neustar and DOSarrest.
Some of these providers offer so-called emergency coverage, which you can buy when an attack is underway to mitigate the worst of it, while others require a more long-term contract.
If you're already using other products from any of these companies, you may want to look into adding DDoS protection to your package. Alternatively, if you use another network optimisation firm not mentioned here, it's worth seeing whether it offers DDoS protection and how much it would cost. As mentioned above, your ISP may also offer some form of DDoS protection, particularly in an emergency, but it's worth finding out beforehand quite how comprehensive this would be, as well as the processes involved and how much it will cost.
The truth is that a CDN addresses the symptoms of a DDoS attack by simply absorbing these large volumes of data. It lets all the information in and through; all are welcome. There are three caveats here. The first is that there must be bandwidth available to absorb this high-volume traffic, and some of these volumetric attacks exceed 300 Gbps; all that capacity comes at a price. Second, there are ways around the CDN: not every webpage or asset will use the CDN. Third, a CDN cannot protect against an application-based attack. So let the CDN do what it was intended to do.