DDoS Attacks

So, I really want to go into DDoS attacks because they are getting more and more common. To put it into numbers, 33% of business had been hit by DDoS attacks in 2017. Some of the recent high-profile occurences include the Mirai botnet attack (2016) and WireX botnet (2017). Not to mention, as the number of devices that are connected to the internet will increase over time, this increases the number of unprotected devices for attackers to leverage in their attacks. For example, think about self-driving cars, technology that allows us to control more aspects of our lives from our phone, medical devices, etc. Assuming that everyone who will eventually have one of these devices is security conscious, is a big assumption to make. 

DDoS attacks are bound to become more sophisticated. They may still be short, but may persist as powerful and sudden “punctuated” attacks that will last for several hours or several days. With that said, there are 3 types of DDoS attacks, generally speaking, and they are: volumetric attacks, application layer attacks, and protocol attacks. Of course, some attacks are multi-vector and may utilize two or more of these techniques. I will describe each of these types and examples of each. I will go into mitigation methods in another post. 

Volumetric Attacks (layer 3/4)

Measured in: Bps (bits per second), GBps, etc

The goal of a volumetric attack is to saturate the bandwidth of the attacked site. 

Examples: DNS amplification, HTTP flood, (Ping) ICMP flood, SNMP Reflection, UDP flood.

Out of these examples, I will go into detail into ICMP flood, SNMP Reflection, and DNS amplification. 

ICMP flood, AKA a Ping flood, is an attack where the victim's computer is overwhelmed with ICMP echo requests. Because the receiving network will respond to these pings, the attack strains both the incoming and outgoing channels of the network. Assuming the bandwidth cannot keep up, this results in a DDoS attack. ICMP requests, or ping requests, are typically used to measure the RTT (round trip time) between 2 computers. In this type of attack an attacker needs to know the IP address of their target and have more bandwidth than the victims network. Attacks can be targeting a single computer in the local network, a router (which would ultimately affect all computers connected to that router in its routing table), or a blind attack. Attacks can be carried out using scripts, such as hping3 and scapy. Ping commands that can be leveraged include the following: 

  • The –n command, which is used to specify the number of times a request is sent.

  • The –l command, which is used to specify the amount of data sent with each packet.

  • The –t command, which is used to continue pinging until the host times out.

Mitigation for ICMP attacks includes implementing a rule that does not allow ICMP pings that have an external source address. There is no reason for an external source to send ICMP ping. However, this doesn't block internal attacks. You can also implement a size limit on the ping requests and the rate at which pings can be sent or accepted. 

Protocol Attacks (Layer 3/4)

Measured in: Pps (packets per second)

The goal of a protocol attack is to consume the actual server resources or other network infrastructure, such as firewalls, load balancers, routers, etc. 

Examples: SYN flood, Ping of Death (POD), SMURF.

A SYN flood attack, AKA a TCP SYN flood, is a targeted attack on the receiving server. Simply put, the SYN flood attack involves sending a high number of TCP connection requests to the server, to the point in which the server cannot process them and ends up becoming unresponsive. By not responding to the servers SYN+ACK ping, the attack will cause the server to keep opening new connections without closing the previously opened ones. 

Application Layer Attacks (Layer 7)

Measured in: Rps (requests per second) 

The goal of an application layer attack is to exhaust the web server. Layer 7 attacks are especially dangerous because they do not require a response from the target to be an effective method of attack. 

Examples: DNS flood, 

A DNS flood attack is when a DNS server is targeted by an attacker trying bring it down by overwhelming the servers resources. UDP requests are sent, using a script, that is executing from multiple servers. The DNS server receives packets from multiple IPs for requests. This also helps the attacker get pasts common DDoS protection mechanisms that rely on IP filtering to block out malicious packets. A DNS Nxdomain attack is when the DNS server is flooded with requests that are referring to nonexistent records and when the cache is filled with bad requests, it will eventually not have enough bandwidth to handle real requests. 

Other: Fork bombs, IP fragmentation, NTP amplification.

GRE Tunneling vs IPSEC