Cybersecurity has been a hot topic on the web as, in the last 20 years, we have gone through a myriad of viruses, worms, malware, phishing campaigns, etc. But the most expensive for companies is Distributed Denial of Service (DDoS). A DDoS is a malicious attempt to make your online service temporarily unavailable, or even to disable it for a longer period (the longest DDoS attack lasted for almost 3 weeks!). This type of attack occurs when an attacker sends a huge (HUGE!) amount of network traffic directly to the target server or network.

Botnet

The most frequently used vehicles for DDoS attacks are botnets: large numbers of infected computers, so-called "zombies", that can be managed and activated from a single remote location. The attacker then uses the botnet to spam and execute the attack, so that it does not appear to originate from a single location. An example tool for testing (and possibly executing a DDoS attack) is Low Orbit Ion Cannon (LOIC) and its web version JS LOIC, originally created for network stress testing. Inside the application, the attacker simply enters an IP address, port and type of message, and the attack has commenced. Another DDoS tool is HTTP Unbearable Load King (HULK), also created for research purposes; it can bypass cache engines and generate a large amount of unique and obscure traffic.

In this age of the Internet, anyone can "rent-a-Botnet". The most famous was Ox-booter, where for $20-150 one could rent a botnet for DDoS, then plan and execute his or her vengeance on a least-favored service.

This one was based on the Bushido botnet, which usually uses Mirai and similar exploits to make "zombie babies". Among the most targeted are IoT devices, which are seldom updated, usually run on deprecated and unsupported kernels and/or operating systems, and, certainly the worst aspect, are very badly secured.


Types of attacks

There are a number of DDoS variations, generally grouped into three categories: Volume Based Attacks, Protocol Attacks and Application Layer Attacks. Similarly, there are two methods of attack: Standard and Reflection. I'm sure we could find more examples, but let's jump right into the list:

  • UDP Flood: An attack that floods the target with UDP packets. The goal is to exhaust server/network bandwidth, thus denying the server to legitimate users. The usual targets are ports on which no application listens, forcing the server to reply with ICMP Destination Unreachable (type 3, code 3, Port Unreachable) packets, which consumes resources.
  • SYN Flood: This attack abuses the TCP three-way handshake: the attacker sends TCP SYN requests, to which the host has to reply with SYN-ACK. The client's acknowledgment never arrives, so server resources are held by half-open connections until they time out.
  • ICMP Flood: An attack that overwhelms the server with ICMP Echo Request (ping) packets, sending them mercilessly without waiting for a reply. With enough hosts committing this type of attack, the bandwidth to the server eventually saturates.
  • Ping of Death: Occurs when an attacker sends multiple malformed or malicious pings to the server. In practice this means the attacker sends a ping larger than the maximum length of an IP packet (65535 bytes). The first router on the path fragments it into regular datagram-sized pieces and forwards them to the receiving host, the victim in this case, which reassembles them back into the original oversized packet. If the host isn't able to handle such an irregular packet size, a memory buffer overflow occurs, causing the victim computer to crash.
  • Slowloris: A variation of the SYN flood in which an attacker (possibly with the Slowloris tool or a similar one) attempts to establish multiple TCP connections to a target web server and holds them open as long as possible by sending partial requests.
  • NTP Amplification: Having a list of open NTP servers, an attacker sends NTP requests (usually the monlist command) with the source IP address spoofed to that of the victim. As a result, a large number of NTP servers respond to the victim. The amplification comes from a query-to-response ratio of up to 1:200 or even more, so this attack can have a devastating effect on the targeted server very easily.
  • DNS Reflection Attack with Amplification: In this attack, an attacker uses the DNS system to send an overwhelming amount of traffic to the target. The attacker spoofs the victim's IP address and sends DNS name lookup requests to public DNS servers. To maximize amplification, the attacker can use the "ANY" query type, which returns all known information about the DNS zone, a far larger amount of data than in the requests initiating the attack.
  • HTTP Flood: Here an attacker exploits seemingly legitimate HTTP GET or POST requests to attack a web server or application, causing a lot of open connections and consequently exhausting the server's connection pool or available resources.
  • Less known variations: Beside the aforementioned types, there are numerous others like ESSYN/XSYN Flood and PSH Flood, which exploit the TCP stack, or SMBLoris, which abuses the SMB (Samba) protocol and effectively renders it non-working. Among the reflection attacks there is also the Smurf attack, carried out by the attacker spoofing the victim's IP address. The list goes on.


Location, location

So far we have covered tools and types of attacks, but what about the distribution of DDoS incidents around the globe? Most DDoS attacks originate from China and the USA, while all other countries contribute 25% combined. When it comes to targeted countries, China and the USA are also at the front, followed by Australia, Brazil and Saudi Arabia. No one is safe from DDoS attacks, and your organization could easily be the next target. As for duration, one attack can last from several minutes to several hours, or even days.

Detection and remediation

In this text we've seen that DDoS is a very complex topic. To detect these attacks one needs a combination of NetFlow and a Network Monitoring System (NMS), as well as firewall rules, vendor patches and even hardware and/or software appliances tailored specifically for DDoS protection.

Let's say a company is under a SYN flood attack. What should they do? Firstly, raw data need to be inspected in order to identify a rising number of TCP SYN packets over a short period of time. Then, strict TCP keepalive settings need to be defined, along with maximum connection rules, on all perimeter devices (for example proxies, firewalls, etc.). There also needs to be an effective partnership with the upstream network service provider, which can be extremely helpful in this kind of situation. And finally, as a regular action, alarms should be set on all NetFlow and NMS servers, so that an alert can arrive before the attack.
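The first step above, inspecting flow data for a rising SYN count, and the flood types from the list (UDP to closed ports, SYN, ICMP) can be turned into a small detector. This is an added example, not code from the original post: it aggregates constructed NetFlow-style records per time window and destination, and the thresholds, window size and the LISTENING_UDP_PORTS set are assumptions to be tuned against your own baseline.

```python
from collections import defaultdict

# Constructed NetFlow-style records for this demo (not real captures):
# (epoch seconds, src_ip, dst_ip, proto, dst_port, tcp_flags, packets)
SAMPLE_FLOWS = (
    # 300 SYN-only flows from 200 spoofed sources hitting one web server in ten seconds
    [(1000 + i % 10, f"198.51.100.{i % 200}", "203.0.113.10", "tcp", 443, "S", 1) for i in range(300)]
    # a handful of legitimate sessions that did complete the handshake
    + [(1000 + i, "192.0.2.5", "203.0.113.10", "tcp", 443, "SA", 12) for i in range(10)]
    # 120 UDP flows to random high ports on a DNS server (nothing listens there)
    + [(1005 + i % 5, f"198.51.100.{i % 50}", "203.0.113.20", "udp", 40000 + i % 100, "", 40) for i in range(120)]
    # a normal DNS query and a normal ping, which should not trigger anything
    + [(1000, "192.0.2.9", "203.0.113.20", "udp", 53, "", 3), (1003, "192.0.2.7", "203.0.113.10", "icmp", 0, "", 4)]
)

# Assumed: UDP ports the monitored hosts actually serve (here DNS and NTP)
LISTENING_UDP_PORTS = {53, 123}


def detect_floods(flows, window=10, syn_threshold=100, udp_threshold=1000, icmp_threshold=1000):
    """Aggregate flows per (time window, destination) and return alerts as
    (window_start, dst_ip, kind, count). Thresholds are per window and illustrative."""
    syn_only, tcp_total = defaultdict(int), defaultdict(int)
    udp_closed, icmp_pkts = defaultdict(int), defaultdict(int)
    for ts, src, dst, proto, dport, flags, pkts in flows:
        key = (ts - ts % window, dst)
        if proto == "tcp":
            tcp_total[key] += 1
            if "S" in flags and "A" not in flags:      # SYN that never saw an ACK: half-open
                syn_only[key] += 1
        elif proto == "udp" and dport not in LISTENING_UDP_PORTS:
            udp_closed[key] += pkts                     # each one costs an ICMP port-unreachable reply
        elif proto == "icmp":
            icmp_pkts[key] += pkts
    alerts = []
    for key, n in syn_only.items():
        # flag only when the count is high AND most TCP flows never got past SYN
        if n >= syn_threshold and n / tcp_total[key] > 0.8:
            alerts.append((*key, "syn_flood", n))
    for key, n in udp_closed.items():
        if n >= udp_threshold:
            alerts.append((*key, "udp_flood_closed_ports", n))
    for key, n in icmp_pkts.items():
        if n >= icmp_threshold:
            alerts.append((*key, "icmp_flood", n))
    return sorted(alerts)
```

Running detect_floods(SAMPLE_FLOWS) returns one syn_flood alert for 203.0.113.10 and one udp_flood_closed_ports alert for 203.0.113.20, while the legitimate sessions, the DNS query and the ping stay quiet. Feeding it real exporter output only requires mapping your collector's fields onto the seven-tuple.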