The PhishLabs Blog

DDoS on the rise: the AK-47 of cybercrime

Posted by Lindsey Havens on Jan 23, '15

AK-47s have been around forever. They are the most popular and widely used assault rifles in the world, not because they do anything advanced, but because they are cheap, reliable, and so easy to use that untrained fighters can wield them effectively. Much like the AK-47, DDoS attacks are not highly sophisticated, expensive, or the most “sexy” form of cybercrime, but they can be very effective. 2014 closed as a record year for distributed denial-of-service (DDoS) attacks, with increases in both volume and sophistication. Researchers anticipate that the upward trend will only continue in 2015, with many businesses still underprepared to fight back against an attack.

High-profile targets such as banks, ecommerce and online storefront vendors, online gaming platforms, governments and educational establishments are generally the unfortunate marks for DDoS attacks. However, any organization that relies on the Internet to conduct business is a potential target, so it is critical to implement DDoS mitigation tactics and incident response plans before an event occurs.

Year-over-year attack volume

According to Arbor Networks, whose ATLAS system monitors events from 300+ network operators around the world, 11 DDoS events over 100Gbps were tracked from Q1-Q3 in 2013; in the same period of 2014, the number increased to 133. There was also significant growth in smaller-scale attacks: in just the first quarter of 2014, ATLAS tracked one and a half times as many attacks over 20Gbps as in all of 2013. Arbor Networks’ Nick Race forecasts that “attacks will likely continue to get larger and more frequent, and unfortunately many businesses are still unprepared for an attack.”

DDoS for hire

The recent, highly publicized DDoS attacks on the popular online gaming platforms Sony PlayStation and Microsoft Xbox outraged gamers during the holiday season as both were knocked offline for periods of time. As we continue to see the rise of Cybercrime-as-a-Service, it should not shock anyone that DDoS threat actors are eager to jump on the bandwagon. The “Lizard Squad” claimed responsibility for the online gaming DDoS attacks and later announced it was essentially a “commercial” for their new “booter” or “stresser” site — a service designed to help paying customers knock virtually any site or person offline for hours or days at a time. The cost of attacks ranges anywhere from $6 to $500; unlimited attacks can be launched for $500. All services are to be paid in the difficult-to-trace cryptocurrency, Bitcoin.

What can a DDoS attack cost you?

DDoS attacks are most often used to extort or damage businesses whose websites or online assets are a major source of revenue, are an indicator of brand value, or are critical to operations. According to Neustar’s 2014 DDoS annual report, 40 percent of companies targeted with a DDoS attack estimated losses of more than a million U.S. dollars per day.


Figure 1. Estimated DDoS attack costs per hour. Source: Neustar 2014 Report.

In addition to the direct financial costs of an attack, other, less quantifiable losses include damage to reputation, brand value and public perception, and compromised customer trust. Additionally, customer service is flooded with inquiries and IT resources are strained during an attack. One unfortunate Internet company went out of business in 2014 after a DDoS extortion attack.

Types of DDoS attacks

The basic “flood” method is the most common form of DDoS attack; it is designed to use up all available bandwidth, input/output (I/O) capacity, or other resources, rendering the website unavailable. Flooding involves sending a large number of packets to the targeted system using a variety of Internet protocols, including User Datagram Protocol (UDP), Internet Control Message Protocol (ICMP), and Transmission Control Protocol (TCP). A large number of distributed bots or compromised "zombie" computers are often used to flood targets. A tactic called amplification is also used, where the attacker sends a small request to a third-party system that responds with a much larger reply, and that reply is directed at the target.

SYN floods are an example of this type of DDoS attack. They abuse the TCP three-way handshake used to initiate connections, and they still represent a common and relatively effective attack method because popular services that use TCP, such as web servers, must be exposed to the public networks from which DDoS attacks are launched. In an effort to evade layered controls against DDoS attacks, some modern network-layer attacks fragment or craft packets designed to crash network devices.

Modern tactics also target the Domain Name System (DNS), which translates a domain name to an IP address, instead of the webserver itself, rendering the target unreachable without actually impacting the operation of the website. To an attacker, whether the webserver is offline or no one can find it because DNS has failed, the objective of making it unavailable has been accomplished either way.

Other types of attacks include resource exhaustion, where attackers entice the targeted system to perform operations that consume large amounts of processing power, memory, and storage, and "slow" attacks designed to tie up the targeted system's attention, such as requesting a file download and reading it very slowly.

Many types of attacks, including some common amplification attacks, use network services that allow the source IP address of the attack traffic to be spoofed. Other attackers use a large botnet with a vast number of zombie computers to launch attacks. In both cases, basic blocking is often ineffective, and building a list of attack sources' IP addresses for that purpose isn't feasible given the number of sources and the typical duration of a DDoS attack.
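The two flood patterns described above, a SYN flood and spoofed-source DNS amplification, leave distinct traces in flow records. The following is an added example, not code from the PhishLabs post, that scores a handful of constructed flow records for both patterns; the victim and source addresses, the record layout and the thresholds are all assumptions chosen for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One flow record as a collector would export it (constructed for this example)."""
    proto: str    # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    flags: str    # TCP flags seen in the flow ("S" = SYN only, "A" present = handshake done); "" for UDP
    nbytes: int


# Constructed victim and sources drawn from the RFC 5737 documentation ranges.
VICTIM = "203.0.113.10"

SAMPLE_FLOWS = [
    # Eight SYN-only flows from eight sources: half-open connections that never complete
    *[Flow("tcp", f"198.51.100.{i}", VICTIM, 40000 + i, 80, "S", 60) for i in range(1, 9)],
    # One legitimate client that finished the handshake and sent a request
    Flow("tcp", "192.0.2.7", VICTIM, 51000, 80, "SPA", 1200),
    # Large DNS responses arriving from open resolvers the victim never queried
    # (the resolvers were sent queries carrying the victim's spoofed source address)
    Flow("udp", "192.0.2.53", VICTIM, 53, 33001, "", 3000),
    Flow("udp", "192.0.2.54", VICTIM, 53, 33002, "", 3100),
    Flow("udp", "192.0.2.55", VICTIM, 53, 33003, "", 2900),
    # A single genuine DNS query the victim itself sent out
    Flow("udp", VICTIM, "192.0.2.53", 33000, 53, "", 60),
]


def syn_flood_indicators(flows, victim, port=80):
    """Half-open statistics for TCP flows aimed at victim:port."""
    tcp_to_victim = [f for f in flows if f.proto == "tcp" and f.dst == victim and f.dport == port]
    syn_only = [f for f in tcp_to_victim if f.flags == "S"]
    completed = [f for f in tcp_to_victim if "A" in f.flags]
    return {
        "half_open": len(syn_only),
        "completed": len(completed),
        "distinct_syn_sources": len({f.src for f in syn_only}),
    }


def is_syn_flood(ind, min_half_open=5, max_completion_ratio=0.25):
    """Flag when half-open connections dominate and come from many distinct sources.

    The many-sources condition is what makes per-address blocking impractical,
    as the post notes; the thresholds here are assumptions, not tuned values.
    """
    total = ind["half_open"] + ind["completed"]
    if total == 0 or ind["half_open"] < min_half_open:
        return False
    return (ind["completed"] / total <= max_completion_ratio
            and ind["distinct_syn_sources"] >= min_half_open)


def dns_amplification_ratio(flows, victim):
    """Bytes of DNS replies reaching the victim per byte of DNS queries it actually sent."""
    inbound = sum(f.nbytes for f in flows if f.proto == "udp" and f.dst == victim and f.sport == 53)
    outbound = sum(f.nbytes for f in flows if f.proto == "udp" and f.src == victim and f.dport == 53)
    if inbound == 0:
        return 0.0
    # A spoofed victim receives replies it never asked for; with no outbound
    # queries at all the ratio is unbounded rather than a division error.
    return float("inf") if outbound == 0 else inbound / outbound


def is_dns_amplification(ratio, threshold=20.0):
    """Assumed threshold: legitimate reply/query byte ratios stay in the single digits."""
    return ratio >= threshold


if __name__ == "__main__":
    ind = syn_flood_indicators(SAMPLE_FLOWS, VICTIM)
    print("SYN flood indicators:", ind, "->", is_syn_flood(ind))
    ratio = dns_amplification_ratio(SAMPLE_FLOWS, VICTIM)
    print("DNS amplification ratio:", ratio, "->", is_dns_amplification(ratio))
```

On the constructed records the SYN-flood check sees eight half-open connections from eight sources against one completed handshake, and the DNS check sees 9000 bytes of replies against 60 bytes of queries. Both indicators are computed per victim rather than per source, which is the right granularity when sources are spoofed or number in the thousands.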

DDoS and other network attacks are often generally categorized as either:

  • Low-layer, attacking the network itself
  • High-layer, attacking the services and applications that run on top of the network

This is because the types of security controls and plans of action designed to mitigate DDoS attacks differ between these two general types of attack.

Mitigating a DDoS attack

Unfortunately, there is no “silver bullet” to completely protect against DDoS attacks. However, best practices, modern controls, modern network service architectures, and well-planned incident response plans can effectively mitigate large-scale DDoS attacks.

As with cyber security in general, multiple defensive layers offer the best assurance for minimizing the impact of a DDoS attack. Every security layer has limits, since it must still allow legitimate activity through.


Figure 2. Illustration of the common components of a layered DDoS mitigation approach.

Common protection practices include:

  • Robust distributed network infrastructure.
  • DDoS mitigation subscription services.
  • Investment in specialized anti-DDoS network security appliances.

As DDoS defense tactics evolve, cybercriminals will continue to find ways to skirt around defenses. Countermeasures against established attack techniques, together with newer architectures that are more resilient to DDoS attacks, are critical when deploying mitigation strategies. Understanding the adversary's tactics, techniques, and procedures (TTP) will help establish a strong security posture and aid in planning an effective response.

Network architecture and controls

Network architecture is the first stop for protection against DDoS attacks; ensure that best practices and deployment controls have been implemented. To mitigate the effects of flood attacks and some amplification attacks, segment the network so that controls can be placed where they enforce granular policies to allow or reject traffic as appropriate. Be sure to test and evaluate network-layer controls such as firewall policies and routing configurations under specific DDoS conditions such as SYN floods, UDP floods, ICMP backscatter and ping floods. Also evaluate the performance of network devices, applications and services while under DDoS payloads. Transactional integrity for databases and graceful degradation of applications should be part of the design requirements.

DDoS countermeasures

Implementing DDoS countermeasures depends heavily on how much an organization relies on external providers for internetwork connectivity, data center capacity, hosting infrastructure or server co-location. As a result, organizations should discuss DDoS contingencies with their service providers, including those responsible for peering as well as upstream and downstream transit.

Basic countermeasures include:

  • Device controls – most routers and common switches incorporate basic access control lists (ACLs) and rate-limiting technologies. Some devices even offer anti-DDoS settings.
  • SYN cookies – network architectures should allow a “virtual” switch to be flipped to enable SYN cookies, a technique in which the server encodes the state of a half-open connection into the initial sequence number it sends in its SYN-ACK, and only allocates connection state once the client's ACK echoes a valid value back. This will mitigate small to moderate SYN floods. Because of minor technical drawbacks, SYN cookies are generally enabled only after an attack has been initiated.
  • TCP Cookie Transactions (TCPCT) – this mechanism is designed to combat SYN floods while avoiding the drawbacks of SYN cookies. What makes TCPCT less attractive is that it can break standard TCP networking implementations because both endpoints must support TCPCT.
  • TCP connection splicing – sometimes referred to as delayed binding, this can also help mitigate SYN flood attacks. Upstream service providers such as “cleaning centers” or “packet scrubbers” may provide proxy or in-the-cloud services that are effective in protecting against SYN flooding in conjunction with specialized network attack mitigation technologies.
  • At the application layer, replacing the webpages that rely on databases and other resources to generate dynamic, interactive content with static markup limits the overhead associated with database queries and other types of processing, albeit at the cost of temporarily reduced functionality.
  • While blocking based on individual attack sources is often not the most effective mitigation tactic, temporarily blocking network traffic based on whole network allocations or large-scale geolocation criteria such as country of origin (or even hemisphere) can be effective when it doesn't exclude typical users. A balance should be struck between the number of legitimate users likely to be denied access and the number of rogue bots attacking the site that will be rendered useless.
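The SYN cookie bullet above describes the mechanism in one sentence; the added example below, which is not code from the PhishLabs post or from any real TCP stack, works it through end to end. The cookie layout (5 bits of coarse time, 3 bits of MSS index, 24 bits of keyed hash), the secret, the MSS table and the address values are all assumptions chosen to keep the example short; it also shows the MSS rounding that is one of the "minor technical drawbacks" the post alludes to.

```python
import hashlib
import hmac
import os

# Assumed server-side secret; a real stack rotates its equivalent periodically.
SECRET = os.urandom(32)

# A SYN cookie has no room for the client's full TCP options, so the MSS is
# rounded down to one of a few table entries (3 bits here). Losing options such
# as window scaling is one of the "minor technical drawbacks" the post refers to.
MSS_TABLE = (536, 1300, 1440, 1460)


def _mac24(saddr, sport, daddr, dport, count, mss_idx):
    """24-bit keyed hash over the 4-tuple and the two fields embedded in the cookie."""
    msg = f"{saddr}:{sport}>{daddr}:{dport}|{count}|{mss_idx}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(saddr, sport, daddr, dport, client_mss, now):
    """Server side: build the initial sequence number for the SYN-ACK.

    Nothing about this half-open connection is stored; the state a normal
    handshake would keep is folded into the 32-bit sequence number itself.
    Layout (simplified): 5 bits of coarse time, 3 bits of MSS index, 24 bits of MAC.
    """
    count = (int(now) // 64) & 0x1F
    candidates = [i for i, m in enumerate(MSS_TABLE) if m <= client_mss]
    mss_idx = candidates[-1] if candidates else 0
    return (count << 27) | (mss_idx << 24) | _mac24(saddr, sport, daddr, dport, count, mss_idx)


def check_syn_cookie(saddr, sport, daddr, dport, ack, now, max_age_units=1):
    """Server side: validate the cookie echoed back in the client's ACK.

    Returns the negotiated MSS when the ACK completes a genuine handshake,
    otherwise None. Only a client that actually received the SYN-ACK (so not a
    source that spoofed its address) can echo a valid cookie.
    """
    cookie = (ack - 1) & 0xFFFFFFFF          # the client ACKs our ISN + 1
    count = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    if mss_idx >= len(MSS_TABLE):
        return None
    age = (((int(now) // 64) & 0x1F) - count) & 0x1F
    if age > max_age_units:
        return None                          # stale cookie, outside the accepted window
    expected = _mac24(saddr, sport, daddr, dport, count, mss_idx)
    if not hmac.compare_digest(expected.to_bytes(3, "big"), (cookie & 0xFFFFFF).to_bytes(3, "big")):
        return None
    return MSS_TABLE[mss_idx]


def simulate_handshake(client, server, client_mss, now):
    """Drive one SYN / SYN-ACK / ACK exchange and report what the server accepted."""
    saddr, sport = client
    daddr, dport = server
    isn = make_syn_cookie(saddr, sport, daddr, dport, client_mss, now)      # sent in the SYN-ACK
    return check_syn_cookie(saddr, sport, daddr, dport, isn + 1, now + 1)   # the client's ACK


if __name__ == "__main__":
    print(simulate_handshake(("198.51.100.5", 40001), ("203.0.113.10", 80), 1460, 1_700_000_000))
```

Between the SYN and the ACK the server keeps no per-connection memory, which is exactly why a flood of SYNs from spoofed sources no longer exhausts the backlog. The price is visible in `simulate_handshake`: a client advertising an MSS of 1400 is negotiated down to 1300 because the cookie can only carry a table index, and the time window means cookies are only accepted for roughly a minute or two.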

Advanced DDoS countermeasures include:

  • Bandwidth management solutions – these methods are based on a variety of advanced protocols and algorithms for bandwidth shaping and reservation, rate limiting, scheduling and congestion avoidance. Some are based on quality-of-service (QoS) standards, and others offer proprietary protections such as behavioral anomaly detection, limiting based on transaction rates, and alleviating bottlenecks by intentionally introducing latency. Some webservers have built-in rate limiting and filtering, or modules available that implement anti-DDoS tactics.
  • Intrusion prevention systems (IPS) and web application firewalls (WAFs) offer protection from a number of types of attacks besides DDoS, but can be configured to drop or ignore network traffic when loaded with DDoS attack tool signatures. Threat intelligence, and the ability to apply that intelligence in the form of a useful ruleset that is maintained and kept up to date, is key to their effectiveness. These controls are often designed to "fail closed" and stop passing any network traffic during an attack to prevent exploitation and system intrusions, but they may be configured to "fail open" under denial-of-service conditions so that they do not do the attacker's job of making services unavailable to legitimate users.
  • Technologies used by content delivery networks (CDNs) such as anycasting, a routing technology which constrains DDoS attacks geographically, diluting the impact on service in a particular part of the world. This is used, for example, with caching web proxies that move copies of content closer to those requesting the webpages, so that only the copies closest to the attack sources on the network are the most impacted by an attack. Private CDNs can be difficult to manage and costly to maintain, so independent application of this technology is generally limited to large organizations, but there are many providers that make these capabilities available to other organizations as a service.
  • Distributed DNS services – dispersing the DNS services that are essential in locating an organization’s key public network services, such as websites and email gateways, can help mitigate the global availability impact of attacks.
  • Proof-of-work, CAPTCHAs, and other anti-bot technology designed to ensure a webserver is being visited by a real human with an actual web browser rather than by an attacker with an automated attack tool.
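The proof-of-work bullet above is the one anti-bot control that can be shown end to end in a few lines. The following is an added example, not code from the PhishLabs post or from any product it mentions: the server issues a challenge it can later reconstruct without storing it, the client burns CPU to find a matching nonce, and the server verifies with one HMAC and one hash. The secret, difficulty, time-to-live and client address are assumptions; the difficulty is set low so the search finishes in milliseconds.

```python
import hashlib
import hmac
import os

SERVER_SECRET = os.urandom(32)   # assumed per-deployment secret
DIFFICULTY_BITS = 12             # assumed: ~4096 hashes per solution, cheap for one browser
CHALLENGE_TTL = 300              # seconds a challenge stays valid (assumed)


def _tag(client_ip, ts):
    """Keyed tag binding a challenge to the requesting client and the time it was issued."""
    return hmac.new(SERVER_SECRET, f"{client_ip}|{ts}".encode(), hashlib.sha256).hexdigest()[:32]


def issue_challenge(client_ip, now):
    """Server side: hand out a challenge without storing anything about it."""
    ts = int(now)
    return f"{ts}:{_tag(client_ip, ts)}"


def leading_zero_bits(digest):
    """Number of leading zero bits in a 32-byte digest (256 for the all-zero digest)."""
    return 256 - int.from_bytes(digest, "big").bit_length()


def solve_challenge(challenge, bits=DIFFICULTY_BITS):
    """Client side: the expensive part, searching for a nonce that meets the difficulty."""
    nonce = 0
    while True:
        digest = hashlib.sha256(f"{challenge}:{nonce}".encode()).digest()
        if leading_zero_bits(digest) >= bits:
            return nonce
        nonce += 1


def verify_solution(client_ip, challenge, nonce, now, seen, bits=DIFFICULTY_BITS, ttl=CHALLENGE_TTL):
    """Server side: one HMAC and one SHA-256, however long the client worked.

    `seen` is a set of already-accepted (challenge, nonce) pairs so that one
    solved puzzle cannot be replayed across a bot farm; entries can be dropped
    once the challenge timestamp is older than `ttl`.
    """
    try:
        ts_str, tag = challenge.split(":", 1)
        ts = int(ts_str)
    except ValueError:
        return False
    if not 0 <= now - ts <= ttl:
        return False                                  # expired or clock-skewed challenge
    if not hmac.compare_digest(_tag(client_ip, ts), tag):
        return False                                  # issued to a different client, or forged
    digest = hashlib.sha256(f"{challenge}:{nonce}".encode()).digest()
    if leading_zero_bits(digest) < bits:
        return False                                  # the work was not done
    if (challenge, nonce) in seen:
        return False                                  # replayed solution
    seen.add((challenge, nonce))
    return True


if __name__ == "__main__":
    now = 1_700_000_000
    challenge = issue_challenge("192.0.2.10", now)
    nonce = solve_challenge(challenge)
    print(challenge, nonce, verify_solution("192.0.2.10", challenge, nonce, now + 5, set()))
```

The asymmetry is the whole point: a legitimate browser pays a few thousand hashes once per session, while a bot that wants to send ten thousand requests per second must pay that cost ten thousand times per second. Raising `DIFFICULTY_BITS` by one doubles the client's cost without changing the server's, and the `seen` set is what stops an attacker from solving once and replaying the answer.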

With many of these technological controls, the configurations that best mitigate DDoS attacks are not optimal for typical loads. Some come with overhead that is otherwise unnecessary, placing undue load on networking and processing resources during normal use. Others offer reduced functionality, such as a static version of a website lacking the interactive features of the database-driven version. Some services offering CDN technologies may cost more based on the amount of bandwidth reserved or the number of points-of-presence from which DNS servers respond.

Controls that allow settings to be grouped together in configuration profiles which can be easily switched on or off based on prevailing conditions are often more cost effective. The same is true of services that offer dynamic pricing and can be deployed on-demand and scaled back when attacks relent.

DDoS attacks can cripple an organization, resulting in lost revenue, damage to the brand and compromised customer trust. With little hope of reprieve, business owners and stakeholders need to be aware of the consequences of DDoS attacks and build robust incident response, crisis response, and business continuity plans that encompass DDoS mitigation.

Read our Intelligent DDoS Protection whitepaper to learn how to detect and respond to DDoS attacks faster and more effectively.

