Denial of Service (DoS) attacks aim to make services and systems unavailable to legitimate users. If these attacks are performed by multiple sources at the same time against the same target, they are called Distributed Denial of Service (DDoS) attacks. The talk “Imma Chargin Mah Lazer” describes the different types of (D)DoS attacks that are out in the wild and are seen on a daily basis by corporations. It also presents a multi-layered strategy to mitigate such attacks. The speaker is Dr. Oliver Matula, an IT security researcher at ERNW who holds a PhD in physics. He presented the topic in a simple way that made the material accessible to an audience of different technical levels and backgrounds.
Motives of (D)DoS attacks
Corporations are subjected to (D)DoS attacks for several reasons, such as hacktivism, hate crime, or blackmailing. An example of blackmailers is a group called DD4BC, which stands for Distributed Denial of Service For Bitcoins. They blackmailed corporations and financial institutes and demanded Bitcoin ransoms, or else they would attack their networks. DD4BC has attacked many financial institutes in the USA, Europe and Australia and has made their websites unresponsive. Hacktivist groups also perform DDoS attacks for political or social reasons. In 2010, the well-known hacktivist group Anonymous started a series of DDoS attacks on several targets such as Visa, PayPal and law firms. The attacks were part of the so-called Operation Payback.
Other DDoS attacks have been performed out of hate or for the sake of revenge, such as the DDoS attack targeted at the non-profit anti-spam organization Spamhaus. The attack was executed after the hosting provider Cyberbunker was added to a blacklist provided by Spamhaus. DoS attacks can also have tactical reasons, such as attacking an initial target in order to distract security teams from protecting or monitoring the main target. Sometimes there is no particular reason behind a DDoS attack at all, beyond a bored script kiddie looking for some fun.
Some (D)DoS attacks are easy to perform, and several tools have been developed to make them even easier. Low Orbit Ion Cannon (LOIC) is one of these tools; it turns a DDoS attack into a social activity. The target and time of the attack are usually announced on a social community site such as 4chan, and at the agreed time all participants launch their attacks with a single click on the “IMMA CHARGIN MAH LAZER” button. The consequences of these synchronized clicks can reach financial losses in the millions of dollars or a loss of trust between the “victim” corporation and its customers.
Types of (D)DoS
DDoS attacks can be classified into three main categories: volume-based, protocol-based and application-based attacks.
Volume-based (D)DoS attacks aim to send a huge volume of traffic to a specific target, which consumes the bandwidth of the whole network so that it can no longer serve legitimate users. The power of such an attack depends on the bit rate of the flooding traffic, measured in bps. It is considered the easiest type of DDoS attack and the most dangerous one as well. This is reflected in the statistics: around 65% of DDoS attacks are volume-based, according to the Worldwide Infrastructure Security Report 2016.
There are several ways to generate a huge amount of traffic towards a specific target. A botnet allows an attacker to send a huge volume of traffic to the target from many machines at the same time. This can also be combined with amplification attacks, where the attacker spoofs the source IP address so that the IP packets seem to come from the target, then sends many requests to a server (such as a DNS server), which in turn replies to the target instead of the attacker. The key here is the ratio in size between the request and the response (called the amplification factor), which can reach a value of 54 for DNS requests and 554 for NTP Monlist requests.
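Amplification shows up in flow data as a reflector answering one host with far more bytes than that host ever sent it. The following detection logic is an added example, not code from the talk or from ERNW: it groups NetFlow-style records per (reflector, service, client), computes the response/request byte ratio, and flags clients that receive high-ratio traffic on DNS or NTP ports. The flow records, addresses, thresholds and port table are constructed for the example.

```python
"""Flag reflection/amplification patterns in flow records.

Added example (not from the talk): per (reflector, service, client) pair,
compute response bytes / request bytes. A large ratio on a known
amplification port, towards one receiver, is the amplification signature
described in the text. Thresholds and sample data are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# UDP ports of services commonly abused as reflectors (assumed table).
REFLECTOR_PORTS = {53: "DNS", 123: "NTP"}


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    packets: int
    nbytes: int


# Constructed sample flows: 203.0.113.10 is the victim whose address was
# spoofed in the requests; the servers answer with far more bytes than the
# requests contained. A normal DNS lookup from 192.0.2.7 is included for contrast.
SAMPLE_FLOWS = [
    # spoofed queries "from" the victim to an open DNS resolver, and its answers
    Flow("203.0.113.10", 40000, "198.51.100.5", 53, 100, 6_400),
    Flow("198.51.100.5", 53, "203.0.113.10", 40000, 100, 345_600),
    # spoofed monlist requests "from" the victim to an NTP server, and its answers
    Flow("203.0.113.10", 40001, "198.51.100.9", 123, 50, 3_200),
    Flow("198.51.100.9", 123, "203.0.113.10", 40001, 5000, 1_772_800),
    # a normal DNS lookup from a legitimate client
    Flow("192.0.2.7", 51000, "198.51.100.5", 53, 2, 140),
    Flow("198.51.100.5", 53, "192.0.2.7", 51000, 2, 300),
]


def amplification_ratios(flows):
    """Return {(server, service, client): (req_bytes, resp_bytes, ratio)}."""
    req = defaultdict(int)
    resp = defaultdict(int)
    for f in flows:
        if f.dport in REFLECTOR_PORTS:        # request towards a reflector service
            req[(f.dst, f.dport, f.src)] += f.nbytes
        elif f.sport in REFLECTOR_PORTS:      # reply from a reflector service
            resp[(f.src, f.sport, f.dst)] += f.nbytes
    out = {}
    for key in set(req) | set(resp):
        r, s = req[key], resp[key]
        ratio = s / r if r else float("inf")  # replies with no request at all
        out[(key[0], REFLECTOR_PORTS[key[1]], key[2])] = (r, s, round(ratio, 1))
    return out


def suspected_amplification(flows, min_ratio=10.0, min_resp_bytes=100_000):
    """Clients receiving >= min_resp_bytes at >= min_ratio amplification."""
    victims = defaultdict(list)
    for (server, service, client), (_, resp_b, ratio) in amplification_ratios(flows).items():
        if ratio >= min_ratio and resp_b >= min_resp_bytes:
            victims[client].append((server, service, ratio))
    return dict(victims)


if __name__ == "__main__":
    for client, hits in suspected_amplification(SAMPLE_FLOWS).items():
        for server, service, ratio in hits:
            print(f"{client} receives {service} replies from {server} at {ratio}x amplification")
```

On the constructed flows the DNS pair yields the factor 54 and the NTP pair 554 quoted in the text, while the legitimate lookup stays near 2 and is not reported. In production the same grouping is done over exported flow records from edge routers, and the flagged client is the likely victim, not the sender.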
Protocol-based (D)DoS attacks aim to exploit weaknesses in protocol implementations. Ping of death and the TCP SYN flood are well-known protocol-based attacks. In the latter, the attacker initiates many TCP handshakes with the target by sending SYN packets without ever sending the final ACK packets, so the handshakes are never completed. This leaves the target with a lot of hanging “half-open” TCP sessions that consume resources on the target. If too many resources are used, the server cannot establish TCP sessions with legitimate users anymore. Several mitigations for TCP SYN floods have been proposed over the years, such as the SYN cache, which keeps the TCP connection state in a compact hash table, and SYN cookies, which encode the connection state in the exchanged packets themselves.
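To make the SYN cookie idea concrete, here is a simplified implementation added for this write-up; it is not code from the talk. The server keeps no state for a half-open connection: it derives the initial sequence number of its SYN-ACK from the connection 4-tuple, a coarse time counter and a secret, and reconstructs what it needs only when a valid final ACK arrives. The 5-bit counter / 3-bit MSS index / 24-bit MAC layout follows the classic design; the secret, the MSS table, the counter period and the acceptable age are assumptions of the example.

```python
"""Simplified SYN cookie generation and validation.

Added example (not from the talk): instead of storing a half-open connection,
the server encodes the state it needs into the 32-bit initial sequence number
(ISN) of its SYN-ACK. When the client's final ACK arrives, the server checks
that ACK-1 is a cookie it could have issued recently for this 4-tuple, and
only then allocates a connection. Secret, MSS table and timing are assumed.
"""
import hashlib
import hmac
import os

SERVER_SECRET = os.urandom(32)        # per-process secret; rotate in a real server
MSS_TABLE = [536, 1220, 1440, 1460]   # encodable MSS values (index fits in 3 bits)
COUNTER_PERIOD = 64                   # seconds per time-counter step (assumed)
MAX_AGE_STEPS = 1                     # accept cookies from this step or the previous one


def _mac(counter, mss_idx, src, sport, dst, dport):
    """24-bit keyed MAC over the 4-tuple and the encoded fields."""
    msg = f"{counter}|{mss_idx}|{src}|{sport}|{dst}|{dport}".encode()
    digest = hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(src, sport, dst, dport, client_mss, now):
    """ISN to put in the SYN-ACK; nothing is stored on the server."""
    counter = (int(now) // COUNTER_PERIOD) & 0x1F                       # 5 bits
    # largest table entry not exceeding the MSS the client advertised
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    return (counter << 27) | (mss_idx << 24) | _mac(counter, mss_idx, src, sport, dst, dport)


def check_syn_cookie(cookie, src, sport, dst, dport, now):
    """Return the encoded MSS if the cookie is valid and recent, else None."""
    counter = (cookie >> 27) & 0x1F
    mss_idx = (cookie >> 24) & 0x7
    mac = cookie & 0xFFFFFF
    current = (int(now) // COUNTER_PERIOD) & 0x1F
    if (current - counter) % 32 > MAX_AGE_STEPS:        # stale or replayed cookie
        return None
    expected = _mac(counter, mss_idx, src, sport, dst, dport)
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None
    return MSS_TABLE[mss_idx]


def handle_ack(ack_number, src, sport, dst, dport, now):
    """Third handshake packet: a legitimate client acknowledges ISN + 1."""
    return check_syn_cookie((ack_number - 1) & 0xFFFFFFFF, src, sport, dst, dport, now)


if __name__ == "__main__":
    isn = make_syn_cookie("192.0.2.7", 50000, "203.0.113.10", 80, 1460, now=1000)
    print("SYN-ACK ISN:", hex(isn))
    print("ACK accepted, MSS:", handle_ack(isn + 1, "192.0.2.7", 50000, "203.0.113.10", 80, now=1010))
```

The trade-off the text alludes to is visible here: because only 3 bits of TCP options survive, a server under SYN cookie mode loses information such as window scaling negotiated in the SYN, which is why most stacks enable cookies only once the SYN backlog is full. A SYN flood that never completes the handshake costs the server one HMAC per SYN and no memory.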
Finally, the third type of (D)DoS attack is the application-based attack. It is directly concerned with the applications that run on the targeted server and exploits a weakness in a specific application. For example, HTTP-based DoS attacks such as Slowloris and Slow POST open a lot of HTTP sessions with a web server by sending incomplete headers or incomplete request bodies, respectively. These attacks consume the maximum number of concurrent HTTP sessions the server provides, so that it cannot serve other users. Such attacks, which affect only the web server, can be mitigated by raising the limit on concurrent sessions and limiting the time span of each HTTP connection. Application-based attacks are considered the most complex attacks, and their magnitude is measured in requests per second.
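The mitigation just described, limiting how long a connection may take to deliver its headers, can be expressed as a small per-connection state machine. The following is an added example written for this summary, not code from the talk or from any web server: a guard that closes a connection when the total header time, the idle gap between header bytes, or the header size exceeds a limit, which is what settings such as nginx's client_header_timeout implement. The limit values and the simulated client byte streams are constructed.

```python
"""Per-connection header deadline against Slowloris-style slow headers.

Added example (not from the talk): a state tracker a server front-end runs
per connection. It enforces three limits: total time to deliver the request
headers, maximum idle gap between header bytes, and maximum header size.
Limit values and the simulated clients below are assumptions.
"""


class HeaderGuard:
    def __init__(self, start, header_timeout=10.0, idle_timeout=5.0, max_header_bytes=8192):
        self.start = start              # time the connection was accepted
        self.last = start               # time of the last received header byte
        self.header_timeout = header_timeout
        self.idle_timeout = idle_timeout
        self.max_header_bytes = max_header_bytes
        self.buf = b""
        self.state = "reading"

    def _check_deadlines(self, now):
        if now - self.last > self.idle_timeout:
            self.state = "closed:idle"
        elif now - self.start > self.header_timeout:
            self.state = "closed:header_timeout"

    def feed(self, chunk, now):
        """Feed bytes received at time `now`; returns the new state."""
        if self.state != "reading":
            return self.state
        self._check_deadlines(now)
        if self.state != "reading":
            return self.state
        self.buf += chunk
        self.last = now
        if len(self.buf) > self.max_header_bytes:
            self.state = "closed:too_large"
        elif b"\r\n\r\n" in self.buf:       # end of the HTTP header block
            self.state = "complete"
        return self.state

    def tick(self, now):
        """Called from a timer so a silent client is also detected."""
        if self.state == "reading":
            self._check_deadlines(now)
        return self.state


def simulate(chunks, final_tick, **limits):
    """chunks: list of (timestamp, bytes) from one client; returns final state."""
    guard = HeaderGuard(start=chunks[0][0], **limits)
    for t, data in chunks:
        guard.feed(data, t)
    return guard.tick(final_tick)


# Constructed client behaviours.
NORMAL_CLIENT = [
    (0.00, b"GET / HTTP/1.1\r\nHost: example.test\r\n"),
    (0.02, b"\r\n"),
]
# Slowloris pattern: keeps sending a header line every few seconds, never finishes.
SLOW_HEADER_CLIENT = [
    (0.0, b"GET / HTTP/1.1\r\n"),
    (4.0, b"Host: example.test\r\n"),
    (8.0, b"X-a: 1\r\n"),
    (12.0, b"X-b: 2\r\n"),
]
SILENT_CLIENT = [(0.0, b"GET / HTTP/1.1\r\n")]

if __name__ == "__main__":
    print("normal:", simulate(NORMAL_CLIENT, final_tick=1.0))
    print("slow headers:", simulate(SLOW_HEADER_CLIENT, final_tick=12.0))
    print("silent:", simulate(SILENT_CLIENT, final_tick=6.0))
```

Note the order of the checks: the slow client stays under the idle limit by sending a byte every four seconds, so the idle timer alone would never fire; the absolute header deadline is what releases the slot. The same two-timer structure applies to Slow POST with the request body in place of the headers.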
Multi-layered mitigation strategy
In addition to specific mitigations of each type of DDoS, the talk proposes the following 8 layers of generic mitigations to protect against DDoS:
- Application: All applications should go through a well-defined patching process and regular security assessments. In addition, penetration tests of the applications should be performed with DoS in scope.
- Server: Servers should be hardened against protocol weaknesses such as HTTP slow header and slow POST attacks.
- Load balancers: This layer covers measures that can be implemented with existing load balancers, such as distinguishing between bots and human users and SSL offloading.
- Firewall: Firewalls are useful to restrict access, but they might become bottlenecks in some DDoS scenarios.
- (D)DoS Protection Appliances: They are located next to the edge routers to protect downstream traffic. Defining protection rules and creating black and white lists can effectively block attack traffic.
- Network: IP spoofing prevention and segmentation should be implemented.
- ISP: Some ISPs offer “remotely triggered black hole filtering” as a last resort, which drops all traffic towards the customer's target under attack in order to protect the rest of the customer's network. The same layer proposes cloud-based scrubbing centers, which provide huge bandwidth (in Tbps) to absorb large attacks. Rerouting traffic through such networks can be implemented on demand via BGP, in order to minimize the exposure of traffic to third parties.
- Operation: The following operational measures should be implemented:
  - Before attacks: documentation and an incident response plan
  - During attacks: acting according to defined responsibilities and reconfiguring appliances
  - After attacks: handling legal consequences and notifying customers.
The slides of the talk are available at the following link: Imma Chargin Mah Lazer slides