A Distributed Denial of Service (DDoS) attack is one of the most widespread and dangerous network attacks. It can make the target service, network, system or other resource partially or even completely unavailable to its real visitors and users. During a DDoS attack, the servers behind a web site are forced to process a flood of bogus requests, and the site becomes unavailable to legitimate users.
Who might suffer from a DDoS attack?
The victims of such attacks are typically commercial and information web sites. Increasingly, attackers use them to extort money in exchange for stopping the attack.
How is a DDoS attack executed?
The scheme of a DDoS attack is as follows: the victim's server is flooded with a huge number of bogus requests originating from different parts of the world. As a result, the server spends all of its resources processing these requests and becomes unavailable to real users. The owners of the PCs that send the bogus requests may not even suspect that their machines are under the attacker's control. The software the attacker installs on these computers is called a "zombie". There are many ways to turn a PC into a zombie, from breaking into unprotected networks to using Trojans. This preparatory stage is probably the most difficult part for the attacker.
Inside a DDoS attack
A DDoS attack is carried out by a large number of PCs infected with special malware, a botnet (zombie network). On a command sent from a server controlled by the attacker, the bots start sending a large number of specially crafted requests to the target computer and thereby block real users' access to it.
The scheme involves quite a few participants: those who write the software for creating and running the botnet, those who order it, those who administer and rent it out, and the customer who orders the attack. The botnet owner and their customers remain "behind the scenes".
Information security experts distinguish the following types of DDoS attacks:
· UDP flood – flooding the target system with a large number of UDP (User Datagram Protocol) packets. This approach was used in early attacks and is now considered less dangerous, although UDP-based floods remain a common way to saturate a link. The early tools that use it are easy to detect, since the exchange between the command-and-control server and the agents takes place over unencrypted TCP and UDP.
· TCP flood – flooding the target system with a large number of TCP packets so that its network resources are exhausted.
· TCP SYN flood – sending a large number of TCP connection requests (SYN segments) to the target system, which then consumes all of its resources tracking the resulting half-open connections.
· Smurf attack – ICMP (Internet Control Message Protocol) echo (ping) requests sent to a broadcast address with a spoofed source address, that of the victim; every host on the broadcast network replies to the victim, which becomes the target of the amplified traffic.
· ICMP flood – similar to Smurf, but without the broadcast amplification.
The most dangerous tools combine several of the attack types listed above. TFN and TFN2K are examples of such tools, and using them requires a high level of preparation.
One of the newer DDoS tools is Stacheldraht, which can run different types of attacks, generate a large stream of ping traffic from a broadband source, and encrypts the communication between its handlers and agents.
However, the range of such programs is far wider and is constantly growing.
For the same reason, a description of universal, reliable DDoS protection methods is not feasible. There is no generic protection; there are, however, general recommendations that reduce the risk and the damage of an attack: configure the anti-spoofing and anti-DoS features on routers and firewalls properly. Such measures (for example, SYN cookies or a cap on the number of half-open connections) prevent the system from being overloaded by connection floods.
At the server level, it is desirable to have the server's console reachable over SSH at a different IP address so that the server can be restarted remotely. Another reasonably effective mitigation method is IP address masking, i.e. hiding the server's real address behind another one.
How to prevent a DDoS attack?
Combating this type of attack is difficult because the requests come from many directions. As a rule, the defense includes filtering and black-holing, elimination of server vulnerabilities, expansion of resources, decentralization (building distributed and duplicated resources so that users can be served continuously), and deflection (diverting the attack away from the directly connected resources, IP address masking).
Early DDoS attack detection
If you run your own servers, you should have a means of detecting an attack aimed at you. The earlier you detect the availability problems caused by a DDoS attack, the earlier you can take measures to repel it.
One possible way of detecting DDoS is an inbound traffic profile. If you know the average volume of traffic to your server and how it normally changes over time, you have a better chance of spotting anomalous behavior. Most DDoS attacks show up as an abrupt rise in inbound traffic, and the profiling mechanism signals whether such a rise is an attack or not. Volume alone cannot prove an attack, so an alert should trigger a look at where the traffic is coming from.
Another effective measure is provisioning additional link capacity, even if throughput calculations say it is not needed. You will then be able to absorb an abrupt rise in traffic without consequences, for example one caused by an advertising campaign, a special offer, or a mention of your company in the mass media.
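The traffic profile described above, as an added example that is not part of the KZ-CERT article: a trailing window of per-minute request counts forms the baseline, and each new minute is scored against it with a robust median/MAD scale so that a few past spikes do not inflate the baseline. A rise that is clearly outside normal jitter but within a factor a campaign could produce is reported as "elevated"; a rise by a large factor is reported as "anomalous". The series, the window size and the thresholds are constructed and assumed for the example and must be tuned to real traffic.

```python
# Added example (not code from the KZ-CERT article): an inbound traffic
# profile for early DDoS detection. All counts and thresholds below are
# constructed/assumed for the example.
from statistics import median

MAD_TO_SIGMA = 1.4826   # scales a MAD to a standard deviation for normal data


def robust_baseline(history):
    """Median and median absolute deviation (MAD) of a list of counts."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    # Floor the scale so flat or empty traffic never yields a zero divisor
    # and 1% jitter around the median is not treated as an anomaly.
    return med, max(mad, 0.01 * med, 1.0)


def score_minute(history, observed, z_threshold=6.0, attack_ratio=4.0):
    """Classify one observation against its baseline (assumed thresholds).

    'normal'    within ordinary jitter (robust z-score below z_threshold)
    'elevated'  clearly above the baseline, but by a factor a marketing
                campaign or press mention could plausibly produce
    'anomalous' at least attack_ratio times the baseline: treat as a
                probable attack and inspect the sources
    """
    med, mad = robust_baseline(history)
    z = (observed - med) / (MAD_TO_SIGMA * mad)
    if z < z_threshold:
        return "normal"
    if observed >= attack_ratio * med:
        return "anomalous"
    return "elevated"


def profile_stream(series, window=30, **thresholds):
    """Walk a per-minute series; return [(minute, level)] for flagged minutes.

    The first `window` minutes only seed the baseline and are never scored.
    """
    alerts = []
    for i in range(window, len(series)):
        level = score_minute(series[i - window:i], series[i], **thresholds)
        if level != "normal":
            alerts.append((i, level))
    return alerts


# Constructed series: 60 quiet minutes near 1000 requests/min (deterministic
# jitter of +/-20), then 5 minutes of a 1.6x rise such as a campaign would
# cause, then 5 minutes of a 12x flood.
SAMPLE_SERIES = ([1000 + (i * 37) % 41 - 20 for i in range(60)]
                 + [1600] * 5 + [12000] * 5)


if __name__ == "__main__":
    for minute, level in profile_stream(SAMPLE_SERIES):
        print(f"minute {minute:3d}: {SAMPLE_SERIES[minute]:6d} req/min  {level}")
```

On the constructed series the campaign minutes (60 to 64) come out as "elevated" and the flood minutes (65 to 69) as "anomalous"; the quiet minutes produce no alert. The "anomalous" level is only a trigger to look at the sources, as the text above says, not proof of an attack.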
Why DDoS defense is difficult:
· No vulnerability is required. The attackers do not exploit any flaw in the network. The attack succeeds because practically every computing platform has some threshold of inbound traffic it can handle. PCs, clusters and cloud systems all have physical limits on the number of requests they can process in a given period. A successful DDoS attack simply has to generate enough traffic to exceed that threshold. Most other attacks can be eliminated by applying patches, configuring security systems or changing policies; none of these has any effect on DDoS. Services must always be accessible, and that is exactly what makes them vulnerable to such attacks.
· You cannot block a crowd. DDoS is difficult to block because the attack can come from many different sources. Defending against an attack from a large number of IP addresses is hard: potentially thousands of addresses would have to be blacklisted at once to stop it. And if the attacker uses spoofing, innocent hosts end up on the blacklist.
· Telling legitimate hosts from attackers. The third problem is that it is difficult to distinguish users who make legitimate requests from those who take part in the DDoS. Every computer that reaches the server creates load on it, so all of them, even without their owners' consent, participate in the attack. An accurate check is needed to tell "good" hosts from "bad" ones, and it requires many computations that must be done quickly, before any decision is taken.
The targets of a DDoS attack
The key point in defending against DDoS is delimiting the potential dangers. By attack target, the following kinds exist:
· Heavy packets with spoofed source addresses that exhaust the connection links and make the web site unreachable for legitimate users. High link throughput can help defend against this type of attack.
· If system resources are the target, system performance degrades; as a result the system works slowly or even crashes. The attackers know exactly which packets to send to the victim to load it.
· Software vulnerabilities used to crash the system or to change its configuration and parameters. Any unauthorized changes must be tracked and reverted. A custom DDoS defense script is used in each separate case.
Vulnerable elements: the server, the firewall and the Internet link
· Servers are vulnerable simply because attackers organize their attacks so that they consume more resources than the server has.
· The Internet link becomes vulnerable to attacks aimed at exhausting its throughput, known as "volumetric flooding". Examples of such attacks that consume link throughput are the UDP flood and the TCP flood.
· Although the firewall is a defensive tool and should not itself become a vulnerability used for DoS/DDoS, during attacks such as SYN floods, UDP floods and connection overloads the attackers can create so many states that they exhaust the firewall's resources and turn it into the weakest link of the infrastructure.
Measures to take if you are under a DDoS attack
· Make sure it really is an attack. Rule out the common causes of an outage, including wrong DNS configuration, routing problems and human error.
· Involve technical specialists. With their help, determine which resources are under attack.
· Prioritize your applications. Rank them by importance so that the most important ones can be kept safe. In an intensive DDoS attack with limited resources, focus on the applications that are the main sources of revenue.
· Protect remote users. To keep the business running, add the IP addresses of trusted remote users who need access to resources to a whitelist. Make this list take precedence. Distribute it within the network and send it to your connectivity providers.
· Determine the attack class. Which class of attack are you facing: volumetric, or low-rate and slow? Your service provider can tell you whether the attack is extremely volumetric.
· Assess ways to deal with the attack source IP addresses. In a large attack, your service provider will be unable to enumerate the sources. Block small lists of attacking IP addresses in your firewall; larger attacks may be blocked on the basis of geolocation data.
· Block attacks at the application level. Identify the malicious traffic and check whether it is generated by a well-known tool. Specific application-level attacks can in each case be blocked with countermeasures you apply using the means at hand.
· Strengthen your demilitarized zone. You may be facing an asymmetric Layer 7 DDoS attack. Focus the defense on the application level: use login requirements and human-verification checks.
· Limit your system resources. If the measures above have no effect, limit resources; this throttles both the "bad" and the "good" traffic.
· Manage communications. If the attack becomes public, prepare an official statement and inform the staff. If industry policy requires it, confirm the fact of the attack; otherwise refer to technical difficulties and instruct staff to direct all questions to the head of the public relations department.
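The source-handling steps of the list above (whitelisting trusted remote users, blocking a small list of attacking addresses in the firewall, and falling back to limiting resources when there are too many sources to list), as an added example that is not part of the KZ-CERT article. It counts requests per source from access-log lines, never blocks a whitelisted address however busy it is, and then chooses between a short block list and per-source rate limiting. The log format, the addresses (documentation ranges), the traffic figures and both thresholds are constructed and assumed for the example.

```python
# Added example (not code from the KZ-CERT article): source triage during a
# suspected DDoS. Addresses, log lines and limits are constructed/assumed.
from collections import Counter
import ipaddress
import re

# Apache/nginx "combined"-style access line; only the source address is used.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3}')

# Whitelist of trusted remote users (assumed documentation range).
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def make_log(traffic):
    """Constructed log text from [(source_ip, request_count), ...]."""
    lines = []
    for ip, n in traffic:
        for i in range(n):
            lines.append(f'{ip} - - [10/Oct/2000:13:55:{i % 60:02d} +0000] '
                         f'"GET / HTTP/1.1" 200 512')
    return "\n".join(lines)


def parse_sources(log_text):
    """Requests per source address; lines that do not parse are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def is_trusted(ip):
    """True when the address is inside a whitelisted network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False          # a malformed address in the log is never trusted
    return any(addr in net for net in TRUSTED_NETS)


def triage(counts, per_source_limit=20, block_list_max=50):
    """Decide how to respond to the observed sources (assumed limits).

    per_source_limit: requests in the window above which a non-trusted
                      source is treated as part of the flood
    block_list_max:   largest list that is still practical to push to the
                      firewall by hand; above it, rate limiting is applied
                      to every source (which also throttles good traffic)
    """
    total = sum(counts.values())
    offenders = sorted(
        ((ip, n) for ip, n in counts.items()
         if n > per_source_limit and not is_trusted(ip)),
        key=lambda item: item[1], reverse=True)
    flood = sum(n for _, n in offenders)
    share = flood / total if total else 0.0
    if not offenders:
        return {"action": "none", "flood_share": share}
    if len(offenders) <= block_list_max:
        return {"action": "block_list", "ips": [ip for ip, _ in offenders],
                "flood_share": share}
    return {"action": "rate_limit", "sources": len(offenders),
            "flood_share": share}


def scenario_small():
    """Constructed: 3 flooding hosts, 20 ordinary visitors, 1 busy trusted user."""
    traffic = ([(f"198.51.100.{i}", 60) for i in range(1, 4)]
               + [(f"192.0.2.{i}", 3) for i in range(1, 21)]
               + [("203.0.113.10", 200)])
    return triage(parse_sources(make_log(traffic)))


def scenario_large():
    """Constructed: 500 flooding hosts, too many for a hand-made block list."""
    traffic = ([(f"198.51.{i // 256}.{i % 256}", 25) for i in range(1, 501)]
               + [(f"192.0.2.{i}", 3) for i in range(1, 21)])
    return triage(parse_sources(make_log(traffic)))


if __name__ == "__main__":
    print(scenario_small())
    print(scenario_large())
```

In the small scenario the trusted user at 203.0.113.10 sends more requests than any attacker but is never listed, and the three flooding hosts go to the firewall block list; in the large scenario the 500 sources exceed what can be listed by hand, so the result is per-source rate limiting, which is the "limit your system resources" step.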
In preparing this article, KZ-CERT used open-source information.