DDoS Attacks: A Brief Overview
DDoS stands for distributed denial of service. In a DDoS attack, requests from many hosts are sent to a single machine, disrupting its normal operation.
DDoS attacks are usually carried out by botnets. These are networks of computers on which malware has been installed (a process sometimes called zombification).
A standard orchestrated botnet attack is visualized below:
Some attacks can be carried out without a botnet (such as UDP floods).
DDoS attacks can be divided into the following groups:
- Attacks to overload bandwidth. These attacks include the aforementioned UDP flood, ICMP flood (which is a ping flood), and others where massive amounts of unrequested packets are sent. The strength of these attacks is measured in gigabits per second. This figure is constantly growing and can now even exceed 100 gigabits per second.
- Attacks at the protocol level. Just as the name implies, these attacks take advantage of the limitations and vulnerabilities of various network protocols. They “bombard” the server with extraneous packets, rendering it unable to process legitimate users’ requests. Examples include SYN flood, teardrop, and other attacks that disrupt the normal flow of packets at different stages within a protocol.
- Attacks on the application level disrupt a system by exploiting vulnerabilities and weak points in applications and the operating system.
We won’t go into more detail on DDoS attack classifications; those interested can easily find a plethora of reading material on the Internet. For us, what’s much more interesting is our method for mitigating DDoS attacks. Let’s take a look at this.
DDoS Mitigation Methods
We can divide our DDoS mitigation methods into two major groups: preventive measures and reactive measures.
Hardware-based methods for protecting a network’s perimeter are usually used to prevent DDoS attacks, like firewalls with intrusion detection systems (IDS). However, these don’t offer protection in the strictest sense of the word.
It’s entirely possible to launch a DDoS attack using firewall-approved packets. What the IDS usually does is perform signature and statistical analysis, comparing incoming packets to existing traffic templates. If an attack is carried out by sending standard network packets, which are harmless on their own, then not every IDS will be able to identify them.
Moreover, both firewalls and IDS usually keep track of connection sessions themselves, which is why they can become victims of attacks in their own right.
An effective means of minimizing failure during DDoS attacks is having multiple backups available: organizing server clusters in different data centers with connections to different communications channels. If a component in this kind of system becomes unavailable, the client will be redirected to a working server. This method has only one setback: building a geographically distributed cluster with multiple backups can be quite expensive.
Reactive measures are taken when an attack has already started and needs to be stopped (or at least its impact minimized).
If the target is a single machine, then we can simply replace its IP address. The new address can then be entered on the DNS server and given to only trusted external users. This solution can hardly be considered ideal, but it’s effective.
Filtering methods can help in some situations. After analyzing malicious traffic, we can identify specific signatures. Based on the results of the analysis, we can set up router ACLs or firewall rules.
Additionally, a large portion of malicious traffic often comes from a specific provider or backbone router. In this situation, a possible solution would be to block the pathway of the questionable incoming traffic (however, it’s worth keeping in mind that in this case, legitimate traffic will also be blocked).
If none of these methods help and you’re all out of options, then “black holing” is an option. This is when all traffic is redirected to a non-existent interface (a “black hole”). More often than not, this means the server being attacked will be inaccessible from external networks for a period of time. Because of this, black holing can’t really be called an adequate security measure: it only helps the attackers reach their goal (disabling their target) more quickly.
Hardware/software DDoS protection solutions have gained widespread use over the past few years. Their main advantage is that they can stop malicious traffic without creating access problems for legitimate users. Hardware/software DDoS protection solutions have appeared on the market from Cisco, Arbor Networks, F5, Juniper, and others.
Our DDoS Mitigation System
Our DDoS mitigation system incorporates several software and hardware components, including solutions from Arbor Pravail and F5. Using these tools, traffic is filtered and analyzed directly on the network.
Our system protects against the following kinds of attacks:
- TCP floods;
- SYN floods;
- illegal TCP flag combinations;
- attacks on window size (sockstress);
- TCP session attacks like TCP Idle, Slow TCP, etc.;
- HTTP session attacks (Slowloris, Pyloris, etc.);
- SSL alarm attacks;
- HTTP floods;
- DNS floods;
- DNS Cache Poisoning;
- UDP floods;
- ICMP floods;
- IP, TCP, and UDP fragment attacks;
- VoIP and SIP attacks.
The following countermeasures can be taken in the event of an attack:
- Invalid Packet List — filter packets that aren’t RFC compliant;
- Black and white IPv4 and IPv6 address lists;
- GeoIP Filter Lists — filter traffic by country (block traffic from countries where the most DDoS attacks are launched from);
- GeoIP Policing — policing traffic by country (monitor incoming traffic and limit traffic from countries where the most DDoS attacks are launched from);
- Flexible Zombie Detection — detect zombies and create legitimate traffic profiles;
- TCP SYN Authentication — counter TCP floods using client authentication;
- DNS Authentication — counter DNS floods using client authentication;
- DNS Scoping — validate DNS requests using regular expressions;
- DNS Malformed — check DNS requests for RFC compliance;
- DNS Rate Limiting — limit the number of DNS requests from one IP address (useful for resources with low traffic; note that providers in our country often use NAT, so it’s fairly common for a private (“grey”) /16 subnet to access the Internet from one IP, with all of its DNS requests coming from a single address);
- DNS NXDomain Rate Limiting — validate DNS responses. This countermeasure is for attacks that flood the DNS cache: it tracks requests for non-existent DNS names;
- DNS Regular Expression — filter DNS requests by regular expressions;
- TCP Connection Reset — prevent excessively long TCP connections;
- Payload Regular Expression — filter traffic using regular expressions applied to packet payloads;
- HTTP Malformed — block HTTP traffic that is not RFC compliant;
- HTTP Rate Limiting — limit the number of HTTP requests from one IP address;
- HTTP Scoping — validate HTTP requests with regular expressions;
- SSL Negotiation — block SSL traffic that is not RFC compliant;
- AIF and HTTP/URL Regular Expression — apply an AIF signature to traffic to be analyzed;
- SIP Malformed — block SIP traffic that is not RFC compliant;
- SIP Request Limiting — limit the number of SIP requests from one IP address.
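As an added illustration of the DNS Rate Limiting and DNS NXDomain Rate Limiting countermeasures above (example code written for this page, not the vendor’s implementation), the sketch below keeps sliding-window counters per source IP over constructed DNS query log lines and shows how the NAT caveat is handled: a known NAT gateway gets a larger query quota, while NXDOMAIN answers are counted separately so a flood of non-existent names is still caught. The log format, limits and the `nat_sources` parameter are assumptions.

```python
import re
from collections import defaultdict, deque

# Constructed sample log (not real traffic): "<epoch seconds> <client ip> <qname> <rcode>"
SAMPLE_LOG = """\
1000.0 203.0.113.10 www.example.com NOERROR
1000.1 203.0.113.10 mail.example.com NOERROR
1000.2 198.51.100.7 aaa1.example.com NXDOMAIN
1000.3 198.51.100.7 aaa2.example.com NXDOMAIN
1000.4 198.51.100.7 aaa3.example.com NXDOMAIN
1000.5 198.51.100.7 aaa4.example.com NXDOMAIN
1000.6 203.0.113.10 www.example.com NOERROR
1000.7 203.0.113.10 ns.example.com NOERROR
1000.8 203.0.113.10 ftp.example.com NOERROR
1000.9 203.0.113.10 api.example.com NOERROR
1001.0 203.0.113.10 cdn.example.com NOERROR
"""

LINE_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?) (?P<ip>\S+) (?P<qname>\S+) (?P<rcode>\S+)$")


class DnsRateLimiter:
    """Sliding-window counters per source IP: one for all queries, one for NXDOMAIN answers.
    IPs in nat_sources (assumed list of known NAT gateways) get query_limit * nat_multiplier."""

    def __init__(self, window=1.0, query_limit=5, nx_limit=3, nat_sources=(), nat_multiplier=10):
        self.window, self.query_limit, self.nx_limit = window, query_limit, nx_limit
        self.nat_sources, self.nat_multiplier = set(nat_sources), nat_multiplier
        self.queries, self.nx = defaultdict(deque), defaultdict(deque)

    def _prune(self, dq, now):
        while dq and now - dq[0] > self.window:  # drop timestamps outside the window
            dq.popleft()

    def observe(self, ts, ip, rcode):
        """Record one query; return None if it is within limits, else the verdict name."""
        q = self.queries[ip]
        self._prune(q, ts)
        q.append(ts)
        limit = self.query_limit * (self.nat_multiplier if ip in self.nat_sources else 1)
        if len(q) > limit:
            return "rate-limit"
        if rcode == "NXDOMAIN":  # separate budget for answers naming non-existent hosts
            n = self.nx[ip]
            self._prune(n, ts)
            n.append(ts)
            if len(n) > self.nx_limit:
                return "nxdomain-limit"
        return None


def evaluate(log_text, **limiter_kwargs):
    """Run the limiter over log lines; return {ip: [verdicts]} for offending sources only."""
    limiter = DnsRateLimiter(**limiter_kwargs)
    verdicts = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip (a DNS Malformed check would handle it separately)
        verdict = limiter.observe(float(m["ts"]), m["ip"], m["rcode"])
        if verdict:
            verdicts[m["ip"]].append(verdict)
    return dict(verdicts)
```

Running `evaluate(SAMPLE_LOG)` flags the busy client for volume and the NXDOMAIN source for name flooding; declaring the busy client a NAT gateway via `nat_sources` clears its verdicts while the NXDOMAIN verdict remains.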
How It Works
Clients who order our Anti DDoS service are provided protected IP addresses (one is included in the base fee; additional addresses can be ordered from the control panel) as well as special bandwidth for protected traffic. Incoming Internet traffic passes onto the protected addresses via our partner’s network, where filtering occurs.
All illegitimate traffic is dumped from the network; only clean traffic actually makes it to the client.
The following graph illustrates the flow of network traffic: