DDoS Attacks: A Detailed Guide PDF
Document Details
Uploaded by Deleted User
Tags
Summary
This document provides an overview of Distributed Denial-of-Service (DDoS) attacks, explaining how they function, identify symptoms of an attack, and methods for prevention. It details the different types of DDoS attacks and their characteristics, such as application-layer and volumetric attacks, offering specific examples and methods for mitigation. The document also emphasizes the importance of proactive measures in handling DDoS threats and securing networks.
Full Transcript
What is it? A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. DDoS attacks achieve effectiveness by utilizing mul...
What is it? A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. DDoS attacks achieve effectiveness by utilizing multiple compromised computer systems as sources of attack traffic. Exploited machines can include computers and other networked resources such as IoT devices. From a high level, a DDoS attack is like an unexpected traffic jam clogging up the highway, preventing regular traffic from arriving at its destination. How does it work? DDoS attacks are carried out with networks of Internet-connected machines. These networks consist of computers and other devices (such as IoT devices)which have been infected with malware, allowing them to be controlled remotely by an attacker. These individual devices are referred to as bots (or zombies), and a group of bots is called a botnet. Once a botnet has been established, the attacker is able to direct an attack by sending remote instructions to each bot. When a victim’s server or network is targeted by the botnet, each bot sends requests to the target’s IP address, potentially causing the server or network to become overwhelmed, resulting in a denial-of- service to normal traffic. Because each bot is a legitimate Internet device, separating the attack traffic from normal traffic can be difficult. How to identify? The most obvious symptom of a DDoS attack is a site or service suddenly becoming slow or unavailable. But since a number of causes — such a legitimate spike in traffic — can create similar performance issues, further investigation is usually required. Traffic analytics tools can help you spot some of these telltale signs of a DDoS attack: Suspicious amounts of traffic originating from a single IP address or IP range A flood of traffic from users who share a single behavioral profile, such as device type, geolocation, or web browser version An unexplained surge in requests to a single page or endpoint Odd traffic patterns such as spikes at odd hours of the day or patterns that appear to be unnatural (e.g. a spike every 10 minutes) There are other, more specific signs of DDoS attack that can vary depending on the type of attack. Difference A distributed denial-of-service attack is a subcategory of the more general denial-of-service (DoS) attack. In a DoS attack, the attacker uses a single internet connection to barrage a target with fake requests or to try and exploit a cybersecurity vulnerability. DDoS is larger in scale. It utilizes thousands (even millions) of connected devices to fulfill its goal. The sheer volume of the devices used makes DDoS much harder to fight. Prevention Preventing DDoS attacks can be challenging, particularly during high-traffic periods or across a vast and distributed network architecture. A truly proactive DDoS threat defense hinges on several key factors: attack surface reduction, threat monitoring, and scalable DDoS mitigation tools. DDoS prevention methods Attack surface reduction: Limiting attack surface exposure can help minimize the effect of a DDoS attack. Several methods for reducing this exposure include restricting traffic to specific locations, implementing a load balancer, and blocking communication from outdated or unused ports, protocols, and applications. Anycast network diffusion: An Anycast network helps increase the surface area of an organization’s network, so that it can more easily absorb volumetric traffic spikes (and prevent outages) by dispersing traffic across multiple distributed servers. Real-time, adaptive threat monitoring: Log monitoring can help pinpoint potential threats by analyzing network traffic patterns, monitoring traffic spikes or other unusual activity, and adapting to defend against anomalous or malicious requests, protocols, and IP blocks. Caching: A cache stores copies of requested content so that fewer requests are serviced by origin servers. Using a content delivery network (CDN) to cache resources can reduce the strain on an organization’s servers and make it more difficult for them to become overloaded by both legitimate and malicious requests. Rate limiting: Rate limiting restricts the volume of network traffic over a specific time period, essentially preventing web servers from getting overwhelmed by requests from specific IP addresses. Rate limiting can be used to prevent DDoS attacks that use botnets to spam an endpoint with an abnormal amount of requests at once. DDoS prevention tools Web application firewall (WAF): A WAF helps block attacks by using customizable policies to filter, inspect, and block malicious HTTP traffic between web applications and the Internet. With a WAF, organizations can enforce a positive and negative security model that controls incoming traffic from specific locations and IP addresses. Always-on DDoS mitigation: A DDoS mitigation provider can help prevent DDoS attacks by continuously analyzing network traffic, implementing policy changes in response to emerging attack patterns, and providing an expansive and reliable network of data centers. When evaluating cloud- based DDoS mitigation services, look for a provider that offers adaptive, scalable, and always-on threat protection against sophisticated and volumetric attacks. Purpose The purpose of DDoS attacks is to severely slow down or stop legitimate traffic from reaching its intended destination. For example, this could mean stopping a user from accessing a website, buying a product or service, watching a video, or interacting on social media. Additionally, by making resources unavailable or diminishing performance, DDoS can cause business to grind to a halt. This can result in preventing employees from accessing email or web applications, or conducting business as usual. DDoS attacks may be launched for several reasons. Hacktivism. Attackers may direct a DDoS attack against companies or websites with which they have philosophical or ideological disagreements. Cyber warfare. Governments may use cyberthreats like DDoS to impair the critical infrastructure of an enemy state. Extortion. Attackers often use DDoS threats to extort money from companies. Entertainment. Many attacks are launched by hackers who are simply seeking to entertain themselves by wreaking havoc or experimenting with cybercrime. Business competition. A business may launch a DDoS attack on another company to gain a competitive advantage. Types There are many different types of DDoS attacks, and cybercriminals often use more than one type to take down their targets. DDoS attacks typically target one of the seven different layers of a computer network as described in the Open Systems Interconnection (OSI) model. Each layer of the OSI model has a unique purpose, like the floors of an office building where different functions of a business take place on each floor. Attackers target different layers depending on what type of web or internet-facing asset they’d like to disrupt. The four key types of attacks are: Application-layer attacks Protocol attacks DNS amplification/reflection attacks Volumetric attacks Application-layer DDoS attacks Application-layer DDoS attacks (Layer 7 DDoS attacks) target specific vulnerabilities in web applications to prevent the application from performing as intended. These DDoS attacks often target the communication protocols involved in exchanging data between two applications over the internet. While difficult to prevent and mitigate, they are among the easiest DDoS attacks to launch. HTTP floods. HTTP floods exploit the HTTP internet protocol that is used to load web pages or send content over the internet. HTTP floods cause a server, website, or web app to slow down or crash by overwhelming it with a large number of HTTP GET or POST requests. Low and slow attacks. A low and slow attack is a type of denial-of-service (DoS) attack designed to evade detection by sending traffic and HTTP requests that appear to be legitimate at a very slow rate. Low and slow attacks require little bandwidth and may be launched from a single computer or with a botnet. Traffic in a low and slow attack is difficult to detect because it appears to be legitimate Layer 7 traffic and is not sent at a rate that triggers security alerts. Slowloris. A Slowloris DDoS attack is designed to overwhelm a web server by opening and maintaining many simultaneous HTTP connections to a target server. Slowloris uses up server resources with requests that seem slower than usual but otherwise appear to be standard traffic. Attackers take advantage of a feature unique to the HTTP protocol: the ability for clients to split GET or POST requests into several packets. A Slowloris attack compromises a targeted web server by opening multiple connections and keeping them open as long as possible. This is accomplished by sending partial HTTP requests that are never completed. Protocol DDoS attacks Protocol attacks target weaknesses and vulnerabilities in internet communications protocols in Layer 3 and Layer 4 of the OSI model. These attacks attempt to consume and exhaust compute capacity of various network infrastructure resources like servers or firewalls by sending malicious connection requests that exploit Transmission Control Protocol (TCP) or Internet Control Message Protocol (ICMP) protocols. SYN flood. One of the main ways people connect to internet applications is through the TCP. This connection requires a three-way handshake from a TCP service — like a web server — and involves sending a SYN (synchronization) packet from where the user connects to the server, which then returns a SYN-ACK (synchronization acknowledgement) packet, which is ultimately answered with a final ACK (acknowledgement) communication back to complete the TCP handshake. During a SYN flood attack, a malicious client sends a large volume of SYN packets (part one of the usual handshake) but never sends the acknowledgement to complete the handshake. This leaves the server waiting for a response to these half-open TCP connections. Eventually, the server runs out of capacity to accept new connections for services that track connection states. If we were to use the rideshare analogy here, think of it as a situation where thousands or even hundreds of thousands of bogus requests are made to a rideshare company. The cabs wait for passengers to get in and start the journey, but that never happens, ultimately exhausting all available cabs and rendering the service unavailable to legitimate rides. Smurf DDoS attack. The name of this DDoS attack is based on the concept that numerous tiny attackers can overwhelm a much larger opponent by sheer volume, just like the fictional colony of small blue humanoids that are its namesake. In a Smurf DDoS attack, large numbers of ICMP packets with an intended target’s spoofed source IP are broadcast to a computer network using an IP broadcast address. By default, most devices on a network will respond by sending a reply to the source IP address. Depending on the number of machines on the network, the victim’s computer may be slowed down to a crawl from being flooded with traffic. DNS amplification/reflection DDoS attacks Domain Name System or DNS amplification/reflection attacks are a specific type of volumetric DDoS attack vector where hackers spoof the IP address of their target to send large amounts of requests to open DNS servers. In response, these DNS servers respond back to the malicious requests by the spoofed IP address, thereby creating an attack on the intended target through a flood of DNS replies. Very quickly, the large volume of traffic created from the DNS replies overwhelms the victim organization’s services, making them unavailable and preventing legitimate traffic from reaching its intended destination. To explain this type of attack using the rideshare analogy, imagine if hundreds or thousands of rideshare requests were placed to send cabs to a victim’s address. These rideshare cabs now clog up the streets leading up to the victim’s house, preventing legitimate visitors from reaching the individual’s address. This analogy can also be extended to explain volumetric DDoS attacks in the next section. Volumetric DDoS attacks Volume-based DDoS attacks are directed at OSI Layers 3 and 4, overwhelming a target with a flood of traffic from multiple sources and eventually consuming all of the target’s available bandwidth, causing it to slow down or crash. Volumetric attacks are often used to divert attention away from other types of DDoS attacks or more dangerous cyberattacks. UDP floods. UDP floods are frequently chosen for larger-bandwidth DDoS attacks. Attackers attempt to overwhelm ports on the targeted host with IP packets containing the stateless UDP protocol. The victim host then looks for applications that are associated with the UDP packets, and when not found, sends a “Destination Unreachable” back to the sender. The IP addresses are often spoofed to anonymize the attacker, and once the targeted host becomes inundated with attack traffic, the system becomes unresponsive and unavailable to legitimate users. ICMP floods. Internet Control Message Protocol (ICMP) is primarily used for error messaging and typically does not exchange data between systems. ICMP packets may accompany Transmission Control Protocol (TCP) packets that enable application programs and computing devices to exchange messages over a network, when connecting to a server. An ICMP flood is a Layer 3 infrastructure DDoS attack method that uses ICMP messages to overload the targeted network’s bandwidth. Mitigation service In a constantly evolving attack landscape, DDoS protection through a mitigation provider that takes a defense-in-depth approach can keep organizations and end users safe. A DDoS mitigation service will detect and block DDoS attacks as quickly as possible, ideally in zero or a few seconds from the time that the attack traffic reaches the mitigation provider’s scrubbing centers. Because attack vectors keep changing and attack sizes keep getting bigger, to achieve the best DDoS protection, a provider must continually invest in defense capacity. To keep up with large, complex attacks, the right technologies are needed to detect malicious traffic and begin robust defensive countermeasures to mitigate attacks quickly. DDoS mitigation providers filter out attack traffic to prevent it from reaching the intended targeted asset. Attack traffic is blocked by a CDN-based web protection service, a DDoS scrubbing service, or a cloud-based DNS service. CDN-based DDoS defenses. A properly configured advanced content delivery network (CDN) can help defend against DDoS attacks. When a website protection service provider uses its CDN to specifically accelerate traffic using HTTP and HTTPS protocols, all DDoS attacks targeting that URL can then be dropped at the network edge. This means that Layer 3 and Layer 4 DDoS attacks are instantly mitigated, as this type of traffic is not destined for web ports 80 and 443. As a cloud-based proxy, the network sits in front of a customer’s IT infrastructure and delivers traffic from end users to the websites and applications. Because these solutions operate in-line, web-facing assets are protected at all times without human interaction from network-layer DDoS attacks. DDoS cloud scrubbing. DDoS scrubbing can keep your online service or business up and running, even during an attack. A cloud-based scrubbing service can quickly mitigate attacks that target non- web assets, like network infrastructure, at scale. Unlike CDN-based mitigation, a DDoS scrubbing service can protect across all ports, protocols, and applications in the data center, including web- and IP-based services. Organizations direct their network traffic to the mitigation provider’s scrubbing infrastructure in one of two ways: via a Border Gateway Protocol (BGP) route advertisement change or DNS redirection (A record or CNAME). Traffic is monitored and inspected for malicious activity, and mitigation is applied when DDoS attacks are identified. Typically, this service can be available in both on-demand and always-on configurations, depending on an organization’s preferred security posture — although more organizations than ever before are moving to an always-on deployment model for the fastest defensive response. Web application firewalls. For application-layer–specific defenses, organizations should deploy a web application firewall (WAF) to combat advanced attacks, including certain types of DDoS attacks like http requests, HTTP GET, and HTTP POST floods, which aim to disrupt Layer 7 application processes of the OSI model. On-premises (on-prem) DDoS protection. On-prem or on-network DDoS protection involves physical and/or virtualized appliances that reside in a company’s data center and integrate with their edge routers to stop malicious DDoS attacks at the edge of their network. This is particularly helpful when cybercriminals utilize “low and slow” or “small and fast” attacks designed to avoid detection. Additionally, on-prem DDoS protection helps companies avoid operational costs related to rerouting traffic to a cloud scrubbing center when they are not targeted with volumetric attacks. On-prem DDoS protection also serves companies that require ultra-low latency with their network traffic. Examples of such use cases include companies that provide voice and video conferencing platforms, multimedia services, and gaming platforms, or other services that have near-real-time latency requirements. Hybrid DDoS protection. A hybrid DDoS protection solution combines the capabilities and benefits of both on-premises as well as cloud DDoS protection. A hybrid DDoS solution protects a customer’s network infrastructure from the vast majority of small attacks with on-prem or on-network appliances but utilizes the scale and the capacity of a cloud scrubbing center as a backup for large volumetric attacks. Cloud Signaling. Cloud signaling is an industry term indicating that on-prem appliances automatically transfer attack footprint, signature, and other relevant information to the cloud scrubbing centers when such a redirection becomes necessary to optimally protect a customer’s network assets and infrastructure from a DDoS attack. Benefits of mitigation services During mitigation, your DDoS protection provider will deploy a sequence of countermeasures aimed at stopping and diminishing the impact of a distributed denial-of-service attack. As modern attacks become more advanced, cloud-based DDoS mitigation protection helps to provide defense-in-depth security at scale, keeping back-end infrastructure and internet-facing services available and performing in an optimal manner. Through DDoS attack protection services, organizations can: Reduce the attack surface and business risk associated with DDoS attacks Prevent business-impacting downtime Guard against web pages going offline Increase speed to respond to a DDoS event and optimize incident response resources Shorten the time to understand and investigate a service disruption Prevent loss of employee productivity More quickly deploy countermeasures to defend against a DDoS attack Prevent damage to brand reputation and bottom line Maintain application uptime and performance across digital estates Minimize costs associated with web security Defend against extortion, ransomware, and other new evolving threats