Distributed Denial of Service (DDoS) Attacks

Security model & threats

Paul Krzyzanowski

April 13, 2024

Introduction

A Denial of Service (DoS) attack is a malicious attempt to disrupt the normal functioning of a targeted system, making it unavailable to its intended users by overwhelming it with traffic. These attacks can crash the system, make it unresponsive, or significantly slow down its operations.

Characteristics of DoS Attacks

DoS attacks can be particularly challenging to manage because they often exploit vulnerabilities inherent in the system’s setup. Attackers look for asymmetrical situations where the effort required to handle requests is much higher than the effort needed to generate them. For example, a single command from an attacker can force a server to undertake extensive processing, thereby exhausting its resources much more rapidly than the attacker’s resources.

The most common denial of service attack involves denying access to network services. This attack does not require executing code on the target machine. A network-based Denial of Service (DoS) attack disrupts the normal operations of a targeted network or service, rendering it unavailable to its intended users.

Common techniques in DoS attacks

An attack to deny network services is achieved by overwhelming the network with an excessive amount of traffic or exploiting vulnerabilities to exhaust system resources. Attackers may use various techniques, including flooding the network with requests, exploiting security loopholes to cause crashes, or utilizing compromised devices to launch coordinated attacks. The impact is typically a severe degradation in service performance or a complete shutdown, leading to operational disruptions and potentially significant economic and reputational damage to the targeted organization. These attacks are often motivated by a range of reasons, from personal vendettas and financial gain to political agendas and demonstrating technical prowess.

Attacks often use a combination of these techniques:

  1. Exploit asymmetries: Attackers search for situations where it takes more effort for a server to handle a request than for the client to issue one. This asymmetry creates an environment where the attacker does not have to have more computing power or ability to send messages than the service.

  2. Fake return addresses: Attackers can send requests with falsified return addresses. This not only makes it difficult to trace the attack back to its source but ensures that the attacker does not have to deal with the return traffic of responses from the service that is being attacked. This is usually done using UDP-based services that require no handshake and no sequence numbers on packets.

  3. Send responses to the target: Rather than simply faking a return address to, say, an unreachable IP address or a random one, an attacker can set the return address to that of the target being attacked while sending a network request to some intermediate service. In this case, the service (which is innocent) ends up, unknowingly, sending the response to the target. This technique makes sense when combined with the next item.

  4. Amplification: Amplification refers to a technique used to maximize the volume of traffic directed at a target system, thereby increasing the attack’s effectiveness. This is achieved by sending small queries to network services that respond with replies much larger in size. The attacker spoofs the source IP address of these requests to that of the target, causing the server to send disproportionately large responses directly to the target system. Commonly exploited services for amplification include DNS, NTP, and memcached servers, which can return responses that are orders of magnitude larger than the requests. This method not only allows attackers to multiply the traffic volume with minimal resources, but also masks the true source of the attack, complicating defense efforts for the victim.

  5. Botnets: The more the merrier. Attackers may also use a network of compromised computers, known as a botnet, to carry out large-scale attacks. Each compromised device acts as a source of attack traffic, making the attack harder to isolate and mitigate. This turns a Denial of Service (DoS) attack into a Distributed Denial of Service (DDoS) attack.

DDoS

A Distributed Denial of Service (DDoS) attack involves multiple compromised systems, which are often distributed globally, that flood the target with traffic. This method is much more effective than single-source DoS attacks because it generates overwhelming traffic from multiple sources, making defensive efforts significantly more complicated.

Two types of Distributed Denial of Service (DDoS) attacks are volumetric and packet-per-second attacks. Each type has its own method of overwhelming the target:

Volumetric Attacks

These are the most common form of DDoS attacks. They aim to consume the bandwidth of the target network or service. Attackers send a massive amount of data to the target, trying to exceed the bandwidth limit, which results in legitimate traffic being unable to reach the server or slow service responses. Common examples of volumetric attacks include UDP floods, ICMP floods, and other spoofed-packet floods.

Packet-per-Second Attacks

These attacks focus on overwhelming the processing capacity of the target’s networking equipment rather than the bandwidth. The attacker sends a high number of packets per second (pps), which the target’s network devices (like routers and switches) cannot process efficiently due to hardware limitations in handling such high packet rates. This can cause delays, packet loss, or the failure of the equipment, affecting normal network operations.
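The distinction between the two attack types comes down to which capacity limit is reached first: the link's bit rate or the equipment's packet rate. The following calculator is an added example (not part of the original notes) that classifies a flood by comparing its load against both limits. The link and device capacities passed in are illustrative assumptions; the Ethernet framing constants (preamble, start delimiter, inter-frame gap, header, FCS, and the 46-byte minimum payload) are standard and explain why a 10 Gbps link carries at most about 14.88 million minimum-size packets per second.

```python
"""Classify a flood as volumetric or packet-per-second.

Added example, not from the original notes. Link and device capacities
used in the scenarios below are assumptions chosen for illustration.
"""

# Bytes on the wire per frame that are NOT part of the IP packet itself:
# 7-byte preamble + 1-byte start-of-frame delimiter + 12-byte inter-frame gap
# + 14-byte Ethernet header + 4-byte frame check sequence.
WIRE_OVERHEAD_BYTES = 7 + 1 + 12 + 14 + 4   # 38 bytes
MIN_FRAME_PAYLOAD = 46                      # smaller IP packets are padded


def wire_bits_per_packet(ip_packet_bytes):
    """Bits a single IP packet actually occupies on an Ethernet link."""
    payload = max(ip_packet_bytes, MIN_FRAME_PAYLOAD)
    return (payload + WIRE_OVERHEAD_BYTES) * 8


def classify_attack(pkt_bytes, pps, link_gbps, device_pps):
    """Return (label, bandwidth_utilisation, pps_utilisation).

    pkt_bytes  - size of each attack packet (IP header + payload)
    pps        - attack packets per second
    link_gbps  - capacity of the target's link
    device_pps - packets per second the target's router/firewall can forward
    """
    bw_util = pps * wire_bits_per_packet(pkt_bytes) / (link_gbps * 1e9)
    pps_util = pps / device_pps
    if bw_util >= 1.0 and bw_util >= pps_util:
        label = "volumetric"          # link saturates first
    elif pps_util >= 1.0:
        label = "packet-per-second"   # forwarding hardware saturates first
    else:
        label = "within capacity"
    return label, bw_util, pps_util


if __name__ == "__main__":
    # Assumed target: 10 Gbps link, device forwards 5 Mpps.
    for pkt, rate in [(1400, 1_000_000), (40, 8_000_000), (500, 100_000)]:
        label, bw, pr = classify_attack(pkt, rate, link_gbps=10, device_pps=5_000_000)
        print(f"{pkt:5d}-byte packets at {rate:>10,} pps: {label} "
              f"(link {bw:.0%}, device {pr:.0%})")
```

Large packets at a modest rate fill the link while the router is mostly idle; tiny packets at a high rate exhaust the forwarding hardware while the link still has headroom, which is why capacity planning must look at both numbers.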

Reflection amplification

Reflection amplification attacks are a type of Distributed Denial of Service (DDoS) attack that uses vulnerable servers or services to amplify the amount of traffic sent to a target, overwhelming its network or system resources. This type of attack exploits the behavior of certain network protocols, where a small request generates a much larger response. By combining this with spoofing the victim’s IP address, attackers direct the amplified responses to the target, causing disruption without revealing their own identity.

How reflection works

In a reflection attack, the attacker sends requests to publicly accessible servers or services, such as DNS, NTP (Network Time Protocol), or Memcached servers, but forges the source IP address to make it appear as though the request originated from the victim. The servers then “reflect” their responses to the victim, overwhelming its bandwidth or system resources. This method allows attackers to remain anonymous while using the power of many servers to amplify the attack.

Amplification factors

The effectiveness of a reflection amplification attack comes from the amplification factor—the ratio of the size of the response to the size of the original request. For example, in a DNS amplification attack, a small query of around 60 bytes can generate a response of over 4,000 bytes, resulting in an amplification factor of more than 60x. Other protocols like NTP or Memcached can have even larger amplification factors, making them ideal tools for attackers.

Commonly exploited protocols

Reflection amplification attacks typically target protocols that:

  1. Operate over UDP, which is connectionless and doesn’t verify the sender’s IP. A request with a spoofed source address will cause a server to send a response to that spoofed address since there’s no need to set up a connection.
  2. Generate larger responses than the original request.

Examples of commonly exploited protocols are:

  • DNS (Domain Name System): Attackers send small DNS queries that generate large responses.
  • NTP (Network Time Protocol): Exploits the monlist command to retrieve a large list of recent clients.
  • Memcached: Leverages improperly configured servers to generate massive responses from small requests.
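From the defender's side, reflected traffic has a recognisable shape: a host receives a large volume of UDP replies from well-known service ports (53, 123, 11211) sent by many different servers, with no matching outbound query from that host. The following script is an added example (not part of the original notes) that applies that logic to flow records and also computes the amplification factor defined above. The flow records and field layout are constructed for the example and do not correspond to any particular flow exporter; the thresholds are assumptions.

```python
"""Flag hosts receiving unsolicited, amplified UDP replies.

Added example, not from the original notes. Flow records are constructed;
the tuple layout and the thresholds are assumptions for illustration.
"""
from collections import defaultdict

# UDP source ports of the services named in the notes as common reflectors.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 11211: "Memcached"}

# Constructed sample flows:
# (src_ip, src_port, dst_ip, dst_port, proto, packets, bytes)
SAMPLE_FLOWS = [
    # A normal DNS lookup: query out, small answer back.
    ("10.0.0.5", 51000, "192.0.2.53", 53, "udp", 1, 70),
    ("192.0.2.53", 53, "10.0.0.5", 51000, "udp", 1, 150),
    # Many servers answering a host that never sent them a query.
    ("198.51.100.10", 53, "203.0.113.7", 40000, "udp", 200, 800_000),
    ("198.51.100.11", 53, "203.0.113.7", 40000, "udp", 180, 720_000),
    ("198.51.100.12", 123, "203.0.113.7", 40000, "udp", 500, 240_000),
    ("198.51.100.13", 11211, "203.0.113.7", 40000, "udp", 50, 50_000_000),
    # Unrelated TCP traffic to the same host.
    ("10.0.0.6", 52000, "203.0.113.7", 443, "tcp", 30, 4_500),
]


def amplification_factor(request_bytes, response_bytes):
    """Bandwidth amplification factor: reply size divided by query size."""
    return response_bytes / request_bytes


def find_reflection_victims(flows, min_reflectors=3, min_bytes=1_000_000):
    """Return {victim_ip: summary} for hosts receiving large volumes of
    replies from reflector ports that they never requested."""
    # Every UDP request we saw leave a host: (requester, server, server_port).
    requested = {(f[0], f[2], f[3]) for f in flows if f[4] == "udp"}
    inbound = defaultdict(lambda: {"bytes": 0, "packets": 0,
                                   "reflectors": set(), "services": set()})
    for src, sport, dst, dport, proto, pkts, nbytes in flows:
        if proto != "udp" or sport not in REFLECTOR_PORTS:
            continue
        if (dst, src, sport) in requested:
            continue  # the destination asked this server; a normal reply
        s = inbound[dst]
        s["bytes"] += nbytes
        s["packets"] += pkts
        s["reflectors"].add(src)
        s["services"].add(REFLECTOR_PORTS[sport])
    victims = {}
    for dst, s in inbound.items():
        if len(s["reflectors"]) >= min_reflectors and s["bytes"] >= min_bytes:
            victims[dst] = {
                "bytes": s["bytes"],
                "reflectors": len(s["reflectors"]),
                "services": sorted(s["services"]),
                "avg_reply_bytes": s["bytes"] // s["packets"],
            }
    return victims


if __name__ == "__main__":
    print("DNS factor for a 60-byte query / 4000-byte reply:",
          round(amplification_factor(60, 4000), 1))
    for ip, info in find_reflection_victims(SAMPLE_FLOWS).items():
        print(ip, info)
```

The "never requested" check is what separates a reflection victim from a busy resolver client: a host that issued the query will have an outbound flow to the same server and port. Memcached dominates the byte count here because its replies, as the notes say, can be vastly larger than the request.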

Defensive measures against DDoS attacks

Defending against DDoS attacks is challenging due to their varied nature and scattered origin.

These attacks involve multiple compromised systems, often globally distributed, which generate massive volumes of traffic simultaneously, overwhelming target systems and making it difficult to distinguish between legitimate and malicious traffic. The sheer scale of these attacks can exhaust bandwidth and cripple infrastructure. Moreover, the use of techniques like IP spoofing obscures the origins of the attack, complicating efforts to block malicious traffic without disrupting normal operations. Additionally, the continuous evolution of DDoS attack methods and tools means that defensive measures must also evolve, requiring constant vigilance and updates to cybersecurity practices and technologies.

There are no assured mechanisms to guard against DDoS attacks but several techniques can be used to make attacking more difficult or to enable administrators to subdue if not stop an attack.

  1. Overprovisioning bandwidth: By having more bandwidth than typically needed, an organization can absorb larger volumes of traffic before its services become overwhelmed. This doesn’t prevent attacks but can reduce their impact.

  2. Disable unnecessary UDP services: Most DDoS attacks are UDP-based. Configuring a firewall to block UDP traffic for unnecessary services keeps that traffic out of the internal network. Turn off or secure services like monlist on NTP servers or limit access to Memcached servers.

  3. Bandwidth management (rate limiting): Implementing rate limits on network devices and servers can help prevent any single source from consuming too much bandwidth or system resources, potentially mitigating the effects of an attack. However, with DDoS attacks, requests will often come from a huge number of sources, making it difficult to implement rate limiting. If rate limiting is configured for the system being attacked then there is the likelihood that legitimate requests will be denied, which achieves the attacker's goal for them. Rate limiting can also be applied to outbound traffic, sometimes at an ISP, to block bots that are originating an attack.

  4. Blackhole Routing: Divert and drop traffic that is identified as malicious. This can be configured in real time during an attack, for example to block requests to a DNS server that’s used in a reflection attack.

  5. Network Redundancy: Deploy multiple networks to ensure availability even if one is compromised.
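The rate-limiting caveat in item 3 is easy to see in a simulation. The following is an added example (not from the original notes): a per-source token-bucket limiter in front of a server with a fixed capacity, run against a single-source flood and then against a botnet whose members each stay under the per-source limit. The request streams, the limits, and the server capacity are all constructed assumptions for the example.

```python
"""Per-source token-bucket rate limiting against single-source and
distributed floods.

Added example, not from the original notes. Traffic streams, limits and
server capacity are assumptions chosen for illustration.
"""


class TokenBucket:
    """Classic token bucket: refills at `rate` tokens/s, holds at most `capacity`."""

    def __init__(self, rate, capacity):
        self.rate, self.capacity = rate, capacity
        self.tokens, self.last = float(capacity), 0.0

    def allow(self, now):
        # Refill in proportion to elapsed time, never beyond capacity.
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class PerSourceLimiter:
    """One bucket per source address, created when the source is first seen."""

    def __init__(self, rate, capacity):
        self.rate, self.capacity = rate, capacity
        self.buckets = {}

    def allow(self, src, now):
        bucket = self.buckets.get(src)
        if bucket is None:
            bucket = self.buckets[src] = TokenBucket(self.rate, self.capacity)
        return bucket.allow(now)


def simulate(requests, limiter, server_capacity):
    """requests: list of (time, src, is_legit) within a one-second window.
    Requests passing the limiter reach a server that handles at most
    `server_capacity` of them, in arrival order, and drops the rest."""
    admitted = {"attack": 0, "legit": 0}
    served = served_legit = 0
    for now, src, legit in sorted(requests):
        if not limiter.allow(src, now):
            continue
        admitted["legit" if legit else "attack"] += 1
        if served < server_capacity:
            served += 1
            served_legit += legit
    return {"admitted_attack": admitted["attack"],
            "admitted_legit": admitted["legit"],
            "served_legit": served_legit}


# Constructed traffic: 50 real clients at 5 req/s each, spread over the second.
def legit_traffic(clients=50, per_client=5):
    n = clients * per_client
    return [((i + 0.37) / n, f"client-{i % clients}", True) for i in range(n)]


# One attacker sending 10,000 req/s.
def single_source_flood(rate=10_000):
    return [(j / rate, "attacker", False) for j in range(rate)]


# 1,000 bots at 10 req/s each: the same 10,000 req/s, but under the per-source limit.
def botnet_flood(bots=1_000, per_bot=10):
    total = bots * per_bot
    return [(j / total, f"bot-{j % bots}", False) for j in range(total)]


def scenario_single():
    return simulate(legit_traffic() + single_source_flood(),
                    PerSourceLimiter(rate=20, capacity=20), server_capacity=1_000)


def scenario_botnet():
    return simulate(legit_traffic() + botnet_flood(),
                    PerSourceLimiter(rate=20, capacity=20), server_capacity=1_000)


if __name__ == "__main__":
    print("single source:", scenario_single())
    print("botnet:       ", scenario_botnet())
```

Against one source the limiter admits only a few dozen attack requests and every legitimate request is served. Against the botnet every bot stays below 20 req/s, so all 10,000 attack requests are admitted and the server's 1,000-request capacity is consumed almost entirely by them; most legitimate clients are dropped, which is exactly the failure mode item 3 warns about.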

Last modified November 27, 2024.