Abstract
Distributed Denial of Service (DDoS) attacks present a real threat to the security and reputation of industries across the globe. This report looks at why DDoS attacks occur, who the likely targets are, the types of DDoS attack, and strategies to mitigate them.
Introduction
The first Distributed Denial of Service (DDoS) attack tool, FAPI, appeared in June 1998. FAPI could direct TCP, UDP and ICMP traffic from multiple attack sources at a victim, causing it to become unresponsive to legitimate requests (Lin & Tseng, 2004). Since FAPI, DDoS tools and techniques have provided a lucrative avenue for cyber-crime. With more organisations and businesses connecting critical infrastructure to the internet, DDoS strikes are becoming more frequent and their impact more severe.
Why, Who and What?
DDoS attacks can be used to mask other attack activity, for revenge, for hacktivism and, most commonly, for extortion (Symantec Corporation, 2015). In an extortion attack an organisation is given an ultimatum: pay, or its online presence or internet services will be disrupted, usually during a critical time for the business (Mansfield-Devine, 2011).
Figure 1 - Size and Frequency of DDoS attacks (Akamai Technologies, Inc, 2015)
Cyber criminals use DDoS because botnets are cheap, highly effective and hard to detect. Botnet time can be rented for as little as $5 per hour, the bots use ordinary consumer connections, and they bring down internet services like clockwork (Florian, 2012). DDoS targets are usually broken down by industry; over half of all attacks in 2015 were directed at gaming and at software and technology entities (Akamai Technologies, Inc, 2015).
Figure 2 - Attacks by Industry (Akamai Technologies, Inc, 2015)
DDoS attacks are growing in frequency and intensity each year, so the likelihood of a business being targeted is ever increasing. DDoS attack vectors generally fall into two categories: Layer 3 network or infrastructure floods and Layer 7 application attacks (Mansfield-Devine, 2011). Infrastructure attacks flood the victim with TCP, UDP and ICMP traffic, often amplified by reflecting requests off open NTP, SSDP, DNS and CHARGEN services; these network layer attacks accounted for over 95% of all DDoS traffic in 2015, by both frequency and volume (Akamai Technologies, Inc, 2015).
Application layer attacks, on the other hand, exploit web servers by flooding the service with a large number of HTTP GET or POST requests (PUSH is not an HTTP method; PUSH floods set the TCP PSH flag and belong with the infrastructure vectors). These requests aim to exhaust the server's resources until the service is rendered unusable or unavailable (Iyengar, Banerjee, & Ganapathy, 2014).
Figure 3 - Attacks by Type (Akamai Technologies, Inc, 2015)
A trend towards the use of non-botnet resources such as open proxies has recently been observed. This shift may lead to an increase in reflective DDoS attacks that abuse web application frameworks, making DDoS mitigation exceedingly challenging (Akamai Technologies, Inc, 2015).
Mitigation Strategies
Many different mitigation strategies exist; which ones apply depends on client base size, content type, business requirements and available funding. Four traditional mitigation tools exist which can be used independently or in conjunction with other mitigation methods such as whitelisting and cloud security services. The traditional tools are bandwidth defence, rate filtering, signature filtering and moving target defence (Hunter, 2003).
Bandwidth defence aims to mitigate bandwidth attacks. A bandwidth attack involves large traffic throughput, which can exceed 10 Gbps as shown in figure one, and aims to overwhelm the connection pipe to the web site to disrupt service. Bandwidth defences usually involve multiple service provider internet links and the ability to increase internet throughput on demand (Mansfield-Devine, 2011). Content Delivery Networks (CDNs) such as Akamai and Sandpiper also assist with bandwidth defence, although they are usually expensive. Organisations should intelligently monitor their infrastructure bandwidth to ensure sufficient normal capacity and to detect bandwidth attacks when they occur (Hunter, 2003).
Rate filtering looks to counter DDoS attacks by preserving resources on the victim end. A DDoS SYN flood, for example, aims to exhaust finite bandwidth, CPU, memory and connection buffer resources.
Figure 4 - Traditional single tier data centre. Adapted from "Three Tier Network Architecture to mitigate DDoS Attacks on Hybrid Cloud Environments" by Bhardwaj, Subrahmanyam, & Sastry, 2015.
Each connection allocates system resources. Once resources are saturated, subsequent requests are dropped, causing service outages. Limiting half-open connections, capping packet throughput per source and monitoring resource usage can mitigate these types of attack. Access control lists (ACLs) also preserve system resources through network packet filtering. Filtering should be placed as close to the network perimeter as possible so that attack packets consume as few device resources as possible before being dropped. If rate filtering on a single device becomes a bottleneck, distribute the filtering over multiple inline perimeter devices to share the mitigation load (Beitollahi & Deconinck, 2012).
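To make the two limits concrete, here is an added example (it is not code from the report or from any perimeter device) that applies a per-source SYN rate limit and a cap on half-open connections to constructed traffic. The class and field names, the tiny thresholds and the three traffic sources (a legitimate client, a single-address SYN flooder and a spoofed flood from many addresses) are all assumptions made for the example.

```python
"""Per-source SYN rate filtering plus a cap on half-open connections.

Added example, not code from the original report or from any vendor device.
The packet records are constructed; the class and field names are this
example's own. Timestamps are seconds."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    sport: int
    flags: str   # "S" = SYN, "A" = ACK that completes the handshake


class SynFilter:
    """Drops a SYN when its source exceeds max_syn SYNs per window, or when
    the half-open table is full. Half-open entries time out the way SYN
    backlog entries do, so abandoned handshakes eventually free their slot."""

    def __init__(self, max_syn, window, max_half_open, timeout):
        self.max_syn, self.window = max_syn, window
        self.max_half_open, self.timeout = max_half_open, timeout
        self.syn_times = defaultdict(deque)   # src -> timestamps of recent SYNs
        self.half_open = {}                   # (src, sport) -> SYN timestamp
        self.stats = defaultdict(int)

    def _expire(self, now):
        for key, t in list(self.half_open.items()):
            if now - t > self.timeout:
                del self.half_open[key]
                self.stats["expired"] += 1

    def handle(self, pkt):
        """Returns "accept" or "drop" for one packet."""
        self._expire(pkt.ts)
        key = (pkt.src, pkt.sport)
        if pkt.flags == "A":
            if self.half_open.pop(key, None) is not None:
                self.stats["established"] += 1
            return "accept"
        if pkt.flags != "S":
            return "accept"
        q = self.syn_times[pkt.src]
        while q and pkt.ts - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_syn:            # per-source rate limit
            self.stats["drop_rate"] += 1
            return "drop"
        if key not in self.half_open and len(self.half_open) >= self.max_half_open:
            self.stats["drop_backlog"] += 1   # table full: blunt, hits everyone
            return "drop"
        q.append(pkt.ts)
        self.half_open[key] = pkt.ts
        return "accept"


def simulate():
    """Runs constructed traffic through the filter and returns per-category
    verdict counts plus the filter's counters. Sources: one legitimate client
    that completes its handshakes, one single-address SYN flooder, and a
    spoofed flood using 100 distinct source addresses."""
    f = SynFilter(max_syn=5, window=1.0, max_half_open=50, timeout=2.0)
    legit, flood, spoof = "203.0.113.10", "198.51.100.7", "192.0.2."
    pkts = [Packet(t, legit, 40000 + i, "S") for i, t in enumerate((0.0, 1.0, 2.0, 4.0))]
    pkts += [Packet(0.5 + i * 0.01, flood, 50000 + i, "S") for i in range(20)]      # 20 SYNs in 0.2 s
    pkts += [Packet(1.5 + i * 0.001, f"{spoof}{i}", 60000 + i, "S") for i in range(100)]  # 100 SYNs in 0.1 s
    pkts.sort(key=lambda p: p.ts)

    counts = {"legit": defaultdict(int), "flood": defaultdict(int), "spoof": defaultdict(int)}
    for p in pkts:
        verdict = f.handle(p)
        kind = "legit" if p.src == legit else "flood" if p.src == flood else "spoof"
        counts[kind][verdict] += 1
        # Only the legitimate client finishes the handshake, and only if its SYN got through.
        if kind == "legit" and verdict == "accept":
            f.handle(Packet(p.ts + 0.05, p.src, p.sport, "A"))
    result = {k: dict(v) for k, v in counts.items()}
    result["stats"] = dict(f.stats)
    return result


if __name__ == "__main__":
    print(simulate())
```

The run shows both sides of the trade-off the text describes. The per-source limit stops the single-address flooder after five SYNs, but it cannot touch the spoofed flood, whose sources each send one SYN; that flood is stopped only when the half-open table fills, and at that point the legitimate client's SYN at t=2.0 is dropped too, until the two-second timeout frees the slots. A real perimeter device keys the table by the full 4-tuple and uses far larger limits; the numbers here are only for illustration.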
Vendors that provide commercial rate filtering devices include Hewlett Packard Enterprise, RioRey, Check Point, Juniper, F5, Fortinet and Cisco. Low-bandwidth DDoS and application layer attacks cannot be mitigated by rate filtering alone, because the malicious requests arrive at rates that look legitimate; cloud security services or signature filtering can assist with these types of attack.
Signature filtering relies on recognising signatures created for typical attack patterns. These devices are efficient and less likely to suffer from performance problems; however, they can block legitimate traffic when a signature is too broad (Hunter, 2003). Web Application Firewalls (WAFs) and Intrusion Prevention Systems (IPSs) are good examples of signature filtering devices. WAFs and IPSs perform deep packet inspection on HTTP/S requests and their payloads to identify and prevent attacks. Akamai recommends WAFs which utilise flexible, comprehensive rule sets, situational awareness, black and white listing, GEO blocking, behavioural controls and origin cloaking (Akamai, 2014).
WAFs and IPSs can be placed inside or outside the perimeter network, or both. Inline open source perimeter IPS devices which support custom signatures and the ability to capture DDoS traffic for analysis include Suricata and Snort.
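The following added example (not code from the report and not Suricata or Snort rule syntax) shows what a signature with a rate threshold does when run over web server access log lines, covering both the HTTP GET/POST flood described earlier and the signature filtering trade-off above. The log lines, the three signatures and their thresholds are constructed for the example; the `broad_get` signature is deliberately too wide, to show how a signature ends up blocking a legitimate browser.

```python
"""Signature filtering over access log lines with per-source rate thresholds
of the kind an IPS/WAF rule carries.

Added example, not code from the original report or from Suricata/Snort. The
log lines, the signatures and their thresholds are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/Nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Returns a dict for a well-formed combined-format line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


# A signature is a predicate on one request plus a rate threshold: a source
# that produces `threshold` matching requests inside `window` seconds trips it.
SIGNATURES = {
    "get_flood_empty_ua": (lambda r: r["method"] == "GET" and r["ua"] == "-", 10, 5),
    "login_post_flood": (lambda r: r["method"] == "POST" and r["path"].startswith("/login"), 10, 10),
    "broad_get": (lambda r: r["method"] == "GET", 3, 60),   # deliberately too broad
}


def run_signatures(lines, signatures=SIGNATURES):
    """Returns {signature name: set of sources that tripped it}. Lines are
    processed in timestamp order, as an inline device would see them."""
    recs = [r for r in map(parse_line, lines) if r]
    recs.sort(key=lambda r: r["ts"])
    seen = defaultdict(deque)       # (signature, src) -> timestamps of matches
    tripped = defaultdict(set)
    for r in recs:
        for name, (pred, threshold, window) in signatures.items():
            if not pred(r):
                continue
            q = seen[(name, r["src"])]
            q.append(r["ts"])
            while r["ts"] - q[0] > timedelta(seconds=window):
                q.popleft()
            if len(q) >= threshold:
                tripped[name].add(r["src"])
    return dict(tripped)


def constructed_log():
    """Constructed sample: a normal browser, a GET flood with no User-Agent,
    and a POST flood against /login (addresses from RFC 5737 ranges)."""
    t0 = datetime(2015, 10, 10, 13, 55, 0, tzinfo=timezone.utc)

    def line(src, secs, method, path, ua):
        ts = (t0 + timedelta(seconds=secs)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{src} - - [{ts}] "{method} {path} HTTP/1.1" 200 512 "-" "{ua}"'

    lines = [line("203.0.113.10", 15 * i, "GET", "/index.html",
                  "Mozilla/5.0 (X11; Linux x86_64) Firefox/41.0") for i in range(4)]
    lines += [line("198.51.100.7", i * 0.1, "GET", f"/search?q={i}", "-") for i in range(30)]
    lines += [line("198.51.100.8", 2 + i * 0.3, "POST", "/login", "python-requests/2.9.1")
              for i in range(15)]
    return lines


if __name__ == "__main__":
    for name, sources in run_signatures(constructed_log()).items():
        print(name, sorted(sources))
```

With all three signatures the two floods are caught, but `broad_get` also trips on the ordinary browser that fetched four pages in a minute, which is the false positive Hunter warns about. Running the same log with `broad_get` removed from the dictionary leaves only the two attackers flagged; tuning a signature means checking it against normal traffic like this before it goes inline.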
The Moving Target Defence involves switching services to a new IP address in the event of an attack; DDoS traffic continues to be delivered to the old IP address, mitigating the attack. For added protection the IP addresses can be changed periodically. This option has the advantage of reducing the risk of a successful attack, since multiple end points are possible and the process of changing service IP addressing is frequently tested. Attackers can circumvent this defence by resolving the service name through DNS to find the new IP address, so the relief lasts only as long as it takes the attacker to re-resolve. Moving target defence should not just protect public web addresses; it should also protect DNS servers and core network infrastructure (Hunter, 2003). Cloud security services can provide a moving target defence, since the web service's public address points to the cloud security service rather than the origin. Cloud security edge servers act as a distributed firewall: traffic is scrubbed and only clean traffic is forwarded to the origin server (Gillman, Lin, Maggs, & Sitaraman, 2015).
Moving target defence can be costly due to the number of servers and network addresses required to keep shifting services, and the attacker can often identify the current infrastructure addresses anyway. This is where whitelisting can improve the chance of a successful defence.
Whitelisting can be done with a VIP list (user based) or with cloud security service whitelisting (service based).
Figure 5 - VIP whitelist overview (Yoon, 2010)
Very important IP addresses (VIPs) are IP addresses collected from previous successful application logins, made into a whitelist under normal network conditions.
The VIP whitelist is installed on a perimeter network device and activated when a DDoS attack is detected. Whitelisting is similar to GEO protection; however, instead of permitting or blocking based on country, traffic is permitted based on previous successful user authentications.
Due to the nature of internet users and public IP allocation, users are often assigned a new public address when reconnecting to the internet. Yoon observes that the public IP addresses of client users do not change all that frequently, and when they do change the network portion of the address usually remains the same, since most service providers are allocated a static range and use a contiguous block. This can be used to maximise the usefulness of the VIP list by adding the network subnets of known users to the VIP whitelist (Yoon, 2010). The trade-off is that any attacker who shares a subnet with a legitimate user is admitted as well.
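The VIP list construction and both ways of applying it, as an added example that is not code from the report or from Yoon's paper. The authentication log lines, the addresses (RFC 5737 and RFC 3849 documentation ranges) and the /24 and /64 aggregation sizes are constructed for the example; a real list would be generated from the application's own login audit trail.

```python
"""Building a VIP whitelist from successful logins and applying it at exact
address and at subnet granularity once an attack is detected.

Added example, not code from the original report or from Yoon (2010). Log
lines, addresses and prefix lengths are constructed for the example."""
import ipaddress
import re

LOGIN_RE = re.compile(r"^\S+ \S+ login (?P<result>ok|fail) user=\S+ src=(?P<src>\S+)$")

# Constructed authentication log, collected under normal network conditions.
AUTH_LOG = """\
2015-10-10T09:00:01 app login ok user=alice src=203.0.113.10
2015-10-10T09:03:12 app login ok user=bob src=203.0.113.57
2015-10-10T09:07:44 app login fail user=carol src=198.51.100.7
2015-10-10T09:09:20 app login ok user=carol src=198.51.100.7
2015-10-10T10:15:03 app login ok user=dave src=2001:db8:1::10
2015-10-10T11:40:00 app login fail user=admin src=192.0.2.200
2015-10-10T11:40:01 app login fail user=admin src=192.0.2.200
""".splitlines()


def build_vip_list(lines, prefix_v4=24, prefix_v6=64):
    """Collects source addresses of successful logins only (a failed login must
    not earn a place on the list) and returns (exact_addresses, subnets), where
    subnets are the /prefix networks containing each exact address."""
    exact = set()
    for line in lines:
        m = LOGIN_RE.match(line)
        if m and m["result"] == "ok":
            exact.add(ipaddress.ip_address(m["src"]))
    subnets = set()
    for addr in exact:
        plen = prefix_v4 if addr.version == 4 else prefix_v6
        subnets.add(ipaddress.ip_network(f"{addr}/{plen}", strict=False))
    return exact, subnets


class VipFilter:
    """Perimeter filter: passes everything while inactive; once an attack is
    detected and it is activated, only VIP sources pass."""

    def __init__(self, exact, subnets, use_subnets=True):
        self.exact, self.subnets, self.use_subnets = exact, subnets, use_subnets
        self.active = False

    def allow(self, src):
        if not self.active:
            return True
        addr = ipaddress.ip_address(src)
        if addr in self.exact:
            return True
        # Linear scan is fine for a demo; a device would use a prefix trie.
        return self.use_subnets and any(addr in net for net in self.subnets)


# Constructed sources seen during an attack.
ATTACK_TIME_SOURCES = [
    "203.0.113.10",    # alice, same address as before
    "203.0.113.58",    # bob after a DHCP renewal, same /24
    "2001:db8:1::99",  # dave's household, same /64
    "198.51.100.200",  # a bot that happens to share carol's ISP /24
    "192.0.2.200",     # only ever failed logins
    "10.0.0.1",        # never seen
]


def attack_time_verdicts():
    """Returns {src: (allowed_exact_mode, allowed_subnet_mode)} with the
    filter activated, showing what subnet aggregation gains and what it lets in."""
    exact, subnets = build_vip_list(AUTH_LOG)
    by_exact = VipFilter(exact, subnets, use_subnets=False)
    by_subnet = VipFilter(exact, subnets, use_subnets=True)
    by_exact.active = by_subnet.active = True
    return {src: (by_exact.allow(src), by_subnet.allow(src)) for src in ATTACK_TIME_SOURCES}


if __name__ == "__main__":
    for src, (e, s) in attack_time_verdicts().items():
        print(f"{src:18} exact={e!s:5} subnet={s!s:5}")
```

Exact matching admits only alice; the subnet list also admits bob and dave after their addresses moved within their provider's block, which is the gain Yoon describes, but it equally admits the bot on carol's ISP range. The source that only ever failed to log in is excluded in both modes, which is why the list must be built from successful authentications rather than from all connections.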
Figure 7 - Cloud security services with CloudFlare. Retrieved January 2015, from https://www.cloudflare.com/overview/overview.png. Copyright 2016 CloudFlare, Inc.
Leading cloud security services offer CAPTCHA, IP ACLs, GEO blocking, WAF, DNS protection and analytics. According to the Forrester Wave, cloud security, DNS and CDN services are best provided by Prolexic (now Akamai Technologies), CloudFlare and CenturyLink (Holland & Ferrara, 2015).
At minimum, a single tier data centre design with VIP whitelisting should be used to self-mitigate small scale attacks. Multi-tier cloud security services and a CDN are recommended for mitigating large scale, high bandwidth attacks. DDoS mitigation should be part of every business's disaster recovery plan, be implemented and tested before a DDoS attack occurs, and include monitoring for ongoing detection (Florian, 2012).
Summary
Distributed Denial of Service (DDoS) attacks present a real threat to the security and reputation of industries across the globe. With more organisations and businesses connecting critical infrastructure to the internet, DDoS strikes are becoming more frequent and their impact more severe. Mitigation strategies include bandwidth defence, rate filtering, signature filtering, moving target defence, whitelisting and cloud security services. At minimum, a single tier data centre design with VIP whitelisting should be used to self-mitigate small scale attacks. Multi-tier cloud security services and a CDN are recommended for mitigating large scale DNS and high bandwidth attacks. DDoS mitigation should be part of every business's disaster recovery plan, be implemented and tested before a DDoS attack occurs, and include monitoring for ongoing detection.
References
Akamai Technologies, Inc. (2015). [state of the internet] / security Q3 2015 report. Cambridge, Massachusetts: Akamai Technologies, Inc.
Akamai. (2014). Threats and Mitigations: A guide to multi-layered web security. Retrieved from http://www4.akamai.com/dl/akamai/akamai-ebook-guide-to-multi-layered-web-security.pdf
Beitollahi, H., & Deconinck, G. (2012). Analyzing well-known countermeasures against distributed denial of service attacks. Computer Communications, 1312-1332.
Bhardwaj, A., Subrahmanyam, G., & Sastry, H. (2015). Three Tier Network Architecture to mitigate DDoS Attacks on Hybrid Cloud Environments. arXiv.
Florian, M. (2012). Simple ways to dodge the DDoS bullet. Network Security, 18-20.
Gillman, D., Lin, Y., Maggs, B., & Sitaraman, R. K. (2015). Protecting Websites from Attack with Secure Delivery Networks. Computer, 26-34.
Holland, R., & Ferrara, E. (2015). The Forrester Wave™: DDoS Services Providers, Q3 2015. Cambridge: Forrester Research, Inc.
Hunter, P. (2003). Distributed Denial of Service (DDOS) Mitigation Tools. Network Security, 12-14.
Iyengar, N., Banerjee, A., & Ganapathy, G. (2014). A Fuzzy Logic based Defense Mechanism against Distributed Denial of Service Attack in Cloud Computing Environment. International Journal of Communication Networks and Information Security, 233-245.
Lin, S.-C., & Tseng, S.-S. (2004). Constructing detection knowledge for DDoS intrusion tolerance. Expert Systems With Applications, 379-390.
Mansfield-Devine, S. (2011). DDoS: threats and mitigation. Network Security, 5-12.
Symantec Corporation. (2015). 2015 Internet Security Threat Report. California, USA: Symantec Corporation.
Yoon, M. (2010). Using whitelisting to mitigate DDoS attacks on critical Internet sites. IEEE Communications Magazine, 110-115.