Level 3 Communications

Danny Bradbury

Dissecting DDoS Attacks

Distributed denial of service (DDoS) attacks have been a growing problem ever since the first ones began appearing in the late 1990s. They’re growing in size, with the largest DDoS attacks now measured in terabits of malicious traffic per second, and they’re costing victims dearly. Kaspersky estimates the average DDoS incident costs enterprises $2m.

On the face of it, DDoS attacks seem simple enough. Lots of compromised computers start chattering to a target computer, overwhelming its computing resources and possibly its Internet bandwidth. In practice, not all DDoS attacks are the same. Understanding the differences can help to mitigate risk and protect your company.

We can divide attack types into three main categories:

Volumetric attacks

These are the simplest attacks, relying on brute force to tie up the network connection to the victim’s servers. They generally operate at the lower network and transport layers of the networking stack. Here are some examples of these attacks:

  • ICMP or ping flood attacks swamp the server by sending ICMP Echo Request packets.
  • UDP floods use the User Datagram Protocol to target a server on random ports with ICMP requests. When the server cannot find an application listening on a port, it sends a ‘destination unreachable’ packet. This ties up server resources and network bandwidth.

This is an example of an attack that can also be ‘reflected’ by sending requests to large numbers of servers and spoofing the source address of the requests with a victim’s address. All the responses from servers flood the victim’s network.

Protocol attacks

Protocol attacks exploit the characteristics of protocols at layer three and four of the network stack, forcing a server or firewall to respond and tying up its resources.  There are several types:

  • SYN floods use a TCP SYN request to establish a network connection. The protocol’s standard way of handling these requests forces the server to answer and then listen for an acknowledgement, leaving all of its connections in a half-open state. Ping of death attacks send large network packets to a computer, splitting them into fragments. When the victim reassembles them, they are larger than the allowed packet size, which can cause some hosts to crash.

Application layer attacks

These attacks, which target the topmost layer of the network stack, are where a lot of the action is happening because they can tie up lots of system resources and are difficult to detect. Here are some examples to look out for:

  • HTTP floodsbatter a web server with HTTP GET or POST requests, which tie it up by forcing it to serve meaningless requests. Slowloris is an attack tool that specializes in sending HTTP traffic. This attack comes in various levels of sophistication, including random HTTP floods that avoid hitting the same page every time, and cache-bypass HTTP floods that try to avoid requesting cached web pages.
  • Large payload POST attacks upload a large file via a POST request to tie the server’s resources up still further.
  • Slow POST attacks send the HTTP requests slowly, in pieces. This forces the target to dedicate resources not only to serving the request, but to waiting for it all to arrive.
  • Targeted application attacks use specific application vulnerabilities to tie up online applications, possibly sending them into a crash state by causing buffer overflows or tying up all CPU resources.  

The further up the stack attackers move, the more dangerous the techniques become. In some cases, layer 7 attacks may not need to be very distributed at all because a small number of computers can wreak havoc on a system.

Dark DDoS

Traditionally, all of these attacks focused on knocking a victim’s systems offline. Attackers had various motives, including ideological (attacking an organization they didn’t agree with), economic (extorting money from victims) and egotistical (doing it as a form of sport). More recently, though, another motivation has emerged: DDoS as a distraction mechanism.

In some cases, an attackers’ intent is to disrupt rather than destroy a network by mounting an attack that taxes its resources just enough to cause problems for network administrators. An attack may flood protective systems with enough traffic that they fall into failsafe mode, passing traffic through unfiltered.

These sub-1Gb/sec attacks can also create just enough work for administrators to distract them from another attack on their network that could steal data. When administrators spot these attacks, often called ‘dark DDoS’, or low threshold, sub-saturating attacks, it’s worth taking a close look at the network to see if anything else is happening.

DDoS defense

How can companies protect themselves against DDoS attacks? Installing signature-based firewalls and routers can help to reject known bad traffic and protect servers from overloading. Complement these with load balancers to spread jobs between multiple servers.

Companies should stay in close contact with their hosting and cloud service providers and ISPs to help mitigate these attacks.  A services partner can not only help companies with the above measures, but can also advise on building web site architectures that spread the load across different servers. A multi-cloud arrangement that enables a company to failover between different service providers can also help.

Finally, another defensive measure is a cloud-based anti-DDoS solution. These services, available from multiple providers, can analyze and scrub traffic before it hits the target infrastructure, making it harder for DDoS attackers to do damage.

By taking a defense in depth approach and working closely with infrastructure partners, companies can minimize the likelihood of a successful DDoS attack and mitigate the effects from any that do make it through. With attackers using off-the-shelf tools to mount these assaults at will, it’s time to put those defensive measures in place now.

Learn how CenturyLink can help protect your organization from the next DDoS attack.

This blog is provided for informational purposes only and may require additional research and substantiation by the end user. In addition, the information is provided “as is” without any warranty or condition of any kind, either express or implied. Use of this information is at the end user’s own risk. CenturyLink does not warrant that the information will meet the end user’s requirements or that the implementation or usage of this information will result in the desired outcome of the end user.