Abstract
Distributed
Denial of Service attacks present a real threat to the security and reputation
of industries across the globe. This report looks at why DDoS attacks occur,
who are likely targets of DDoS attacks, types of DDoS and strategies to
mitigate against attacks.
Introduction
The first
Distributed Denial of Service (DDoS) attack tool appeared in June of 1998 labelled
FAPI. FAPI could direct TCP, UDP and ICMP traffic from multiple attack sources causing
a victim to become unresponsive to legitimate requests (Lin & Tseng, 2004). Since FAPI, DDoS tools and techniques have
provided a lucrative avenue for cyber-crime. With more organisations and
businesses connecting critical infrastructure to the internet, the impact of DDoS
strikes is becoming increasingly prevalent.
Why Who and What?
DDoS
attacks can be used for masquerading other attack activity, revenge,
hacktivism and more typically extortion
(Symantec Corporation, 2015). It is common with extortion attacks
where an organisation will be given an ultimatum for money or else its online
presence or internet services will be affected, usually during a critical
time for the business (Mansfield-Devine, 2011).
|
Figure 1 - Size and
Frequency of DDoS attacks
(Akamai Technologies, Inc, 2015)
|
Cyber criminals
use DDoS because botnets are cheap, highly effective and hard to detect. Botnets
can go for as little as $5 per hour, use normal connections and consistently bring down internet services like clockwork (Florian,
2012). DDoS targets are usually broken down into different industries with
over half of all attacks in 2015 directed towards gaming and software and
technology entities (Akamai Technologies, Inc,
2015).
Figure 2 - Attacks by
Industry (Akamai Technologies, Inc, 2015)
DDoS
attacks are growing in frequency and intensity each year, the likelihood of
businesses being targeted is ever increasing. DDoS attack vectors generally
fall into two categories – Layer 3 network or infrastructure floods and Layer 7
application attacks (Mansfield-Devine, 2011).
Infrastructure attacks utilise network protocols such as TCP, UDP, ICMP, NTP,
SSDP, DNS and CHARGEN; these network layer attacks account for over 95% in
frequency and volume of all DDoS traffic in 2015
(Akamai Technologies, Inc, 2015).
Application
layer attacks on the other hand exploit web servers by flooding the service
with a large number of HTTP GET, POST or PUSH requests. These requests aim to
overwhelm the server's resources until the service is rendered unusable or
unavailable (Iyengar, Banerjee, &
Ganapathy, 2014).
|
Figure 3 - Attacks by
Type (Akamai Technologies, Inc, 2015)
|
A trend
towards the use of non-botnet based resources such as open proxies has recently
been observed. This shift may lead to an increase in reflective DDoS attacks
that abuse web application frameworks making DDoS mitigation exceedingly
challenging (Akamai Technologies, Inc, 2015).
Mitigation Strategies
Many
different mitigation strategies exist depending on client base size, content
type, business requirement and funding capital. Four traditional mitigation
tools exist which can be used independently or in conjunction with other
mitigation methods such as white listing and cloud security services.
Mitigation tools include bandwidth defence, rate filtering, signature filtering
and moving target (Hunter, 2003).
Bandwidth
defence aims to mitigate bandwidth attacks. A bandwidth attack involves large
traffic throughput which can be upwards of 10GBp/s as shown in figure one.
This attack aims to overwhelm the connection pipe to the web site to disrupt
service. Bandwidth defences usually involve the use of multiple service
provider internet links and the ability to increase internet throughput on
demand (Mansfield-Devine, 2011). Content Distributed Networks (CDN) such as
Akamai and Sandpiper also assist with bandwidth defences however usually is
expensive. Organisations should
intelligently monitor their infrastructure bandwidth to ensure sufficient
normal capacity and the ability to detect bandwidth attacks when they occur (Hunter, 2003).
Rate filtering looks to counter DDoS attacks through preservation of resources on the victim end. A DDoS SYN flood attack aims to exhaust finite bandwidth, CPU, memory and buffer resources.
|
Figure
4 – Traditional single tier data centre.
Adapted from “Three Tier Network Architecture to mitigate DDoS Attacks on
Hybrid Cloud Environments” by Bhardwaj,
Subrahmanyam, & Sastry, 2015.
|
Each
connection allocates system resources. Once resources are saturated, subsequent
requests are dropped causing service outages. Limiting half-open connections,
packet throughput and monitoring resources can mitigate these types of attacks.
Access control lists (ACL) also preserve system resources through network
packet filtering. Filtering should be placed as close to the network perimeter
as possible to limit device resource allocation. In the event rate filtering is
problematic, distribute the filtering over multiple inline perimeter devices to
share mitigation load (Beitollahi &
Deconinck, 2012).
Vendors
which provide commercial rate filtering devices include Hewlett Packard
Enterprise, Riorey Checkpoint, Juniper, F5, Fortinet and Cisco. Low bandwidth
DDoS and application layer attacks cannot be mitigated by rate filtering, cloud
security services or signature filtering can assist with these types of
attacks.
Signature
filtering relies on recognizing signatures created for typical attack patterns.
These devices are efficient and less likely
to suffer from performance problems, however could block legitimate traffic (Hunter, 2003). Web Application Firewalls
(WAF) and Intrusion Prevention Systems (IPS) are great examples of signature
filtering devices. WAFs and IPS’ execute deep packet inspection on HTTP/S requests
and their payload to identify and prevent attacks. Akamai recommends WAFs which
utilise flexible comprehensive rule sets, situational awareness, black and
white listing, GEO blocking, behavioural controls and origin cloaking (Akamai, 2014).
WAFs and
IPS’ should be placed inside or outside (or both) of the perimeter network. Inline
open source perimeter IPS devices which support custom signature and the
ability to capture DDoS traffic for analysis include Suricata or Snort.
The
Moving Target Defence involves switching services to a new IP address in the
event of an attack, DDoS attack traffic will then be delivered to the old IP
address mitigating the attack. For added protection the IP addresses can be
changed periodically to provide further defence against attack. This option has
the advantage of reducing the risk of an attack since multiple end points are
possible and the process of changing service IP addressing is frequently
tested. Attackers can circumvent this defence by using DNS requests to identify
the new service IP address. Moving target defence should not just protect
public web addresses; it should also protect DNS servers and core network
infrastructure (Hunter, 2003). Cloud
security services can provide moving target defences since the web services
public address points to the cloud security service. Cloud security edge
servers act as a distributed firewall. Traffic is scrubbed and cleaned before
clean traffic is forwarded to the origin server (Gillman,
Lin, Maggs, & Sitaraman, 2015).
Moving
target defence can be costly due to the number of servers and network addresses
required to keep shifting services, not to mention the attacker can easily
identify current infrastructure addresses. This is where white listing can
improve defence success.
White
listing can be done by a VIP list (user based) or cloud security services white
listing (service based).
Figure 5 - VIP
whitelist overview (Yoon, 2010)
|
Very
important IP addresses (VIPs) are collected IP addresses from previous
successful applications logins to make a whitelist under normal network
conditions.
|
The VIP
or whitelist is installed on a perimeter network device and activated when a
DDoS attack is detected. White listing is similar to GEO protection however
instead of permitting or blocking based on country, the whitelist is permitted
based on previous successful user authentications.
 Figure 6 - CloudFlare
security services
|
Due to
the nature of internet users and public IP allocation, users can often be
assigned a new public address when connecting to the internet. Yoon observes
public IP addresses of client users do not change all that frequently however
when it does, the network address portion remains the same since most service
providers are allocated a static range and use a contiguous block. This can
be exploited to maximize the usefulness of the VIP list by introducing
network subnets to the VIP whitelist. (Yoon,
2010).
|
Figure 7 – Cloud security
services with CloudFlare. Retrieved January 2015, from
https://www.cloudflare.com/overview/overview.png. Copyright 2016 CloudFlare,
Inc.
Leading
cloud security services offer CAPTCHA, IP ACLs, GEO blocking, WAF, DNS
protection and analytics. According to Forrester Wave, cloud security, DNS and
CDN services are best provided by Prolexic (now Akamai technologies), CloudFlare
and CenturyLink (Holland & Ferrara, 2015).
At
minimum a single tier data centre design with VIP white listing should be used
for self mitigating small scale attacks. Multi-tier cloud security services and
CDN is recommended for large scale high attack bandwidth mitigation. DDoS
mitigation should be part of all businesses disaster recovery plans, be
implemented and tested prior to DDoS attacks and include monitoring for ongoing
detection (Florian, 2012).
Summary
Distributed
Denial of Service (DDoS) attacks present a real threat to the security and
reputation of industries across the globe. With more organisations and
businesses connecting critical infrastructure to the internet, the impact of
DDoS strikes is becoming increasingly prevalent. Mitigation strategies include
bandwidth defence, rate filtering, signature filtering, moving target, white
listing and cloud security services. At
minimum a single tier data centre design with VIP white listing should be used
for self mitigating small scale attacks. Multi-tier cloud security services and
CDN is recommended for large scale DNS and high bandwidth attack mitigation.
DDoS mitigation should be part of all businesses disaster recovery plans, be
implemented and tested prior to DDoS attacks and include monitoring for ongoing
detection.
References
Akamai Technologies, Inc. (2015). [state of the internet]
/ security Q3 2015 report. Cambridge, Massachusetts: Akamai Technologies,
Inc.
Akamai. (2014). Threats and Mitigations. A guide to
multi-layered web security. Retrieved from Akamai ebook guide to multi
layered web security: http://www4.akamai.com/dl/akamai/akamai-ebook-guide-to-multi-layered-web-security.pdf
Beitollahi, H., & Deconinck, G. (2012). Analyzing
well-known countermeasures against distributed denial of service attacks. Computer
Communications , 1312-1332.
Bhardwaj, A., Subrahmanyam, G., & Sastry, H. (2015).
Three Tier Network Architecture to mitigate DDoS Attacks on Hybrid Cloud
Environments. arXiv .
Florian, M. (2012). Simple ways to dodge the DDoS bullet. Network
Security , 18-20.
Gillman, D., Lin, Y., Maggs, B., & Sitaraman, R. K.
(2015). Protecting Websites from Attack with Secure Delivery Networks. Computer
, 26-34.
Holland, R., & Ferrara, E. (2015). The Forrester
Wave™: DDoS Services Providers, Q3 2015. Cambridge: Forrester Research,
Inc.
Hunter, P. (2003). Distributed Denial of Service (DDOS)
Mitigation Tools. Network Security , 12-14.
Iyengar, N., Banerjee, A., & Ganapathy, G. (2014). A
Fuzzy Logic based Defense Mechanism against Distributed Denial of Service
Attack in Cloud Computing Environment. International Journal of
Communication Networks and Information Security , 233-245.
Lin, S.-C., & Tseng, S.-S. (2004). Constructing detection
knowledge for DDoS intrusion tolerance. Expert Systems With Applications
, 379-390.
Mansfield-Devine, S. (2011). DDoS: threats and mitigation. Network
Security , 5-12.
Symantec Corporation. (2015). 2015 Internet Security
Threat Report. California, USA: Symantec Corporation.
Yoon, M. (2010). Using whitelisting to mitigate DDoS attacks
on critical Internet sites. IEEE Communications Magazine , 110-115.
