DDoS attacks are familiar territory for our team, but they can be frustratingly abstract for many network ops teams. In fact, it’s often difficult to recognize an attack when it’s in progress. And furthermore, few people know what to do when their website is under attack.
Recently we hosted a webinar to show what a real-time DDoS attack looks like from different perspectives: the attacker, the target, and the admin team. The entire presentation is available here: Gain Insights Into a DDoS Attack.
We also received a lot of questions from the audience and wanted to share some of them with you.
Q: You show this attack on one machine. Can it also work on high performance targets?
A: In our demo it took only one bot to bring down a single database. But yes, the more capacity a web application has, the more resources it will take to bring it down. That’s why attackers will make botnets as large as possible.
Customers have shared DDoS threat extortion notes with our support team, stating they have tens of thousands of bots at their command. Botnets for hire is another interesting trend we saw recently. Here, attackers offer cheap DDoS services to whoever pays them.
This creates a snowball effect: DDoS is economical for bot herders, granting them more resources to enhance their botnets and launch attacks capable of higher damage.
Q: Do all attacks actually require a botnet in order to succeed?
A: Not necessarily. There are other kinds of attacks, mostly volumetric ones called amplification attacks. In these situations, the attacker uses the service of legitimate servers instead of botnets by sending a request for information from a server. The source IP of the request is spoofed so that the response is directed to the attack victim. The more the servers respond to a request, the greater the amplification rate and the more effective an attack becomes.
Q: Which mitigation methods can web admins use to protect our sites from DDoS?
A: Incapsula has a comprehensive solution for protecting websites and assets from a wide variety of DDoS attacks. The solution is fully cloud-based and our service can be deployed with a simple configuration change in the DNS server. Once the service is configured, traffic is redirected to our firewall prior to reaching the origin server. Our WAF filters DDoS traffic by using a sophisticated set of rules and challenges to identify whether it is a bad bot or a legitimate client trying to access a web server. You can find a more detailed answer on our website.
Q: Can you explain in more detail why ISP “clean pipes” isn’t good for layer 7 attacks?
A: When mitigating layer 7 attacks, it’s critical that a DDoS mitigation provider examine all the content in the data stream. This can be an issue with ISP clean pipe providers, specifically if you use HTTPS on your website. Since HTTPS encrypts the data, the ISP has limited information to make its mitigation decision unless you also give it the encryption keys. For a CDN or a proxy-based scrubbing service this isn’t an issue because they’ll have appropriate encryption keys for your websites.
Q: Can you explain how a DDoS risk assessment is different than vulnerability scans? They sound the same to me, but I’m not a techie.
A: They are similar in some ways. Both review your resources to detect issues before an attacker finds them. The main difference is that vulnerability scans are looking for areas where an attacker can gain access to your data. Usually this is through software bugs or misconfigurations. In a DDoS risk assessment we look for areas that are likely to be more susceptible to a DDoS attack. For instance, a login form on a website may be very secure, but due to inefficient coding it may be easily attacked and taken offline.
Q: What do you see as the emerging threats?
A: The short answer is that attacks are going to continue to grow in size. Fifteen years ago, a large DDoS was 100 Mbps (megabits per second). Last June we measured a large attack at 470 Gbps (gigabits per second). I suspect we will see our first 1 Tbps attack within the next five years. I also think that DDoS will continue to move from lone wolf-style attacks to more organized attacks by hacktivists and criminal gangs. Finally, I believe the attacks on financial institutions will become more damaging. Right now the objective of these attacks is to embarrass or extort money, but I expect to see targeted DDoS attacks that disrupt financial transaction systems and damage financial markets.
Q. What’s the difference between layer 7 attacks and volumetric attacks?
A. The main difference between the two is that volumetric attacks are directed at IT infrastructure. In most cases, the first victims of such attacks are the network devices where any legitimate traffic is blocked and the total bandwidth consumed very quickly.
Volumetric attacks come in two flavors: bandwidth and packets per second. Bandwidth is measured in traffic to a site. When we talk about PPS or packets per second attacks, the goal is to overwhelm the maximum connections that a network device can hold.
Q. It’s pretty easy to block an attack via Layer 7, just use something like Nginx and set up rules to block user agents and such. And use simple IP rate limiting software, right?
A. This may be true for small and novice attacks. But in reality it proves ineffective against most attacks that we see in our network.
Attackers customize user agents to match any client they want such as web browsers, GoogleBot and mobile Android browser. For example, in our latest Global DDoS Threat Landscape Q1 2016 report, we saw that 30.7 percent of the attacks deployed Internet Explorer user agents.
IP rate limiting may work when there are only a few attackers. When there are a lot of attackers, it will be extremely difficult or ineffective.
There can be attacks that will cause DoS even though they do not cross the thresholds you set because of different reasons including vulnerabilities in web servers, database implementation, and the like.
Lastly, we’ve seen some overwhelming high capacity Layer 7 attacks lately that would probably saturate your resources even on Layer 7.
That’s it from us. Please check out the video recording of our webinar below, Gain Insights Into a DDoS Attack. If you have any other questions for us, please leave us a comment.