Last week I presented a webinar demonstrating a live distributed denial of service (DDoS) attack. The presentation walked attendees through the entire process from beginning to end. I showed everyone how an assailant might initiate an attack, and by doing so we were able to see the impact on the target in real time. The presentation concluded with a roadmap to DDoS preparedness. I’ve summarized some of the more critical concepts covered in the webinar in this article. You can also watch the complete webinar recording below.
Attacker motivations and capabilities
Attackers can range in capabilities from a single “lone wolf” on one end of the spectrum to organized crime or even nations at the other end. In the webinar, our attacker was a lone wolf who made money from extorting people with DDoS attacks. To protect himself, he used Bitcoin to hide the transfer of money.
The attacker had fairly modest capabilities with a very small botnet of just 50 nodes. However, with those 50 nodes he was able to launch attacks of up to 5 Gbps and 5M packets per second. To get a sense of scale, consider that the BredoLab botnet launched a DDoS attack in 2010 using over 200,000 nodes. According to some DDoS experts, there were 25 attacks that exceeded 100 Gbps in the first quarter of 2015.
Quickly identifying DDoS risk areas
Often the first step in DDoS reconnaissance, something we do a lot of at my company, NimbusDDOS, is to review the target website looking for high-risk components. Of particular interest to an attacker is any content that is dynamically generated or pulled from a database. By targeting dynamic content, an attack is more likely to pass through a CDN provider and impact the backend servers. Similarly, requests for resources that are likely to be CPU intensive are frequently targeted because they are more efficient for the attacker. Common HTTP(S) application layer attack targets often include:
- Login functionality
- Search functionality
- Any web form
- Large image or document objects not hosted on a CDN
An attacker will also use port scanners to automatically look for target networks that run susceptible services. A port scanner is simply a tool that lets someone probe a network and get a list of what services are accessible from the internet. A variety of these tools are available for free (nmap is very good), and they are valuable tools for your own security audits. Of particular note is the speed with which a port scanner can probe a network. A modest server can scan a host in under a second, and an entire /16 network in 12 hours. The takeaway message is that hoping an attacker doesn’t find you is foolhardy.
To expand the list of potential targets an attacker invariably investigates ancillary services that are critical to the operation of the target. Although the target may be heavily defending their web server, they may be leaving other less obvious components exposed. In the webinar, the target hostname was hosted on a less heavily fortified DNS server, and it was this weak point that the attacker targeted. When reviewing DDoS defenses it’s always important to be aware of all components of the environment, and take note of any unprotected areas. It’s these weak links that will fail during a DDoS attack.
The impact of DDoS attacks
In the webinar scenario, the target website became unreachable within 10 seconds of the initiation of the DDoS attack traffic. The specific attack used was an application layer UDP DNS request flood targeting the DNS server hosting the target hostname. The degradation lasted for the duration of the DDoS attack traffic, and continued for a brief period after the attack, as the Linux kernel slowly removed pending requests from the overwhelmed connection tracking table. It’s important to note that this DDoS attack required just five minutes of quick investigation of the target network, and only a few seconds to initiate an attack and see its effects. The webinar video emphasizes just how fast this can occur.
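To make the scenario above measurable from the defender's side, here is an added example (not code from the webinar or from NimbusDDOS) that runs simple flood detection over constructed DNS query-log lines. It assumes a BIND-style query-log layout and the thresholds shown; it also counts the distinct src:port UDP flows in the burst, which is what fills the connection tracking table and keeps the server degraded for a while after the flood ends.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in an assumed BIND-style query-log layout (adjust LINE_RE to your
# resolver). Two ordinary clients, then a one-second burst: 3 sources x 250 queries each.
LEGIT = [
    "05-Jun-2015 10:15:00.120 client 192.0.2.10#51234: query: www.example.com IN A + (198.51.100.1)",
    "05-Jun-2015 10:15:00.480 client 192.0.2.11#40001: query: mail.example.com IN MX + (198.51.100.1)",
    "05-Jun-2015 10:15:02.910 client 192.0.2.10#51235: query: www.example.com IN AAAA + (198.51.100.1)",
]
FLOOD = [
    f"05-Jun-2015 10:15:01.{ms:03d} client 203.0.113.{n}#{20000 + ms}: query: "
    f"www.example.com IN A + (198.51.100.1)"
    for n in (7, 8, 9) for ms in range(0, 1000, 4)
]
SAMPLE_LOG = "\n".join(LEGIT + FLOOD)

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client "
    r"(?P<src>[0-9a-fA-F.:]+)#(?P<sport>\d+): query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def analyze(log_text, per_source_qps=100, total_qps=500):
    """Bucket queries into one-second windows; report sources whose peak rate exceeds
    per_source_qps, the busiest second overall, and the number of distinct src:port UDP
    flows. Each flow is a conntrack entry that lingers for nf_conntrack_udp_timeout
    (30 s by default) after the last packet, so the table drains only slowly."""
    per_sec_src = Counter()   # (second, source) -> queries in that second
    per_sec = Counter()       # second -> total queries in that second
    flows = set()             # distinct (source, source port) pairs
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue          # not a query line
        sec = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f").replace(microsecond=0)
        per_sec_src[(sec, m["src"])] += 1
        per_sec[sec] += 1
        flows.add((m["src"], m["sport"]))
    peak_by_src = defaultdict(int)
    for (sec, src), n in per_sec_src.items():
        peak_by_src[src] = max(peak_by_src[src], n)
    peak_total = max(per_sec.values(), default=0)
    return {
        "hot_sources": {s: n for s, n in peak_by_src.items() if n > per_source_qps},
        "peak_total_qps": peak_total,
        "total_flood": peak_total > total_qps,
        "conntrack_flows": len(flows),
    }
```

Running `analyze(SAMPLE_LOG)` flags the three burst sources, reports 750 queries in the busiest second, and counts 753 flows that would each occupy a conntrack slot.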
The first reaction of most admins is to block a DDoS attack at network ingress points using a firewall or an IDS. The challenge with this approach is that it’s a substantial administrative burden as it requires admins to become experts in DDoS attacks. Additionally, blocking the attack once the traffic has already traversed your internet circuits may not help. The key is to block traffic before it traverses your circuits as far upstream as possible.
Cloud elasticity — If you live in the cloud you may be able to leverage the elasticity of the cloud to handle the DDoS traffic. Amazon recommends this for dealing with DDoS attacks. The challenge is that most cloud scaling strategies are not instantaneous. It may take hours to scale up to meet the traffic demand. In addition, it may not even be possible with some applications, specifically those that use a monolithic database. Eventually this strategy also DDoSes your wallet since the scale-out resources aren’t free.
On-premises protection — Another common approach is to use an on-premises DDoS mitigation device. This approach requires that you have in-house DDoS expertise as well as network capacity sufficient to handle the DDoS attack. As a reminder, blocking a DDoS attack once it has traversed your internet circuit is not terribly effective; you want to do that upstream.
Using a CDN — A clever solution, used by the example company in the webinar to partial effect, is to hide behind a CDN. Since a CDN acts as a large proxy on a large network, you can basically use their resources to protect yourself against most bandwidth and protocol attacks. The big caveat, however, is that it won’t help you against application layer attacks unless the CDN specifically offers a DDoS mitigation service along with its CDN offering.
DDoS scrubbing services
For most organizations, the best approach is to use a dedicated DDoS scrubbing service to filter the traffic on the vendor’s network before it even reaches the organization. These services are usually offered in two flavors:
- Proxy-based that anyone can use
- BGP-based for those using BGP
If the option is available, the BGP solution is much more complete and fully protects the backend servers. The services provided by Incapsula fall into this category, providing dedicated DDoS mitigation on top of a CDN platform.
Building a roadmap to DDoS preparedness
Identify DDoS Risk Areas — To create a DDoS strategy it’s important to first understand the DDoS risks within an environment. You can do this by reviewing the network environment with the mindset of a potential attacker. This isn’t unlike what was done in the webinar by the attacker, but is much more exhaustive covering all IT resources including third parties that provide critical services. This isn’t a vulnerability scan, but serves a similar function with a focus on DDoS.
Simulate DDoS Attacks — Once the risk assessment is complete, the data should be validated with simulated DDoS attacks. These simulations will help determine the exact impact of an attack targeting each of the risk areas. It will also take what may be a hypothetical risk and make it more concrete by collecting performance data and other metrics to quantify impact.
Create a DDoS Strategy — After completing the previous steps, all the data can be consolidated to craft and implement a DDoS mitigation strategy. The data collected can help you make informed choices about which mitigation solution to use and how it may be implemented to most effectively protect the environment. The strategy may go beyond simply selecting a mitigation vendor, and include processes and procedures to be used by an IT organization during a DDoS attack.
Training and Retesting — Complete protection from DDoS attacks requires a proactive commitment from an organization. As environments and infrastructure change, it’s important that DDoS risks be considered just as other areas of information security typically are. Something as simple as a code change may introduce a new DDoS attack vector.
You can check out our full video recording of the webinar for more details. Leave me a comment and I’ll be happy to answer your questions about DDoS.