Your Questions About DDoS Simulation, BGP and Attack Vectors Answered

We’ve received many questions about DNS, DDoS, BGP, and attacks after our recent webinar, “DDoS LIVE: Watch as a DDoS expert performs a live attack,” presented by Andy Shoemaker of NimbusDDOS and Nabeel Saeed of Imperva Incapsula. Here are their responses to your questions.

Watch Andy Shoemaker perform a live DDoS attack in the video below:

  1. How can Incapsula help with DNS DoS, like what we saw demonstrated in the webinar?

Saeed: DNS floods and other volumetric assaults require scrubbing capacity large enough to absorb attack traffic, which can be hundreds of times larger than an organization’s network link. Incapsula protects against these kinds of threats by deploying its multi-terabit network in front of the organization’s DNS authoritative server.

With our Name Server DDoS Protection deployed, Incapsula becomes the destination for all DNS queries. Each is scrubbed on its way to the origin.

  1. What are the drawbacks of BGP protection?

Shoemaker: First, it’s no small undertaking for an organization to use BGP. It’s common (and required) for multi-homed organizations, but less common for single-homed and small entities. Aside from this, the major BGP-based mitigation limitation is that the minimum announcement size is a /24 network (255 IP addresses). So even if a single IP is targeted, mitigation requires routing a larger block of addresses through the scrubbing center. The significance of these drawbacks is organization-specific, and what makes sense for one company may not be a good solution for another.

Saeed: In most configurations, another BGP protection limitation is it doesn’t filter out application layer attack traffic. The protection scheme should be complemented with a proxy-based solution that can inspect encrypted traffic and drop suspicious packets.

Also, since BGP protection, as Andy mentioned, works by placing an entire /24 network on the scrubbing service, added traffic latency is usually a factor. Therefore it’s advisable to use on-demand deployment. This ensures that latency is kept to a minimum by routing traffic through additional hops only when the network is under attack.

But there can be edge cases where the network always-on protection is desired. Where time-to-mitigation simply can’t be put at risk, organizations are willing to accept any latency incurred by an always-on deployment.

  1. Comparing IPv4 and IPv6 attacks, are there differences in technique, effectiveness and the mitigation method?

Shoemaker: Many DDoS fundamentals are common across IPv4 and IPv6. For instance, IPv4 doesn’t significantly change most volumetric, protocol or application layer DDoS attacks. One potential concern with IPv6 is that the target organization (or its mitigation vendor) may have less IPv6 capacity. Additionally, threats against a mixed IPv6/IPv4 environment might place excessive load on NAT translation devices, potentially exacerbating a DDoS assault in those environments.

  1. Regarding layer 7 and BGP infrastructure protection, can attacks be filtered via GRE tunnels, or can a tunnel forward layer 7 to its destination without filtering?

Saeed: We’re developing a technology that’ll let us automatically detect encrypted traffic and forward it to a parallel proxy, all the while scrubbing network layer traffic at the data center.

Since BGP-based protection doesn’t filter layer 7 attack traffic, it should be complemented with a proxy-based solution that inspects encrypted traffic and drops suspicious packets.

  1. Is it possible to protect other applications, like SSH or database ports?

Shoemaker: The best practice is to not make SSH, RDP and database access Internet-accessible. Generally, internal and administrative services like these should be performed on the local LAN, or through secure private connections and VPNs. That said, DDoS scrubbing services can monitor and protect these protocols, provided they support the given protocol. This is likely not possible with proxy-based mitigation, but with a BGP/routed mitigation strategy, the vendor is able to apply similar protection strategies as with other protocols.

Saeed: Where BGP-based deployment isn’t possible, Incapsula IP Protection service lets organizations guard specific IPs from network layer DDoS attacks. IP Protection can protect a full range of assets, such as websites, DNS servers, SMTP servers and any other IP-based application. It works for any equipment that supports GRE tunneling, including routers, firewalls and even Linux servers.

  1. Is an assault that doesn’t randomize its IP blocked by default, or is it necessary to establish iptable rules?

Shoemaker: To block a non-spoofed attack from a Linux host, an administrator needs to manually create iptable rules. With a large botnet this may be unrealistic, and for spoofed traffic it’ll have no effect.

  1. Please explain why a firewall can’t be a mitigation method.

Shoemaker: Volumetric attacks exploit a bottleneck upstream of any firewall. Imagine a network where its firewall has a 1 Gbps connection and can process 10 Gbps of traffic. If a perpetrator runs a 5 Gbps volumetric attack, its traffic tries to fit through the pipeline, but can’t because it’s insufficient. As a result, the ISP discards 4 Gbps of the packets before they reach the firewall.

Additionally, on-prem solutions have a limitation in their ability to scale. Today a large DDoS attack might be 100Gbps. To handle it, an organization would need a firewall capable of handling 100 Gbps and internet circuits matching that size. But if the perpetrator increases its capability to 150 Gbps, the organization would need to upgrade its firewalls and circuits once again.

  1. Which strategies work best to thwart DDoS mitigation deficiencies?

Shoemaker: I’m hesitant to say that there is one single DDoS solution; a silver bullet doesn’t exist. But some work better than others—specifically solutions that function upstream of the target. This includes scrubbing services, CDNs, and, to a lesser degree, “clean pipes” providers. An organization’s risk profile and infrastructure determines which is best.

  1. How does Incapsula mitigate layer 7 DDoS attacks, which you state is a CDN deficiency?

Shoemaker: I’ll let Nabeel speak to this; my comment in the webinar was related to traditional CDN suppliers. Vendors who have more advanced layer DDoS mitigation on top of their CDN are well positioned to thwart application layer attacks, for they can see all the traffic filtered by their proxies.

Saeed: Layer 7 threats target applications; they can be more complex and harder to mitigate than network layer attacks. Incapsula CDN is a secure proxy using client classification technology to validate the identity of all traffic sources. It uses a multilayered, security heuristics approach in identifying humans, good bots and bad bots. It includes:

  • Client classification
  • Visitor whitelisting and reputation
  • Web application firewall
  • Progressive challenges
  • Behavioral anomaly detection
  1. What is the strategy to protect against zero-day DDoS attacks?

Shoemaker: I think it’s most important to partner with an organization that provides timely intelligence. For most IT teams, the challenge is that DDoS isn’t their business, so they aren’t up-to-date with current risks and developments in the attack landscape. It’s similar to the vulnerability or exploitation landscape, where it can be a full time job to keep up with emerging threats.

  1. Does the cloud solution provide layer 7 inspection?

Saeed: Effective mitigation entails accurate filtering of malicious DDoS traffic without impacting legitimate visitors. Layer 7 visibility does exactly that by offering granular data to a security solution. It distinguishes legitimate users from bad bots.

Our traffic inspection technology uses behavioral and reputational analysis, rate-based heuristics, and a series of transparent and progressive client interrogation challenges. Together this combination weeds out even the most sophisticated DDoS bots, with no impact to legitimate visitors.

  1. How would you scale scrubbing capacity on your premises, since it isn’t feasible to proxy out custom ports and bigger networks on cloud solutions?

Saeed: It is in fact feasible to protect custom ports and bigger networks via a proxy solution. For example, Incapsula Infrastructure Protection services secures custom ports and large networks, regardless of if they are multiple C-class ranges or individual IPs.

In the event of an attack, traffic is routed through Incapsula scrubbing centers using BGP announcements. From that point on, Incapsula acts as the ISP and advertises all protected IP range announcements. Incoming packets are inspected, with only legitimate traffic being securely forwarded to the enterprise network via GRE tunneling.

  1. Is the NimbusDDOS platform open source or a commercial product? If the latter, what does it cost?

Shoemaker: NimbusDDOS simulates DDoS assaults. It’s a proprietary platform my engineers and I have built that uses public cloud resources to perform DDoS attacks — analogous to a botnet. If any readers would like to discuss DDoS testing, or need help developing a strategy, I invite them to please contact me.

  1. Which recon commands did you use in your attack?

Shoemaker: The commands used to initiate the DDoS attack are proprietary and part of the NimbusDDOS platform.  The reconnaissance portion, however, used the following open source tools:

nmap: an open source port scanner (nmap.org)

dig: a well-known DNS utility, created by the ISC as part of Bind

curl: a common command-line web browser. It’s open source and available for most Unix-like systems.

  1. What is the source for start_attack.sh and stop_attack.sh?

Shoemaker: The scripts aren’t of much interest, and simply are used to send a start command to the NimbusDDOS attack nodes instructing them to initiate an assault. The actual magic happens within the attack platform, with its code being proprietary.

  1. At what speed are the simulated assaults from NimbusDDOS carried out?

Shoemaker: We’ve done attacks over 100 Gbps, but our platform is so flexible that we can perform them down to 100 Mbps. We use this as a tool to answer questions our customers have about the effect of DDoS in their environment.

  1. Is it possible to perform a DDoS attack simulation for a prospect before purchasing?

Shoemaker: NimbusDDOS is pleased to help any organization develop a DDoS strategy and assess their current environment. Reiterating what I said in the presentation, a simulation may be helpful in proving to managers that a problem exists and should be addressed. To that end, our services are complementary to those of Incapsula.

Do you have more questions for us? Please leave us a note in the comments or email us at blog@incapsula.com.

Keep your finger on the pulse

Sign up for updates from Imperva, our affiliated entities and industry news.