
Understanding Distributed Denial of Service (DDoS)

What is DoS?

DoS stands for Denial of Service: an attack on a specific website or service in which an adversary sends a huge number of requests from a single machine, overloading the server. An overloaded server is too busy serving the adversary's requests and drops legitimate requests from actual customers. In extreme cases the web server cannot handle the load at all and crashes, leading to an outage of the website. This is an old attack, and people have been exploiting it for decades. Stopping a single-source DoS attack is not extremely hard, and there are numerous mitigations for it (e.g. IP filtering, ingress filtering, request throttling). So these days no one talks much about DoS; what they talk about is DDoS (Distributed Denial of Service).

What is DDoS?

DDoS is a variant of DoS in which the adversary uses a huge number of machines, usually spread across geographic regions, to send requests to the web server, unlike traditional DoS where the attacker uses one machine or network to launch the attack. Each machine may send only a single request, but because so many machines are used, traditional mitigations like IP filtering become extremely hard for the web server to apply, and it is hard to tell whether a request comes from a legitimate customer. This is a very relevant attack: even after years of study we still see DDoS attacks in the news very frequently, and recent ones are increasingly sophisticated, often sending data at multiple terabits per second.

The anatomy of a DDoS Attack

A DDoS attack starts with the attacker compromising a set of devices or machines and taking them under their control. Once a device is compromised, the attacker installs malware on it that gives them remote control of the device. The device then acts as a bot (a slave device obeying the commands of its master), and the attacker builds a network of these devices, called a botnet. The botnet can follow a client-server model or be a peer-to-peer network. Designated master devices command the bots, which flood the website with requests. Since all of these devices are legitimate internet devices, it is extremely hard for the web server to tell their requests apart from those of a legitimate customer. A bot could be any device connected to the internet: other web servers, ordinary users' desktop computers, specialized servers on the internet (e.g. DNS servers, NTP servers and LDAP servers) or IoT devices (e.g. smart clocks, smart thermostats, smart refrigerators, washing machines, etc.).

Types of DDoS Attacks

DDoS attacks can be categorized by which layer of the OSI model the attack targets.

Application Layer Attack

This type of DDoS attack targets application layer (OSI layer 7) processes: the attacker sends a flood of requests to a website feature (e.g. the login form) to bring it down. An example is the HTTP flood, where the attacker sends a flood of HTTP POST or GET requests to the website.

Network Protocol Attack

This type of DDoS attack targets weaknesses in the network protocol layers of the OSI model. A common example is the SYN flood, where the attacker sends a flood of TCP SYN packets, the first step of the three-way handshake, to the web server. For each SYN the server initializes a connection and holds memory for it while waiting for the final ACK. Eventually it has no resources left to process TCP handshakes from legitimate customers of the website. The attacker can also target the resources of intermediate devices like firewalls and load balancers, which also maintain TCP connections in order to forward traffic to the end web server.

Amplification Attacks

In an amplification attack the attacker attempts to flood the available bandwidth between the web server and its customers. A common example is DNS amplification: the attacker sends a request to a DNS server, spoofing the packet's source address so that the response is addressed to the target. The DNS server sends its response to the target, believing the request originated there, and a flood of such responses overwhelms the target. The same pattern works with other intermediate protocols, e.g. a ping flood using ICMP ping responses, an NTP flood using NTP time servers, or a UDP flood that forces the target to reply to each packet with an ICMP destination unreachable message.
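The defender's view of the reflection pattern just described, as an added example that is not part of the original post: it scores constructed UDP flow records (documentation addresses, invented byte counts and thresholds) and reports hosts that receive far more from DNS/NTP source ports than they ever sent to those servers.

```python
"""Added example (not from the original post): the defender's view of the
DNS/NTP reflection pattern above, scored over constructed flow records."""
from collections import defaultdict

# Source ports of services commonly abused as reflectors.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 389: "LDAP"}

def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Bytes delivered to the victim per byte of spoofed request."""
    if request_bytes <= 0:
        raise ValueError("request size must be positive")
    return response_bytes / request_bytes

def find_reflection(flows, min_ratio=10.0, min_bytes=10_000):
    """Map (victim, service) -> bytes received from reflector ports that the
    victim never (or barely) queried.  A legitimate client shows matching
    outbound queries; a reflection victim shows inbound responses only.
    flows: dicts with src, sport, dst, dport, proto, bytes (assumed schema)."""
    inbound = defaultdict(int)   # (host, reflector, service) -> bytes received
    outbound = defaultdict(int)  # (host, reflector, service) -> bytes sent
    for f in flows:
        if f["proto"] != "udp":
            continue
        if f["sport"] in REFLECTOR_PORTS:     # reflector -> host
            inbound[(f["dst"], f["src"], REFLECTOR_PORTS[f["sport"]])] += f["bytes"]
        elif f["dport"] in REFLECTOR_PORTS:   # host -> reflector (a real query)
            outbound[(f["src"], f["dst"], REFLECTOR_PORTS[f["dport"]])] += f["bytes"]
    suspects = defaultdict(int)
    for key, rx in inbound.items():
        tx = outbound.get(key, 0)
        ratio = rx / tx if tx else float("inf")   # no query at all: infinite ratio
        if rx >= min_bytes and ratio >= min_ratio:
            host, _, service = key
            suspects[(host, service)] += rx
    return dict(suspects)

# Constructed flows (documentation addresses): 203.0.113.10 makes a normal DNS
# query; 198.51.100.7 receives DNS and NTP responses it never requested.
SAMPLE_FLOWS = [
    {"src": "203.0.113.10", "sport": 40000, "dst": "192.0.2.53", "dport": 53, "proto": "udp", "bytes": 64},
    {"src": "192.0.2.53", "sport": 53, "dst": "203.0.113.10", "dport": 40000, "proto": "udp", "bytes": 512},
    {"src": "192.0.2.53", "sport": 53, "dst": "198.51.100.7", "dport": 4444, "proto": "udp", "bytes": 3_000_000},
    {"src": "192.0.2.123", "sport": 123, "dst": "198.51.100.7", "dport": 4444, "proto": "udp", "bytes": 1_500_000},
]

if __name__ == "__main__":
    print(amplification_factor(64, 3072), find_reflection(SAMPLE_FLOWS))
```

The legitimate client is not reported because its inbound bytes are small and roughly match its own query; the victim is reported once per reflecting service.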

DoS (Denial of Service) can also result from a non-malicious, internal cause, such as misconfiguration or human error. I will discuss this a bit in a later section.

Alleviations and Guidelines to Protect Yourself

Implementing manual mitigation alone is usually not recommended, as it is hard to sustain and the attacker usually circumvents the protections. Generally, the process of mitigating a DDoS attack can be thought of as a cycle whose stages feed into each other:

  1. Absorption – Whatever the network, it must be able to absorb a burst of traffic; without that it goes down within a very short period, limiting the ability to detect and analyze the attack. This is usually achieved by increasing network throughput to handle very large volumes of requests or data (multi-Tbps), spread across multiple geographic locations so that the attack traffic is dispersed. It is worth noting that standing up and maintaining such a network is usually not economically feasible for a mid-size company.
  2. Detection – This is the most important part of the process: detecting any deviation in the traffic flow. This is done by studying changes in the traffic pattern, which first requires knowing what normal traffic looks like. It is also useful to know whether a change in traffic is expected, for example during the holiday season, and if so by what factor. Incoming traffic can also be examined to distinguish a human from a human-like bot by looking at HTTP headers, IP addresses, cookies, etc. Artificial Intelligence algorithms can play a significant role in this analysis. Additionally, the detection model must continuously evolve to detect new forms of attack and the workarounds attackers use.
  3. Traffic Diversion – Once a DDoS attack is detected, the first action is to divert the traffic for filtering, or to divert it to a “black hole” network (null routing) where it is fully discarded. The two most common diversion techniques are DNS routing, mostly used with always-on monitoring and most effective against application layer attacks, and BGP routing, which is usually activated manually and is effective against both application and network layer attacks.
  4. Filtering – The traffic that was not discarded is then filtered to identify the sources of the DDoS by analyzing the packets, sources and signatures. The goal is to minimize the impact on customers and get the service up and running again in the shortest possible time.
  5. Analysis – Once the DDoS attack is mitigated, the security response team performs a full RCA (Root Cause Analysis), going through the logs and consulting other partners to identify the source and put new mitigation steps in place. The outcome feeds back into the detection stage described above.
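Steps 2 and 4 of the cycle above (baseline deviation, expected seasonal factor, header heuristics, then candidate sources for filtering) as an added example that is not part of the original post: it runs over constructed HTTP access log lines with documentation addresses, and the baseline, deviation multiplier and share thresholds are assumptions.

```python
"""Added example (not from the original post): steps 2 (detection) and 4
(filtering) of the cycle above, run over constructed HTTP access log lines."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Combined log format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

def parse_line(line):
    """Return ip, minute bucket and user agent, or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "minute": ts.replace(second=0), "ua": m["ua"]}

def detect(lines, baseline_rpm, seasonal_factor=1.0, deviation=5.0, top_share=0.2):
    """Return (flagged_minutes, filter_candidates).  A minute is flagged when it
    exceeds baseline * seasonal_factor * deviation requests; within flagged minutes,
    IPs carrying >= top_share of the load or sending an empty User-Agent are listed."""
    per_minute = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        per_minute[rec["minute"]].append(rec)
    threshold = baseline_rpm * seasonal_factor * deviation
    flagged, candidates = [], set()
    for minute, recs in sorted(per_minute.items()):
        if len(recs) <= threshold:
            continue
        flagged.append(minute.strftime("%H:%M"))
        empty_ua = {r["ip"] for r in recs if r["ua"] == ""}   # header heuristic
        for ip, n in Counter(r["ip"] for r in recs).items():
            if n / len(recs) >= top_share or ip in empty_ua:
                candidates.add(ip)
    return flagged, sorted(candidates)

def _line(ip, ts, ua="Mozilla/5.0"):
    return f'{ip} - - [{ts}] "GET /login HTTP/1.1" 200 512 "-" "{ua}"'

# Constructed sample (documentation addresses): baseline is 2 requests/minute;
# at 10:01 two hosts hammer the login form, one of them with no User-Agent.
SAMPLE_LOG = (
    [_line("203.0.113.5", "05/Mar/2021:10:00:10 +0000"),
     _line("203.0.113.9", "05/Mar/2021:10:00:40 +0000"),
     _line("203.0.113.5", "05/Mar/2021:10:01:30 +0000")]
    + [_line("198.51.100.7", f"05/Mar/2021:10:01:{s:02d} +0000", ua="") for s in range(0, 60, 10)]
    + [_line("198.51.100.8", f"05/Mar/2021:10:01:{s:02d} +0000") for s in range(5, 60, 10)]
)
```

Calling `detect(SAMPLE_LOG, baseline_rpm=2)` flags 10:01 and proposes the two bursting hosts; passing `seasonal_factor=2.0` models an expected holiday surge and the same minute is no longer flagged.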

In addition to these, one of the major factors is network throughput. A scalable network that can handle multi-Tbps traffic generally proves helpful during an attack, but it comes with cost and maintenance. To meet this requirement there are many offerings on the market that do a good job of protecting you. Let’s go through some of them.

Infrastructure services provided by cloud providers

All the major cloud providers offer out-of-the-box DDoS protection, and you can add features on top of the standard offering to build more robust protection. Here is what some of the major cloud service providers offer.

AWS (Amazon Web Service)

AWS Shield is the managed DDoS protection service provided to all AWS customers by default; the standard tier protects the network and transport layers. At additional cost, customers can buy further protections: live traffic monitoring with anomaly detection, custom rules and filters managed through the web application firewall, advanced heuristics-based routing, and a dedicated response team. The enhanced protection also covers common application layer attacks like HTTP floods and DNS query floods. You can configure a range of AWS services such as AWS WAF, Amazon CloudFront, Elastic Load Balancing (ELB) or Amazon Route 53 together with AWS Shield to achieve comprehensive detection and protection against almost all known DDoS attacks. This link provides a side-by-side comparison of the feature sets and pricing models of the free standard and paid versions of AWS Shield.

Microsoft Azure

Like AWS, Microsoft Azure provides a set of services for DDoS protection, and it also comes in two flavors: a free standard version and a paid version. The offerings are integrated with the VNet features provided by Azure. The free standard protection is enabled by default on all public IPv4 and IPv6 addresses and provides always-on traffic monitoring with automatic mitigation. The monitoring compares traffic patterns against a set of defined parameters and thresholds and, if a deviation is found, automatically initiates DDoS mitigation measures. It protects against the most common DDoS attacks, such as DNS flooding. The paid service protects against network and application layer attacks on resources deployed in the VNet, collects comprehensive telemetry for dashboard monitoring and alerting, and provides application layer protection using the Application Gateway WAF and custom filtering rules. The overall infrastructure is designed to withstand an attack of over 25 Tbps. Azure also provides service credits for costs incurred during a known DDoS attack, so customers are insured against exorbitant bills caused by these attacks. It also integrates with external third-party protection services (e.g. Barracuda, F5 Networks, Incapsula) through its marketplace.

GCP (Google Cloud Platform)

The Google Cloud Platform DDoS offering is called Cloud Armor. It provides standard DDoS protection for customers through its integration with GCP's HTTP(S) and proxy load balancing, which lets the infrastructure absorb and mitigate most network-level attacks, e.g. SYN floods. It allows you to whitelist IP addresses, configure policies and create custom rules for traffic filtering. For additional protection, customers can use a CDN to absorb the increased flow of traffic and disperse it across other geographic regions during an attack. GCP also integrates well with external third-party vendors (e.g. Cloudflare, Incapsula) to provide more comprehensive DDoS solutions. We will discuss some of these third-party solutions in the section below.

About Post Author

Indian Cyber Troops
