DDoS Attacks and Defense Mechanisms
In a Denial of Service (DoS) attack, an adversary prevents internet users from getting access to some service or information. DoS attacks began in Internet Relay Chat (IRC) channels. Back then, attackers used them to knock users off an IRC channel. DoS tools have evolved a great deal in the past few years, and evolved into distributed denial of service attacks (DDoS) by using multiple agents, from multiple locations. The attack mechanisms have pretty much stayed the same, which usually fall into one of the following two categories:
- vulnerability attacks
- flooding attacks
In this blog post we will take a look at DoS and DDoS attacks and Instart Logic’s defense mechanisms against them.
In vulnerability attacks, adversaries take advantage of a vulnerability in the software to crash it and deny service to legitimate users. Vulnerability attacks have been common for quite a while. For example, in the 90s attackers exploited vulnerabilities in Windows’ TCP/IP stack by crafting and sending packets that would make the system run out of memory. Their goal in launching these attacks was simply to knock IRC users off the channel by crashing their systems.
Even though software gets continually patched and updated, new vulnerabilities are discovered every day. However, the difficulty of finding vulnerabilities and crafting the packets to launch the attack have made flooding attacks a more popular alternative.
The idea behind a flooding attack is quite simple : attackers send many requests to a target service, which attempts to track each of the requests as a transaction. As the flood of packets keeps coming in, the targeted resources get depleted and can no longer respond to legitimate traffic. Flooding attacks are divided into two categories:
- volumetric or Layer 3/4 attacks that target the network infrastructure
- application layer or Layer 7 attacks that target the web server
Flooding attacks have been the most successful and prevalent type of attacks in past few years. The distributed nature of the attacks, along with the sheer quantity of agent machines, make it impossible for any defense mechanism to discern a specific attacker. Employing IP Spoofing techniques makes flood traffic look as if it's coming from various different sources and makes it very hard to block.
These attacks sometimes target bandwidth, and other times target routers, load balancers and firewalls. They get measured as bits per second or packets per second. Some specific volumetric attacks are:
- DNS reflection attack – the attacker sends DNS requests to third-party DNS servers, while spoofing the source IP address and pretending that the requests came from the victim. The requests that the victim sends usually involve amplification – meaning the requests will result in a much larger response. An example is a DNS ANY request, which ask the DNS server for all information that it currently knows about the domain – where the mail servers are (MX records), what the IP addresses are (A records), and so on. This maximizes the size of the response sent to the victim. When the DNS servers send their disproportionately large response to the spoofed source, it results in a huge amount of traffic flooding the victim.
- SYN flood attack – the attacker sends a flood of SYN packets to the victim’s server while spoofing the source IP address, pretending to be sent from someone else. The victim’s server sends back the SYN-ACK message to the sender and never receives an ACK message. The half-open connections created on the server eventually cause the server to run out of resources, making it unable to respond to any requests, including legitimate requests.
- Smurf attack – the attacker uses specially-crafted packets with the victim’s IP as the source IP and sets the destination to the broadcast address of a large network. All of the responses from all of the hosts on that network get sent back to the victim, overwhelming their network and servers.
Application Layer DDoS Attacks
Application layer attacks happen with the goal of disrupting transactions or accessing a database by sending a lot of seemingly legitimate requests on Layer 7. The attack traffic looks very similar to legitimate traffic and it makes it extremely difficult to mitigate these attacks.
AppShield from Instart Logic
AppShield Security Suite offers defense mechanisms against all kinds of DDoS attacks.
Leveraging Anycast technology, our global network of datacenters can mitigate against large volumetric attacks. The global network inherently defuses large DDoS attacks that are commonly seen, especially during holiday shopping seasons. During the 2015 Black Friday shopping season we successfully mitigated a 110Gbps attack without any problems. We have also partnered with Verisign, one of the world’s largest scrubbing centers, which can scale on demand to provide customers with an extra level of protection.
AppShield helps customers mitigate Layer 7 attacks both through our partnership with Verisign and also using a variety of defense mechanisms such as:
- Web Application Firewall rules enable customers to block attack traffic and protects against server-side vulnerabilities
- Managed Security Service provides customers with security operations center that monitors their web application 24/7 and identifies and blocks all security threats
- IP/User Agent/Geo location blocking and throttling enables customers to block or throttle traffic from any IP addresses, User Agents or geographical locations they have identified as malicious
- IP Reputation Feed allows our customers to use IP Reputation data to block/throttle traffic from low-reputation sources
- Bot or Not identifies traffic originating from non-legitimate clients and blocks or throttles it. Bot or Not is powered by our Nanovisor technology which gives us intelligence about the browser, device and application behavior.