A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt normal operations by stopping the entry of legitimate users. It brings down networks, Web-based applications, or services by overwhelming these resources with a large amount of data or compromising them in some other way.
Download this free ebook and explore the best ways to mitigate DDoS attacks.
For more information on DDoS Simulation, write to: info@qos.co.in
2. What is a DDoS Attack?
A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt normal operations by stopping the entry of legitimate users. It brings down networks, Web-based applications, or services by overwhelming these resources with too much data or compromising them in some other way.
Did you know? According to Radware, DDoS attacks don't require acres of bandwidth to disable your website. In fact, 76 percent of attacks are less than 1 Gbps and 32 percent are less than 10 Mbps.
3. How does DDoS work?
Distributed Denial of Service attacks occur when a cyberattacker floods the website and/or Internet-facing business apps with so much traffic that the page is no longer able to respond.
DDoS mitigation is a set of techniques for blocking a DDoS attack – it seeks to make businesses resilient to such attacks. A DDoS mitigation service is designed to detect, monitor and block DDoS attacks.
Web browser requests can be easily faked. Without a proper mitigation system, a system can become entirely unresponsive, as huge floods of traffic, whether legitimate or not, cripple the server.
[Figure: Case 1, without DDoS mitigation service: attack traffic and legitimate traffic from the Internet both reach the server. Case 2, with DDoS mitigation service: an anti-DDoS layer in the traffic path drops the attack traffic and passes only the legitimate traffic.]
www.qostechnology.in info@qos.co.in
4. Did you know? The top 3 attacking countries account for almost 57% of total DDoS attacks. Source: Incapsula.com
DDoS Overview: Amplifications; Low & Slow DDoS; Attacker Notions; DDoS Flood Attacks.
5. Amplifications
- Millions of sweet spots (like PCs with open DNS resolvers, etc.)
- Open market to hire botnets
- 14 prevalent protocols on the Internet are amplification-prone
The DDoS attack vector gets more lethal when it is launched using protocols that have the characteristics of Amplification (the multiplier that amplifies the ingress traffic when rendered on the traffic flow path) and Reflection (the attacker "A" spoofs itself to be a legitimate host "B", say the www.abcBANK.com web server, and generates requests like DNS queries, NTP monlist, etc. towards DNS or NTP infrastructure "C"; the responses from "C" then flood host "B"). As per one of the research papers [1], there are 14 protocols prevalent on the Internet that have the characteristics of reflection and an amplification factor of 3 or above. One of the protocols in broadband routers has an amplification factor of 4080; i.e. the DDoS attacker needs to create traffic of only 1 Mbps to launch DDoS traffic of 4 Gbps towards the victim organization, or from the victim organization towards the Internet. One study has shown that most broadband routers have DNS proxy settings enabled by default, hence they serve as sweet spots for attackers to take advantage of in DNS amplification attacks.
In order to keep such attacks alive and evade being blocked by the victim's security controls, the attacker keeps changing its source IP address and further accelerates the attack by distributing this source-IP-changing algorithm to multiple computing devices. This distributed army of computing power across multiple hosts is called a 'botnet' and is under the control of a single commander, the command-and-control (C&C). A DDoS attacker doesn't need to create its own botnet; rather, botnets are available for rent on the grey market.
1. C. R. (n.d.). Amplification Hell: Revisiting Network Protocols for DDoS Abuse. Retrieved from https://www.internetsociety.org/sites/default/files/01_5.pdf
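As an added example (not part of the QOS ebook or any vendor's product), the following Python detector looks at the reflection described above from the victim's side: it groups UDP replies arriving from DNS/NTP service ports, counts distinct reflectors, and compares the reply bytes with the requests the victim itself sent, because in a reflection attack the spoofed requests never originate at the victim. The flow records, their field layout and the thresholds are constructed assumptions; attacker_bandwidth_bps works out the page's 4080x figure.

```python
from collections import defaultdict

# UDP service ports the ebook names as amplification-prone: DNS proxies, NTP monlist.
AMPLIFIER_PORTS = {53: "DNS", 123: "NTP"}

# Constructed flow records as seen at the victim's edge (assumed layout):
# (src_ip, src_port, dst_ip, dst_port, proto, bytes)
SAMPLE_FLOWS = [
    # A legitimate DNS lookup: one query out, one modest answer back.
    ("203.0.113.10", 51234, "198.51.100.53", 53, "UDP", 60),
    ("198.51.100.53", 53, "203.0.113.10", 51234, "UDP", 120),
] + [
    # NTP monlist replies from five reflectors the victim never queried;
    # the attacker spoofed the victim's address in the requests.
    (f"198.51.100.{i}", 123, "203.0.113.10", 40000 + i, "UDP", 4800)
    for i in range(1, 6)
    for _ in range(20)
]

def attacker_bandwidth_bps(flood_bps, amplification_factor):
    """Traffic the attacker must originate to land flood_bps on the victim."""
    return flood_bps / amplification_factor

def detect_reflection(flows, min_reflectors=3, min_ratio=10.0):
    """Flag (victim, service) pairs that receive replies from many amplifiers
    far out of proportion to the requests the victim itself sent."""
    responses = defaultdict(lambda: {"sources": set(), "bytes": 0})
    requests = defaultdict(int)
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "UDP":
            continue
        if sport in AMPLIFIER_PORTS:        # reply coming from an amplifier
            entry = responses[(dst, sport)]
            entry["sources"].add(src)
            entry["bytes"] += nbytes
        elif dport in AMPLIFIER_PORTS:      # request the victim really sent
            requests[(src, dport)] += nbytes
    alerts = []
    for (victim, port), entry in responses.items():
        ratio = entry["bytes"] / max(requests[(victim, port)], 1)
        if len(entry["sources"]) >= min_reflectors and ratio >= min_ratio:
            alerts.append({"victim": victim, "service": AMPLIFIER_PORTS[port],
                           "reflectors": len(entry["sources"]),
                           "response_bytes": entry["bytes"], "ratio": ratio})
    return alerts

if __name__ == "__main__":
    print(detect_reflection(SAMPLE_FLOWS), attacker_bandwidth_bps(4e9, 4080))
```

The legitimate DNS exchange stays quiet (one source, reply/request ratio of 2) while the NTP replies trip the alert with no matching requests at all.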
6. Attacker Notions
- Targeted Attack
- Pass-Through Attack
- You're a victim of sentiment or perception against your geo/industry
There are various momentary objectives (notions) behind a DDoS attack, if you are a victim of the attack. These are:
- Targeted DDoS: Your organization is a target of interest because you may be a bank, a government data center hosting important citizens' data, etc., or your organization might have conducted some business act that the bad actors did not like (for example, PayPal blocked funds to the WikiLeaks organization and became the victim of a DDoS attack by the Anonymous group in Dec 2010).
- Pass-through DDoS: Your organization may be an ISP or a SaaS/PaaS/IaaS cloud services provider, and one or more of your customers is a victim of a targeted DDoS. As your network serves as a carrier of traffic to this customer, your organization becomes a victim of pass-through DDoS. In 2013, between March 18-26, most of the European carriers experienced a DDoS attack on the scale of 300 Gbps owing to the targeted attack on Spamhaus & Cloudflare.
- Industry or Peer DDoS Attacks: Your organization may be a victim of a multi-target attack where the attackers launch an attack against an industry or a specific geo in response to some trigger event. For example, the attack on multiple US banks by the Anonymous group was a response to PayPal blocking the money-transfer channels to the WikiLeaks organization. In another example, cyber attacks against some Middle East companies led the cyber cell of Hamas to organize a series of attacks against Israeli companies including the Tel Aviv Stock Exchange, El Al (Israel Airlines) and some Israeli banks.
7. DDoS Floods
- Technology barriers (like the TCP 3-way handshake; UDP is stateless)
- Default configurations (DNS proxy, NTP monlist configuration on routers, etc.)
DDoS Floods: Typical DDoS flood attacks target organization resources, like network bandwidth or server compute. Every piece of network equipment that comes in the path of the traffic flow is vulnerable to the volume of a DDoS attack owing to the following:
- Default Configurations: There are a variety of configuration attributes, like the DNS proxy feature enabled by default on many routers and almost all broadband routers, and the monlist feature enabled by default on many network devices that are configured for NTP (Network Time Protocol), etc.
- Technology Barriers: Each technology is bound to work in some defined methodology. DDoS attackers target the very functioning of these technologies to craft DDoS flood attacks. For example, a TCP communication involves a 3-way handshake to build a connection, i.e. SYN, SYN-ACK and ACK messages/packets. DDoS attackers exploit this by generating a high rate of SYN packets from fake IP hosts towards the target server (in the victim organization), and the server opens embryonic TCP connections with SYN-ACK packets. Subsequently the server keeps waiting for at least 2 minutes (default value) for the ACK packet for each of these embryonic connection states. As none of the connections is authentic, the server's compute resources are wasted until it turns unresponsive. Similarly, UDP is a stateless protocol, making it a soft target for attackers to continue to storm victim resources with one-way traffic.
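As an added example (not the ebook's or any vendor's code), this Python snippet turns the handshake description above into a check a defender can run on a server: it parses socket-table lines in the shape of `ss -tan` output, counts embryonic (SYN-RECV) against established connections per listening port, and flags ports where half-open connections dominate. It also works out, under a simplified model with no SYN cookies, how few SYNs per second keep a listen backlog full when each embryonic entry lingers for the 2-minute default. The socket lines, thresholds and backlog size are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed socket-table lines in the shape of `ss -tan` output (assumed):
# State  Recv-Q Send-Q Local:Port Peer:Port
SOCKET_LINES = [
    "ESTAB    0 0 203.0.113.10:443 198.51.100.7:40001",
    "ESTAB    0 0 203.0.113.10:443 198.51.100.8:40002",
    "ESTAB    0 0 203.0.113.10:22 198.51.100.9:50100",
] + [
    # Forty embryonic connections on :443 from forty distinct (spoofed) peers.
    f"SYN-RECV 0 0 203.0.113.10:443 192.0.2.{i}:{1024 + i}" for i in range(1, 41)
]

LINE_RE = re.compile(r"^(\S+)\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)$")

def parse_sockets(lines):
    """Yield (state, local_port, peer_ip) for each well-formed socket line."""
    for line in lines:
        match = LINE_RE.match(line.strip())
        if match:
            yield match.group(1), int(match.group(3)), match.group(4)

def half_open_report(lines, min_half_open=32, min_share=0.8):
    """Per local port, count SYN-RECV (embryonic) against established
    connections and flag ports where half-open connections dominate."""
    counts = defaultdict(Counter)
    syn_peers = defaultdict(set)
    for state, port, peer in parse_sockets(lines):
        counts[port][state] += 1
        if state == "SYN-RECV":
            syn_peers[port].add(peer)
    report = {}
    for port, states in counts.items():
        half_open, total = states["SYN-RECV"], sum(states.values())
        report[port] = {
            "half_open": half_open,
            "established": states["ESTAB"],
            "distinct_syn_peers": len(syn_peers[port]),
            "suspected_syn_flood": half_open >= min_half_open
            and half_open / total >= min_share,
        }
    return report

def syn_rate_to_exhaust(backlog, timeout_s=120):
    """SYN packets per second that keep a listen backlog full when every
    embryonic connection lingers for timeout_s (the ebook's 2-minute default).
    Simplified model: ignores SYN cookies and kernel backlog pruning."""
    return backlog / timeout_s
```

With a 1024-entry backlog and the 120-second wait, under nine SYNs per second are enough to keep it full, which is why the low bandwidth figures quoted earlier on this page suffice.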
8. Low & Slow DDoS
- Encryption serves the hacker's advantage.
- App weaknesses (CVEs - Poodle, Heartbleed, ShellShock)
- Internal (calls between app & DB)
Sometimes DDoS attackers launch low & slow DDoS attacks that are technologically more sophisticated than flood attacks. These attacks are launched by exploiting some vulnerability in the application(s) in use by the target server/system. The attacker evades the security controls deployed at the victim location before launching this type of DDoS attack and pivots inside the victim network. The attacker keeps learning about the variety of security controls and detection techniques deployed at the victim organization; hence the attacker keeps changing the attack vector and sometimes includes encryption techniques to stay undetected.
In the final stage of this kind of DDoS attack, multiple database query calls or application calls are launched to saturate the memory of the victim application or server.
Did you know? For the financial services industry in the year 2012, each DDoS attack caused almost $17 million in losses. Source: verisign.com
9. Most Common Attacks
On most occasions the DDoS attacks target 4 different components of the IT infrastructure of the victim organization: business applications; SSL communication channels; DNS infrastructure; or the network as a whole, by consuming the available bandwidth or the network pipe.
[Figure: the four targeted components: Applications, SSL, Network, DNS.]
10. DDoS Attack in Progress
When the DDoS is in progress, the methodology of mitigation has three different phases:
Attack Research
- Indicators of Attack (IOA) trigger the research. Multiple consoles move from passive monitoring to active monitoring and a variety of logs are surfed.
- Different dashboards and the SIEM (if any) are consulted.
- Sometimes packet captures are also referred to.
Validate Attack
- Recursion of the attack research steps over a longer period of time, or retrospective log analysis, to validate the attack occurrence.
- Correlation across dashboard(s)/SIEM or with inputs from 3rd-party DDoS mitigation partners to validate attack occurrence.
Mitigate Attack
- Every DDoS incident costs business loss owing to service unavailability to legitimate users.
- Prevention is KEY to success; hence most attacks are to be prevented by 3rd parties (like Cloudflare, F5 Silverline, Akamai, etc.).
- For effective scrubbing it is important to research the correct attack vectors and have seamless co-ordination.
11. Heat Map
The next section describes the heat map that plots the degree of business impact to the organization with respect to the type of DDoS attack crafted during the DDoS Simulation engagement. This reference heat map is the average of all the DDoS Simulation activities conducted by QOS Technology in the last year, where the 1st engagement was carried out with 8 different types of DDoS attack vectors.
12. Heat Map: Findings
[Heat map: attack simulations 1 to 8 plotted by Business Impact, Ease of Crafting Attack and Crafted Attack Sophistication.]
Most commonly seen scenarios in the first DDoS Simulation engagement:
ATTACK SIMULATIONS
1. GET Flood through HTTP Protocol on Corporate Website
2. ICMP Flood on Corporate Website
3. HTTP POST Flood on Corporate Website
4. Application Flood Attack on Portal
5. SYN Flood with SSL Attack on Business App (Portal)
6. Application Layer Login Page Flood Attack on Portal App
7. SYN Flood Attack testing intermittent devices (router, load balancer, FW, etc.)
8. Slow POST Application DDoS Attack on Business App (Portal)
13. Key Issues Observed
The most commonly seen issues during the DDoS Simulations that need to be addressed owing to their lack of performance or effectiveness or both:
- Use of 9 or more consoles during DDoS
- DDoS mitigation controls effectiveness
- Performance
- Scattered 3rd parties for the complete DDoS picture
- In-house research capability
14. Recommendations
The next section describes two kinds of recommendations: the first is what QOS Technology suggests to most customers when it observes issues similar to those depicted in the heat map during DDoS Simulations; the next page describes the best practices suggested by networkworld.com.
15. Recommendations by QOS
Execution strategy:
PERIODIC DDoS SIMULATIONS & ADVANCE ATTACK SIMULATION (faster execution but tactical): In order to strengthen the DDoS mitigation posture, an organization needs to test more scenarios and repeat the failed scenarios after gaps are plugged. The organization should carry on the Advance Attack Simulations for all the applications that fail the DDoS Simulation attacks.
SECURITY CONSOLIDATION (long-term execution but transactional): Security and Ops teams have been seen using many consoles to detect different DDoS vectors during simulation. Performance and effectiveness suffer when the team has to research the DDoS vector in more than 4 consoles. Hence, security consolidation is key to success.
3rd PARTY INCIDENT RESPONSE TEAM (faster execution but strategic): In order to enrich the attack research and attack forensics capability of the organization to mitigate or remediate a real DDoS or advance attack, it should have an in-house Incident Response Team (IRT) or hire a 3rd-party IRT on demand.
DDOS SOLUTIONS & SERVICES' CONSOLIDATION (long-term execution & strategic): If the organization has a SIEM, it should include the loopback feeds from the DDoS Simulation engagement results to have real-time identification vis-à-vis the weakness heat map. The on-premise DDoS mitigation solution should be taken from the same vendor delivering the DDoS services.
16. How to Mitigate DDoS?
Here are the best practices to mitigate DDoS attacks. Source: http://www.networkworld.com/article/2162683/infrastructure-management/best-practices-to-mitigate-ddos-attacks.html
1. Don't count on a firewall to prevent or stop a DDoS attack.
2. Bake DDoS into your business continuity and disaster recovery plan.
3. Know the signs of an active attack.
4. Know your customers and lock out unexpected transactions.
5. Measure the financial impact of being offline for a period of time.
6. If you are the victim of a DDoS attack, look for fraud, data breaches or other criminal activity.
7. Know who to call to stop an attack.