Defending Against DDoS: Attacks

As we discussed in our Introduction to Defending Against Network-based Distributed Denial of Service Attacks, DDoS is a blunt force instrument for many adversaries, so organizations need to remain vigilant against these attacks. There is not much elegance in a volumetric attack – adversaries impact network availability by consuming all the bandwidth into a site and/or by knocking down network and security devices, overwhelming their ability to handle the traffic onslaught. Today’s traditional network and security devices (routers, firewalls, IPS, etc.) were not designed to handle these attacks, nor were network architectures built to easily decipher attack traffic and keep legitimate traffic flowing. So an additional layer of products and services has emerged to protect networks from DDoS attacks. But first things first. Before we dig into ways to deal with these attacks, let’s understand the types of attacks and how attackers assemble resources to blast networks to virtual oblivion.

The Attacks

The first category of DDoS attacks is the straightforward flood. Attackers use tools that send requests using specific protocols or packets (SYN, ICMP, UDP, and NTP are the most popular) but don’t acknowledge the responses. If enough attack computers send requests to a site, its bandwidth can quickly be exhausted. Even if bandwidth is sufficient, on-site network and security devices need to maintain session state for each unanswered request while continuing to handle additional (legitimate) inbound session requests. Despite the simplicity of the problem, floods continue to be a very effective tactic for overwhelming targets.

Increasingly we see the DNS infrastructure targeted by DDoS attacks. This prevents the network from successfully routing traffic from point A to point B, because the map is gone. As with floods, attackers can overwhelm the DNS by blasting it with traffic, especially because DNS infrastructure has not scaled to keep pace with overall Internet traffic growth.

DNS has other frailties which make it an easy target for DDoS. Like the shopping cart and search attacks we highlighted for Application DoS, legitimate DNS queries can also overwhelm the DNS service and knock down a site. These attacks target weaknesses in the DNS system, where a single request for resolution can trigger 4-5 additional DNS requests. This leverage can overwhelm domain name servers. We will dig into magnification tactics later in this series. Similarly, attackers may request addresses for hosts that do not exist, causing the targeted servers to waste resources passing on the requests and polluting caches with garbage to further impair performance.

Finally, HTTP continues to be a popular target for floods and other application-oriented attacks, taking advantage of the inherent protocol weaknesses. We discussed slow HTTP attacks in our discussion of Application Denial of Service, so we won’t rehash the details here, but any remediations for volumetric attacks should alleviate slow HTTP attacks as well.

Assembling the Army

To launch a volumetric attack an adversary needs devices across the Internet to pound the victim with traffic. Where do these devices come from? If you were playing Jeopardy the correct response would be “What is a bot network, Alex?” Consumer devices continue to be compromised and monetized at an increasing rate, driven by increasingly sophisticated malware and the lack of innovation in consumer endpoint protection. These compromised devices generate the bulk of DDoS traffic. Of course attackers need to be careful – Internet Service Providers are increasingly sensitive to consumer devices streaming huge amounts of traffic at arbitrary sites, and take devices off the network when they find violations of their terms of service. Bot masters use increasingly sophisticated algorithms to control their compromised devices, to protect them from detection and remediation.

Another limitation of consumer devices is their limited bandwidth, particularly upstream. Bandwidth continues to grow around the world, but DDoS attackers still hit capacity constraints. DDoS attackers like to work around these limitations of consumer devices by instead compromising servers to blast targets. Given the millions of businesses with vulnerable Internet-facing devices, it tends to be unfortunately trivial for attackers to compromise some. Servers tend to have much higher upstream bandwidth, so they are better at serving up malware, commanding and controlling bot nodes, and launching direct attacks.

Attackers are currently moving a step beyond conventional servers, capitalizing on cloud services to change their economics. Cloud servers – particularly Infrastructure as a Service (IaaS) servers – are inherently Internet-facing and often poorly configured. And of course cloud servers have substantial bandwidth. For network attacks, a cloud server is like a conventional server on steroids – DDoS attackers see major gains in both efficiency and leverage. To be fair, the better-established cloud providers take great pains to identify compromised devices and notify customers when they notice something remiss. You can check out Rich’s story for how Amazon proactively notified us of a different kind of issue, but they do watch for traffic patterns that indicate misuse. Unfortunately, by the time misuse is detected by a cloud provider, server owner, or other server host, it may be too late. It doesn’t take long to knock a site offline.

And attackers without the resources or desire to assemble and manage botnets can just rent them. Yes, a number of folks offer DDoS as a service (DDoSaaS, for the acronym hounds), so it couldn’t be easier for attackers to harness the resources to knock down a victim. And it’s not expensive according to McAfee, which recorded DDoS costs from $2/hour for short attacks, up to $1,000 to take a site down for a month.

It is a bit scary to think you could knock down someone’s site for 4 hours for less than a cup of coffee. But when you take a step back and consider the easy availability of compromised devices, servers, and cloud servers, DDoS is a very easy service to add to an attacker’s arsenal. Our next post will discuss tactics for magnifying the impact of a DDoS attack – including encryption and reflection – to make attacks an order of magnitude more effective.
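Two of the behaviours described under The Attacks above (unacknowledged SYN floods that pin session state, and DNS queries for hosts that do not exist) can be spotted in flow and resolver logs. The following is an added detection example, not Securosis’s own code; the log lines are constructed, and the per-source thresholds are illustrative assumptions a defender would tune to their own baseline.

```python
from collections import defaultdict

# Constructed sample records, one per line: proto src dst detail
#   tcp <src> <dst> <flags>  S = client SYN, A = client ACK completing the handshake
#   dns <src> <dst> <rcode>  NOERROR or NXDOMAIN
SAMPLE_LOG = """\
tcp 198.51.100.7 192.0.2.10 S
tcp 198.51.100.7 192.0.2.10 A
tcp 203.0.113.5 192.0.2.10 S
tcp 203.0.113.5 192.0.2.10 S
tcp 203.0.113.5 192.0.2.10 S
tcp 203.0.113.5 192.0.2.10 S
tcp 203.0.113.5 192.0.2.10 S
dns 198.51.100.7 192.0.2.53 NOERROR
dns 198.51.100.7 192.0.2.53 NXDOMAIN
dns 203.0.113.9 192.0.2.53 NXDOMAIN
dns 203.0.113.9 192.0.2.53 NXDOMAIN
dns 203.0.113.9 192.0.2.53 NXDOMAIN
dns 203.0.113.9 192.0.2.53 NXDOMAIN
"""

def parse(log):
    """Return (proto, src, dst, detail) tuples, skipping malformed lines."""
    return [tuple(p) for p in (line.split() for line in log.splitlines()) if len(p) == 4]

def half_open_sources(recs, min_syns=5, max_ack_ratio=0.2):
    """Sources that send many SYNs but acknowledge few. Every unanswered SYN
    pins session state on firewalls and load balancers even when bandwidth
    is fine, which is the flood behaviour the post describes."""
    syn, ack = defaultdict(int), defaultdict(int)
    for proto, src, _dst, detail in recs:
        if proto == "tcp" and detail == "S":
            syn[src] += 1
        elif proto == "tcp" and detail == "A":
            ack[src] += 1
    return sorted(s for s, n in syn.items()
                  if n >= min_syns and ack[s] / n <= max_ack_ratio)

def nxdomain_sources(recs, min_queries=4, min_nx_ratio=0.75):
    """Clients whose queries are mostly for names that do not exist: the
    resolver forwards each one upstream and fills its cache with garbage."""
    total, nx = defaultdict(int), defaultdict(int)
    for proto, src, _dst, detail in recs:
        if proto != "dns":
            continue
        total[src] += 1
        if detail == "NXDOMAIN":
            nx[src] += 1
    return sorted(s for s, n in total.items()
                  if n >= min_queries and nx[s] / n >= min_nx_ratio)
```

In the constructed sample, `half_open_sources(parse(SAMPLE_LOG))` flags only 203.0.113.5 and `nxdomain_sources(parse(SAMPLE_LOG))` flags only 203.0.113.9; the legitimate client 198.51.100.7 completes its handshake and mostly resolves real names, so it stays below both thresholds.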