How to Mitigate DDoS? Brought to you by Your Key to Internet Security


Page 1: How to mitigate DDoS Attack?

How to Mitigate DDoS?

Brought to you by Your Key to Internet Security

Page 2: How to mitigate DDoS Attack?

What is a DDoS Attack?

A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt normal operations by denying legitimate users access. It brings down networks, web-based applications, or services by overwhelming these resources with too much data or by compromising them in some other way.

Did you Know?

According to Radware, DDoS attacks don't require acres of bandwidth to disable your website. In fact, 76 percent of attacks are less than 1 Gbps and 32 percent are less than 10 Mbps.

Page 3: How to mitigate DDoS Attack?

How DDoS Works?

Distributed Denial of Service attacks occur when a cyber attacker floods the website and/or Internet-facing business apps with so much traffic that the site is no longer able to respond.

DDoS mitigation is a set of techniques for blocking a DDoS attack – it seeks to make businesses resilient to such attacks. A DDoS mitigation service is designed to detect, monitor and block DDoS attacks. (Case 2)

Web browser requests can be easily faked, and huge floods of traffic, whether legitimate or not, cripple the server; without a proper mitigation system the server can become entirely unresponsive. (Case 1)

Diagram: Case 1, Without DDoS Mitigation Service: attack traffic and legitimate traffic from the Internet both reach the server. Case 2, With DDoS Mitigation Service: an Anti-DDoS filter sits between the Internet and the server, passing legitimate traffic and dropping attack traffic.

www.qostechnology.in [email protected]

Page 4: How to mitigate DDoS Attack?

Did you Know?

The top 3 attacking countries account for almost 57% of total DDoS attacks (chart values shown: 37.8% and 9.11%; country labels not recoverable). Source: Incapsula.com

DDoS Overview: Amplifications; Low & Slow DDoS; Attacker Notions; DDoS Flood Attacks

Page 5: How to mitigate DDoS Attack?

Amplifications
• Millions of sweet spots (like PCs with open DNS resolvers, etc.)
• Open market to hire botnets
• 14 prevalent protocols on the Internet are amplification prone

The DDoS attack vector gets more lethal when it is launched using protocols that have the characteristics of Amplification (a multiplier that amplifies the ingress traffic when rendered on the traffic flow path) and Reflection (the attacker "A" spoofs itself to be a legitimate host "B", say the www.abcBANK.com web server, and generates requests such as DNS queries or NTP monlist towards the DNS or NTP infrastructure "C"; the responses from "C" then flood host "B") [1]. As per one of the research papers, there are 14 protocols prevalent on the Internet that have the characteristics of reflection and an amplification factor of 3 or above. One of the protocols in broadband routers has an amplification factor of 4080, i.e. a DDoS attacker needs to create traffic of 1 Mbps to launch DDoS traffic of 4 Gbps towards the victim organization, or from the victim organization towards the Internet. One study has depicted that most broadband routers have DNS proxy settings enabled by default, hence serving as sweet spots for attackers to take advantage of in DNS amplification attacks.

In order to keep such attacks live and evade getting blocked by the victim's security controls, the attacker keeps changing its source IP address, and further accelerates the attack by distributing this source-address-changing algorithm to multiple computing devices. This distributed army of computing power across multiple hosts is called a 'Botnet' and is under the control of a single operator through a command-and-control (C&C) channel. A DDoS attacker doesn't need to create its own botnet; rather, botnets can be hired from the grey market where they are available for rent.

[1] C. Rossow, "Amplification Hell: Revisiting Network Protocols for DDoS Abuse," NDSS 2014. Retrieved from https://www.internetsociety.org/sites/default/files/01_5.pdf
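The amplification arithmetic above, and the defender-side check that follows from it, as an added example (not code from the QOS Technology deck). It uses the bandwidth amplification factor (BAF) as defined in the Rossow paper cited above, namely response payload bytes divided by request payload bytes, and applies it to constructed flow records from a UDP service the organization itself operates, to spot the case where that service is being abused as a reflector against a spoofed victim. The flow records, addresses and thresholds are constructed assumptions.

```python
"""Bandwidth amplification factor (BAF) and a reflector-abuse check.

Added example, not part of the QOS Technology deck. The BAF definition follows
the Rossow paper cited above (response payload bytes divided by request payload
bytes); the flow records below are constructed and the thresholds are
illustrative assumptions.
"""
from collections import defaultdict


def baf(request_bytes, response_bytes):
    """Bandwidth amplification factor for one request/response pair."""
    if request_bytes <= 0:
        raise ValueError("request size must be positive")
    return response_bytes / request_bytes


def attack_volume_mbps(attacker_mbps, factor):
    """Traffic the victim receives when attacker_mbps of spoofed requests are
    bounced off reflectors with the given amplification factor."""
    return attacker_mbps * factor


# Constructed flow records from a UDP service we operate (e.g. a DNS resolver):
# (protocol, client_ip, bytes_in, bytes_out). Reflection abuse looks like many
# tiny requests from one "client" (really the spoofed victim) answered with
# large responses.
FLOWS = [
    ("dns", "198.51.100.7", 64, 3072),
    ("dns", "198.51.100.7", 60, 3150),
    ("dns", "198.51.100.7", 62, 3080),
    ("dns", "203.0.113.20", 70, 210),
    ("ntp", "203.0.113.21", 48, 48),
    ("ntp", "198.51.100.7", 48, 2400),
]


def find_reflection_victims(flows, min_factor=10.0, min_requests=3):
    """Return {client_ip: {protocol: observed_factor}} for clients that receive
    at least min_requests responses amplified by min_factor or more. That is
    the defender-side signature of our host being used as a reflector against
    that client, and the address to rate-limit or to notify."""
    totals = defaultdict(lambda: [0, 0, 0])  # (client, proto) -> [in, out, count]
    for proto, client, bytes_in, bytes_out in flows:
        entry = totals[(client, proto)]
        entry[0] += bytes_in
        entry[1] += bytes_out
        entry[2] += 1
    flagged = defaultdict(dict)
    for (client, proto), (b_in, b_out, count) in totals.items():
        factor = baf(b_in, b_out)
        if count >= min_requests and factor >= min_factor:
            flagged[client][proto] = round(factor, 2)
    return dict(flagged)


if __name__ == "__main__":
    # The deck's figure: 1 Mbps of requests through a factor-4080 protocol.
    print(f"1 Mbps x 4080 = {attack_volume_mbps(1, 4080) / 1000:.2f} Gbps at the victim")
    print("reflection victims:", find_reflection_victims(FLOWS))
```

The per-client aggregation is the point: a legitimate resolver client sends varied queries and gets modest answers, whereas a spoofed victim address shows up as a stream of near-identical small queries each answered with a large response. Rate-limiting responses to such an address (as response rate limiting in DNS servers does) protects the victim without taking the service offline.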


Page 6: How to mitigate DDoS Attack?

Attacker Notions
• Targeted Attack
• Pass Through Attack
• You're a Victim of Sentiment or Perception against Your Geo/Industry

There are various momentary objectives (notions) behind a DDoS attack, if you are a victim of the attack. These are:

• Targeted DDoS: Your organization is a target of interest because you may be a bank, a government data center hosting important citizen data, etc., or your organization might have conducted some business act that the bad actors did not like (for example, PayPal blocked funds to WikiLeaks and became the victim of a DDoS attack by the Anonymous group in December 2010).

• Pass-through DDoS: Your organization may be an ISP or a SaaS/PaaS/IaaS cloud services provider, and one or more of your customers is a victim of a targeted DDoS. As your network serves as a carrier of traffic to this customer, your organization becomes a victim of pass-through DDoS. In 2013, between March 18 and 26, most European carriers experienced a DDoS attack on the scale of 300 Gbps owing to the targeted attack on Spamhaus and Cloudflare.

• Industry or Peer DDoS Attacks: Your organization may be a victim of a multi-target attack where the attackers launch an attack against an industry or a specific geography in response to some trigger event. For example, the attack on multiple US banks by the Anonymous group was a response to PayPal blocking the money transfer channels to WikiLeaks. In another example, cyber attacks against some Middle East companies led the cyber cell of Hamas to organize a series of attacks against Israeli companies, including the Tel Aviv Stock Exchange, El Al (Israel Airlines) and some Israeli banks.


Page 7: How to mitigate DDoS Attack?

DDoS Floods
• Technology Barriers (like the TCP 3-way handshake; UDP is stateless)
• Default Configurations (DNS proxy, NTP monlist configuration on routers, etc.)

DDoS Floods: Typical DDoS flood attacks target organization resources, like network bandwidth or server compute. Every piece of network equipment in the path of the traffic flow is vulnerable to the volume of a DDoS attack owing to the following:

• Default Configurations: There are a variety of configuration attributes, like the DNS proxy feature enabled by default on many routers and almost all broadband routers, the monlist feature enabled by default on many network devices that are configured for NTP (Network Time Protocol), etc.

• Technology Barriers: Each technology is bound to work in some defined methodology, and DDoS attackers target the very functioning of these technologies to craft flood attacks. For example, a TCP communication involves a 3-way handshake to build a connection, i.e. SYN, SYN-ACK and ACK packets. DDoS attackers exploit this by generating a high rate of SYN packets from fake (spoofed) IP hosts towards the target server in the victim organization; the server opens embryonic TCP connections by replying with SYN-ACK packets and then waits for at least 2 minutes (the default value) for the ACK of each of these embryonic connections. As none of the connections is authentic, the server's compute resources are wasted until it becomes unresponsive. Similarly, UDP is a stateless protocol, making it a soft target for attackers to storm victim resources with one-way traffic.


Page 8: How to mitigate DDoS Attack?

Low & Slow DDoS
• Encryption serves the hacker's advantage.
• Application weaknesses (CVEs such as POODLE, Heartbleed, ShellShock)
• Internal (calls between the app and DB)

Sometimes DDoS attackers launch low & slow DDoS attacks that are technologically more sophisticated vis-à-vis flood attacks. These attacks are launched by exploiting some vulnerability in the application(s) in use by the target server/system. The attacker evades the security controls deployed at the victim location before launching this type of DDoS attack and pivots inside the victim network. The attacker keeps learning about the variety of security controls and detection techniques deployed at the victim organization; hence the attacker keeps changing the attack vector and sometimes uses encryption to stay undetected.

In the final stage of this kind of DDoS attack, multiple database query calls or application calls are launched to saturate the memory of the victim application or server.
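Detection checks for the two attack styles described on the DDoS Floods page and on this Low & Slow page, as one added example that is not code from the QOS Technology deck. It works on a constructed snapshot of a server's connection table (the kind of view `ss -tan` or a load balancer's connection report gives): a SYN flood shows up as a large population of stale embryonic (SYN_RECV) connections from many distinct sources, and a slow POST shows up as an old established connection that has delivered almost no body against a large declared Content-Length. The `Conn` type, the snapshot contents and the thresholds are assumptions made for the example.

```python
"""Detection checks for SYN floods (embryonic TCP connections) and low-and-slow
application attacks (connections held open while trickling bytes).

Added example, not from the QOS Technology deck; the connection snapshot is
constructed and the thresholds are illustrative assumptions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Conn:
    src_ip: str
    state: str                            # "SYN_RECV" (embryonic) or "ESTABLISHED"
    age_s: float                          # seconds since the connection's first packet
    bytes_in: int                         # application bytes received so far
    content_length: Optional[int] = None  # declared HTTP Content-Length, if any


def constructed_snapshot():
    """Build a connection table mixing normal clients with a spoofed SYN flood
    (many distinct sources, all stuck in SYN_RECV) and one slow POST."""
    conns = [
        Conn("198.51.100.10", "ESTABLISHED", 2.0, 1800, 1800),         # normal POST, complete
        Conn("198.51.100.12", "ESTABLISHED", 0.5, 300, None),          # normal GET
        Conn("198.51.100.11", "ESTABLISHED", 300.0, 120, 1_000_000),   # slow POST
        Conn("203.0.113.9", "SYN_RECV", 1.0, 0),                       # legitimate handshake in flight
    ]
    # 150 embryonic connections, each from a different (spoofed) source in 192.0.2.0/24,
    # all older than a real client's round-trip time.
    for i in range(1, 151):
        conns.append(Conn(f"192.0.2.{i}", "SYN_RECV", 30.0 + i % 60, 0))
    return conns


def syn_flood_check(conns, max_half_open=100, min_stale_age_s=20.0):
    """Flag a SYN flood when more than max_half_open embryonic connections have
    waited longer than min_stale_age_s for their ACK. A real client completes
    the handshake within a round trip, so a large pool of stale SYN_RECV
    entries spread across many sources is the signature the page describes."""
    stale = [c for c in conns if c.state == "SYN_RECV" and c.age_s >= min_stale_age_s]
    distinct = {c.src_ip for c in stale}
    return {
        "stale_half_open": len(stale),
        "distinct_sources": len(distinct),
        "alert": len(stale) > max_half_open,
    }


def slow_post_suspects(conns, min_age_s=60.0, max_bytes_per_s=5.0):
    """Return sources whose established connection is old yet has delivered
    almost no body: the low-and-slow pattern. A declared Content-Length far
    above the bytes received shows the client intends to keep the connection
    open rather than finish the request."""
    suspects = []
    for c in conns:
        if c.state != "ESTABLISHED" or c.age_s < min_age_s:
            continue
        rate = c.bytes_in / c.age_s
        unfinished = c.content_length is None or c.bytes_in < c.content_length
        if rate < max_bytes_per_s and unfinished:
            suspects.append(c.src_ip)
    return suspects


if __name__ == "__main__":
    snapshot = constructed_snapshot()
    print("SYN flood check:", syn_flood_check(snapshot))
    print("slow POST suspects:", slow_post_suspects(snapshot))
```

The two checks answer different questions and need different responses: the SYN-flood signal argues for SYN cookies or an upstream scrubbing service, because the sources are spoofed and cannot be blocked individually, whereas the slow-POST signal names specific clients whose connections the web server or load balancer can close with a minimum-body-rate timeout.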

Did you Know?

For the financial services industry in the year 2012, each DDoS attack caused almost $17 Million in losses. Source: verisign.com

Page 9: How to mitigate DDoS Attack?

Most Common Attacks

On most occasions DDoS attacks target 4 different components of the victim organization's IT infrastructure: Business Applications; SSL Communication Channels; DNS Infrastructure; or the Network as a whole, by consuming the available bandwidth or the network pipe.

Figure: the four targets, Applications, SSL, Network and DNS.


Page 10: How to mitigate DDoS Attack?

DDoS Attack in Progress

When a DDoS is in progress, the mitigation methodology has three different phases:

1. Attack Research
• Indicators of Attack (IOA) trigger the research. Multiple consoles move from passive monitoring to active monitoring and a variety of logs are surfed.
• Different dashboards and the SIEM (if any) are consulted.
• Sometimes packet captures are also referred to.

2. Validate Attack
• Recursion of the attack research steps over a longer period of time, or retrospective log analysis, to validate the attack occurrence.
• Correlation across dashboard(s)/SIEM, or with inputs from 3rd-party DDoS mitigation partners, to validate the attack occurrence.

3. Mitigate Attack
• Every DDoS incident costs the business owing to service unavailability to legitimate users.
• Prevention is KEY to success; hence most attacks should be prevented by 3rd parties (like Cloudflare, F5 Silverline, Akamai, etc.).
• For effective scrubbing it is important to research the correct attack vectors and have seamless coordination.
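The Attack Research and Validate Attack phases above turn raw logs into indicators that can be confirmed or rejected. The following added example (not code from the QOS Technology deck) does that for a web server: it parses access-log lines in combined format, compares the request rate of the most recent window against the preceding baseline, and measures how concentrated the traffic is on a few sources and on one path, which is what an analyst would put in front of the validation step. The log lines are constructed, and the window lengths and thresholds are assumptions.

```python
"""Indicators of attack from web-server access logs: rate versus baseline,
source concentration and path concentration.

Added example, not from the QOS Technology deck; the log lines are constructed
in Apache/nginx combined format and the thresholds are assumptions.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "method": m["method"],
            "path": m["path"], "status": int(m["status"])}


def constructed_log():
    """60 s of baseline traffic (3 req/s from 180 different clients) followed by
    10 s of a GET flood (50 req/s from 5 sources, all hitting /login)."""
    base = datetime(2015, 3, 1, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(180):
        t = base + timedelta(seconds=i // 3)
        lines.append(f'10.0.0.{i + 1} - - [{t:%d/%b/%Y:%H:%M:%S %z}] '
                     f'"GET /page{i % 7}.html HTTP/1.1" 200 1024')
    for i in range(500):
        t = base + timedelta(seconds=60 + i // 50)
        lines.append(f'203.0.113.{i % 5 + 1} - - [{t:%d/%b/%Y:%H:%M:%S %z}] '
                     f'"GET /login HTTP/1.1" 503 0')
    return lines


def indicators(lines, window_s=10, baseline_s=60, rate_multiplier=5.0,
               top_n=5, concentration=0.8):
    """Compare the last window_s seconds of the log against the baseline_s
    seconds before them. The alert needs both a rate jump and a concentration
    of requests on a few sources, so a legitimate traffic spike from many
    clients does not trip it on its own."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    if not events:
        return {"alert": False}
    end = max(e["ts"] for e in events)
    win_start = end - timedelta(seconds=window_s - 1)
    base_start = win_start - timedelta(seconds=baseline_s)
    window = [e for e in events if e["ts"] >= win_start]
    baseline = [e for e in events if base_start <= e["ts"] < win_start]
    win_rate = len(window) / window_s
    base_rate = len(baseline) / baseline_s
    ips = Counter(e["ip"] for e in window)
    top_share = sum(n for _, n in ips.most_common(top_n)) / len(window)
    top_path, top_path_n = Counter(e["path"] for e in window).most_common(1)[0]
    return {
        "window_rate": win_rate,
        "baseline_rate": base_rate,
        "top_sources": ips.most_common(top_n),
        "top_source_share": round(top_share, 3),
        "top_path": top_path,
        "top_path_share": round(top_path_n / len(window), 3),
        "alert": base_rate > 0 and win_rate >= rate_multiplier * base_rate
                 and top_share >= concentration,
    }


if __name__ == "__main__":
    for key, value in indicators(constructed_log()).items():
        print(f"{key}: {value}")
```

Re-running `indicators` over a longer window and a longer baseline is the retrospective analysis the Validate phase calls for; the same function with the same thresholds applied to a day of logs tells whether the spike was a one-off or a sustained attack.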

Page 11: How to mitigate DDoS Attack?

Heat Map

The next section describes the heat map, which plots the degree of business impact to the organization against the type of DDoS attack crafted during the DDoS Simulation engagement. This reference heat map is the average of all the DDoS Simulation activities conducted by QOS Technology in the last year, where the first engagement was carried out with 8 different types of DDoS attack vectors.


Page 12: How to mitigate DDoS Attack?

Heat Map: Findings

Heat map (figure): vertical axis Business Impact; horizontal axis Crafted Attack Sophistication (Ease of Crafting Attack); points 1 to 8 correspond to the attack simulations listed below.

Most commonly seen scenarios with the first DDoS Simulation engagement:

ATTACK SIMULATIONS

1. GET Flood through HTTP Protocol on Corporate Website

2. ICMP Flood on Corporate Website

3. HTTP POST Flood on Corporate Website

4. Application Flood Attack on Portal

5. SYN Flood with SSL Attack on Business App (Portal)

6. Application Layer Login Page Flood Attack on Portal App

7. SYN Flood Attack testing intermediate devices (router, load balancer, FW, etc.)

8. Slow POST Application DDoS Attack on Business App (Portal)

Page 13: How to mitigate DDoS Attack?

Key Issues Observed

The most commonly seen issues during the DDoS Simulations that need to be addressed owing to their lack of performance, effectiveness, or both (figure: DDoS Mitigation Controls rated on Effectiveness and Performance):

• Use of 9 or more consoles during DDoS
• Scattered 3rd parties for the complete DDoS picture
• In-house research capability

Page 14: How to mitigate DDoS Attack?

Recommendations

The next section describes two kinds of recommendations: first, those that QOS Technology suggests to most customers when it observes issues similar to those depicted in the heat map during DDoS Simulations; the following page then describes the best practices suggested by networkworld.com.


Page 15: How to mitigate DDoS Attack?

Recommendations by QOS

The four recommendations are placed on a strategy/execution grid:

• PERIODIC DDoS SIMULATIONS & ADVANCE ATTACK SIMULATION (faster execution but tactical): In order to strengthen its DDoS mitigation posture an organization needs to test more scenarios and repeat the failed scenarios after gaps are plugged. The organization should carry on advance attack simulations for all the applications that fail the DDoS simulation attacks.

• SECURITY CONSOLIDATION (long-term execution but transactional): Security and Ops teams have been seen using many consoles to detect different DDoS vectors during simulation. Performance and effectiveness suffer when the team has to research the vector in more than 4 consoles. Hence, security consolidation is key to success.

• 3rd PARTY INCIDENT RESPONSE TEAM (faster execution but strategic): In order to enrich the attack research and attack forensics capability of the organization to mitigate or remediate a real DDoS or advance attack, it should have an in-house Incident Response Team (IRT) or hire a 3rd-party IRT on demand.

• DDoS SOLUTIONS & SERVICES' CONSOLIDATION (long-term execution & strategic): If the organization has a SIEM, it should include loopback feeds from the DDoS Simulation engagement results to have real-time identification vis-à-vis the weakness heat map. The on-premise DDoS mitigation solution should be taken from the same vendor delivering the DDoS services.

Page 16: How to mitigate DDoS Attack?

How to Mitigate DDoS?

Here are the best practices to mitigate a DDoS attack:

1. Don't count on a firewall to prevent or stop a DDoS attack.

2. Bake DDoS into your business continuity and disaster recovery plan.

3. Know the signs of an active attack.

4. Know your customers and lock out unexpected transactions.

5. Measure the financial impact of being offline for a period of time.

6. If you are the victim of a DDoS attack, look for fraud, data breaches or other criminal activity.

7. Know who to call to stop an attack.

Source: http://www.networkworld.com/article/2162683/infrastructure-management/best-practices-to-mitigate-ddos-attacks.html

Page 17: How to mitigate DDoS Attack?


Winner of Revolution Award

APAC Partner of the Year 2014

Contact Us

Your Key to Internet Security