Knowledge is Power

Xuhua Bao, Hai Hong, Zhihua Cao, of NSFOCUS, say:

Australian data center Micron21 recently detected a sophisticated new DDoS threat that it named Combination Distributed Reflective Denial of Service (CDRDoS). The attack reached speeds of 40+ Gbits internationally and over 1.2 Gbits domestically. CDRDoS uses a combination of UDP attack vectors simultaneously, from a single attack tool. The company believes it represents the beginning of what is to be expected in the future of denial of service attacks.

As DDoS attacks increase in number, size and complexity, organizations must let go of false assumptions about them and focus on how to detect and mitigate them. Below is a list of misunderstandings about how these attacks operate, and how damaging they can be, that need to be cleared up.

Misunderstanding #1: Hackers don’t target small websites and businesses for DDoS attacks

Any site can be considered fair game for profit. If you operate a website, even if you derive little income from it or engage in non-profit activities, the following statements are still not correct: “A hacker wouldn’t waste their time on my little website” or “Our operation doesn’t make much money and we are not offending anyone – there’s no reason a hacker would choose to attack us.”

When cybercriminals choose extortion targets, they know that attacks on major websites may be more profitable, but the costs and risks are usually greater as well. Smaller sites generally have weaker defenses, so an attack on them is more likely to succeed. Furthermore, competition is one of the major reasons behind DDoS attacks. Newcomer businesses may attack established businesses in order to steal away customers, and established businesses may attack newcomers to remove any potential threat they may pose. Malicious retaliatory attacks might not be concerned with size and scale; they may just want to prove a point.

Misunderstanding #2: DDoS attacks are the sole purview of hackers

Thinking that only hackers can launch DDoS attacks is akin to thinking that only mechanics can fix cars. With the help of manuals and online information, enterprising men and women can teach themselves to repair their vehicles. Except for complex computer chips that require special equipment, car repair is within reach of most people who are so inclined.

This analogy carries over with respect to DDoS attacks. Most hackers these days are specialists in a certain field. Some specialize in discovering vulnerabilities, some develop tools, some are responsible for system intrusion and some are adept at processing account information. For DDoS attacks, some hackers create and maintain so-called “attack networks.” Some of them exploit botnets and some take over high-performance servers. After assembling their attack capability, they rent out their resources to a customer. It is not necessary for this hacking customer to have any specialized knowledge of the technology. Hacking services have become very convenient: engage a hacker, enter the address of the attack target and launch a full attack. DDoS attacks can be carried out by cybergangs, the business competitor across the street or a disgruntled employee. With hackers for hire, there are potential attackers everywhere.

Misunderstanding #3: All DDoS attacks are launched from botnets

Not all attacks are carried out by botnets composed of personal computers that have been hijacked by hackers. As technology has advanced, the processing performance and bandwidth of high-performance servers used by service providers have rapidly increased. Correspondingly, the development and use of traditional botnets composed of PCs have slowed. Besides the processing capability factor, PCs normally have very limited bandwidth resources, and their in-use periods fluctuate. Therefore, some hackers have begun to look to high-performance servers; these were used during Operation Ababil’s attacks on U.S. banks. In addition, attacks are not always carried out by commandeering sources; the hacking group Anonymous prefers to launch attacks using large numbers of real participants. We call this a “voluntary botnet.”

Misunderstanding #4: Consumption of network bandwidth resources is a DDoS attack’s goal

By measuring only the size or amount of attack traffic (e.g. number of Gigabits per second), the media leads many people to mistakenly believe that all DDoS attacks target bandwidth resources. In fact, DDoS attacks can also be designed to consume system and application resources. Thus, the size of the attack traffic is only one of several aspects that determine the severity of an attack: the same amount of attack traffic can produce a greater or lesser impact depending on the method employed. Sometimes, people mistakenly assume that SYN flood attacks are a type of DDoS attack that targets network bandwidth resources. In fact, the primary threat posed by SYN flood attacks is their consumption of connection table resources. Even with exactly the same level of attack traffic, a SYN flood attack is more dangerous than a UDP flood attack.

Misunderstanding #5: All DDoS attacks overwhelm resources quickly

There’s more than one way to overwhelm resources. When they hear the phrase “DDoS attack,” most people think of UDP flood attacks, SYN flood-type attacks, RST flood-type attacks and so on. Therefore, they assume that all DDoS attacks are flood-type attacks. In fact, although flood-type attacks account for a large proportion of DDoS attacks, not all DDoS attacks are flood-type attacks. There are also low-and-slow attack methods. The essential nature of a DDoS attack is an attack that consumes a large number of resources or occupies them for a long period of time in order to deny services to other users. Flood-type attacks are used to quickly consume a large number of resources by rapidly sending a large amount of data and requests to the target.

But resources can be overwhelmed slowly as well. Low-and-slow attacks slowly but persistently send requests to the target and thus occupy resources for a long time. This activity eats away at the target’s resources bit by bit. If we view a DDoS attack as an assassination, a flood-type attack is like an assassin that uses a machine gun to take out his target at close range. A low-and-slow attack offers its target death by a thousand cuts.
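Because a low-and-slow attack shows up as occupancy rather than volume, a defender looks at how long connections have been held open and how little they have sent, not at bits per second. The following detection sketch is an added example, not part of the original article; the snapshot records, thresholds and function names are constructed for illustration.

```python
from collections import Counter

# Constructed snapshot of open HTTP connections on one server (not real traffic):
# (client_ip, seconds_open, request_bytes_received, request_complete)
SNAPSHOT = [
    ("198.51.100.7", 2, 412, True),
    ("198.51.100.9", 1, 388, True),
    ("198.51.100.20", 120, 6_000_000, False),  # large upload: long-lived but busy
    ("192.0.2.44", 95, 180, False),            # a single stalled client on a poor link
    ("203.0.113.5", 240, 310, False),
    ("203.0.113.5", 238, 305, False),
    ("203.0.113.5", 241, 312, False),
    ("203.0.113.5", 239, 300, False),
]

def slow_holders(conns, min_age_s=30, max_bytes_per_s=5.0, min_conns=3):
    """Return {client_ip: held_connections} for sources that keep several
    unfinished requests open for a long time while sending almost nothing."""
    held = Counter()
    for ip, age_s, nbytes, complete in conns:
        # Finished or young connections are normal; max() avoids dividing by 0.
        if complete or age_s < max(min_age_s, 1):
            continue
        if nbytes / age_s <= max_bytes_per_s:
            held[ip] += 1
    # One stalled connection is usually a bad link; many from one source is not.
    return {ip: n for ip, n in held.items() if n >= min_conns}

def pool_share(suspects, pool_size):
    """Fraction of the server's worker slots occupied by the flagged sources."""
    return sum(suspects.values()) / pool_size

if __name__ == "__main__":
    suspects = slow_holders(SNAPSHOT)
    print(suspects, f"{pool_share(suspects, 8):.0%} of workers held")
```

The flagged source sends only a few bytes per second in total, which is why a volume-based alarm would never see it.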

Misunderstanding #6: Chaos is the only motivation behind DDoS attacks

DDoS attacks take some technical skill and directly result in the destruction of network service availability. This doesn’t seem to benefit hackers, suggesting that popular opinion holds true. However, the current generation of hackers is much more sensitive to benefit calculations than average people. They use destructive power in exchange for profit, they use destructive deterrents to avoid losses to themselves and they use destruction as leverage to shift the playing field to their advantage. Destruction is only one part of DDoS attack motivation; the true goal is almost always profit of some sort.

Misunderstanding #7: System optimization and increasing bandwidth will effectively mitigate DDoS attacks

Increasing the number of Transmission Control Protocol (TCP) connection tables and reducing the timeout for establishing TCP connections is one example of adjusting the core parameters of the system under attack. System optimization can mitigate small-scale DDoS attacks to a certain extent. However, when hackers increase DDoS attack scale and traffic volume exponentially, the effect of system optimization is negligible.
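The effect of this kind of tuning can be put in numbers with a small model of the half-open connection table, which also illustrates the earlier point that a SYN flood exhausts connection table resources rather than bandwidth. This is an added example, not part of the original article; it assumes no SYN cookies, spoofed SYNs that never complete, spoofed SYNs processed ahead of legitimate ones in each one-second tick, and constructed table sizes, timeouts and rates.

```python
from collections import deque

def legit_success(backlog, timeout_s, attack_rate, legit_rate=50, duration_s=600):
    """Fraction of legitimate handshakes that find a free table slot.

    backlog     -- capacity of the half-open connection table
    timeout_s   -- seconds an unanswered half-open entry occupies its slot
    attack_rate -- spoofed SYNs per second (never complete the handshake)
    """
    table = deque()        # (expiry_tick, entry_count), oldest first
    used = served = 0
    for t in range(duration_s):
        while table and table[0][0] <= t:        # expire timed-out entries
            used -= table.popleft()[1]
        admitted = min(attack_rate, backlog - used)
        if admitted:
            table.append((t + timeout_s, admitted))
            used += admitted
        # Legitimate clients complete at once, so they only need a free slot.
        served += min(legit_rate, backlog - used)
    return served / (legit_rate * duration_s)

def tolerated_attack_rate(backlog, timeout_s, legit_rate=50):
    """Highest spoofed-SYN rate (per second) that still leaves room for all
    legitimate clients in this model: rate * timeout + legit_rate <= backlog."""
    return (backlog - legit_rate) // timeout_s

if __name__ == "__main__":
    for label, backlog, timeout_s, rate in [
        ("untuned, 100 SYN/s", 1024, 60, 100),
        ("tuned,   100 SYN/s", 8192, 15, 100),
        ("tuned,  1000 SYN/s", 8192, 15, 1000),
    ]:
        ok = legit_success(backlog, timeout_s, rate)
        limit = tolerated_attack_rate(backlog, timeout_s)
        print(f"{label}: {ok:.1%} legitimate success, tolerates {limit} SYN/s")
```

In this model an eightfold larger table and a fourfold shorter timeout raise the tolerated rate from 16 to 542 spoofed SYNs per second, and service collapses again once the attack rate passes that line.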

Some organizations will purchase redundant hardware, add servers with better performance and increase bandwidth to mitigate attacks. So long as the resources consumed by a DDoS attack do not exceed the load-bearing capabilities of the current bandwidth, computing and other resources, the attack will be ineffective. Once the resources consumed by the attack exceed the system’s capabilities, however, further retreat is needed to make the attack ineffective. In theory, increasing bandwidth and other such retreat strategies should be able to completely resolve the problems posed by DDoS attacks. In reality, these measures do not make economic sense: the costs hackers incur by increasing the scale of DDoS attacks are minimal, while the investment required to continually increase bandwidth, server quantity and other infrastructure enhancements to mitigate DDoS attacks cannot increase without limit. Therefore, retreat strategies are not effective DDoS attack mitigation methods.

Misunderstanding #8: One DDoS mitigation device is as good as another

Though many attacks are named “DDoS,” they are not all the same. Different attacks may require different mitigation methods. Normally, cloud-based cleaning services mainly use traffic dilution and diversion and are specifically designed for traffic-type DDoS attacks. Local mitigation devices can only handle a relatively small volume of traffic, and it is easier for them to use multiple cleaning techniques in combination. They are suited to defend against system and application resource consumption DDoS attacks. Users should select suitable mitigation solutions based on their own business characteristics and the particular dangers they face.

Misunderstanding #9: DDoS attacks can be mitigated by common security products

The design principles of firewalls do not take DDoS attack mitigation into account. With traditional firewalls, defense is carried out through intense inspection and vigilance to detect attacks. The greater the intensity of the inspection, the higher the computing costs. Massive levels of DDoS attack traffic will significantly reduce a firewall’s performance and make it unable to effectively complete packet forwarding tasks. At the same time, traditional firewalls are generally deployed at network inlet locations. Although, in a sense, they serve to protect internal network resources, they themselves also commonly become DDoS attack targets.

When faced with a DDoS attack, intrusion detection and defense systems generally cannot satisfy user needs – even though they are the tools with the broadest range of applications. Intrusion detection and defense systems generally perform rule-based application layer attack detection. These devices were initially designed to detect application layer attacks based on certain attack characteristics. However, the majority of current DDoS attacks use attack traffic consisting of legal packets. Thus, the intrusion detection and defense systems cannot effectively detect DDoS attack traffic based on its characteristics. At the same time, intrusion detection and defense systems experience the same performance issues as firewalls.

Knowledge is Power

As Micron21 has shown, DDoS attacks are constantly evolving, becoming bigger and more complex. Whether it’s a UDP flood attack, a low-and-slow attack or even a new type like the CDRDoS, organizations need to be prepared to detect and mitigate DDoS attacks as quickly and effectively as possible. This applies to huge name brands as well as websites that are just getting started. Because these attacks come in many shapes and sizes, and because some are more dangerous than others, organizations need to understand how they operate and create an appropriate mitigation strategy.

About the Authors:

Xuhua Bao, Senior Researcher, Strategy Research Department of NSFOCUS, is focused on analysis of information security events, security intelligence, and security trends.

Hai Hong, Researcher, Security Research Department of NSFOCUS, is a member of the NSFOCUS Threat Response and Research (TRR) Team, focusing on research of network security technology such as vulnerability analysis, vulnerability discovery, vulnerability exploitation, network attacks, DDoS attacks and DDoS prevention and mitigation.

Zhihua Cao, Researcher, Security Research Department of NSFOCUS, focuses on DDoS attack analysis and defense, botnets, and data (packet) analysis. Cao is fond of reverse engineering and a big fan of OD, IDA and Wireshark.