Modern DDoS Protection Techniques


In the good old days, “bad guys” intent on bringing down a website or server only had to launch a DoS (Denial of Service) attack, pinging the target over and over again from their own computer until the target machine was overwhelmed and went down. These forays were relatively easy to fight off, particularly with the declining cost of bandwidth; after all, if the target had enough capacity to absorb the attack until the offending IP was banned or the requests were all blocked, there would be no consequences.

For every measure, there’s usually a countermeasure. In this case, the bad guys moved on to DDoS (Distributed Denial of Service) attacks, first compromising and using large systems like those at universities, and eventually discovering that they could set up covert networks of compromised computers all around the world by distributing and running malware on those machines. That gave them “botnets” which could quickly grow to a size able to overwhelm any target, no matter how much bandwidth that target had available.

Those were just the first episodes in what has become a continuous cat-and-mouse game between hackers and Internet service providers or large companies running their own server installations. Today, botnets are still widely used but the types of attacks they can launch have expanded greatly – making DDoS protection and mitigation more challenging than ever.

Here’s a look at the different kinds of attacks that have become common, and how the “good guys” implement DDoS protection in order to fight them off.

Volumetric Attacks

As we’ve discussed, ping attacks (also known as ICMP floods) are the simplest type of DDoS attack and are still the most common; a study done by Arbor Networks reports that 65% of all attacks are volumetric in nature. They’re meant to overwhelm a server’s ability to receive and respond to all of the requests – in other words, the sheer volume is intended to bring down the server, which is why these types of blasts are known as volumetric attacks. A similar and slightly more sophisticated approach is to overwhelm random ports on the server with UDP (User Datagram Protocol) requests and tie up the machine as it tries to find the requesting computers and then sends out “destination unreachable” responses. Spoofing the IPs that these requests come from, or using amplification techniques to geometrically increase their number, makes it more difficult to fight these types of DDoS attacks.

The traditional approach to mitigating these attacks is to implement strict firewall rules and use router access control lists, block fragmented ping requests and drop junk packets, use load balancers to spread out traffic floods, and completely block ICMP and UDP if you don’t need them (and they often aren’t needed, particularly UDP, which is primarily used to serve game data or handle broadcasts). More advanced DDoS protection techniques also help prevent or mitigate the effects of volumetric attacks.

Protocol Attacks

If you think of volumetric attacks as simple brute force, you could describe protocol attacks (often called state exhaustion attacks) as targeted brute force. These blasts still rely on flooding a web server with traffic, but focus their impact on disrupting the normal operation of the server by using up the number of simultaneous connections the server can maintain. Some of the common targets are the connection state tables that are used to control load balancers, firewalls and other crucial functions that safeguard the machine. Arbor reports that about 20% of DDoS blasts are protocol attacks.

The most common is called the Ping of Death, where oversized, fragmented ping packets are sent to the target, which must use an enormous amount of resources to reassemble the packets and often crashes because of buffer overflows or attempts to respond to the pings. Another is known as Slowloris, which sends a huge number of partial requests to a server in an attempt to keep as many connections open for as long as possible. The goal is to use up all available connections and deny legitimate clients access to the machine. SYN floods, which exploit the handshake sequence used by the TCP connection process, take a similar approach.

DDoS protection measures against protocol attacks can include quicker time-outs for unfinished requests, using DDoS mitigation appliances to protect vulnerable defenses like firewalls and load balancers, using SYN cookies to track TCP connections and sift out legitimate requests from malicious ones, and using SYN caches while reducing SYN-received timer settings. Again, the more advanced techniques we’ll look at next can also help greatly.
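As an added illustration of how SYN cookies let a server complete handshakes without keeping a state-table entry for each half-open connection, here is a small Python model written for this article (it is not Sharktech’s or any kernel’s implementation; the secret, the MSS table and the bit layout are assumptions for the demonstration):

```python
import hashlib
import hmac
import socket
import struct

# Constructed secret for this demonstration; a real TCP stack rotates it regularly.
SECRET = b"demo-secret-rotate-me"
# MSS values the server is willing to encode; only the 3-bit table index is stored.
MSS_TABLE = [536, 1024, 1220, 1440, 1460]
MAX_COOKIE_AGE = 2  # accept cookies minted in the current or the previous time slot


def _hash24(src_ip, dst_ip, src_port, dst_port, t):
    """Keyed 24-bit hash over the connection 4-tuple and the time counter."""
    msg = struct.pack("!4s4sHHI", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                      src_port, dst_port, t)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(src_ip, dst_ip, src_port, dst_port, client_mss, t):
    """Compute the 32-bit initial sequence number sent in the SYN-ACK.

    Layout (Bernstein's scheme): 5 bits of time counter, 3 bits of MSS index,
    24 bits of keyed hash. No per-connection state is kept, so a flood of
    spoofed SYNs cannot exhaust the listen queue.
    """
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    return ((t & 0x1F) << 27) | (mss_idx << 24) | _hash24(src_ip, dst_ip, src_port, dst_port, t)


def check_syn_cookie(cookie, src_ip, dst_ip, src_port, dst_port, now):
    """Validate the cookie (acknowledgement number minus one) from the final ACK.

    Only a client that really received the SYN-ACK can echo a valid cookie, so
    spoofed-source SYNs never turn into established connections. Returns the
    negotiated MSS, or None if the cookie is forged or too old.
    """
    t_bits, mss_idx, digest = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    for age in range(MAX_COOKIE_AGE):
        t = now - age
        if (t & 0x1F) == t_bits and _hash24(src_ip, dst_ip, src_port, dst_port, t) == digest:
            return MSS_TABLE[mss_idx]
    return None
```

The short time window is what the article’s “reducing SYN-received timer settings” buys in practice: an ACK that arrives after the slot has rolled over is simply rejected instead of occupying a table entry.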

Application-Layer Attacks

The most insidious DDoS attacks seen today target specific server applications such as HTTP and DNS services, with what are known as application-layer or layer-7 attacks. Fewer than 20% of attacks use these methods, but they’re among the most difficult to mitigate because they’re designed to simulate real visitor behavior when making their requests. It also requires less traffic to launch an application-layer attack, so it often takes longer for monitoring systems to recognize that there’s a DDoS attack underway.

The most common of these forays include HTTP floods, in which normal GET and POST requests (that aren’t malformed or spoofed) force the server to use up disproportionate amounts of resources to respond. For example, they may involve concurrent and repeated downloads of website elements. Other types are NTP (network time protocol) amplification attacks that exploit open NTP servers to amplify the effect of a small number of queries, and DNS amplification attacks that take advantage of DNS (domain name system) servers in a similar way.

Application-layer attacks are the most difficult to fight off. Careful monitoring and tracking of web activity by IP and matching it against IP reputation records, bad bot blocking and requiring the execution of JavaScript challenges such as CAPTCHAs can sometimes help blunt HTTP floods, but layer-7 attacks also call for more advanced DDoS protection measures such as the use of caching servers, and advanced filtering and load balancing techniques. Another effective approach involves technology that divides traffic into “whitelisted,” “blacklisted” and “greylisted” categories, with greylisted traffic shifted to separate, quarantined servers where it can be subjected to additional testing.
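An added example (not part of the original article) of the per-IP monitoring and whitelist/blacklist/greylist bucketing described above, run over constructed access-log lines; the thresholds, the reputation lists and the sample addresses are assumptions chosen for the demonstration:

```python
import re
from collections import defaultdict

# Combined log format: client IP, identd, user, [time], "METHOD PATH PROTO", status, bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)')


def parse_line(line):
    """Return (ip, method, path, status, size) for one access-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, path, status, size = m.groups()
    return ip, method, path, int(status), int(size)


def classify_sources(lines, rate_limit, byte_limit, known_good=(), known_bad=()):
    """Bucket every client IP seen in one monitoring window.

    whitelist: trusted address; blacklist: reputation hit or far over budget;
    greylist: over the request or byte budget (e.g. repeated heavy downloads),
    to be routed to a quarantined pool for further checks; pass: normal visitor.
    """
    reqs, octets = defaultdict(int), defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line must not crash the monitor
        ip, _, _, _, size = rec
        reqs[ip] += 1
        octets[ip] += size
    verdict = {}
    for ip in reqs:
        if ip in known_good:
            verdict[ip] = "whitelist"
        elif ip in known_bad or reqs[ip] >= 2 * rate_limit:
            verdict[ip] = "blacklist"
        elif reqs[ip] >= rate_limit or octets[ip] >= byte_limit:
            verdict[ip] = "greylist"
        else:
            verdict[ip] = "pass"
    return verdict


def sample_log():
    """Constructed access-log lines (not real traffic) covering each bucket."""
    fmt = '{ip} - - [10/Mar/2024:12:00:{s:02d} +0000] "GET {path} HTTP/1.1" 200 {size}'
    lines = [fmt.format(ip="198.51.100.22", s=i, path="/index.html", size=5120) for i in range(3)]
    lines.append(fmt.format(ip="192.0.2.9", s=5, path="/login", size=800))
    lines += [fmt.format(ip="203.0.113.200", s=i % 60, path="/status", size=120) for i in range(40)]
    lines += [fmt.format(ip="203.0.113.7", s=i % 60, path="/big.png", size=2097152) for i in range(25)]
    lines += [fmt.format(ip="203.0.113.8", s=i % 60, path="/", size=300) for i in range(50)]
    return lines
```

The byte budget is what catches the “concurrent and repeated downloads of website elements” pattern: 203.0.113.7 stays under twice the request limit but moves tens of megabytes, so it is greylisted for a challenge rather than dropped outright.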

However, the cat-and-mouse game will continue for quite some time, particularly with the evolution of DDoS attacks into multi-layered forays involving two or all three of the different types of possible attacks. Volumetric attacks, for instance, can be utilized as diversions to use up a system’s resources and leave it vulnerable to more sophisticated application-level attacks. Top-level providers are constantly refining and testing new DDoS protection and mitigation techniques to stay as far ahead of the bad guys as possible.