G-Core Labs expert opinion: As projects and organizations grow, they acquire new resources and, accordingly, they face new threats. Sometimes even small businesses become victims of cybercrime. The reasons for attacking digital resources can vary from hunting for valuable data and access to intentionally damaging an organization’s reputation and finances. In any case, security should be the top priority.
Types of DDoS attacks
Over the last few years, cloud infrastructure, and especially public clouds, has become very popular. Thousands of companies worldwide, from small businesses to massive giants, rely on cloud services. Cyber threats can harm any online business if appropriate security measures aren’t in place. DDoS (Distributed Denial of Service) attacks are one of the most widespread cyber threats. Their goal is, literally, to deny service.
Such attacks disrupt the functioning of servers, websites, and web services by flooding them with an excessive number of requests. Resources that aren’t designed for high loads then stop working and become unavailable to users. DDoS attacks also exploit vulnerabilities at the network-protocol and application layers.
The term ‘distributed’, when applied to this type of attack, means that perpetrators covertly use entire networks of infected devices—botnets—as the sources of the attack. Device owners often have no clue that attacks are being performed from their computers and IP addresses. Internet of Things (IoT) devices are especially suitable for such purposes because their numbers keep growing while their protection remains quite weak.
Even though almost half of DDoS attacks are of a mixed nature, three main categories can be named.
High volume attacks (i.e. flooding). This is the most widespread type. Perpetrators send a large number of requests to the server, and the resulting traffic blocks network bandwidth capacity.
The volume of such attacks can reach several terabits per second. As a result, unprepared infrastructures crash and stop processing requests.
Types of volumetric attacks:
- DNS Amplification. Multiple requests are sent to a public DNS server on behalf of the targeted resource (the target server’s IP address is written into the requests as the source). Such requests elicit large responses, which are directed to the targeted server.
- DNS Flood. Requests to a DNS server from multiple IP addresses. It’s very difficult to pick out the malicious packets among all the requests received by the server.
- ICMP Flood. ICMP packets don’t require acknowledgement of receipt, so it is extremely difficult to separate legitimate ICMP packets from malicious ones.
- SYN Flood. Sending an excessive number of requests to open new sessions in order to exhaust the memory of the connection table.
Protocol attacks. These exploit weaknesses in network protocols such as TCP, UDP, and ICMP (Layers 3 and 4 of the OSI model). Here the purpose is to overload the target’s network resources not with a giant amount of traffic but with pinpoint actions that exploit protocol defects.
Protocol attack example: POD (Ping of Death). Pinging the server by sending malformed or oversized packets.
Application-layer attacks (Layer 7 of the OSI model). They are aimed at web servers and applications, such as a website’s CMS. The main purpose is to knock the web resource out of service, in particular by overloading the CPU or RAM.
A single external HTTP request can be enough: in response, the system starts processing a large number of internal requests it’s not designed for.
Types of application-layer attacks:
- Slowloris. A bot opens many sessions on the server without responding to them, thereby provoking a timeout. As a result, such fake sessions consume server resources, leading to its unavailability.
- HTTP Flood. An excessive number of GET and POST requests are sent to the server to get the “heaviest” elements of the website.
The most dangerous DDoS attacks of our time
Due to the high effectiveness of some attacks, they are particularly popular among perpetrators. The most serious incidents of our time are related to DDoS attacks of a special type.
DNS Reflected Amplification
This subtype of volumetric attack combines two malicious factors. First, the attacker forges requests that appear to come from the targeted server by putting its IP address into the request as the source, using a public DNS server as a “reflector.” The DNS server receives the request bearing the target’s address and sends its response there, thus “reflecting” the request.
Second, a lot of data, not just the IP address of the domain, can be requested, so the DNS server’s response can be many times larger than the request. Finally, traffic can be maximized by sending the queries through a botnet. As a result, it is highly likely that the bandwidth of the targeted server will be overwhelmed.
The most famous use of DNS Reflected Amplification was the attack on GitHub in February 2018, which is the largest known DDoS attack. It came from thousands of different autonomous systems and tens of thousands of unique endpoints. The attack reached 126.9 million packets per second at peak times. The traffic flow reached 1.35 Tbps, and the gain ratio (amplification ratio) reached 51,000.
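As an added example (not from the original article or from G-Core Labs), the following Python sketch shows what reflected amplification looks like from the defender's side: the target receives DNS answers to queries it never sent. The flow records, addresses and transaction IDs are constructed, and the matching key (client port, resolver address, transaction ID) is an assumption of this model.

```python
from collections import namedtuple

# Constructed flow records for illustration (not real traffic). Each record is a UDP
# datagram seen at the protected network's edge; txid is the DNS transaction ID.
Flow = namedtuple("Flow", "direction src dst sport dport size txid")

SAMPLE_FLOWS = [
    Flow("out", "203.0.113.10", "198.51.100.53", 40001, 53, 64, 0x1A2B),    # our own query
    Flow("in",  "198.51.100.53", "203.0.113.10", 53, 40001, 512, 0x1A2B),   # its answer
    Flow("in",  "198.51.100.7",  "203.0.113.10", 53, 40002, 3200, 0x9C01),  # never asked
    Flow("in",  "198.51.100.8",  "203.0.113.10", 53, 40003, 3300, 0x9C02),  # never asked
    Flow("in",  "198.51.100.7",  "203.0.113.10", 53, 40004, 3150, 0x9C03),  # never asked
]

def amplification_ratio(request_bytes, response_bytes):
    """Bandwidth amplification: bytes delivered to the target per byte the attacker sends."""
    return response_bytes / request_bytes

def unsolicited_dns_responses(flows):
    """Inbound DNS answers with no matching outbound query.

    A query and its answer are matched on (our port, resolver address, transaction ID).
    Answers that match nothing we sent are the signature of being the reflection target:
    the attacker spoofed our address, so the resolver "replies" to us.
    """
    sent = {(f.sport, f.dst, f.txid)
            for f in flows if f.direction == "out" and f.dport == 53}
    return [f for f in flows
            if f.direction == "in" and f.sport == 53
            and (f.dport, f.src, f.txid) not in sent]

def reflection_report(flows, min_unsolicited=3):
    """Summarise unsolicited answers; alert once they reach an assumed count threshold."""
    hits = unsolicited_dns_responses(flows)
    return {
        "unsolicited": len(hits),
        "bytes": sum(f.size for f in hits),
        "reflectors": sorted({f.src for f in hits}),
        "alert": len(hits) >= min_unsolicited,
    }

if __name__ == "__main__":
    print(reflection_report(SAMPLE_FLOWS))
    print(amplification_ratio(64, 3264))  # a 64-byte query answered with 3264 bytes
```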
Generated UDP Flood
Generated UDP Flood combines the generation of excess traffic and elements of protocol-layer attacks.
The attack sends UDP packets from spoofed IP addresses to a targeted IP address and server port. With correctly chosen packet parameters and sending rate, the traffic can be made to look legitimate, and identifying junk requests becomes extremely difficult.
Such an attack was carried out against the Albion Online MMORPG server. As a solution to eliminate the threat, a G-Core Labs software package combining various methods was selected:
- Rate Limiting. Limiting the rate of incoming traffic
- Regexp Filtering. Dropping packets whose payload matches a regular expression
- Adding authorized player IP addresses to a whitelist
- Adding unauthorized player IP addresses to a blacklist
- IP Geolocation Filter. Blocking IP addresses based on geolocation
- G‑Core Labs Challenge Response (CR). A unique protocol that is integrated on the client’s side and that allows IP address validation
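As an added illustration, not G-Core Labs' code, here is a Python model of the filtering chain just listed applied to constructed UDP datagrams; the rule order, the token-bucket parameters, the geolocation lookup and the junk-payload pattern are all assumptions.

```python
import re
# Constructed rule set for illustration; none of it is G-Core Labs' product configuration.
WHITELIST = {"203.0.113.5"}                    # authorized players: always pass
BLACKLIST = {"198.51.100.99"}                  # known-bad sources: always drop
BLOCKED_COUNTRIES = {"XX"}                     # placeholder country code for the geo filter
GEO = {"198.51.100.40": "XX", "203.0.113.5": "AA", "203.0.113.77": "AA"}  # constructed lookup
JUNK_PAYLOAD = re.compile(rb"^\x00{8}|PADDING")  # assumed signature of the flood's padding

class TokenBucket:
    """Per-source limiter: `rate` datagrams/s sustained, up to `burst` at once."""
    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens, self.last = rate, burst, burst, None
    def allow(self, now):
        if self.last is not None:   # refill for the time elapsed since the last packet
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

class UdpFilter:
    """Rules run cheapest-first; the first one that fires decides the datagram."""
    def __init__(self, rate=5.0, burst=5):
        self.rate, self.burst, self.buckets = rate, burst, {}
    def decide(self, src, payload, now):
        if src in WHITELIST:
            return "pass"
        if src in BLACKLIST:
            return "blacklist"
        if GEO.get(src) in BLOCKED_COUNTRIES:
            return "geo"
        if JUNK_PAYLOAD.search(payload):
            return "regexp"
        bucket = self.buckets.setdefault(src, TokenBucket(self.rate, self.burst))
        return "pass" if bucket.allow(now) else "ratelimit"

def run(filter_, datagrams):
    """Apply the pipeline to (src, payload, timestamp) tuples; count decisions per rule."""
    counts = {}
    for src, payload, now in datagrams:
        verdict = filter_.decide(src, payload, now)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts

# Constructed traffic: an unknown source fires 20 datagrams in 0.1 s (burst allows 5),
# then one whitelisted, one blacklisted, one geo-blocked, and one padded junk datagram.
SAMPLE = ([("203.0.113.77", b"MOVE 1 2", i * 0.005) for i in range(20)]
          + [("203.0.113.5", b"MOVE 3 4", 0.05), ("198.51.100.99", b"MOVE 0 0", 0.06),
             ("198.51.100.40", b"MOVE 0 0", 0.07), ("203.0.113.77", b"\x00" * 8, 0.2)])
```

Running `run(UdpFilter(), SAMPLE)` shows the first five datagrams from the unknown source passing and the rest hitting the rate limit, while the whitelist entry passes unconditionally.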
HTTP GET/POST Flood
This is a web application layer attack. In this case, a continuous stream of GET and POST requests is sent to the server, and at first glance, they seem legitimate. The problem is that the attacker does not wait for responses but instead sends requests constantly. As a result, server resources are exhausted in the course of processing them.
According to open sources, the websites of several large Russian banks suffered from such attacks in November 2016.
In that case, HTTP Flood was used at the very start to accurately determine the request rate and traffic volume needed for denial of service. It served as an auxiliary method, and other attack types were employed afterwards.
Hit-and-run
Hit-and-run is a subtype of volumetric attacks, but it works differently from the majority of other attacks. These are short bursts of traffic with a volume of hundreds of gigabits per second, sometimes lasting 20 to 60 minutes or even less than a minute. They are repeated many times over a long period—sometimes days or even weeks—at intervals averaging 1 to 2 days.
Such attacks gained popularity because they’re cheap. They are effective against protection solutions that are activated manually. The danger of Hit-and-run is that constant protection requires continuous monitoring and availability of response systems.
The main targets of hit-and-run attacks are online game servers and service providers.
SYN Flood
This is another example of a volumetric attack. A standard TCP connection to the server is set up with the three-way handshake.
At the first stage, the client sends a packet with the SYN flag set to synchronize. The server responds with a SYN-ACK packet, acknowledging the first packet and waiting for a final, third packet (ACK) that confirms the connection. In a SYN Flood the client never sends the ACK, so half-open connections pile up and the flood overloads server resources.
Some of the largest companies became targets of SYN Flood and similar types of attacks at different times, such as Amazon, SoftLayer (IBM), Korea Telecom, and others. One serious incident was the disabling of the Eurobet Italia SRL sports betting website in October 2019. Later that month, several financial and telecommunication companies in Italy, South Korea, and Turkey fell victim to TCP SYN-ACK Reflection.
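The following Python model (added here; not from the article) replays the handshake on a toy listener to show why unanswered SYN-ACKs exhaust the connection table and how a low handshake-completion ratio exposes the flood; the backlog size, timeout and packet trace are assumed values.

```python
# Toy model of a listener's half-open (SYN_RECV) table, constructed for illustration.
# The backlog size and timeout are assumed values, not taken from any real TCP stack.

class Listener:
    def __init__(self, backlog=4, half_open_timeout=3.0):
        self.backlog, self.timeout = backlog, half_open_timeout
        self.half_open = {}      # (src_ip, src_port) -> time the SYN-ACK was sent
        self.established = 0
        self.dropped_syns = 0

    def _expire(self, now):
        # Entries whose ACK never arrived are reclaimed only after the timeout.
        for key, sent_at in list(self.half_open.items()):
            if now - sent_at > self.timeout:
                del self.half_open[key]

    def on_packet(self, now, flags, src):
        self._expire(now)
        if flags == "SYN":
            if len(self.half_open) >= self.backlog:
                self.dropped_syns += 1     # table full: nobody gets a SYN-ACK
                return "dropped"
            self.half_open[src] = now      # step 2: SYN-ACK sent, waiting for ACK
            return "syn-ack"
        if flags == "ACK" and src in self.half_open:
            del self.half_open[src]        # step 3: handshake completes
            self.established += 1
            return "established"
        return "ignored"

def replay(events, **listener_args):
    """Feed (time, flags, (ip, port)) events to a Listener and summarise the outcome.
    A low ratio of completed handshakes to SYNs seen is the detection signal."""
    lst, syns = Listener(**listener_args), 0
    for now, flags, src in events:
        syns += flags == "SYN"
        lst.on_packet(now, flags, src)
    return {"established": lst.established, "dropped": lst.dropped_syns,
            "half_open": len(lst.half_open),
            "completion_ratio": lst.established / syns if syns else 1.0}

# Constructed trace: four spoofed SYNs that are never ACKed fill the table; a real
# client is refused at t=1.0 and succeeds only after the stale entries expire.
TRACE = [(i * 0.1, "SYN", (f"198.51.100.{i}", 1000 + i)) for i in range(4)] + [
    (1.0, "SYN", ("203.0.113.10", 5555)),
    (1.1, "ACK", ("203.0.113.10", 5555)),  # ignored: this client never got a SYN-ACK
    (5.0, "SYN", ("203.0.113.10", 5556)),
    (5.1, "ACK", ("203.0.113.10", 5556)),
]
```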
Slowloris
This is a subtype of application-layer DDoS attack. Slowloris (or a session attack) aims to “exhaust” the targeted server. The perpetrator opens many connections and keeps each one open for as long as possible, until a timeout occurs.
Such attacks aren’t easy to detect since the TCP connection is already established and the HTTP requests look legitimate. After some time, this tactic allows the attacker to take over all connections, thus blocking real users from accessing the server.
Slowloris became widely known during the Iranian presidential election, when attackers attempted to disable government websites.
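Added example, not from the article, serving both the Slowloris entry in the application-layer list above and this section: a Python check over a constructed snapshot of open connections that flags those held open far longer than a header deadline without ever completing a request, then counts them per source. The snapshot, the deadline and the per-IP limit are assumptions.

```python
# Constructed snapshot of a web server's open connections, for illustration only.
# Each entry: (src_ip, opened_at, last_data_at, bytes received so far). Request headers
# are complete once the buffer contains the blank line that ends them ("\r\n\r\n").
NOW = 100.0
CONNECTIONS = [
    ("203.0.113.5", 98.0, 98.0, b"GET / HTTP/1.1\r\nHost: a\r\n\r\n"),     # normal
    ("203.0.113.9", 99.5, 99.5, b"GET /x HTTP/1.1\r\nHost: a\r\n\r\n"),    # normal
] + [
    # six connections from one source, each about a minute old, each still sending a
    # harmless header line every few seconds so the server's idle timer never fires
    ("198.51.100.7", 40.0 + i, NOW - 2.0 - i,
     b"GET / HTTP/1.1\r\nHost: a\r\n" + b"X-a: 1\r\n" * i)
    for i in range(6)
]

def headers_complete(buf):
    return b"\r\n\r\n" in buf

def stalled(conns, now, header_deadline=30.0):
    """Connections older than header_deadline whose request headers are still incomplete.
    Idle time looks healthy on a Slowloris connection, so age without a finished
    request is the signal, not inactivity."""
    return [c for c in conns
            if now - c[1] > header_deadline and not headers_complete(c[3])]

def offenders(conns, now, per_ip_limit=3, **kw):
    """Sources holding at least per_ip_limit stalled connections (candidates for a block)."""
    counts = {}
    for src, *_ in stalled(conns, now, **kw):
        counts[src] = counts.get(src, 0) + 1
    return {ip: n for ip, n in counts.items() if n >= per_ip_limit}

if __name__ == "__main__":
    print(offenders(CONNECTIONS, NOW))  # {'198.51.100.7': 6}
```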
How to set up reliable protection: 3 main steps
Cybersecurity is a narrow specialty that can hardly be covered in-house as easily as HR or accounting, no matter how advanced the company is. It’s important to ensure that your service and infrastructure providers are deeply immersed in cybersecurity issues and have established themselves as true professionals.
3 main steps for reliable protection:
- Use a tried and tested solution for continuous DDoS protection.
- Develop an action plan in case of an attack.
- Regularly run system health checks and eliminate application vulnerabilities.
A proven solution for continuous DDoS protection
Cloud infrastructure security requires special attention.
A server is one of the foundations for any web service, application, or site. If an attack leads to a loss of user access to resources, the consequences can be disastrous. There are financial and reputational risks, the potential compromising of confidential information, the destruction of valuable resources, and legal risks.
To keep your assets safe, it’s important to use proven online protection.
Protection should include the following elements:
- Tools for continuous traffic monitoring and detection of suspicious activity
- Adding IP addresses to blacklists and whitelists
- Threat notification system
- Attack neutralizing system
It’s especially important not to block user traffic along with malicious traffic when eliminating the threat.
A good example of effective fine-tuning is G-Core Labs’ DDoS Protection Service. This service is useful for any online business: media resources, game developers and publishers, telecom companies, insurance companies, banks, and online stores.
Intelligent traffic filtering based on the analysis of statistical, signature, technical, and behavioral factors makes it possible to block even single malicious requests without affecting ordinary users.
An action plan in case of an attack
A response plan aims to limit the damage caused by a DDoS attack. It’s a clear sequence of actions and measures to be taken immediately as soon as a threat occurs.
A detailed action plan should include the following:
Elimination of application vulnerabilities
To prevent a surprise DDoS attack and keep damage to a minimum, the protection mechanisms should be constantly improved. This rule applies not only to the tools designed to repel attacks but also to the protected infrastructure and application.
Here’s a list of potential threats:
- Authentication stage vulnerabilities
- Malicious code insertions
- Cross-site scripting
- Encryption vulnerabilities
- Logical errors, imperfect data structure
Scanning systems for vulnerabilities and constantly updating application code will help keep company resources resilient to most known cyber threats.