Duck and Cover: Defending Against DDoS Attacks

Denial-of-service attacks are frequently deployed, yet often organizations fail to prepare themselves against the threat. Ted Kritsonis talks to industry experts about using analytics to prevent and respond to DDoS attacks

Cyberattacks don’t always grab headlines among the mainstream press, but when they do, it’s often a case of distributed denial-of-service (DDoS) attacks that have crippled an enterprise or government website, forcing IT departments to devise methodologies to contain the threats and get back up and running.

This external threat can be debilitating for the simple reason that a DDoS attack (a DNS flood, for instance) exhausts a system’s available resources with traffic from any number of compromised computers, cutting off access for legitimate users and customers. Beyond the lost revenue and reputational damage these attacks cause, the perpetrators don’t always share a single purpose. The motive may be financial, a competitor aiming to damage a rival, or a politically motivated act known as ‘hacktivism.’

“Regardless of gains, DDoS attacks are getting cheaper and cheaper to launch. It’s simple to find many free tools online capable of bringing down a small to moderate site, and botnets can be rented for as little as $100 an hour”, says Sean Power, security operations manager at DOSarrest, a firm specializing in preventing and managing these attacks. “Only the really big impressive attacks make the headlines, and some people may think they are immune for this reason, but that is not the case.”

Attack Methods

Attack vectors come in thousands of variants, but they usually fall into one of three categories. Volumetric attacks use botnets to congest the links between the target and the internet. TCP state-exhaustion attacks fill the connection tables of infrastructure components such as load balancers, firewalls and the application servers themselves. The third category, application-layer attacks, is arguably the most dangerous and the most common: these attacks stealthily target one aspect of an application or service and can be launched from as little as one machine at a low traffic rate, which makes them hard to tell apart from legitimate use.

Power believes attackers respond shrewdly to mitigation by shifting to other weaknesses. One example is the headless-browser attack: infected computers run a browser engine in the background, unbeknownst to their users, and send requests that look like ordinary browser traffic, fooling mitigation devices into treating them as legitimate. Because it appears to be a simple web browser, such traffic can slip through capable defenses.

The impact can be devastating if not countered promptly and efficiently. At the time of writing, the largest reported DDoS attack was launched in March 2013 against Spamhaus, an international non-profit that battles spam. It had peaked at 300Gbps, three times the size of the previous largest reported attack, making headlines around the world for its scope.

Attackers also profit from quieter attacks that lie low over time. DNS spoofing and hijacking have been cited as tools of industrial espionage or blackmail: if a company’s DNS records are compromised, its email can be routed to unauthorized mail servers, potentially exposing sensitive internal information and communications.

Playing Defense

Rakesh Shah, director of product marketing and strategy at Arbor Networks, has dealt with threats of varying sizes, and has witnessed clients feel the pain of an attack.

“We know of one company that suffered 90 minutes of downtime because they were unprepared when in the heat of an attack scenario”, says Shah. “They couldn’t connect with key people internally or at their cloud mitigation provider, so that 90 minutes of confusion cost the firm over $1 million in revenue and angered their customer base greatly.”

Shah wouldn’t name the affected firm, but did say there were two levels of preparation its IT department should have pursued. The first is a multi-layered DDoS defense that combines on-site and cloud-based protection. The second, which he feels is often overlooked, is a standard incident response plan, so that staff know the processes to follow and the people to call to minimize the downtime associated with an attack.

Power agrees, suggesting that IT managers must prepare a ‘playbook’ to follow in case a DDoS attack occurs. This blueprint should include building a capable DDoS response team that knows the range of normal, legitimate traffic, documenting the network’s topology, creating robust remote access that still works when the primary links are saturated, and executing the plan effectively.
From an analytical perspective, this also means collecting baseline measurements of all network activity at public access points: for example, graphing bits per second and packets per second on the major ingress and egress links, and setting threshold alerts that fire when either rate departs from the baseline. Egress counters deserve the same attention as ingress, because they are what reveal an organization’s own servers being used to flood someone else.
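A minimal version of the baseline-and-threshold alerting described above, added here as an example and not drawn from DOSarrest or the article. It assumes a poller that reads cumulative octet and packet counters (SNMP-style) from each major ingress and egress link at a fixed interval; the link name, interval and counter values in the demo are constructed.

```python
"""Baseline-and-threshold alerting on link counters (bits/s and packets/s)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Sample:
    link: str        # link identifier, e.g. "edge1:xe-0/0/0" (constructed name)
    direction: str   # "in" for ingress, "out" for egress
    t: int           # seconds since epoch
    octets: int      # cumulative octet counter (64-bit, assumed not to wrap)
    packets: int     # cumulative packet counter


def rates(prev: Sample, cur: Sample) -> tuple[float, float]:
    """Turn two cumulative counter readings into (bits/s, packets/s)."""
    dt = cur.t - prev.t
    if dt <= 0:
        raise ValueError("samples must be strictly increasing in time")
    return (cur.octets - prev.octets) * 8 / dt, (cur.packets - prev.packets) / dt


class Baseline:
    """Rolling per-(link, direction) baseline of bps and pps.

    A reading alerts when it exceeds mean + k*stddev of the last `window`
    readings (or an absolute floor, whichever is higher). Alerting readings
    are NOT folded into the history, so a sustained flood cannot quietly
    raise its own threshold.
    """

    def __init__(self, window=60, k=3.0, min_samples=10,
                 floor_bps=0.0, floor_pps=0.0):
        self.k, self.min_samples = k, min_samples
        self.floors = {"bps": floor_bps, "pps": floor_pps}
        self.hist = defaultdict(lambda: {"bps": deque(maxlen=window),
                                         "pps": deque(maxlen=window)})
        self.last = {}

    def observe(self, s: Sample) -> list[str]:
        """Feed one counter sample; return the alerts it triggers (often none)."""
        key = (s.link, s.direction)
        prev, self.last[key] = self.last.get(key), s
        if prev is None:
            return []                       # first reading: no rate yet
        bps, pps = rates(prev, s)
        alerts = []
        for name, value in (("bps", bps), ("pps", pps)):
            hist = self.hist[key][name]
            if len(hist) >= self.min_samples:
                threshold = max(mean(hist) + self.k * pstdev(hist), self.floors[name])
                if value > threshold:
                    alerts.append(f"{s.link} {s.direction} {name}={value:.0f} "
                                  f"exceeds baseline {threshold:.0f}")
        if not alerts:                      # learn only from normal readings
            self.hist[key]["bps"].append(bps)
            self.hist[key]["pps"].append(pps)
        return alerts


def demo() -> list[str]:
    """Replay constructed counters: 24 steady readings per direction, then a flood."""
    JITTER = [98, 101, 100, 102, 99, 100]   # percent of 100 Mbps / 20 kpps per 10 s
    bl = Baseline(window=60, k=3.0, min_samples=10, floor_bps=10e6, floor_pps=5e3)
    alerts = []
    for direction in ("in", "out"):
        t, octets, packets = 1_400_000_000, 0, 0
        alerts += bl.observe(Sample("edge1:xe-0/0/0", direction, t, octets, packets))
        for i in range(24):
            t += 10
            octets += 1_250_000 * JITTER[i % 6]     # ~125 MB per 10 s = ~100 Mbps
            packets += 2_000 * JITTER[i % 6]        # ~200k packets per 10 s = ~20 kpps
            alerts += bl.observe(Sample("edge1:xe-0/0/0", direction, t, octets, packets))
        t += 10
        if direction == "in":       # volumetric flood: 1 Gbps, 500 kpps
            octets, packets = octets + 1_250_000_000, packets + 5_000_000
        else:                       # outbound small-packet flood: ~101 Mbps but 300 kpps
            octets, packets = octets + 126_000_000, packets + 3_000_000
        alerts += bl.observe(Sample("edge1:xe-0/0/0", direction, t, octets, packets))
    return alerts


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The egress case is deliberately a flood of small packets: its bit rate stays inside the baseline and only the packet rate trips the alert, which is why both counters are graphed and thresholded rather than bits per second alone.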

“It bears repeating, but you have to keep your documentation up to date, monitor the DDoS industry for changes and ensure your technology is on top of the latest threats and test both your DDoS defense strategy and your team”, Power advises. “There are companies whose sole expertise is preparing for and defending against sophisticated and large-scale DDoS attacks, and they come in a range of flavors and prices. Make sure you understand your needs and vendors’ service offerings beforehand so that when the need arises, you will have taken that difficult decision-making process out of the equation.”


Traditionally, DDoS attacks have been a looming threat to enterprises and businesses for reasons of extortion and fraud: cyber-attackers demand a ransom, or use the attack as cover for fraudulent activity. But DDoS attacks have gained more publicity when used as a political tool, particularly by the hacktivist group Anonymous.

The tactic has also been used for geopolitical ends, as with the Iran-based Izz ad-Din al-Qassam Cyber Fighters, who targeted US banks from September 2012 into 2013, and the Syrian Electronic Army, which has targeted sites as varied as eBay, the Associated Press and the US Marine Corps recruitment page. There is no concrete evidence that either group is state-sponsored, but the implication is clear: no one is immune from an attack, regardless of the motivation behind it.

This has been noted in Arbor Networks’ ninth annual ‘Worldwide Infrastructure Security Report’, which highlighted “dramatic growth in high-volume DDoS attacks” and that 71% of data center operators reported a DDoS attack in 2013, compared to 45% from the year before. Moreover, 36% of those attacks exceeded the total available bandwidth, almost doubling the mark set the year before. But perhaps even more damaging, targets reported a cumulative 35% customer churn rate and 27% revenue loss as consequences of those attacks.

The gloomy stats cast a light on the problem’s pervasiveness, given that Arbor Networks had a mix of 220 service providers and network operators from various industries and categories weighing in. Google collaborated with Arbor Networks by using the latter’s ATLAS global threat monitoring system to build the Digital Attack Map, which reports and visualizes daily attacks and their origins worldwide.

“One of the clear targets that emerged in Europe when reviewing our own data was media and entertainment, specifically news organizations, accounting for 15% of all attacks in North America, and nearly 25% of all attacks in Europe”, notes Martin McKeay, senior security advocate at Akamai. “News organizations aren’t the most heavily secured and protected environments, often lacking in controls that an online merchant or bank might employ, since the cost of downtime for a news organization is much less.”

McKeay adds that the amount of data traveling across Akamai’s networks doubles every 18 months. Growing broadband and computing power in emerging markets could lead to more intense attacks, although DDoS sizes have yet to grow at the same rate as broadband adoption. Even so, compromised systems tend to be concentrated in the developing world, with China, Indonesia and India leading. Since attacks routinely cross national borders, litigation offers little recourse.

“The lack of laws concerning different forms of computer abuse in many markets make it harder for the target of the attack to defend themselves legally, and make it nearly impossible for law enforcement agencies to follow up and enforce any such laws that do exist”, he says.

This puts more of the onus on organizations to protect themselves with the right plans and tools in place. Shah says knowledge and preparedness varies from industry to industry and then from company to company within that industry. Low and slow application-layer attacks can be dealt with on-site, including protecting infrastructure like firewalls and IPS, while cloud-based protection is necessary against large-volume attacks.

Attacker Adaptation

Not surprisingly, cyber-attackers are adapting their techniques to emerging defenses. Although still a recent trend, DDoS malware is adding features designed to evade purpose-built DDoS defenses, tying up the defender’s resources and opening holes that the attacker can exploit.

“Some think it won’t happen to them, while others think they are protected if they subscribe to a cloud-based DDoS managed service. An organization is not protected from the full spectrum of DDoS attacks unless they have a multi-layered defense in place”, says Shah.

“The hottest trend in DDoS today is the multi-vector attack, combining flood, application and state exhaustion attacks against infrastructure devices all in a sustained attack that dynamically changes. These attacks are popular because they’re often highly effective and difficult to defend against”, Shah concludes.



Hijacked anti-DDoS servers used to carry out massive DDoS attack

A massive distributed denial-of-service (DDoS) attack was carried out earlier this month using the very kind of servers designed to prevent this classic type of attack.

In early May, website security company Incapsula was able to help fend off a powerful DDoS attack that was launched using high-capacity servers hijacked from two separate DDoS protection services providers.

The attack, which occurred on May 1 against an unnamed online gaming website, went on for about seven hours and held steady at 25 million packets per second (Mpps) throughout, Igal Zeifman, product evangelist at Incapsula, said in an email on Monday.

The perpetrators hijacked and leveraged the power of two separate high-capacity servers belonging to unnamed DDoS protection services providers, Zeifman said. He explained that this type of strong network infrastructure, built to defend against volumetric attacks, offers attackers a way to “fight fire with fire.”

Because many of the DNS queries carried non-spoofed source addresses, Incapsula was able to determine that the compromised DDoS protection providers were located in Canada and China, Zeifman said, adding that both companies confirmed to Incapsula that their servers had been used in the attack.

“Because mitigation is all about filtering of incoming requests, ongoing traffic tends to be overlooked,” Zeifman said. “In this case, we actually had to notify the DDoS protection providers, for them to notice the outgoing floods from their servers.”



Another DNS Provider Targeted in DDoS Attack

PointDNS says most of its DNS servers are online again after a massive DDoS attack late last week took down the service provider.

A post on the company’s Twitter account on Friday said the provider was adding nameservers and working with network providers to restore service to its customers. Many of those same customers took to social media complaining about downtime and unavailability of their own websites and services. According to its website, PointDNS services more than 220,000 domains worldwide.

Earlier today, a post from its parent company said services were “back to normal.”

This was the second large attack against a DNS provider in two weeks. On April 30, UltraDNS mitigated a DDoS attack that kept most of its customers offline for the better part of a day.

The SANS Institute’s Internet Storm Center said the attack peaked at 100 Gbps against one of UltraDNS’ customers. The attack resulted in latency issues for other UltraDNS customers.

Last week, Incapsula, a cloud-based application delivery company that also sells security services, said it fought back a 25 million packets per second DDoS attack and that many of the DNS queries held non-spoofed IP data. This stands in contrast to many other massive DDoS attacks of late, in particular reflection or amplification attacks, that rely on spoofed addresses to send massive quantities of bad traffic at a target.

The Incapsula-mitigated attack was traced back to IP addresses belonging to a pair of DDoS protection services, which are designed for high-capacity traffic management, Incapsula said. Hackers can take advantage of this to pull off DDoS attacks without amplification.

These latest attacks, meanwhile, continue a trend of volumetric DDoS attacks reaching new heights.

A recent report from Arbor Networks said the company has already tracked more than 70 DDoS attacks that topped 100 Gbps of malicious traffic. The largest on record reached between 325 Gbps and 400 Gbps.

Almost all of these attacks rely on DNS reflection or, in a growing number of cases, Network Time Protocol (NTP) amplification. In both cases the source IP address of the query is spoofed to be the target’s, so the reflecting servers send their much larger replies to the victim, at no bandwidth cost to the attacker.

US-CERT issued an advisory in January warning companies that attackers were exploiting NTP servers to flood networks with UDP traffic. NTP servers are publicly available machines used to synchronize computer clocks. NTP amplification attacks abuse the MON_GETLIST (monlist) feature of older NTP server software, a debugging command that returns the addresses of up to the last 600 machines that interacted with the server. Monlist is a classic set-and-forget feature: a small forged REQ_MON_GETLIST request, sent with the victim’s address as its source, elicits a reply many times larger, which is what makes the amplification possible.

With DNS amplification attacks, attackers take advantage of any number of the 28 million open DNS resolvers on the Internet to launch large-scale DDoS attacks. The motivations are varied. Ideological hackers use them to take down services in protest, while profit-motivated criminals can use DDoS as a cover for intellectual property theft and financial fraud.
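To make the monlist mechanism concrete, here is an added example (not code from the article, US-CERT or any vendor) that decodes NTP mode 7 headers as ntpd’s ntp_request.h lays them out, recognizes MON_GETLIST traffic for a detector, and estimates the amplification a reflector delivers. The packets are constructed, not captured: the 192-byte request matches the unauthenticated req_pkt size ntpdc sends, each 440-byte response carries six 72-byte monlist entries, and the 28-byte IPv4/UDP header allowance is an assumption.

```python
"""Decode NTP mode 7 (private) packets and estimate monlist amplification."""
import struct

MODE_PRIVATE = 7          # ntpd's implementation-specific "private" mode
IMPL_XNTPD = 3            # implementation number used by ntpd
REQ_MON_GETLIST = 20      # original monlist request code
REQ_MON_GETLIST_1 = 42    # monlist variant with 72-byte entries (what ntpdc uses)
RESP_BIT, MORE_BIT = 0x80, 0x40
MONLIST_ENTRY = 72        # sizeof(struct info_monitor_1)
ENTRIES_PER_PACKET = 6    # 6 * 72 = 432 bytes of data per response packet
MAX_ENTRIES = 600         # ntpd keeps at most 600 recent clients


def parse_mode7(payload: bytes):
    """Return the 8-byte header fields of an NTP mode 7 packet, or None if
    `payload` is not mode 7 (ordinary client/server NTP uses modes 3 and 4)."""
    if len(payload) < 8:
        return None
    rm_vn_mode, auth_seq, impl, req, err_nitems, mbz_itemsize = struct.unpack("!BBBBHH", payload[:8])
    if rm_vn_mode & 0x07 != MODE_PRIVATE:
        return None
    return {
        "response": bool(rm_vn_mode & RESP_BIT),
        "more": bool(rm_vn_mode & MORE_BIT),       # more response packets follow
        "version": (rm_vn_mode >> 3) & 0x07,
        "sequence": auth_seq & 0x7F,
        "implementation": impl,
        "request": req,
        "error": err_nitems >> 12,
        "nitems": err_nitems & 0x0FFF,
        "itemsize": mbz_itemsize & 0x0FFF,
        "length": len(payload),
    }


def classify(payload: bytes) -> str:
    """Label a UDP/123 payload: monlist-request, monlist-response, mode7-other or other."""
    h = parse_mode7(payload)
    if h is None:
        return "other"
    if h["implementation"] == IMPL_XNTPD and h["request"] in (REQ_MON_GETLIST, REQ_MON_GETLIST_1):
        return "monlist-response" if h["response"] else "monlist-request"
    return "mode7-other"


def monlist_request(padding: int = 184) -> bytes:
    """Constructed REQ_MON_GETLIST_1 query: version 2, mode 7, no items. ntpdc sends
    192 bytes (8-byte header plus 184 bytes of data/timestamp area) without a MAC."""
    hdr = struct.pack("!BBBBHH", (2 << 3) | MODE_PRIVATE, 0, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0)
    return hdr + bytes(padding)


def monlist_response(seq: int, last: bool, entries: int = ENTRIES_PER_PACKET) -> bytes:
    """Constructed response packet holding `entries` zeroed 72-byte monitor records.
    Real records carry the client address, packet count and timestamps."""
    flags = RESP_BIT | (0 if last else MORE_BIT) | (2 << 3) | MODE_PRIVATE
    hdr = struct.pack("!BBBBHH", flags, seq & 0x7F, IMPL_XNTPD, REQ_MON_GETLIST_1, entries, MONLIST_ENTRY)
    return hdr + bytes(MONLIST_ENTRY * entries)


def full_monlist_reply() -> list[bytes]:
    """All 100 packets a server with a full (600-entry) monitor table returns."""
    n = MAX_ENTRIES // ENTRIES_PER_PACKET
    return [monlist_response(seq, last=(seq == n - 1)) for seq in range(n)]


def amplification(requests: list[bytes], responses: list[bytes], l3l4_overhead: int = 28) -> float:
    """Bytes delivered to the (spoofed) source per byte the attacker sent, counting an
    assumed 20-byte IPv4 + 8-byte UDP header on every packet."""
    sent = sum(len(p) + l3l4_overhead for p in requests)
    reflected = sum(len(p) + l3l4_overhead for p in responses)
    return reflected / sent


if __name__ == "__main__":
    req, reply = monlist_request(), full_monlist_reply()
    print(classify(req), classify(reply[0]), f"{amplification([req], reply):.1f}x")
```

On the wire a detector sees the request side only if the reflector is inside its own network; on the victim side the signature is a stream of mode 7 responses with the `more` bit set, all from UDP port 123, for a request the victim never sent.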



DOS: You Got Served

DoS (denial-of-service) attacks come in various forms and intensities, but all have the same purpose: to take a website offline and damage the organization running it. A common use of DoS attacks is extortion. An attacker will DoS a site and email the owner, demanding payment or else the website will be kept offline. DoS attacks are also used as a form of protest. In 2009, Iranians launched DDoS (distributed denial-of-service) attacks against several government websites to protest the presidential election. Anonymous has also used DDoS attacks to protest Megaupload being taken offline. They attacked the websites of UMG (the company responsible for the lawsuit against Megaupload), the United States Department of Justice, the United States Copyright Office, the Federal Bureau of Investigation, the MPAA, Warner Brothers Music and the RIAA, as well as HADOPI, all on the afternoon of January 19, 2012.

The tool most commonly used to conduct DDoS attacks as protest is LOIC (Low Orbit Ion Cannon). LOIC is a free program available for any platform that does nothing but send junk traffic to a server. One person running it against a server achieves nothing; practically no website will fall to a single Low Orbit Ion Cannon. Websites only go down when thousands upon thousands of people run LOIC at the same time against the same server. Much like a real-world protest, this clogs the server’s bandwidth, making it very difficult for legitimate traffic to get through. LOIC is most publicly associated with Anonymous. In 2008, they gathered enough people to attack the websites of the Church of Scientology. In 2010, they also attacked the Recording Industry Association of America and the websites of organizations opposed to WikiLeaks during Operation Payback.

While large groups of people can take down a website through coordination, a lone attacker who wants to DDoS a website needs a botnet: an army of infected computers he can control remotely. Another tactic attackers use to multiply the amount of data they send is to abuse NTP (Network Time Protocol) servers. NTP is the protocol used to get the current time. What matters is that a small request produces a large response, so if an attacker forges the source address so that the NTP server sends its response to a single target website, he can multiply the volume of data aimed at the target many times over. Fortunately, many NTP server operators are aware of this weakness, and about 4 out of 5 servers have been patched or reconfigured against this type of abuse.

Not all DoS attacks require angry mobs of people or thousands of zombie computers. Some attacks exploit vulnerabilities in the target’s software to remotely crash or hang the machine. Teardrop is one of those attacks. Fortunately, no modern computer can be taken down with Teardrop; it was discovered and used against Windows 95, NT and 3.1. An attacker would send overlapping IP fragments that the victim’s reassembly code could not handle, causing it to crash. There was no other destruction of data, other than anything unsaved at the time; the attack would only cause the computer to blue-screen. A similar attack is the Ping of Death. To attack a computer with the Ping of Death, an attacker would send a ping (ICMP echo request) fragmented so that the reassembled packet was larger than 65,535 bytes, the maximum size of an IP packet. The attacked computer had nowhere to store the extra bytes in memory and would crash.

There are many forms of DoS attack, and attackers find new vulnerabilities to exploit every day. The most effective attacks are still DDoS attacks, where large groups of machines or people combine to take down a site. Though it may not seem to matter that a government site goes down for a couple of days, DDoS attacks have real-world effects and can be used for peaceful protest or as a form of extortion by mafia-like groups of attackers.



‘Biggest ever’? Massive DDoS attack hits EU, US

A massive DDoS attack hit EU- and US-based servers, with security companies reporting it to be even more powerful than last year’s Spamhaus attacks. While the method of the attack was not new, CloudFlare warned there are “ugly things to come.”

Only scant details about the attack were released by US-based web performance and security firm CloudFlare, which fought back against the distributed denial of service (DDoS) attack early Tuesday.

According to CloudFlare CEO Matthew Prince, the attack reached 400 gigabits per second in power – some 100Gbps higher than the notorious Spamhaus cyber-assault of March 2013 that at the time was branded the largest-ever attack in the history of the internet.

“[It was] very big. Larger than the Spamhaus attack from last year… Hitting our network globally but no big customer impact outside of Europe,” Prince was quoted as saying by TechWeekEurope blog.

Prince said one customer was initially targeted by the attack, but added that he would not disclose the customer’s identity.

The company spent several hours mitigating the attack, but said that the European network was largely unaffected. When helping to deal with the massive cyberwar on Spamhaus last year, CloudFlare claimed it slowed down the entire World Wide Web, which prompted critics to dub the company’s part a “PR stunt effort.”

CloudFlare had some spooky statement to offer its customers this time as well. According to Prince, the latest attack has shown someone has got “a big, new cannon,” and it could be a “start of ugly things to come.”

French hosting firm OVH also reported being hit by an attack of more than 350Gbps in strength, but it was not clear whether it was the same attack CloudFlare experienced.

The technique used by the attackers was not exactly new: they exploited the Network Time Protocol (NTP), which is used to synchronize clocks on computer systems. Older NTP server software answers a ‘monlist’ query with a list of the clients the server has recently talked to, along with their traffic counts, and that reply is far larger than the query. If made en masse with forged source addresses, such requests generate an overwhelming volume of traffic, bringing down the target just as a typical DDoS attack would.

What makes these attacks worse is the “spoofing” of IP addresses: the attacker forges the victim’s address as the source of the queries, so it looks as if the victim is generating them and the servers send their replies to it. The volume also skyrockets because the replies thrown back at the target by many abused servers are “large” compared with the queries. For this reason, such tactics are referred to as “reflection and amplification” attacks.

Back in January, the US Computer Emergency Readiness Team (US-CERT) issued a warning about such NTP amplification attacks after a number of prominent gaming services were brought down by them in December, including Steam, League of Legends and

While CloudFlare in its warning urged server administrators to patch and upgrade their NTP servers to solve the issue, it appears that few have since bothered to carry out these security measures.
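The fix CloudFlare and US-CERT urged is a server-side configuration change, so here is an added example, not from CloudFlare or the NTP project, of an audit of an ntp.conf for the two settings that close monlist on ntpd versions that still have it (the command was removed in ntpd 4.2.7p26): `disable monitor`, which stops the monitor list being kept, and `noquery` on the default restriction, which refuses mode 6/7 queries from arbitrary clients. The two configurations below are constructed samples, one exposed and one hardened; the upstream server names and paths in them are placeholders.

```python
"""Audit an ntp.conf for settings that leave monlist answerable to the internet."""


def _parse(text: str):
    """Yield tokenised directives with comments and blank lines stripped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line.split()


def audit_ntp_conf(text: str) -> list[str]:
    """Return findings; an empty list means mode 7 queries (monlist) are not
    reachable under the default restriction and no monitor data is kept."""
    monitor_enabled = True                     # ntpd's default
    defaults = {"IPv4": None, "IPv6": None}    # flags on 'restrict default' per family
    for tok in _parse(text):
        if tok[0] in ("disable", "enable") and "monitor" in tok[1:]:
            monitor_enabled = tok[0] == "enable"   # last directive wins
        elif tok[0] == "restrict":
            rest = tok[1:]
            families = ["IPv4", "IPv6"]            # bare 'default' covers both families
            if rest and rest[0] in ("-4", "-6"):
                families = ["IPv4" if rest[0] == "-4" else "IPv6"]
                rest = rest[1:]
            if rest and rest[0] == "default":
                for fam in families:
                    defaults[fam] = set(rest[1:])
    findings = []
    if monitor_enabled:
        findings.append("monitor enabled: ntpd records clients for monlist (add 'disable monitor')")
    for fam, flags in defaults.items():
        if flags is None:
            findings.append(f"{fam}: no 'restrict default' line, so queries from anyone are answered")
        elif not flags & {"noquery", "ignore"}:
            findings.append(f"{fam}: 'restrict default' lacks noquery, so monlist is answerable from anywhere")
    return findings


# Constructed sample: what an exposed reflector typically looked like.
EXPOSED_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst                  # placeholder upstream
server 1.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer   # no noquery: mode 7 is answered
restrict 127.0.0.1
"""

# Constructed sample: monlist closed off.
HARDENED_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
disable monitor
restrict -4 default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
"""

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_ntp_conf(conf) or ["ok"])
```

The audit treats `noquery` and `ignore` as equivalent for this purpose, since either stops the server answering mode 7 from the default class; the localhost lines are left alone because they are what ntpdc on the box itself needs.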


