Distributed denial-of-service attacks have been getting significant amounts of attention as more enterprises are...
reliant on Internet or network access for critical business processes and board-level management become more aware of the impact of these attacks. Being able to take a critical website or system offline by paying a botnet operator a couple Bitcoins has put DDoS attacks within the reach of common individuals with bad judgment and ill intent. As an enterprise becomes more reliant on any technology or process, it needs to ensure it has adequate business continuity and disaster recovery plans in place to respond when there is a problem, as well as sufficient preventative controls in place to minimize the chance of a problem. DDoS attacks might be getting attention, but they are only one type of threat that an enterprise's information security program must address. However, the DDoS threat is also one of the most basic and potentially disruptive attacks available to attackers.
This tip will take a look at the evolution of the DDoS threat and what options are available to enterprises to mitigate it.
Evolution of DDoS attacks
Simple DoS attacks have been around prior to the start of the commercial Internet. The Robert Morris worm in 1989 wasn't intentionally designed as a DoS attack, but it caused a DoS effect on infected systems on the Internet. In 2000, DoS attacks made big news when major websites like CNN, Yahoo and Ebay went offline because of DoS attacks. The DDoS threat history is chronicled in a Fortinet blog post.
The Akamai Security Intelligence Response Team recently discussed new DDoS attacks that started targeting NetBIOS name servers, the Remote Procedure Call portmap service and Sentinel license servers for IBM's SPSS predictive analytics software.
Editor's note: The author currently works with Akamai Technologies via Internet2, but does not have a financial stake in Akamai.
These protocols use UDP (User Datagram Protocol) and have significant amplification factors that allow attackers to issue a single packet to the UDP port of a server and generate a response that has potentially hundreds of times the bandwidth of the initial query. These types of DDoS threats are known as reflection DDoS attacks, because they abuse public servers with open UDP ports.
These servers using UDP are designed to operate on local networks and interact with other computing resources; for example, a Sentinel reflection DDoS attack takes advantage of Sentinel servers designed to manage and enforce licenses on other systems in an environment. They were not designed with security in mind -- UDP does not verify if a source IP address is authentic -- and therefore are more susceptible to DDoS attacks. Each attack starts with IP spoofing -- a forged IP packet requests the destination IP address to respond to the forged IP address with a standard response for the protocol in question. This response could be a list of the other systems on the local network and could result in a significant amount to IP traffic sent to the forged victim's IP address, thus creating a massive DDoS attack.
Options to mitigate the DDoS threat
Enterprises initially had no options for responding to DDoS threats and attacks beyond blocking source IP addresses or changing IP addresses, but those protections are insufficient. Enterprises can implement DDoS protections via devices they manage on their network and service providers' networks. Modern DDoS mitigation providers like Akamai, CloudFlare, Incapsula, Arbor Networks and others have sophisticated systems to respond to volumetric and application-level attacks. An enterprise could implement a device on its network to block or clean the malicious traffic, but inevitability enterprises will need to work with their ISP and other upstream network providers to block the malicious traffic.
As DDoS mitigation providers have evolved, they have started to offer cloud services that can be used to block or clean the malicious traffic before it gets to the enterprise's network. These systems could use DNS redirections to the service provider, a BGP tunnel or even a dedicated connection to deliver the clean network traffic to the enterprise network.
Enterprises and ISPs should also take steps to ensure their endpoints, servers and networks are not used in a DDoS attack. By taking these steps along with the rest of the community, the industry can collectively reduce the impact of DDoS attacks. Implementing BCP 38, a common method that uses ingress filtering, will help prevent an organization's network from participating in a DDoS attack. Enterprises should also limit most protocols on the network to only approved network connections. These steps will help protect vulnerable devices from the malicious network traffic used to start the DDoS attack. Network access can allow for local network connections so the protocols can operate correctly on local networks and still be used. Manufacturers and software developers should include security in their software and system development lifecycles to prevent future protocols and devices from being used for DDoS attacks.
The future of the DDoS threat
It is only a matter of time until attackers start fuzzing other UDP network protocols to identify new ways to create DDoS attacks. The risk from DDoS threats and collateral damage will continue to rise as long as the cost to perform a DDoS attack is small and few criminals are prosecuted. The costs to prosecute DDoS cases often outweigh the costs incurred as the result of a DDoS attack, so the technology community needs to develop more effective mechanisms for preventing and blocking these types of attacks. In addition, ISPs will need to identify ways to deliver clean traffic to their customers, and enterprises need to continue to work with the information security community to prevent network infrastructure and systems from being used for DDoS attacks.
Discover how to secure the SSDP protocol to prevent DDoS attacks