By Mathan Babu Kasilingam
Organizations today depend far more on the internet for day-to-day business operations than they did in the past. While the internet offers enormous potential, it also exposes an organization to cyber-attacks.
Distributed Denial of Service (DDoS) is one such risk with the potential to create havoc. It is an attack in which multiple compromised systems on the internet, most often infected with malware, are used to target an organization’s IT infrastructure (usually a single service, such as a web portal), denying service to legitimate customers.
In 2016, the MIRAI attack used Internet of Things (IoT) devices to attack DYN DNS, which brought down the services of Twitter and LinkedIn. This is an example of a DDoS attack in which over 380,000 IoT devices from various geographies, including India, were used as bots.
Typical way a bot is used in DDoS
Not all DDoS attacks come from botnets, but here’s why botnets are effective:
- Obfuscation – The attacker is able to conceal themselves from the victim
- Amplification – By using compromised systems, the attacker can launch a larger attack
- Geographical dispersion – A large botnet can span the globe, making for a massively distributed attack that is hard to mitigate
There’s nothing new about botnets. They’ve been with us for a long time. In fact, some very large ones existed in the early 2000s that involved millions of nodes.
US federal officials have arrested three hackers who have pleaded guilty to computer crime charges for creating and distributing the MIRAI botnet.
Paras Jha (a 21-year-old from New Jersey), Josiah White (a 20-year-old from Washington) and Dalton Norman (a 21-year-old from Louisiana) were indicted by an Alaska court in December 2017 on multiple charges for their role in massive cyber-attacks conducted using the MIRAI botnet.
The attackers had by then already released the MIRAI attack code publicly, making it available to other cyber criminals.
DDoS attacks can be broadly divided into three types:
Volume Based Attacks
This type of attack includes UDP floods, ICMP floods and other spoofed-packet floods. Its goal is to saturate the bandwidth of the attacked site or associated services such as DNS, and its magnitude is measured in bits per second (bps). It targets the Network Layer (L3) of the OSI stack. MIRAI was this type of attack.
This type of attack is mostly identified reactively and can be mitigated only by Scrubbing Services, wherein all traffic is re-routed to a Scrub Center that filters out bad traffic and forwards only good traffic.
A few intelligent Layer 7 inspection devices that can be deployed at the enterprise perimeter (next to the ISP router) are able to identify these types of attacks and automatically signal the Scrub Center to mitigate them.
It is essential that an organization partners with a Cloud Scrubbing provider that is able to accept traffic re-routing from any of the Internet Service Providers the organization subscribes to.
State exhaustion (TCP) attacks
These attacks include SYN floods, fragmented packet attacks, Ping of Death, Smurf DDoS and more. They consume actual server resources, or those of intermediate communication equipment such as firewalls and load balancers, and are measured in packets per second. They target layers L3 to L6 of the OSI stack: the Network Layer (fragmented packet attacks), Transport Layer (SYN Flood, Varying State Flood, IPSEC Flood), Session Layer (connection flood exhaustion, long-lived TCP sessions) and Presentation Layer (SSL Exhaustion, DNS Query Flood). These attacks are hard to detect and need integrated monitoring systems or intelligent Layer 7 inspection devices that can study traffic patterns and filter out traffic when they see malformed packets (SYN floods, fragmented packets, etc.).
Application Layer Attacks
These include low-and-slow attacks, GET/POST floods, attacks that target Apache, Windows or OpenBSD vulnerabilities, and more. Comprised of seemingly legitimate and innocent requests, their goal is to crash the web server, and their magnitude is measured in requests per second (RPS). These attacks target only the Application Layer (L7) of the OSI stack, especially HTTP and HTTPS. They are defended against by Web Application Firewalls (WAF) that can learn, inspect and defend an enterprise from such attacks.
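As an added example (not from the article), the classifier below applies the three measures the article attaches to each attack type (bits per second, packets per second with the share of bare SYNs, and HTTP requests per second) to constructed one-second traffic windows; the thresholds and the sample records are assumptions a defender would tune to their own link and application.

```python
from collections import namedtuple

Pkt = namedtuple("Pkt", "proto flags size http_request")

# Assumed thresholds for a one-second window; tune to the link and the application.
BPS_THRESHOLD = 100_000_000   # volumetric: saturating a 100 Mbps pipe
PPS_THRESHOLD = 20_000        # state exhaustion: packets per second
SYN_RATIO_THRESHOLD = 0.8     # state exhaustion: share of TCP packets that are bare SYNs
RPS_THRESHOLD = 5_000         # application layer: HTTP requests per second

def classify_window(packets, window_seconds=1.0):
    """Return {class: indicator} for each DDoS class whose indicator is exceeded."""
    total_bits = sum(p.size * 8 for p in packets)
    tcp = [p for p in packets if p.proto == "tcp"]
    bare_syn = sum(1 for p in tcp if p.flags == "S")      # SYN with no ACK: half-open attempt
    requests = sum(1 for p in packets if p.http_request)
    bps = total_bits / window_seconds
    pps = len(packets) / window_seconds
    rps = requests / window_seconds
    syn_ratio = bare_syn / len(tcp) if tcp else 0.0
    findings = {}
    if bps > BPS_THRESHOLD:                               # L3 bandwidth saturation
        findings["volumetric"] = round(bps)
    if pps > PPS_THRESHOLD or syn_ratio > SYN_RATIO_THRESHOLD:  # L3-L6 resource exhaustion
        findings["state_exhaustion"] = {"pps": round(pps), "syn_ratio": round(syn_ratio, 2)}
    if rps > RPS_THRESHOLD:                               # L7 request flood
        findings["application"] = round(rps)
    return findings

# Constructed one-second windows standing in for a flow export or packet capture.
def udp_flood_window():
    return [Pkt("udp", "", 1400, False)] * 10_000        # 112 Mbps at only 10k pps
def syn_flood_window():
    return [Pkt("tcp", "S", 60, False)] * 25_000         # 25k pps, every packet a bare SYN
def http_flood_window():
    return [Pkt("tcp", "PA", 300, True)] * 6_000         # 6k GET/POST requests per second
def normal_window():
    return ([Pkt("tcp", "S", 60, False)] * 50 + [Pkt("tcp", "PA", 500, True)] * 200
            + [Pkt("tcp", "A", 60, False)] * 400 + [Pkt("udp", "", 200, False)] * 100)

if __name__ == "__main__":
    for name, window in [("udp flood", udp_flood_window()), ("syn flood", syn_flood_window()),
                         ("http flood", http_flood_window()), ("normal", normal_window())]:
        print(name, classify_window(window) or "no DDoS indicator exceeded")
```

Each flood trips exactly one class, which is the point: a volumetric flood can stay below the packet-rate threshold, and a SYN flood can stay well below the bandwidth threshold, so a single measure misses two of the three types.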
The way forward
There has been a major shift over time in the motivation of the people behind DDoS attacks. Instead of simply using botnets for spam, botnet operators have found ways to monetize their efforts through extortion or by launching DDoS-for-hire platforms like MIRAI. In the current era, we know that hampering an organization’s digital presence can bring it to its knees. To combat such attacks, an organization needs to deploy multi-pronged and multi-layered DDoS protection to sustain infrastructure availability, as there are various elements in the IT landscape that can come in handy to tackle DDoS attacks.
How can one sustain a DDoS attack?
DNS is at the core of ensuring that digital channels are available to all customers at all times. Deploying DNS infrastructure in a resilient manner, meaning on public clouds or across multiple data centers, will allow it to sustain large-scale attacks on DNS. Ideally, if the DNS infrastructure is geographically distributed, it can sustain attacks of even larger scale.
In the case of volumetric attacks, it is essential to subscribe to a Cloud-based Scrubbing service, either from the ISP or from an independent scrubbing provider, to mitigate attacks. Most of these providers do not provide a Clean Pipe service, which would mean being able to block all attack traffic irrespective of the size of the attack, so the organization should review the agreement appropriately to include Clean Pipe clauses, or as per its risk appetite.
Building resilient infrastructure is core to sustaining a DDoS attack and quickly recovering from it. Leveraging cross-platform infrastructure has also helped many organizations tackle low-and-slow attacks (such as Slowloris attacks, which are hard to detect). This works when, on detection, there are resilient copies of the web servers running on non-uniform infrastructure, meaning a primary location and a DR location both hosting the website, for example one running on a Windows – IIS stack and a copy of the application (either the static website or the dynamic code) running in a non-Windows environment, for example a Linux – Java stack.
There are other security components that can come in handy in defending against DDoS attacks; most often, Intrusion Prevention Systems and Load Balancers have significant controls that can mitigate some types of DDoS attacks. It is essential that the network and security teams work together to identify the layers of security the organization has deployed and understand the capabilities of those devices that can be used while under attack; a comprehensive DDoS response handbook helps here.
It is also essential to periodically engage professional firms that can simulate DDoS attacks, to measure the response capability of the deployed solutions and tune them based on the results of the simulation.
(The author is the Chief Information Security Officer at NPCI)
Disclaimer: The opinions expressed in this article are those of the author’s and do not necessarily reflect the views of NPCI