Nick Le Mesurier, Security Consultant
10 mins read
Although DDoS attacks are not a direct threat to the security of sensitive information stored within an organization, they can cripple critical systems whose availability is relied upon to conduct key business initiatives. The threat has become ever more concerning as governments and criminal organizations generate the resources and capabilities necessary to carry out sophisticated, multi-faceted denial of service attacks.
Akamai’s recent State of the Internet Report observes a 54% increase in denial of service attacks across their networks between the first and second quarters of 2013. The report highlights that, “There is a very real possibility this trend will continue”. Akamai also identifies that ports 80 and 443, typically used to host web applications, have become the most popular ports for attackers to target. Arbor Networks observed similar trends in their third quarter review; in particular, they note a “very rapid growth in the average attack size in 2013”. This is supported by the data graphed below, showing the increase in the average size of DDoS attacks over the last four years. An interesting aspect of this graph is the rapid growth in attack volume seen this year, highlighting the rate at which malicious actors are increasing their DDoS capabilities.
What we are observing is an increase in both the size and complexity of attacks. Both of these traits must be considered if we are to develop effective defences in the modern threat landscape. On the one hand we must be able to mitigate the sheer amount of ingress traffic that will appear under a DDoS attack; on the other hand we must be able to distinguish legitimate influxes of traffic from malicious floods and apply effective filtering mechanisms.
DDoS attacks have traditionally focused on the consumption of network bandwidth along with the abuse of layer 4 protocols. UDP, ICMP and SYN floods are examples of DDoS attacks that use transport layer protocols. SYN floods are among the most commonly used traditional attacks and are of particular interest as they have been utilized by activist groups using tools such as Brobot and the Low Orbit Ion Cannon (LOIC). SYN floods exploit the behavior of computer systems as they attempt to connect to one another using the TCP three-way handshake.
The TCP protocol states that if a client wishes to connect to a server it must first send a packet known as a SYN request. The server should then respond with a SYN/ACK packet and wait for the client to acknowledge the connection with a final ACK packet. Whilst the server is waiting for the response, the connection remains in a half-open state, typically for a period of 75 seconds. Half-open connections are held by the server in a finite memory space which, if exhausted, causes further connection requests to be dropped. During a DDoS SYN flood attack, SYN packets are sent from a number of computers distributed across the internet to a single target server, initiating the first stage of a TCP three-way handshake. Often each packet carries a spoofed, random source IP address, so that the response is sent there instead of to the real sender. The server will respond by sending a SYN/ACK packet to each IP address it believes is initiating a request; however, the final acknowledgement will never be returned. The target server is left with many connections in a half-open state as it is forced to handle many unresponsive connection requests.
By inundating the target with SYN requests it is very easy to exhaust the memory used to handle the connections, causing all subsequent requests to be dropped. Whilst SYN floods are very powerful and still relevant, their use is becoming less widespread as automated defence systems have been designed and are being implemented by organizations wishing to mitigate DDoS attacks against their networks. Current anti-DDoS solutions are effective at handling transport layer attacks. Akamai, for example, did not analyze SYN floods, UDP floods or other transport layer volumetric attacks, as they were automatically mitigated and absorbed by their systems.
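The half-open backlog described above is visible from the server itself. The following is an added example (not code from the original article) that reads connection-state lines in the layout printed by `ss -tan` on Linux, counts SYN-RECV entries per listening port, and flags ports where a large backlog comes almost entirely from distinct peers, which is what randomly spoofed sources look like. The sample output and the thresholds are constructed for illustration.

```python
# Added example (not from the original article): summarise half-open
# (SYN-RECV) TCP connections per listening port from `ss -tan` style
# output on Linux. A spoofed-source SYN flood leaves a large backlog in
# which almost every half-open entry has a different peer address.
# The sample lines and the thresholds below are constructed/assumed.
from collections import defaultdict

SAMPLE_SS_OUTPUT = """\
State     Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB     0      0      10.0.0.5:443        198.51.100.7:51822
ESTAB     0      0      10.0.0.5:443        198.51.100.9:40211
SYN-RECV  0      0      10.0.0.5:80         203.0.113.14:3321
SYN-RECV  0      0      10.0.0.5:80         203.0.113.77:3322
SYN-RECV  0      0      10.0.0.5:80         192.0.2.201:3323
SYN-RECV  0      0      10.0.0.5:80         192.0.2.8:3324
SYN-RECV  0      0      10.0.0.5:80         198.18.4.4:3325
SYN-RECV  0      0      10.0.0.5:80         198.18.9.6:3326
SYN-RECV  0      0      10.0.0.5:443        198.51.100.10:52000
"""

def parse_ss(text):
    """Yield (state, local_port, peer_ip) for each connection line."""
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        state, local, peer = fields[0], fields[3], fields[4]
        yield state, int(local.rsplit(":", 1)[1]), peer.rsplit(":", 1)[0]

def half_open_summary(text):
    """Return {port: (half_open, distinct_half_open_peers, established)}."""
    half_open, established = defaultdict(list), defaultdict(int)
    for state, port, peer in parse_ss(text):
        if state == "SYN-RECV":
            half_open[port].append(peer)
        elif state == "ESTAB":
            established[port] += 1
    return {p: (len(half_open[p]), len(set(half_open[p])), established[p])
            for p in set(half_open) | set(established)}

def suspicious_ports(text, min_half_open=5, min_distinct_ratio=0.9):
    """Ports whose backlog is above the threshold and comes from (almost)
    all-distinct peers, the signature of randomly spoofed SYN sources."""
    flagged = []
    for port, (n, distinct, _) in half_open_summary(text).items():
        if n >= min_half_open and distinct >= min_distinct_ratio * n:
            flagged.append(port)
    return sorted(flagged)
```

On a live host the text would come from running `ss -tan`; the same counters can be fed to a monitoring system so that a rising SYN-RECV backlog triggers an alert before the queue is exhausted.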
A new class of denial of service attacks known as Distributed Reflective Denial of Service (DrDoS) is increasing in popularity as malicious actors find ways to reflect and amplify traffic off misconfigured public servers across the internet. DDoS attacks can be amplified to dramatically increase the amount of traffic they can direct towards a target. Amplification techniques have evolved from using low level protocols such as ICMP to higher level protocols such as DNS. The Smurf attack, for example, sends ICMP echo requests to the broadcast address of a misconfigured network so that every computer connected to that network receives them. The source IP address defined in each echo request is spoofed to that of the target server, causing each computer on the vulnerable network to send an ICMP echo response to this address. By allowing broadcast requests to be forwarded onto its network, the edge router in this scenario amplifies a single request by a factor equal to the number of computers on its internal network. Attacks have since been developed that operate in a similar fashion, although this family of attacks is again being defended against.
Layer 7 protocols are now being used to achieve traffic amplification. The DNS protocol is a perfect example of a layer 7 protocol being used in such a way. DNS requests operate over UDP and so do not require an underlying connection to be maintained. When a DNS resolver receives a DNS request, it processes it and returns the response to the source address given in the request. This address can be spoofed to that of a target server. As DNS requests are generally much smaller than their responses, a small amount of request traffic can generate a very large amount of response traffic. A DDoS attack can utilize this to reflect its traffic off misconfigured DNS resolvers and onto target networks, amplifying it in the process.
In the last few months, analysts have begun to see an increase in the number of DDoS amplification attacks that utilize the CHARGEN protocol. CHARGEN is a UDP based protocol, meaning that, as with DNS based amplification, the source address of a request can be easily spoofed so that the reply is delivered to a chosen destination. Interestingly, even though this obscure protocol is rarely used legitimately, there are estimated to be over 100,000 exploitable CHARGEN servers currently on the internet, and recent activity shows an increase in the number of CHARGEN based DrDoS attacks. CHARGEN listens on port 19 and, upon receiving a request, will simply return a random amount of data between 0 and 512 bytes in length. This functionality can be abused by sending requests with no data at all whose spoofed source address tells the CHARGEN server to send its response to a target server. This exemplifies the need for network administrators to ensure unused and outdated services are cleaned from their networks. In the last year alone, amplification attacks have increased by 265%. As you can see, modern denial of service attacks are relying less on exploiting transport layer protocols and more on opportunities at the application layer.
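From the victim's side, reflected DNS and CHARGEN traffic has one tell-tale property: replies arrive from a server's service port without any local host having sent it a request. The following added example (not from the original article) applies that check to UDP flow records, pairing outbound requests with the replies they should produce and summing the unsolicited bytes per victim and service; the flow records, the local network range and the matching window are constructed assumptions.

```python
# Added example (not from the original article): flag reflected UDP
# responses from DNS (port 53) and CHARGEN (port 19) in flow records.
# A reply from a reflector's service port is only legitimate if a local
# host sent a request to that reflector shortly before; spoofed-source
# amplification delivers replies nobody on the local network asked for.
# Flow records, the local network and the window are constructed/assumed.
from collections import defaultdict
from ipaddress import ip_address, ip_network

LOCAL_NET = ip_network("10.0.0.0/24")      # assumed protected network
REFLECTIVE_PORTS = {19: "chargen", 53: "dns"}
WINDOW_SECONDS = 5.0                       # assumed request/reply window

# UDP flows as (timestamp, src_ip, src_port, dst_ip, dst_port, bytes)
SAMPLE_FLOWS = [
    (100.0, "10.0.0.8", 40001, "198.51.100.53", 53, 60),   # our DNS query
    (100.1, "198.51.100.53", 53, "10.0.0.8", 40001, 120),  # its answer
    (101.0, "203.0.113.9", 53, "10.0.0.20", 4444, 3200),   # unsolicited
    (101.0, "203.0.113.10", 53, "10.0.0.20", 4444, 3100),  # unsolicited
    (101.2, "192.0.2.77", 19, "10.0.0.20", 4444, 500),     # unsolicited
    (101.3, "192.0.2.78", 19, "10.0.0.20", 4444, 480),     # unsolicited
]

def reflected_traffic(flows, local_net=LOCAL_NET, window=WINDOW_SECONDS):
    """Return {(victim_ip, service): (unsolicited_bytes, reflector_count)}."""
    pending = {}             # outbound requests keyed by the reply we expect
    hits = defaultdict(lambda: [0, set()])
    for ts, src, sport, dst, dport, nbytes in sorted(flows):
        if ip_address(src) in local_net and dport in REFLECTIVE_PORTS:
            pending[(dst, dport, src, sport)] = ts
        elif ip_address(dst) in local_net and sport in REFLECTIVE_PORTS:
            sent = pending.pop((src, sport, dst, dport), None)
            if sent is None or ts - sent > window:
                entry = hits[(dst, REFLECTIVE_PORTS[sport])]
                entry[0] += nbytes
                entry[1].add(src)
    return {k: (v[0], len(v[1])) for k, v in hits.items()}
```

The reflector count matters as much as the byte total: a handful of unsolicited replies may be a misrouted packet, whereas many distinct reflectors all targeting one host points to a DrDoS attack in progress.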
A search of the CVE vulnerability database returns over 12,000 publicly disclosed denial of service vulnerabilities using application layer protocols. Prolexic’s 2013 third quarter DDoS report highlights a 101% increase in the number of layer 7 exploits used in DDoS attacks compared with the same time last year. Layer 7 attacks are harder to distinguish from normal traffic because the underlying UDP and TCP connections are established legitimately. Layer 7 attacks also require fewer connections and are therefore more efficient. With many bespoke applications being deployed within organizations, it is important to identify whether or not they can be exploited to achieve a denial of service. Web servers have been targeted by layer 7 attacks exploiting mechanisms in the handling of HTTP requests. Recent versions of the Apache web server are vulnerable to attacks of this nature, in which a single computer can cause a denial of service. This kind of attack is very direct: it does not consume network bandwidth, so other services running on the target’s network will still be available. The attack uses fragmented requests to keep many connections open simultaneously, eventually holding all available connections to the server. The attacker sends only a partial HTTP request to the server; fragments of the remaining request are then sent incrementally, keeping the connection alive. As long as the full request is never completed, the connection will never be closed and made available to other users. The server only has enough available memory to maintain a finite number of simultaneous connections.
This fact is exploited to consume all available connections and deny service to legitimate users. The attack has been understood for many years, but only recently became popular through the distribution of tools such as Slowloris, which were used during the Iranian revolution to deny service to a number of government websites, whilst keeping traffic to a minimum so as not to disrupt Iranian networks as a whole. Attacks such as these can also be run through anonymizing networks, masking the true identity of the traffic’s source.
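The usual defence against the partial-request attack described above is to stop waiting indefinitely for a header to finish: give each connection a fixed allowance, extend it only in proportion to the data actually received, and cap the total. The following is an added example (not Apache's code) that models that minimum-data-rate policy, in the spirit of the approach Apache's mod_reqtimeout module takes, and runs it over three constructed connection traces; the timeout values are assumed tuning parameters.

```python
# Added example (not Apache's code): a minimum-data-rate policy for reading
# an HTTP request header, modelled on the approach of Apache's mod_reqtimeout.
# A connection gets an initial allowance to finish its header; every byte
# received earns extra time up to a hard cap, so a client trickling a few
# bytes at a time is dropped while a slow but genuine client still finishes.
# Timeouts and the connection traces below are constructed/assumed values.

INITIAL_TIMEOUT = 20.0   # seconds allowed before the first deadline
MAX_TIMEOUT = 40.0       # hard cap on total time to read the header
MIN_RATE = 500           # bytes a client must send to earn one extra second

def header_read_outcome(events, initial=INITIAL_TIMEOUT, cap=MAX_TIMEOUT,
                        min_rate=MIN_RATE):
    """events: [(seconds_since_accept, chunk_bytes), ...] in time order.
    Returns ("complete", t) once the blank line ending the header arrives
    before the deadline, else ("dropped", deadline)."""
    deadline, buf = initial, b""
    for t, chunk in events:
        if t > deadline:                     # client missed its deadline
            return ("dropped", deadline)
        buf += chunk
        deadline = min(cap, initial + len(buf) // min_rate)
        if b"\r\n\r\n" in buf:               # header terminator received
            return ("complete", t)
    return ("dropped", deadline)             # header never completed

# A trickle that keeps the connection open with one header line every 10 s
SLOW_TRICKLE = [(0.0, b"GET / HTTP/1.1\r\nHost: example.test\r\n")] + \
               [(10.0 * i, b"X-a: b\r\n") for i in range(1, 10)]
# A normal client sends the whole header at once
NORMAL = [(0.5, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")]
# A slow but real client sends 1200 bytes of cookie, then finishes at 22 s
LARGE_SLOW = [(1.0, b"GET / HTTP/1.1\r\nCookie: " + b"x" * 1200 + b"\r\n"),
              (22.0, b"\r\n")]
```

With these values the trickle loses its connection slot at 20 s regardless of how long it keeps sending, while the large-but-slow client completes only because the 1200 bytes it sent earned it two extra seconds.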
It is evident that denial of service attacks are becoming more sophisticated. As mitigation techniques improve, so too do the methods attackers use to get around them. When assessing the threat of denial of service attacks to an organization, it is important to be aware of the latest exploits being used. Amplification techniques are only now beginning to be used to generate record breaking volumetric attacks. These techniques must be understood as they continue to evolve. As the denial of service attack surface continues to expand, we are tasked with constantly adjusting our approaches to mitigation. Organizations that rely on technology to maintain critical aspects of their business now understand that the threat denial of service attacks pose is ever increasing. As denial of service attacks are often used in conjunction with more targeted attacks, their presence may also serve as an indication that the business as a whole is being targeted. If the availability of services is of paramount importance to the operation of your business, then denial of service remediation should be a key consideration in improving your company’s security posture.