Why DDoS is still a major attack vector and how to protect against it
The first massive, documented DoS-style attack occurred during the week of February 7, 2000, when “mafiaboy,” a 15-year-old Canadian hacker, orchestrated a series of DoS attacks against several e-commerce sites, including Amazon and eBay. These attacks used computers at multiple locations to overwhelm the vendors’ computers and shut down their sites to legitimate commercial traffic.
It has been 22 years since the “mafiaboy” strike, and distributed denial of service (DDoS) attacks have only gotten bigger and stronger; they still represent a major attack vector against applications, services, networks, and infrastructure.
In this blog post, I will cover the different DDoS attack vectors, why threat actors love DDoS as part of their arsenals, and some mitigation techniques to protect your organization from such attacks.
What is a DDoS attack?
Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks aren’t new cyberattack vectors; they go all the way back to the early 1970s when modern commercial and enterprise networks emerged.
DDoS is a cyberattack in which the adversary seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting the services of a host connected to a network. It doesn’t pursue private data or seek control over the target’s infrastructure; it simply aims to bring the service down.
In today’s world, specifically with COVID, which accelerated organizations’ digital transformation, web presence is a must for just about any business. In this environment, DDoS attacks can be very destructive.
Main ingredients of DDoS attacks
Ingredient # 1 – Botnet
A botnet is a group of machines infected with malware and controlled by an attacker without the knowledge of the machine owner. Its members range from ordinary home or office PCs to IoT devices. The compromised machines, called bots or ‘zombies,’ are used to launch DDoS attacks, spread spam, or perform other malicious activities orchestrated by the attacker.
One of the most infamous botnets is ‘Mirai,’ which used hundreds of thousands of hijacked IoT devices. The creators of the Mirai botnet, Josiah White, Paras Jha, and Dalton Norman, who were all between 18 and 20 years old when they built Mirai, hijacked IoT devices by scanning the Internet for devices with factory-set usernames and passwords, logging into them, and infecting them with the Mirai malware.
The Mirai botnet was used in multiple DDoS attacks between 2014 and 2016 and, when the creators felt the heat coming from the authorities, they published the Mirai source code on a hacker forum in an attempt to cover their tracks. All three were eventually indicted, pleaded guilty, and are now fighting crime with the FBI. Amazing how life turns out.
Just like we have COVID variants and mutations, Mirai also evolved and its source code mutations have been used in the wild by hackers. Okiru, Satori/Fbot, Masuta, Moobot, and more than 60 other Mirai variants are out there.
Ingredient # 2 – Command and Control
Command and control, also known as C2 or C&C, is the management or orchestration component used to control a botnet army. It’s a critical component used by adversaries to issue instructions to compromised devices, download additional malicious payloads, launch attacks, and weaponize compromised machines for different types of malicious activity, ranging from spreading spam and participating in a DDoS campaign to exfiltrating data.
The communication between compromised machines and the C2 server is difficult to detect, as it takes advantage of trusted traffic and blends in with legitimate traffic that is widely in use, such as HTTP/HTTPS or DNS.
Command and control infrastructure uses the same kinds of topologies you will find in a modern tech company, and is often built on off-the-shelf platforms like Cobalt Strike, Covenant, and PowerShell Empire. A common client/server model is used, and common topologies are:
- Star topology – Centralized hub and spoke topology using a single C2 server to communicate with the botnet. It features reliable and low-latency communication but can easily be disabled once the C2 server is taken down.
- Multi-server topology – Very similar to the star hub-and-spoke topology, except that the C2 consists of multiple interconnected servers that provide high availability and resiliency without a single point of failure.
- Hierarchical topology for multiple segments – In this topology, the botnet and the C2 are divided into multiple segments or zones, similar to virtual LAN topology. Each segment is controlled by a specific C2 server. This topology is more difficult to detect, as a single segment doesn’t have full visibility of the entire botnet network.
Ingredient # 3 – The target
Once adversaries build a botnet army and establish communication with the C2 server, they can launch a DDoS attack against any online server, service, application, or network.
All they need is the target IP address or URL to disrupt normal operations and even take it down.
DDoS attack types
Over the years, cybercriminals have developed several technical approaches for taking out online targets using DDoS that can be summarized under the following three main types of DDoS attacks:
Volumetric attacks – This classic type of DDoS attack generates a massive volume of traffic to completely saturate the bandwidth pipe, creating a traffic jam that makes it impossible for legitimate traffic to flow into or out of the targeted site. It is the simplest type of DDoS attack and is still the most common. Volumetric attacks are measured in bits per second (bps) and, in recent DDoS attacks, have reached multiple Tbps in size.
Common attack types include TCP floods, UDP floods, and ICMP floods. More information can be found in the DDoS Attack Handbook.
Another form of volumetric attack is a reflection attack, where the attacker makes use of potentially legitimate third-party components to send attack traffic to a victim, ultimately hiding the attacker’s own identity. The attacker sends packets to the reflector servers with the source IP address set to the victim’s IP, so the reflectors’ response packets indirectly overwhelm the victim. Below is an example of a reflection attack based on NTP.
The reflection method can be amplified, which brings us to another form of volumetric attack, the amplification DDoS attack: the attacker sends small requests that cause the reflector server to respond with large amounts of data, and because the source address was spoofed, those large responses are routed straight to the victim. NTP and DNS amplification attacks are both possible. In DNS amplification, a spoofed query of type “ANY” returns all known information about a DNS zone in a single response, which is sent to the victim server. Below is an example of an amplified reflection attack based on DNS.
Below you can see examples of the amplification factor per protocol:
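The reflection and amplification pattern described above shows up clearly in flow data on the victim side: one host receives near-maximum-size UDP datagrams from many unrelated servers, all sourced from the same well-known service port. The following is an added example, not code from the original post or from Allot, that scans NetFlow-style UDP records for that pattern. The flow records, the reflector-port list, and the thresholds are constructed assumptions for illustration.

```python
"""Flag candidate reflection/amplification floods in UDP flow records.

Added example (not from the original post or Allot). Flow records are
constructed inline in a NetFlow-like shape; thresholds are illustrative.
"""
from dataclasses import dataclass

# UDP services commonly abused as reflectors, keyed by their server port
# (assumed list; extend it from your own threat intelligence).
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 11211: "memcached"}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    bytes: int


# Constructed sample: forty distinct NTP servers answering a host that never
# asked them (classic reflection), plus ordinary DNS traffic as background.
SAMPLE_FLOWS = [
    Flow(f"198.51.100.{i}", 123, "203.0.113.10", 40000 + i, "udp", 50, 50 * 468)
    for i in range(1, 41)
] + [
    Flow("192.0.2.53", 53, "203.0.113.20", 51000, "udp", 3, 3 * 96),
    Flow("192.0.2.54", 53, "203.0.113.20", 51001, "udp", 2, 2 * 110),
]


def find_reflection_victims(flows, min_reflectors=20, min_avg_bytes=200):
    """Return {victim_ip: summary} for hosts hit by response traffic from many
    distinct reflector sources on the same well-known port.

    Heuristic: a legitimate client talks to a handful of resolvers or NTP
    servers and receives small answers; a reflection flood arrives from dozens
    of unrelated servers carrying large datagrams.
    """
    # (victim_ip, reflector_port) -> per-bucket counters
    buckets = {}
    for f in flows:
        if f.proto != "udp" or f.src_port not in REFLECTOR_PORTS:
            continue
        b = buckets.setdefault((f.dst_ip, f.src_port),
                               {"srcs": set(), "pkts": 0, "bytes": 0})
        b["srcs"].add(f.src_ip)
        b["pkts"] += f.packets
        b["bytes"] += f.bytes

    victims = {}
    for (victim, port), b in buckets.items():
        avg = b["bytes"] / b["pkts"] if b["pkts"] else 0
        if len(b["srcs"]) >= min_reflectors and avg >= min_avg_bytes:
            victims[victim] = {
                "service": REFLECTOR_PORTS[port],
                "reflectors": len(b["srcs"]),
                "avg_bytes": round(avg),
            }
    return victims


if __name__ == "__main__":
    for ip, info in find_reflection_victims(SAMPLE_FLOWS).items():
        print(f"{ip}: {info['service']} reflection from {info['reflectors']} "
              f"sources, {info['avg_bytes']} bytes/packet")
```

The heuristic only sees the attack once it reaches the victim; what removes the precondition for reflection in the first place is source address validation (BCP 38) at the network edge, so that packets with a spoofed source never leave the network they originate from.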
Protocol attacks – Protocol attacks target resources by eating up the processing capacity of network infrastructure resources, such as servers, firewalls, and load balancers, by targeting Layer 3 and Layer 4 protocol communications with malicious connection requests.
The measurement of protocol attacks is in packets-per-second (pps).
Typical attacks are SYN flood and TCP/UDP/ICMP fragmentation attacks. More information can be found in the DDoS Attack Handbook.
Below is an example of the still very common SYN flood attack, which exploits the TCP three-way handshake process to wreak havoc. The attack floods multiple TCP ports on the target system with SYN messages requesting to initiate a connection between the source system and the target system. The target responds with a SYN-ACK message for each SYN message it receives and temporarily opens a communications port for the requested connection while it waits for a final ACK message from the source in response to each SYN-ACK message. The attacker never sends the final ACK and therefore the connection is never completed. The temporary connection will eventually time out and be closed, but not before the target system is overwhelmed with incomplete connections accumulated in its state table.
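The state table is what a SYN flood exhausts, so the classic defence is to keep no state for half-open connections at all: the server encodes everything it needs into the initial sequence number of its SYN-ACK (a SYN cookie) and only allocates a connection when a final ACK comes back carrying a valid cookie. The following is an added example, not code from the original post or from Allot, of that stateless handshake check. It follows the classic cookie layout (5-bit time counter, 2-bit MSS index, 24-bit keyed MAC), but the secret, tick length and MSS table are assumptions chosen for illustration.

```python
"""Stateless SYN-cookie handshake: the server keeps no half-open entry.

Added example, not from the original post or Allot. The secret, tick length
and MSS table are assumptions; the bit layout mirrors classic SYN cookies.
"""
import hashlib
import hmac
import ipaddress
import struct

SECRET = b"constructed-secret-rotate-in-production"  # assumption
TICK_SECONDS = 64      # counter granularity (assumption)
MAX_AGE_TICKS = 2      # accept cookies up to roughly two minutes old
MSS_TABLE = (536, 1220, 1440, 1460)  # encodable MSS values, smallest first


def _mac(src_ip, src_port, dst_ip, dst_port, counter, mss_idx):
    """24-bit keyed MAC over the 4-tuple, the time counter and the MSS index."""
    msg = struct.pack("!4sH4sHIB",
                      ipaddress.IPv4Address(src_ip).packed, src_port,
                      ipaddress.IPv4Address(dst_ip).packed, dst_port,
                      counter, mss_idx)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(src_ip, src_port, dst_ip, dst_port, client_mss, now):
    """Initial sequence number to send in the SYN-ACK.

    Everything needed to rebuild the connection later is encoded in the
    32-bit value, so a flood of SYNs costs no per-connection memory.
    """
    counter = int(now // TICK_SECONDS)
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            mss_idx = i  # largest table value the client can accept
    mac = _mac(src_ip, src_port, dst_ip, dst_port, counter, mss_idx)
    return ((counter & 0x1F) << 27) | (mss_idx << 24) | mac


def accept_ack(ack_num, src_ip, src_port, dst_ip, dst_port, now):
    """Validate the final ACK of the handshake.

    Returns the negotiated MSS if the ACK carries a genuine, fresh cookie for
    this 4-tuple, otherwise None (the ACK is dropped without any state).
    """
    cookie = (ack_num - 1) & 0xFFFFFFFF       # ACK acknowledges ISN + 1
    top5 = cookie >> 27
    mss_idx = (cookie >> 24) & 0x3
    mac = (cookie & 0xFFFFFF).to_bytes(3, "big")
    current = int(now // TICK_SECONDS)
    # The cookie only carries the low 5 bits of the counter; try each
    # recent tick whose low bits match, then recompute the MAC for it.
    for age in range(MAX_AGE_TICKS + 1):
        counter = current - age
        if counter & 0x1F != top5:
            continue
        expected = _mac(src_ip, src_port, dst_ip, dst_port, counter, mss_idx)
        if hmac.compare_digest(mac, expected.to_bytes(3, "big")):
            return MSS_TABLE[mss_idx]
    return None


if __name__ == "__main__":
    t0 = 1_700_000_000
    isn = make_cookie("203.0.113.5", 40000, "192.0.2.80", 443, 1460, t0)
    print("fresh ACK accepted, MSS =",
          accept_ack(isn + 1, "203.0.113.5", 40000, "192.0.2.80", 443, t0 + 30))
    print("stale ACK accepted?",
          accept_ack(isn + 1, "203.0.113.5", 40000, "192.0.2.80", 443, t0 + 600))
```

The price of statelessness is that any option not encoded in the cookie (here only the MSS is) is forgotten when the connection is rebuilt; production stacks recover some options through the TCP timestamp field, and typically switch cookies on only once the SYN backlog is full rather than for every connection.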
Application attacks – Some of the more sophisticated DDoS attacks exploit weaknesses in the application Layer 7 by opening connections and initiating process and transaction requests that consume finite resources like disk space and available memory.
These attacks exploit specific vulnerabilities or weaknesses within a particular application, require far fewer resources than a volumetric attack, and are harder to spot because they mimic legitimate user behavior.
Typical application layer attacks include HTTP/S flooding, Slowloris, and Low and Slow, all of which are mostly mitigated by a Web Application Firewall (WAF).
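Because every request in an HTTP flood is well formed, nothing about an individual request gives it away; what stands out is the per-client rate, which is also what a WAF or reverse proxy enforces a limit on. The following is an added example, not code from the original post or from Allot, that finds clients exceeding a sliding-window request rate in combined-format access logs and pairs that with the per-client token-bucket limiter a proxy would apply. The log lines, window size and thresholds are constructed assumptions and need tuning per site.

```python
"""Detect an HTTP flood in access logs and rate-limit per client.

Added example, not code from the original post or from Allot. Log lines are
constructed below in Apache/nginx combined-log style; thresholds are
illustrative assumptions.
"""
import re
import time
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, unix_time, request_line) or None for non-matching lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], TS_FMT).timestamp()
    return m["ip"], ts, m["req"]


def detect_http_flood(lines, window_s=10, max_requests=100):
    """Return the set of client IPs that exceed max_requests within any
    window_s-second sliding window."""
    per_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            per_ip[parsed[0]].append(parsed[1])

    flagged = set()
    for ip, stamps in per_ip.items():
        stamps.sort()
        j = 0  # oldest timestamp still inside the window ending at stamps[i]
        for i, t in enumerate(stamps):
            while t - stamps[j] > window_s:
                j += 1
            if i - j + 1 > max_requests:
                flagged.add(ip)
                break
    return flagged


class TokenBucketLimiter:
    """Per-client token bucket: `rate` tokens per second, at most `burst` stored.

    A request consumes one token; when the bucket is empty the request is
    refused, which caps a single client's sustained rate without touching
    clients that behave normally.
    """

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.state = {}  # ip -> (tokens, last_update_time)

    def allow(self, ip, now=None):
        now = time.monotonic() if now is None else now
        tokens, last = self.state.get(ip, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1:
            self.state[ip] = (tokens - 1, now)
            return True
        self.state[ip] = (tokens, now)
        return False


# Constructed sample: one client fires 150 GETs within five seconds while two
# ordinary clients make a handful of requests.
def _line(ip, second, path):
    return (f'{ip} - - [01/Mar/2022:12:00:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 512')


SAMPLE_LOG = [_line("203.0.113.7", i % 5, "/search?q=x") for i in range(150)]
SAMPLE_LOG += [_line("198.51.100.4", 1, "/"), _line("198.51.100.4", 7, "/about"),
               _line("198.51.100.9", 3, "/")]

if __name__ == "__main__":
    print("flooding clients:", detect_http_flood(SAMPLE_LOG))
```

Slowloris and other low-and-slow attacks are the opposite case: their requests are never completed, so they rarely reach the access log at all. They are handled at the connection level, with timeouts on header and body reads and a cap on concurrent connections per client, which a WAF or reverse proxy in front of the application enforces.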
Why is it so easy to launch a DDoS attack?
Once a cybercriminal builds a botnet, he or she will probably want to monetize by offering a so-called DDoS attack “service” to others.
Nowadays, it is very easy to find online DDoS-as-a-Service or DDoS for hire services disguised as a legitimate network stresser. A simple Google search of “Booters” or “Stressers” will result in such DDoS services, which can be launched very easily for a small fee as low as $10.
Cybercriminals with malicious intentions don’t need to have any hacking skills or build their own botnets. They can easily, and with minimal risk, arrange DDoS for hire services (not even in the dark/deep web), and launch a DDoS attack from a simple browser with a few mouse clicks. (All payment is done in cryptocurrency, which can’t be traced, and some Booters/Stressers guarantee complete anonymity without log records.)
Some examples of available packages and payment forms using cryptocurrency:
How to protect against DDoS attacks
In summary, DDoS is a main attack vector used by cybercriminals. It is so easy today to launch a DDoS attack using DDoS for hire services and in most cases the adversaries will use multiple attack vectors for maximum impact. In some cases, a DDoS attack will be used as a smokescreen for other types of attacks, so security professionals need to be alert to their entire security posture before, during, and after attacks.
Allot provides state-of-the-art zero-touch autonomous DDoS attack protection with automatic detection and mitigation of DDoS attacks within seconds. As an inline always-on protection solution, Allot DDoS Secure can scale up to a capacity of Tbps, mitigating inbound DDoS attacks using NBAD – Network Based Anomaly Detection – and outbound analysis using HBAD – Host Based Anomaly Detection – to detect if a host is compromised and participating in malicious activities, such as spreading SPAM or participating in a DDoS attack campaign.
Below is a summary of Allot DDoS protection highlights: