Mitigating Malicious Attacks that Interrupt Network Services — Distributed Denial of Service (DDoS)

Attacks on networks are happening daily around the world and network operators need to protect their networks from attempts to disrupt their services. A DDoS attack is a malicious attempt from multiple sources to make a server or network resource unavailable to its intended users. It is achieved by saturating memory, processors or network bandwidth which results in a temporary or indefinite interruption or suspension of services to the legitimate users.

Attackers gain control of a possibly large number of end hosts and launch a DDoS attack from them concurrently. Because of the distributed nature of such attacks, firewalls are not suitable for DDoS protection. In fact, the new generation of stateful firewalls can itself be a target and victim of stateful (state-exhaustion) DDoS attacks, causing the whole network behind the firewall to become inaccessible (we discuss stateful attacks later on).

Before going into the details of DDoS, we clarify the following terms:

Attacker: The system(s) launching the DDoS attack from multiple end nodes.

Malicious users: Refers to end nodes which have been hacked and are remotely controlled by attackers. Usually attackers try to infect the end nodes with some malware to gain control of the end nodes and launch attacks from there.

Legitimate users: Refers to non-malicious end nodes that require services from a network node under DDoS attack.

Victim: The targeted network nodes, e.g. DNS servers, webservers, firewalls, etc.

Botnet: A network of zombie computers programmed to receive commands without the owners’ knowledge.

Main types of DDoS attacks:

Volumetric attack
Attackers generate a large volume of traffic (possibly above 100 Gbps), which can saturate network bandwidth or overload the memory and CPU of hosts or network elements. Defending against volumetric attacks is made harder in two ways: first, when the attackers forge the source IP addresses (e.g. in TCP SYN attacks, see below); second, when a large botnet is created and used to launch the volumetric attack from inside the subnet.

Application-level attack
This type of attack happens at the application layer of the OSI seven-layer reference model. An application-level attack does not require a high traffic volume. It sends “smart requests” that cause the target to spend a lot of CPU power, memory and/or network bandwidth to process and respond to the malicious requests. For example, a request for a non-existent file on a webserver can force the target to perform an extensive disk search. In a second example, an HTTP request for a large file can consume large amounts of memory buffers. Another example is a web-application request for a summary report of one year’s account transactions at a bank, which causes a lot of processing in the backend database server.

State-exhaustion attack
Attackers can utilize the stateful processing of layer 3 and layer 4 protocols to saturate the memory of the nodes. Examples are Slowloris attacks or Ping of Death attacks (see below).

Zero-day attacks
A Zero-day attack can be defined as any previously unseen type of DDoS attack that common methods of protection may not be capable of handling because there is no known signature (behavior and traffic patterns) available to the DDoS protection system. An adaptive DDoS protection system should have a way to detect and react to such zero-day attacks.

Multi-vector DDoS attacks
Attackers do not use a single type but use multiple types of DDoS attacks at the same time. That makes the detection and mitigation of the attacks much more difficult.

Well-known DDoS attacks

TCP SYN Flood Attack (volumetric attacks)
A classic example of a DDoS attack is the TCP SYN flood combined with IP spoofing. It can be launched from a single node by sending TCP SYN requests with spoofed source IP addresses. Since current Internet routing protocols only take the destination address into account, spoofed packets with random source IP addresses have no difficulty reaching the destination node. The node allocates memory structures to accommodate the future flow to be opened by each TCP SYN packet. A high number of TCP SYN packets exhausts memory and crashes the server.

Reflection and amplification DDoS attacks (volumetric attacks)
Let us start with DNS reflection and amplification attacks. Since the DNS protocol is based on the connectionless UDP transport protocol, an attacker can send a DNS request without establishing a connection. The DNS request has a forged source IP address, which is the IP address of the victim. The DNS server responds to the request with a DNS response sent to the forged IP address. The victim thus receives DNS responses without having sent DNS requests. The attackers can increase the DNS response traffic by increasing the rate of DNS requests and by using specific requests that result in a larger response size (the name “DNS amplification” comes from the large response size). For example, a DNS ANY request of 64 bytes will result in a 512-byte DNS response.

Other reflection and amplification attacks exist and work the same way as the DNS one. Examples are NTP, SSDP, BitTorrent, RIPv1, mDNS, CharGEN, QOTD, SNMP, NetBIOS Name Server and RPC port map (Open Network), Sentinel (a license server) reflection and amplification attacks.
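A victim-side check for the unsolicited responses described above, added here as an example (it is not code from the original article): DNS responses arriving from a resolver to which the protected host never sent a matching query are attributed to that reflector. The packet records and IP addresses are constructed.

```python
from collections import defaultdict

# Constructed packet records as seen at the protected host's network edge (not real captures).
# Fields: direction ("out"/"in"), src IP, dst IP, src port, dst port, DNS transaction ID, bytes.
PACKETS = [
    ("out", "203.0.113.10", "198.51.100.53", 40001, 53, 0x1A2B, 64),   # legitimate query
    ("in",  "198.51.100.53", "203.0.113.10", 53, 40001, 0x1A2B, 180),  # matching answer
    ("in",  "198.51.100.7",  "203.0.113.10", 53, 40002, 0x0001, 512),  # never requested
    ("in",  "198.51.100.7",  "203.0.113.10", 53, 40003, 0x0002, 512),
    ("in",  "198.51.100.9",  "203.0.113.10", 53, 40004, 0x0003, 512),
    ("in",  "198.51.100.9",  "203.0.113.10", 53, 40005, 0x0004, 512),
    ("in",  "198.51.100.9",  "203.0.113.10", 53, 40006, 0x0005, 512),
]


def find_reflectors(packets, min_unsolicited_bytes=1024):
    """Return {reflector_ip: unsolicited bytes} for sources whose DNS responses
    never matched an outbound query from the protected host."""
    pending = set()            # (resolver, our source port, txid) of queries we really sent
    unsolicited = defaultdict(int)
    for direction, src, dst, sport, dport, txid, size in packets:
        if direction == "out" and dport == 53:
            pending.add((dst, sport, txid))
        elif direction == "in" and sport == 53:
            key = (src, dport, txid)
            if key in pending:
                pending.discard(key)       # answer to a query we sent
            else:
                unsolicited[src] += size   # reflected response we never asked for
    return {ip: b for ip, b in unsolicited.items() if b >= min_unsolicited_bytes}
```

The byte threshold keeps a single stray or late response from being flagged; a real detector would also expire entries in `pending` after the resolver timeout.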

Peer-to-peer DDoS attacks (Volumetric attacks)
In the case of Peer-to-peer DDoS attacks, the file sharing traffic is routed to the victim’s server.

Slowloris DDoS attacks (State-exhaustion attacks)
The attackers open as many HTTP connections as possible. Then they try to keep the connections open by slowly sending partial requests. This way they can keep the established HTTP connections open while they do not need to send high volume traffic.

Nuke or Ping of Death DDoS attacks (State-exhaustion attacks)
Attackers send corrupt, large, fragmented ICMP packets to the victim. The large ICMP packets are reassembled on the victim side, which requires a large number of buffers for reassembling the IP fragments. The attackers can also manipulate the fragments so that the reassembly on the victim’s system keeps holding the buffers until the timeout happens. The purpose is to keep the memory buffers in use as long as possible so that memory is not available for other connections.

How to detect DDoS attacks
DDoS attacks need to be detected and actions need to be taken to mitigate them. Every DDoS protection system makes some false positive or false negative decisions about legitimate users or attackers. False positive decisions prevent legitimate users from accessing the service and have negative business impacts.

Active mechanisms are often used to help DDoS protection systems differentiate legitimate users from attackers. Examples are CAPTCHA tests to mitigate webserver attacks or RST cookies to fight TCP SYN flood attacks (we discuss those methods later). These active mechanisms cause inconvenience to legitimate users.

A DDoS detection mechanism needs to decide whether a network is under a DDoS attack and, based on that, which mitigation actions will be taken. When no attack is detected, no action is taken, so as to avoid false decisions and the cost of active mechanisms.

DDoS detection can use the following mechanisms for the decision:

  • Rate-based detection: if the rate of a certain type of traffic to a node exceeds a predefined threshold, the node is considered to be under DDoS attack. Rate measurement can be done in the DDoS detection system or by processing flow information sent by nodes, routers and switches using protocols such as NetFlow, sFlow, etc.
  • Memory and CPU usage at end nodes: DDoS detection systems can query and monitor the resource utilization of the nodes under protection using network management protocols such as SNMP, or monitoring software such as Nagios.
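Rate-based detection over flow records, added here as an example (not code from the article or from Northforge): flows exported for a protected host are bucketed per one-second window, and an alert is raised when the packet or byte rate exceeds a threshold, or when nearly all TCP flows in the window are SYN-only, the half-open pattern left by a spoofed SYN flood. The NetFlow-style records, thresholds and addresses are constructed.

```python
from collections import defaultdict

# Constructed flow records, shaped like what a NetFlow/sFlow collector receives (not real exports).
# Fields: end time (s), src IP, dst IP, protocol, packets, bytes, TCP flags seen in the flow.
FLOWS = [
    (100.2, "192.0.2.1", "203.0.113.10", "tcp", 40, 24000, "SAPF"),   # ordinary sessions
    (100.5, "192.0.2.2", "203.0.113.10", "tcp", 35, 21000, "SAPF"),
] + [
    # second 101: 300 one-packet flows from varying sources, each only a SYN, never completed
    (101.0 + i / 1000, f"198.51.100.{i % 250}", "203.0.113.10", "tcp", 1, 60, "S")
    for i in range(300)
]


def rate_alerts(flows, window=1.0, pps_limit=200, bps_limit=50_000_000, syn_ratio=0.8):
    """Bucket flows per (destination, window) and return (dst, window_start, reasons)
    for windows whose packet rate, bit rate or SYN-only share crosses a threshold."""
    buckets = defaultdict(lambda: {"pkts": 0, "bytes": 0, "tcp": 0, "syn_only": 0})
    for ts, _src, dst, proto, pkts, nbytes, flags in flows:
        b = buckets[(dst, int(ts // window))]
        b["pkts"] += pkts
        b["bytes"] += nbytes
        if proto == "tcp":
            b["tcp"] += 1
            if flags == "S":           # SYN seen, no ACK/data: half-open connection
                b["syn_only"] += 1
    alerts = []
    for (dst, slot), b in sorted(buckets.items()):
        reasons = []
        if b["pkts"] / window > pps_limit:
            reasons.append("pps")
        if b["bytes"] * 8 / window > bps_limit:
            reasons.append("bps")
        # require a minimum sample so a handful of retries is not called a flood
        if b["tcp"] >= 50 and b["syn_only"] / b["tcp"] >= syn_ratio:
            reasons.append("syn_flood")
        if reasons:
            alerts.append((dst, slot * window, reasons))
    return alerts
```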


How to mitigate DDoS attacks
There is no efficient single mitigation technique for all types of DDoS attacks. Each type of attack requires a different mitigation technique or a combination of mitigation techniques.

TCP SYN flood attack: the DDoS protection system intercepts the SYN packet and does not forward it to the targeted node; instead it sends a SYN-ACK message with a cookie value. If the sender responds with an ACK carrying the same cookie value, the sender is considered a legitimate user and its next TCP connection establishment attempt is allowed.
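One way to implement the cookie check just described, added here as an example (not the article's or any vendor's code): the cookie is derived from the connection 5-tuple and a coarse time slot with a keyed hash, so nothing is stored until a valid ACK arrives, and a spoofed SYN, whose forged source never sees the SYN-ACK, costs the protection system no memory. The 8-bit slot / 24-bit HMAC-SHA256 layout, the secret and the addresses are assumptions made for this example.

```python
import hashlib
import hmac
import time

SECRET = b"example-only-rotate-in-production"   # constructed key; rotate it in practice
SLOT_SECONDS = 64   # a cookie is accepted for the current and the previous slot


def _mac(src, sport, dst, dport, slot):
    msg = f"{src}:{sport}>{dst}:{dport}|{slot}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src, sport, dst, dport, now=None):
    """Sequence number for the SYN-ACK: 8 bits of time slot + 24 bits of keyed hash.
    No per-connection state is kept for the SYN."""
    slot = int((now if now is not None else time.time()) // SLOT_SECONDS)
    return ((slot & 0xFF) << 24) | _mac(src, sport, dst, dport, slot)


def check_ack(src, sport, dst, dport, ack_num, now=None):
    """True if the ACK carries cookie+1 for a recent slot; only then allocate state."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    slot_bits, mac = cookie >> 24, cookie & 0xFFFFFF
    cur = int((now if now is not None else time.time()) // SLOT_SECONDS)
    for slot in (cur, cur - 1):
        expected = _mac(src, sport, dst, dport, slot)
        if (slot & 0xFF) == slot_bits and hmac.compare_digest(
                mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
            return True
    return False


def handshake(client, server, now, spoofed=False):
    """Simulate the exchange: SYN in, SYN-ACK with cookie out, ACK back only from a real sender."""
    src, sport = client
    dst, dport = server
    cookie = make_cookie(src, sport, dst, dport, now)      # SYN-ACK seq = cookie
    if spoofed:
        return False   # the forged source never receives the SYN-ACK, so no ACK arrives
    return check_ack(src, sport, dst, dport, cookie + 1, now)   # ACK number = cookie + 1
```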

Volumetric attacks: A UDP-based reflection and amplification attack can be mitigated by putting a rate limit on the traffic coming to the node under attack.

Web application attacks: These attacks can be mitigated by turning on a CAPTCHA challenge. Legitimate users are those who can solve the challenge. The drawback is that the CAPTCHA is often not welcomed by end users and could have a negative impact on the business offering the services (such as banking or P2P services). The DDoS mitigation system can use an IP reputation list or build its own blacklist and whitelist by gradually observing user behavior and analyzing related statistics of user traffic. The DDoS mitigation system can also block all or part of the traffic from certain geographical areas, depending on the priority of the customers targeted by the service under protection. This method is not effective if the attack is dispersed across different geographical areas, and it is not suitable for international businesses.

Needs and challenges of DDoS attacks
DDoS attacks are becoming more and more prevalent and are growing in size. Reports from Akamai, Arbor Networks and Verisign indicate attacks in 2014 and 2015 with peak traffic volumes above 100 Gbps and above 100 Mpps. The biggest DDoS attack in history [1] occurred at the beginning of 2016. It targeted the BBC with an estimated rate of 602 Gbps, almost twice the rate of the largest DDoS attack Arbor Networks reported in 2015.

With the introduction of cloud computing and the Internet of Things (IoT), attackers can gain control of large numbers of virtual machines and launch DDoS attacks from them.

DDoS protection systems have become an important security appliance for avoiding service disruption and preventing loss of revenue. A report from Digicert [2] indicates that DDoS attacks cost 40% of businesses at least $100,000 for every hour of downtime.

Northforge Innovations identifies two key challenges for a DDoS protection system: first, the ability to handle large amounts of traffic; second, the ability to mitigate zero-day attacks. To address the first challenge, Northforge employs disrupted/optimized data-path processing and DPI techniques. The second challenge is met through the implementation of user-behavior analysis techniques.


[1] http://www.csoonline.com/article/3020292/cyber-attacks-espionage/ddos-attack-on-bbc-may-have-been-biggest-in-history.html

[2] https://blog.digicert.com/ddos-trends-predictions-for-2016/