The stakes have been raised even higher as organizations prepare for three new methods of DDoS attack that have emerged in the last six months alone. The reflective/amplified category of DDoS attack has been around for nearly four years, but once again attackers are finding new ways of launching assaults within this category. Below is a diagram of the various categories of DDoS attack; the three new methods fall into the second category, Reflective/Amplified DDoS.
By now most people who work in network security, engineering, and support understand how reflective DDoS attacks work. All an attacker needs to do is first understand how various protocols operate, then build a list of the IP addresses of devices that expose those protocols and are freely reachable by anyone on the Internet.
For example, if an attacker suspected that the Network Time Protocol (NTP) could be used for a reflective/amplified DDoS attack, the attacker would first test that hypothesis in a lab environment to understand how the attack operates. Once convinced that the protocol provides a reflective component and amplifies the return traffic, the attacker next builds a list of open NTP servers, which could number in the millions. The attacker then finds the victim's IP address and, using a botnet, spoofs the victim's IP address as the source. The botnet-infected machines are directed through command and control to query the open NTP servers. The NTP servers reply with large responses, the responses are delivered to the victim because of the spoofing, and the attacker takes the victim offline. As a matter of fact, US-CERT (as I have blogged about in the past) published an advisory in 2014 listing a group of protocols that could be used in this style of attack, and the list continues to grow.
In early 2015 the IT community received notification of a new method of reflective/amplified DDoS attack using MS SQL. In this case, as in others, attackers use automated scripts to scan the Internet, attempting to find as many servers as possible that have port 1434 open to the Internet. They then use these servers in the same fashion as the NTP example above.
In August, a research paper on BitTorrent proved that it, too, could be abused as a threat using the same method described above. Also in August, another method was discovered using Portmapper (a.k.a. RPCbind, portmap or RPC Portmapper), and the list keeps getting longer. Today we can add three more protocols to the list.
- BitTorrent (now proven)
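The pattern described above, many reflectors answering a spoofed source, shows up at a provider's subscriber edge as large UDP packets arriving from many distinct hosts on one well-known service port and converging on a single destination. The following detector is an added example written for this post, not the author's or any vendor's code; it runs over constructed flow records. The NTP (123/udp), Portmapper (111/udp) and MS SQL browser (1434/udp) ports are the standard ones; 6881/udp for BitTorrent is an assumption, since real clients use many ports.

```python
from collections import defaultdict

# Service ports commonly abused as reflectors. 6881 for BitTorrent is an
# assumption for this example; the others are the well-known service ports.
REFLECTOR_PORTS = {123: "NTP", 111: "Portmapper", 1434: "MS-SQL", 6881: "BitTorrent"}

# Constructed flow records as seen at the subscriber edge, reflector -> victim:
# (src_ip, src_port, dst_ip, dst_port, packets, bytes)
FLOWS = [
    ("198.51.100.10", 123, "203.0.113.5", 40000, 10, 4800),   # NTP reflector
    ("198.51.100.11", 123, "203.0.113.5", 40000, 12, 5760),   # NTP reflector
    ("198.51.100.12", 123, "203.0.113.5", 40000, 8, 3840),    # NTP reflector
    ("198.51.100.13", 123, "203.0.113.5", 40000, 20, 9600),   # NTP reflector
    ("198.51.100.20", 111, "203.0.113.5", 40000, 5, 2500),    # only two Portmapper
    ("198.51.100.21", 111, "203.0.113.5", 40000, 5, 2500),    # sources: below threshold
    ("198.51.100.30", 1434, "203.0.113.8", 1234, 4, 2400),    # MS SQL reflector
    ("198.51.100.31", 1434, "203.0.113.8", 1234, 4, 2400),    # MS SQL reflector
    ("198.51.100.32", 1434, "203.0.113.8", 1234, 2, 1200),    # MS SQL reflector
    ("198.51.100.40", 123, "203.0.113.9", 123, 1, 90),        # normal NTP reply
    ("192.0.2.7", 53, "203.0.113.9", 5555, 1, 80),            # DNS, not in the port list
]


def amplification_alerts(flows, min_reflectors=3, min_avg_bytes=400):
    """Group flows by (victim, reflector port) and alert when many distinct
    reflectors send large packets to one destination. Thresholds are tunable:
    min_reflectors guards against a single busy server, min_avg_bytes against
    ordinary small replies such as a normal NTP time response."""
    groups = defaultdict(lambda: {"srcs": set(), "pkts": 0, "bytes": 0})
    for src, sport, dst, _dport, pkts, nbytes in flows:
        if sport not in REFLECTOR_PORTS:
            continue
        g = groups[(dst, sport)]
        g["srcs"].add(src)
        g["pkts"] += pkts
        g["bytes"] += nbytes
    alerts = []
    for (dst, sport), g in groups.items():
        avg = g["bytes"] / g["pkts"]
        if len(g["srcs"]) >= min_reflectors and avg >= min_avg_bytes:
            alerts.append({"victim": dst, "protocol": REFLECTOR_PORTS[sport],
                           "reflectors": len(g["srcs"]), "avg_bytes": round(avg),
                           "total_bytes": g["bytes"]})
    # Largest volume first, so the most urgent victim is listed first.
    return sorted(alerts, key=lambda a: a["total_bytes"], reverse=True)


if __name__ == "__main__":
    for alert in amplification_alerts(FLOWS):
        print(alert)
```

On the constructed records this flags the NTP flood toward 203.0.113.5 and the MS SQL flood toward 203.0.113.8, while the two-source Portmapper traffic and the single small NTP reply stay quiet.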
DARPA to the Rescue
On August 14th the U.S. Defense Advanced Research Projects Agency (DARPA) announced an initiative called Extreme DDoS Defense (XD3). DDoS attacks are a serious threat not only to ISPs, hosting providers, cloud providers, and the online enterprise; DARPA now views DDoS as a serious threat to national security as well. According to the initiative, “DARPA is soliciting innovative research proposals in the area of resilient defenses against distributed denial of service (DDoS) attacks on computer networks. The XD3 program aims to thwart DDoS attacks by dispersing cyber assets (physically and/or logically), disguising the characteristics and behaviors of those assets, and mitigating the attacks that still penetrate the targeted environment.” The program is set to begin on April 1, 2016 and will end in 2019. With this in mind, the industry will likely not see any tangible contributions to the DDoS defense effort from this program for at least the next three years.
Within the XD3 initiative, the announcement also states, “In general, the program aims to thwart DDoS attacks by dispersing cyber assets (physically and/or logically), disguising the characteristics and behaviors of those assets, and mitigating the attacks (especially low‐volume attacks) that still penetrate the targeted environment.” This is an interesting perspective on DDoS defense. Apparently DARPA believes that dispersing and disguising assets reduces the attacker's ability to take sites offline, which does have some merit. However, the industry also recognizes that anything with a public IPv4 or IPv6 address can become the victim of an attack.
Attackers don’t necessarily target websites to take enterprises offline; instead they often target firewalls or other downstream infrastructure, physical devices with finite capacity that cannot withstand the onslaught of a volumetric attack. Low-volume attacks, meanwhile, penetrate firewalls in almost every instance. Trying to disperse and/or disguise firewalls (which are assets in DARPA's sense) doesn’t seem to make a great deal of sense. All an attacker has to do is find the public IP addresses used in any network exposed to the Internet and flood those devices with nothing but bogus traffic.
Today’s DDoS attacks are being only marginally defeated by several methodologies, including on-premises DDoS defenses coupled with cloud-based anti-DDoS services. Many organizations are surviving the onslaught of attacks with this approach, but it falls well short of the desired capabilities. There is a better way, but it will take the service providers getting involved to finally solve this issue. Service providers are in a unique position to “profitably remove” DDoS attack traffic targeting their subscriber base, and many are moving forward with new initiatives.
Technology exists that can detect and defeat all DDoS attacks, and it can be easily deployed in service providers' networks at peering points and/or subscriber edges. The technology can be deployed in a host of different fashions, but regardless of how it is deployed, it will detect, alert on, and block any DDoS attack traffic presented to it. If today’s service providers began the widespread deployment of these newer technologies, the DDoS problem would likely fade into the history books.