A lot has been written and said about the DDoS for hire industry over the past few years, with major media publications recently reporting on the takedown of a popular Booter website. With all the hype surrounding this, the focus tends to be on ease of use of these malicious services, however, it is equally important to keep in perspective the effectiveness of these attacks. It is evident that attack tactics are being continuously improved in an attempt to evade the trusted mitigation methodologies typically being used for DDoS protection today.
Ever evolving threat landscape
Corero’s research and analysis division tracks the developments in attack vectors being used by such booter sites, to ensure our solution’s continued robustness against these services.
A recently observed attack vector involved attackers spoofing Google’s well known 126.96.36.199/19 address space to send a flood of TCP ACK packets to the unsuspecting victim. The idea behind this impersonation attack, is to evade mitigation strategies that take advantage of geographical IP categorization and IP reputation-based policies. As these mitigation techniques rely solely on trusting source IP addresses on face value, the attacker’s tactic is to overwhelm resources and carry out a successful denial of service whilst leveraging Google’s ‘good source’ rating.
This highlights a critical issue with devices which rely on GeoIP and IP Reputation type feeds to filter or scrub attack traffic, especially against such easy impersonation attacks. In today’s IoT driven threat landscape, such source-based protection measures are easily evaded by botnets using IP address spoofing.
Moreover, the broader challenge posed by today’s volumetric DDoS attacks requires more careful traffic analysis and deployment of smarter techniques to ensure effective mitigation.
Fallacy of source IP based mitigation strategies against volumetric DDoS
In today’s IoT derived botnet farms there exists a high risk of collateral damage when relying on source-based bad-bot or IP block lists. The rationale for this can further be described as follows:
As alluded to earlier, Corero observes many attacks where the bad actors have successfully spoofed their attack signatures to make it appear that these originate from reputable sources, in an attempt to throw any defenses off their scent.
The Mirai effect
Corero has observed that many Mirai-based attacks by default use the compromised device’s source IP information, which usually is not present in such reputation-based block lists, especially if the participating ‘bot’ is recently infected.
Update frequency and false positive
It is important to understand that most IP reputation lists are tardy in nature. Even though vendors endeavor to schedule daily updates, the odds of getting false-positives are greatly enhanced when dealing with bots which are behind some form of NAT. This is because multiple ‘good’ hosts typically share their public IP with the ‘bad’ hosts. When the public IP becomes listed as ‘bad’, the good traffic/hosts are also denied the opportunity to access desired services.
Generic Source blocking
Basing a DDoS mitigation strategy on generic lists, results in indiscriminate blocking of the source rather than the detection of actual attack vectors. Whereas, the focus should be on a solution which delivers real-time attack detection and automated mitigation.
A path to effective mitigation
The best defense strategy against volumetric DDoS attacks is always to identify the malicious nature of the traffic itself, rather than just relying on third-party historical or anecdotal reputation of the traffic source.
Corero provides a real-time, automated solution to today’s DDoS challenges, which benefits from a comprehensive analytics platform, to defeat such attacks on the network perimeter. With a focus on blocking the actual attack vectors, as opposed to using techniques which can cause false positives and other collateral damage, Corero ensures businesses remain online in the face of today’s DDoS threat.
For more information, please contact us.