Corero

How Is it Possible to Defend Against Zero-Day DDoS Attacks?

When it comes to Distributed Denial of Service (DDoS) attacks, there are many techniques and attack vectors used by cybercriminals. However, many of the terms are used interchangeably. Generally speaking, attack vectors leverage vulnerable infrastructure and services available openly on the Internet; for example, common vectors are network protocols such as SSDP (Simple Service Discovery Protocol), DNS, NTP, SNMPv2, NetBIOS, CharGEN, QOTD, BitTorrent, Kad, Quake, and Steam. A technique represents a specific type of attack; some of the common techniques are spoofing, reflection, amplification, and UDP floods. Organizations commonly have to defend against eight or more vectors in the same attack, all often deployed within the span of only a few minutes.

Black hat hackers regularly search for and find new attack vectors to weaponize for launching DDoS attacks. As their existence becomes widely known, more and more booter/stresser services include these vectors in their DDoS-for-hire attack suites. This leads to a rapid growth of the new attack vectors in the wild. While they are still unknown to cybersecurity experts, these are known as “zero-day” attacks. When that happens, government agencies and cybersecurity experts send alerts and warnings to the general business community, but often by the time the new vector is discovered operating in the wild, the hackers have done plenty of damage already. For example, in mid-2020, the US FBI warned that common network protocols like ARMS (Apple Remote Management Services), WS-DD (Web Services Dynamic Discovery), and CoAP (Constrained Application Protocol) were now being used for attacks, but Corero had already seen those operating in the wild months before that FBI alert was sent.

The challenge for defenders is that the majority of legacy DDoS mitigation solutions can’t automatically defend against zero-day vectors, because they don’t have intelligent mechanisms for blocking attacks that haven’t been seen before in the wild. Many DDoS solutions rely on rigid or historical filters, meaning an attack needs to have been seen previously to be defended against; this makes new attacks harder to detect and leaves organizations at risk. In contrast, Corero’s patented, proprietary, heuristic-based detection and mitigation mechanism, called Smart-Rules®, provides dynamic, intelligent protection by looking for behavioral indicators, as well as exact matches, in order to block attacks that haven’t been seen previously. Corero’s automated solution stops attacks in real-time even when the vector is new.

The Smart-Rules continuously inspect every packet, looking for those that exhibit specific traits, or indicators, identifying them as potentially being part of a DDoS attack. When repeated packets are seen with the same characteristics, the Smart-Rules accurately identify them as part of a DDoS attack and automatically block them, even if that specific packet type has never been seen before. For example, in late 2016, Corero’s research team observed a reflection/amplification attack vector that leveraged LDAP authentication packets transported over UDP port 389. This has since been referred to as a Connectionless Lightweight Directory Access Protocol attack, or CLDAP for short. This was discovered when the Corero SOC analyzed an attack which had already been blocked automatically by a Smart-Rule at one of our managed service customers.

When new attack vectors appear, it is critical to carry out forensic-level analysis to determine whether the entire attack was blocked and to ensure that no collateral damage occurred. Comprehensive visibility, with dashboards of actionable intelligence, enables users to closely monitor network traffic and patterns in real-time, allowing them to see exactly what is happening. Once new attacks are fully understood, organizations can create dedicated, surgically accurate exact-match filters to defend against that new DDoS vector. As an example, Corero’s exact-match filters enabled the Streamline Servers security team to create a new fine-tuned attack rule to mitigate TCP URG flag attacks, an attack type that is now relatively common but had not been used for DDoS attacks in the past.
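To make the two layers described above concrete, here is a small added example (not Corero's Smart-Rules or SmartWall code, and not code from this post) that runs a stream of constructed packet records through exact-match filters for two known vectors (CLDAP reflection from UDP source port 389, and bare TCP URG floods) and then through a behavioral heuristic that flags repeated packets sharing the same traits, regardless of whether a signature exists for them. The `Packet` record, the rule thresholds, the length bucket, the fingerprint fields and the sample addresses are all assumptions chosen for illustration; the heuristic is stateless beyond a sliding window and does not track sessions, so it is a teaching model rather than a production detector.

```python
"""Toy DDoS packet classifier: exact-match filters plus a behavioral heuristic.

Added illustration only; not Corero's Smart-Rules/SmartWall implementation.
All packet records below are constructed sample data (RFC 5737 test addresses).
"""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float            # arrival time in seconds
    src_ip: str
    dst_ip: str
    proto: str           # "udp" or "tcp"
    src_port: int
    dst_port: int
    length: int          # bytes on the wire
    tcp_flags: str = ""  # e.g. "U", "SA"; empty for UDP


# --- exact-match filters: written after a vector has been analyzed ---------
def is_cldap_reflection(p: Packet) -> bool:
    # Assumption: a reflected CLDAP response is a large UDP datagram whose
    # source port is 389. A real filter would also confirm it is unsolicited.
    return p.proto == "udp" and p.src_port == 389 and p.length > 500


def is_tcp_urg_flood(p: Packet) -> bool:
    # Assumption: a URG flag with no ACK is not something a live session emits.
    return p.proto == "tcp" and "U" in p.tcp_flags and "A" not in p.tcp_flags


EXACT_MATCH = {
    "cldap_reflection": is_cldap_reflection,
    "tcp_urg_flood": is_tcp_urg_flood,
}


# --- behavioral heuristic: repeated packets with identical traits ----------
def fingerprint(p: Packet) -> tuple:
    # Traits that stay constant across a flood but vary in ordinary traffic.
    # Length is bucketed to 100-byte bins so small jitter does not split a key.
    return (p.dst_ip, p.proto, p.src_port, p.dst_port, p.length // 100, p.tcp_flags)


class HeuristicDetector:
    def __init__(self, window=1.0, repeat_threshold=20, min_sources=3):
        self.window = window                    # seconds of history kept per key
        self.repeat_threshold = repeat_threshold  # repeats before we call it a flood
        self.min_sources = min_sources          # distinct senders required
        self.seen = defaultdict(deque)          # fingerprint -> deque[(ts, src_ip)]

    def observe(self, p: Packet) -> bool:
        """Record the packet; return True once its fingerprint looks like a flood."""
        hist = self.seen[fingerprint(p)]
        hist.append((p.ts, p.src_ip))
        cutoff = p.ts - self.window
        while hist and hist[0][0] < cutoff:     # expire the sliding window
            hist.popleft()
        sources = {src for _, src in hist}
        return len(hist) >= self.repeat_threshold and len(sources) >= self.min_sources


def classify(packets, detector=None):
    """Exact-match rules first, then the heuristic. Returns [(packet, verdict)]."""
    detector = detector or HeuristicDetector()
    verdicts = []
    for p in packets:
        verdict = next((name for name, rule in EXACT_MATCH.items() if rule(p)), "allow")
        if verdict == "allow" and detector.observe(p):
            verdict = "heuristic_flood"
        verdicts.append((p, verdict))
    return verdicts


def summarize(verdicts) -> Counter:
    return Counter(v for _, v in verdicts)


def sample_traffic():
    """Constructed sample: benign DNS answers, two known vectors, one unknown flood."""
    dst = "198.51.100.10"
    pkts = []
    # 10 ordinary DNS replies to different ephemeral ports, varied sizes, low rate
    for i in range(10):
        pkts.append(Packet(i * 0.1, "192.0.2.53", dst, "udp", 53, 40000 + i, 120 + 15 * i))
    # one CLDAP reflection datagram and one bare-URG TCP segment (known vectors)
    pkts.append(Packet(1.0, "203.0.113.7", dst, "udp", 389, 40010, 3000))
    pkts.append(Packet(1.1, "203.0.113.8", dst, "tcp", 5555, 80, 60, "U"))
    # 30 identical 1400-byte UDP datagrams from 30 senders on a port no rule knows
    for i in range(30):
        pkts.append(Packet(2.0 + i * 0.01, f"203.0.113.{100 + i}", dst, "udp", 12345, 80, 1400))
    return pkts


if __name__ == "__main__":
    results = classify(sample_traffic())
    for p, v in results:
        if v != "allow":
            print(f"{p.ts:5.2f} {p.src_ip:>15} {p.proto}/{p.src_port}->{p.dst_port} len={p.length}: {v}")
    print(summarize(results))
```

Running the sample flags the CLDAP and URG packets on their first appearance by exact match, lets the DNS replies through (each answer goes to a different client port, so no fingerprint repeats), and flags the unknown-port flood from its 20th packet onward without any rule naming UDP port 12345. The `min_sources` check is there so a single busy but legitimate flow does not trip the repeat threshold on its own; in practice the thresholds would be tuned per customer and per service, and the forensic step the paragraph describes is what turns a heuristic verdict into a new exact-match rule.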

With new attack vectors being detected daily, it is impossible for legacy mitigation solutions to accurately and rapidly discern good (legitimate) traffic from bad (DDoS) traffic. A comprehensive DDoS mitigation solution should include intelligently automated deep packet inspection using granular detection mechanisms, with surgical filters that automatically detect and block DDoS traffic, while allowing good traffic to pass through uninterrupted.

For over a decade, Corero has been providing state-of-the-art, highly effective, real-time automatic DDoS protection solutions for enterprise, hosting and service provider customers around the world. Our SmartWall® DDoS mitigation solutions protect on-premise, cloud, virtual and hybrid environments. For more on Corero’s flexible deployment models, click here. If you’d like to learn more, please contact us.