Volumetric DDoS Attack

Definition and Defense

What is a Volumetric Attack?

A volumetric attack sends a high volume of traffic, or request packets, to a targeted network in an effort to overwhelm its bandwidth capabilities. These attacks work to flood the target in the hope of slowing or stopping its services. Typically, attack traffic is in the hundreds of Gbps; however, recent attacks have scaled to over 1 Tbps.

Volumetric attacks are prevalent because the technical barrier to generating a high volume of requests is lower. In most cases, hackers utilize simple amplification techniques to scale their attack.

The amplification techniques deployed often result in traffic originating from many sources (IP addresses or networks). As a result, volumetric attacks are typically much more difficult to manually mitigate than attacks that originate from a single source.

Malware and Botnet Origins

Volumetric attacks typically originate from a network of systems infected with malware. The malware allows cybercriminals to take control of devices that can then be used to generate the necessary influx of traffic.

These networks, often called “botnets”, have historically been built on standard computer systems, such as desktop computers, servers, and the like, which allows the attack traffic to appear legitimate.

However, as hackers continue to look for new ways to expand their networks, they are now leveraging insecure IoT devices to launch DDoS attacks. Essentially, almost any device connected to the Internet is now at risk of being infected with malware and used as part of a botnet to deliver volumetric DDoS attacks, which may also use reflective techniques to further amplify their potency.

Reflective, Amplified Attacks

Before we get into the types of volumetric attacks that use reflective techniques, let’s define the term.

Reflective attacks are those that yield the largest bandwidth impacts. In a reflective attack, an attacker sends out small requests to a number of legitimate services hosted on the Internet. The one key trick is that they make it look like the request originated from the victim, and they use a request that commands a big response. As a result, they send out a stream of small requests to services on the Internet, such as DNS and NTP, and those services, in turn, send large responses to the victim. The transformation of small requests into large responses is why it’s called amplification.

  • Domain Name Server (DNS) Amplification: In a DNS reflection-based amplification attack, the attackers send DNS requests, of type ‘ANY’, to open resolvers on the Internet, with the source spoofed to be the IP address of the victim. The DNS resolvers send the requested responses, which are amplified by a large factor, as much as seventy times, compared to the requests.
  • Network Time Protocol (NTP): This type of reflection works similarly to a DNS attack. The difference is that the attacker sends spoofed NTP ‘Get Monlist’ requests to NTP servers and, in return, large Monlist responses are sent to the victim, padded out with details of the last six hundred hosts that queried the server.
  • Chargen (Character Generator): The attacker sends spoofed requests to open chargen servers on the Internet. In response, the servers then send large amounts of random characters to the victim.
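
As an added example (not Corero's code and not part of the original page), the following Python function shows what the reflection pattern described above looks like from the victim's side in flow records: UDP responses from source ports 53, 123 or 19 arriving from many distinct servers at one destination. The flow record fields, the thresholds and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# UDP source ports of the reflector services named in the list above.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 19: "chargen"}

def detect_reflection(flows, min_sources=3, min_bytes=100_000):
    """Return (dst, service, distinct_sources, total_bytes) per suspected flood.

    flows: iterable of dicts with keys src, sport, dst, proto, bytes.
    Thresholds are illustrative assumptions; tune them to a traffic baseline.
    """
    sources = defaultdict(set)
    volume = defaultdict(int)
    for f in flows:
        service = REFLECTOR_PORTS.get(f["sport"])
        if f["proto"] != "udp" or service is None:
            continue  # not a response from one of the reflector services
        key = (f["dst"], service)
        sources[key].add(f["src"])
        volume[key] += f["bytes"]
    findings = [
        (dst, service, len(srcs), volume[(dst, service)])
        for (dst, service), srcs in sources.items()
        # One resolver answering one client is normal; many servers sending
        # large responses to a single host is the reflection signature.
        if len(srcs) >= min_sources and volume[(dst, service)] >= min_bytes
    ]
    return sorted(findings, key=lambda r: r[3], reverse=True)

def _flow(src, sport, dst, proto, nbytes):
    return {"src": src, "sport": sport, "dst": dst, "proto": proto, "bytes": nbytes}

def sample_flows():
    """Constructed one-minute flow summary using documentation address ranges."""
    victim, client = "203.0.113.10", "203.0.113.20"
    flows = [_flow(f"198.51.100.{i}", 123, victim, "udp", 44_000) for i in range(1, 41)]
    flows += [_flow(f"192.0.2.{i}", 53, victim, "udp", 30_000) for i in range(1, 26)]
    flows.append(_flow("192.0.2.53", 53, client, "udp", 1_200))         # normal DNS answer
    flows.append(_flow("198.51.100.200", 443, client, "tcp", 900_000))  # normal HTTPS
    return flows

if __name__ == "__main__":
    for dst, service, n, total in detect_reflection(sample_flows()):
        print(f"{dst}: {service} reflection suspected, {n} sources, {total} bytes")
```

Because the responses arrive from many legitimate servers, the useful aggregate is the destination and reflector service rather than any single source address.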

Non-Reflective Attacks

Volumetric attacks predominantly rely on reflective techniques, but this is not always the case when an attack is sourced from a botnet. If a botnet is large enough, it does not need to go through another amplifying server; instead, each compromised device in the botnet sends its traffic directly to the victim.

Botnets normally operate with small packets and attack at high rates. However, the now infamous Mirai botnet is an exception to this rule because it relies on larger packets that operate at a slower rate, which qualifies its attacks as non-reflective volumetric attacks.

Attack Interception and Defense

Volumetric attacks will continue to be a threat as they grow in size and sophistication. The security of the source devices is not something victims of volumetric attacks have any control over. However, advances in DDoS attack protection allow for network edge appliances to intercept incoming requests and automatically filter out bad traffic from the good. Deploying real-time DDoS mitigation technology can significantly lessen the impact on your network, business and customers.

The Corero SmartWall® solution delivers comprehensive protection against volumetric DDoS attacks, from gigabits to tens-of-terabits. The Corero Security Operations Team (SOC), with its in-depth experience in dealing with volumetric attacks, also provides the SecureWatch® Managed Service Offering for customers who don’t have in-house DDoS expertise.
