Volumetric DDoS Attack Type

 

What is a Volumetric Attack?

A volumetric attack sends a high amount of traffic, or request packets, to a targeted network in an effort to overwhelm its bandwidth capabilities. These attacks work to flood the target in the hopes of slowing or stopping their services. Typically request sizes are in the 100’s of Gbps; however, recent attacks have scaled to over 1Tbps.

Volumetric attacks are prevalent due to the low technical barrier to generate a high volume of requests. In most cases, hackers utilize simple amplification techniques to scale the attack. 

The amplification techniques deployed result in traffic originating from many sources (IP addresses or networks). As a result, volumetric attacks are much more difficult to mitigate than attacks that originate from a single source. 

How Volumetric Attacks Work

Volumetric attacks originate from a network of systems infected with malware. Malware allows cybercriminals to take control of devices that can then be used to generate the necessary influx of traffic. 

These networks, often called “botnet” or “zombienet”, have historically been built on standard computer systems; such as, desktop computers, servers, and the like, and allow the attack traffic to appear legitimate. 

However, hackers continue to look for ways to expand their networks and are now leveraging unsecure IoT devices to launch DDoS attacks. Essentially, any device connected to the Internet, once infected with malware, can be used as a part of a volumetric DDoS attack that uses reflective techniques.

 

Volumetric DDoS Attack

 

Common Types of Reflective Volumetric Attacks

Before we get into the types of volumetric attacks that use reflective techniques, lets define the term. 

Reflective attacks are those that yield the largest bandwidth. In a reflective attack, an attacker casts a wide net and sends out small requests to legitimate servers on the Internet.  Their one key trick.  They make it look like the request came from the victim, and they use a request that should demand a big response.  As a result, they send out a lot of small requests to servers on the Internet and then in turn, those servers send large responses to the victim. The turning of small requests into large responses is why it’s called amplification.  

  • Domain Name Servers (DNS) Amplification: In a DNS reflection-based amplification attack, the attackers spoof target server IP addresses and send DNS requests to open resolvers. The DNS resolvers send responses, which are amplified by a large factor as compared to the requests.
  • Network Time Protocol (NTP): This type of reflection attack works similarly to a DNS attack. The difference is that the attacker sends spoofed NTP Monlist requests to NTP servers, and in return large Monlist responses are sent to the victim. 
  • Chargen (Character Generator): The attacker sends spoofed requests to open chargen servers on the Internet. In response, the servers then send large amounts of random characters to the victim.

Non-Reflective Volumetric Attacks

Volumetric attacks predominantly rely on reflective techniques, but there is an outlier where the attack will employ botnets. A botnet does not go through another server, instead it goes directly from the computer that is attacking the victim.

Botnets normally operate with small packets and attack at high rates. One instance that comes to mind is the Mirai Botnet attack type. The Mirai Botnet is an exception to this rule because it relies on larger packets that operate at a slower rate, therefore qualifying it as a non-reflective volumetric attack. 

How to Defend Against Volumetric Attacks

Volumetric attacks will continue to be a threat as they grow in size and sophistication. The security of the source devices is not something victims of volumetric attacks have any control over. However, advances in DDoS attack protection allow for network edge appliances to intercept incoming requests to filter out bad traffic from the good. Deploying in-line or scrubbing DDoS mitigation technology  can significantly lessen the impact on your network, business and customers.

The Corero SmartWall® Threat Defense System (TDS) has various protections against volumetric attacks. The Corero Security Operations Team (SOC) also has in-depth experience in dealing with volumetric attacks and can enable additional mitigation functions for customers not already taking advantage of the SecureWatch® Managed Service offering.

 

Additional & Related Information

 

 

 

Contact us to learn how to defend against volumetric attacks.