Given all the focus lately on attempts at digital theft and extortion, one area of IT attacks has not gotten much attention—distributed denial of service (DDoS) attacks.
Unfortunately, each type of attack requires a different defense. In order to effectively defend against them, an IT security professional first needs to know how they work. The common thread among these attacks is that the threat actors behind them take advantage of the way the Internet is designed to launch their attacks.
DDoS attacks are essentially unwanted traffic that can come in many forms, including:
- Outbound DDoS
- AET (advanced evasion techniques)
- Pre-attack reconnaissance
- Custom packet attacks
- Reflective DDoS attacks
- Network-level DDoS
- Application-layer DDoS
To get an idea of how they work, let’s look first at reflective DDoS attacks. These are difficult to defend against because they are not a direct attack but an indirect one, in which something else (here, an innocent third-party server) does the sending on the attacker’s behalf.
The most common reflective attack involves the following:
- An attacker sends a DNS request (Domain Name System, the service that converts Internet names into IP addresses) to a public DNS server.
- The request spoofs the target’s IP address as its source, so it looks as if the target sent it.
- The DNS server therefore sends its response to the target instead of to the true source.
- Attackers choose the query type that produces the largest possible response (an “ANY” request).
The requests are small, maybe 60 bytes, while the responses are large, 4,000 bytes or more, so the attacker gets a lot of impact for his money, so to speak.
Nearly every firewall lets these responses pass through without inspection, since they are well-formed DNS replies coming from valid open DNS servers (by last count, there are more than 25 million of them!).
As the attacker uses more and more computers to send spoofed requests, the amplified responses add up, flooding the target’s protected DNS servers with unwanted traffic (think Los Angeles at 5:30 p.m.).
Since the internal DNS servers are what everyone in a company relies on to reach the Internet, no one can get out, and the volume of traffic being forwarded to those servers can stop anyone from getting in.
So how do you defend against a reflective DDoS attack like this? Some products, such as non-traditional firewalls that sit outside the normal “port & address” firewalls, can tell the difference between DNS responses that answer queries the target’s own DNS servers actually sent and responses that nobody asked for. Some can even work with agents on desktops and servers to improve their picture of the traffic. “DDoS mitigation” services run by third parties are another option, and companies that have prepared for it can even switch to alternate IPs.
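The following is an added example, not code from the original post, that shows the two ideas above in working form: the amplification ratio from the 60-byte request and 4,000-byte response figures, and the stateful check a DNS-aware filter performs to separate responses that answer a query the protected resolver really sent from unsolicited, reflected ones. The flow records, IP addresses (from the RFC 5737 documentation ranges) and the `DnsFlow` layout are all constructed for the example; the per-source threshold is an assumed tuning knob, not a figure from the article.

```python
"""Detect unsolicited (reflected) DNS responses in a flow log.

Constructed example: each record describes one UDP/53 datagram as seen at
the edge of a protected network. Outbound queries from the organisation's
resolver are remembered by (resolver, server, transaction id); an inbound
response whose key no recorded query explains is treated as unsolicited.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsFlow:
    direction: str      # "out" or "in", relative to the protected network
    src: str            # source IP
    dst: str            # destination IP
    txid: int           # DNS transaction id
    is_response: bool   # True for a response, False for a query
    qtype: str          # query type, e.g. "A" or "ANY"
    nbytes: int         # datagram size in bytes


# Constructed sample: one legitimate query/response pair followed by
# three responses nobody on the inside asked for (reflected traffic).
RESOLVER = "198.51.100.10"  # constructed address of the protected resolver
SAMPLE_FLOWS = [
    DnsFlow("out", RESOLVER, "203.0.113.53", 0x1A2B, False, "A", 62),
    DnsFlow("in", "203.0.113.53", RESOLVER, 0x1A2B, True, "A", 180),
    DnsFlow("in", "192.0.2.77", RESOLVER, 0x9999, True, "ANY", 4100),
    DnsFlow("in", "192.0.2.77", RESOLVER, 0x9A9A, True, "ANY", 4100),
    DnsFlow("in", "192.0.2.78", RESOLVER, 0x0001, True, "ANY", 3900),
]


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Bytes delivered to the target per byte the attacker sends."""
    return response_bytes / request_bytes


def find_unsolicited_responses(flows):
    """Return inbound DNS responses with no matching outbound query.

    The key for an outbound query is (our resolver, remote server, txid);
    a genuine response reverses src and dst, so the lookup key is
    (response dst, response src, txid).
    """
    pending = set()
    unsolicited = []
    for f in flows:
        if f.direction == "out" and not f.is_response:
            pending.add((f.src, f.dst, f.txid))
        elif f.direction == "in" and f.is_response:
            key = (f.dst, f.src, f.txid)
            if key in pending:
                pending.discard(key)   # answered: forget the query
            else:
                unsolicited.append(f)
    return unsolicited


def summarize(flows, per_source_threshold: int = 2):
    """Aggregate unsolicited responses; flag sources at or over the threshold.

    A single stray late response is normal (a resolver timed out and
    retried), so only sources sending several unsolicited responses are
    reported as likely reflectors. The threshold is an assumed value.
    """
    unsolicited = find_unsolicited_responses(flows)
    per_source = Counter(f.src for f in unsolicited)
    return {
        "unsolicited": len(unsolicited),
        "bytes": sum(f.nbytes for f in unsolicited),
        "any_responses": sum(1 for f in unsolicited if f.qtype == "ANY"),
        "sources": sorted(per_source),
        "likely_reflectors": sorted(
            s for s, n in per_source.items() if n >= per_source_threshold
        ),
    }


if __name__ == "__main__":
    print(f"amplification: {amplification_factor(60, 4000):.1f}x")
    print(summarize(SAMPLE_FLOWS))
```

Matching on transaction id and address pair is the same state a stateful DNS filter or a resolver's own socket layer keeps; a response that matches nothing pending is dropped at the edge before it reaches the resolver, which is what the non-traditional firewalls described above do. The threshold guards against false positives from ordinary late or retransmitted replies, and the per-source counts are the data you would hand to a mitigation provider.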