
A little about the types of DDoS attacks and methods of protection

According to research, the scale of DDoS attacks has increased roughly 50-fold over the past few years. At the same time, attackers target both on-premises infrastructure and the public cloud platforms on which customers' solutions are hosted.

“Successfully implemented attacks have a direct impact on customers' business and have destructive consequences,” comments Darren Anstee, a representative of Arbor Networks, which provides security solutions for networks.

The frequency of attacks is also increasing. At the end of 2014 their number was 83 thousand, and in the first quarter of 2015 the figure rose to 126 thousand. In today's article we therefore look at the various types of DDoS attacks and at the ways to defend against them.

/ Flickr / Kenny Louie / CC

A DoS attack (Denial of Service) bombards the victim's servers with individual packets carrying a forged source address. The failure is the result either of saturating (clogging) the bandwidth the client rents or of increased resource consumption on the attacked system.

The attackers spoof the source address to rule out blocking by IP. If the attack is distributed, that is, carried out simultaneously from a large number of computers, it is called a DDoS attack. Let's look at a few common types.

TCP SYN Flood


The purpose of a SYN flood is to exhaust the system's resources. For each incoming SYN packet the system reserves memory, generates a SYN+ACK response that contains cryptographic information, looks up session tables and so on, that is, it spends CPU time. Denial of service sets in with a SYN flood of 100 to 500 thousand packets per second, and an attacker with as little as a gigabit link is able to send a stream of up to 1.5 million packets per second.



Protection against SYN flood attacks is provided by DPI systems capable of analysing and controlling the traffic that passes through them; the SCAT solution from VAS Experts offers this functionality, for example. The system first detects an attack when the number of SYN requests not confirmed by the client exceeds a configured threshold, and then answers those requests itself instead of the protected site. A TCP session with the protected site is set up only after the client has confirmed the request.
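The threshold check described above, as an added example (not code from the article or from VAS Experts): it tracks handshakes that never receive the client's final ACK and flags a server once the count of such half-open connections exceeds a threshold. Addresses and segments are constructed sample data.

```python
from collections import defaultdict

# Constructed sample of TCP segments seen by an inline DPI box in front of
# the protected server (not real capture data). Fields: time in seconds,
# source IP, destination IP, set of TCP control flags present.
SERVER = "198.51.100.5"
SAMPLE_SEGMENTS = [
    (0.0, "203.0.113.10", SERVER, {"SYN"}),
    (0.1, SERVER, "203.0.113.10", {"SYN", "ACK"}),
    (0.2, "203.0.113.10", SERVER, {"ACK"}),      # legitimate handshake completes
] + [
    # 600 SYNs from spoofed sources that never answer the SYN+ACK
    (1.0 + i * 0.001, f"10.0.{i // 250}.{i % 250 + 1}", SERVER, {"SYN"})
    for i in range(600)
]


def half_open_counts(segments):
    """Return {server: number of SYNs never confirmed by the client's ACK}."""
    pending = set()  # (client, server) pairs still waiting for the final ACK
    for _time, src, dst, flags in segments:
        if flags == {"SYN"}:
            pending.add((src, dst))
        elif flags == {"ACK"} and (src, dst) in pending:
            pending.discard((src, dst))  # third step of the handshake observed
    counts = defaultdict(int)
    for _client, server in pending:
        counts[server] += 1
    return dict(counts)


def syn_flood_suspects(segments, threshold=500):
    """Servers whose unconfirmed-SYN count exceeds the configured threshold.

    Once a server is listed here, a SYN-proxying DPI device would start
    answering SYNs on its behalf and open the real TCP session only after
    the client's ACK arrives, as the article describes.
    """
    return {s for s, n in half_open_counts(segments).items() if n > threshold}
```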

Fragmented UDP Flood


This attack uses small fragmented UDP packets, for the analysis and reassembly of which the platform must allocate resources. Deep packet inspection systems also protect against this type of flood by discarding protocols that are irrelevant to the client's site or by rate-limiting them. For websites, for example, the working protocols are HTTP and HTTPS; in that case other protocols can simply be excluded or limited in bandwidth.

Botnet attack


Attackers usually try to flood the victim's bandwidth with a large number of packets or connections, overloading the network equipment. Such volumetric attacks are conducted from a variety of compromised systems that form part of a botnet.



In this example (image above), the attacker controls several "zombie" machines to conduct the attack. The zombies communicate with the master machine over a covert, secured channel, and command and control is often carried out via IRC, P2P networks and even Twitter.

In an attack of this type the operator does not need to hide the IP address of each machine, and because of the large number of computers involved the result is a significant load on the site. Attackers usually choose the most resource-intensive requests.

Protection against botnet attacks relies on various behavioural strategies whose task is to detect unexpected deviations and spikes in traffic. Another option, offered by VAS Experts, is a Turing test (a CAPTCHA page).

In this case only users who have passed the "humanity" test are allowed to work with the site. The CAPTCHA page itself is hosted on a separate server that is able to cope with the flow of requests from a botnet of any size.

I would also like to mention attacks that have appeared relatively recently: attacks on IoT devices aimed at "capturing" them and enlisting them in a botnet for DDoS attacks.

According to a Symantec report, 2015 broke records for the number of attacks on IoT, and eight new malware families appeared on the Internet. Attacks have become frequent for several reasons. First, many smart devices are always reachable from the Internet but lack reliable means of protection, since their computing power does not allow for it. Moreover, users often fail to update the software, which only increases the risk of compromise.

Attackers use simple tactics: they scan all reachable IP addresses looking for open Telnet or SSH ports. When such addresses are found, they try to log in with a standard set of logins and passwords. Once the device is accessed, a shell script (.sh) is uploaded to it which downloads the bot binary, starts it and then closes access to the device, blocking the Telnet ports and modifying iptables so that the system cannot be taken over by another worm.

To minimise the risk of IoT devices being compromised, simple measures suffice: disable unused network functions of the device, disable Telnet and SSH access, switch to a wired connection instead of Wi-Fi where possible, and update the software regularly.

Smurf attacks


The attacker sends a forged ICMP Echo Request to a broadcast address, with the source address replaced by the victim's address in order to impersonate the target system. Because the echo packet was sent to the broadcast address, all machines on the amplifying network return their replies to the victim. By sending a single ICMP packet to a network of 100 systems, the attacker amplifies the DDoS attack a hundredfold.

To prevent the amplification effect, network security experts advise disabling directed broadcasts on all border routers. It is also worth configuring the OS to silently discard broadcast ICMP Echo packets.

Amplified DNS Attack


An amplification attack is the most common DDoS attack that uses recursive name servers. It resembles a Smurf attack, except that here the attacker sends small queries to a DNS resolver, forcing it to send its replies to the spoofed address.

As a concrete example, in February 2007 a series of attacks was carried out on the root DNS servers, whose operation directly affects the normal functioning of the entire Internet. Common practices for protecting against this type of attack can be found on the Cisco website.
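Both the Smurf attack and DNS amplification reach the victim as replies to requests it never sent, so one victim-side detector covers both. The following is an added example, not code from the article: it pairs inbound ICMP echo replies and DNS responses with the host's own outbound requests and totals the bytes of unsolicited replies per type. Addresses, identifiers and sizes are constructed sample data.

```python
from collections import defaultdict

PROTECTED = "198.51.100.5"  # constructed address of the defended host

# Constructed packet log (not a real capture):
# (direction, proto, peer, ident, size_bytes); direction is "out" when sent
# by PROTECTED, "in" when received; ident is the ICMP echo id or DNS txid.
SAMPLE_PACKETS = [
    ("out", "icmp_echo_request", "192.0.2.1", 0x1A2B, 64),
    ("in", "icmp_echo_reply", "192.0.2.1", 0x1A2B, 64),      # legitimate reply
    ("out", "dns_query", "192.0.2.53", 0x0001, 60),
    ("in", "dns_response", "192.0.2.53", 0x0001, 180),        # legitimate answer
] + [
    # Smurf pattern: echo replies from 100 hosts of a broadcast network
    ("in", "icmp_echo_reply", f"203.0.113.{i}", 0x0000, 1024) for i in range(1, 101)
] + [
    # DNS amplification pattern: large answers from 50 open resolvers
    ("in", "dns_response", f"192.0.2.{i}", 0xBEEF, 3500) for i in range(10, 60)
]

# reply type -> the request type that would legitimately have preceded it
REPLY_OF = {"icmp_echo_reply": "icmp_echo_request", "dns_response": "dns_query"}


def unsolicited_reply_bytes(packets):
    """Bytes of inbound replies with no matching outbound request, per reply type."""
    outstanding = set()              # (request proto, peer, ident) we actually sent
    unsolicited = defaultdict(int)
    for direction, proto, peer, ident, size in packets:
        if direction == "out" and proto in REPLY_OF.values():
            outstanding.add((proto, peer, ident))
        elif direction == "in" and proto in REPLY_OF:
            key = (REPLY_OF[proto], peer, ident)
            if key in outstanding:
                outstanding.discard(key)  # solicited: answers our own request
            else:
                unsolicited[proto] += size
    return dict(unsolicited)


def reflection_suspected(packets, byte_threshold=50_000):
    """Reply types whose unsolicited volume in this window exceeds the threshold."""
    return {p for p, b in unsolicited_reply_bytes(packets).items() if b > byte_threshold}
```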

TCP Reset


A TCP reset attack works by manipulating RST packets during a TCP connection. An RST is a segment whose header flag signals that the connection is being reset and must be re-established if it is still needed; it is normally used when an error has been detected or when a party wants to stop the data transfer. An attacker can break a TCP connection by continually sending RST packets with valid values, which makes it impossible to maintain a connection between the sender and the receiver.

This type of attack can be prevented by monitoring every transmitted packet and making sure that its sequence number falls in the expected order. Deep traffic inspection systems perform this check.
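The sequence-number check in the form standardised by RFC 5961 (section 3.2), as an added example that is not from the article: an RST tears the connection down only if its sequence number exactly equals the next expected one; an in-window but inexact RST triggers a challenge ACK, and an out-of-window RST is silently dropped. The receiver state and the flood of guessed sequence numbers are constructed sample data; sequence-number wrap-around is ignored for brevity.

```python
RCV_NXT, RCV_WND = 1_000_000, 65_535  # constructed receiver state for one connection


def classify_rst(seq, rcv_nxt=RCV_NXT, rcv_wnd=RCV_WND):
    """Classify an incoming RST against the receive window (RFC 5961, section 3.2).

    Wrap-around of the 32-bit sequence space is ignored here for brevity.
    """
    if seq == rcv_nxt:
        return "reset"          # exact match: the only RST that tears the connection down
    if rcv_nxt < seq < rcv_nxt + rcv_wnd:
        return "challenge_ack"  # in window but inexact: ask the peer to confirm it
    return "drop"               # outside the window: a blind RST, silently discarded


def rst_flood_summary(rst_segments):
    """Count how a burst of (src, seq) RST segments is handled by the check above.

    A blind attacker guessing sequence numbers produces mostly "drop" and a few
    "challenge_ack" outcomes; a legitimate RST from the real peer is "reset".
    """
    counts = {"reset": 0, "challenge_ack": 0, "drop": 0}
    for _src, seq in rst_segments:
        counts[classify_rst(seq)] += 1
    return counts


# Constructed blind-RST burst: 399 guesses spaced 10 000 apart, none exact.
SAMPLE_RSTS = [("203.0.113.7", RCV_NXT + 10_000 * i) for i in range(1, 400)]
```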

Today the main purpose of compromising devices is to organise DDoS attacks or to cause damage by limiting users' access to a site on the Internet. That is why telecom operators, Internet providers and other companies, including VAS Experts, also offer and build DDoS protection solutions: real-time traffic monitoring to track anomalies and bandwidth spikes; the Carrier Grade NAT feature, which "hides" the subscriber's device from intruders by closing access to it from the Internet; and other intelligent and even self-learning systems.

Further reading on the topic of DPI (Deep packet inspection):

Source: https://habr.com/ru/post/313562/

