Distributed Network Attacks / DDoS
14-03-2022, 15:30
DDoS attacks: Attack and defense
News headlines today are full of reports of DDoS (Distributed Denial of Service) attacks. Any organization with a presence on the Internet is exposed to them: the question is not whether you will be attacked, but when. Government agencies, media and e-commerce sites, and the websites of commercial and non-profit organizations are all potential targets.
Who is being attacked?
According to the Central Bank, the number of DDoS attacks on Russian financial institutions almost doubled in 2016. In November, DDoS attacks were directed at five major Russian banks. At the end of last year, the Central Bank reported DDoS attacks on financial organizations, including the Central Bank itself. "The purpose of the attacks was to disrupt the operation of services and, as a result, undermine confidence in these organizations. These attacks were notable because they were the first large-scale use of the Internet of Things in Russia. Internet video cameras and household routers were the main devices involved in the attack," the security services of large banks noted.
At the same time, the DDoS attacks did not cause significant damage to the banks: they are well protected, so the attacks, although a nuisance, were not critical and did not disrupt any service. Nevertheless, hacker activity against banks has clearly increased.
In February 2017, the technical services of the Russian Ministry of Health repelled the largest DDoS attack in recent years, which peaked at 4 million requests per minute. DDoS attacks on state registries were also attempted; they too were unsuccessful and did not lead to any data changes.
Numerous organizations and companies that lack such strong defenses, however, do become victims of DDoS attacks. In 2017, damage from cyber threats is expected to grow, driven by ransomware, DDoS and attacks on Internet of Things devices.
IoT devices are becoming increasingly popular as tools for carrying out DDoS attacks. A landmark event was the DDoS attack launched in September 2016 with the Mirai malware, in which hundreds of thousands of cameras and other video surveillance devices served as the attack platform.
It was carried out against the French hosting provider OVH and was a powerful attack, almost 1 Tbit/s. The botnet consisted of about 150 thousand IoT devices, mainly CCTV cameras. The Mirai attacks marked the beginning of a wave of botnets built from IoT devices, and experts expect them to remain one of the main threats in cyberspace in 2017.
According to the 2016 Verizon Data Breach Investigations Report (DBIR), the number of DDoS attacks rose markedly last year. Worldwide, the entertainment industry, professional organizations, education, IT and retail suffer the most.
A notable trend is the widening of the list of victims, which now includes representatives of almost every industry. At the same time, attack methods keep improving.
According to Nexusguard, at the end of 2016 the number of mixed-type DDoS attacks, which combine several attack vectors at once, grew significantly. Financial and government organizations were hit most often. The main motive of cybercriminals (70% of cases) is data theft or the threat of data destruction for ransom; political or social goals are less common. That is why a defense strategy matters: it prepares the organization for an attack, minimizes the consequences and reduces financial and reputational risk.
Consequences of attacks
What are the consequences of a DDoS attack? During the attack, the victim loses customers because the site is slow or completely unavailable, and the reputation of the business suffers. The service provider may block the victim's IP address to limit the damage to its other customers. Restoring everything takes time and, possibly, money.
According to a HaltDos survey, half of organizations rate DDoS attacks as one of the most serious cyber threats, ranking the danger above unauthorized access, viruses, fraud and phishing, not to mention other threats.
Average losses from DDoS attacks are estimated worldwide at 50 thousand dollars for small organizations and almost 500 thousand dollars for large enterprises. Cleaning up after a DDoS attack requires additional staff time and diverts resources from other projects to security: drawing up a software update plan, upgrading equipment, and so on.
The reputation of the attacked organization may suffer not only because the site performed poorly, but also because personal or financial data was stolen during the incident.
According to the same HaltDos survey, the number of DDoS attacks is growing by 200% annually, and about 2 thousand attacks of this type are reported daily worldwide. Ordering a week-long DDoS attack costs only about $150, while the victim's losses average more than $40,000 per hour.
Types of DDoS attacks
The main types of DDoS attacks are volumetric (massive) attacks, protocol-level attacks and application-level attacks. In each case the goal is to take the site down, or to use the outage as cover for stealing data. A related form of cybercrime is the threat of a DDoS attack to extort a ransom; groups such as Armada Collective, Lizard Squad, RedDoor and ezBtc are known for this.
Organizing a DDoS attack has become noticeably simpler: widely available automated tools require practically no special knowledge, and paid DDoS-for-hire services offer anonymous attacks on a chosen target. The vDOS service, for example, did not check whether the customer owned the site they wanted to "load test" or was ordering an attack on someone else's.
A DDoS attack is an attack from many sources that prevents legitimate users from reaching the attacked site: a huge number of requests is sent to the target system, more than it can handle. Compromised systems are usually used for this purpose.
The annual growth in the number of DDoS attacks is estimated at 50% (according to www.leaseweb.com), but figures from different sources differ, and not all incidents become known. The average size of Layer 3/4 DDoS attacks has grown in recent years from 20 Gbit/s to several hundred Gbit/s. Massive and protocol-level attacks are unpleasant in themselves, but cybercriminals increasingly combine them with Layer 7 (application-level) DDoS attacks, which target the application itself and may serve as cover for altering or stealing data. Such "multi-vector" attacks can be very effective.
Multi-vector attacks account for about 27% of the total number of DDoS attacks.
In a volumetric (volume-based) DDoS attack, a huge number of requests, often arriving from legitimate-looking IP addresses that cannot simply be filtered by source, makes the site "choke" on traffic. The purpose is to saturate all available bandwidth and crowd out legitimate traffic.
In a protocol-level attack (for example over UDP or ICMP) the goal is to exhaust the resources of the system itself. Half-open requests are sent, for example TCP SYN packets with spoofed source addresses, and once connection tables or other network resources are exhausted, legitimate requests can no longer be processed. Typical representatives, known in narrow circles as Smurf, Ping of Death and SYN flood, belong here. Another kind of protocol-level DDoS attack sends a large number of fragmented packets that the system cannot reassemble.
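As an added illustration (not part of the original article), the following Python models the resource exhaustion behind a SYN flood and the stateless defense against it: a fixed-size half-open connection table that spoofed SYNs fill up, beside a SYN cookie scheme in the style of Linux syncookies that encodes a keyed MAC in the server's initial sequence number, so that no state is kept until the client proves it received the SYN-ACK. The secret key, slot length and addresses are constructed for the example.

```python
import hashlib
import hmac
import time

# Constructed key for the example; a real server rotates it. Slot length and
# bit layout follow the Linux syncookie design: the top 5 bits of the ISN carry
# the time slot, the low 27 bits a keyed MAC over the connection parameters.
COOKIE_SECRET = b"example-syn-cookie-secret"
SLOT_SECONDS = 64
MAC_BITS = 27


def time_slot(now=None):
    """Coarse time counter; a cookie is honoured for the current and previous slot."""
    return int(time.time() if now is None else now) // SLOT_SECONDS


def syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, slot, secret=COOKIE_SECRET):
    """Server ISN for a SYN, computed instead of stored: nothing is kept per connection."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{client_isn}|{slot}".encode()
    mac = int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")
    return ((slot & 0x1F) << MAC_BITS) | (mac & ((1 << MAC_BITS) - 1))


def verify_ack(src_ip, src_port, dst_ip, dst_port, client_isn, ack_number, now_slot,
               secret=COOKIE_SECRET):
    """Validate the third handshake packet: its ACK must equal a recent cookie + 1.

    A spoofed SYN never yields a valid ACK, because the SYN-ACK carrying the cookie
    went to the forged address, so unanswered SYNs cost the server no memory.
    """
    server_isn = (ack_number - 1) & 0xFFFFFFFF
    for slot in (now_slot, now_slot - 1):
        if (slot & 0x1F) == (server_isn >> MAC_BITS) and \
                syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, slot, secret) == server_isn:
            return True
    return False


class StatefulBacklog:
    """What a SYN flood exhausts: a fixed table of half-open connections awaiting an ACK."""

    def __init__(self, size):
        self.size = size
        self.half_open = {}

    def on_syn(self, src_ip, src_port, client_isn):
        key = (src_ip, src_port)
        if key in self.half_open:
            return True
        if len(self.half_open) >= self.size:
            return False                    # table full: the SYN is dropped, this is the DoS
        self.half_open[key] = client_isn
        return True


def flood_then_connect(backlog_size, spoofed_syns):
    """Constructed scenario: spoofed SYNs (which never ACK) fill the table, then a real client tries."""
    table = StatefulBacklog(backlog_size)
    for i in range(spoofed_syns):
        table.on_syn(f"10.0.{i // 256}.{i % 256}", 40000 + i, 1000 + i)
    return table.on_syn("192.0.2.10", 51515, 777)       # True only if the backlog still has room
```

With cookies enabled the server answers every SYN from computation alone and allocates a connection only when verify_ack succeeds. The price is that TCP options negotiated in the SYN cannot be remembered and must be encoded in the cookie or dropped, which is why most stacks switch to cookies only once the backlog is under pressure.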
Layer 7 DDoS attacks send harmless-looking requests that resemble ordinary user actions; botnets and automated tools are usually used to generate them. Well-known examples are Slowloris and Apache Killer. Cross-site scripting, SQL injection and remote file inclusion are often listed alongside them as Layer 7 attacks, although they target application logic rather than availability.
In 2012-2014 most massive DDoS attacks were stateless, that is, they used UDP, which keeps no state and tracks no sessions. With UDP, many packets may belong to one logical session (for example, loading a page), but the receiving device has no way of knowing who actually started that session, because no handshake ever took place.
This makes UDP susceptible to source-address spoofing. For example, to attack a host at 56.26.56.26 with a DNS amplification attack, you craft a batch of DNS queries with the source address 56.26.56.26 and send them to DNS servers around the world; each of these servers sends its (much larger) response to 56.26.56.26.
The same method works for NTP servers and SSDP-enabled devices. NTP is perhaps the most popular reflector: in the second half of 2016 it was used in 97.5% of DDoS attacks.
Best Current Practice 38 (BCP 38, RFC 2827, Network Ingress Filtering) recommends that providers configure their edge routers to prevent spoofing by checking that the source address of every packet entering from a customer belongs to that customer's network. Not every country follows this practice, and attackers sidestep BCP 38 altogether by switching to stateful attacks at the TCP level, which complete the handshake from the bots' real addresses. According to the F5 Security Operations Center (SOC), such attacks have dominated in the last five years; in 2016 there were twice as many TCP attacks as UDP attacks.
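An added example, not from the article, of what BCP 38 ingress filtering checks at a provider edge. It is written in Python against a constructed topology (interface-to-prefix assignments and a hypothetical routing table) and contrasts strict mode, where a source must belong to the prefix assigned to the interface it arrived on, with loose mode, which only asks whether the source is routable at all. 56.26.56.26 is the target address used in the article's amplification example; the 56.26.0.0/16 route is an assumption.

```python
import ipaddress

# Constructed topology: the address blocks each customer-facing interface may
# source traffic from (what strict BCP 38 checks) and the provider's routing
# table (all that loose mode consults). 56.26.0.0/16 is hypothetical.
INTERFACE_PREFIXES = {
    "customer-A": ["203.0.113.0/24", "2001:db8:a::/48"],
    "customer-B": ["198.51.100.0/26"],
}
ROUTING_TABLE = ["203.0.113.0/24", "198.51.100.0/26", "2001:db8:a::/48", "56.26.0.0/16"]


def to_networks(prefixes):
    return [ipaddress.ip_network(p) for p in prefixes]


STRICT_TABLE = {iface: to_networks(p) for iface, p in INTERFACE_PREFIXES.items()}
LOOSE_TABLE = to_networks(ROUTING_TABLE)


def contains(nets, addr):
    return any(addr.version == n.version and addr in n for n in nets)


def ingress_decision(interface, src_ip, mode="strict"):
    """BCP 38 verdict for a packet arriving on a customer interface.

    strict: the source must lie in a prefix assigned to that very interface.
    loose : the source only has to appear somewhere in the routing table, which
            stops bogons but not a customer spoofing another customer's range.
    """
    addr = ipaddress.ip_address(src_ip)
    if mode == "strict":
        allowed = STRICT_TABLE.get(interface)
        if allowed is None:
            return "drop"                   # unknown interface: fail closed
        return "accept" if contains(allowed, addr) else "drop"
    if mode == "loose":
        return "accept" if contains(LOOSE_TABLE, addr) else "drop"
    raise ValueError(f"unknown mode {mode!r}")


def dropped(packets, mode):
    """Apply the filter to (interface, src_ip, dst_ip) tuples; return those dropped."""
    return [p for p in packets if ingress_decision(p[0], p[1], mode) == "drop"]


# Constructed outbound packets seen at the provider edge (destinations are documentation addresses).
PACKETS = [
    ("customer-A", "203.0.113.10", "192.0.2.53"),   # genuine customer A traffic
    ("customer-B", "198.51.100.7", "192.0.2.53"),   # genuine customer B traffic
    ("customer-B", "56.26.56.26", "192.0.2.53"),    # bot on B spoofing the amplification target
    ("customer-B", "203.0.113.10", "192.0.2.53"),   # bot on B spoofing customer A's address
    ("customer-A", "10.77.0.1", "192.0.2.53"),      # RFC 1918 bogon source
]
```

Strict mode drops all three forged sources; loose mode lets the two spoofed but routable addresses through and only catches the bogon, which is the gap attackers rely on when a provider deploys loose checks on customer ports.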
Layer 7 attacks are mainly the province of professional attackers. The principle is as follows: a "heavy" URL is chosen, one whose handling is expensive (a large PDF download or a query against a large database), and it is requested tens or hundreds of times per second. Layer 7 attacks have severe consequences and are difficult to recognize. They currently account for about 10% of DDoS attacks.
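An added example, not from the article, of detecting the heavy-URL pattern described above. It is Python over constructed Apache-style access log lines with the request service time (%D, microseconds) appended as the last field; thresholds, paths and addresses are assumptions for the example. Rather than counting requests alone, it also sums the server time each client consumes per URL per second, which is what exposes a moderate request rate against an expensive endpoint.

```python
import re
from collections import defaultdict
from datetime import datetime

# Common log format plus a trailing %D (microseconds spent serving the request).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) (?P<micros>\d+)$'
)


def parse_line(line):
    """Parse one access log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["second"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["micros"] = int(rec["micros"])
    rec["path"] = rec["path"].split("?", 1)[0]   # /search?q=1 and /search?q=2 are the same endpoint
    return rec


def find_heavy_url_abuse(lines, max_rps=20, max_cpu_seconds=2.0):
    """Flag (client, path) pairs that exceed max_rps in any one second, or make the
    server spend more than max_cpu_seconds handling that path within one second.

    The second rule catches the heavy-URL pattern: 15 requests per second against a
    200 ms endpoint cost the server more than 60 per second against a 30 ms one.
    """
    per_sec = defaultdict(lambda: {"count": 0, "micros": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        bucket = per_sec[(rec["client"], rec["path"], rec["second"])]
        bucket["count"] += 1
        bucket["micros"] += rec["micros"]
    findings = {}
    for (client, path, _second), b in per_sec.items():
        cpu = b["micros"] / 1e6
        if b["count"] > max_rps or cpu > max_cpu_seconds:
            worst = findings.setdefault((client, path), {"peak_rps": 0, "peak_cpu_seconds": 0.0})
            worst["peak_rps"] = max(worst["peak_rps"], b["count"])
            worst["peak_cpu_seconds"] = max(worst["peak_cpu_seconds"], cpu)
    return findings


def make_line(client, ts, path, micros, size=4096):
    """Build one constructed log line in the format LOG_RE expects."""
    return f'{client} - - [{ts}] "GET {path} HTTP/1.1" 200 {size} {micros}'


T1 = "14/Mar/2022:15:30:01 +0000"
SAMPLE_LOG = (
    # ordinary visitor: three cheap page loads within the same second
    [make_line("198.51.100.9", T1, "/index.html", 1800),
     make_line("198.51.100.9", T1, "/style.css", 900),
     make_line("198.51.100.9", T1, "/logo.png", 700)]
    # attacker 1: only 15 req/s, but against a 200 ms report download
    + [make_line("203.0.113.7", T1, "/reports/annual.pdf", 200_000, 5_000_000) for _ in range(15)]
    # attacker 2: 60 req/s against a database-backed search, varying the query string
    + [make_line("203.0.113.8", T1, f"/search?q={i}", 30_000) for i in range(60)]
)
```

The first attacker stays under a naive 20 requests per second limit and is caught only by the accumulated service time (3 seconds of server work in one wall-clock second); the second is caught by rate alone. In production the per-second buckets would be fed from a streaming log tail rather than a list.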
Figure: the ratio of different types of DDoS attacks according to the Verizon Data Breach Investigations Report (DBIR), 2016.
DDoS attacks are often timed to peak traffic periods, such as online sale days, when the large flows of personal and financial data attract attackers.
DDoS attacks on DNS
The Domain Name System (DNS) plays a fundamental role in the performance and availability of a site and, ultimately, in the success of your business. Unfortunately, DNS infrastructure is a frequent target of DDoS attacks. By taking down the DNS infrastructure, attackers can damage your site and your company's reputation and hurt its financial performance. To counter modern threats, the DNS infrastructure must be resilient and scalable.
In essence, DNS is a distributed database that, among other things, maps human-readable site names to IP addresses, which is what lets a user reach the desired site after typing a URL. The user's first interaction with a site begins with DNS queries to the servers that hold the records for your site's domain; their processing can account for up to 50% of the page load time. A drop in DNS performance can therefore drive users away from the site and cost the business money, and if your DNS servers stop responding under a DDoS attack, no one can reach the site at all.
DDoS attacks are difficult to detect, especially early on, when the traffic still looks normal. DNS infrastructure can be subject to several kinds of DDoS attack: sometimes the DNS servers are attacked directly, in other cases DNS servers are abused as reflectors to attack other parts of the IT infrastructure or its services.
In a DNS reflection attack the target is flooded with DNS responses it never asked for. Botnets of hundreds or thousands of infected computers are used: each bot generates a number of DNS queries but writes the target's IP address into the source field (spoofing), so the DNS service sends its response to the target.
This achieves a double effect. The target system is bombarded with thousands or millions of DNS responses, and the DNS server being abused may itself go down under the load. A DNS query is usually under 50 bytes, while the response can be ten times longer or more, especially when it carries many additional records.
Suppose an attacker has sent 100,000 short DNS queries of 50 bytes each (5 MB in total). If each response is 1 KB, the traffic arriving at the target is already 100 MB, twenty times what the attacker sent. Hence the name: amplification. Combining reflection with amplification can have very serious consequences.
The queries look like normal traffic, while the responses are a stream of large messages directed at the target system.
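As an added example (not part of the original article), the following Python runs the reflection check a defender would want over constructed unidirectional flow records, NetFlow style: it sums the DNS response bytes each host receives, counts the distinct resolvers those answers come from, and compares the total with the query bytes the host itself sent. The victim's records reproduce the article's case of 100,000 queries of 50 bytes answered with 1 KB responses (5 MB in, 100 MB out); addresses, ports and thresholds are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record (NetFlow/IPFIX style); constructed for the example."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    packets: int
    bytes: int


def amplification_factor(query_bytes, response_bytes):
    """Bytes delivered to the victim per byte the attacker had to send."""
    return response_bytes / query_bytes


def detect_dns_reflection(flows, min_reflectors=3, min_ratio=10.0):
    """Find hosts receiving far more DNS response traffic than they sent as queries.

    A genuine resolver client sends one query per answer, so response bytes divided
    by query bytes stays near the protocol's natural amplification and the answers
    come from the one or two resolvers it uses. A reflection victim receives answers
    from many resolvers it never asked.
    """
    resp_bytes = defaultdict(int)
    resp_pkts = defaultdict(int)
    reflectors = defaultdict(set)
    query_bytes = defaultdict(int)
    for f in flows:
        if f.proto != "udp":
            continue
        if f.sport == 53:                   # response traffic arriving at f.dst
            resp_bytes[f.dst] += f.bytes
            resp_pkts[f.dst] += f.packets
            reflectors[f.dst].add(f.src)
        if f.dport == 53:                   # query traffic sent by f.src
            query_bytes[f.src] += f.bytes
    findings = {}
    for host, rb in resp_bytes.items():
        qb = query_bytes.get(host, 0)
        ratio = rb / qb if qb else float("inf")
        if len(reflectors[host]) >= min_reflectors and ratio >= min_ratio:
            findings[host] = {
                "reflectors": len(reflectors[host]),
                "response_bytes": rb,
                "response_packets": resp_pkts[host],
                "ratio": ratio,
            }
    return findings


# Constructed records. 56.26.56.26 is the target address from the article's example;
# resolver addresses are documentation ranges standing in for open resolvers.
OPEN_RESOLVERS = ["192.0.2.%d" % i for i in range(1, 6)]
SAMPLE_FLOWS = [
    # normal client: three 50-byte queries, three 120-byte answers from its own resolver
    Flow("198.51.100.9", 50123, "198.51.100.53", 53, "udp", 3, 150),
    Flow("198.51.100.53", 53, "198.51.100.9", 50123, "udp", 3, 360),
    # unrelated TCP traffic to the victim, ignored by the DNS check
    Flow("198.51.100.9", 55000, "56.26.56.26", 443, "tcp", 10, 8_000),
    # the victim's own single legitimate query and answer, so its ratio stays finite
    Flow("56.26.56.26", 40000, "198.51.100.53", 53, "udp", 1, 50),
    Flow("198.51.100.53", 53, "56.26.56.26", 40000, "udp", 1, 120),
] + [
    # five open resolvers each deliver 20,000 answers of 1,000 bytes: 100 MB in total
    Flow(r, 53, "56.26.56.26", 33433, "udp", 20_000, 20_000_000) for r in OPEN_RESOLVERS
]
```

The distinct-reflector count is what separates a victim from a busy but legitimate resolver client, whose answers all come from the same one or two servers; the byte ratio alone would also flag a client of a resolver that returns large DNSSEC-signed answers.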