An ordinary computer user in an organization does not much care about the cause of a crawling internet connection or a complete outage; most of the time, the average employee outside the IT department only wants to know when the connection will be back to its usual speed.
By the time those users start complaining, the network admin is probably sweating profusely somewhere in the air-conditioned IT room trying to contain the situation, at least if that admin was not prepared for this kind of event.
Most network admins and engineers know how to set up their networks to mitigate and recover from this sort of threat. What I am talking about today is the DDoS (Distributed Denial of Service) attack, which has evolved over time into a sophisticated tool.
The older form, DoS (Denial of Service), used to be the low-key way for attackers to hit a network: a huge amount of traffic is originated from a single source towards a target server or network device in order to, among other things, render the target's internet connection dead slow or temporarily exhaust its bandwidth, or make the target's router or server drop packets because it is overwhelmed by the requests flooding the link.
Now we have DDoS, in which an enormous amount of traffic is originated from many different sources on the internet towards a target machine, link or server. These sources are computer systems that have been compromised, with one of them potentially acting as the DDoS master or botmaster.
These infected (vulnerable) computer systems are under the control of the master system and carry out its instruction to send or forward traffic to a chosen target, without the knowledge of their users.
Collectively these computers are called a botnet, and given their number and the packets emanating from each of them, they can overwhelm just about any network. Put another way, a botnet is a gang of Internet-connected compromised systems that can be used to send spam email, participate in DDoS attacks, or perform other illegitimate tasks.
The word botnet comes from the words robot and network. The individual compromised systems are often called zombies or bots. A machine becomes a zombie when its user is tricked into a "drive-by" download, when a web browser vulnerability is exploited, or when the user is convinced to run other malware such as a trojan horse program.
Such attacks can be aimed at financial institutions, news sites or any organization of standing, and can be large enough to max out the bandwidth of an entire country.
So the sole aim of this type of attack is to prevent legitimate users from accessing their systems or sites; in some instances it is also a smokescreen to camouflage more dangerous and sensitive activity, such as stealing very sensitive information from a server or system while the defenders are busy with the flood.
Because the traffic emanates from thousands of machines at once, these attacks are very difficult to stop simply by blocking individual sources, especially when the attackers forge (spoof) the source IP addresses of the attacking packets, which makes it nearly impossible for network defence devices to filter traffic based on IP address.
These attacks are not limited to computers and web servers: a variation can also target phones and phone systems, as was reported some time ago in Ukraine, where hackers caused a power outage at two plants and launched a telephone denial-of-service attack against customer call centres to prevent residents from reporting the outage to the companies.
So we are in an era of highly sophisticated DDoS, with constant media reports of attacks of every size, from one country against another to individual institutions being hit repeatedly.
Some common specific types of DDoS attacks are:
ICMP (Ping) Flood
Similar in principle to a UDP flood (which sprays UDP datagrams at random ports on the victim), an ICMP flood overwhelms the target resource with ICMP Echo Request (ping) packets, generally sending them as fast as possible without waiting for replies.
This type of attack can consume both outgoing and incoming bandwidth, since the victim’s servers will often attempt to respond with ICMP Echo Reply packets, resulting in a significant overall system slowdown.
Ping of Death
A ping of death ("POD") attack involves the attacker sending multiple malicious pings to a computer. The maximum packet length of an IP packet (including header) is 65,535 bytes.
However, the Data Link Layer usually poses limits to the maximum frame size - for example 1500 bytes over an Ethernet network. In this case, a large IP packet is split across multiple IP packets (known as fragments), and the recipient host reassembles the IP fragments into the complete packet.
In a Ping of Death scenario, following malicious manipulation of the fragment offsets and lengths, the recipient ends up with an IP packet which is larger than 65,535 bytes when reassembled. This can overflow the memory buffer allocated for the packet, crashing the stack or causing denial of service for legitimate packets. Modern operating systems check fragment bounds before buffering anything, so the classic Ping of Death no longer works against them, but the pattern of a malformed packet taking down a parser keeps recurring.
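To make the fragment check concrete, here is an added example (not code from the original post) showing a toy IPv4 fragment reassembler in the vulnerable form beside the hardened one. The fragment sets, addresses and the `build_fragment` helper are constructed for the example; the only real rule it encodes is the 16-bit Total Length limit from the IP header.

```python
import struct

IP_MAX_LEN = 65535                        # largest IPv4 datagram, header included (16-bit Total Length)
MIN_IP_HEADER = 20
MAX_PAYLOAD = IP_MAX_LEN - MIN_IP_HEADER  # most data a legal datagram can carry after a minimal header


def build_fragment(ident, offset_bytes, more_fragments, payload):
    """Constructed test input: a minimal IPv4 header (protocol 1 = ICMP) in front of a payload.
    Addresses are documentation ranges; the checksum stays zero because nothing here validates it."""
    assert offset_bytes % 8 == 0, "fragment offsets are in 8-byte units"
    flags_frag = (0x2000 if more_fragments else 0) | (offset_bytes // 8)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, MIN_IP_HEADER + len(payload), ident, flags_frag,
                         64, 1, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    return header + payload


def parse_fragment(raw):
    """Return (ident, offset_bytes, more_fragments, payload) from a raw IPv4 packet."""
    if len(raw) < MIN_IP_HEADER:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, ident, flags_frag, _, _, _, _, _ = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < MIN_IP_HEADER or total_len < ihl or total_len > len(raw):
        raise ValueError("malformed IPv4 header")
    return ident, (flags_frag & 0x1FFF) * 8, bool(flags_frag & 0x2000), raw[ihl:total_len]


def reassemble_unchecked(fragments):
    """Vulnerable reassembler: trusts offset + length, so a crafted final fragment
    produces a datagram longer than anything IP allows (the Ping of Death)."""
    buf = bytearray()
    for raw in fragments:
        _, off, _, payload = parse_fragment(raw)
        if off > len(buf):
            buf.extend(b"\x00" * (off - len(buf)))  # pad holes; a real stack would track them with a bitmap
        buf[off:off + len(payload)] = payload
    return bytes(buf)


def reassemble_checked(fragments):
    """Hardened reassembler: refuse any fragment whose end lies beyond the legal payload
    size before a single byte is buffered."""
    buf = bytearray()
    for raw in fragments:
        _, off, _, payload = parse_fragment(raw)
        end = off + len(payload)
        if end > MAX_PAYLOAD:
            raise ValueError(f"fragment at offset {off} ends at byte {end}, beyond the IPv4 maximum")
        if off > len(buf):
            buf.extend(b"\x00" * (off - len(buf)))
        buf[off:off + len(payload)] = payload
    return bytes(buf)


def accepts(fragments):
    """True if the checked reassembler accepts the fragment set."""
    try:
        reassemble_checked(fragments)
        return True
    except ValueError:
        return False


# Constructed fragment sets (not captured traffic).
NORMAL = [build_fragment(1, 0, True, b"A" * 16), build_fragment(1, 16, False, b"B" * 8)]
# The classic Ping of Death shape: the last fragment sits at the highest possible offset
# (8191 * 8 = 65528) and carries more than the 7 bytes that would still fit.
PING_OF_DEATH = [build_fragment(2, 0, True, b"\x08\x00" + b"\x00" * 1478),
                 build_fragment(2, 65528, False, b"X" * 100)]

if __name__ == "__main__":
    print(len(reassemble_unchecked(PING_OF_DEATH)))  # 65628, more than IP_MAX_LEN
    print(accepts(NORMAL), accepts(PING_OF_DEATH))    # True False
```

The bound is checked against the payload space (65,535 minus a minimal header) because fragment offsets count data bytes only; a C implementation that first allocates a 65,535-byte buffer and then copies at `offset + length` is exactly the overflow the original bug was.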
HTTP Flood
In HTTP flood DDoS attack the attacker exploits seemingly-legitimate HTTP GET or POST requests to attack a web server or application. HTTP floods do not use malformed packets, spoofing or reflection techniques, and require less bandwidth than other attacks to bring down the targeted site or server.
The attack is most effective when it forces the server or application to allocate the maximum resources possible in response to each single request.
TCP Connection (SYN Flood) Attack
An attack of this nature exploits a known weakness in the TCP connection sequence (the “three-way handshake”), wherein a SYN request to initiate a TCP connection with a host must be answered by a SYN-ACK response from that host, and then confirmed by an ACK response from the requester.
In a SYN flood scenario, the requester sends multiple SYN requests, but either does not respond to the host’s SYN-ACK response, or sends the SYN requests from a spoofed IP address.
Either way, the host system continues to wait for the final acknowledgement of each request, holding half-open connections in its backlog until no new connections can be accepted, which results in denial of service.
Slowloris
Slowloris is a highly targeted attack that lets a single machine take down a web server without affecting other services or ports on the target network. Slowloris does this by holding as many connections to the target web server open for as long as possible.
It accomplishes this by creating connections to the target server, but sending only a partial request. Slowloris constantly sends more HTTP headers, but never completes a request. The targeted server keeps each of these false connections open.
This eventually overflows the maximum concurrent connection pool, and leads to denial of additional connections from legitimate clients.
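Since the Slowloris trick is that each connection keeps trickling header bytes, the defence is an absolute deadline for receiving the whole request header, not an idle timeout that resets on every byte. The following is an added example, not code from the original post or from the Slowloris tool: a minimal loopback HTTP server with such a deadline, a well-behaved client, and a Slowloris-style client. The one-second timeout and 8 KB header cap are assumed values.

```python
import select
import socket
import threading
import time

HEADER_TIMEOUT = 1.0   # seconds a client gets to deliver the whole request header (assumed value)
MAX_HEADER = 8192      # bytes of header we are willing to buffer (assumed value)


def _reply(conn, status_line):
    try:
        conn.sendall(status_line + b"\r\nConnection: close\r\nContent-Length: 0\r\n\r\n")
    except OSError:
        pass                           # client already gone


def handle(conn, header_timeout=HEADER_TIMEOUT):
    """Read one request header under an absolute deadline and return the status sent.
    A per-recv idle timeout is not enough: Slowloris sends a header line every few
    seconds, which would reset it. The deadline is fixed when the connection arrives."""
    deadline = time.monotonic() + header_timeout
    buf = b""
    try:
        while b"\r\n\r\n" not in buf:
            remaining = deadline - time.monotonic()
            if remaining <= 0 or len(buf) > MAX_HEADER:
                _reply(conn, b"HTTP/1.1 408 Request Timeout")
                return 408
            conn.settimeout(remaining)
            chunk = conn.recv(1024)
            if not chunk:
                return None            # client closed before finishing
            buf += chunk
        _reply(conn, b"HTTP/1.1 200 OK")
        return 200
    except socket.timeout:
        _reply(conn, b"HTTP/1.1 408 Request Timeout")
        return 408
    finally:
        conn.close()


def start_server(header_timeout=HEADER_TIMEOUT):
    """Listen on a random loopback port, one thread per connection. Returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(64)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return                 # listening socket closed
            threading.Thread(target=handle, args=(conn, header_timeout), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def _read_status_line(sock):
    """Return the first line of whatever the server sent, or '' if it just hung up."""
    sock.settimeout(5)
    data = b""
    try:
        while b"\r\n" not in data:
            chunk = sock.recv(1024)
            if not chunk:
                break
            data += chunk
    except OSError:
        pass
    finally:
        sock.close()
    return data.split(b"\r\n", 1)[0].decode(errors="replace")


def normal_client(port):
    """A well-behaved request: complete header, blank line, done."""
    s = socket.create_connection(("127.0.0.1", port))
    s.sendall(b"GET / HTTP/1.1\r\nHost: target\r\n\r\n")
    return _read_status_line(s)


def slow_client(port, interval=0.4, max_lines=10):
    """Slowloris behaviour: a partial header, then one more bogus header line per
    interval, never the blank line that would finish the request. Stops as soon as
    the server answers or closes."""
    s = socket.create_connection(("127.0.0.1", port))
    s.sendall(b"GET / HTTP/1.1\r\nHost: target\r\n")
    for i in range(max_lines):
        readable, _, _ = select.select([s], [], [], interval)
        if readable:
            break                      # server responded (or hung up) before we finished
        try:
            s.sendall(f"X-a: {i}\r\n".encode())
        except OSError:
            break
    return _read_status_line(s)


if __name__ == "__main__":
    srv, port = start_server()
    print(normal_client(port))   # HTTP/1.1 200 OK
    print(slow_client(port))     # HTTP/1.1 408 Request Timeout
    srv.close()
```

Production servers expose the same knob under names such as Apache's `RequestReadTimeout` or nginx's `client_header_timeout`; the point to verify in your own configuration is that the timer covers the complete header, not the gap between bytes.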
All of these specific types fall into three categories when it comes to defending against them: volume-based attacks, protocol attacks and application-layer attacks.
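The three categories show up as three different signals in traffic. As an added example (not code from the original post), here is a small classifier run over a constructed packet trace: packets per second per destination for the volumetric case, SYNs that never see an ACK for the protocol case, and requests per source in a sliding window for the application case. The trace, addresses and thresholds are all made up for the example.

```python
from collections import Counter, defaultdict

# Constructed sample trace, not captured traffic: (second, proto, src, dst, detail).
# detail is an ICMP type, a TCP flag letter, or an HTTP request line.
TRACE = []
for i in range(40):                        # ICMP flood: 40 spoofed sources ping one host in one second
    TRACE.append((0, "icmp", f"203.0.113.{i + 1}", "198.51.100.10", "echo-request"))
for i in range(30):                        # SYN flood: 30 spoofed SYNs, none completes the handshake
    TRACE.append((1, "tcp", f"192.0.2.{i + 1}", "198.51.100.20:80", "S"))
TRACE += [(1, "tcp", "198.51.100.99", "198.51.100.20:80", "S"),      # one legitimate handshake
          (1, "tcp", "198.51.100.99", "198.51.100.20:80", "A")]
for i in range(50):                        # HTTP flood: one bot, 50 expensive GETs in two seconds
    TRACE.append((2 + i % 2, "http", "203.0.113.200", "198.51.100.20:80", "GET /search?q=x"))
TRACE.append((2, "http", "198.51.100.99", "198.51.100.20:80", "GET /index.html"))  # a normal browser


def volumetric_indicators(trace, pps_threshold=35):
    """Volume-based: packets per second aimed at one destination, whatever the protocol.
    Returns {(dst, second): (packets, distinct_sources)} for every second over the threshold."""
    per_sec = Counter()
    sources = defaultdict(set)
    for sec, _, src, dst, _ in trace:
        per_sec[(dst, sec)] += 1
        sources[(dst, sec)].add(src)
    return {key: (n, len(sources[key])) for key, n in per_sec.items() if n >= pps_threshold}


def protocol_indicators(trace, half_open_threshold=20):
    """Protocol: sources that sent a SYN to a destination but never the final ACK.
    Returns {dst: half_open_count} where the count is over the threshold."""
    syn_from, ack_from = defaultdict(set), defaultdict(set)
    for _, proto, src, dst, flags in trace:
        if proto != "tcp":
            continue
        (syn_from if flags == "S" else ack_from)[dst].add(src)
    result = {}
    for dst, syns in syn_from.items():
        half_open = len(syns - ack_from[dst])
        if half_open >= half_open_threshold:
            result[dst] = half_open
    return result


def application_indicators(trace, window=2, request_threshold=40):
    """Application-layer: most HTTP requests any single source made inside a window of
    `window` seconds. Returns {src: peak_requests} for sources over the threshold."""
    per_src = defaultdict(list)
    for sec, proto, src, _, _ in trace:
        if proto == "http":
            per_src[src].append(sec)
    result = {}
    for src, secs in per_src.items():
        secs.sort()
        lo, peak = 0, 0
        for hi, t in enumerate(secs):
            while t - secs[lo] >= window:      # slide the window start forward
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= request_threshold:
            result[src] = peak
    return result


def classify(trace):
    """Run all three detectors and return their findings by category."""
    return {"volumetric": volumetric_indicators(trace),
            "protocol": protocol_indicators(trace),
            "application": application_indicators(trace)}


if __name__ == "__main__":
    for category, findings in classify(TRACE).items():
        print(category, findings)
```

The thresholds are the weak point of any such detector and have to come from a baseline of your own traffic; the shape of the signals is what matters here. Note that the SYN flood also trips the volumetric counter if the packet rate is high enough, which is why the two categories are not mutually exclusive.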
To be properly prepared to defend the network infrastructure from DDoS attacks, it is extremely important to know as soon as possible that there is anomalous behavior, malicious or otherwise, occurring in the network.
Having a pre-emptive awareness of malicious or nefarious behaviors and other incidents in the network will go a long way toward minimizing any downtime that impacts the network's data, resources, and end users.
The challenge in preventing DDoS attacks lies in the nature of the traffic and the nature of the "attack" because most often the traffic is legitimate as defined by protocol.
Therefore, there is not a straightforward approach or method to filter or block the offending traffic. Furthermore, the difference between volumetric and application-level attack traffic must also be understood.
Volumetric attacks use a large attack footprint that seeks to overwhelm the target. This traffic can be application specific, but it is most often simply random traffic sent at high intensity to over-utilize the target's available resources. Volumetric attacks generally use botnets to amplify the attack footprint. Additional examples of volumetric attacks are DNS amplification attacks and, at high enough packet rates, SYN floods.
Application-level attacks exploit specific applications or services on the targeted system. They typically bombard a protocol and port a specific service uses to render the service useless. Most often, these attacks target common services and ports, such as HTTP (TCP port 80) or DNS (TCP/UDP port 53).
Let's look at a few Cisco-recommended ways of mitigating these attacks. There is no single method that stops DDoS; defence is a combination of many strategies.
Geographical Dispersion (Global Resources Anycast)
A newer solution for mitigating DDoS attacks dilutes attack effects by distributing the footprint of DDoS attacks so that the target(s) are not individually saturated by the volume of attack traffic. This solution uses a routing concept known as Anycast.
Anycast is a routing methodology that allows traffic from a source to be routed to various nodes (representing the same destination address) via the nearest hop/node in a group of potential transit points. This solution effectively provides "geographic dispersion."
Route Filtering Techniques
Remotely triggered black hole (RTBH) filtering can drop undesirable traffic before it enters a protected network. Network black holes are places where traffic is forwarded and dropped, typically a static route to the Null0 interface. When an attack has been detected, black holing can be used to drop all attack traffic at the network edge based on either destination or source IP address. The caveat with destination-based RTBH is that it completes the attacker's job for the victim address (all traffic to it is dropped, legitimate or not); it buys time for the rest of the network. Source-based RTBH avoids that but depends on uRPF loose mode being enabled, as described next.
Unicast Reverse Path Forwarding
Network administrators can use Unicast Reverse Path Forwarding (uRPF) to help limit malicious traffic flows on a network, as is often the case with DDoS attacks. This security feature works by enabling a router to verify the "reachability" of the source address in the packets it forwards.
This capability limits the appearance of spoofed addresses on a network. If the source IP address is not valid, the packet is discarded. In strict mode the best route back to the source must point out the interface the packet arrived on, which guards against spoofing but breaks where routing is asymmetric; in loose mode any route to the source is enough, except a route to Null0, which is exactly how source-based RTBH gets its packets dropped. Either way, uRPF ensures that the source IP address of every forwarded packet is consistent with the routing table.
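RTBH and uRPF both hinge on the same routing-table lookup, so here is one added example (not code from the original post or from Cisco) covering the two previous sections: a toy edge router with a constructed routing table, a Null0 route standing in for an RTBH trigger, and a uRPF check in strict and loose mode. The prefixes, interface names and the `allow_default` behaviour are assumptions modelled on how IOS treats a default route under uRPF.

```python
import ipaddress

# Constructed routing table for an edge router: (prefix, next hop, egress interface).
# The Null0 route is what a destination- or source-based RTBH trigger would install
# during an attack; all addresses and interface names are assumptions for the example.
ROUTES = [
    ("0.0.0.0/0",       "upstream",  "Gi0/0"),   # default route towards the ISP
    ("198.51.100.0/24", "connected", "Gi0/1"),   # customer LAN A
    ("192.0.2.0/24",    "connected", "Gi0/2"),   # customer LAN B
    ("203.0.113.0/24",  "Null0",     "Null0"),   # black-holed prefix
]


def lookup(table, addr):
    """Longest-prefix match. Returns (network, next_hop, interface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, next_hop, iface in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return best


def urpf_passes(table, src, ingress, mode="strict", allow_default=False):
    """Unicast RPF applied to the *source* address of an arriving packet.
    strict: the best route back to src must leave via the ingress interface.
    loose:  any route to src is enough.
    Both modes ignore a default route unless allow_default is set, and both fail
    when the route points to Null0 (this is how source-based RTBH drops packets)."""
    route = lookup(table, src)
    if route is None:
        return False
    net, _, iface = route
    if net.prefixlen == 0 and not allow_default:
        return False
    if iface == "Null0":
        return False
    return iface == ingress if mode == "strict" else True


def rtbh_drops(table, dst):
    """Destination-based RTBH: the forwarding lookup itself lands on Null0."""
    route = lookup(table, dst)
    return route is not None and route[2] == "Null0"


def forward(table, src, dst, ingress, urpf_mode="strict", allow_default=False):
    """What the router does with one packet: 'drop:urpf', 'drop:rtbh' or 'forward:<iface>'."""
    if not urpf_passes(table, src, ingress, urpf_mode, allow_default):
        return "drop:urpf"
    if rtbh_drops(table, dst):
        return "drop:rtbh"
    route = lookup(table, dst)
    return f"forward:{route[2]}" if route else "drop:no-route"


if __name__ == "__main__":
    # Customer A sends to the internet with its own address: forwarded upstream.
    print(forward(ROUTES, "198.51.100.5", "198.18.0.1", "Gi0/1"))                      # forward:Gi0/0
    # Customer A spoofs a private source: only the default route matches, strict drops it.
    print(forward(ROUTES, "10.0.0.1", "198.18.0.1", "Gi0/1"))                          # drop:urpf
    # Customer A spoofs customer B's address: strict drops, loose would let it through.
    print(forward(ROUTES, "192.0.2.7", "198.18.0.1", "Gi0/1"))                         # drop:urpf
    print(forward(ROUTES, "192.0.2.7", "198.18.0.1", "Gi0/1", urpf_mode="loose"))      # forward:Gi0/0
    # Source-based RTBH: a black-holed source arriving from upstream fails loose uRPF.
    print(forward(ROUTES, "203.0.113.9", "198.51.100.5", "Gi0/0", urpf_mode="loose"))  # drop:urpf
    # Destination-based RTBH: traffic to the black-holed prefix is discarded.
    print(forward(ROUTES, "198.18.0.1", "203.0.113.9", "Gi0/0",
                  urpf_mode="loose", allow_default=True))                              # drop:rtbh
```

The spoof-of-customer-B case is the one to keep in mind: loose mode only catches addresses that are unrouted or black-holed, so at a customer edge strict mode is the setting that actually stops spoofing, while loose mode is what makes source-based RTBH work on the upstream side.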
Reputation-Based blocking
Reputation-based blocking has become an essential component of today's web filtering arsenal. A common trait of malware, botnet activity and other web-based threats is that they rely on a URL the user must visit for the compromise to occur, and spam, viruses and phishing attacks most often direct users to that malicious URL. Keeping users off those URLs is what stops their machines from joining a botnet in the first place.
Reputation-based technology analyses URLs and establishes a reputation for each one. It has two aspects: the intelligence aspect couples worldwide threat telemetry, intelligence engineers and analytics/modelling, and the decision aspect focuses on the trustworthiness of a URL. Reputation-based blocking limits the impact of untrustworthy URLs.
There are many other techniques; you can read more at:
Incapsula
CISCO