DDoS- The Weapon of Mass Destruction - SecureReading...key business activity or season brings can be...

DDoS- The Weapon of Mass Destruction

Contents

1. Scope

2. Introduction

3. Why somebody DDoS you?

4. What are the types of DDoS attacks?

4. How to Secure from DDoS attacks and its impacts?

8. Conclusion

1. Scope

This whitepaper analyzes DDoS (Distributed Denial of Service) attacks, their scope, types, and the impact they have on organizational capabilities. It also explores best practices to protect networks and services from DDoS attacks through proactive and reactive measures.

2. Introduction

A DoS (Denial of Service) attack means denial of service by interrupting certain services, functionalities, and traffic through various technical methods. This type of attack prevents or impairs authorized use by making the business service unavailable for legitimate users. Here the origin of the attack is mostly one or a few sources, and the attack size may be minimal, but the impact is significant.

However, DoS took a different turn and form during the last few years, where the source of an attack became extremely distributed, acting in a very coordinated manner with a common goal in the target. The DDoS (Distributed Denial of Service) attack uses a huge number of source computers, which are malware-infected and under the control of the attack originator or the force that executes the attack. The recently executed DDoS attack of the size of 1 Tbps was carried out with malware-infected smart devices; that might have included CCTV cameras, recorders, thermostats, routers and cars.

In most cases, a DoS (Denial of Service) attack uses one computer and one Internet connection (or a few), and a DDoS uses multiple computers (devices) and Internet connections that are spread across the cyber world, without any geographic limitation.

3. Why someone DDoS you?

Any organization in the world can be under a DDoS attack, irrespective of its size, nature, geographical location, and sector. The easiness of triggering an attack and the increased realization of the potential gains for the attackers added to the alarming rise in the execution of the attacks in the recent past. Big organizations were at the receiving end in the past, even though they have reasonable maturity in their cyber security measures. Those attacks interrupted services for hours and days. The identity or origin of the attacker, or the force behind them, is still unknown.

More cases of DDoS attacks did not come into the public spectrum due to the obvious aspects of defamation and reputational challenges. In some of these cases, attacks might have subsided after paying a ransom!

So, why would someone attack you? Why not target your competitor? Why not your neighbor?

➢ Blackmail: By bringing down or impacting the service for a few minutes to hours, someone wants to prove that you are at their mercy. With that impact on your business or services, they expect that you are ready to do whatever they want out of this exercise. It is a force on you to get something done by somebody else, which in most cases is to get financial gains. Alternatively, in some cases, the objective could be some other intention of the blackmailers, which you have the capability to get done.

➢ Ideological or hate attacks: A difference of ideas between you and someone else who holds entirely different thoughts, which were openly or indirectly confronted earlier or have the potential to go against each other later. Attackers do not like your ideology, belief or thoughts, and the easiest mode of operation for them to work from the dark is a DDoS attack, through which they want to make you silent, or they want to prove that they have the upper hand.

➢ Competition: A competitor who thought of bringing you down during a key business activity or season can be another source of a DDoS attack. Your failure can be a business advantage for your competitor; that could be the motive behind this kind of attack.

➢ Politics: In some cases governmental or private institutions can be under DDoS attack as part of a political revenge or agenda. State actors may be openly or anonymously behind those attacks. In certain cases, it may be an organizational or individual political vendetta, but in many cases, the DDoS could be an arsenal in the armory of a declared/non-declared cyber war between nations. Terrorist or extremist organizations also could be behind these, or sometimes hacktivists, who run the war against certain nations!

➢ Electronic Protests: A recent action or decision by your organization, state or community that is not liked or agreed with by someone else might have triggered a DDoS attack.

➢ Disgruntled employee/individual: Considering the easiness and anonymity of a DDoS attack, a disgruntled (past/present) employee may trigger a DDoS attack to release their anger against the firm.

➢ Smokescreen: In many cases, what has been noticed by security experts is that the DDoS attack creates an environment where everyone is focused on the services and their recovery, while a more damaging act is going on in the background by the perpetrators. It could be data exfiltration, lateral movement, permanent damage to the data and services, and hidden presence.

➢ Probing: Attackers try to test their capabilities initially with a sample attack, until they are fully ready for more powerful and continuous attacks on organizations. Also, they may want to know how good your incident response capability is, and what procedures you follow after an incident. Expense management of the testing is also better done this way, where the attacker assesses the Return on Investment (ROI) of the attack.

➢ Experiment & Prestige: These are attacks without any specific reason, but rather an application of what somebody learned (on how to execute a DDoS) or a way to show their skills in cyber attacks or cyber security. In certain cases, groups of attackers challenge each other, for which they point their attention to a certain specific target.

➢ Internal Issue/Action: A marketing campaign that was not planned or communicated in advance, or a system bug which triggers huge traffic, also could create a DDoS. These may be unintentional, but the result is service disruption and potential financial/reputational loss. In certain cases, this could be due to a lot of media coverage or an offer from your company and a huge increase in the traffic to your website, which could bring down your service, considering the unexpected/unplanned capacity issues.

➢ Mistaken: In very rare cases, you could be a mistaken identity, where the attacker thought you were part of a targeted set of institutions in their scheme of things, but it might not be the case. Company name, nature, executive names and the geographical location could be the criteria that might have included you on the targeted list of victims for the hackers.

As recently discovered, a DDoS attack can be initiated by almost anyone at a very cheap rate of 50$ for 30 minutes (it may have gone even cheaper now). There are plenty of tools, resources and websites (especially in the Dark Web) which can utilize their botnets with a limited skillset. Determination, objectives/goals, intentions, and a few dollars in hand, with a disgruntled mind, could trigger the next DDoS attack against you.

4. Types of DDoS attacks

DDoS attacks are of a wide variety, based on the attack vector and the intensity with which they are planned and executed.

1. Volumetric Attacks

Overwhelming of the network bandwidth with a UDP (User Datagram Protocol)/ICMP traffic flood constitutes a volumetric attack. Here any countermeasures at the victim's network or systems are of not much value, considering the flooding of the network pipe (bandwidth) between the target and the ISP with unwanted attack traffic. Hence the legitimate users are not able to reach the destination. The resource of the victim is unavailable for the business or needed users, and hence the service interruption happens, without the victim having much control at their end. The volumetric attack is one of the most common DDoS attacks these days, as many organizations are underprepared for this, which makes it easier for the attacker to execute with more potential targets at their will. One of the recent volumetric attacks was of 1 Tbps size and was initiated using infected botnets consisting of smart devices, including video recorders, routers, and CCTV cameras.

The most common volumetric attack type is an amplification attack, which obviously generates higher volume through amplification of the traffic.

2. Amplification Attacks

A volume-based reflection Denial of Service (DoS) attack, where vulnerable systems on the Internet are used as the launching pad. In an amplification attack, requests are sent to these open servers or devices for service with the victim's IP address spoofed as the source address. Hence, the target of attack is the spoofed IP of the victim, to which the vulnerable servers respond with much larger packets that end in a Denial of Service (DoS) impact to the victim. Since unwanted response traffic to the victim may come from anywhere in the world, as nothing more than a non-intrusive, affirmative response that is part of the normal Internet networking process, the victim would most probably fall to this kind of attack if adequate proactive measures are not in place.

Amplification attacks are a reality, since a high number of misconfigured services, servers and desktops exist in the cyber world, and most network administrators are still unaware of or ignorant of the basic security measures, which include filtering of outgoing traffic. The most popular protocol in use for amplification attacks is DNS (Domain Name Service), but other protocols like NTP (Network Time Protocol) and SNMP (Simple Network Management Protocol) also provide amplification features and have come into use recently. UDP is a connectionless protocol and is quite easily forged by attackers, as by default it does not validate the source IP address.
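One victim-side check for the reflection traffic described above, added here as an example and not part of the original whitepaper: it totals the bytes of UDP responses arriving from DNS, NTP and SNMP ports that no local host asked for. The packet record fields, the 5-second request window and the sample addresses (documentation ranges) are assumptions, and the monitored hosts are assumed not to be public servers for these services themselves.

```python
from collections import defaultdict

# UDP services the whitepaper names as amplification vectors.
REFLECTION_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP"}
REQUEST_TTL = 5.0  # seconds a request counts as outstanding (assumed value)


def pkt(ts, src, sport, dst, dport, size):
    """Build one UDP packet record (hypothetical capture format)."""
    return {"ts": ts, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "size": size}


def unsolicited_responses(packets, local_ips):
    """Return {(local_ip, protocol): bytes} for responses nobody requested.

    A response is solicited only if the same local host and port sent a
    request to that server and service port within REQUEST_TTL seconds.
    """
    outstanding = {}            # (local, lport, server, service port) -> ts
    totals = defaultdict(int)
    for p in sorted(packets, key=lambda p: p["ts"]):
        if p["src"] in local_ips and p["dport"] in REFLECTION_PORTS:
            outstanding[(p["src"], p["sport"], p["dst"], p["dport"])] = p["ts"]
        elif p["dst"] in local_ips and p["sport"] in REFLECTION_PORTS:
            sent = outstanding.get((p["dst"], p["dport"], p["src"], p["sport"]))
            if sent is None or p["ts"] - sent > REQUEST_TTL:
                totals[(p["dst"], REFLECTION_PORTS[p["sport"]])] += p["size"]
    return dict(totals)


def flag(totals, threshold_bytes):
    """List the (host, protocol) pairs whose unsolicited volume needs attention."""
    return sorted(k for k, v in totals.items() if v >= threshold_bytes)


# Constructed sample traffic; addresses are from the documentation ranges.
LOCAL = {"192.0.2.10"}
SAMPLE_PACKETS = [
    pkt(0.00, "192.0.2.10", 40000, "198.51.100.53", 53, 60),    # real query
    pkt(0.02, "198.51.100.53", 53, "192.0.2.10", 40000, 120),   # its answer
    pkt(1.00, "203.0.113.5", 53, "192.0.2.10", 33333, 3000),    # never asked for
    pkt(1.10, "203.0.113.6", 53, "192.0.2.10", 33334, 3000),    # never asked for
    pkt(1.20, "203.0.113.7", 123, "192.0.2.10", 5000, 440),     # never asked for
    pkt(9.00, "198.51.100.53", 53, "192.0.2.10", 40000, 120),   # request expired
]

if __name__ == "__main__":
    totals = unsolicited_responses(SAMPLE_PACKETS, LOCAL)
    print(totals)
    print(flag(totals, 1000))
```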

3. Traffic Attacks

Abuse of system resources by attackers can create a DoS, and sometimes it could be a DDoS attack. It consists of a scenario where the attack consumes actual server, network and other intermediate communication equipment resources. Attacks targeting firewalls, load balancers, and proxies could fall under this category. It could be executed in various ways through protocol abuse like a SYN flood attack, or by sending a malformed packet as in the case of Ping of Death attacks. Also, sending only parts of TCP packets (fragmented attack), which disturbs the capability of the victim to reassemble the traffic stream, is another type of traffic DDoS attack.

4. Application Attacks

These attacks target application vulnerabilities. The objective is to bring down the service or make the service unusable by exhausting the available resources through an unsuspected type of traffic, and not through huge sizes. It falls under DoS, and when the attack origin or behavior is extremely distributed, it falls in the DDoS category.

Current attack spectrum

Attack sizes are increasing every year, the latest being 1 Tbps, against one of the hosting providers in France (OVH). Usage of smart devices and IoT (Internet of Things) poses a huge challenge in the future.

There was an 83% increase in DDoS attacks in the 2nd quarter of 2016 compared to the first quarter. DNS is gaining momentum as the protocol of attack, although NTP still leads the pack, with 47% of all attacks having used it as the attack vector. In the one-year period from April 2015 to March 2016, Imperva Incapsula reports that it blocked an average of 445 DDoS attacks targeting its customers per week.

Researchers state that reflection attacks are on the rise and DNS vulnerabilities are one of the major arsenals in the armory of attackers. These kinds of attacks have contributed to an increase in the number of larger DDoS attacks in the first half of 2016. There were 274 attacks sized over 100 Gbps in the first half compared to just 223 in all of 2015. 46 attacks were sized over 200 Gbps in the first half compared to 16 in all of 2015. The average DDoS attack size also increased by 30% in H1 2016 compared to 2015. The prediction by the industry is that the average attack size will hit 1.15 Gbps by the end of the year 2016. It warns that a 1 Gbps DDoS is enough to knock most organization networks offline completely.

Kaspersky Lab reports that DDoS attacks are increasingly originating from Linux boxes in the year 2016. 70% of all DDoS attacks detected were launched from Linux-based botnets. Linux botnets have the inherent capability to create even around 150 Gbps of traffic that can cripple most networks. One of the malware behind these botnets is XOR, which gets installed on routers and network attached storage (NAS) devices. XOR was detected in 2014 and is executed using brute-force attacks, by guessing SSH login credentials. In the past, Windows was more vulnerable, and the origin and target for most attacks. In recent times it has been replaced by Linux, due to the adoption of the OS in more organizations and areas, which opened up more vulnerabilities and exposures.

As per Kaspersky Lab reports 2016, attacks on Chinese, Brazilian, Italian and Israeli servers are on the rise. More Command & Control (C&C) sites are hosted in these countries too. DDoS attacks were noticed in more than 70 countries and are on the rise, where 77% of those are in China as per this report ("Botnet DDoS Attacks in Q2: Report by Kaspersky", 28 Oct. 2016, http://www.itvarnews.com/2016/08/02/botnet-ddos-attacks-in-q2-report-by-kaspersky & http://usa.kaspersky.com/about-us/press-center/press-releases/2016/Botnet-DDoS-Attacks-in-Q2-Linux-Botnets-on-the-Rise-Length-of-Attacks-Increase). South Korea is still a leader in C&C hosting, but Germany and Canada dropped out of the top 10 targeted countries. The duration of DDoS attacks has increased nowadays, as per the Kaspersky report. The proportion of attacks that lasted up to four hours fell from 68 percent in Q1 to 60 percent in Q2. The percentage of longer attacks grew substantially – those lasting 20-49 hours increased to 9 percent from 4 percent. Attacks that last 50-99 hours accounted for four percent (one percent in Q1). The longest DDoS attack in Q2 2016 lasted 291 hours (12 days), up from 9 days in Q1.

DDoS attacks continued to rise gradually in the second quarter of this year. SYN DDoS, TCP DDoS, and HTTP DDoS continued as the most common attack scenarios; the percentage of attacks through the SYN DDoS method increased 1.4 times to 76 percent compared to the previous year. A doubling of attacks through Linux bots accounted for this rise, since these Linux machines are the most efficient tool for SYN-DDoS. This report is the first analysis from Kaspersky where DDoS Intelligence recorded such a disparity between Linux- and Windows-based DDoS bots. Also, more than 90% of the DDoS attacks are concentrated in 10 countries.

A large majority of DDoS attacks were relatively short in duration in 2016. In the first quarter, over 93% of strikes lasted under one hour. There was a trend change in that from 2015, as Q2 2015 observed only 65% of the attacks lasting less than 1 hour, and the remainder were of higher duration.

The largest attack detected in the second quarter of 2016 peaked at 256 Gbps, as per VeriSign. In 2016, the average attack size was more than 17 Gbps, which is an increase of 214 percent over Q2 2015. 32% of attacks peaked over 10 Gbps, and 75% of attacks went over 1 Gbps.

Before the 1 Tbps attack using IoT devices, the largest and fastest DDoS attack detected was of 256 Gbps and lasted for about 15 minutes. This attack continued for another 2 hours at a rate of 200 Gbps.

45% of DDoS attacks targeted the IT services industry, followed by the financial sector (23%) and public sector (14%).

Most attacks continued no more than four hours, 8.6 percent lasted 20-49 hours, and 4 percent lasted 50-99 hours. The lengthiest DDoS attack in Q2 2016 took 291 hours, a significant surge over the previous quarter's maximum of 8.3 da

5. How to Secure from DDoS attacks and its impacts?

So, if your website disappears from the Internet on one beautiful day and no orders are coming through on one of the busiest days of the year, or your clients start to complain that your website or online portal is slow or not reachable, you might have fallen victim to a DDoS attack. You are not alone, as this is the most devastating threat that is looming over the cyber world, especially for organizations that have a huge dependency on their online presence and availability. Financial institutions, governments, gaming companies; the list goes on.

So how can we stop a DDoS attack?

1. Identify a DDoS Attack as Early as Possible

It is critical to know that you are under attack as early as possible, because the sooner you establish that your website, portal or systems are under a DDoS attack, the sooner you can start to work on the mitigation measures. To do this, we need to be familiar with what is legitimate/normal traffic, so that we can detect when the incoming traffic profile changes. Most attacks start as a sharp spike in traffic, and it is helpful to be able to tell the difference between a sudden surge of legitimate visitors and the opening of a DDoS attack.
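A sketch of that distinction, added here as an illustration and not taken from the whitepaper: it keeps a rolling baseline of per-minute SYN counts, flags a sharp spike, and uses the share of handshakes that complete to separate a visitor surge from a SYN-style flood. The `Interval` counters, the thresholds and the sample values are assumptions made for the example, and the handshake ratio is only one signal, suited to the SYN floods the paper reports as most common.

```python
from collections import deque
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Interval:
    syn: int          # TCP SYNs received during the interval
    established: int  # handshakes that completed during the interval


def classify(baseline, current, z_threshold=4.0, ratio_drop=0.5):
    """Label one interval against a baseline of recent normal intervals."""
    rates = [i.syn for i in baseline]
    mu = mean(rates)
    sigma = max(pstdev(rates), 1.0)   # floor avoids dividing by zero on flat traffic
    if (current.syn - mu) / sigma < z_threshold:
        return "normal"
    # Spike: compare how many handshakes complete now with the normal share.
    normal_ratio = sum(i.established for i in baseline) / max(sum(rates), 1)
    ratio = current.established / max(current.syn, 1)
    if ratio >= normal_ratio * ratio_drop:
        return "surge"            # more visitors, still behaving like visitors
    return "suspected-ddos"       # many SYNs, few completed handshakes


def monitor(intervals, window=6):
    """Classify a stream; only normal intervals are folded into the baseline."""
    baseline = deque(maxlen=window)
    labels = []
    for cur in intervals:
        if len(baseline) < window:
            baseline.append(cur)  # warm-up period, assumed to be clean traffic
            labels.append("learning")
            continue
        label = classify(baseline, cur)
        labels.append(label)
        if label == "normal":     # keep spikes out so they cannot shift the baseline
            baseline.append(cur)
    return labels


# Constructed per-minute counters, not real measurements.
SAMPLE = [
    Interval(1000, 960), Interval(1040, 1000), Interval(980, 945),
    Interval(1010, 970), Interval(1025, 990), Interval(995, 955),
    Interval(1030, 985),     # ordinary minute
    Interval(4200, 3990),    # campaign launch: spike, handshakes still complete
    Interval(52000, 1100),   # flood: spike, almost nothing completes
    Interval(1015, 975),     # back to normal
]

if __name__ == "__main__":
    for minute, label in enumerate(monitor(SAMPLE)):
        print(minute, label)
```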

2. Overprovision Bandwidth

To anticipate and accommodate a sudden spike in the traffic due to a business change, a marketing campaign or other genuine traffic, make sure that your network bandwidth is overprovisioned, meaning it must be higher than what is required presently. However, even if you overprovision your bandwidth by 500%, that likely won't stop a real DDoS attack. It may, however, give you a few extra minutes to act before your resources are overwhelmed.

3. Defend at Network Perimeter

Some technical measures can be taken to handle attacks of at least a certain nature; at least for the initial few minutes, these could help to withstand them. Also, the exceptions or attacks that can pass through are limited.

✓ Rate limit your router to stop your web server being overwhelmed
✓ Add filters to tell your router to drop packets from noticeable sources of attack
✓ Time out half-open connections more aggressively
✓ Drop spoofed or malformed packets
✓ Lower the SYN, ICMP, and UDP flood threshold values to more proactively prevent attacks on these.

These measures have been effective for handling DoS attacks in the past, and to some degree DDoS too. However, DDoS attacks have now become too broad and complex, and the above measures may not have any significant impact over a period of larger attacks.

4. Fine tuning of the server's OS, application and network device configurations

5. Configure load balancers, firewalls and Web Application Firewalls, which can mitigate many of the DoS and some DDoS attacks.

6. Avail DDoS protection service from your hosting provider, ISP or third party.

Volumetric DDoS attacks can be prevented or mitigated only by someone at the other end of the bandwidth tunnel, who can act before the traffic enters your network link. Most of the ISPs and DDoS protection service providers have their scrubbing centers, which can detect abnormal traffic to their clients, and either block or filter out the attack traffic. Customers who are under attack may see momentary disruptions of legitimate traffic. The traffic is forwarded to the scrubbing center only after an anomaly is detected in the traffic. If the DDoS protection service is not configured appropriately, false positives can deny legitimate traffic in some cases. In cases of attacks that target the Internet link and hosting clients who do not have a DDoS protection service, the ISP or hosting provider may have to null route the traffic to the particular customer. Here, all the traffic to the customer under attack is blocked at the backbone itself. Null routing ensures that other clients and the provider's network do not break down for longer durations due to a lack of adequate security measures at any other entity.

Most of the DDoS protection service providers have large-scale infrastructure and use a variety of technologies, including data scrubbing, to help keep their clients' websites or online presence free of any impact from an attack. These providers can then send clean traffic to their customers and can withstand attacks of the size of many Gbps. It may add a little bit of latency on the traffic, but still, it is better than the site being fully down.

Some of those providers are

✓ Akamai
✓ Cloudflare
✓ Arbor Networks
✓ Black Lotus
✓ Incapsula
✓ Neustar
✓ Nexusguard
✓ Prolexic
✓ VeriSign
✓ Staminus
✓ rOOt-Services
✓ F5 Networks
✓ DOSarrest

The latest technological advancement and innovation have helped DDoS protection services come up with new mechanisms that are more efficient in handling attacks of even bigger scale.

BGP FlowSpec is an RFC that allows ISPs or DDoS service providers to further enhance protection of their own and their clients' networks. This additional protection is achieved by automating the process for SOC engineers to block attacks (by invoking ACLs) at the boundaries of their network, at their peering connections, allowing them to prevent attacks before they reach their global scrubbing centers.

7. Incident Response Plan

Make sure to plan and document every action to be taken in case of a DDoS attack, by analyzing all the scenarios and possible controls. Keep readily available all relevant documentation, which includes all contact names and telephone numbers that are relevant to cyber security. DDoS mitigation companies can help in analyzing the incident management capability by running a simulated DDoS attack, enabling us to design, develop and refine a rapid corporate procedure for reacting to a real attack.

Crisis communication, which includes interacting with customers and other stakeholders, is an important part of the DDoS incident response plan. In some cases, the DDoS attack could go up to 24 hours, and a good incident response plan can minimize the damage it creates to your business.

6. Conclusion

DDoS is one of the most common, easy and anonymous models of attack, and it is getting more and more takers these days. Considering the enormous number of infected botnets across the world, and that smart devices and IoT are joining the vulnerable bots in the cyber spectrum, the threats associated with DDoS are going to be ever increasing. Since the attackers may vary from script kiddies to a state actor, and the cost-effectiveness of the attack options gives ample opportunities for the attackers to utilize this mode of cyber exploitation, DDoS is a highly dangerous phenomenon for businesses and individuals across the world. Critical governmental services, public utilities, and an individual's medical equipment could be brought down to their knees; a DDoS attack can create havoc in society. Multiple levels of defense and a proper business continuity plan, with well thought out and trained incident management plans, are the key factors in preventing or mitigating and containing a DDoS attack.