Senior Threat Researcher
François Paget is a senior threat research engineer and one of the founding members of McAfee Labs, where he conducts a ...
Distributed-denial-of-service (DDoS) attacks can be conducted in various ways (by SYN flood, UDP flood, Teardrop Attack, Ping of Death, Smurfing, Mail Bombing, etc.).Â DDoS attacks can exploit vulnerabilities in software running on the victim’s machine or via sending a higher volume of traffic than the victim’s system can handle. The attacks can target resources (such as the network layer, network link, or end-host systems) or routes to resources. They frequently involve botnets and are used to extort ransoms from websites in the online gambling business. Some recent examples included Sportingbet Australia and Sports Alive. The latter was down for almost an entire day in August.
These days you can find many reports and papers on DDoS attacks. Most of these articles explain how attacks occur, but a few discuss how Internet service providers can protect their customers from this threat. And that’s why I wrote this two-part post.
The following image shows how a typical DDoS attack takes place:
In return for payment or to suit themselves, botmasters start DDoS attacks by relaying instructions via their command-and-control servers to their bots, which simultaneously send fake traffic to the victim to disrupt service. Trying to process packets or requests, the system consumes all of its available resources, crashes, or becomes unresponsive.
The first method ISPs can use to mitigate attacks is redirection or black-hole routing:
When implemented, all traffic going to the victim’s address is forwarded to a “discard pile.” Any router configured this way will eliminate all traffic–the good and the bad–sent to the victim. If an ecommerce website works almost exclusively with national consumers, a black-hole mechanism implemented at the international perimeter can be a good temporary solution to release bandwidth and to allow resources to regular users. But the botnet is not really impacted, and bots within the national perimeter are still active. In this example, however, we anticipate this remaining DDoS efforts will not greatly impact the victim.
A more effective solution is filtering:
With packet filtering, we can distinguish the bad packets from the good packets. Only the good packets will be transmitted to the recipient. However, traditional packet filtering can be inadequate to mitigate some botnets that dynamically or rapidly modify their configuration. Flooding attacks using legitimate services can often succeed. IP protocol and forwarding mechanisms also make it difficult for an ISP to identify the real origin of a packet. Futhermore, DDoS attackers can use spoofed IP addresses. To make up for this gap, we have a third technique: traceback.
With IP traceback mechanisms, we can find the true source of the attacks. We can determine the origin (or nearby) of the attack and block it at a point nearest to its source.
Rate limiting is another effective technique. It imposes a rate limit on high-bandwidth incoming traffic for streams that are characterized as malicious:
Traffic, whether good or bad, might be subjected to rate limiting. The probability of false positives is also high. In Part 2, we shall look at some other solutions, as well as references for reports and a university thesis that helped me in this discussion.