Following our article summarizing what CerberHost protects your website against, we focus today on (D)DoS attacks (Distributed Denial of Service).
Even though these attacks are not part of the OWASP Top 10, they have become a daily scourge for many websites. They are simple and cheap to mount, and can take a website down for several hours with very few resources.
Our very high security cloud, CerberHost, provides protection against these attacks, but it is still worth knowing how they work.
DDoS: some context
A DoS or DDoS aims to exhaust the resources available to a server, most often the ones linked to the network. It is however also possible to saturate the disk, the RAM or the processors of the targeted machines.
We distinguish here applicative DDoS from network DDoS, since the methods differ, as does the way to block them. When people talk about a DDoS without further precision, however, they usually mean a network DDoS.
We have already published a paper about DDoS attacks, including L.O.I.C., the "voluntary botnet" tool used by Anonymous. We also alerted several organizations, such as the CERT (Computer Emergency Response Team) and CERTA, to share with them a reflection attack method called DrDoS (Distributed Reflection Denial of Service), whose massive resurgence, driven by new vectors, we were the first to observe.
The phenomenon has grown enormously over the last few years. Attacks are more and more numerous and, for network attacks, traffic volumes are more and more massive: attack traffic now reaches several hundred gigabits per second. These attacks can hit any service (e-mail, SSH, Web, etc.), but the Web is the most targeted. The well-known attacks against Cloudflare and Spamhaus perfectly illustrate this acceleration.
On the victim's side, a Neustar report puts the estimated cost of a DDoS at between 7,000 and 40,000 € per hour on average, and more for large sites. These attacks have become a weapon of unfair competition, a way to extort a ransom, a gag for newspapers that bother an attacker and, more generally, an almost intractable form of online nuisance. In 99% of cases the origin of a DDoS is never known and its author never prosecuted.
An example of a currently fashionable DDoS
First, here is a small, typical example of a DDoS we currently hear a lot about. It is, more precisely, a DrDoS, a Distributed Reflection Denial of Service. The three key parameters are the following:
- UDP (User Datagram Protocol) spoofing
- Amplification factor
- Type of vector used
UDP spoofing
Spoofing is the cornerstone of this attack: it is what makes the attacker anonymous.
UDP is connectionless: there is no handshake, a sender just emits datagrams without the protocol checking whether they arrive, and nothing verifies that the source address written in a datagram is genuine. The attacker therefore stays anonymous and sends forged, "spoofed" packets. Spoofing consists in changing the source IP address of the packet (where it claims to come from), replacing the attacker's real IP address with the target's.
The replies to these packets thus go back to the target and not to the attacker: this is the "reflection", or bouncing, part of the attack.
Amplification factor
If the attacker has a 100 Mb/s connection, for instance, and the replies are the same size as the requests (a 1:1 ratio), the target receives 100 Mb/s at most, i.e. no more than the attacker could have sent directly.
For the attack to be effective, an amplification factor is therefore needed. It lies in the protocol used, i.e. the vector. A good vector, a good protocol, gives the attacker an amplification factor of at least 40 to 50, or even 200 and more. The higher the factor, the more powerful the attack. We look at the efficiency of the vectors in the next paragraph.
A factor of 50, for example, which is reachable nowadays, turns the attacker's 100 Mb/s into 50 × 100 Mb/s, i.e. 5 Gb/s: already a serious DDoS. Obviously, the attacker will look for one or several connections to use as the source of the attack, and for the highest amplification vector possible.
A DDoS already reached 400 Gb/s this year and knocked out one of the largest Internet CDNs. From 10 Gb/s upwards, one can already cause a lot of trouble to most operators and hosts.
Type of vector used
This example shows that the "vector" used, the UDP-based protocol that is abused, largely conditions the size of the DDoS. Let us take a simple example: the network protocol of the game Quake 3, which runs over UDP.
When a computer wants to join a game, it asks the server, with a request of a few bytes (about 30, if memory serves), which games are currently running. The size of the answer depends on the number of games, but suppose that on average 40 games are hosted on a server and that every game description (number of players, maps, …) weighs 100 bytes: we get 4,000 bytes back for only 30 bytes sent, a multiplying factor above 100.
Vectors can also be a time server (NTP), a DNS (Domain Name System) server, or any other UDP service whose answers are longer than its questions. Any UDP service that replies to unauthenticated requests with more data than it received offers an amplification factor and can be reached with a spoofed source, which is exactly what the attacker needs.
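As an added example (not code from the article or from CerberHost), here is the arithmetic of the amplification factor together with the view an abused reflector has of the attack: it cannot tell a spoofed request from a genuine one, but a single "source" that asks for the game list hundreds of times per second is the address the attacker is spoofing, i.e. the victim. The exchange records, the addresses and the 30-byte / 4,000-byte sizes taken from the Quake 3 figures above are constructed.

```python
"""Reflector-side view of a UDP DrDoS: what the amplification factor means and
how an abused server can spot a spoofed victim.  Added example; the exchange
records below are constructed, they are not real captures."""
from collections import defaultdict
from dataclasses import dataclass

MBIT = 1_000_000  # bits per megabit


@dataclass(frozen=True)
class UdpExchange:
    """One request the server received and the reply it sent back."""
    src_ip: str      # source address of the request: the victim's address if spoofed
    req_bytes: int   # size of the request on the wire
    resp_bytes: int  # total size of the reply (all datagrams)
    ts: float        # seconds since the start of the capture


def amplification_factor(req_bytes: int, resp_bytes: int) -> float:
    """Bytes the reflector sends per byte the attacker spent."""
    if req_bytes <= 0:
        raise ValueError("request size must be positive")
    return resp_bytes / req_bytes


def reflected_rate_mbps(attacker_uplink_mbps: float, factor: float) -> float:
    """Traffic that lands on the victim when the attacker fills his uplink
    with spoofed requests to reflectors offering this factor."""
    return attacker_uplink_mbps * factor


def find_reflection_victims(exchanges, window_s=1.0, max_req_per_s=20.0):
    """Group exchanges by claimed source address.  A real client asks for the
    game list once; a source that 'asks' hundreds of times per second is an
    address the attacker is spoofing, i.e. the victim of the reflection.
    Returns {ip: (request_count, factor, mbps_sent_toward_ip)}."""
    by_src = defaultdict(list)
    for ex in exchanges:
        by_src[ex.src_ip].append(ex)

    victims = {}
    for ip, recs in by_src.items():
        recs.sort(key=lambda r: r.ts)
        # busiest window_s interval for this source (two-pointer sweep)
        busiest, lo = 0, 0
        for hi in range(len(recs)):
            while recs[hi].ts - recs[lo].ts > window_s:
                lo += 1
            busiest = max(busiest, hi - lo + 1)
        if busiest / window_s <= max_req_per_s:
            continue
        req_total = sum(r.req_bytes for r in recs)
        resp_total = sum(r.resp_bytes for r in recs)
        span = max(recs[-1].ts - recs[0].ts, window_s)
        victims[ip] = (len(recs),
                       amplification_factor(req_total, resp_total),
                       resp_total * 8 / span / MBIT)
    return victims


# Constructed sample using the article's Quake 3 figures: a 30-byte request
# and a 4,000-byte game list.  Two genuine players each ask once;
# 203.0.113.10 (a documentation address standing in for the victim) "asks"
# 500 times in two seconds, which no real client does.
SAMPLE = [UdpExchange("198.51.100.5", 30, 4000, 0.3),
          UdpExchange("198.51.100.7", 30, 4000, 1.1)]
SAMPLE += [UdpExchange("203.0.113.10", 30, 4000, i * 0.004) for i in range(500)]

if __name__ == "__main__":
    print("factor per request:", round(amplification_factor(30, 4000), 1))
    print("100 Mb/s uplink x factor 50 ->", reflected_rate_mbps(100, 50), "Mb/s")
    for ip, (n, factor, mbps) in find_reflection_victims(SAMPLE).items():
        print(f"{ip}: {n} requests, factor {factor:.0f}, {mbps:.1f} Mb/s reflected at it")
```

The defence this measurement suggests at the reflector is a rate decision, not an identity decision, since UDP cannot authenticate the source: cap the replies sent to any one source address (or demand a small challenge before a large reply), so that the factor collapses for sources exceeding a human rate.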
The different types of (D)DoS
There are several types of attacks that still fall within the DoS ("Denial of Service") perimeter:
- Network DoS
- Applicative DoS
- Network DDoS (including DrDoS)
- Applicative DDoS
Difference between DoS and DDoS attacks
Generally, whether applicative or network, the difference between a DoS and a DDoS lies in how the attack is distributed. A DoS comes from a single source, whereas a DDoS involves several computers or servers.
A typical DoS (Denial of Service) attack would be, for instance, to send 10 Gb/s from a single IP address / machine to a targeted server in order to saturate its network connection of only 1 Gb/s.
A typical DDoS (Distributed Denial of Service) attack would be to send 1 Gb/s from each of 10 different servers to block a targeted server with a 1 Gb/s connection. The result is the same, but because the sources are varied, the attack is a bit harder to block.
Difference between applicative and network (D)DoS
The main goal of a network DDoS or DoS, as explained in the previous paragraph, is to saturate a server's network connection so that it cannot answer requests any more.
Applicative DDoS and DoS attacks, however, usually target a website with a page that takes a long time to produce (for example the one that indexes a product catalogue, a web service method requiring a lot of resources, or simply a functionally heavy checkout page).
Some pages consume a lot of CPU (processor) and RAM (main memory) to be served, especially with interpreted (non-compiled) languages such as PHP. By calling such a page several times per minute, it becomes quite easy to take the targeted website down without many machines.
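The point of an applicative DoS is that a handful of requests per minute can be enough, so a counter of requests per client misses it. As an added example (not CerberHost's or Nginx's code), the following ranks clients by the server time their requests cost, which is what a reverse proxy in front of the Web servers would need to look at. The log format is a constructed one modelled on an Nginx access log with the request time appended, and the log lines are constructed.

```python
"""Applicative DoS seen from the reverse proxy: rank clients by the server time
their requests cost, not only by request count.  Added example with a constructed
log format and constructed log lines; it is not CerberHost's or Nginx's code."""
import re
from collections import defaultdict

# Constructed format, modelled on an Nginx access log with $request_time appended:
# client - - [time] "METHOD path HTTP/x" status bytes request_time
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - - \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) (?P<rtime>\d+\.\d+)$'
)


def parse_line(line):
    """Return (ip, path, request_time_seconds) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("path"), float(m.group("rtime"))


def client_costs(lines):
    """Per client: number of requests and total server seconds consumed."""
    stats = defaultdict(lambda: [0, 0.0])
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, _path, rtime = parsed
        stats[ip][0] += 1
        stats[ip][1] += rtime
    return {ip: (n, round(cost, 3)) for ip, (n, cost) in stats.items()}


def flag_abusers(lines, max_requests, max_server_seconds):
    """Clients over either budget within the period the lines cover.  The second
    budget is what catches a low-rate attack on a single expensive page."""
    return sorted(ip for ip, (n, cost) in client_costs(lines).items()
                  if n > max_requests or cost > max_server_seconds)


# Constructed sample covering one minute.  198.51.100.20 browses normally:
# 40 cheap requests.  203.0.113.7 hits the catalogue re-indexing page 30 times,
# at 2.1 s of PHP time each: fewer requests, but 63 s of server time per minute.
SAMPLE_LOG = [
    f'198.51.100.20 - - [10/Jun/2014:10:00:{i:02d} +0200] "GET /product/{i} HTTP/1.1" 200 8120 0.045'
    for i in range(40)
] + [
    f'203.0.113.7 - - [10/Jun/2014:10:00:{2 * i:02d} +0200] "GET /catalog/reindex HTTP/1.1" 200 512 2.100'
    for i in range(30)
]

if __name__ == "__main__":
    for ip, (n, cost) in client_costs(SAMPLE_LOG).items():
        print(f"{ip}: {n} requests, {cost} s of server time")
    # A plain request counter with a 50/min limit lets the attacker through;
    # a server-time budget of 10 s/min does not.
    print("count-only limit flags:", flag_abusers(SAMPLE_LOG, 50, float("inf")))
    print("cost budget flags:     ", flag_abusers(SAMPLE_LOG, 50, 10.0))
```

In practice the cost budget is applied per expensive route rather than globally, so that a client legitimately opening forty product pages is never confused with one hammering the re-indexing page.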
Where do (D)DoS come from?
Usually, a DDoS comes from several hundred, or even several tens of thousands, of machines that are either compromised by a virus or malware, or part of a "botnet" (contraction of "robot" and "network", a set of "zombie machines" used for malicious purposes such as spam).
DDoS attacks thus often come from botnets or "voluntary botnets" (a set of "zombie machines" whose owners deliberately enrolled their machines in a botnet, as with Anonymous and L.O.I.C. or H.O.I.C., the Low/High Orbit Ion Cannon).
These attacks can, however, also be bounced off third-party machines by usurping the target's IP address (IP spoofing): this is the principle of the DrDoS (Distributed Reflection Denial of Service).
A DrDoS (Distributed Reflection Denial of Service) is a well thought out bouncing attack.
The basic idea is to query a large number of servers (DNS name servers, NTP time servers, game servers such as Quake or CoD, etc.) over UDP (User Datagram Protocol). This transport protocol, whose role is to carry data between two hosts without setting up a connection, is one of the main protocols used on the Internet. Because UDP performs no handshake, it is possible to use a third party's IP address as the source, bounce the packets off these servers and hide the source of the attack.
The idea is to send, for instance to a game server, a request for the list of current games from the target's IP address instead of one's own. The request is a few bytes long and the answer can be several hundred kilobytes, or even megabytes. The attacker requests the game list with the target's IP as source (by changing his source address), "invests" a few bytes into hundreds of game servers, and the target receives huge waves of packets and bandwidth from all those servers. The higher the multiplying coefficient (the amplification factor) between the size of the minimal request and the size of the answer, the more efficient the DrDoS.
By using the gigabit connection of a compromised server or an individual's fibre line, with an amplification coefficient of 20 or 50, it becomes possible to obtain a 20 or 50 Gb/s attack with a few dozen reflecting servers. These numbers are huge, and some protocols allow even higher coefficients.
It is also feasible to get amplification with a TCP (Transmission Control Protocol) DrDoS. Unlike UDP, TCP makes sure, before transmitting data, that the peer is ready to receive it (the "handshake"), and checks after transmission that all the data has been received ("ACK", for acknowledge). The handshake can be retried up to five times. For a single TCP session opening request (a "SYN", for synchronize) sent with a spoofed source, the spoofed address therefore receives the SYN-ACK and up to five retransmissions of it, six packets in total on a default Linux stack (net.ipv4.tcp_synack_retries = 5): a coefficient of 6 in packets and of the order of 10 in bytes, depending on the TCP options the SYN-ACK carries.
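The TCP variant is worth modelling because its coefficient is spread over time: the server retries the SYN-ACK with a doubling timer, so one spoofed SYN keeps producing packets toward the victim for half a minute. As an added example (not the article's code), the following computes that schedule; it assumes a default Linux stack (net.ipv4.tcp_synack_retries = 5, 1 s initial timeout) and assumed sizes of 40 bytes for a bare SYN and 60 bytes for a SYN-ACK with options. This is also the behaviour the kernel tuning mentioned at the end of the article acts on: lowering tcp_synack_retries shortens the schedule.

```python
"""TCP reflection: how many SYN-ACKs one spoofed SYN draws out of a server.
Added example; it models the retransmission behaviour described in the text
(retries with a doubling timer, as a default Linux stack does with
net.ipv4.tcp_synack_retries = 5 and a 1 s initial timeout), not a capture."""


def synack_schedule(synack_retries=5, initial_rto_s=1.0):
    """Send times (seconds after the SYN) of the first SYN-ACK and each retry.
    The timer doubles after every unanswered attempt."""
    times, t, rto = [0.0], 0.0, initial_rto_s
    for _ in range(synack_retries):
        t += rto
        times.append(t)
        rto *= 2
    return times


def tcp_reflection_coefficient(syn_bytes=40, synack_bytes=60, synack_retries=5):
    """Packets and bytes the spoofed address receives per SYN, and the resulting
    byte amplification.  40 bytes is a bare SYN (IP + TCP headers); 60 bytes is
    a SYN-ACK carrying typical options (both assumed sizes)."""
    packets = 1 + synack_retries
    reflected = packets * synack_bytes
    return {"packets": packets,
            "bytes": reflected,
            "factor": reflected / syn_bytes,
            "last_retry_s": synack_schedule(synack_retries)[-1]}


if __name__ == "__main__":
    for retries in (5, 2):
        c = tcp_reflection_coefficient(synack_retries=retries)
        print(f"tcp_synack_retries={retries}: {c['packets']} SYN-ACKs, "
              f"{c['bytes']} bytes, factor {c['factor']:.1f}, "
              f"last retry at {c['last_retry_s']:.0f} s")
```

With the defaults the last retry leaves 31 s after the spoofed SYN, so a steady stream of SYNs stacks six schedules on top of each other; with tcp_synack_retries lowered to 2 the same server gives the attacker only three packets and is done after 3 s.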
The protocols that rule the Internet (UDP, TCP, ICMP, etc.), and IP itself, are some 40 years old, and nobody at the time anticipated such a hijacking of these tools. Changing these foundations is obviously impossible today, at least in the short term.
The DrDoS irony
These attacks are partly possible because telecom operators let them happen. Since traffic is most of the time billed to the customer, operators make money by letting the situation last.
To block these attacks, it would be "enough" to not carry traffic out of one's network when it does not come from one's network. For instance, if I am hosted at OVH or Free, these operators have no reason to forward packets whose source IP address does not belong to their networks. Yet in a DrDoS the attacker precisely sends packets whose source address is the target's, which is usually not an address of the operator's own network; filtering on the source address at the network edge (what BCP 38 describes) would stop them at the first hop.
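The "enough" of the previous paragraph is a short piece of logic. As an added example (not the article's or any operator's code), here it is as an egress filter: a packet leaving the network is forwarded only if its source address falls in a prefix the operator actually owns. The prefixes and packets are constructed from documentation address space.

```python
"""Egress source-address filtering (the 'enough' of the paragraph above, known as
BCP 38 / RFC 2827): an operator only forwards packets whose source address it
actually owns.  Added example; the prefixes and packets are constructed."""
import ipaddress

# Address space this operator announces (constructed; documentation prefixes).
OPERATOR_PREFIXES = [ipaddress.ip_network(p)
                     for p in ("198.51.100.0/24", "2001:db8:100::/48")]


def is_spoofed(src_ip, prefixes=OPERATOR_PREFIXES):
    """True when a packet leaving the network claims a source the operator does not own."""
    addr = ipaddress.ip_address(src_ip)
    # 'in' is False across address families, so IPv4 sources are only matched
    # against IPv4 prefixes and vice versa.
    return not any(addr in net for net in prefixes)


def egress_filter(packets, prefixes=OPERATOR_PREFIXES):
    """Split outbound packets (src, dst) into forwarded and dropped lists."""
    forwarded, dropped = [], []
    for src, dst in packets:
        (dropped if is_spoofed(src, prefixes) else forwarded).append((src, dst))
    return forwarded, dropped


# Constructed outbound traffic: two genuine customer packets, then a DrDoS
# request whose source is the victim's address (203.0.113.10), aimed at a
# reflector (192.0.2.53).
OUTBOUND = [("198.51.100.5", "192.0.2.53"),
            ("2001:db8:100::7", "2001:db8:2::53"),
            ("203.0.113.10", "192.0.2.53")]

if __name__ == "__main__":
    ok, bad = egress_filter(OUTBOUND)
    print("forwarded:", ok)
    print("dropped as spoofed:", bad)
```

The check is trivial for an access network whose customer prefixes are known; the difficulty in the real world is purely one of deployment, since a non-filtering operator suffers none of the consequences itself.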
Network DDoS settings
The total bandwidth volume sent and received is one of the key points. For instance, if the host has 20 Gb/s available and the DDoS (more probably a DrDoS) exceeds those 20 Gb/s, then all of the host's websites go down: the "pipe" is saturated and nothing gets through.
It is also possible (and increasingly fashionable) to try to saturate equipment such as firewalls, switches, routers, reverse proxies or load balancers, for example by exceeding their processing capacity with too many packets. A device limit of 1 Gb/s also comes with a limit on the number of packets the device can process per second, a fact that is less well known.
If a DDoS sends 200 kpps (kilo-packets per second) and the processing limit is 100 kpps, the equipment is saturated even though 200 kpps of minimum-size packets represent only around 100 Mb/s of bandwidth (a little more once the per-frame overhead on the wire is counted) against a 1 Gb/s limit. This method thus consists in sending a huge number of small packets.
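As an added example (not the article's code), the following puts the two limits side by side: it computes packets per second and bits per second for a traffic sample and names the limit a device hits first. The Ethernet figures it uses (64-byte minimum frame, 20 bytes of preamble and inter-frame gap per frame) are standard; the traffic samples and the 1 Gb/s / 100 kpps device rating are constructed.

```python
"""Packets per second against bits per second: which limit of a device a flood
hits first.  Added example with constructed traffic samples; the rates are not
from a real capture."""

ETH_MIN_FRAME = 64       # smallest Ethernet frame, bytes (headers, padding and FCS)
ETH_WIRE_OVERHEAD = 20   # preamble (8 bytes) + inter-frame gap (12 bytes) per frame


def link_max_pps(link_bps, frame_bytes=ETH_MIN_FRAME):
    """Highest packet rate a link can carry at this frame size: about 1.49 Mpps
    of minimum-size frames on 1 Gb/s, far above what most middleboxes process."""
    return link_bps / ((frame_bytes + ETH_WIRE_OVERHEAD) * 8)


def traffic_rate(sample, duration_s):
    """sample: list of (frame_bytes, count) seen during duration_s.
    Returns (packets per second, bits per second on the wire)."""
    pps = sum(count for _, count in sample) / duration_s
    bps = sum((size + ETH_WIRE_OVERHEAD) * 8 * count for size, count in sample) / duration_s
    return pps, bps


def check_device(sample, duration_s, bps_limit, pps_limit):
    """Compare a traffic sample against both limits of a device and name the
    one that gives way first (as a share of its capacity)."""
    pps, bps = traffic_rate(sample, duration_s)
    pps_load, bps_load = pps / pps_limit, bps / bps_limit
    return {
        "pps": pps, "mbps": bps / 1e6,
        "pps_exceeded": pps > pps_limit,
        "bps_exceeded": bps > bps_limit,
        "bottleneck": "pps" if pps_load >= bps_load else "bps",
    }


# Constructed one-second samples against a device rated 1 Gb/s and 100 kpps.
LIMIT_BPS, LIMIT_PPS = 1_000_000_000, 100_000
SMALL_PACKET_FLOOD = [(64, 200_000)]        # the article's 200 kpps of tiny packets
BULK_DOWNLOADS = [(1500, 50_000)]           # a busy but normal evening
VOLUMETRIC_FLOOD = [(1500, 90_000)]         # full-size packets, fills the pipe instead

if __name__ == "__main__":
    print(f"1 Gb/s carries up to {link_max_pps(1e9):,.0f} minimum-size frames per second")
    for name, sample in (("small-packet flood", SMALL_PACKET_FLOOD),
                         ("bulk downloads", BULK_DOWNLOADS),
                         ("volumetric flood", VOLUMETRIC_FLOOD)):
        r = check_device(sample, 1.0, LIMIT_BPS, LIMIT_PPS)
        print(f"{name}: {r['pps']:,.0f} pps, {r['mbps']:.0f} Mb/s, "
              f"pps exceeded={r['pps_exceeded']}, bps exceeded={r['bps_exceeded']}, "
              f"bottleneck={r['bottleneck']}")
```

The practical consequence when sizing equipment: ask the vendor for the packet rate at 64-byte frames, not only the throughput, because a 1 Gb/s port can deliver almost 1.5 million such frames per second and a device rated at 100 kpps is saturated at less than 15% of the link's bandwidth.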
Visualizing DDoS attacks on the Internet
The Digital Attack Map is a joint initiative of Google and Arbor Networks, a vendor of equipment that mitigates DoS and DDoS attacks. It shows, in near real time, the main DDoS attacks in the world at a given moment. It is interesting to see how commonplace these attacks have become.
On this Team Cymru page, one can also see many graphs, one of which shows the number of DDoS attacks per day.
The future of DDoS attacks
These attacks are increasing in volume and frequency at a worrying pace.
Two or three years ago, Anonymous blocked the website of the US Senate with 20 Mb/s. More recently, Cloudflare has been seriously disrupted several times by attacks exceeding 100 Gb/s, and 400 Gb/s attacks have been seen this year. It is even expected that the Tb/s mark will be reached and exceeded before the end of 2015.
Beyond the number and volume of attacks, they have also become a reflex for attackers. For a few dollars an hour, one can rent a network of compromised machines and have them run a DDoS. From the office computer on which I am writing this article, with a simple Perl script, I can send a DDoS of many Gb/s in a few minutes.
Although these actions are punishable by a fine of up to 75,000 € and three years in prison, the authors are never found (and are very hard to find anyway). DDoS attacks are thus a simple weapon, requiring very little technical knowledge or money, and terribly effective.
There is thus little doubt that they will keep multiplying, just as they have multiplied since we informed the CERT and CERTA of the resurgence of the DrDoS three years ago.
Classic methods to end a (D)DoS
There are several ways to contain a DoS or DDoS. The first and historical one is to blackhole the attacked IP address. Blackholing consists in announcing to Internet routers, through BGP (Border Gateway Protocol), that the IP address leads nowhere and that it is useless to send it traffic. It is effective for the host, who gets its connectivity back, but the affected website remains unreachable as long as its IP address is blackholed.
The most elegant method consists in absorbing all the traffic sent against the website thanks to sufficient bandwidth, then discarding the useless packets while letting the legitimate ones reach the target server. Specialized appliances do this job, such as the Arbor Networks equipment that NBS System uses for its own infrastructure. They filter on the protocols actually in use, or identify patterns and signatures in the packets sent, so as to drop only the illegitimate ones. In a network DDoS, the latter usually share common features that allow them to be told apart from the rest.
When the DDoS is applicative, the illegitimate requests must be identified by their common features and blocked at the reverse proxy level, so that they never reach the Web servers.
A little-known DoS consists in filling the hard disk, when possible. If an attacker can get a large enough amount of data written to disk every time a page or service is called, it becomes possible to fill the disk, or the network share that hosts it, and thus make the site or service unreachable.
CerberHost‘s answers to (D)DoS attacks
CerberHost deploys four different methods to block DDoS and DoS attacks, whether applicative or network:
- Triple telecom provider: to avoid losing our connectivity because our telecom operator is blocked by an attack against us or against another of its customers, we use three different operators.
- Arbor Networks: our bandwidth is protected by Arbor Networks hardware. This company is considered, to this day, to provide the best mitigation tools against these scourges, which is why we are equipped with it. Its equipment handles network DDoS, for instance, allowing the targeted service to keep working even under a strong attack.
- Reverse proxy: we block applicative DoS and DDoS with our Nginx reverse proxy. The method is classic: we block the standard forms of applicative DoS by limiting the number of requests per second allowed, or by dropping requests outright when we are sure they are an attack.
- Kernel tuning: our Linux kernels are built and compiled to measure, with numerous patches. They apply settings to the TCP/IP stack and to some other services on our machines, to prevent some of the attacks aiming at exhausting resources.
For more details about the protections provided by the CerberHost solution, watch its presentation video HERE.