Short Term Answers to Long Term DDoS Problems

While Anonymous continues to be the boogeyman of the Internet, attribution of Internet attacks is still a game of pin the tail on the donkey. The tactical, short-term problem is not who's attacking you, but how you stay online for the first 72 hours of the attack. Knowing whether it's the Al-Qazam Cyber Fighters or graduates of the University of 4chan doesn't really do anything to keep services online. It's like admiring the class ring of the bully punching you in the face.

Whether you label an attacker as American Anonymous, Chinese APT, or Russian RBN doesn't change your immediate problem of defending your network. The key thing is how you're being attacked, and what you're going to do about it in the first few hours.

Types of Attacks

Taking a few moments to break down attack types can help you better prepare your defenses. Without getting into the semantics of the OSI model debate, let me narrow down DDoS into two types:
1. Protocol (Layer 4)
2. Application (Layer 7)

1. Protocol Attacks
Protocol attacks are UDP, ICMP, and SYN floods, etc. They abuse the no-handshake nature of UDP and ICMP, or abuse the first step of the TCP handshake by repeating SYN packets. Because Protocol attacks are spoof-able, attackers can multiply their strength 70X by reflecting their attacks off of thousands of vulnerable UDP servers running services such as DNS (port 53), NTP (port 123), or more recently SSDP (port 1900). These attacks overwhelm interface capacity, sending the proverbial 50G bowling ball through a 10G garden hose.

2. Application Attacks
Application attacks live in the payload data. These are usually GET floods, Slow POST, certificate renegotiation, etc., that attempt to lock up or stall processes on a server by exhausting CPU, memory, or other resources. These attacks, while sexy in their technical nature, are not spoof-able. Since most business applications use TCP, the attack must be delivered from a real IP. As signatures are created and distributed, this equates to a shorter lifespan per infected host, as the hosts are more likely to get reported and cleaned or blocked.

Put on your metaphorical hacker ski-mask-thinking-cap for a moment and ask yourself,
Would an attacker rather:
1. Multiply his attack by 70X with little to no effort?
2. Expose his botnet's real IPs, and risk them getting shut down and traced back?


Consider that most enterprise networks will get hit with the most typical attack, a Protocol attack.
Are you prepared for the most likely event? What will you do when it happens?

UDP is the elephant on the Internet. It's the most abused protocol, but UDP's practical uses are too fundamental to eliminate the protocol. Still, that doesn't mean you need to let the elephant into your living room. Thinking in terms of layered defense, ask yourself: are there places where we can block UDP further upstream? How much can we limit it (ports and IPs)?

Does your network use DNS and NTP? Yes, it does. Does your network need to talk to every possible DNS or NTP server on the Internet? No, it doesn't. Limiting your exposure to un-patched DNS and NTP servers is a good proactive step you can take now. Unfortunately, there are thousands of vulnerable DNS and NTP servers left un-patched for months (and even years) after reporting. Know who your network commonly communicates with over UDP, whitelist those, and in terms of your essential services, drop anything that isn't absolutely necessary.
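One way to make "know who you talk to over UDP, whitelist those, drop the rest" checkable before you push it upstream, as an added example that is not from the original article or from F5. The flow records, the `min_flows` threshold, the function names, and the nftables-style rule text are all assumptions constructed for illustration.

```python
from collections import Counter

# UDP services the article names as reflection vectors.
REFLECTION_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP"}

# Constructed UDP flow records: (direction, remote_ip, remote_port, bytes).
# Addresses are from documentation ranges (RFC 5737); none are real hosts.
FLOWS = [
    ("out", "192.0.2.53", 53, 70), ("out", "192.0.2.53", 53, 72),
    ("out", "192.0.2.123", 123, 48), ("out", "192.0.2.123", 123, 48),
    ("out", "198.51.100.9", 53, 70),      # one-off lookup, not a common peer
    ("in", "192.0.2.53", 53, 310),        # answer from our usual resolver
    ("in", "192.0.2.123", 123, 48),       # answer from our usual NTP server
    ("in", "203.0.113.10", 53, 4096), ("in", "203.0.113.11", 123, 4680),
    ("in", "203.0.113.12", 1900, 3200), ("in", "203.0.113.10", 53, 4096),
]

def build_allowlist(flows, min_flows=2):
    """Servers our hosts queried at least min_flows times (assumed threshold)."""
    seen = Counter((ip, port) for d, ip, port, _ in flows
                   if d == "out" and port in REFLECTION_PORTS)
    return {peer for peer, n in seen.items() if n >= min_flows}

def classify_inbound(flows, allowlist):
    """Bytes of inbound UDP from reflection-prone source ports: kept vs dropped."""
    kept, dropped = Counter(), Counter()
    for d, ip, port, size in flows:
        if d == "in" and port in REFLECTION_PORTS:
            bucket = kept if (ip, port) in allowlist else dropped
            bucket[REFLECTION_PORTS[port]] += size
    return kept, dropped

def render_rules(allowlist):
    """Accept known servers first, then drop the rest (nftables-style text)."""
    rules = [f"ip saddr {ip} udp sport {port} accept"
             for ip, port in sorted(allowlist)]
    ports = ", ".join(str(p) for p in sorted(REFLECTION_PORTS))
    return rules + [f"udp sport {{ {ports} }} drop"]

if __name__ == "__main__":
    allow = build_allowlist(FLOWS)
    kept, dropped = classify_inbound(FLOWS, allow)
    print("kept bytes:", dict(kept))
    print("dropped bytes:", dict(dropped))
    print("\n".join(render_rules(allow)))
```

Running the classification against a real flow export before enforcing the rules shows which legitimate peers would be cut off, so the allowlist can be corrected first.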

As you examine your defenses and work your way out of your network, you may get lucky and make it all the way to your Carrier Interface and be able to say, "We've isolated our traffic. We don't need UDP on this announced network, so the Carrier is dropping it for us." The problem here is that the rule is probably going to be just on the other side of your Carrier Interface, and that interface can still be overwhelmed.

Want to know more about how to protect yourself from DDoS attacks, whether they are Protocol or Application? Are you being threatened with an attack? Our team of DDoS experts is here to help. With a full suite of on-premise, cloud, and hybrid solutions, including the newly announced F5 Silverline DDoS Protection Services, F5 is uniquely positioned to mitigate the biggest, scariest attacks out there. F5's DDoS Services are an added layer of protection, standing in front of your servers, announcing the path to your servers through our DDoS Scrubbing Data Centers in Europe, North America, and Asia. With a global footprint and a carrier-agnostic network, the most likely vectors of attack can be swallowed with F5's Silverline DDoS capacity.

Published Nov 13, 2014
Version 1.0
