The anatomy of a modern DDoS attack
Distributed denial of service (DDoS) attacks vary from regular denial of service (DoS) attacks due mainly to the extra “D,” which stands for “distributed.” Typically, a DDoS attack is launched from many machines which are generally PC’s that have been infected with a virus or trojan allowing them to be controlled by a “bot herder,” who gathers the infected machines into a single collective. An attacker can then issue commands to the collective, transparently ordering the machines to attack a specific target. The following diagram helps illustrate this concept:
In most cases, the target goes offline instantly and is not restored until the attack ceases or the victim purchases a sometimes costly DDoS mitigation solution. To add insult to injury, the vast majority of DDoS mitigation solutions range from ineffective to somewhat effective, despite costing thousands of dollars for even a small amount of protection.
The image above is a screenshot from the DDoS attack tool known as “Low Orbit Ion Cannon.” These tools, commonly known as “booters,” make it easy for an inexperienced person with malicious intent to take nearly any target offline, for nearly any reason imaginable. These attacks are no longer isolated incidents, attributed to the type of content hosted on a site or the actions of its owner. Instead, DDoS attacks are occurring for reasons such as extortion, political and ideological agenda, anti-competitive initiatives, and suppression of free speech, just to name a few. One of LOIC’s features is known as “HIVE MIND,” allowing a single LOIC user to control an entire network of LOIC daemons distributed globally.
LOIC is sometimes installed through malware as previously discussed, and is often installed by willing participants who wish to assist in DDoS attacks against predesignated targets. Activist groups like “Anonymous,” will often use internet relay chat (IRC) and Twitter to communicate intended targets.
The distributed denial of service (DDoS) intelligence gap
The major problem with DDoS attacks does not exist entirely within the attacks themselves, rather it is the lack of intelligence within the information systems security community. Every day the media reports on DDoS attacks, outlines trends, creates infographics, and touts the latest in protection technologies. At the time of this writing there were about 1970 articles written or syndicated in the past week on these very topics. You see, the actual problem is that the vast majority of DDoS mitigation intelligence was created by, or derived from, vendors of DDoS mitigation solutions.
In essence, there is very limited independently verifiable data available concerning the actual size and frequency of DDoS attacks. Even the most respected journalists and security experts are forced to rely on hearsay or potentially biased reports, whitepapers, and presentations. As a result, much of what is known about DDoS today has been implanted by biased security experts vs. independent research.
Black Lotus began researching and developing DDoS mitigation strategies in 1999, at least 4 years before DDoS mitigation began to develop as a serious commercial enterprise. This provided us a unique opportunity to experience DDoS attacks in various stages as they began to progress in size and complexity. Interestingly, our findings seem to conflict with the marketing spin that is often found circulating in an apparent attempt to be regarded as a pioneer in the IS security market.
The earliest DDoS attacks can be traced back to CERT Incident Note 99-04 from Thursday, July 22nd, 1999 detailing a vulnerability where backdoors could be installed on servers using remote procedure calls. This eventually lead to CERT Incident Note 99-07, detailing “trinoo” and “Tribe Flood Network,” the first known DDoS malware. On Wednesday, December 8th, 1999 Black Lotus was formed as a security think tank with the goal of solving the DDoS problem.
At the time, there was no known solution for mitigating a DDoS attack. Bandwidth was very expensive (eg. $500 – 1000/Mbps vs. today’s wholesale rates of $2 – 10/Mbps were not uncommon). As a result, victims of DDoS attacks were vilified and prohibited from conducting business with any host or ISP that saw them as a risk. The goal of Black Lotus was to counter this logic by identifying the missing piece of the puzzle. In the following years, DDoS and mitigation of DDoS attacks remained very rudimentary: Most attacks were less than 100 Mbps in total size and could be easily filtered by hand, so long as the ISP was willing to absorb the cost of bandwidth (which was generally not the case).
Today, DDoS attacks are far more complex, often reaching into the gigabits (Gbps) per second and millions of packets per second (Mpps). While it is possible to combat these threats on highly capable networks by using organic capabilities or DDoS mitigation appliances, many businesses resort to service providers for a more rapidly deployable solution. Despite years of development, there are still very few providers capable of effectively defending their customers against DDoS attacks. Black Lotus is at the forefront of DDoS mitigation technology, with zero day detection and mitigation that remains on the bleeding edge.
The importance of Layer 7 heuristics
Generally speaking, DDoS mitigation techniques can be viewed as either signature or heuristic based. With a signature based approach attacks are automatically dropped by a purpose built packet filter when an attack is identified using its unique fingerprint, similar to how viruses are detected on PC’s using virus definition files. Despite being the most common method of DDoS mitigation, this has inherent flaws when relied upon exclusively. “Zero day” attacks, those which are previously unknown, strike frequently and will bypass a signature based appliance until the signature has been updated.
Black Lotus relies on a predominately heuristic based approach. Using technologies like network behavior analysis (NBA), and our patent-pending Human Behavior Analysis (HBA), we are able to build profiles of legitimate behavior and detect and mitigate deviations from known legitimate behavior in real time. This approach allows us to instantly mitigate even zero day attacks without having any prior knowledge of its behavior.
There is a common misconception that a hardware firewall, such as a Cisco ASA or Juniper SRX, can mitigate DDoS attacks. While these devices do have anti-DDoS features and can be used as part of a DDoS mitigation strategy, they will fail if relied upon exclusively. The main issue is stateful inspection and the lack of intelligent mitigation. Firewalls cannot intelligent detect and mitigate an attack if it does not match a predefined policy. When the firewall becomes saturated, sometimes with even a small amount of traffic, its session table will hit its maximum capacity with new sessions attempting to spawn substantially faster than the expiration rate of the older sessions.
One problem that cannot be easily mitigated with a DDoS mitigation appliance is known as a Layer 7 attack, referring to the application layer of the OSI model. This is where HBA becomes a critical component to our mitigation strategy. HBA is similar to NBA as it is a technology capable of learning appropriate behavior and identifying malicious behavior within its own intelligence. The key difference is that HBA is an exclusively Layer 7 technology, the only one of its kind to be able to anticipate the behavior of a real human and proactively block malicious requests without the need to associate them with a larger DDoS attack.