What you Need to Know to Beat a DDoS Attack

AllCloud Blog:
Cloud Insights and Innovation

I think most IT professionals are aware by this time of what’s likely to be seen as an historic, record-setting sized cyberattack on Dyn, a large Internet infrastructure company. A three wave distributed denial of service attack (DDoS) that began on October 21, 2016 at approximately 11:10 UTC and lasted until approximately 17:45 UTC took down a big part of the Internet on the East Coast of the United States and affected Twitter, Spotify, Tumblr, Reddit, PayPal and other sites. It’s still unclear who orchestrated the attack.

Dyn offers Domain Name System (DNS) services, essentially acting as an address book for the Internet. A DDoS attack is a particularly effective type of attack on DNS services because in addition to flooding servers with so many fake requests for information that they cannot respond to real ones, those servers also have to deal with automatic re-requests as well as with regular users hitting browser’s refresh button while waiting for an unresponsive page to load.

DNS registrars typically provide authoritative DNS services for thousands or tens of thousands of domain names and that’s what makes attacking DNS so effective; rather than targeting individual sites, an attacker can create a very large damage footprint by hitting the DNS registrar.

“… we know this was a sophisticated, highly distributed attack involving 10s of millions of IP addresses. The nature and source of the attack is under investigation, but it was a sophisticated attack across multiple attack vectors and internet locations. We can confirm, with the help of analysis from Flashpoint and Akamai, that one source of the traffic for the attacks were devices infected by the Mirai botnet. We observed 10s of millions of discrete IP addresses associated with the Mirai botnet that were part of the attack.” said Kyle York, Chief Strategy Officer of Dyn.

The source code for Mirai was recently released and allows even unskilled hackers to take over online devices and use them to launch DDoS attacks. The software uses malware from phishing emails to first infect a computer or home network, then spreads to everything on it, taking over DVRs, cable set-top boxes, routers and even Internet-connected cameras used by stores and businesses for surveillance. Once infected, these devices are in turn used to create a robot network, or botnet, driving malicious traffic toward a given target. The large spread of the attack points makes it difficult to fight, because it’s hard to distinguish legitimate traffic from botnet traffic.

Similar large size attacks are likely to happen more in the future. At this point, there is no bullet proof defense against them and a temporary outage can likely not be avoided but there are various mitigation techniques that can help reducing the impact on your business.

Types of DDoS attacks

Infrastructure Layer Attacks:

  • The most common DDoS attacks, e. g. User Datagram Protocol (UDP) reflection attacks and synchronize (SYN) floods
  • Generate large volumes of traffic that can inundate the capacity of a network or system
  • They have clear signatures that can make them easier to detect
  • Effective mitigation of these attacks requires network or system resources in excess of the volume that is generated by the attacker

Application Layer Attacks:

  • Layer 7 or application layer attack, e.g. HTTP floods,
  • The attacker is attempting to over-exercise specific functions of an application to render it unavailable,
  • More difficult to detect and mitigate.

Mitigation Techniques

Cloud infrastructure is DDoS-resilient by design and is supported by DDoS mitigation systems that can automatically detect and filter excess traffic. To protect the availability of your application, it is necessary to implement an architecture that allows you to take advantage of these capabilities.

Infrastructure Layer Defense:

Leverage the cloud capabilities and architect your application to be able to scale and absorb larger volumes of traffic without capital-intensive investments or unnecessary complexity:

  • Choose from various instance sizes / types and scale vertically and horizontally.
  • Choice of Region. Many DDoS attacks originate internationally, so it is helpful to be close to exchanges where international carriers and large peers frequently maintain a strong presence. Many regions are closer to large Internet exchanges.
  • Consider load balancing the excess traffic so you can reduce the risk of overloading your application by distributing traffic across many backend instances. Load balancers can scale automatically, allowing you to manage larger volumes of unanticipated traffic, like DDoS attacks.
  • Deliver at scale using edge locations. AWS for example offers you Cloudfront (CDN service) and Route53 (DNS service) which are two highly available and fully scalable services capable of absorbing DDoS attacks.

Application Layer Defense:

Defending your application against application layer attacks requires you to implement an architecture that allows you to detect plus scale to absorb and block malicious requests. This is an important consideration because network-based DDoS mitigation systems are generally ineffective at mitigating complex application layer attacks.

  • Detect and filter malicious web requests. Web application firewalls (WAFs) are often used to protect web applications against attacks that attempt to exploit a vulnerability in the application and mitigate web application layer DDoS attacks (e. g. Incapsula – www.incapsula.com ).
  • Scale to absorb. Another way to deal with application layer attacks is to operate at scale and distribute traffic to many instances that are over provisioned or configured to auto scale for the purpose of serving surges of traffic (which might be the result of an application layer DDoS attack).

Important general guidelines:

    • Attack surface reduction means limiting the opportunities that an attacker may have to target your application. For example, if you do not expect an end user to directly interact with certain resources you will want to make sure that those resources are not accessible from the Internet. Similarly, if you do not expect end-users or external applications to communicate with your application on certain ports or protocols, you will want to make sure that traffic is not accepted.
      • Start your sensitive application instances in private subnets, protected using UTMs (Sophos, Fortigate, Checkpoint etc.) and never trust your outbound traffic, filter it using web filters based on URL whitelists.
      • Use security groups to control access to instances and network ACLs to control traffic flow in and out of subnets.
      • Leverage managed services like for example AWS API Gateway that acts as a “front door” to applications running on Amazon EC2, AWS Lambda, or any web application to obfuscate other components of your application from the public. This can help prevent those AWS resources from being targeted by a DDoS attack.
    • Visibility – It is also useful to know when DDoS attacks are targeting your application and to be able to act on this data. When a key metric deviates substantially from the expected value, this is an indication that an attacker may be attempting to target the availability of your application.
      • Leverage tools like CloudWatch and VPC Flow Logs on AWS to learn normal behavior and gain visibility into the key metrics.
      • Monitor your Web Proxy logs and analyze dropped requests (Logz.io – www.logz.io is a tool that can help you do that with little work).
      • Always monitor your entire network traffic and look for anomalies. Observable – www.observable.net can do complex analysis and forensics on your logs and detect all sorts of threats or breaches.
      • Monitor your site reachability over multiple points of presence using third party tools, like for example Pingdom – www.pingdom.com
    • Support – create a plan for DDoS attacks before an actual event. Having a plan in place before an attack ensures that you have a resilient architecture, you understand the cost benefit equation, you know who to contact when an attack happens. If you are running mission critical workloads you should consider signing up for Support with your major technology vendors and consultants. Their expertise can be of a great value when the time comes.

We can help you to better manage your cloud, come talk to us!

Virgil Niculescu

Read more posts by Virgil Niculescu