This blog has been inspired by the recent events surrounding Wiki-Leaks – a Tit-for-Tat ideology.
What exactly is a DDoS attack?
It is one in which a multitude of compromised systems attack a single target, causing a denial of service for users of the targeted system. The ensuing flood of incoming messages sent to the target system essentially forces it to shut down, denying the service provided by that system to legitimate users.
In a typical DDoS attack, a vulnerability in a computer system is exploited and the DDoS Master is born. It is from this Master system that the intruder communicates with the other compromised systems. The Master system may run an IRC server to facilitate this communication. With a single command, the intruder instructs the Master to send commands to the controlled machines to launch one of many flood attacks against a specified target. The resulting inundation of packets causes a denial of service at the target.
A Zombie or bot is a computer system which has no intelligence of its own and relies solely on the commands issued by the Master to carry out the intended task, hence the name Zombie. A group of Zombies or bots working towards the same goal is referred to as a botnet.
Though the definition is generalized, we need to understand that every DDoS attack has a different attack vector, and it changes from service to service. An attack on an SSH server is definitely different from one on a Web server.
As mentioned in my earlier blog, we refer to the Network Diagram, with a few obvious modifications.
Point A: This is the entry Point for ISP.
Point B: This is the exit point of the ISP.
Point C: This is the entry point to your network.
Points D and E: This is the area where Anti-DDoS devices, Firewalls or your IPS/IDS systems reside.
From the above diagram it is quite evident that a DDoS may target a single point in your infrastructure, but the repercussions are felt from Point B onwards, and the attack can be thwarted at Point B itself.
Now, let us view this problem from a different perspective:
A DDoS attack is an infrastructure-based attack; though the footprint of the attack varies, the basic algorithm remains the same. One would ask a simple question: who would benefit from such attacks? The immediate answer would be the BotMaster, or whoever instigated the attacks.
Now here is a twist: it is the ISP who has gained financially. Some ISPs will offer their services for blocking IPs or blocking specific protocols, but they will always suggest doing so using devices present on your premises, and at the end of the month they are also more than willing to send you their 95th percentile invoice for the bandwidth used.
If you try to protect Point C by deploying anti-DDoS devices, then again it is the ISP who has gained.
In DDoS attacks, I have rarely seen any organization being held to ransom or monies being extorted, because the risk is too high and basically these attacks are conducted for extracting revenge or for seeking retribution, unlike their other counterparts like ransomware viruses or malware.*
For an organization or corporate that invests heavily in network resources, including bandwidth (between Point B and Point C), there is very little protection offered by the ISP in terms of averting such attacks. ISPs are more concerned with their 95th percentile billing; the customer has no choice when it comes to the security of the packets transmitted via the ISP.
Terminating the attack at the ISP's end is still not being considered a viable solution, even though the effect of this action would be a global one.
Every individual who is an advocate of a safe Internet, or any system admin / IT head who has had to withstand the worst of a DDoS attack on their infrastructure, would agree that a part of network security lies on the shoulders of the ISP.
When it comes to liability and accountability, every country and every government on the face of this earth has virtually indemnified the ISP against any action.
A DDoS attack is a reminder to all of us that unless and until ISPs are proactive in providing defensive mechanisms, these attacks will keep going on.
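To see why a flood ends up on the customer's invoice, here is a small model of 95th percentile billing. This is an added example with constructed traffic figures, not the article's data and not any particular ISP's billing formula; the 5-minute sampling interval, the 30-day period and the "discard the top 5% of samples, bill the highest remaining" rule are assumptions stated in the code.

```python
"""95th-percentile bandwidth billing, modelled to show why a DDoS ends up on the
customer's invoice. Added example with constructed data; not the article's own
figures and not any particular ISP's billing formula (assumptions noted below)."""

SAMPLES_PER_DAY = 288          # one 5-minute average per sample (assumption)
DAYS_IN_MONTH = 30             # assumed billing period


def percentile95(samples_mbps):
    """Assumed billing rule: sort the month's samples, discard the top 5 %,
    and bill the highest remaining value. Returns the billable rate in Mbps."""
    ordered = sorted(samples_mbps)
    n = len(ordered)
    discard = int(n * 0.05)                 # number of peak samples thrown away
    return ordered[n - discard - 1]


def month_samples(baseline_mbps, attack_mbps, attack_hours):
    """Constructed month of traffic: flat baseline usage, plus one sustained flood
    of `attack_hours` during which the link runs at `attack_mbps`."""
    total = SAMPLES_PER_DAY * DAYS_IN_MONTH
    attack_samples = int(attack_hours * SAMPLES_PER_DAY / 24)
    if attack_samples > total:
        raise ValueError("attack longer than the billing period")
    # where the flood falls in the month does not matter to a percentile
    return [attack_mbps] * attack_samples + [baseline_mbps] * (total - attack_samples)


def hours_before_flood_is_billed():
    """Longest flood (in hours) that the 5 % discard still absorbs entirely."""
    total = SAMPLES_PER_DAY * DAYS_IN_MONTH
    return int(total * 0.05) * 24 / SAMPLES_PER_DAY


if __name__ == "__main__":
    for hours in (12, 36, 37, 72):
        bill = percentile95(month_samples(10, 1000, hours))
        print(f"{hours:>3} h flood at 1000 Mbps on a 10 Mbps baseline -> billed at {bill} Mbps")
    print(f"floods up to {hours_before_flood_is_billed():.0f} h are absorbed by the 5 % discard")
```

The model makes the threshold explicit: under these assumptions a flood shorter than about 36 hours in a month disappears into the discarded 5%, while anything longer is billed as if the link had run at attack speed all month, which is the situation the paragraph above describes.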
ICMP-based DDoS or DRDoS
In this form of attack, spoofed ICMP packets are sent to the router with the intention of rendering it useless. During the peak of the attack it may consume 100% of your bandwidth and may even exceed it (e.g. 1 Gbit per second) if you are utilising dynamic throttling of bandwidth.
The best solution is to inform the ISP to tweak the ICMP parameters at the ISP's router to reject such packets, while at the same time ensuring that traceroute, which depends on ICMP replies generated when the TTL value is exceeded, is not affected. Deploying CAR (committed access rate) makes more logical sense.
This is one setting/modification which an ISP will gladly make, because it protects the whole of the ISP's network.
TCP/UDP-based DDoS attacks can also be mitigated at the ISP's end, but for that to happen the Sun would have to rise in the West. Until then, you should consider protecting Point C (as shown in the diagram) and deploy analyzers and other devices as per your requirements and investment policies.
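CAR is, at heart, a token-bucket policer: ICMP that fits within the committed rate and burst is transmitted, the excess is dropped, and other protocols are untouched. The following is an added example that models that behaviour over constructed traffic; it is not vendor code, and the 256 kbit/s rate, 8000-byte burst and packet sizes are assumptions rather than figures from the article.

```python
"""Token-bucket policer modelled on how CAR (committed access rate) treats ICMP at a
router: packets within the committed rate and burst are transmitted, the rest are
dropped. Added example with constructed traffic; it is not vendor code and the
rate/burst values are assumptions, not the article's. Timestamps are integer
milliseconds so the arithmetic is exact."""


class TokenBucket:
    """One bucket per policed class. Tokens are bytes; they refill at the committed
    rate and are capped at the normal burst size (extended burst is omitted here)."""

    def __init__(self, rate_bps, burst_bytes):
        self.bytes_per_ms = rate_bps // 8000     # 256 kbit/s -> 32 bytes per ms
        self.burst_bytes = burst_bytes
        self.tokens = burst_bytes                # bucket starts full
        self.last_ms = 0

    def conforms(self, size_bytes, now_ms):
        elapsed = max(0, now_ms - self.last_ms)
        self.last_ms = now_ms
        self.tokens = min(self.burst_bytes, self.tokens + elapsed * self.bytes_per_ms)
        if self.tokens >= size_bytes:
            self.tokens -= size_bytes            # conform-action: transmit
            return True
        return False                             # exceed-action: drop


def police_icmp(packets, rate_bps=256_000, burst_bytes=8_000):
    """packets: iterable of (timestamp_ms, protocol, size_bytes) in time order.
    Only ICMP is policed; everything else passes untouched.
    Returns (transmitted, dropped)."""
    bucket = TokenBucket(rate_bps, burst_bytes)
    transmitted = dropped = 0
    for ts, proto, size in packets:
        if proto != "icmp" or bucket.conforms(size, ts):
            transmitted += 1
        else:
            dropped += 1
    return transmitted, dropped


def icmp_flood(count=1000, size=1000):
    """Constructed flood: `count` ICMP packets of `size` bytes, one per millisecond
    (8 Mbit/s offered against a 256 kbit/s committed rate)."""
    return [(ms, "icmp", size) for ms in range(count)]


def benign_traffic():
    """Constructed normal traffic: three 64-byte pings one second apart, interleaved
    with full-size TCP segments that the ICMP policer must not touch."""
    return [(0, "icmp", 64), (500, "tcp", 1500), (1000, "icmp", 64),
            (1500, "tcp", 1500), (2000, "icmp", 64)]


if __name__ == "__main__":
    print("flood  (transmitted, dropped):", police_icmp(icmp_flood()))
    print("benign (transmitted, dropped):", police_icmp(benign_traffic()))
```

Under these settings the flood loses roughly 96% of its packets while the occasional ping and the TCP traffic pass unchanged. The caveat in the paragraph above still applies: a policer on ICMP as a whole also throttles the Time-Exceeded replies that traceroute relies on, so the rate and burst should be chosen so that normal diagnostic traffic stays well inside the committed rate.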
End of Part I.
Part II –
This blog will feature a snippet from the past, when an organization was hit by a DDoS (SSH brute force) which resulted in bandwidth clogging, and a unique solution saved the day.
A tool widely used for DoS; when multiple machines used the same software, the effect was a DDoS. This tool is recommended for pen-testers only.