A massive DDoS attack on DNS provider Dyn last Friday resulted in limited or no access for many users on major websites and platforms such as Twitter, Pardot, Spotify, New York Times, Netflix, SoundCloud and other popular websites. (Learn more about DNS in our ICANN article.) The attack was conducted using a self-replicating botnet called Mirai to infect devices connected to the Internet. Tens of millions of IP addresses were associated with the attack. This is not the first time a DNS network has fallen under attack – NSI experienced a massive, combination DDoS attack back in May that ranged from simple volumetric attacks to complex DNS lookup attacks.
Though there are different vectors for DDoS attacks, they all share the same goal: to overwhelm servers, firewalls or other perimeter defense devices by sending request packets at very high packet rates. The network becomes so overwhelmed that legitimate traffic can no longer reach a website. Here are five attack vectors that have become more popular in the past year:
- DNS (Domain Name System)
Attackers send fake DNS request packets at a high packet rate and from a very large group of source IP addresses. Because they look like valid requests, the victim’s DNS servers respond to them. This attack consumes large amounts of network resources that exhaust the DNS infrastructure until it goes offline. DNS flood attacks may also be amplified or reflected. DNS flood attacks have increased from 6% to 18% in the past year. See our DDoS infographic to learn more about how attacks are evolving and increasing.
- UDP (User Datagram Protocol) fragmentation
Attackers send large UDP packets (1500+ bytes) to consume more bandwidth with fewer packets. These fragmented packets are normally forged and cannot be reassembled, but the effort to do so can consume significant resources. Some firewalls will begin to indiscriminately drop all good and bad traffic to the destination server in order to remain up and running.
- NTP (Network Time Protocol)
Attackers use NTP as a variant of a UDP flood. Attackers send fake NTP request packets at a high packet rate and from a very large group of source IP addresses. Since these appear to be valid requests, the victim’s NTP servers respond to them. The NTP server can be overwhelmed by the vast number of requests. This attack consumes large amounts of network resources that exhaust the NTP infrastructure until it goes offline.
- SYN (short for synchronize)
Attackers send SYN packets at high packet rates that can overwhelm the victim by consuming its resources to process these incoming packets. In most cases if a server is protected by a firewall, the firewall will become a victim of the SYN flood itself and begin to flush its state table, taking all good connections offline or worse – reboot.
- SSDP (Simple Service Discovery Protocol)
SSDP is a protocol that enables networked devices to seamlessly connect with each other. These attacks were uncommon just a couple of years ago, but with the growing number of devices connected to the Internet (Internet of Things) they are now one of the most common types of attacks. Using SSDP can amplify an attack 30-fold, according to Sucuri.
Mitigating Attacks
Multi-vector attacks are becoming more common, and they are more difficult to mitigate. Acquiring different types of tools to mitigate different types of attacks is costly and ineffective. As attacks are becoming more complex and sophisticated, so must mitigation tools.
Data Foundry uses a sophisticated hybrid mitigation tool that employs profile-based optimization to distinguish between normal and potentially threatening traffic. Hybrid tools that use both on-premises and cloud-based scrubbing provide the best of both worlds – virtually no latency, plus the capacity to mitigate large-scale attacks.
Our inline, always-on mitigation tool builds a profile for your network based on your day-to-day traffic and provides mitigation against UDP, DNS, SYN and TCP floods, and a variety of other types of DDoS attacks. Tools with profile-based optimization are most effective when they’ve had time to build a profile for a network, which allows for optimal protection in the event of an attack.
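To illustrate the profile-based approach described above, here is an added example (not Data Foundry's tool or code) that learns a per-vector packets-per-second baseline from normal traffic and flags the vectors in a later window that exceed it; the threshold constants, the per-second sample data and the function names are all constructed assumptions for the example.

```python
"""Profile-based flood detection over per-second packet counts by DDoS vector.

Added example, not a vendor implementation. All data below is constructed.
"""
from statistics import mean, pstdev

VECTORS = ("dns", "udp_frag", "ntp", "syn", "ssdp")  # the five vectors in the post
MIN_PROFILE_SAMPLES = 30  # assumption: refuse to judge until the profile has 30 s of data
SIGMA = 4.0               # assumption: alert when a vector exceeds mean + 4 std devs
FLOOR_PPS = 500           # assumption: never alert on a vector below this absolute rate


def build_profile(history):
    """history: list of {vector: packets_per_second} dicts from normal traffic.

    Returns a per-vector alert threshold, or None while the profile is too
    young to be trusted (the cold-start case the post warns about).
    """
    if len(history) < MIN_PROFILE_SAMPLES:
        return None
    profile = {}
    for v in VECTORS:
        samples = [second.get(v, 0) for second in history]
        mu, sd = mean(samples), pstdev(samples)
        profile[v] = max(FLOOR_PPS, mu + SIGMA * sd)  # learned threshold for this vector
    return profile


def classify_window(profile, window):
    """Return the vectors whose current rate exceeds the learned threshold."""
    if profile is None:
        return None  # no decision yet: profile still being built
    return [v for v in VECTORS if window.get(v, 0) > profile[v]]


# Constructed baseline: 60 seconds of normal traffic with small deterministic jitter
NORMAL = [{"dns": 2000 + (i % 7) * 10, "udp_frag": 20 + (i % 3),
           "ntp": 10 + (i % 2), "syn": 1500 + (i % 5) * 8, "ssdp": 2}
          for i in range(60)]
# Constructed observations: one ordinary second and one multi-vector flood second
QUIET = {"dns": 2040, "udp_frag": 22, "ntp": 11, "syn": 1520, "ssdp": 2}
FLOOD = {"dns": 48000, "udp_frag": 25, "ntp": 9, "syn": 120000, "ssdp": 3500}

if __name__ == "__main__":
    prof = build_profile(NORMAL)
    print("thresholds:", prof)
    print("quiet second:", classify_window(prof, QUIET))  # []
    print("flood second:", classify_window(prof, FLOOD))  # ['dns', 'syn', 'ssdp']
```

The absolute floor keeps near-idle vectors such as SSDP from alerting on a handful of extra packets, while the sigma rule still catches a multi-vector flood that pushes several counters far past their learned baseline.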
Learn more about Data Foundry’s DDoS Mitigation Service.