A DDoS attack is difficult for an enterprise to assess: a large number of compromised systems, generally infected with a Trojan, are used to target a single system. In this attack, the attacker sends hundreds of thousands of requests to the network from numerous sources, so it is practically impossible to identify and stop the traffic by blocking a single IP address. As a result, the system is forced to shut down, and legitimate users can no longer access the service. Perpetrators of DDoS attacks target high-profile web servers such as banks, credit card payment services, and root name servers.
Types of DDoS Attack:
DDoS attacks are getting smarter and more sophisticated; some well-known types are discussed below.
- UDP flood: In a UDP (User Datagram Protocol) flood, large numbers of packets are sent to random ports of a remote host. The host checks for an application listening on each port, finds none, and replies with an ICMP packet. Generating all these ICMP replies exhausts the host, so legitimate users cannot access the system.
- SYN flood: A SYN flood sends spoofed connection requests, often from many sources, to the targeted system; the server responds with an acknowledgement (SYN-ACK) packet to the false IP address to complete the TCP handshake. The flooding host never answers with the final ACK. The server waits for the missing ACK, which consumes its resources and results in denial of service.
- Ping of Death: A POD (Ping of Death) attack sends packets larger than the maximum allowed size, with a spoofed source IP address; the oversized packet causes the server to reboot or crash.
- Reflected attack: Fake packets are sent to numerous computers; when all of them reply to a spoofed address at once, the site goes down as the server's resources are consumed.
- Peer-to-peer: An attempt to flood the network with bogus packets, thereby preventing legitimate network traffic.
- Nuke: In this method, corrupted packets are sent to the target system via a modified ping. It is an old DDoS method.
- Slowloris: The attacker uses few resources, sending requests with partial HTTP headers to the targeted system but never completing them, keeping the connections open for as long as possible.
- Degradation-of-service attacks: Spoofed computers send malicious traffic to a targeted system, causing performance and page-loading problems. It never takes the site offline but degrades system performance.
- Unintentional DDoS: When web traffic to the server rises sharply, the server fails to respond to requests. Server resources are consumed rapidly by the incoming traffic, forcing the server offline.
- Application-level attack: The attacker targets a vulnerable application on the system rather than the whole server.
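As an added example that is not part of the original article, the following Python script flags the half-open connection backlog that a SYN flood leaves behind on the target. It parses a constructed socket table laid out like `ss -tan` output; the half-open threshold is an assumed tuning value, not a figure from the article.

```python
"""Flag SYN-flood symptoms from a socket-state table (added example, not the article's)."""
from collections import Counter, defaultdict

# Constructed sample in the column layout of `ss -tan` (State, Recv-Q, Send-Q,
# Local Address:Port, Peer Address:Port); not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN     0      128    0.0.0.0:443         0.0.0.0:*
ESTAB      0      0      10.0.0.5:443        198.51.100.7:51234
SYN-RECV   0      0      10.0.0.5:443        203.0.113.10:40001
SYN-RECV   0      0      10.0.0.5:443        203.0.113.11:40002
SYN-RECV   0      0      10.0.0.5:443        203.0.113.12:40003
SYN-RECV   0      0      10.0.0.5:443        203.0.113.13:40004
SYN-RECV   0      0      10.0.0.5:443        203.0.113.14:40005
SYN-RECV   0      0      10.0.0.5:22         192.0.2.9:50000
"""

def parse_socket_table(text):
    """Yield (state, local_port, peer_ip) for each data row; the header is skipped."""
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        state, local, peer = fields[0], fields[3], fields[4]
        yield state, local.rsplit(":", 1)[1], peer.rsplit(":", 1)[0]

def half_open_by_port(text):
    """Map local port -> (number of SYN-RECV sockets, number of distinct peers)."""
    counts = Counter()
    peers = defaultdict(set)
    for state, port, peer_ip in parse_socket_table(text):
        if state == "SYN-RECV":          # handshake begun, final ACK never arrived
            counts[port] += 1
            peers[port].add(peer_ip)
    return {p: (counts[p], len(peers[p])) for p in counts}

def syn_flood_suspects(text, min_half_open=5):
    """Ports whose half-open backlog reaches the (assumed) threshold. A flood from
    spoofed sources shows many distinct peers with almost no completed handshakes."""
    return {p: stats for p, stats in half_open_by_port(text).items()
            if stats[0] >= min_half_open}

if __name__ == "__main__":
    for port, (n, distinct) in syn_flood_suspects(SAMPLE_SS_OUTPUT).items():
        print(f"port {port}: {n} half-open connections from {distinct} distinct peers")
```

On a live host the same functions can be fed the real `ss -tan` output; a steadily growing SYN-RECV count on one port with many distinct peers is the symptom to report to the ISP.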
Some Facts about DDoS:
According to a report by Solution, a provider of security management services:
- Companies have to pay $6,500 an hour to recover from a DDoS attack, and for up to 30 days a company has to pay $3,000 per day to mitigate and recover from malware infections.
- 90% of all attacks, including DDoS attacks, coming from China-based IP addresses target industries such as business services, technology, and finance.
- 85% of all attacks, including DDoS attacks, coming from Japan-based IP addresses target the manufacturing industry.
- The average packet rate reached 47.4 Mpps and the average bandwidth reached 49.24 Gbps.
- Attack duration increased from 17 hours to 38 hours in 2013.
Historical Cases of DDoS attack:
Many enterprises have experienced DDoS attacks in the past that forced them to shut down their servers. Fortunately, those enterprises recovered rapidly and restored their servers to their previous state.
In March 2013, Spamhaus was hit by a DDoS attack flooding it with requests at a bandwidth of 300 Gbps (Giga byte per second), believed to be the biggest attack in the history of cybercrime. Nearly 21.7 million open DNS resolvers were used to generate fake traffic against Spamhaus. Spamhaus maintains filters for email spam and distributes them to email providers.
In July 2013, Network Solutions, which offers hosting, domain name registration, SSL certificates, and web administration services, was under a DDoS attack that carried 49.24 Gbps. According to the report, almost 5,000 domains were affected during this attack. However, the company reassured its clients that its services were functioning normally, and within a few days it was back to normal service, maintaining its customers' confidence in the company.
Recovery from DDoS:
To recover from a DDoS attack, the following steps are essential; through them an organization can restore its network position and continue with standard performance.
- After being hit by a DDoS attack, contact your ISP for emergency steps. The ISP can redirect a large portion of the attack traffic away from your network.
- Provide details about the affected IP addresses and URLs, the type and volume of traffic, and the damage caused by the attack, because your ISP will have little information about your organization.
- Block the traffic at the network edge, on devices such as the firewall and router.
- Disable the application if it is the target of the attack.
- Apply rate limiting for specific protocols to reduce the number of packets.
- Scan your targeted network for vulnerabilities.
- An organization with packet capture capability may recognize the delivery method of the attack and potentially configure a precise Intrusion Prevention System (IPS).
- Monitor system logs, which can provide a clear picture of the organization's environment.
- Perform enterprise risk management to determine the cost of the affected areas of the organization.
- Use a DDoS mitigation service to redirect traffic to off-site filters; this involves replicating critical components and implementing DNS techniques.
- The company may need to hire extra personnel or a third-party consultant, and it loses revenue due to system downtime.
Precautions against DDoS:
- An enterprise needs technical expertise to analyze traffic, distinguish the symptoms of a DDoS attack, and block attacks on the basis of their characteristics. Even an IPS (intrusion prevention system) that relies on signature-based technology is a traditional practice that fails to protect against DDoS attacks; therefore it is better to use an anti-DoS solution that includes anti-DDoS technology and anti-DDoS emergency response services.
- Anti-DDoS technology, which uses specialized hardware such as ASIC-based DDoS mitigation engines, can mitigate DDoS attacks easily, and NBA (network behavioral analysis) separates DDoS traffic from normal traffic at all layers. Anti-DDoS technology assures the enterprise that no attack goes unnoticed, including multi-vector attacks. It is advisable to choose experienced security engineers who are knowledgeable about DDoS mitigation and anti-DDoS operation. The enterprise must select an anti-DDoS service provider that offers 24/7 service to lessen the impact of any type of DDoS attack.
- Besides the above steps, educate your personnel, prioritize critical and non-critical assets, collect information about the infrastructure environment, develop a robust incident response plan, and identify the threats.
- Reject all spoofed traffic and block all hosts identified in previous DDoS attacks.
- Create a checklist of IPs whose traffic gets priority during an attack.
- All steps taken during recovery from an attack should be reviewed to identify areas for improvement.
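As an added example that is not part of the original article, the following Python script ties together two items from the lists above: it summarizes per-source request rate, paths and byte volume from a constructed web access log (the affected IPs, URLs and traffic volume the recovery steps say to hand to the ISP), and it keeps the IPs on an assumed priority checklist out of the rate-limit candidates. The log lines, the priority list and the rate threshold are all assumptions.

```python
"""Rank request sources in a web access log, honouring a priority IP list (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed combined-log-format lines, not from a real server: 203.0.113.10 hammers
# /login, 192.0.2.9 is a busy but legitimate monitor that is on the priority checklist.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2013:14:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "bot"
203.0.113.10 - - [10/Mar/2013:14:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "bot"
203.0.113.10 - - [10/Mar/2013:14:00:02 +0000] "GET /login HTTP/1.1" 503 0 "-" "bot"
198.51.100.7 - - [10/Mar/2013:14:00:03 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla"
192.0.2.9 - - [10/Mar/2013:14:00:01 +0000] "GET /api HTTP/1.1" 200 64 "-" "monitor"
192.0.2.9 - - [10/Mar/2013:14:00:02 +0000] "GET /api HTTP/1.1" 200 64 "-" "monitor"
192.0.2.9 - - [10/Mar/2013:14:00:03 +0000] "GET /api HTTP/1.1" 200 64 "-" "monitor"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3}) (\d+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
PRIORITY_IPS = {"192.0.2.9"}  # assumed "checklist of IPs" whose traffic keeps priority

def parse_log(text):
    """Yield (ip, timestamp, path, status, bytes) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, ts, path, status, size = m.groups()
            yield ip, datetime.strptime(ts, TS_FMT), path, int(status), int(size)

def source_summary(text):
    """Per source IP: request count, requests/second over its active span, paths, bytes."""
    rows = defaultdict(list)
    for ip, ts, path, _status, size in parse_log(text):
        rows[ip].append((ts, path, size))
    summary = {}
    for ip, entries in rows.items():
        times = [e[0] for e in entries]
        span = max((max(times) - min(times)).total_seconds(), 1.0)  # avoid /0 for one hit
        summary[ip] = {"requests": len(entries), "rps": len(entries) / span,
                       "paths": sorted({e[1] for e in entries}),
                       "bytes": sum(e[2] for e in entries)}
    return summary

def rate_limit_candidates(text, threshold_rps=2.0):
    """Sources at or above the (assumed) threshold and not on the priority list, highest
    rate first; each entry carries the IP, URLs and volume the recovery steps hand to the ISP."""
    return sorted(((ip, s) for ip, s in source_summary(text).items()
                   if s["rps"] >= threshold_rps and ip not in PRIORITY_IPS),
                  key=lambda item: item[1]["rps"], reverse=True)
```

Calling `rate_limit_candidates(SAMPLE_LOG)` returns only the /login source with its paths and byte volume; tune `threshold_rps` to the site's normal per-client rate so that busy legitimate clients are not listed.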
A DDoS attack is a critical attack that can do a lot of damage to an enterprise and disrupt the availability of network resources. If an organization takes some initial steps, it is possible to lessen the effectiveness of such an attack. It directly affects clients' service and confidence and the company's revenue. I hope this document will be helpful for system administrators, security response teams, IT security operations, and other related technology groups.