The DDoS Story - From Rise to Destruction

A distributed denial-of-service (DDoS) attack floods a single target from many systems at once, traditionally a botnet of compromised machines infected with a Trojan, until legitimate users can no longer get through. The attack that hit GitHub in 2018 showed that the "many systems" need not be compromised at all.

Image

image-source: wideinfo

On 28 February 2018 the code hosting site GitHub was hit by what was then the largest DDoS attack on record. It peaked at 1.35 Tbps and 126.9 million packets per second according to the published numbers. The traffic did not come from a botnet: it was bounced off publicly reachable memcached servers, which turn a small request into a response up to roughly 51,000 times larger.

The attack works as follows. The attacker sends a small forged request to an exposed memcached server on UDP port 11211 with the source address spoofed to the victim's IP. Because UDP has no handshake, the server cannot tell that the request is forged and sends its much larger reply to the victim. Repeating this against thousands of exposed servers at once concentrates all of their replies on the target.

The notable thing about this attack, then, was that no botnet was reported; the memcached servers themselves were used as reflectors and amplifiers.

Image

image-source: Cloudflare

We will come back to memcached in more detail, but first some clarity about DDoS: what it is, its types, its impact and, last but not least, the countermeasures to take.

What is DDoS?

A denial-of-service (DoS) attack makes a system unavailable to its legitimate users by exhausting some resource: link bandwidth, connection state in servers or firewalls, or the application's own capacity. A distributed denial-of-service (DDoS) attack does the same from many sources at once, typically a botnet of compromised machines (often infected with a Trojan) or, as in the GitHub case, third-party servers abused as reflectors. The distribution is what makes it hard to stop: there is no single source to block, and the combined traffic can exceed anything one site can absorb on its own.

Types of DDoS attack

1. Volume Based Attacks: saturate the target's bandwidth and are measured in bits per second. The reflection and amplification attacks (NTP, DNS, SNMP, memcached) fall here.

2. Protocol Attacks: exhaust connection state in servers, load balancers or firewalls rather than bandwidth, and are measured in packets per second. SYN flood, IP fragmentation and Ping of Death fall here.

3. Application Layer Attacks: exhaust the application itself with requests that look legitimate, and are measured in requests per second. HTTP flood is the typical example.

Flood Attacks

SYN Flood

A TCP SYN flood exploits the first step of the normal TCP three-way handshake. The server answers each SYN with a SYN-ACK and keeps a half-open connection in its backlog while it waits for the final ACK; the attacker sends SYNs, usually from spoofed source addresses, and never completes the handshake.

The attacker only needs to send SYNs faster than half-open entries time out. Once the backlog is full, new legitimate connections are refused, so this is a state-exhaustion (protocol) attack rather than a bandwidth attack: it works at a packet rate far below link saturation. The standard kernel defence is SYN cookies, which encode the connection state in the SYN-ACK sequence number so that nothing is stored until the client's ACK arrives.
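The half-open state described above is exactly what a detector has to track. The following is an added example for this article (not code from the original page): it replays constructed packet summaries through the same per-connection table a firewall's connection tracker keeps and alerts when a server accumulates too many SYNs that were never followed by the client's ACK. The timeout and threshold values are illustrative assumptions, not kernel defaults.

```python
"""Detecting a SYN flood from TCP handshake records.

Added example for this article, not code from the original page. It keeps
the same per-connection state a firewall's connection tracker keeps and
raises an alert when a server accumulates too many half-open connections
(SYN seen, completing ACK never seen) inside a timeout window. The packet
records are constructed for the demo; the timeout and threshold values are
illustrative assumptions, not kernel defaults.
"""

# Constructed packet summaries: (timestamp_s, src_ip, dst_ip, tcp_flags)
# "S" = SYN from client, "SA" = SYN-ACK from server, "A" = client's final ACK.
LEGIT_CLIENT = [
    (0.00, "10.0.0.5", "192.0.2.10", "S"),
    (0.01, "192.0.2.10", "10.0.0.5", "SA"),
    (0.02, "10.0.0.5", "192.0.2.10", "A"),
]
# Eight SYNs from spoofed sources that never answer the server's SYN-ACK.
SPOOFED_SYNS = [
    (1.00 + i * 0.01, f"198.51.100.{i + 1}", "192.0.2.10", "S") for i in range(8)
]
PACKETS = LEGIT_CLIENT + SPOOFED_SYNS


def syn_flood_alerts(packets, timeout=3.0, threshold=5):
    """Return {server_ip: (alert_time, half_open_count)}.

    A server is reported the first time its number of half-open connections
    younger than `timeout` seconds reaches `threshold`.
    """
    pending = {}      # (client, server) -> time the SYN arrived
    alerts = {}
    for ts, src, dst, flags in sorted(packets):
        if flags == "A":
            pending.pop((src, dst), None)       # handshake completed, state released
            continue
        if flags != "S":
            continue                            # SYN-ACK is the server's reply; no new state
        pending[(src, dst)] = ts
        # Expire entries older than the timeout, as the kernel does once its
        # SYN-ACK retransmissions give up.
        for key in [k for k, t0 in pending.items() if ts - t0 > timeout]:
            del pending[key]
        half_open = sum(1 for (_, server) in pending if server == dst)
        if half_open >= threshold and dst not in alerts:
            alerts[dst] = (ts, half_open)
    return alerts


if __name__ == "__main__":
    for server, (when, count) in syn_flood_alerts(PACKETS).items():
        print(f"{server}: {count} half-open connections at t={when:.2f}s")
```

The legitimate client's entry is removed as soon as its ACK arrives, so only the spoofed sources count against the server; with these inputs the alert fires on the fifth spoofed SYN. On a Linux host the corresponding defence is net.ipv4.tcp_syncookies=1, which keeps the backlog from filling in the first place.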

HTTP Flood

An HTTP flood is an attack in which the attacker sends seemingly legitimate HTTP GET or POST requests to a web server or application, typically to expensive endpoints such as search pages or login forms, faster than the application can answer them.

HTTP floods are application layer attacks, not volumetric ones: the bandwidth involved is small and each request is individually valid, so they cannot be filtered on packet size or packet rate alone. They are usually launched from a botnet (a "zombie army" of Internet-connected computers taken over with malware such as Trojan Horses), which spreads the requests across many source addresses.

Amplification and Malformed-Packet Attacks

NTP Amplification

An NTP amplification attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker abuses Network Time Protocol (NTP) server functionality in order to overwhelm a targeted network or server with an amplified amount of UDP traffic, rendering the target and its surrounding infrastructure inaccessible to regular traffic. The classic vector is the monlist command (NTP mode 7), which returns up to the last 600 addresses that talked to the server: a small request with the victim's spoofed source address produces a response hundreds of times larger. Servers running ntpd 4.2.7p26 or later, or configured with the noquery restriction, do not answer it.

Image

DNS Amplification

DNS amplification is a DDoS attack in which the attacker abuses open DNS resolvers, servers that answer recursive queries from anyone on the Internet, to turn small queries into much larger responses directed at the victim. The attacker sends queries with the source address spoofed to the victim's IP, typically asking for a record with a large answer (an ANY query, or a TXT record the attacker planted in their own domain), so each query of a few dozen bytes becomes a response of several thousand bytes delivered to the victim. The resolvers are not exploited through a vulnerability; they are simply doing their job for a forged client.

Image

IP Fragmentation

IP fragmentation attacks are a common form of denial of service attack in which the attacker overwhelms a network or host by abusing the datagram fragmentation mechanism.

Understanding the attack starts with understanding IP fragmentation itself: when a datagram is larger than the MTU of a link it crosses, it is split into fragments, transmitted across the network and reassembled into the original datagram at the destination. The receiver must hold fragments in memory until the whole datagram has arrived, so an attacker can exhaust that reassembly buffer with streams of fragments whose final piece never comes, or crash a weak implementation with overlapping fragments (the Teardrop attack). Since only the first fragment carries the TCP or UDP header, fragments are also used to slip past filters that inspect ports.

Ping Of Death

Ping of Death (PoD) is a denial-of-service attack in which an attacker attempts to crash, destabilize or freeze the targeted computer or service by sending malformed or oversized packets with a simple ping command. The original form sent an ICMP echo request whose fragments reassembled to more than the 65,535-byte maximum IP packet size, overflowing the reassembly buffer in operating systems of the 1990s.

PoD exploits legacy weaknesses that have long been patched, so it is only relevant against unpatched systems. It should not be confused with the Ping flood, which is simply volumetric: the target is hit with ICMP echo requests sent as fast as possible without waiting for replies, consuming bandwidth and CPU on both sides.

SNMP Amplification

An SNMP reflection is a distributed denial of service (DDoS) attack that works like the DNS amplification attack above.

Instead of DNS, it uses the Simple Network Management Protocol (SNMP), the protocol used for configuring and collecting information from network devices such as servers, switches, routers and printers. SNMP runs over UDP port 161 and, in versions 1 and 2c, authenticates with nothing more than a community string, often still the default "public"; a spoofed GetBulk request carrying the victim's source address makes the device send a large table of management data to the victim.

SNMP reflection attacks can generate attack volumes of hundreds of gigabits per second, directed at targets from devices on many broadband networks at once. Attacks sometimes last hours, are highly disruptive to their targets and can be very challenging to mitigate.
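All of the reflection attacks in this section (NTP, DNS, SNMP, and memcached later on) share one signature at the victim's edge: UDP traffic whose source port is a well-known service, arriving from many distinct servers at once with large packets. The block below is an added example for this article, not code from the original page or any product: it runs that check over constructed NetFlow-style records. The reflector port table and thresholds are assumptions to tune for your own traffic.

```python
"""Spotting reflection/amplification traffic in flow records.

Added example for this article, not code from the original page. Given
NetFlow-style records as seen at the victim's edge, it groups UDP traffic
whose *source* port belongs to a known reflector service by destination and
flags a destination that is receiving large replies from several distinct
reflectors at once. Flows, port table and thresholds are constructed
assumptions for the demo.
"""
from collections import defaultdict, namedtuple

Flow = namedtuple("Flow", "src_ip src_port dst_ip dst_port proto packets bytes")

# Services commonly abused as reflectors, keyed by the port replies come from.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP", 11211: "memcached"}

FLOWS = [
    # Ordinary traffic: one resolver answering one client with small replies.
    Flow("192.0.2.53", 53, "203.0.113.7", 51234, "udp", 20, 2400),
    # memcached reflection: four exposed servers hammering one victim with
    # near-MTU-sized UDP replies aimed at its HTTPS port.
    *[Flow(f"198.51.100.{i}", 11211, "203.0.113.7", 443, "udp", 5000, 5000 * 1400)
      for i in range(1, 5)],
    # NTP monlist reflection from three servers (482-byte response packets).
    *[Flow(f"198.51.100.{i}", 123, "203.0.113.7", 443, "udp", 3000, 3000 * 482)
      for i in range(10, 13)],
    # TCP from port 53 (a zone transfer, say) is not reflection: must be UDP.
    Flow("192.0.2.54", 53, "203.0.113.8", 40000, "tcp", 50, 70000),
]


def reflection_report(flows, min_reflectors=3, min_avg_bytes=400):
    """Return {victim_ip: {service: {reflectors, bytes, avg_packet_bytes}}}
    for victims hit by at least `min_reflectors` distinct sources of one
    service whose average packet size is at least `min_avg_bytes`."""
    stats = defaultdict(lambda: defaultdict(
        lambda: {"reflectors": set(), "packets": 0, "bytes": 0}))
    for f in flows:
        if f.proto != "udp" or f.src_port not in REFLECTOR_PORTS:
            continue
        entry = stats[f.dst_ip][REFLECTOR_PORTS[f.src_port]]
        entry["reflectors"].add(f.src_ip)
        entry["packets"] += f.packets
        entry["bytes"] += f.bytes
    report = {}
    for victim, services in stats.items():
        for service, e in services.items():
            avg = e["bytes"] / e["packets"]
            if len(e["reflectors"]) >= min_reflectors and avg >= min_avg_bytes:
                report.setdefault(victim, {})[service] = {
                    "reflectors": len(e["reflectors"]),
                    "bytes": e["bytes"],
                    "avg_packet_bytes": round(avg),
                }
    return report


if __name__ == "__main__":
    for victim, services in reflection_report(FLOWS).items():
        for service, e in services.items():
            print(f"{victim} <- {service}: {e['reflectors']} reflectors, "
                  f"{e['bytes'] / 1e6:.1f} MB, avg {e['avg_packet_bytes']} B/pkt")
```

The single resolver answering a real client drops out because it is one source sending small packets, while the memcached and NTP groups are reported. The same grouping, keyed by source port, is what an upstream provider uses to build the temporary filters that drop "UDP from port 11211 to your prefix" during an attack.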

Getting into Memcached

Memcached is a well-known open source distributed caching system that is easy to deploy. It uses idle RAM on servers as a memory cache for frequently accessed data, storing objects in memory as key-value pairs, and listens on port 11211 over both TCP and UDP. Until version 1.5.6, released in late February 2018, the UDP listener was enabled by default. Memcached has no authentication at all: it was designed for trusted networks and was never meant to be reachable from the Internet.

Memcached was designed to improve the performance of dynamic web applications by taking load off the database. This not only improves response time but also helps the application scale. GitHub, Facebook, YouTube and IBM are among the sites that use it.

Without a cache, displaying a piece of information requires these steps:

- Load the information from the database

- Filter and format the data into the form the user should see

- Display the final data

With memcached in front of the database there are two cases:

Scenario 1 (cache hit)

Load the information from the cache

If it is there, display it

Scenario 2 (cache miss)

Load the information from the cache

If it is not there, do the same work as without a cache:

- Load the information from the database

- Filter and format the data into the form the user should see

- STORE THE RESULT IN THE CACHE (so future requests take the Scenario 1 path)

- Display the final data

Note that only the filtered, display-ready result is cached, so secrets that were in the database row never reach a cache that every host on the network can read.
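The two scenarios above are the cache-aside pattern. Here is an added example of it in code (not from the original page or from the memcached project). FakeMemcache is a constructed in-memory stand-in with the get/set(key, value, expire) call shape of the pymemcache client so that the flow runs offline; a real client pointed at 127.0.0.1:11211 drops in unchanged. The user table, key format and TTL are assumptions for the demo.

```python
"""Cache-aside read path with memcached, as the two scenarios above describe.

Added example, not code from the original page or from memcached itself.
FakeMemcache is a constructed in-memory stand-in with the get/set(key, value,
expire) call shape of the pymemcache client, so the flow runs offline. The
user table, key format and TTL are assumptions for the demo.
"""
import json
import time


class FakeMemcache:
    def __init__(self, clock=time.monotonic):
        self._store = {}
        self._clock = clock

    def get(self, key):
        item = self._store.get(key)
        if item is None:
            return None
        value, expires_at = item
        if expires_at is not None and self._clock() >= expires_at:
            del self._store[key]                      # expired: behaves like a miss
            return None
        return value

    def set(self, key, value, expire=0):
        expires_at = self._clock() + expire if expire else None
        self._store[key] = (value, expires_at)


# Constructed "database": the row carries a secret the UI never needs.
USERS_DB = {
    42: {"id": 42, "name": "alice", "email": "alice@example.com",
         "password_hash": "$2b$12$constructed.hash.value.for.the.demo"},
}


class UserProfileService:
    def __init__(self, cache, db, ttl=300):
        self.cache, self.db, self.ttl = cache, db, ttl
        self.db_reads = 0                             # counts the expensive path

    @staticmethod
    def _present(row):
        # Data-filtering step: shape the row for display and strip fields that
        # must never sit in a cache shared across hosts.
        return {"id": row["id"], "name": row["name"], "email": row["email"]}

    def get_profile(self, user_id):
        key = f"user:profile:v1:{user_id}"          # versioned so a schema change never serves stale shapes
        cached = self.cache.get(key)
        if cached is not None:                        # Scenario 1: cache hit
            return json.loads(cached)
        self.db_reads += 1                            # Scenario 2: cache miss, load from the database
        row = self.db.get(user_id)
        if row is None:
            return None
        profile = self._present(row)
        self.cache.set(key, json.dumps(profile), expire=self.ttl)
        return profile


def demo():
    clock = [0.0]                                     # controllable clock so expiry is testable
    cache = FakeMemcache(clock=lambda: clock[0])
    svc = UserProfileService(cache, USERS_DB, ttl=300)
    first = svc.get_profile(42)                       # miss: database read number 1
    second = svc.get_profile(42)                      # hit: served from cache
    clock[0] = 301.0
    third = svc.get_profile(42)                       # TTL expired: database read number 2
    return first, second, third, svc.db_reads


if __name__ == "__main__":
    print(demo())
```

Two choices in this code matter for security rather than speed: the cached value is the filtered presentation object, not the raw row, so the password hash never enters memcached; and the key carries a version so that a deployment which changes the profile shape does not read back objects written by the old code.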

Countermeasures

1. Zombie (bot) detection: tell automated sources from real clients by behaviour (request rate, missing cookies or JavaScript execution, challenge pages) rather than by address alone, since botnet traffic arrives from thousands of otherwise ordinary IPs.

2. IP address filter lists: drop traffic from ranges that have no business reaching the service, such as bogon space, unexpected geographies or networks known for reflector abuse.

3. IP block and allow lists: explicit denial for sources seen attacking and explicit trust for known partners and monitoring systems, so that rate limits never cut off traffic you depend on.

4. Shaping: rate limit per source (and per expensive resource) so that a single client cannot consume more than its share; this is the main defence against HTTP floods.

5. Invalid packets: drop malformed, out-of-state or impossible packets at the edge (fragments that never complete, SYN-ACKs for connections never opened, packets with spoofed source addresses rejected by ingress filtering per BCP 38).

None of these helps once an attack exceeds your own link capacity; volumetric attacks of the GitHub scale are absorbed only by upstream scrubbing or anycast-based mitigation services.
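Items 3 and 4 above, combined, are what an edge filter does against an HTTP flood. The following is an added example for this article (not code from the original page or from any web server or CDN): it parses combined-format access-log lines, consults an explicit block list and allow list first, then applies a per-client token bucket so that a source sending fifty requests in one second is throttled while ordinary clients pass. The log lines, addresses and limits are constructed for the demo.

```python
"""Per-client shaping plus allow/block lists in front of a web application.

Added example for this article, not code from the original page. It parses
Apache/Nginx combined-format access-log lines, applies an explicit block
list and allow list first, then a token-bucket rate limit per client IP.
Log lines, addresses and limits below are constructed for the demo.
"""
import re
from datetime import datetime

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')


def parse_line(line):
    """Return (client_ip, unix_time, request_line) or None for junk lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return m.group("ip"), ts, m.group("req")


class TokenBucket:
    """Sustains `rate` requests per second with bursts of up to `burst`."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, None

    def allow(self, now):
        if self.last is not None:                 # refill for the time elapsed
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class EdgeFilter:
    def __init__(self, rate, burst, allowlist=(), blocklist=()):
        self.rate, self.burst = rate, burst
        self.allowlist, self.blocklist = set(allowlist), set(blocklist)
        self.buckets = {}                         # one bucket per client IP

    def decide(self, ip, now):
        if ip in self.blocklist:
            return "block"
        if ip in self.allowlist:
            return "allow"                        # monitoring and partners bypass shaping
        bucket = self.buckets.setdefault(ip, TokenBucket(self.rate, self.burst))
        return "allow" if bucket.allow(now) else "rate-limited"


def run(lines, edge):
    """Return {client_ip: {decision: count}} after filtering every line."""
    summary = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, _ = parsed
        decision = edge.decide(ip, ts)
        summary.setdefault(ip, {}).setdefault(decision, 0)
        summary[ip][decision] += 1
    return summary


def log_line(ip, second, path):
    """Constructed combined-format line at 12:00:<second> on 1 March 2018."""
    return (f'{ip} - - [01/Mar/2018:12:00:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"')


LOG = (
    [log_line("10.0.0.5", s, "/") for s in (0, 1, 2)]                       # normal browsing
    + [log_line("198.51.100.9", 0, f"/search?q={i}") for i in range(50)]   # HTTP flood source
    + [log_line("203.0.113.99", 1, "/")]                                    # known-bad address
    + [log_line("192.0.2.1", 0, "/healthz") for _ in range(50)]            # trusted monitor
)


def demo():
    edge = EdgeFilter(rate=5, burst=10,
                      allowlist={"192.0.2.1"}, blocklist={"203.0.113.99"})
    return run(LOG, edge)


if __name__ == "__main__":
    for ip, decisions in demo().items():
        print(ip, decisions)
```

The flood source gets its first ten requests through (the burst) and is then throttled, because no time passes between its requests and the bucket never refills; the normal client, spread over three seconds, is never touched. Per-IP shaping alone does not stop a large botnet, where each bot stays under the limit, which is why item 1 (behavioural detection) is listed alongside it.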

To stop memcached being used as a reflector, disable its UDP listener (start it with -U 0, the default since version 1.5.6), bind it to localhost or a private interface with -l, and firewall port 11211 from the Internet. Network operators should additionally rate limit or block inbound UDP traffic sourced from port 11211 at their edge, and deploy ingress filtering (BCP 38) so that spoofed packets cannot leave their networks in the first place.
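The two settings that matter are easy to check mechanically. The block below is an added example for this article, not code from the memcached project: it reads Debian-style /etc/memcached.conf text (one option per line, '#' comments) or a memcached command line and reports whether the UDP listener is on and whether the daemon binds to every interface. The option names are memcached's own (-U/--udp-port, -l/--listen); the configuration texts are constructed for the demo, and a private bind address is treated as acceptable only on the assumption that port 11211 is also firewalled.

```python
"""Auditing a memcached instance's exposure to reflection abuse.

Added example for this article, not code from the memcached project. Reads
Debian-style /etc/memcached.conf text or a memcached command line and flags
the two settings behind the attack: an enabled UDP listener (-U/--udp-port)
and a bind to all interfaces (-l/--listen). Config texts are constructed.
"""
import shlex

PUBLIC_BINDS = {"0.0.0.0", "::", "INADDR_ANY"}


def options_from_conf(text):
    """Flatten a memcached.conf (one option per line, '#' comments) to argv tokens."""
    tokens = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            tokens.extend(shlex.split(line))
    return tokens


def parse_options(tokens):
    """Map each flag to its value (True for bare flags).

    Handles '-U 0', '-U0', '--udp-port 0' and '--udp-port=0'.
    """
    opts, i = {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("--") and "=" in tok:
            key, value = tok.split("=", 1)
            opts[key] = value
            i += 1
        elif tok.startswith("-") and not tok.startswith("--") and len(tok) > 2:
            opts[tok[:2]] = tok[2:]                      # attached value, e.g. -U0
            i += 1
        elif tok.startswith("-") and i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
            opts[tok] = tokens[i + 1]
            i += 2
        else:
            opts[tok] = True
            i += 1
    return opts


def audit(opts):
    """Return a list of findings; an empty list means the instance is not a reflector."""
    findings = []
    udp = opts.get("-U", opts.get("--udp-port"))
    if udp is None:
        findings.append("UDP port not set: memcached before 1.5.6 enables UDP 11211 "
                        "by default; add '-U 0' explicitly")
    elif str(udp) != "0":
        findings.append(f"UDP listener enabled on port {udp}; set '-U 0'")
    bind = opts.get("-l", opts.get("--listen"))
    if bind is None or any(b.strip() in PUBLIC_BINDS for b in str(bind).split(",")):
        findings.append("binds to all interfaces; set '-l 127.0.0.1' (or a private "
                        "address) and firewall TCP/UDP 11211 from the Internet")
    return findings


def audit_conf(text):
    return audit(parse_options(options_from_conf(text)))


def audit_cmdline(cmdline):
    return audit(parse_options(shlex.split(cmdline)))


# Constructed: a pre-1.5.6 style config that never mentions UDP and binds everywhere.
EXPOSED_CONF = """
-m 64
-p 11211
-u memcache
-l 0.0.0.0
"""

# Constructed: the hardened equivalent.
HARDENED_CONF = """
-m 64
-p 11211
-U 0            # no UDP listener
-u memcache
-l 127.0.0.1    # loopback only
"""

if __name__ == "__main__":
    for name, text in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_conf(text) or ["ok"])
```

The network-level companion to this check is a firewall rule dropping inbound UDP 11211 from outside your own address space; the audit above only confirms the daemon is not listening where it should not, which is the control that would have kept the servers used against GitHub out of the attack.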

Reference: https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/
