Organizations that operate or use Internet-connected services such as websites, portals and Cloud services need to be aware of threats that can disrupt service. In the first part of this series I discussed Domain Name System (DNS) attacks and their potential to disrupt services and infect large volumes of users with malware. This article discusses Distributed Denial of Service (DDoS) attacks using insights from the latest volume of the Microsoft Security Intelligence Report, volume 15.
Distributed Denial of Service (DDoS) attacks

Another common attack vector that has been used to attempt to adversely affect Cloud services on the Internet and online services at Microsoft is DDoS attacks. On a daily basis, Microsoft’s DDoS protective measures apply mitigations to prevent impact from DoS and DDoS attacks to ensure uptime and availability for services and customers. Common types of attacks include SYN floods, DNS amplification, malformed TCP and UDP packets, and application layer abuses specific to HTTP and DNS. One common attack technique used by a number of freely available DDoS toolkits involves using fragmented IP packets with a fixed payload.
For example, a DDoS attack made headlines in March of 2013, when attackers used DNS amplification to attack the Spamhaus spam prevention service with as much as 300 gigabits per second (Gbps) of traffic. For more information on this attack, please see Michael McNally’s ISC Knowledge Base article called “What is a DNS Amplification Attack?”
DDoS attacks can typically be spotted in monitoring telemetry as a significant elevation of both packets-per-second and bits-per-second traffic, as seen in Figure 1. The 30 Mbps attack shown in Figure 1 is nominal, but if left unchecked it could impact the availability of the service. Even if the service itself remains available for users, the bandwidth users rely on to get to the service can be starved, resulting in slow, intermittent, or unreliable service, or rendering the service unreachable.
Figure 1: Flow monitoring telemetry during a DDoS attack
A typical attack involving IP fragments might consist of a padded payload consisting of a single ASCII letter, such as ‘A’ (0x41 in hexadecimal as seen in Figure 2), repeated many times, and transmitted using multiple communications protocols, including User Datagram Protocol (UDP), Transmission Control Protocol (TCP), Internet Control Message Protocol (ICMP), KRYPTOLAN, Versatile Message Transaction Protocol (VMTP), Internet Protocol version 6 (IPv6), Extensible Name Service (XNS), and others. Packets often include full 1,518-byte payloads, and UDP fragments are directed to multiple destination ports on target systems.
Figure 2: A UDP fragment from a DDoS attack
During one 60-second window of a DDoS attack, Microsoft detected more than 8,985 unique IP addresses sending fragmented traffic. As the service was forced to drop incoming packets during the attacks, it is believed that the actual volume of the attack might have been considerably greater than the available data suggested. In a subsequent investigation, a host known to have participated in a recent DDoS attack (acquired through appropriate legal means by the Microsoft Digital Crimes Unit) revealed that a common attack tool (Backdoor:Perl/IRCbot.E) was used for UDP flooding. Tools like this IRCbot make it easy for almost anyone to launch potentially damaging attacks on Cloud services, websites, portals, etc. Although the defensive measures and tactics employed by Microsoft and other Cloud Service Providers help mitigate such attacks, it can be resource intensive to do so.
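To make the detection side of the telemetry concrete, here is an added example (not code from this post or from Microsoft’s monitoring) that runs the two observations described above over constructed flow records: a per-second packets-per-second and bits-per-second elevation check against an assumed baseline, as in Figure 1, and a count of unique sources sending single-byte-padded IP fragments across many destination ports within a 60-second window, as in Figure 2 and the 8,985-source observation. The Flow record layout, the baseline figures and the sample traffic are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Flow:
    ts: float         # seconds since start of capture (assumed record layout)
    src: str          # source IP
    dport: int        # destination port
    size: int         # frame size in bytes
    fragmented: bool  # IP fragment (MF flag set or non-zero fragment offset)
    payload: bytes

# Assumed baseline for the monitored service (hypothetical, tune per service).
BASELINE_PPS = 1_000
BASELINE_BPS = 8_000_000   # 8 Mbps
ELEVATION = 10             # alert on a 10x elevation over baseline

def window_stats(flows, window=1.0):
    """Packets-per-second and bits-per-second per window, the two curves in a flow graph."""
    acc = defaultdict(lambda: [0, 0])
    for f in flows:
        bucket = acc[int(f.ts // window)]
        bucket[0] += 1
        bucket[1] += f.size * 8
    return {w: (pkts / window, bits / window) for w, (pkts, bits) in acc.items()}

def elevated_windows(flows, window=1.0):
    """Windows where either curve reaches ELEVATION x baseline, as in Figure 1."""
    return sorted(w for w, (pps, bps) in window_stats(flows, window).items()
                  if pps >= ELEVATION * BASELINE_PPS or bps >= ELEVATION * BASELINE_BPS)

def padded_fragment(f):
    """IP fragment whose payload is one byte value repeated, e.g. 0x41 'A' (Figure 2)."""
    return f.fragmented and len(f.payload) > 0 and len(set(f.payload)) == 1

def fragment_sources(flows, start, span=60.0):
    """Unique sources sending padded fragments in a span, and distinct destination ports hit."""
    srcs, ports = set(), set()
    for f in flows:
        if start <= f.ts < start + span and padded_fragment(f):
            srcs.add(f.src); ports.add(f.dport)
    return len(srcs), len(ports)

def sample_flows():
    """Constructed telemetry: a quiet first second, then one second of a padded-fragment flood."""
    flows = [Flow(i / 100, "192.0.2.10", 443, 600, False, b"GET /") for i in range(100)]
    for i in range(12_000):  # 12k frames/s from 3,000 sources across 64 UDP ports
        flows.append(Flow(1.0 + i / 12_000, f"10.0.{(i % 3000) // 250}.{i % 250}",
                          1024 + i % 64, 1518, True, b"A" * 1480))
    return flows
```

On the constructed traffic, `elevated_windows(sample_flows())` flags only second 1, and `fragment_sources(sample_flows(), 0.0)` reports 3,000 sources hitting 64 ports.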
Guidance to Help Manage the Risk

Because DDoS attacks can be difficult to mitigate, Cloud Service Providers and operators of websites need to be prepared for this type of attack. Below is some specific guidance.
To help prevent DNS amplification attacks, it’s important that DNS administrators everywhere be willing to cooperate with each other. The United States Computer Emergency Readiness Team (US-CERT) has provided some suggestions to help administrators stop attackers from taking advantage of their DNS servers to launch attacks. This is a partial list; please see https://www.us-cert.gov/ncas/alerts/TA13-088A for all the details.
DDoS attacks can target any Cloud service or website. Well-run Cloud services tend to be much better prepared to deal with DDoS attacks than most enterprise IT infrastructures. Organizations that have struggled with DDoS attacks on their websites or other vital parts of their network infrastructures should consider moving some resources to the Cloud in order to take advantage of the security and operational benefits that Cloud services can provide.
Tim Rains
Director
Trustworthy Computing