Organizations that operate or use Internet-connected services such as websites, portals and Cloud services need to be aware of threats that can disrupt service. In the first part of this series I discussed Domain Name System (DNS) attacks and their potential to disrupt services and infect large volumes of users with malware. This article discusses Distributed Denial of Service (DDoS) attacks using insights from the latest volume of the Microsoft Security Intelligence Report, volume 15.

Distributed Denial of Service (DDoS) attacks
Another common attack vector used against Cloud services on the Internet, including Microsoft’s online services, is the DDoS attack. On a daily basis, Microsoft’s DDoS protective measures apply mitigations to prevent impact from DoS and DDoS attacks and to ensure uptime and availability for services and customers. Common types of attacks include SYN floods, DNS amplification, malformed TCP and UDP packets, and application layer abuses specific to HTTP and DNS. One common attack technique used by a number of freely available DDoS toolkits involves using fragmented IP packets with a fixed payload.

For example, a DDoS attack made headlines in March of 2013, when attackers used DNS amplification to attack the Spamhaus spam prevention service with as much as 300 gigabits per second (Gbps) of traffic. For more information on this attack please see Michael McNally’s ISC Knowledge Base article called “What is a DNS Amplification Attack?”

DDoS attacks can typically be spotted in monitoring telemetry as a significant elevation of both packets-per-second and bits-per-second traffic, as seen in Figure 1. The 30 Mbps attack shown in Figure 1 is nominal, but if left unchecked it could impact the availability of the service. Even if the service itself remains available for users, the bandwidth users rely on to get to the service can be starved, resulting in slow, intermittent, or unreliable service, or rendering the service unreachable.
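The telemetry signature described above, a simultaneous rise in packets-per-second and bits-per-second against a quiet baseline, is easy to encode as a detection rule. The following is an added example, not code from the Security Intelligence Report or from Microsoft's monitoring; the per-second flow buckets, the ten-second warm-up window and the 4x threshold are all constructed for illustration and would be tuned to a real service's traffic.

```python
"""Flag DDoS-like elevations in per-second flow telemetry (packets/s and bits/s)."""
from statistics import median

# Constructed sample: one-second buckets of (second, packets, bytes) as a flow
# collector might export them. Seconds 0-9 are ordinary traffic; 10-12 emulate
# a fragment flood of near full-frame packets; second 13 is back to normal.
SAMPLE_TELEMETRY = [
    (0, 480, 148_000), (1, 510, 152_000), (2, 495, 149_000), (3, 505, 151_000),
    (4, 500, 150_000), (5, 520, 150_000), (6, 490, 147_000), (7, 500, 153_000),
    (8, 515, 150_500), (9, 485, 149_500),
    (10, 2_400, 3_600_000), (11, 2_600, 3_900_000), (12, 2_550, 3_800_000),
    (13, 505, 150_000),
]


def to_mbps(byte_count):
    """Bytes observed in one second expressed as megabits per second."""
    return byte_count * 8 / 1_000_000


def baseline(records, warmup):
    """Median packets/s and bits/s over the first `warmup` seconds."""
    if warmup < 1 or len(records) < warmup:
        raise ValueError("need at least `warmup` records to build a baseline")
    base_pps = median(packets for _, packets, _ in records[:warmup])
    base_bps = median(nbytes * 8 for _, _, nbytes in records[:warmup])
    return base_pps, base_bps


def detect_spikes(records, warmup=10, factor=4.0):
    """Return the seconds where BOTH packet and bit rates exceed factor x baseline.

    Requiring both rates to rise mirrors the telemetry signature in the text;
    a rise in only one is more typical of a large legitimate transfer
    (bits up, packets flat) or a small-packet scan (packets up, bits flat).
    """
    base_pps, base_bps = baseline(records, warmup)
    hits = []
    for second, packets, nbytes in records[warmup:]:
        if packets > factor * base_pps and nbytes * 8 > factor * base_bps:
            hits.append({
                "second": second,
                "pps": packets,
                "mbps": round(to_mbps(nbytes), 1),
                # an average near 1,500 bytes/packet points to full-frame fragments
                "avg_bytes_per_packet": round(nbytes / packets),
            })
    return hits


if __name__ == "__main__":
    for hit in detect_spikes(SAMPLE_TELEMETRY):
        print(hit)
```

On the constructed data the three attack seconds come out at roughly 29 to 31 Mbps with an average packet size of about 1,500 bytes, which is the shape of the nominal 30 Mbps attack the text describes; the same rule would also catch much larger floods, since it is relative to the baseline rather than to a fixed rate.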

Figure 1: Flow monitoring telemetry during a DDoS attack


A typical attack involving IP fragments might consist of a padded payload consisting of a single ASCII letter, such as ‘A’ (0x41 in hexadecimal as seen in Figure 2), repeated many times, and transmitted using multiple communications protocols, including User Datagram Protocol (UDP), Transmission Control Protocol (TCP), Internet Control Message Protocol (ICMP), KRYPTOLAN, Versatile Message Transaction Protocol (VMTP), Internet Protocol version 6 (IPv6), Extensible Name Service (XNS), and others. Packets often include full 1,518-byte payloads, and UDP fragments are directed to multiple destination ports on target systems.

Figure 2: A UDP fragment from a DDoS attack


During one 60-second window of a DDoS attack, Microsoft detected more than 8,985 unique IP addresses sending fragmented traffic. As the service was forced to drop incoming packets during the attacks, it is believed that the actual volume of the attack might have been considerably greater than the available data suggested. In a subsequent investigation, a host known to have participated in a recent DDoS attack (acquired via the appropriate legal means by the Microsoft Digital Crimes Unit) revealed that a common attack tool (Backdoor:Perl/IRCbot.E) had been used for UDP flooding. Tools like this IRCbot make it easy for almost anyone to launch potentially damaging attacks on Cloud services, websites, portals, etc. Although the defensive measures and tactics employed by Microsoft and other Cloud Service Providers help mitigate such attacks, it can be resource intensive to do so.
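The fragment signature described with Figure 2 (a fragment whose payload is a single filler byte such as 0x41 repeated to fill the frame) and the per-window count of distinct sending addresses mentioned above can both be produced from raw packet headers. The example below is added here and is not Microsoft's detection code; it parses IPv4 headers with only the standard library, and the five packets it inspects are constructed in the block itself rather than taken from a real capture. The 0.95 padding ratio and 64-byte minimum are assumed thresholds.

```python
"""Detect padded IP-fragment floods and count their distinct sources."""
import struct
from collections import Counter
from ipaddress import IPv4Address

IP_MF = 0x2000           # IPv4 "more fragments" flag
IP_OFFSET_MASK = 0x1FFF  # 13-bit fragment offset, in 8-byte units
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def parse_ipv4(pkt):
    """Decode the fixed IPv4 header and return its fields plus the payload."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_off,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "src": str(IPv4Address(src)),
        "dst": str(IPv4Address(dst)),
        "proto": proto,
        "id": ident,
        "more_fragments": bool(flags_off & IP_MF),
        "frag_offset": flags_off & IP_OFFSET_MASK,
        "payload": pkt[ihl:total_len],
    }


def padding_stats(payload):
    """Most common byte value in the payload and the fraction of it that byte fills."""
    if not payload:
        return None, 0.0
    value, count = Counter(payload).most_common(1)[0]
    return value, count / len(payload)


def is_padded_fragment(fields, min_len=64, min_ratio=0.95):
    """True for a fragment whose payload is (almost) one repeated filler byte.

    A ratio rather than an exact match lets a first fragment, which still
    carries the 8-byte UDP header ahead of the filler, match as well.
    """
    fragmented = fields["more_fragments"] or fields["frag_offset"] > 0
    _, ratio = padding_stats(fields["payload"])
    return fragmented and len(fields["payload"]) >= min_len and ratio >= min_ratio


def summarize(packets):
    """Padded fragments per transport protocol and the number of distinct senders."""
    per_proto, sources = {}, set()
    for pkt in packets:
        fields = parse_ipv4(pkt)
        if is_padded_fragment(fields):
            name = PROTO_NAMES.get(fields["proto"], str(fields["proto"]))
            per_proto[name] = per_proto.get(name, 0) + 1
            sources.add(fields["src"])
    return per_proto, len(sources)


# --- constructed test traffic (not a capture from the report) ---------------
def _checksum(header):
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, more_fragments=False, frag_offset=0, ident=7):
    """Assemble a well-formed IPv4 packet around `payload` for the detector to read."""
    flags_off = (IP_MF if more_fragments else 0) | (frag_offset & IP_OFFSET_MASK)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_off,
                         64, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    header = header[:10] + struct.pack("!H", _checksum(header)) + header[12:]
    return header + payload


# 1,480 payload bytes + 20-byte header = a 1,500-byte IP packet, which fills a
# 1,518-byte Ethernet frame once the 14-byte frame header and 4-byte FCS are added.
UDP_HEADER = struct.pack("!HHHH", 40000, 80, 8 + 1472, 0)  # src port, dst port, length, checksum
SAMPLE_CAPTURE = [
    build_ipv4("198.51.100.10", "203.0.113.5", 17, UDP_HEADER + b"A" * 1472, more_fragments=True),
    build_ipv4("198.51.100.10", "203.0.113.5", 17, b"A" * 1480, frag_offset=185),
    build_ipv4("198.51.100.77", "203.0.113.5", 17, b"A" * 1480, more_fragments=True),
    build_ipv4("198.51.100.77", "203.0.113.5", 1, b"A" * 1480, more_fragments=True),
    build_ipv4("192.0.2.44", "203.0.113.5", 17, bytes(range(64))),  # ordinary datagram
]

if __name__ == "__main__":
    print(summarize(SAMPLE_CAPTURE))
```

Only the first fragment of a datagram carries the UDP header, so a detector that keys on destination ports sees just a fraction of the flood; matching on the fragment flags and the filler byte, as above, classifies every fragment, and the distinct-source count is what gives a figure like the 8,985 addresses quoted in the text.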

Guidance to Help Manage the Risk
Because DDoS attacks can be difficult to mitigate, Cloud Service Providers and operators of websites need to be prepared for this type of attack. Below is some specific guidance.

To help prevent DNS amplification attacks, it’s important that DNS administrators everywhere be willing to cooperate with each other. The United States Computer Emergency Readiness Team (US-CERT) has provided some suggestions to help administrators stop attackers from taking advantage of their DNS servers to launch attacks. This is a partial list; please see https://www.us-cert.gov/ncas/alerts/TA13-088A for all the details.

  • Most DNS amplification attacks take advantage of open DNS name servers, which resolve DNS queries submitted to them by any computer on the Internet. System administrators should configure their DNS servers to ignore queries they receive from hosts outside their domain. A number of tools are available for helping administrators detect misconfigured DNS servers within their networks, including:
    • The Open Resolver Project maintains a list of open DNS resolvers and provides an interface for searching an IP range for open resolvers.
    • The Measurement Factory also maintains a list of open resolvers and offers a free tool to test a single server to determine if it allows open recursion.

  • Administrators of DNS resolvers can take a number of steps to prevent their resources from being used in attacks, including:
    • Limiting recursion to authorized clients. DNS servers that are deployed within an organization or Internet service provider (ISP) should be configured to perform recursive queries on behalf of authorized clients only, preferably restricted to clients within the organization’s network.
    • Source IP verification. Even well-configured DNS resolvers can be exploited by attackers who use source IP address spoofing to issue DNS queries. The Internet Engineering Task Force has released two Best Current Practice documents (tools.ietf.org/html/bcp38 and tools.ietf.org/html/bcp84) that can help system administrators perform network ingress filtering, which rejects packets that appear to originate from addresses that cannot be reached via the paths the packets actually take.
    • Disabling recursion on authoritative name servers. An authoritative name server is one that provides public name resolution for a specified domain (such as microsoft.com) and optionally one or more subdomains (such as www.microsoft.com). Because authoritative name servers must be publicly accessible, they should be configured to reject recursive queries from clients. For help disabling recursion in Windows Server, see “Disable Recursion on the DNS Server.”

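The guidance above comes down to one observable property: a server that should not serve recursion to the Internet must not answer a recursive query for a name outside its own zones when that query arrives from an outside address. The following is an added example, not a tool from US-CERT, the Open Resolver Project or The Measurement Factory; it builds a minimal recursive A query with the standard library, classifies the reply from the header flags, and is meant to be run from outside your network against your own servers. The example name example.com is a placeholder; pick a name the server under test is not authoritative for, and note that the recursion-disabled verdict is only meaningful for that kind of name.

```python
"""Check whether a DNS server answers recursive queries for clients outside its network."""
import secrets
import socket
import struct

FLAG_QR = 0x8000  # response
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
RCODE_NOERROR, RCODE_NXDOMAIN, RCODE_REFUSED = 0, 3, 5


def encode_name(name):
    """DNS wire-format name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label length in %r" % name)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid=None, rd=True):
    """A minimal A/IN question with the RD bit set (a recursive query)."""
    if txid is None:
        txid = secrets.randbelow(65536)
    header = struct.pack("!HHHHHH", txid, FLAG_RD if rd else 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def parse_response(data, expected_txid):
    """Pull the flags and answer count out of the 12-byte DNS header."""
    if len(data) < 12:
        raise ValueError("short DNS response")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    return {
        "is_response": bool(flags & FLAG_QR),
        "recursion_available": bool(flags & FLAG_RA),
        "rcode": flags & 0x000F,
        "answers": ancount,
    }


def classify(parsed):
    """Interpret a server's reply to a recursive query for a name outside its zones."""
    if not parsed["is_response"]:
        return "invalid"
    if parsed["rcode"] == RCODE_REFUSED:
        return "refused"             # recursion denied for this client: desired
    if parsed["recursion_available"] and parsed["rcode"] in (RCODE_NOERROR, RCODE_NXDOMAIN):
        return "open-recursion"      # it resolved (or tried to) on our behalf: fix this
    if not parsed["recursion_available"]:
        return "recursion-disabled"  # authoritative-only behaviour: desired
    return "inconclusive"


def check_server(server, name="example.com", timeout=2.0):
    """Send one recursive query over UDP and classify the reply (live network call)."""
    query = build_query(name)
    txid = struct.unpack("!H", query[:2])[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(512)
    return classify(parse_response(data, txid))


# Constructed replies (header only, which is all classify() needs) for offline use.
CONSTRUCTED_REPLIES = {
    "open": struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 0),
    "refused": struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | RCODE_REFUSED, 1, 0, 0, 0),
    "auth_only": struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD, 1, 0, 0, 0),
}

if __name__ == "__main__":
    for label, reply in CONSTRUCTED_REPLIES.items():
        print(label, "->", classify(parse_response(reply, 0x1234)))
    # check_server("192.0.2.53")  # placeholder address: point this at your own server
```

A reply of "refused" or "recursion-disabled" is what a correctly restricted resolver or an authoritative-only server returns to an outside client; "open-recursion" means the server will resolve arbitrary names for anyone and can be used as a reflector, which is the condition the limiting-recursion and disable-recursion items above are there to remove. Source address spoofing (the BCP 38 item) cannot be tested this way, since it is a property of the network edge rather than of the DNS server.
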
DDoS attacks can target any Cloud service or website. Well-run Cloud services tend to be much better prepared to deal with DDoS attacks than most enterprise IT infrastructures. Organizations that have struggled with DDoS attacks on their websites or other vital parts of their network infrastructures should consider moving some resources to the Cloud in order to take advantage of the security and operational benefits that Cloud services can provide.

Tim Rains
Director
Trustworthy Computing