In our first series, we covered the following 6 articles:
If you are new to the field of cybersecurity, taking our Intro to Cybersecurity (free self-paced) course is highly recommended. If you are already familiar with cybersecurity, taking our Intro to Blockchain Cybersecurity course is highly recommended.
The internet is growing dramatically in the number of users and applications and in the bandwidth they consume. Over the past few years, a new kind of user has entered the internet, commonly known as a smart device. In its simplest form, it can be a refrigerator, an AC unit, or a microwave, while it can be as complex as a drone or an automated vehicle. These smart devices are also referred to as Internet of Things (IoT) devices, and they monitor the functionality and operations of the utilities they are connected to. Despite their many legitimate use cases, attackers are using them to launch massive cyber attacks called Distributed Denial-of-Service (DDoS) attacks. In this article, you will learn about DDoS attacks and how blockchain can be more effective at defending organizations from such massive attack operations.
In this article, we will cover the following topics:
A DDoS attack is a malicious attempt to disrupt legitimate traffic to a server by overwhelming the target with a flood of requests from geographically dispersed systems. To understand it, let's first look at how a Denial-of-Service (DoS) attack works. During a DoS attack, the attacker bombards the target machine with a massive number of requests, exhausting the server's resources so that it fails to serve requests from legitimate users. In a DoS attack, a threat actor uses a single machine to exhaust the target server; a DDoS attack is much more powerful because millions of machines can be used to exhaust the target.
More and more organizations are moving to the cloud with massive infrastructure to fulfill growing customer demands. Organizations either build their own heavy server infrastructure or move to cloud providers to host their servers. Today, attackers prefer the DDoS method to disrupt target services because they can generate gigabytes to terabytes of random data to overwhelm the target, and because it is difficult for the target's security team to identify and block each individual attacking machine when there are millions of them.
Furthermore, attackers never legitimately control their attacking machines; instead, they infect millions of computers worldwide with tailored malware and gain complete access to them in order to launch a massive DDoS attack. This collection of millions of infected computers is called a botnet, and the individual infected computers are called bots.
The first instance of DDoS is a bit hard to recall exactly, but the first noticeable and significant attack occurred in 1999, and it targeted the University of Minnesota. It impacted more than 220 systems and brought down the entire infrastructure for several days.
On Friday, October 21, 2016, the entire world witnessed one of the most complex and sophisticated DDoS attacks on Dyn (a managed DNS provider). Dyn confirmed the Mirai botnet as a primary source of malicious attack traffic. The attack opened up an important concern on internet security and threats.
To launch a DDoS attack, a threat actor can either build the entire botnet network or rent one from a dark web marketplace. Once the attacker is ready with their weapons, they need to discover vulnerable sites, hosts, or maybe an entire network.
A computer scientist at Lockheed Martin Corporation coined the term cyber kill chain, which lays out the stages of a cyber attack, from reconnaissance to the attacker's final objective. These stages are as follows:
In order to understand each of these stages from a DDoS perspective, it is important to understand the botnet infrastructure and how it is built.
As mentioned, the distributed nature of a DDoS attack requires millions of infected machines around the globe. Today, attackers leverage dark web marketplaces and either rent readily available botnets or buy them. Several tools, such as Jumper, Dirt, and Pandore, eliminate the technical barrier to creating these botnets.
The following graphic outlines the botnet life cycle:
The targeted system can be as large as a data center or as small as a single computer. In both cases, building a botnet involves identifying hosts with vulnerabilities that can be exploited by some malware family. Attackers look for information directly or indirectly related to their target in order to gain unauthorized access to its protected assets. The threat actor tries every possible way to bypass the existing security systems, such as firewalls, Intrusion Prevention Systems (IPS), web application firewalls, and endpoint protection.
The wide availability of open source software has removed the technical barrier to creating malicious code. A programmer with malicious intent can build on it to develop a new breed of malware that security systems find difficult to detect.
The following is a list of some popular DDoS tools:
Once the malicious code has been developed or the software purchased from a dark web marketplace, it can be delivered through spear phishing emails or sent through spam email campaigns. The choice depends on the target and on the sophistication of the operation.
The process can be classified into the following three groups of methods for propagating malicious code:
the newly compromised host by the attacker. The attacker's toolkit is specially designed to accept a file request from a compromised system. The back-channel file copy can be done by a port listener using Trivial File Transfer Protocol (TFTP). Unlike the central source propagation method, attackers transmit both exploit and code together into the victim machine:
Once the malware is delivered to the network, it initiates the process of exploiting unpatched software vulnerabilities, weak coding practices, and a lack of user awareness. Usually, numerous vulnerabilities are present in a network; however, the availability of a working exploit makes a vulnerability far more critical.
In the installation stage, the malware is installed on the targeted system and allows the remote attacker to gain access to it. During installation, the malware may be placed in the user space or the kernel space of the system. Malware installed in user space has a high chance of detection, whereas malware installed in kernel space has a low chance of being detected by security systems such as endpoint protection and endpoint detection and response (EDR) platforms.
After the weapon has been successfully installed, the target is completely under the control of a remote central system, known as the command and control (C2) system. The network of compromised devices is called a botnet and is completely under the control of the threat actor; however, the botnet remains silent until it is activated by the attacker. There are even several forms of encrypted bot-to-bot communication over public peer-to-peer networks.
Once the C2 channel has been established, the attacker can launch the DDoS attack on the target. At this stage, the attacker runs a script to activate all the bots in the botnet. The attacker also configures what type of traffic the botnet should generate.
DDoS attacks can be carried out in several ways; attackers select one based on factors such as target difficulty, financial capability, anonymity, and priority. Running and launching a DDoS attack program does not take much technical expertise. There are three main categories of attack:
These are attack campaigns designed to consume the network resources of the target system: the network bandwidth is completely consumed by flooding. The following are several types of flooding attack.
UDP is a protocol carried in IP packets for socket-level communication between two devices. A UDP flood attack does not exploit any specific vulnerability of the target system; it simply disrupts the target's normal traffic by overwhelming it with a high volume of packets. The flood is aimed at random ports on the target server and consumes all the available bandwidth. It can even prevent the system from sending Internet Control Message Protocol (ICMP) destination unreachable replies. Usually, this kind of attack is considered a small-to-medium-level flood attack and is measured in Mbps and PPS, as shown in the following diagram:
ICMP is another connectionless protocol, used for IP-level reachability and management operations. Again, it doesn't rely on any vulnerability to work. An ICMP flood can be performed with any type of ICMP message, such as echo requests and echo replies. Because this is one of the oldest flooding techniques, organizations have established practices for deploying control-plane policies on network devices to restrict the number of ICMP packets that the devices' control planes will process.
IGMP is a connectionless multicast protocol. This attack is not vulnerability-based; it involves sending a large number of IGMP membership reports to networks or routers.
An amplification attack takes advantage of the disparity between the size of a request and the size of the reply in a communication channel. An attacker can compromise a router and force it to send broadcast messages to multicast addresses by spoofing the source address. The technique can even be used for DNS amplification, in which the attacker can compromise a recursive DNS name server to cache large files. Take a look at the following diagram:
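The flooding and amplification attacks above share a detection signature from the defender's side: an abnormal packet or bit rate converging on one destination, and UDP replies that are many times larger than the requests that triggered them. The following is an added example, not code from the original article, that runs both checks over constructed NetFlow-style per-second records. The record layout, the thresholds, the IP addresses and the set of amplification-prone ports are all assumptions made for illustration.

```python
"""Detecting volumetric floods and amplification from flow records.

Added example (not from the original article). The flow records, the
thresholds and the field layout are constructed for illustration; they
mimic per-second NetFlow-style summaries rather than any real exporter.
"""
from collections import defaultdict

PPS_THRESHOLD = 50_000          # packets/second to one destination (constructed)
MBPS_THRESHOLD = 500.0          # megabits/second to one destination (constructed)
AMP_RATIO_THRESHOLD = 10.0      # reply bytes / request bytes
AMP_PRONE_PORTS = {53, 123, 161, 1900}   # DNS, NTP, SNMP, SSDP: small query, large answer

# Constructed records: (second, proto, src, dst, sport, dport, packets, bytes)
FLOWS = [
    # ordinary HTTPS traffic to a web server
    (0, "tcp", "198.51.100.10", "10.0.0.5", 51000, 443, 40, 48_000),
    (0, "tcp", "198.51.100.11", "10.0.0.5", 51001, 443, 35, 42_000),
    # UDP flood: 50 sources, random high ports, 2,000 packets each in one second
    *[(1, "udp", f"203.0.113.{i}", "10.0.0.7", 40000 + i, 1000 + 7 * i, 2_000, 2_000 * 60)
      for i in range(50)],
    # ICMP echo flood from 30 sources to the same host
    *[(1, "icmp", f"192.0.2.{i}", "10.0.0.7", 0, 0, 2_000, 2_000 * 84) for i in range(30)],
    # a 64-byte DNS query answered by a 3,200-byte response
    (2, "udp", "10.0.0.9", "203.0.113.53", 33000, 53, 1, 64),
    (2, "udp", "203.0.113.53", "10.0.0.9", 53, 33000, 1, 3_200),
]


def detect_floods(flows):
    """Aggregate UDP/ICMP per (second, destination) and alert on pps or Mbps."""
    agg = defaultdict(lambda: {"pkts": 0, "bytes": 0, "srcs": set()})
    for sec, proto, src, dst, _sport, _dport, pkts, nbytes in flows:
        if proto not in ("udp", "icmp"):
            continue
        a = agg[(sec, dst, proto)]
        a["pkts"] += pkts
        a["bytes"] += nbytes
        a["srcs"].add(src)
    alerts = []
    for (sec, dst, proto), a in sorted(agg.items()):
        mbps = a["bytes"] * 8 / 1e6
        if a["pkts"] >= PPS_THRESHOLD or mbps >= MBPS_THRESHOLD:
            alerts.append({"t": sec, "dst": dst, "proto": proto, "pps": a["pkts"],
                           "mbps": round(mbps, 1), "sources": len(a["srcs"])})
    return alerts


def detect_amplification(flows):
    """Pair a request with its reply (same second, 4-tuple reversed) and flag large ratios."""
    requests = {}
    for sec, proto, src, dst, sport, dport, _pkts, nbytes in flows:
        if proto == "udp" and dport in AMP_PRONE_PORTS:
            requests[(sec, src, dst, sport, dport)] = nbytes
    alerts = []
    for sec, proto, src, dst, sport, dport, _pkts, nbytes in flows:
        if proto != "udp" or sport not in AMP_PRONE_PORTS:
            continue
        req_bytes = requests.get((sec, dst, src, dport, sport))
        if req_bytes and nbytes / req_bytes >= AMP_RATIO_THRESHOLD:
            alerts.append({"t": sec, "reflector": src, "target": dst,
                           "service": sport, "ratio": round(nbytes / req_bytes, 1)})
    return alerts


if __name__ == "__main__":
    for alert in detect_floods(FLOWS) + detect_amplification(FLOWS):
        print(alert)
```

The per-destination aggregation is what distinguishes a distributed flood from ordinary busy traffic: each of the 50 UDP sources alone stays below any sensible threshold, and only the sum against 10.0.0.7 crosses it. The amplification check, seen from a network that hosts the resolver, is the same ratio a reflector's operator would use to decide that response rate limiting is needed.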
Attacks that target the server resources of the victim exhaust the server's processing and memory and eventually cause disruption for legitimate traffic. In this category, attackers identify vulnerabilities of the target server and weaponize malware to exploit them. You will learn about some of the most common techniques used to perform these attacks.
This attack makes use of the TCP three-way handshake mechanism and consumes most of the server's resources with TCP SYN messages. In the TCP three-way handshake, a client first sends a TCP packet with the SYN flag set, which requests that the server allocate resources and establish a communication channel. In a TCP SYN attack, the attacking systems send a series of TCP requests with the SYN flag set. To manage each of these requests, the server has to open a connection entry and allocate CPU resources and buffer space in preparation for further communication. The server then replies with a TCP message with the SYN-ACK flags set and expects the client to acknowledge it with a TCP message carrying the ACK flag. The attacking systems receive the SYN-ACK but never respond, so the server keeps the socket open and the resources allocated for those clients. Server resources are limited, but the attackers can keep multiplying their requests until the server is exhausted and unavailable to legitimate user traffic. TCP has a specific timeout for the request and response process, but the attacker uses that same window to send massive numbers of TCP requests. Take a look at the following diagram:
In the TCP/IP stack, the Reset (RST) flag in TCP is used to notify a server to reset its ongoing TCP connection. In a TCP RST attack, the attacker intercepts an active TCP connection between the client and the server by guessing the sequence number. After successfully identifying the sequence number, the attacker spoofs a TCP RST message to the client's source IP address. Performing such an activity manually would be very difficult; hence, bots are used to intercept and identify the active sequence number.
SSL is a standard security protocol for establishing encrypted channels between a web server and a browser. It ensures that all data transmitted between web server and browser is encrypted, and hence provides better privacy and integrity for internet users. SSL runs over TCP/IP and sends the SSL hello only once the TCP three-way handshake is complete. SSL-based DDoS attacks can be performed in a variety of ways, such as targeting the SSL handshake mechanism, sending random and garbage data to the SSL server, or exploiting certain SSL encryption key functions.
With the growing use of SSL/TLS-encrypted web applications, attackers are also moving toward encrypted HTTP-based attacks. Most organizations don't have a security solution that can inspect SSL traffic and hence fail to protect against malicious traffic inside it. Attackers make use of this weakness and are adopting more and more capabilities to compromise networks through encrypted HTTP.
DDoS attacks are on the rise, and threat actors are moving from traditional methods to more advanced and sophisticated application-based attacks. These are not limited to HTTP-based attacks but are even adapting to HTTPS, DNS, FTP, SMTP, and VoIP. Applications are built from several independent components and hence are vulnerable, which makes application-based attacks more attractive to threat actors. We will cover some of the most widely used attacks.
DNS is used everywhere, and every organization's network has to have the DNS port open for name resolution. DNS-based flooding is easy to launch and difficult for security systems to detect. DNS uses UDP for faster request and response times, without establishing a new connection (unlike the TCP handshake). In this kind of attack, the DNS server is overwhelmed with a massive number of DNS requests, leaving the victim server unable to process legitimate requests. This technique was used in the recent Mirai attack on the Dyn network, which left users unable to access YouTube, Twitter, Netflix, and several other applications.
These attacks use the low-and-slow methodology against the victim server. The attacker leverages vulnerabilities in the library files deployed on the server. Whenever a client sends a request containing regular expressions, the server has to spend a large amount of resources processing them. Attackers exploit this by sending such regular expressions periodically, in a way that security systems fail to detect.
In this kind of attack, attackers spend days to months identifying vulnerabilities in web application frameworks. Most application servers use hash tables to index POST sessions. The server has to manage hash collisions when different inputs produce the same hash value. Collision resolution consumes a lot of processing resources as the attacker keeps sending POST messages with a multitude of parameters. Attackers build the parameters so that they cause hash collisions on the server side, keeping the server busy processing them.
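The cost the hash-collision attack inflates is the linear scan of one overlong bucket chain, and the fix that frameworks adopted is a keyed hash whose secret the client cannot know. The following is an added example, not code from the original article, that builds a small chained parameter table, feeds it parameter names that all collide under a deliberately weak unkeyed hash, and measures the same insertions under a keyed hash. The `weak_hash` function, the `ParamTable` class, the 64-bucket size and the permutation-based parameter names are constructed for illustration; HMAC-SHA256 stands in for the SipHash-style keyed functions real runtimes use.

```python
"""Hash-collision resource exhaustion in a parameter table, and the keyed-hash fix.

Added example, not from the original article. The weak hash, the table and the
constructed parameter names are illustrative; the effect is the same as in the
real framework incidents, only the hash function differs.
"""
import hashlib
import hmac
import itertools
import os

BUCKETS = 64


def weak_hash(key: str) -> int:
    """Unkeyed, order-insensitive hash: every permutation of the same characters collides."""
    return sum(key.encode()) % BUCKETS


def keyed_hash(key: str, secret: bytes) -> int:
    """Keyed hash: bucket choice depends on a server secret the client cannot predict."""
    digest = hmac.new(secret, key.encode(), hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") % BUCKETS


class ParamTable:
    """Chained hash table standing in for a framework's POST parameter map."""

    def __init__(self, hash_fn):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(BUCKETS)]
        self.probes = 0     # key comparisons done while inserting: the inflated cost

    def insert(self, key, value):
        chain = self.buckets[self.hash_fn(key)]
        for item in chain:          # linear scan: O(length of this chain)
            self.probes += 1
            if item[0] == key:
                item[1] = value
                return
        chain.append([key, value])

    def longest_chain(self):
        return max(len(c) for c in self.buckets)


def colliding_parameters(n):
    """Constructed parameter names sharing one weak_hash value: permutations of 'abcdefg'."""
    return ["".join(p) for p in itertools.islice(itertools.permutations("abcdefg"), n)]


def cost_of_post(param_names, hash_fn):
    """Return (longest chain, total probes) after inserting one POST body's parameters."""
    table = ParamTable(hash_fn)
    for name in param_names:
        table.insert(name, "x")
    return table.longest_chain(), table.probes


def compare(n=500):
    """Same adversarial parameter set under the weak hash and under a keyed hash."""
    names = colliding_parameters(n)
    secret = os.urandom(16)
    return {"weak": cost_of_post(names, weak_hash),
            "keyed": cost_of_post(names, lambda k: keyed_hash(k, secret))}


if __name__ == "__main__":
    print(compare())
```

Under the weak hash all 500 names land in one bucket and the insertions cost 0 + 1 + ... + 499 = 124,750 comparisons, quadratic in the parameter count; under the keyed hash the same names spread across the 64 buckets and the cost collapses to a few thousand. Python's own `dict` has used a randomized keyed string hash since 3.4 for exactly this reason, which is why the demonstration needs its own table; limiting the number of accepted POST parameters is the complementary mitigation.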
In the past few years, a rise in DDoS attacks has been observed. According to a recent report by Radware, 43% of organizations experienced burst attacks, and the rest were unaware of whether they had been attacked. Attackers are adopting several emerging techniques and complex tactics to compromise target networks.
On February 28, 2018, GitHub, the code hosting website, was hit with the largest-ever DDoS attack, recorded at 1.35 TBps. DDoS attacks fall under the category of threats rather than vulnerabilities, which makes them unfeasible to prevent outright: system vulnerabilities are under the control of organizations, but threats can't be controlled. The frontend of a web application remains centralized for all users; hence, it leaves a single point of failure for organizations.
By definition, blockchain is a decentralized network that allows independent parties to communicate without any third-party involvement. In order to protect networks from DDoS attacks, an organization's services can be distributed across multiple server nodes, which provides high resilience and removes the single point of failure. There are two main advantages to using blockchain, as follows:
This article was written in collaboration with Raj Gupta, who holds CISA, CPISI, COBIT 5, ISMS LA, CDPO-GDPR, CEH, and CHFI certifications. He is also the author of the book Hands-On Cybersecurity with Blockchain.