How DDoS Protection Works


Blockchain for DDoS Protection!





If you are new to the field of cybersecurity, taking our Intro to Cybersecurity (free self-paced) course is highly recommended. Also, if you are already familiar with cybersecurity, taking our Intro to Blockchain Cybersecurity course is highly recommended.


The internet is growing dramatically in both the number of users and applications, and their respective bandwidth. Over the past few years, a new kind of user has entered the world of the internet, commonly known as a smart device. In its simplest form, it can be a refrigerator, an AC unit, or a microwave, while it can be as complex as a drone or automated vehicle. These smart devices are also referred to as Internet of Things (IoT) devices, monitoring the functionality and operations of connected utilities. Despite their many legitimate use cases, attackers use them to launch massive cyber attacks called Distributed Denial-of-Service (DDoS) attacks. In this article, you will learn about DDoS attacks and how blockchain can be more effective at defending organizations from such massive attack operations.

In this article, we will cover the following topics:

  • DDoS attacks
  • Types of DDoS attacks
  • Challenges with current DDoS protection solutions
  • How blockchain can transform existing DDoS protection platforms

DDoS attacks

A DDoS attack is a malicious attempt to disrupt legitimate traffic to a server by overwhelming the target with a flood of requests from geographically dispersed systems. Now, let's first understand how a Denial-of-Service (DoS) attack works. During a DoS attack, the attacker bombards the target machine with a massive number of requests that exhaust the server's resources and, as a result, it fails to serve requests from legitimate users. In a DoS attack, a threat actor uses a single machine to exhaust the target server; however, a DDoS attack is much more powerful, as millions of machines can be used to exhaust a target server.


What is a DDoS attack?

More and more organizations are moving to the cloud with massive infrastructure to fulfill their immersive customer demands. Organizations either build their own heavy server infrastructure, or they move to cloud providers to host their servers. Today, attackers prefer the DDoS attack method to disrupt target services as they can generate GBs to TBs of random data to overwhelm the target, and also it becomes difficult for a target security team to identify and block each individual attacking machine, as they are millions in number.

Furthermore, attackers never legitimately control their attacking machines, but rather they infect millions of computers worldwide with some tailored malware and then get complete access to launch a massive DDoS attack. This collection of millions of infected computers is named a botnet and the individual infected computers are named bots.

The first instance of DDoS is a bit hard to recall exactly, but the first noticeable and significant attack occurred in 1999, and it targeted the University of Minnesota. It impacted more than 220 systems and brought down the entire infrastructure for several days.

On Friday, October 21, 2016, the entire world witnessed one of the most complex and sophisticated DDoS attacks on Dyn (a managed DNS provider). Dyn confirmed the Mirai botnet as a primary source of malicious attack traffic. The attack opened up an important concern on internet security and threats.

How does it work?

To launch a DDoS attack, a threat actor can either build the entire botnet network or rent it from a dark web marketplace. Once the attacker is ready with their weapons, they need to discover vulnerable sites or hosts, or maybe an entire network.

A computer scientist at Lockheed-Martin Corporation coined the term cyber kill chain, which lays out the stages of a cyber attack, from reconnaissance to the final goal of the attack. These stages are as follows:

  • Reconnaissance: The attacker identifies its target device and starts searching for vulnerabilities in it
  • Weaponization: The attacker uses a remote tool kit and malware such as a virus or worm to address the vulnerability
  • Delivery: The threat actor injects the cyber weapons into the victim network through several methods such as phishing email, drive-by download, USB drives, insiders and so on
  • Exploitation: The malware code is used to trigger the attack, taking action on the target network to exploit vulnerabilities
  • Installation: Malware is now installed in the victim machine
  • Command and control: This malware allows the remote threat actor to gain access to the victim machine

In order to understand each of these stages from a DDoS perspective, it is important to understand the botnet infrastructure and how it is built.


Building up the botnet

As mentioned, the distributed nature of a DDoS attack requires millions of infected machines globally. Today, attackers leverage the dark web marketplace and either rent readily available botnets or buy them. There are several tools, such as Jumper, Dirt, and Pandore, that eliminate the technical barrier in creating these botnets.

The following graphic outlines the botnet life cycle:

[Figure: botnet life cycle]



The targeted system can be as large as a data center and as small as a computer. In both cases, the development of a botnet involves identifying hosts with vulnerabilities that can be exploited with some malware families. Attackers look for information directly or indirectly related to their target to gain unauthorized access to their protected assets. The threat actor tries all possible ways to bypass the existing security systems, such as firewalls, Intrusion Prevention System (IPS), web application firewalls, and endpoint protection.



The wide range of open source software has removed the technical barrier for creating malicious code. If a programmer has malicious intent and develops the code, a new breed of malware can be developed that would be difficult for security systems to detect.

The following is a list of some of the popular tools for developing DDoS:

  • Low Orbit Ion Cannon (LOIC): This is one of the favorite tools, used by the popular hacktivist group Anonymous. It is a simple flooding tool that can generate a massive volume of TCP, UDP, or HTTP traffic to overload the target server. It was originally developed to test the throughput of server performance; however, the Anonymous group used this open source tool to launch sophisticated DDoS attacks. The tool was later enhanced with IRC features, which allow users to control the connected machines over IRC.
  • High Orbit Ion Cannon (HOIC): A couple of years after effectively using LOIC, the Anonymous group dropped it and used the HOIC tool to first target the US Department of Justice (DOJ) in response to its decision to take down the website. HOIC is again a simple application built to support cross-platform basic scripts that send HTTP POST and GET requests, with an easy and simplified GUI. It was later extended with booster scripts, which are text files that contain additional basic code. A booster script also allows the attacker to specify the list of target URLs to attack. HOIC is still in use by the Anonymous group to launch DDoS attacks globally.
  • hping: Just like the Anonymous group, there are several different hacktivist groups actively targeting businesses and government institutions. A tool called hping was developed to overcome anonymity challenges with Ion Cannon tools. It is again used to generate a massive volume of TCP traffic at the target, and it can remain anonymous by spoofing the source IP address. It is one of the most powerful and well-rounded tools used by several groups of hacktivists.
  • Slowloris: Slowloris is one of the most advanced tools used to make attackers difficult to detect and track. This tool was developed by a gray hat hacker who is known as RSnake and is able to initiate DDoS for servers by creating very slow HTTP requests. It generates a bulk of tiny HTTP headers that target the server and make it wait for the rest of the headers to arrive.



Once the malicious code is developed or software purchased from the dark web marketplace, this software can either be delivered through spear phishing emails or can also be sent through spam email campaigns. The selection of either depends on the target and also the sophistication of the operation.

We can classify the process into the following three groups of methods for propagating malicious code:

  • Central source propagation: In this method, the vulnerable system that the attacker plans to turn into one more bot is handed to a central system, so that a copy of the attack toolkit is transferred from centrally hosted infrastructure to the newly compromised system. After the entire toolkit is moved, a script automatically initiates a fresh attack cycle. This entire mechanism uses HTTP, FTP, and remote procedure call (RPC) protocols. In this method, threat actors exploit the victim machine, the compromised system gets connected to a central repository of the attackers, and finally the central source pushes the code. Take a look at the following diagram:

[Figure: central source propagation]


  • Back-chaining propagation: In this method, the attacker's toolkit is relocated to the newly compromised host by the attacker. The attacker's toolkit is specially designed to accept a file request from a compromised system. The back-channel file copy can be done by a port listener using Trivial File Transfer Protocol (TFTP). Unlike the central source propagation method, attackers transmit both exploit and code together into the victim machine:

[Figure: back-chaining propagation]



  • Autonomous propagation: In this mechanism, the moment an attacker breaks into a system, their toolkit is transferred to the compromised host. This mechanism differs in terms of method of transfer, as attack toolkits are first planted into the compromised host by the attackers only. In this method, the attacker transmits the exploit first and then the code directly from their own system rather than from any central repository. Take a look at the following diagram:

[Figure: autonomous propagation]



Once the malware is delivered to the network, it will initiate the process of exploiting unpatched software vulnerabilities, weak software coding practices, and lack of user attention. Usually, there are numerous vulnerabilities present in the network; however, the availability of exploits makes the vulnerability much more critical in nature.



In the installation stage, the malware is installed in the targeted system and allows the remote attacker to gain access to it. During the installation process, the malware may be installed in the user space or kernel space of a system. Malware installed in the user space has a high possibility of detection; however, malware installed in the kernel space has a low chance of being detected by security systems, such as endpoint protection and endpoint detection and response platforms.


Command and control (C2)

After the weapon has been successfully installed, the target is completely under the control of a remote central system, named the C2 system. The network of compromised devices is called a botnet and is completely under the control of the threat actor; however, the botnet remains silent until it is activated by the attacker. There are even several types of encrypted bot-to-bot communication present over public peer-to-peer networks.


Action on objectives

Once the C2 channel has been established, the attacker can launch the DDoS attack on the target. At this stage, the attacker runs the script to activate all the bots in the entire botnet. The attacker also configures the botnet regarding what type of traffic needs to be generated.


Types of DDoS attacks

DDoS attacks are carried out in several ways. However, attackers select one of them based on different factors, such as target difficulty, financial capability, anonymity, priority, and other factors. It does not take much technical expertise to run the DDoS attack program and launch it. There are mainly three types of attack, categorized as follows:

  • Attacks targeting network resources
  • Attacks targeting server resources
  • Attacks targeting application resources



Attacks targeting network resources

These attack campaigns aim to consume the network resources of the target system. In this attack, network bandwidth gets completely consumed by flooding. The following are several types of flooding attacks.


User datagram protocol (UDP) flood

UDP is a protocol embedded in the IP packet for socket-level communication between two devices. A UDP flood attack does not exploit any specific vulnerability of the target system, but rather it simply disrupts the normal traffic of the target system by overwhelming it with a high level of flooding. It points to random ports on the target server and consumes all the traffic bandwidth for the target system. This UDP flood doesn't even allow the system to send Internet Control Message Protocol (ICMP) destination unreachable packets. Usually, this kind of attack is considered in the class of a small-to-medium-level flood attack and measured in Mbps and PPS, as shown in the following diagram:

[Figure: UDP flood]



ICMP flood

ICMP is another connectionless protocol used for IP-level reachability and management operations. Again, it doesn't rely on any vulnerabilities to work. An ICMP flood can be performed with any type of ICMP message, such as echo requests and echo replies. As this is one of the oldest flooding techniques, organizations commonly deploy control-plane policies on network devices to restrict the number of ICMP packets that can be processed by the control planes of devices.


Internet Group Management Protocol (IGMP) flood

IGMP is a multicast protocol, connectionless in nature. It is non-vulnerability-based, involving the sending of a large amount of IGMP message reports to networks or routers.


Amplification attacks

An amplification attack takes advantage of a disparity between a request and a reply in a communication channel. An attacker can compromise a router and force the router to send broadcast messages on multicast addresses by spoofing the source address. It can even be used with DNS amplification, in which the attacker can compromise a recursive DNS name server to cache large files. Take a look at the following diagram:

[Figure: amplification attack]



Attacks targeting server resources

Attacks that target the server resources of the victim and exhaust the entire server processing and memory eventually cause disruption for legitimate traffic. In this category, attackers identify the vulnerabilities of the target server and weaponize the malware to exploit those vulnerabilities. You will learn about some of the most common techniques used to perform these attacks.



A TCP SYN attack makes use of the TCP three-way handshake mechanism and consumes most server resources with TCP SYN messages. In the TCP three-way handshake, a client first sends a TCP packet with the SYN flag set, which requests that the server allocate a resource and establish a communication channel. In a TCP SYN attack, attacking systems send a series of TCP requests with the TCP flags set to SYN. To manage each of these requests, the server has to open and allocate certain CPU resources, and also buffers to prepare for further communication. The server then sends a TCP message with the flags set to SYN-ACK, and expects the client to acknowledge that with a TCP message with the ACK flag. The attacking systems receive that but never respond, and as a result, the server keeps the socket open and resources allocated for the same client machines. Server resources are limited, but the attackers can keep multiplying the requests to finally exhaust the server and make it unavailable for legitimate user traffic. TCP has a specific timeout for the request and response process, but the attacker takes advantage of that same period to send massive numbers of TCP requests. Take a look at the following diagram:

[Figure: TCP SYN attack]
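
The half-open state described above can be watched for directly. The following added example (not code from the original article) replays constructed connection events through a small tracker and reports both per-source offenders and overall backlog pressure; the class name, thresholds and sample addresses are assumptions chosen for illustration.

```python
from collections import Counter

SYN, ACK = "S", "A"

class HalfOpenTracker:
    """Tracks handshakes that have sent SYN but not yet the final ACK."""

    def __init__(self, handshake_timeout=5.0, per_source_limit=3, backlog_size=8):
        self.timeout = handshake_timeout          # seconds the server waits for the ACK
        self.per_source_limit = per_source_limit  # half-open handshakes tolerated per IP
        self.backlog_size = backlog_size          # half-open slots the server can hold
        self.pending = {}                         # (src_ip, src_port) -> SYN arrival time

    def observe(self, ts, src_ip, src_port, flags):
        self._expire(ts)
        key = (src_ip, src_port)
        if flags == SYN:
            self.pending.setdefault(key, ts)      # server would now allocate state
        elif flags == ACK:
            self.pending.pop(key, None)           # handshake completed, slot released

    def _expire(self, now):
        for key in [k for k, t in self.pending.items() if now - t > self.timeout]:
            del self.pending[key]                 # server gave up waiting for the ACK

    def noisy_sources(self):
        """Source IPs holding more half-open handshakes than the per-source limit."""
        counts = Counter(ip for ip, _port in self.pending)
        return sorted(ip for ip, n in counts.items() if n > self.per_source_limit)

    def backlog_pressure(self):
        """Share of the backlog in use; 1.0 or more means the backlog is full."""
        return len(self.pending) / self.backlog_size

# Constructed sample traffic (documentation address ranges), not a real capture.
EVENTS = [(0.0, "198.51.100.7", 50000, SYN), (0.1, "198.51.100.7", 50000, ACK)]
# One source opens five handshakes and never acknowledges them.
EVENTS += [(0.2 + 0.1 * i, "203.0.113.9", 40000 + i, SYN) for i in range(5)]
# Four SYNs from different (possibly spoofed) sources: invisible to a per-IP limit.
EVENTS += [(0.7 + 0.1 * i, f"192.0.2.{i + 1}", 1024, SYN) for i in range(4)]

def replay(events, **settings):
    """Feed events in order through a fresh tracker and return it."""
    tracker = HalfOpenTracker(**settings)
    for event in events:
        tracker.observe(*event)
    return tracker

if __name__ == "__main__":
    t = replay(EVENTS)
    print("noisy sources:", t.noisy_sources())
    print("backlog pressure:", t.backlog_pressure())
```

Because spoofed sources each appear only once, the per-source list alone understates the attack; the backlog figure is the signal that covers that case.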



TCP RST attack

In the TCP/IP stack, the Reset (RST) flag in TCP is used to notify a server to reset its ongoing TCP connection. In a TCP RST attack, the attacker intercepts an active TCP connection between the client and the server by trying a random sequence of numbers. After successfully identifying the sequence of numbers, the attacker then spoofs the TCP RST message to the client's source IP address. For humans to perform such an activity, this would be very difficult. Hence, bots are used to intercept and identify the active sequence number.


Secure sockets layer (SSL)-based attack

SSL is a standard security protocol for establishing encrypted channels between a web server and a browser. This ensures that all transmitted data is encrypted between web server and browser, and hence provides a better privacy and integrity solution for internet users. SSL runs over TCP/IP and sends the SSL hello only once the TCP three-way handshake is completed. SSL-based DDoS attacks can be performed in a variety of ways, such as targeting the SSL handshake mechanism, sending random and garbage data to the SSL server, or exploiting certain functions related to SSL encryption key mechanisms.


Encrypted HTTP attacks

With the growing use of SSL/TLS-encrypted web applications, attackers are also moving toward encrypted HTTP-based attacks. Most organizations don't have a security solution that can inspect SSL traffic and hence fail to protect it from malicious traffic. Attackers make use of this weakness and adopt more and more capabilities to compromise networks through encrypted HTTP.


Attacks targeting application resources

DDoS attacks are on the rise; threat actors are moving from traditional methods to more advanced and sophisticated application-based attacks. These are not just limited to HTTP-based attacks but are even adapting to HTTPS, DNS, FTP, SMTP, and VOIP. Applications are built with several independent components and hence are vulnerable. Therefore, application-based attacks become more attractive to threat actors. We will cover some of the most widely used attacks.


DNS flooding

DNS is used everywhere, and every organization network has to have the DNS port open for name resolution. It is easy to launch DNS-based flooding and also difficult for the security system to detect it. DNS uses the UDP protocol for faster request and response times, without establishing a new connection (like in the TCP handshake). In this kind of attack, the DNS server can be overwhelmed with a massive amount of DNS requests, making the victim server unable to process legitimate requests. This technique was used in the recent Mirai attack on the Dyn network that left users unable to access YouTube, Twitter, Netflix, and several other applications.


Regular expression DoS attacks

These use the low and slow methodology to attack the victim server. The attacker leverages vulnerabilities in the library files deployed in the server. Whenever a client sends a request with regular expressions, a server has to spend a large amount of resources to process the regular expression. Attackers use this to exploit the server and send regular expressions periodically that security systems fail to detect.


Hash collision DoS attacks

With this kind of attack, attackers spend days to months identifying vulnerabilities in web application frameworks. Hash tables are used to index POST sessions in most application servers. The server has to manage hash collisions when similar hash values are returned. Collision resolution consumes a lot of processing resources as the attacker keeps sending POST messages with a multitude of parameters. Attackers build the parameters in such a way that they cause hash collisions on the server side and as a result keep the server busy processing them.
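
Why colliding parameter names are so expensive, and what the usual server-side controls buy, shown as an added example that is not part of the original article. The sum-of-characters hash, the table size and the parameter limit are assumptions made for illustration; real frameworks use other hash functions.

```python
import hashlib
import itertools
import os

def weak_hash(key):
    """Deliberately simple unkeyed hash (sum of character codes).

    Assumed stand-in for any hash whose output a client can predict.
    """
    return sum(ord(ch) for ch in key)

PER_PROCESS_SECRET = os.urandom(16)  # chosen at start-up, never sent to clients

def keyed_hash(key, secret=PER_PROCESS_SECRET):
    """Keyed hash: bucket placement cannot be predicted without the secret."""
    digest = hashlib.blake2b(key.encode(), key=secret, digest_size=8).digest()
    return int.from_bytes(digest, "big")

def insert_cost(names, hash_fn, buckets=1024):
    """Insert names into a chained hash table and count key comparisons."""
    table = [[] for _ in range(buckets)]
    comparisons = 0
    for name in names:
        chain = table[hash_fn(name) % buckets]
        for existing in chain:
            comparisons += 1
            if existing == name:
                break
        else:
            chain.append(name)  # new key: appended after walking the whole chain
    return comparisons

def check_param_count(names, max_params=100):
    """Second control: refuse oversized forms before any hashing happens."""
    if len(names) > max_params:
        raise ValueError(f"{len(names)} parameters exceeds limit of {max_params}")
    return names

# Constructed parameter names: every ordering of the same five letters has the
# same character sum, so all 120 names share one bucket under weak_hash.
COLLIDING = ["".join(p) for p in itertools.permutations("abcde")]

if __name__ == "__main__":
    print("unkeyed comparisons:", insert_cost(COLLIDING, weak_hash))
    print("keyed comparisons:  ", insert_cost(COLLIDING, keyed_hash))
```

With the unkeyed hash the cost grows with the square of the number of parameters; the keyed hash spreads the same names across buckets, and the parameter limit bounds the worst case regardless of the hash.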


Challenges with current DDoS solutions

In the past few years, a rise in DDoS attacks has been observed. As per the recent report by Radware, 43% of organizations experienced burst attacks, but the rest were unaware of whether they were attacked. Attackers are adapting several emerging techniques and complex tactics to compromise the target network.

On February 28, 2018, GitHub, the code hosting website, was hit with the largest-ever DDoS attack, recorded at 1.35 TBps. Because DDoS attacks fall under the cyber threat category, it is unfeasible to rely on any single security prevention mechanism: system vulnerabilities are under the control of organizations, but threats can't be controlled. The frontend of the web application remains centralized for all users; hence, it leaves a single point of failure for organizations.


How can blockchain transform DDoS protection?

By definition, blockchain is a decentralized network that allows independent parties to communicate without any third-party involvement. To protect networks from DDoS attacks, an organization's services can be distributed across multiple server nodes, which provides high resilience and removes the single point of failure. There are two main advantages to using blockchain, as follows:

  • Blockchain technology can be used to deploy a decentralized ledger to store blacklisted IPs
  • Blockchain technology eliminates the risk of a single point of failure
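
Both points can be seen in a hash-chained, replicated ledger of blacklisted IPs, given here as an added example that is not code from the original article: a tampered copy fails verification, and the list is still served from the intact replicas. Block fields, node names and addresses are assumptions, and majority agreement on the chain head stands in for a real consensus protocol.

```python
import copy
import hashlib
import json
from collections import Counter

GENESIS = "0" * 64  # previous-hash value used by the first block

def block_hash(index, prev_hash, reporter, ips):
    """SHA-256 over a canonical encoding of the block's contents."""
    payload = json.dumps([index, prev_hash, reporter, sorted(ips)],
                         separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()

def append_block(chain, reporter, ips):
    """Append a block of blacklisted IPs, linked to the current chain head."""
    prev = chain[-1]["hash"] if chain else GENESIS
    block = {"index": len(chain), "prev": prev,
             "reporter": reporter, "ips": sorted(ips)}
    block["hash"] = block_hash(block["index"], prev, reporter, block["ips"])
    chain.append(block)
    return block

def verify_chain(chain):
    """True only if every block hashes correctly and links to its predecessor."""
    prev = GENESIS
    for i, block in enumerate(chain):
        if block["index"] != i or block["prev"] != prev:
            return False
        if block["hash"] != block_hash(i, prev, block["reporter"], block["ips"]):
            return False
        prev = block["hash"]
    return True

def replicate(chain, nodes):
    """Independent copies of the ledger, one per node."""
    return [copy.deepcopy(chain) for _ in range(nodes)]

def agreed_blocklist(replicas):
    """IPs from the chain head that most of the valid replicas agree on."""
    valid = [c for c in replicas if c and verify_chain(c)]
    if not valid:
        return set()
    head, _votes = Counter(c[-1]["hash"] for c in valid).most_common(1)[0]
    chain = next(c for c in valid if c[-1]["hash"] == head)
    return {ip for block in chain for ip in block["ips"]}

if __name__ == "__main__":
    ledger = []
    # Constructed entries using documentation address ranges.
    append_block(ledger, "node-a", ["203.0.113.9", "203.0.113.10"])
    append_block(ledger, "node-b", ["198.51.100.23"])
    copies = replicate(ledger, 3)
    copies[0][0]["ips"].remove("203.0.113.9")   # one node's copy is altered
    print("tampered copy valid:", verify_chain(copies[0]))
    print("agreed list:", sorted(agreed_blocklist(copies)))
```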

This article is written in collaboration with Raj Gupta, who has CISA, CPISI, Cobit 5, ISMS LA, CDPO-GDPR, CEH, and CHFI certifications. He is also the author of the book Hands-on Cybersecurity with Blockchain.
