A distributed denial-of-service (DDoS) attack has as its final goal stopping the targeted site from functioning so that no one can access it. The internet-connected services of the targeted host are then stopped temporarily, or even indefinitely, which can cause a significant loss of revenue. The attack is carried out through a master system that communicates with controlled end-user machines, sometimes as many as hundreds of thousands of them. These machines, known as zombies or bots, follow instructions from the master system and launch packets en masse at the targeted site to overwhelm the targeted machine and stop it from functioning. To find out more about how the attack is done and its implications, visit the DDoS explanation page.

DDoS attack tools (such as Trinoo, Trinity, Shaft) available on the internet are rapidly growing in number and type, but so are the techniques that try to lessen the intensity of the attacks, i.e. lower the number of packets reaching the targeted host. Those techniques are known as DDoS mitigation methods. Packets that flood the targeted system come from multiple sources, so sometimes multiple techniques must be combined. Attack prevention also depends on the entire internet community keeping its machines up to date with patches and security tools.

How many DDoS attacks happen each day?

According to Prolexic, 7,000 Distributed Denial of Service (DDoS) attacks are launched each day. Also, according to their analysis of Q1, Q2 and Q3 of 2013, attackers can now use smaller botnets to launch high-bandwidth attacks, with the size of an average attack rising by 700% each quarter and the average packet-per-second rate rising accordingly (see the statistics at http://www.prolexic.com/knowledge-center-dos-and-ddos-attack-reports.html). While attack durations are trending shorter (87.5% last less than 1 hour), attacks are constantly picking up in volume and intensity.

Image 1 – Digital Attack Map – global DDoS attack visualization (provided by Arbor Networks in collab. with Google Ideas)

Arbor Networks, which already provides the ATLAS live feed of DDoS attacks, introduced the Digital Attack Map in collaboration with Google Ideas. The Digital Attack Map uses anonymous traffic data from the ATLAS threat monitoring system to create a data visualization that lets users explore historical trends in DDoS attacks and connect them to related news events on any given day. The data is updated daily and uncovers new attack trends and techniques, sharing them in a visual way that connects the dots between current events and cyber attacks taking place all over the world. You can explore the map here (Digital Attack Map).

Cost of DDoS attacks

The cost of a DDoS attack depends on several variables, such as the type of business you are in, the share of your business that is online, the type of brand you are developing, the type of customers, and your competitors. There are even calculators that can help you come up with such a number in advance, based on your annual revenue, your annual revenue from online sales, and the frequency of attacks in a given industry.

According to Neustar (http://www.neustar.biz/) survey results (2013), denial of service attacks cost businesses an average of $100,000 per hour, meaning that a DDoS attack can cost an internet-reliant company $1 million before the company even starts to mitigate the attack.

Most companies rely on in-house technology to defend against attacks: 77% have firewalls, 65% have routers and switches, and 59% have intrusion detection. But only 26% use cloud-based mitigation services.

Other serious damage, besides the financial loss, comes along with a denial of service attack. Brand value is seriously eroded, operational costs can skyrocket, and you might have to invest in new people and technologies to manage the risk better in the future.

The most targeted are e-commerce and financial services, but also large businesses such as Amazon or Yahoo!; not even PirateBay was spared. In 2011, WordPress, the site that serves 18 million publishers and is responsible for 10% of all websites in the world, was down for several hours and suffered a serious loss of revenue and clients.

Types of DDoS attacks

  • Volume-based DDoS attacks – the goal of the attack is to saturate the bandwidth of the attacked site with spoofed packet floods (measured in bits per second). Examples: UDP floods, ICMP floods…
  • Protocol DDoS attacks – the goal of the attack is to consume the resources of the server or of other communication equipment, such as firewalls and load balancers (measured in packets per second). Examples: SYN floods, Ping of Death, Smurf DDoS…
  • Application layer DDoS attacks – the goal of the attack is to crash the web server (measured in requests per second). Examples: Slowloris, Zero-day…

DDoS prevention mechanisms

Classification of DDoS prevention mechanisms

  • General techniques - common preventive measures, such as system protection and cleaning, installing security patches, firewalls, IP hopping…
  • Filtering techniques - filtering of incoming IP addresses, adapting restrictive mechanisms, reversing IP paths, filtering spoofed IP packets, controlling traffic…

Examples of DDoS Mitigation General techniques

  • Unused services – disabling the applications and ports that are open on the host system, but left unused
  • Security patches – installing all relevant latest security patches and updates to the system
  • IP broadcast – disabling IP broadcast on the host computer
  • Firewalls – firewalls can help prevent users from launching simple flooding-type attacks from their machines; however, this is not useful against complex attacks
  • IP hopping – proactively changing the location or IP address of the active server, within a pool of homogeneous servers or within a pre-specified set of IP address ranges

Examples of DDoS Mitigation Filtering techniques

  • Ingress/egress filtering - drop traffic with source IP addresses that do not match the domain prefix connected to the ingress router (ingress filtering), or alternatively ensure that only assigned or allocated IP address space leaves the network (egress filtering); this requires knowledge of the IP addresses expected at a particular port

  • SYN proxy - under a SYN flood, all connection requests are screened and only those that are legitimate are forwarded
  • Connection limiting - preference is given to existing connections, and new connection requests are limited
  • Aggressive aging - idle connections are removed from the connection tables in firewalls and servers
  • Source rate limiting - when a limited number of IP addresses is involved in a DDoS attack, the source IP addresses that break the norm are identified and rate-limited
  • Dynamic filtering - when the attack and the attackers change constantly, undisciplined behavior is identified and punished for a short time by creating a short-span filtering rule and removing that rule after the time span expires
  • Active verification - combined with a SYN proxy, legitimate IP addresses are cached in a memory table for a limited period of time and are let through without the SYN proxy check
  • Anomaly recognition - for scripted DDoS attacks, anomaly checks are performed on headers, state and rate; most attack packets are thus filtered out
  • Granular rate limiting - rate thresholds are set for attack packets based on past behavior and are adjusted adaptively over time
  • White list, black list - denying access to IP addresses on the black list and allowing access to those on the white list
  • Dark address prevention - IP addresses not assigned by IANA are known as dark addresses, and are all blocked and considered as spoofs
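The following is an added example, not code from the page or from any product it mentions: a small Python model of four of the filtering techniques above (ingress/egress filtering, dark address prevention, source rate limiting and short-lived dynamic filtering rules) run over constructed packet records. The assigned prefix, the dark ranges and the thresholds are assumptions chosen for the example; a real deployment takes the bogon list from a maintained feed.

```python
import ipaddress
from collections import defaultdict, deque

# Assumed values for this example only: the prefix behind the ingress router and
# two IANA-reserved ranges standing in for a full, regularly updated bogon list.
ASSIGNED_PREFIX = ipaddress.ip_network("203.0.113.0/24")
DARK_RANGES = [ipaddress.ip_network(n) for n in ("0.0.0.0/8", "240.0.0.0/4")]


class DdosFilter:
    def __init__(self, max_pkts=5, window=1.0, block_span=10.0):
        self.max_pkts = max_pkts        # packets a source may send per window
        self.window = window            # sliding window length in seconds
        self.block_span = block_span    # lifetime of a dynamic block rule in seconds
        self.seen = defaultdict(deque)  # source -> timestamps of its recent packets
        self.blocked_until = {}         # source -> expiry time of its dynamic rule

    def check(self, src, direction, now):
        """Return 'forward' or a 'drop:<reason>' verdict for one packet."""
        ip = ipaddress.ip_address(src)
        if direction == "out" and ip not in ASSIGNED_PREFIX:
            return "drop:egress"        # only our assigned space may leave the network
        if direction == "in" and ip in ASSIGNED_PREFIX:
            return "drop:ingress"       # an outside packet cannot carry an inside source
        if direction == "in" and any(ip in r for r in DARK_RANGES):
            return "drop:dark"          # unassigned space is treated as spoofed
        expiry = self.blocked_until.get(src)
        if expiry is not None:
            if now < expiry:
                return "drop:dynamic"   # short-span rule still active
            del self.blocked_until[src]  # rule expired: the source gets another chance
        hits = self.seen[src]
        hits.append(now)
        while hits and now - hits[0] > self.window:
            hits.popleft()              # forget packets outside the window
        if len(hits) > self.max_pkts:
            self.blocked_until[src] = now + self.block_span
            hits.clear()
            return "drop:rate"          # norm exceeded: install a dynamic rule
        return "forward"


def run_sample():
    """Constructed packet trace (time, source, direction); returns the verdicts."""
    f = DdosFilter(max_pkts=3, window=1.0, block_span=5.0)
    packets = [(0.0, "198.51.100.7", "in"), (0.1, "203.0.113.9", "in"),
               (0.2, "240.1.2.3", "in"), (0.3, "10.9.8.7", "out")]
    packets += [(0.4 + i * 0.1, "198.51.100.7", "in") for i in range(4)]
    packets.append((7.0, "198.51.100.7", "in"))  # after the 5 s rule has expired
    return [f.check(src, direction, t) for t, src, direction in packets]
```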