Generally in life when you feel as though you’ve finally mastered an important skill, you get to be happy. You get to relax. You get to be confident in your ability to perform that skill any time you need it.

However, not only is this not the case when it comes to DDoS protection, it’s nearly the opposite. As soon as DDoS protection gets to the point that it’s humming along nicely and easily bouncing all attack attempts, the brilliant minds behind that protection need to start worrying. If attackers’ best attempts are being thwarted by DDoS mitigation, you can be certain they’re hard at work on the next innovation that will throw all but the best DDoS protection for a downtime-ridden, damage-causing loop. Kind of like these three DDoS developments that have all taken place in just the last 12 months.

Development #1: a clever amplification attack

To be clear, amplification distributed denial of service attacks in and of themselves are clever. With just a minor amount of resources, an attacker can create a massive amount of attack traffic. That takes brains. What isn’t brainy, however, is the attack traffic that’s created. Like nearly all volumetric DDoS attacks, amplification attacks are just a Hulk Smash of malicious traffic that does nothing to disguise what it is or what it’s there to do. Until this year, that is.

In April, DDoS protection provider Imperva uncovered a new amplification method that abuses the AddPortMapping action of the Universal Plug and Play (UPnP) protocol. It is still a reflection attack: the attacker sends small requests with the victim's spoofed source address to DNS, NTP or SSDP servers, which answer the victim with responses many times larger than the requests. The twist is that the requests are relayed through internet-exposed UPnP routers on which the attacker has used AddPortMapping to create port-forwarding rules. The router's NAT rewrites the forwarded traffic, so the amplified responses reach the victim with an arbitrary source port instead of the reflector service's well-known port (53, 123 or 1900).

The problem for protection: diving deep

A major part of mitigation is keeping legitimate users unaffected while attack traffic is filtered out. For most volumetric attacks this is easy, so long as the mitigation service has enough bandwidth to go head to head with a hefty attack. All the service has to do is compare a few header fields of each incoming packet (protocol, source port, packet size) against the signature of the already-identified attack traffic. Does it match? If yes, bounce it to the scrubbing server. If no, let it through unfettered to the website.

This UPnP technique is a game-changer because, with the source port rewritten, the one header field that reliably identified reflected DNS, NTP or SSDP responses no longer does. A header-only rule either misses the attack or, if loosened to catch large UDP packets from any port, starts dropping legitimate traffic too. Instead, mitigation services need enough processing power and next-level analysis to quickly perform deep packet inspection on all incoming traffic during an attack, recognising the reflector service from the payload itself, at a time when the service is already stressed.
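To make the header-versus-payload distinction concrete, here is an added example (not Imperva's code, and not from the original post) of the two kinds of rule run over a handful of constructed UDP datagrams. The addresses, ports and sizes are made up, the 1000-byte "large response" threshold is an assumption chosen for the example, and the `looks_like_*` checks are deliberately minimal; the DNS header layout, the NTP mode-7 first byte and the SSDP status line are real protocol details.

```python
import struct
from dataclasses import dataclass

# Well-known source ports of the reflector services named in the article.
AMP_PORTS = {53: "dns", 123: "ntp", 1900: "ssdp"}
# Assumed size threshold: amplified responses are far larger than ordinary replies.
LARGE = 1000


@dataclass
class UdpPacket:
    src_ip: str
    src_port: int
    dst_port: int
    payload: bytes


def header_filter(pkt: UdpPacket) -> bool:
    """Header-only rule: big datagram from a known reflector port -> divert to scrubbing."""
    return pkt.src_port in AMP_PORTS and len(pkt.payload) >= LARGE


def looks_like_dns_response(p: bytes) -> bool:
    """DNS header: QR bit set (response), one question, at least one resource record."""
    if len(p) < 12:
        return False
    _ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", p[:12])
    return bool(flags & 0x8000) and qd == 1 and (an + ns + ar) > 0


def looks_like_ntp_mode7_response(p: bytes) -> bool:
    """NTP private mode (mode 7, used by monlist): low 3 bits of byte 0 are 7, response bit 0x80 set."""
    return len(p) >= 8 and (p[0] & 0x07) == 7 and bool(p[0] & 0x80)


def looks_like_ssdp_response(p: bytes) -> bool:
    """SSDP M-SEARCH replies are HTTP/1.1 200 OK messages carried over UDP."""
    return p.startswith(b"HTTP/1.1 200 OK")


def dpi_filter(pkt: UdpPacket) -> bool:
    """Payload rule: recognise the reflector service from content, ignoring the source port."""
    p = pkt.payload
    if len(p) < LARGE:
        return False
    return (looks_like_dns_response(p)
            or looks_like_ntp_mode7_response(p)
            or looks_like_ssdp_response(p))


def make_dns_response(size: int) -> bytes:
    """Constructed DNS response: flags 0x8180 (QR=1, RD, RA), 1 question, 40 answers, zero-padded."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 40, 0, 1)
    return header + b"\x00" * (size - len(header))


# Constructed sample traffic (RFC 5737 documentation addresses); the victim's port is 51000.
SAMPLE = {
    "legit_dns_reply": UdpPacket("192.0.2.53", 53, 51000, make_dns_response(120)),
    "dns_amplified":   UdpPacket("198.51.100.10", 53, 51000, make_dns_response(3000)),
    # The same amplified response relayed through a UPnP router: source port rewritten by the mapping.
    "dns_via_upnp":    UdpPacket("198.51.100.20", 40123, 51000, make_dns_response(3000)),
    # NTP mode-7 response (byte 0 = 0x97: response bit, version 2, mode 7;
    # implementation 3, request code 42 = MON_GETLIST_1) arriving via a UPnP mapping.
    "ntp_via_upnp":    UdpPacket("198.51.100.21", 40124, 51000,
                                 bytes([0x97, 0x00, 0x03, 0x2A]) + b"\x00" * 1500),
    # Large legitimate UDP traffic from a high port (e.g. a game or media stream).
    "game_traffic":    UdpPacket("203.0.113.7", 27015, 51000, b"\x00" * 1200),
}


def evaluate(packets=SAMPLE):
    """Run both rules over every packet; True means 'divert to scrubbing'."""
    return {name: {"header": header_filter(pkt), "dpi": dpi_filter(pkt)}
            for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:16s} header_rule={str(verdict['header']):5s} dpi_rule={verdict['dpi']}")
```

The header rule catches the classic reflection (source port 53, large response) but passes the identical payload once a UPnP mapping has rewritten the source port to 40123; the payload rule catches both while still letting the small legitimate DNS reply and the large high-port game traffic through. The cost is the one the article describes: every large UDP datagram now has to be parsed rather than matched on a few header bytes.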

Development #2: encrypted attack traffic

Thanks to data protection measures and Google's search-ranking and browser preferences, it's only going to be a matter of time before almost every website uses encryption to protect the data exchanged between user browsers and web servers. On the whole, this is good. However, if something on the internet can be used for good, rest assured that someone will find a way to use it for evil. Attackers now hide DDoS traffic inside TLS connections, where it is indistinguishable from legitimate encrypted requests until it has been decrypted.

The problem for protection: two extra steps

In order to check for malicious or suspicious activity in encrypted traffic, DDoS mitigation needs to terminate TLS: decrypt all encrypted traffic, analyze it, filter out the attack traffic, and then re-encrypt the legitimate remainder and send it through to the website. That has two practical consequences. The mitigation service must hold the site's TLS certificate and private key (or a certificate delegated for the purpose), so the website has to be comfortable extending that much trust to its provider. And TLS handshakes are themselves expensive, so an encrypted flood costs the scrubbing service CPU for every connection on top of bandwidth. The need for this lightning-fast decryption and re-encryption at attack scale is new, and not all DDoS protection services are currently capable. It's a must, though.

Development #3: pulse wave pain

Towards the end of 2017 a brand new distributed denial of service attack type was noticed. Dubbed the pulse wave attack, the bad actors behind it used a botnet that was already running at full output when it was pointed at each target. The benefit of a warmed-up botnet is that there is no ramping-up period in the attack: from the very first second, the attack is at its peak. Typically, these attacks come in short, repeated bursts, likely because the DDoS botnet quickly cycles through a list of targets before going back to the beginning to hit all the targets again.

The problem for protection: a hybrid hassle

Many businesses that have on-premises DDoS protection have given themselves an upgrade in the last few years with an appliance-and-cloud hybrid approach to mitigation: the appliance absorbs what it can, and when it is overwhelmed it signals the cloud service to divert and scrub the traffic. Unfortunately for them, pulse wave attacks appear to have been designed to target these hybrid environments. The target is immediately blasted with so much traffic that the network uplink clogs in the first second. Not only does this cause a successful DDoS attack, but the appliance is unable to get its activation signal out to the cloud-based scrubbing service, because the link it would send it over is the one that is saturated. Just as the appliance recovers from one pulse and gets the network back online, the next pulse arrives. The attack succeeds like this until the attacker gets bored and puts their warmed-up botnet to bed.
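The two traits the article attributes to pulse waves, instant peak and regular short bursts, are exactly what a detection rule can key on, so that the decision to keep cloud diversion active is made once rather than re-fought every pulse. Here is an added example (not from the original post or any vendor product) of such a classifier run over constructed one-second traffic samples. The series, the 10x-baseline burst threshold, the three-burst minimum and the 20% period tolerance are all assumptions chosen for the example.

```python
from statistics import median


def make_series(seconds, burst_len, period, peak, ramp, baseline=1.0):
    """Constructed 1-second Gbps samples: jittered baseline plus bursts of `burst_len`
    seconds every `period` seconds. ramp=1 gives an instant-peak burst; ramp=n
    spreads the rise over n seconds (a botnet that is still spinning up)."""
    series = []
    for t in range(seconds):
        value = baseline + 0.1 * (t % 3)          # jittered baseline
        offset = t % period
        if offset < burst_len:
            value = peak * min(1.0, (offset + 1) / ramp)
        series.append(value)
    return series


def find_bursts(samples, factor=10.0, baseline=None):
    """(start, end) index pairs of runs where traffic stays >= factor x baseline.
    Baseline defaults to the series median, which only works while the attack is off
    more than half the time; in production take it from a pre-attack window."""
    base = median(samples) if baseline is None else baseline
    threshold = factor * base
    bursts, start = [], None
    for i, v in enumerate(samples):
        if v >= threshold and start is None:
            start = i
        elif v < threshold and start is not None:
            bursts.append((start, i - 1))
            start = None
    if start is not None:
        bursts.append((start, len(samples) - 1))
    return bursts


def ramp_seconds(samples, burst, fraction=0.9):
    """Seconds from the first over-threshold sample until the burst reaches 90% of its peak."""
    s, e = burst
    peak = max(samples[s:e + 1])
    for i in range(s, e + 1):
        if samples[i] >= fraction * peak:
            return i - s
    return e - s


def classify_pulse_wave(samples, min_bursts=3, max_ramp=1, tolerance=0.2):
    """Pulse wave = at least `min_bursts` bursts, each at peak within `max_ramp` seconds,
    spaced at a regular interval (every gap within `tolerance` of the mean period)."""
    bursts = find_bursts(samples)
    result = {"pulse_wave": False, "bursts": bursts, "period_s": None, "ramp_s": []}
    if len(bursts) < min_bursts:
        return result
    starts = [b[0] for b in bursts]
    periods = [b - a for a, b in zip(starts, starts[1:])]
    mean_period = sum(periods) / len(periods)
    regular = all(abs(p - mean_period) <= tolerance * mean_period for p in periods)
    ramps = [ramp_seconds(samples, b) for b in bursts]
    instant = all(r <= max_ramp for r in ramps)
    result.update(pulse_wave=regular and instant, period_s=mean_period, ramp_s=ramps)
    if result["pulse_wave"]:
        # The practical response: keep the cloud diversion in place across the quiet gaps
        # instead of letting the appliance fall back and try to re-signal on every pulse.
        result["action"] = "keep cloud diversion active across gaps"
    return result


# Constructed series: three 20-second, 300 Gbps bursts a minute apart, instant vs. 10 s ramp.
PULSE_SERIES = make_series(seconds=180, burst_len=20, period=60, peak=300.0, ramp=1)
RAMP_SERIES = make_series(seconds=180, burst_len=20, period=60, peak=300.0, ramp=10)

if __name__ == "__main__":
    for name, series in (("pulse", PULSE_SERIES), ("ramping", RAMP_SERIES)):
        r = classify_pulse_wave(series)
        print(name, r["pulse_wave"], r["bursts"], r["period_s"], r["ramp_s"])
```

On the constructed data the instant-peak series is classified as a pulse wave with a 60-second period, while the series whose bursts take several seconds to reach peak is not, even though its bursts are the same size and spacing. A hybrid deployment that sees the first verdict should hold the diversion rather than tearing it down during each gap, which is the behaviour the pulse timing is designed to exploit.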

Three problems, one solution

Not all DDoS protection is created equal, and the attack innovation in the last year has done a lot to demonstrate the difference between leading protection services and the services that just aren't up for the challenges of the rapidly evolving DDoS landscape. Without leading cloud-based protection that boasts a high-capacity global network with multiple terabits per second of scrubbing capacity, granular traffic analysis, and the processing power to perform deep packet inspection as well as analyze encrypted traffic, businesses and websites should start perfecting their Twitter statements about downtime caused by ongoing DDoS attacks. But please, go easy on the emojis.