SDN and DDoS mitigation
DDoS mitigation has long been one aspect of our networks that relies heavily on custom processors called ASICs (Application-Specific Integrated Circuits) because of its massive processing requirements. Now, with shrinking die sizes and powerful Intel CPU architectures permeating every part of our networks, we are seeing the rise of software-defined DDoS mitigation solutions running on commodity rackmount network appliances. There are several implementation architectures to choose from, as well as cloud protection providers that can work in tandem with them to thwart even the largest attacks orchestrated today (the biggest one recorded in 2016 reached 602Gbps). Distributed attacks will only get bigger and more advanced as political activism and cybercrime continue to thrive. In this article I will detail the most advanced attack techniques and how security vendors in the industry are successfully mitigating them.
DDoS explained
First I will briefly explain what a modern DDoS attack consists of, its aims and motivations, and the different forms it can take.
Distributed Denial of Service, as its name implies, is a way for malicious entities to overload, crash or otherwise compromise an online service for legitimate users, using extensive (distributed) resources to do so. This can translate directly into both massive monetary losses and brand devaluation. A good example of the latter came when eager kids, itching to play their shiny new PlayStation 4s on Christmas Eve, were instead left with the equivalent of a $400 brick: to play any new game on the console, one had to connect to and download updates from a network that was under a massive DDoS assault at the time. In cases like these, it is easy to see just how much damage a targeted attack could do to unsuspecting companies.
At the heart of the largest attack flows is a botnet made up of compromised PCs, servers and IoT devices. Through these "puppets" the master can send out truly gigantic amounts of traffic in a short period of time with few bandwidth resources of their own. The difficulty of identifying and curbing malicious traffic without hindering real, paying users has made mitigation a computationally expensive task.
Attack Methods
Apart from the standard brute-force method, the development of DDoS mitigation architectures and appliances has given rise to equally advanced attack vectors and techniques. Below I detail the two attack vectors that have been used in most of the attempts this year.
UDP flood attack
It is currently the most common method, constituting over half of all DDoS attacks, because of its relatively simple nature: all it consists of is overwhelming servers by sending traffic to random UDP (User Datagram Protocol) ports. The server looks for an application listening on the port, finds none and sends back an ICMP "destination unreachable" packet. When applied through a botnet with a throughput of 10GBps+, it is easily capable of taking down most unprotected and even moderately equipped servers.
A frightening way to maximize the results of this approach is a technique called reflection. Using public servers such as DNS and NTP (Network Time Protocol) servers, attackers spoof the victim's IP address as their own source address and make a small query to the third-party server. The server in turn sends a response to the spoofed IP address (the target victim) that is several times larger than the original packet. Methods like these effectively amplify the attacker's bandwidth several times over. This remarkably easy technique is fueling the largest DDoS attacks today, and if they continue growing at the same pace they will hit a staggering 1 Tbps flow in late 2017 or 2018.
Mitigation:
Modern operating systems help by rate-limiting the ICMP responses sent to UDP probes, but indiscriminate blocking will negatively impact legitimate traffic. One popular method is placing a firewall in between and filtering or blocking illegitimate UDP requests, but even this has its limits, as firewalls can themselves be overwhelmed. Spending hundreds of thousands on network equipment to handle potential attacks is not a cost-effective solution for most companies. That is why there are various successful cloud vendors offering DDoS mitigation services built to handle 100GBps+ flows, not unlike modern-day insurance, where people pay money to a third party which in turn distributes the pooled resources on a case-by-case basis. These services can work in tandem with on-premise network appliances, kicking in when traffic hits a certain threshold.
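The reflection pattern above, seen from the defender's side, and the threshold hand-off to a cloud scrubbing service can both be demonstrated on flow records. This is an added example, not code from the article or any vendor: it assumes simplified NetFlow-like tuples covering a one-second export interval, a constructed record of which queries hosts inside the network actually sent, and constructed sample values throughout.

```python
from collections import defaultdict

# Reflector services the article names: DNS and NTP (source port of the reflected reply).
REFLECTOR_PORTS = {53: "DNS", 123: "NTP"}

# Constructed inbound flow records seen at the network edge over one second (assumed):
# (src_ip, src_port, dst_ip, dst_port, bytes, packets)
SAMPLE_FLOWS = [
    ("198.51.100.10", 53, "203.0.113.5", 40001, 3_200_000, 1000),   # unsolicited DNS replies
    ("198.51.100.11", 53, "203.0.113.5", 40002, 3_100_000, 1000),   # unsolicited DNS replies
    ("198.51.100.12", 123, "203.0.113.5", 40003, 4_400_000, 1000),  # unsolicited NTP replies
    ("192.0.2.20", 443, "203.0.113.5", 51515, 20_000, 30),          # ordinary HTTPS traffic
    ("192.0.2.21", 53, "203.0.113.9", 33333, 1_200, 2),             # answer to a real query
]
# Constructed record of queries hosts inside the network actually sent: (server, port) -> count.
SAMPLE_OUTBOUND_QUERIES = {("192.0.2.21", 53): 2}


def reflection_report(flows, outbound_queries, min_bytes=1_000_000, min_avg_pkt=900):
    """Per destination, total bytes of large replies from reflector ports that nobody inside asked for."""
    per_victim = defaultdict(lambda: {"bytes": 0, "reflectors": set(), "services": set()})
    for src, sport, dst, dport, nbytes, pkts in flows:
        if sport not in REFLECTOR_PORTS:
            continue
        if outbound_queries.get((src, sport), 0) > 0:
            continue  # a host inside queried this server, so the reply is legitimate
        if pkts == 0 or nbytes / pkts < min_avg_pkt:
            continue  # amplified replies are large; small packets are normal answers
        entry = per_victim[dst]
        entry["bytes"] += nbytes
        entry["reflectors"].add(src)
        entry["services"].add(REFLECTOR_PORTS[sport])
    return {dst: v for dst, v in per_victim.items() if v["bytes"] >= min_bytes}


def should_divert(report, window_seconds=1.0, threshold_mbps=50.0):
    """Threshold at which the on-premise appliance would hand traffic to a cloud scrubbing service."""
    total_bits = 8 * sum(v["bytes"] for v in report.values())
    return total_bits / window_seconds / 1e6 >= threshold_mbps


if __name__ == "__main__":
    report = reflection_report(SAMPLE_FLOWS, SAMPLE_OUTBOUND_QUERIES)
    for victim, v in report.items():
        print(victim, v["bytes"], sorted(v["services"]), len(v["reflectors"]))
    print("divert to scrubbing:", should_divert(report))
```

On the sample data the three unsolicited reflector flows (10.7 MB in one second, about 86 Mbps) are attributed to a single victim, while the HTTPS flow and the answered DNS query are ignored.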
Application Layer Attack
These attacks, while involving just the right amount of brute force, are much more targeted and precise by nature. They are nowhere near the scale of attacks like the UDP flood, but their effects can be just as devastating. Owing to its success in recent years, this approach has grown to comprise almost half of all new attacks.
When it comes to overloading a system, it helps to think not only in terms of Gbps throughput capacity but also in CPU cycles. If a small HTTP request to, for example, a login page consumes considerable CPU cycles, imagine what happens when a botnet churns them out by the thousands. This attack is favored against targets such as low-power virtual private servers on clouds like AWS. These can easily handle hundreds of thousands of packets from a UDP flood, but when approached with an application-level assault such as a flood of HTTP requests, they are easily crippled by a couple of thousand. Quite the difference in the scale of attack required for the same result.
Mitigating:
Malicious layer 7 activity (where the application layer resides) is much harder to analyze, detect and mitigate in real time. Apart from standard application firewalls, detecting activity on layer 7 requires deep packet inspection. This is still a developing technology and requires intense resources: every single packet must be processed and fed to an analytics platform with the power to make sense of the tremendous amount of data, all within an incredibly short span of time for the result to be usable for mitigation. Far fewer cloud vendors offer full DDoS protection encompassing layer 7, owing to the considerable increase in infrastructure and on-premise network appliances that would be required (example below).
[Image] Lanner's FW-8895 - High Performance Intrusion Detection and Prevention Network Security Platform, x86 rackmount network appliance.
Last words:
Constant network testing and stress testing is a must if you wish to guarantee uptime in this age of proliferating, random attacks. Having adequate infrastructure to handle high-volume input is essential, but for SMBs it is not cost-effective against the largest attacks. That is why a software-defined and orchestrated approach that can easily scale out to third-party vendors is becoming more popular among companies seeking to keep their network services available under any circumstances. It is an expensive game of cat and mouse between motivated criminals and ever-learning cybersecurity professionals, and valuable targets in the industry have no choice but to play it.
Reviewed by Anonymous on 10:05 AM