Distributed Denial of Service Attacks – It's the Ones You Don't See That Get You
In the previous post in this series, we talked about the association of the term “Distributed Denial of Service” with attacks that feature very large traffic rates designed to saturate an enterprise’s circuits. These attacks continue to happen; in fact, 12 percent of attacks that were mitigated in the Neustar Security Operations Center (SOC) in Q1 2019 were 50 Gbps and above. Attacks of this size are seen more frequently than they were during the same period last year, and they appear to be the fastest growing class of incursion as well.
But what about the other 88 percent?
Link saturation is certainly going to stop an enterprise in its tracks. But surprisingly, shutting a site down completely may not be the average attacker’s purpose. Customers have told us repeatedly that while revenue loss and data/intellectual property theft are huge concerns around DDoS attacks, the most significant fear is the erosion of customer trust and brand reputation. Making customers think twice about doing business with a company does not necessarily require taking it offline. It may well be enough to make online experiences run slowly. And if it’s possible to target those experiences by specific page or part of a company’s site, it can be even easier to sow fear, uncertainty, and doubt. For example, if a bank’s page that shows its selection of available check designs is unavailable, customers may not be too worried. But if the page showing the user’s bill payments does not appear instantly, that will usually ignite immediate concern.
A wide variety of attack types will accomplish these goals. One such class is protocol attacks, also known as state exhaustion attacks. These threats operate by overwhelming a part of the target’s infrastructure that traffic to the end server would typically traverse. Examples of such attacks include:
- SYN floods, which are designed to disrupt the TCP three-way handshake by sending a volume of initial connections but never completing the transaction. SYN floods today typically overwhelm an interim stateful firewall state table, causing congestion for devices downstream.
- IP fragmentation attacks, in which malformed packets that cannot be reassembled overwhelm devices such as edge routers.
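The two patterns above leave a recognizable trace in flow records: many initial SYNs from a source that never completes a handshake, and many fragments from a source that never sends a final fragment. The script below is an added illustration for this post, not Neustar code; it runs a simple per-source check over a constructed batch of flow records. The record layout, the thresholds, and the sample addresses are all assumptions chosen for the example.

```python
"""Flag state-exhaustion patterns (SYN floods, fragment floods) in flow records.

Added example for this post, not Neustar's code. The Record layout, the
thresholds and the sample traffic are assumptions made for illustration.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Record:
    """One packet-level flow record (assumed layout)."""
    src: str
    tcp_flags: Optional[frozenset]   # None for non-TCP packets
    more_fragments: bool = False     # IP "More Fragments" bit
    frag_offset: int = 0             # IP fragment offset, 0 for first/unfragmented


# Assumed thresholds; a real deployment would tune these per link and per device.
SYN_MIN = 50              # minimum initial SYNs before a source is considered
HALF_OPEN_RATIO = 0.8     # share of SYNs that never saw a completing ACK
FRAG_MIN = 50             # minimum fragments before a source is considered
FINAL_FRAG_RATIO = 0.1    # max share of fragments that are final fragments


def build_sample() -> list[Record]:
    """Constructed traffic: one SYN flooder, one fragment flooder, two normal hosts."""
    recs: list[Record] = []
    # 10.0.0.5: 200 initial SYNs, never completes a handshake
    recs += [Record("10.0.0.5", frozenset({"SYN"})) for _ in range(200)]
    # 192.0.2.10: 20 normal connections, each SYN followed by an ACK
    for _ in range(20):
        recs.append(Record("192.0.2.10", frozenset({"SYN"})))
        recs.append(Record("192.0.2.10", frozenset({"ACK"})))
    # 198.51.100.7: 150 fragments with MF set, no final fragment ever arrives
    recs += [Record("198.51.100.7", None, more_fragments=True, frag_offset=(i % 5) * 185)
             for i in range(150)]
    # 203.0.113.3: one legitimately fragmented datagram, 4 middle + 1 final fragment
    recs += [Record("203.0.113.3", None, more_fragments=True, frag_offset=i * 185)
             for i in range(4)]
    recs.append(Record("203.0.113.3", None, more_fragments=False, frag_offset=4 * 185))
    return recs


def analyse(records: list[Record]) -> dict[str, list[str]]:
    """Return {source: [finding, ...]} for sources matching a flood pattern."""
    syn: dict[str, int] = defaultdict(int)
    ack: dict[str, int] = defaultdict(int)
    frags: dict[str, int] = defaultdict(int)
    finals: dict[str, int] = defaultdict(int)

    for r in records:
        if r.tcp_flags is not None:
            if r.tcp_flags == {"SYN"}:          # bare SYN: a new half-open entry
                syn[r.src] += 1
            elif "ACK" in r.tcp_flags:          # any ACK: the handshake progressed
                ack[r.src] += 1
        if r.more_fragments or r.frag_offset > 0:
            frags[r.src] += 1
            if not r.more_fragments:            # final fragment: reassembly can finish
                finals[r.src] += 1

    findings: dict[str, list[str]] = defaultdict(list)
    for src, n in syn.items():
        half_open = max(n - ack[src], 0)
        if n >= SYN_MIN and half_open / n >= HALF_OPEN_RATIO:
            findings[src].append("syn_flood")
    for src, n in frags.items():
        if n >= FRAG_MIN and finals[src] / n <= FINAL_FRAG_RATIO:
            findings[src].append("fragment_flood")
    return dict(findings)


if __name__ == "__main__":
    for src, reasons in analyse(build_sample()).items():
        print(f"{src}: {', '.join(reasons)}")
```

The SYN check keys on the ratio of bare SYNs to any later ACK from the same source rather than on raw SYN volume, because a busy but legitimate client also sends many SYNs; the fragment check keys on the absence of final fragments, which is what prevents a router from ever freeing its reassembly buffers.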
In Q1 2019, TCP SYN floods and IP fragmentation totaled 33 percent of all attack traffic seen by the Neustar SOC, second only to generic UDP-based attacks. These attacks, while prevalent, are often not especially large. Why? Because, to put it simply, they don’t need to be. The farther into the network stack the traffic goes, the smaller the “target” the attacker needs to hit. If you are looking to fill up a firewall’s state table, you don’t need to fill up the entire access pipe; you only need to overwhelm one device.
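To put numbers on "they don't need to be large", the following added example (not Neustar's code) models a stateful firewall's connection table under a stream of SYNs that never complete. It shows that the sustainable fill rate is set by the table size and the half-open timeout, not by the access circuit, and that the corresponding bandwidth is tiny. The table size, timeout, 60-byte SYN size, and the one-second simulation step are all assumptions for illustration.

```python
"""Model a stateful device's connection table under a SYN flood.

Added example for this post, not Neustar's code. Table size, half-open
timeout, packet size and the per-second model are assumptions.
"""

SYN_BYTES = 60  # assumed on-the-wire size of a minimal TCP SYN (Ethernet + IP + TCP)


def required_syn_rate(table_size: int, half_open_timeout_s: float) -> float:
    """SYNs per second needed to keep the table full with entries that never complete.

    Each never-completed entry occupies a slot until the timeout expires it,
    so steady-state occupancy is rate * timeout; the table stays full once
    rate >= table_size / timeout.
    """
    return table_size / half_open_timeout_s


def rate_to_bps(pps: float, bytes_per_packet: int = SYN_BYTES) -> float:
    """Convert a packet rate to bits per second on the wire."""
    return pps * bytes_per_packet * 8


def simulate(table_size: int, timeout_s: int, attack_pps: int,
             legit_cps: int, duration_s: int):
    """Per-second simulation of a connection table.

    Attacker entries are never completed and sit in the table until they
    time out. Legitimate connections (assumed to finish their handshake within
    the same second) only need a free slot at arrival.

    Returns (second_table_first_filled or None, legit_accepted, legit_dropped).
    """
    half_open: list[int] = []   # expiry second of each attacker entry
    first_full = None
    accepted = dropped = 0
    for t in range(duration_s):
        half_open = [e for e in half_open if e > t]      # expire old entries
        free = table_size - len(half_open)
        new_attack = min(attack_pps, free)               # attacker fills what it can
        half_open.extend([t + timeout_s] * new_attack)
        free -= new_attack
        if free == 0 and first_full is None:
            first_full = t
        ok = min(legit_cps, free)                        # legit needs a free slot
        accepted += ok
        dropped += legit_cps - ok
    return first_full, accepted, dropped


if __name__ == "__main__":
    table, timeout = 100_000, 30
    rate = required_syn_rate(table, timeout)
    print(f"table of {table} entries, {timeout}s timeout: "
          f"{rate:.0f} SYN/s (~{rate_to_bps(rate) / 1e6:.1f} Mbit/s) keeps it full")
    # 5,000 SYN/s is well under 3 Mbit/s and still locks out every new client
    print(simulate(table, timeout, attack_pps=5_000, legit_cps=100, duration_s=60))
    # 3,000 SYN/s stays below the fill rate, so the table never quite fills
    print(simulate(table, timeout, attack_pps=3_000, legit_cps=100, duration_s=60))
```

Under the assumed parameters a flood of roughly 3,333 SYN/s, about 1.6 Mbit/s, is enough to hold a 100,000-entry table full indefinitely; a flood at 5,000 SYN/s fills it in 20 seconds and rejects every legitimate connection from then on, while the access circuit carrying it is nowhere near saturated. Defenses that keep such entries off the stateful device in the first place, such as SYN cookies or upstream scrubbing, change the table size term that this model depends on.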
You might well wonder how large these protocol or state exhaustion attacks must be to succeed. Unfortunately, the inevitable answer is that it’s impossible to say. That brings us to the next big finding we saw in the Q1 2019 SOC report: less than 25 percent of the attacks we mitigated used only one vector. The vast majority used two or three different vectors. Another factor in the elusive quality of these attacks is that they take advantage of the communication protocols that the internet was built on.
To learn more about attack trends, download Neustar’s Q1 2019 Cyber Threats and Trends Report at https://www.home.neustar/resources/whitepapers/cyber-threats-report-q1-2019.