What is a distributed denial-of-service (DDoS) attack?
A distributed denial-of-service (DDoS) attack is when multiple entities are operating together to attack one target. DDoS attackers often leverage the use of a botnet—a group of hijacked internet-connected devices to carry out large scale attacks. Attackers take advantage of security vulnerabilities to control numerous devices using command and control software.
What is the goal of a DDoS attack?
To exhaust network bandwidth, server resources, or applications in such a way that legitimate users cannot access a site. The purpose for such attacks, however, can vary widely.
How does that compare to a denial of service (DoS) attack?
A DoS (denial of service) attack is an attempt to make a computer resource unavailable for its intended users by a single attack entity. For example, a DDoS attack may flood website servers with bogus traffic, causing a website outage. People launch these attacks for many reasons—to extort money, seek revenge, gain a competitive edge, destabilize a government or stage a social or political protest.
What are three types of DDoS attacks:
- Volume-based/Volumetric Attacks: use connectionless protocols such as UDP to congest site bandwidth.
- Protocol Attacks: seek to overwhelm specific devices, including web servers, firewalls and load balancers. These connection-based attacks typically work by exhausting the number of concurrent sessions that a device can handle.
- Application/Layer 7 Attacks: target specific applications or servers by establishing a connection and exhausting resources.
Can firewalls prevent DDoS attacks?
Firewalls can be helpful in detecting an incoming DDoS attack, but it can’t do much to defend against the attack, because:
- Firewalls can be easily overwhelmed and rendered useless. When you consider that the average size of a DDoS attack, that bandwidth can quickly become overwhelmed and the attack proceeds unabated.
- Firewall rules can be fooled if the strike initially appears to look like it's legitimate network traffic – like a SYN flood. DDoS protection, which provides deep packet inspection and has specific countermeasures to combat and stop all types of DDoS attacks, is very different than the static operation of using traffic rules in firewalls.
- Not all targeted assets are behind a firewall. Websites on the perimeter network, as well as applications shared/provided with/by third-party platforms and DNS services cannot be protected by on-premise firewalls with updated rule sets.
What are volumetric and protocol attacks?
They feature a large volume of traffic, often from botnets, and attempt to overwhelm a network or service.
What are common protocols?
- AMT – Automated Multicast Tunneling Protocol
- ARP – Address Resolution Protocol
- BGP – Border Gateway Protocol
- BOOTP – Bootstrap Protocol
- DHCP – Dynamic Host Configuration Protocol
- DNS – Domain Name Service Protocol
- FTP – File Transfer Protocol
- GRE – Generic Routing Encapsulation
- HTTP – Hypertext Transfer Protocol
- HTTPS – Hypertext Transfer Protocol Secure
- ICMP – Internet Control Message Protocol
- IMAP – Internet Message Access Protocol
- MVRP – Multiple Registration Protocol
- NNTP – Network News Transfer Protocol
- NTP – Network time protocol
- OSPF – Open Shortest Path First Routing Protocol
- PIM – Protocol Independent Multicast
- POP – Post Office Protocol
- PPOe - Point to Point Protocol Over Ethernet
- PPP – Point to Point Protocol
- PTP – Precision Time Protocol
- RADIUS - Remote Authentication Dial In User Service
- RTPS – Network interoperability protocol
- SFTP – Secure File Transfer Protocol
- SMTP – Simple Mail Transfer Protocol
- SNMP – Simple network management protocol
- SSH – Secure shell
- SSL – Secure Socket Layer
- TCP – Transmission Control Protocol
- Telnet – Telephone Network Protocol
- TLS – Transport Layer Security
- TTL – Time To Live
What is a Simple Service Discovery Protocol (SSDP) attack?
This amplification attack uses the protocol designed to advertise and find plug-and-play devices as an attack vector.
How does an amplification attack work?
Amplification attacks begin with the attacker spoofing the target’s IP address. This is one reason that the majority of amplification attacks target services that use UDP, as it is a connectionless protocol that does not validate the source IP address. In the next step, the attacker sends a small query to a server or resource that generates a very large response forwarding that response to the target.
What are common techniques of Layer 7 attacks:
- Cross-site scripting (XSS) is a form of injection in which an attacker injects malicious script into a web application. The end user will have no idea that a hacked site should not be trusted.
- Cross-site request forgeries (CSRF) trick end users into executing state-change actions on a web app with which they are authenticated. Such attacks can instigate actions such as transferring funds or changing email addresses.
- SQL injections are a well-known exploit in which SQL data is inserted into a query response from a client.
What are characteristics of ransomware?
- Used in completely opportunistic attacks, affecting individuals’ home computers, as well as targeted strikes against organizations
- Attempted with little risk or cost to the adversary involved
- Successful, with no reliance on having to monetize stolen data
- Deployed across numerous devices in organizations to inflict bigger impacts and command bigger ransoms
What types of attacks should a DDoS Mitigation solution, protect against?
- Spoofed/Non-spoofed DoS Attacks
- TCP (SYN, etc.), ICMP, UDP Floods
- Blackenergy, Darkness, YoYoDDoS, etc.
- Common DoS/DDoS Tools
- Slowloris/Pyloris, Pucodex, Sockstress, ApacheKiller
- Voluntary Botnets (Anonymous, etc.)
- HOIC, LOIC, etc.
- Application Attacks
- HTTP URL GET/POST Floods
- Malformed HTTP Header Attacks
- Slow-HTTP Request Attacks
- SYN Floods Against SSL Protocols
- Malformed SSL Attacks
- SSL Renegotiation Attacks
- SSL Exhaustion (Single Source/Distributed Source)
- DNS Cache Poisoning Attacks
- DNS Request Floods
- SIP Request Floods
- Custom Attacks – Unique to Your Service
- Location-based IP Addresses
What is WannaCry?
WannaCry is a ransomware cryptoworm targeting machines running certain older versions of the Microsoft Windows operating system. One characteristic that made this exploit dangerous was the variety of different elements that it contained, including a transport mechanism used to spread through a network.
Why do amplification and reflection attacks appear together?
Reflection and amplification attacks often come as a pair, though they serve two different but often compatible purposes. By spoofing source addresses, attackers can hide their identity by “reflecting” requests off a third party. Amplification attacks add to this by taking advantage of processes in which a small query will have a large — sometimes very large — response. Amplification attacks are, by nature, always reflection attacks as well.
What is the difference between bots and botnets?
Bots are programs that perform an automated, often repetitive, task. Botnets are a group of connected devised that run a bot or multiple bots. Botnets are commonly used in a DDoS attack.
What types are tactics used to detect a DDoS attack:
- Anomaly Based Detection
- Hybrid Attack Detection
- Passive Log Review Detection
- Pattern Based Attack Detection
- Proactive Detection
- Real-time Anomaly Detection
Does having web applications increase our risk of a DDoS attack?
Web applications are increasingly seen as part of DDoS attacks, in which the goal is not to bring down the target, but to smokescreen a vulnerability assessment of web applications.
What does a Web Application Firewall do (WAF)?
A WAF is a security solution that is utilized to monitor, filter or block inbound and outbound web application traffic.
What is Neustar UltraDDoS Protect?
Neustar UltraDDoS Protect is a DDoS mitigation service. UltraDDoS Protect scrubs malicious Internet traffic, allowing clean, legitimate traffic to flow to your infrastructure.
What is Neustar UltraWAF?
UltraWAF is a cloud-provider, hardware and CDN agnostic security solution, making it compatible anywhere applications are hosted. Integrated with Neustar’s always-on DDoS mitigation service, the combination provides a comprehensive, layered protection stack that proactively prevents bot-based volumetric attacks, as well as threats that target the application layer, such as SQL, XSS, CSRF, session hijacking, data exfiltration and zero-day vulnerabilities.
Why is a low Time to live (TTL) important for DNS redirection?
With a low TTL, your DNS changes will take effect faster throughout the Internet. The TTL determines how long recursive servers cache your records. The lower the TTL, the sooner these servers seek new answers from your authoritative DNS server. Generally, the TTL default is 86400 seconds—24 hours, way too long when you’re under a DDoS attack. Neustar recommends that you set your TTL for DNS A records to 300 seconds (five minutes). Your changes will happen more quickly, ensuring you can redirect and protect your traffic.
What is an HTTP Flood attack?
An HTTP flood attack is a volumetric, application layer attack designed to overwhelm a server with HTTP requests
What is a Network Time Protocol (NTP) attack?
It is a DDoS attack that targets the NTP server – flooding it with traffic so that is can not respond.