In this blog post first i will start with expanding the definiton that i gave in here. Then i will move on to explaining why DDOS protocol attacks are a living threat. After that i will mention some of the well known DDOS protocol attack types. Finally i will explain the mitigation techniques and preventive measures against them.
Definition and the goal of protocol attacks
Let’s start with the definition. In the cyber-security field this type of attacks are also known as network protocol attacks or state-exhaustion attacks. This is because they generally exploits the weakness of Layer three or Layer four protocols. Attackers are doing it by consuming the resources of the security or network products between the client and the server.
Unlike Volumetric attacks packets matter most in protocol attacks. Also we know that botnets are huge networks of infected IoT or network devices. So attackers can generate lots of packets from a highly distributed range of ip adressess. This will be a problem for our network and security equipments. Because all those packets have to be processed. Do you understand where this is going? All our devices has a limit of throughput pps. If we consume all the pps it will cause a service disruption.
How exactly is this happening? Well it depends on the attacks itself but we can give some examples. What happens if you open a tcp session to a server behind a stateful firewall from tens of thousands of clients till the firewalls state table is full. This will cause a service disruption from firewall since it will run out of memory. It will be unable to respond legitimate client traffic. Let’s assume we have a stateless firewall. Our attacker can attack it by exhausting the processing resources. As you can see from the examples nonetheless they are statefull or stateless , firewalls are not designed for responding a DDOS attack. Like firewalls, IPS/IDS or WAF solutions are also not designed to respond DDOS attacks.
Internet of Things or Living threat?
According to Ericsson ; (they removed the original page so i added a google cache snapshot of it)
- 70% of wide-area IoT devices will use cellular technology in 2022.
- Around 29 billion connected devices are forecast by 2022, of which around 18 billion will be related to IoT.
As a security Engineer’s point of view there will be 18 billion devices that can be potentially dangerous as a botnet to attack any target or can be exploited. I would like to mention the Mirai Botnet here.Because it is the first botnet that infects the insecure IoT devices.
What makes botnets like Mirai a living or huge threat? I will explain it from Mirai but the general logic is similar. An infected IoT device is looking for another exploitable IoT device. When one found it is also doing same thing and the chain goes on. It is autonomously spreading itself. Also it is changing. Since the release of the source code of Mirai it has evolved. As a result preventive actions against botnets are not so effective.
Common Protocol Attack types
- TCP SYN Flood
- UDP Flood
- Ping Flood
- IP Fragmentation
- HTTP Protocol attacks (Layer 7)
- Slowloris
- Slow READ/POST
- NTP Attacks
- DNS Attacks (Layer 7)
I am not gonna deep dive into these attacks one by one because i would like my posts bespeaks to any IT professional from a Sales person to a Security operations engineer.
Mitigation techniques
Mitigation technique for a protocol attack should be precisely tailored. For TCP attacks sources must be authenticated. DNS attacks queries could be forced to use TCP and using filters for any or non-existent domain queries. For HTTP protocol attacks packet inspection is good for anomalies. Rate-limiting for queries are another good mitigation technique in protocol attacks. To sum up in order to protect our companies assets we must have a better understandings about our companies services. After that we can tailor solutions to them.
