DDoS Research Paper


Running head: DDoS ATTACK ANALYSIS AND MITIGATION STRATEGIES 1

DDoS Attack Analysis and Mitigation Strategies

Matthew Waldron

Central Connecticut State University


Abstract

This paper explores several reputable technology papers that report on the analysis of DDoS attacks regarding their motives, impact on business, types of attacks, and advanced methods to prevent, detect, and mitigate them. DDoS attacks remain one of the most pervasive and crippling cyber security threats. An in-depth look at DDoS attacks may shed light on the increased severity of these attacks and present ways in which businesses can better defend their networks against them. This paper’s purpose is to define and analyze DDoS attacks by using information gathered from many sources to provide a comprehensive analysis. Most importantly, new strategies and technologies, their benefits and limitations, will be examined.


Table of Contents

Cover Page 1

Abstract 2

Table of Contents 3

Introduction 4

Brief History 4

Impact on Business 5

Types of Attacks 6

Attack Tools 8

Preventative Measures 8

Detection Strategies 10

Mitigation Strategies 11

Conclusion 14

Appendix 15

References 17


DDoS Attack Analysis and Mitigation Strategies

The invention, implementation, and widespread adoption of the Internet remains one of the most significant technological achievements in human history. The Internet has changed the way in which we process information, communicate, interact with others, and conduct business and commerce. Unfortunately, cyber-attacks have increased in scale and sophistication and have been effective in disrupting this communication. DDoS attacks are just one of many attacks, but they remain at the forefront of cyber-warfare. They are conducted by a malicious party or entity. Their purpose is to disrupt the availability of a website on the Internet by flooding the web server with illegitimate requests to overload the server and prevent legitimate requests from getting through (Radware, 2013). According to Radware (2013), it is estimated that more than 7000 DDoS attacks occur daily. Businesses need to be better prepared to defend against these types of attacks. If they are not, clients will not have reliable access to crucial information such as financial and bank statements, medical records, e-commerce transactions, and services. Downtime caused by DDoS attacks can incur heavy costs and can bring even the most robust networks to their knees. More must be done to prepare future technologists and business entities to defend against these crippling cyber-attacks.

The history of DDoS attacks traces back to the early days of the Internet. According to Fortinet (2013), the first documented large-scale DDoS attack occurred on an IRC server at the University of Minnesota in 1999. It affected over 200 systems and left the server unusable for days. Later, in the early 2000s, many high-profile traffic generators such as CNN, Amazon, and eBay were hit with attacks that prevented users from accessing their webpages for several hours (Fortinet, 2013). Things turned ugly in 2005 when hackers resorted to extortion. In 2005, a programmer created a worm that opened a backdoor on Windows computers that connected to an IRC server and secretly waited for instructions. This was one of the first uses of the command and control aspect of DDoS attacks that remains crucial to their destructive capabilities. Using these techniques, hackers began demanding payments from companies in return for protection, but these companies were often exploited by them instead (Radware, 2013). According to Fortinet (2013), since 2010 the rise of hacktivism has taken hold and DDoS attacks have become the vessel of such ideologies. Most notably, the hacker group Anonymous has been associated with several high-profile DDoS attacks. One example is their assault against PayPal, MasterCard, and Visa after those companies terminated their services to the whistleblower site WikiLeaks, an assault that also exposed the targets’ vulnerabilities (Radware, 2013). More recently, application-layer attacks have been on the rise; they target specific services for resource depletion and are much harder to detect (Fortinet, 2013). With the history of DDoS attacks in view, their impact on business over the past several years, which has been disastrous, can be examined.

The impact DDoS attacks have on business is enormous. In a survey of 450 businesses conducted by Neustar in 2013, nearly 60% of businesses surveyed said they were hit with a DDoS attack in the past year, up from 35% in 2012. Also, 95% of businesses said they view the DDoS threat as the same as or more serious than in previous years. Arbor’s analytics, gathered from hundreds of businesses, concluded that 88% of attacks lasted up to an hour. In 2014, 87% of businesses said that they were attacked more than once per year and, surprisingly, 17% of respondents said they lost count (Neustar, 2014). The size of the largest reported DDoS attack in 2014 reached 400Gbps, while attacks in the 1–5 Gbps range increased three-fold (Neustar, 2014; Arbor, 2014). The costs incurred by DDoS attacks can be tremendous. According to Neustar (2014), 14% of businesses surveyed said that a DDoS-caused outage can incur costs between $50K and $100K, assuming that the majority of attacks last half a day. One-third of companies said half a day would cost them upwards of $500K. Interestingly, companies that lose more than $50K are more likely to start heavily investing in greater DDoS protection technologies (Neustar, 2014). Customer attrition is another result of increased attacks. According to Radware (2013), Google engineers determined that, on average, a customer will not wait an extra 400 milliseconds for a webpage to load. If a company’s website is down for even a moment, this can cost a large company millions in lost revenue. A down website prevents customers from accessing information, making purchases, or using services. Lost revenue and customer attrition may not be the only elements in danger. More worrisome is the growing trend of smoke screening: DDoS attacks are, more often than not, used to distract a busy IT staff while the attackers steal sensitive data. According to Neustar (2014), “55% of DDoS targets were also victims of theft. Attackers stole funds, customer data, and intellectual property” (p. 7). With the threat of DDoS attacks increasing daily, the majority of businesses still fail to enact effective security measures. According to Arbor (2013), “The proportion of respondents who practice DDoS defense simulations has decreased from 49 percent to 45 percent” (p. 78), while 55% say they never run defense simulations. Also, most companies still use technologies that are not designed for DDoS mitigation and can actually exacerbate the problem. With an understanding of the impact and implications of DDoS attacks, the types of attacks and tools used must be understood so as to properly mitigate them.

DDoS attacks take many forms and can be grouped into three main categories: volume-based, application, and low-rate (Cisco, 2013). Volume-based attacks are commonplace. The attackers flood their targets with a large volume of packets, sent by botnets (multiple compromised systems controlled by an attacker), which overwhelm networking equipment. Application attacks target the application layer, HTTP being the most commonly exploited protocol. They can be more destructive than volume-based attacks because they require fewer connections to be just as effective. Low-rate attacks aim to keep connections alive until just before the time-to-live value expires, and also exploit application weaknesses and flaws (Cisco, 2013). Here are some specific types of DDoS attacks. The first is the ICMP flood attack. According to Cisco (2013), this was the first method implemented by attackers; it takes advantage of the ICMP protocol by flooding its target with ICMP echo (ping) requests and slows down the network infrastructure. A UDP flood attack is very similar to the ICMP attack except that it uses UDP (connectionless) packets in high volumes to render network infrastructure inoperable (Radware, 2013). A smurf attack broadcasts a ping request to all devices on the network, similar to an ICMP flood attack, but the source address is changed to that of the victim (called spoofing). It seems as though the victim is requesting a response, so the other devices flood it with responses, thus overwhelming the victim computer (Ciampa, 2015). A SYN flood attack takes advantage of the handshake by which devices initiate a session. This is done through SYN packets (to initialize the connection) and ACK packets (an acknowledgement of the initial request). A SYN flood attack, similar to a smurf attack, modifies the source address of the originating packet and assigns it to unreachable computer addresses. The server waits for a response for a given amount of time while receiving more false requests. The cycle continues until the server runs out of resources (Ciampa, 2015). Lastly, DNS amplification attacks involve an attacker requesting a DNS lookup from a DNS server with a spoofed source address directed towards the victim. The DNS server, without any way to verify the validity of the address, unknowingly sends the responses to the victim (Cisco, 2013). There are many tools available to the hacker to carry out these attacks more efficiently.


The use of botnets is one major tool used to direct a large volume of attack traffic at a server. Attackers often have hundreds, even several thousands, of these “zombie computers” at their disposal. According to Radware (2013), “large botnets can often be rented out by anyone willing to pay as little as $100 per day to use them” (p. 42). People with limited knowledge of hacking now have the ability to take down large websites. Another tool is the Low Orbit Ion Cannon (LOIC). It is an open-source flooding tool that can generate an enormous amount of HTTP, TCP, and UDP traffic. The software was originally designed for developers who wanted to test the resiliency of their servers under a heavy traffic load, but hackers used it instead to wage war against their victims. Groups like Anonymous used LOIC as their weapon of choice, but it has declined in popularity because it fails to mask the sender’s IP address. HOIC is LOIC’s successor, and it boasts new features including the ability to use special scripts that allow greater precision when launching attacks (Radware, 2014). Both LOIC and HOIC are designed for brute-force flooding attacks. Slowloris, however, capitalizes on the procedure used to initiate a session. According to Radware (2013), the program creates its effect by sending slow HTTP requests. When these requests are sent slowly to the server, it waits for the remaining chunks to arrive. If enough of these are sent, they can overwhelm the server (Radware, 2014). It is important to be aware of the most significant attack types and tools so that we may prevent future attacks from happening.

Preventative measures are the first important step to protect a company from the growing threat of DDoS attacks. First on the list are Access Control Lists (ACLs). According to Ramachandran (2003), ACLs are “rules which can be applied on a router or switch to filter unwanted traffic” (p. 4). One method is to identify attack traffic. Once it is identified, the security administrator can configure an ACL on the edge router to deny and drop any traffic matching the signature. However, there are downsides. Manually updating ACLs can be quite laborious, especially during times of heavy DDoS flooding. DDoS attack methods vary, and the time required to manually update the ACLs can be prohibitive. ACLs consume CPU resources and can degrade edge router performance (Ramachandran, 2003). More recently, however, ACLs are used more as a detection strategy because ACL logs provide in-depth insight into network traffic (Cisco, 2013). Device security is the bread and butter of network security and can also defend the network against DDoS attacks. Changing the router default configurations and passwords will harden the hardware and make it less susceptible to attacks that try to compromise the routers. Any unnecessary services should be shut down to reduce the attack surface. Also, one should be wary of protocols such as CDP because they advertise important device information on the network. All networks should be using the latest secure protocols, such as SNMPv3 as opposed to v1 and v2 (Ramachandran, 2003). Another preventive technique is tightening connection timeouts and limits, which protects against SYN flood attacks. As discussed before, a SYN flood attack takes advantage of the handshake by which devices initiate a session and creates a special condition called an embryonic connection. According to Cisco (2010), an embryonic connection “is a connection request that has not finished the necessary handshake between source and destination” (p. 1). By reducing the length of time before a timeout occurs, a crippling SYN flood attack can be prevented. Load balancers are devices that act as reverse proxies and distribute traffic to servers. They can be configured to limit connection attempts and distribute traffic loads efficiently, so clustered hardware is less likely to be overwhelmed than a single device would be (Cisco, 2010). Another preventative technique is a flood guard, which protects against SYN flood attacks by configuring the maximum number of unanswered SYN requests (Ciampa, 2015). Lastly, honeypots can be configured with limited security to entice attackers to target them rather than the actual network. Once configured, the idea is that the attacker installs a handler or piece of code on the honeypot, which lets defenders understand its behavior in order to defend the network better (Ciampa, 2015). With a clear understanding of prevention strategies, detection strategies are essential for spotting attacks before they overwhelm the network.
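The following simulation, added here as an illustration rather than taken from the paper or from Cisco, shows why the two SYN-flood controls described above (a shorter embryonic-connection timeout and a flood-guard cap on unanswered SYNs) matter: it replays a constructed trace of spoofed SYNs mixed with legitimate clients against a half-open connection table. All rates, addresses and timings are constructed assumptions, and real TCP stacks add mechanisms such as SYN cookies that are not modeled.

```python
"""Half-open (embryonic) TCP connection table under a SYN flood.

Added example; it is not code from the paper or from Cisco. It models an
embryonic-connection timeout and a flood-guard cap on unanswered SYNs, and
replays a constructed trace. Times are in milliseconds. Real stacks add SYN
cookies and other mechanisms not modeled here.
"""
from dataclasses import dataclass, field


@dataclass
class SynBacklog:
    """Connections that sent a SYN but have not completed the handshake."""
    embryonic_timeout_ms: int                 # how long a half-open entry may live
    max_embryonic: int                        # flood-guard cap on unanswered SYNs
    half_open: dict = field(default_factory=dict)   # (src_ip, src_port) -> SYN time
    established: int = 0
    refused_syn: int = 0                      # SYNs refused because the cap was hit
    expired: int = 0                          # entries reclaimed by the timeout
    peak_half_open: int = 0

    def _expire(self, now: int) -> None:
        stale = [k for k, t0 in self.half_open.items()
                 if now - t0 >= self.embryonic_timeout_ms]
        for k in stale:
            del self.half_open[k]
        self.expired += len(stale)

    def on_syn(self, now: int, src: tuple) -> bool:
        """Return True if the SYN got a slot (SYN-ACK sent), False if refused."""
        self._expire(now)
        if len(self.half_open) >= self.max_embryonic:
            self.refused_syn += 1
            return False
        self.half_open[src] = now
        self.peak_half_open = max(self.peak_half_open, len(self.half_open))
        return True

    def on_ack(self, now: int, src: tuple) -> bool:
        """Final handshake packet: promote to established if the entry still exists."""
        self._expire(now)
        if self.half_open.pop(src, None) is None:
            return False
        self.established += 1
        return True


def run_flood(embryonic_timeout_ms: int, max_embryonic: int,
              flood_pps: int, duration_ms: int, legit_every_ms: int) -> dict:
    """Replay a constructed trace: spoofed SYNs at flood_pps per second that are
    never acknowledged, plus one legitimate client every legit_every_ms that
    completes its handshake 50 ms later."""
    backlog = SynBacklog(embryonic_timeout_ms, max_embryonic)
    events = []
    for i in range(flood_pps * duration_ms // 1000):
        # Spoofed source (unreachable address), so no ACK ever comes back.
        events.append((i * 1000 // flood_pps, "syn", ("203.0.113.0", 40000 + i)))
    for k, t in enumerate(range(0, duration_ms, legit_every_ms)):
        src = ("198.51.100.7", 50000 + k)
        events.append((t, "syn", src))
        events.append((t + 50, "ack", src))
    events.sort(key=lambda e: e[0])          # stable sort: flood SYNs stay ahead on ties
    for now, kind, src in events:
        if kind == "syn":
            backlog.on_syn(now, src)
        else:
            backlog.on_ack(now, src)
    return {"established": backlog.established, "refused_syn": backlog.refused_syn,
            "expired": backlog.expired, "peak_half_open": backlog.peak_half_open}


if __name__ == "__main__":
    # Long timeout: the cap fills within 0.5 s and every later client is refused.
    print("30 s timeout:", run_flood(30_000, 500, 1000, 2000, 100))
    # Short timeout: entries are reclaimed as fast as they arrive; all clients connect.
    print("0.4 s timeout:", run_flood(400, 500, 1000, 2000, 100))
```

With the cap alone the table fills and legitimate clients are refused; with the timeout tightened below the fill time the table never reaches the cap, which is the effect the text attributes to reducing the embryonic timeout.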

Preventative strategies are good until an actual attack occurs. The first line of defense is to have an accurate means of detecting attacks. Packet capturing tools such as Wireshark, snoop, and tcpdump are useful for this purpose, but one must establish a baseline of normal traffic activity before abnormal activity can be detected. The benefits of packet capture analysis are numerous, as it can provide a granular picture of the types of traffic entering and leaving the network (Cisco, 2013). Similar to packet capturing is Cisco’s IOS NetFlow. According to Cisco (2013), NetFlow “is a form of network telemetry that Cisco routers and switches can collect locally or push” (p. 14). NetFlow provides macro-level packet information such as source and destination IP address, port, and protocol to quickly detect anomalies in the network (Cisco, 2013). Intrusion Prevention / Detection System alarms are another method of detecting attacks. IDS / IPS devices are traditionally used in tandem with firewalls. An IDS device monitors traffic flow for any suspicious activity and can signal an alarm once it is detected. An IPS system goes a step further and can take precautionary measures to mitigate attacks. Many technologists believe IDS / IPS devices are good for DDoS mitigation, but this is largely false. According to Arbor (2013), devices such as IPS systems and firewalls do little to mitigate DDoS attacks because they are stateful devices and are often the first devices to be overwhelmed when an attack occurs. They protect against known threats, but fail to monitor attacks across multiple sessions and are susceptible to more subtle attacks such as Slowloris (Arbor, 2011). According to an Arbor (2013) survey, “42 percent of respondents indicated that their firewalls or IDS/IPS systems were compromised by a DDoS attack” (p. 65). The focus on these devices, however, is on their alarm and monitoring capabilities. While false positives can be common, the alarms and log messages generated by these devices can be valuable for detecting an attack (Cisco, 2013). IPS systems can also be configured to take a specific action to mitigate future attacks if enough information is known, such as dropping a connection from a specific source. However, one should be wary of inadvertently dropping too much legitimate traffic. The goal of DDoS prevention and mitigation is to allow as much legitimate traffic through as possible (Cisco, 2013). Lastly, DNS logs are good for detecting a DDoS attack. The DNS protocol is used for locating services and computers through friendly names and is used by many applications. A closer inspection of the DNS log chart (Figure 1 in the Appendix) reveals key information. Notice the spike between 20:00 and 21:00, reaching over 400 queries at night compared to an average peak of 300 during the work day. This type of unusual behavior can indicate an attack (Cisco, 2013). With a clear understanding of detection strategies, mitigation techniques are essential for stopping DDoS attacks dead in their tracks.
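The DNS-log inspection just described can be automated once a baseline exists. The script below is an added example, not code from the paper or from Cisco: it parses constructed BIND-style query-log lines, counts queries per hour, compares each hour with a constructed per-hour baseline (work-day peak of about 300, matching the paper's figure), and reports hours that exceed it together with the busiest client, which helps separate one noisy source from a broad surge. Log format, baseline values and addresses are all assumptions.

```python
"""Hourly DNS query-rate check against a baseline.

Added example, not code from the paper or from Cisco. The log lines (BIND
query-log style) and the per-hour baseline are constructed; the constructed
evening spike exceeds 400 queries in the 20:00 hour.
"""
import re
from collections import Counter, defaultdict

# Constructed BIND-style query-log line, e.g.
# 25-Mar-2016 20:07:00.000 client 203.0.113.9#51432: query: example.com IN A
LOG_RE = re.compile(
    r"^(?P<date>\d{2}-[A-Za-z]{3}-\d{4}) (?P<hour>\d{2}):\d{2}:\d{2}\.\d{3} "
    r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>[A-Z]+)"
)

# Constructed baseline: expected queries per hour, learned from normal days.
BASELINE = {h: 60 for h in range(24)}
BASELINE.update({9: 240, 10: 300, 11: 290, 12: 200, 13: 260,
                 14: 300, 15: 280, 16: 230, 17: 150})

INTERNAL_CLIENTS = ["10.0.0.11", "10.0.0.12", "10.0.0.13", "10.0.0.14", "10.0.0.15"]


def make_log(spike_hour=20, spike_queries=420, spike_client="203.0.113.9"):
    """Build one constructed day of log lines: baseline traffic from internal
    clients every hour, and spike_queries from a single outside client at spike_hour."""
    lines = []
    for hour in range(24):
        n = spike_queries if hour == spike_hour else BASELINE[hour]
        for i in range(n):
            ip = spike_client if hour == spike_hour else INTERNAL_CLIENTS[i % 5]
            minute, second = divmod(i * 3600 // n, 60)
            lines.append(f"25-Mar-2016 {hour:02d}:{minute:02d}:{second:02d}.000 "
                         f"client {ip}#{40000 + i}: query: example.com IN A")
    return lines


def hourly_stats(lines):
    """Per-hour query count and the share of queries from the busiest client."""
    counts = Counter()
    per_client = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                        # skip lines that are not queries
        hour = int(m.group("hour"))
        counts[hour] += 1
        per_client[hour][m.group("ip")] += 1
    stats = {}
    for hour, n in counts.items():
        top_ip, top_n = per_client[hour].most_common(1)[0]
        stats[hour] = {"count": n, "top_client": top_ip, "top_share": top_n / n}
    return stats


def flag_spikes(stats, baseline, factor=1.25, min_count=100):
    """Hours whose count exceeds factor x baseline and an absolute floor.
    The floor keeps quiet hours from alerting on a handful of extra lookups."""
    flagged = []
    for hour in sorted(stats):
        n = stats[hour]["count"]
        if n >= min_count and n > baseline.get(hour, 0) * factor:
            flagged.append((hour, n, baseline.get(hour, 0),
                            stats[hour]["top_client"], round(stats[hour]["top_share"], 2)))
    return flagged


if __name__ == "__main__":
    stats = hourly_stats(make_log())
    for hour, n, base, ip, share in flag_spikes(stats, BASELINE):
        print(f"{hour:02d}:00-{hour + 1:02d}:00 {n} queries (baseline {base}); "
              f"top client {ip} sent {share:.0%}")
```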

Mitigation strategies are crucial for a business’s security posture. Effective mitigation of DDoS attacks remains one of the most challenging tasks in security. As we have seen, DDoS attacks have grown very sophisticated in the past decade and masquerade exceptionally well as legitimate traffic. Firewalls, IDS, and IPS systems are essential for overall network security, but are often useless for DDoS mitigation. There is no straightforward solution for effective DDoS mitigation, but there are multiple strategies that provide reasonable coverage. A common strategy is to employ Remotely Triggered Black Hole Filtering (RTBH). When an attack is detected, all undesirable traffic is dropped entirely at the network edge (Cisco, 2013). There is a lot of information concerning RTBH, but only the two main types will be mentioned. Destination-based filtering black-holes traffic directed towards the IP address being attacked (see Figure 2 in the Appendix for the Destination-Based RTBH diagram). The device that is triggered by the attack sends an iBGP update to the other edge routers telling them to send traffic for that address to their null interface. This technique has an obvious pitfall: destination-based RTBH drops legitimate traffic to the victim too. Source-based RTBH attempts to mitigate this issue. This method drops packets from a specific source IP address. When an attack occurs, the attacker’s IP address is discovered and all packets sent from this address are dropped (Cisco, 2005; see Figure 3 in the Appendix for the Source-Based RTBH diagram). This technique relies heavily on Unicast Reverse Path Forwarding (Cisco, 2013). Unicast Reverse Path Forwarding (uRPF) is a mitigation technique that verifies the reachability of the source addresses of packets being forwarded on routers. Normally, a router only cares about the destination of the packet; with uRPF, however, the packet is discarded if the source address cannot be verified. This helps protect against DDoS attacks because it is commonplace for such attacks to spoof the IP addresses of packets directed towards the network (Cisco, 2013). There are two modes for uRPF. Loose mode checks to see if there is an entry for the source in the routing table. Strict mode performs the same check as loose mode, but does an additional check to make sure the packet is received on the same interface the device would use to forward traffic back to the source. Strict mode is more likely to drop legitimate traffic, so it should be used carefully (Cisco, 2013). Similar in fashion are sinkholes, a method where attack traffic is diverted to a dedicated network that can withstand it. It is similar to honeypots because the main focus of this strategy is to divert the attack to a segmented network where the malicious activity can be carefully analyzed (Ramachandran, 2003). All the previously mentioned strategies involve the business itself performing the mitigation. However, ISPs have additional capabilities to further mitigate attacks. They use a technique called traffic scrubbing. According to Ramachandran (2003), “Scrubbers have capabilities, which allow them to distinguish between good and bad traffic. They mitigate DDoS attacks by forwarding only good traffic and dropping attack traffic” (p. 9). Companies such as Arbor Networks, Verizon, and AT&T offer traffic scrubbing. Each company has its own advanced methods to determine bad traffic. Advanced traffic analysis and anomaly detection are used to provide the most coverage (Cisco, 2013). As mentioned before, IDS / IPS devices and firewalls are increasingly overwhelmed by DDoS attacks. A newer solution is the utilization of Intelligent DDoS Mitigation Systems (IDMS). One of the pioneers of this new technology is Arbor Networks. Their main technical solution is called the Peakflow SP solution and Peakflow SP Threat Management System (TMS) (see Figure 4 in the Appendix for Arbor’s IDMS diagram). There are some notable advantages of using Peakflow. Peakflow can surgically remove threats, supporting up to 40GB/s. Arbor’s scalability can effectively combat volumetric attacks (Arbor, 2012). Arbor also offers cloud signaling. On-premise mitigation has trouble with volumetric attacks, while ISP mitigation can be slow to respond to concurrent threats. Cloud signaling is the combination of ISP and on-premise mitigation for effective layered security. Arbor’s Threat Level Analysis System (ATLAS) boasts real-time advanced analytics and deep packet inspection techniques to root out even the most persistent DDoS attacks (Arbor, 2012). An important aspect of Arbor’s IDMS is the utilization of multi-layered DDoS techniques for effective mitigation. Another new mitigation technique is reputation-based blocking. This technique uses web filtering to mitigate attacks. Certain sites may contain viruses and Trojans, and it is important to block these sites (Cisco, 2013). How does this relate to DDoS mitigation? Earlier, I mentioned that DDoS smoke screening is an increasing concern among businesses. It is very likely that a business will experience a decrease in DDoS attacks if malware infections from unsafe websites decrease. Therefore, businesses can better protect their assets and information. Lastly, geographic dispersion techniques represent an effective technique for DDoS mitigation. This solution uses a routing mechanism called Anycast. Anycast allows traffic to be routed to many destination nodes. The offending DDoS attack is dispersed across multiple points across a geographical area. This technique saw success when a group of white-hat hackers stopped a DDoS attack that had put the Spamhaus website offline by using geographic dispersion mitigation (Cisco, 2013).
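The RTBH and uRPF behaviour described earlier in this section can be made concrete with a small forwarding-plane model. It is an added example, not Cisco's implementation or material from the paper: a constructed routing table (documentation address ranges and made-up interface names) is queried by a longest-prefix lookup, a Null0 route stands in for the RTBH trigger, and the uRPF check is run in loose and strict mode, so both the source-based case (a black-holed source is dropped by uRPF) and the destination-based pitfall (legitimate traffic to the victim is dropped as well) are visible. Treating the default route as not satisfying uRPF unless explicitly allowed is an assumption of this model.

```python
"""Forwarding-plane model of source-based RTBH and uRPF loose/strict mode.

Added example, not Cisco's implementation or the paper's own material. Routing
table, interface names and addresses are constructed from documentation ranges.
"""
import ipaddress
from typing import NamedTuple, Optional

NULL0 = "Null0"                      # black-hole interface used by RTBH


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    out_iface: str


class EdgeRouter:
    def __init__(self, routes):
        self.routes = [Route(ipaddress.ip_network(p), i) for p, i in routes]

    def lookup(self, addr: str) -> Optional[Route]:
        """Longest-prefix match in the routing table (None if no route at all)."""
        a = ipaddress.ip_address(addr)
        best = None
        for r in self.routes:
            if a in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best

    def blackhole(self, host: str) -> None:
        """RTBH trigger: install a /32 for the host pointing at Null0. Used for the
        victim (destination-based) or for an attacking source (source-based)."""
        self.routes.append(Route(ipaddress.ip_network(f"{host}/32"), NULL0))

    def urpf_check(self, src: str, in_iface: str, mode: str, allow_default=False):
        """uRPF: loose mode needs a usable route back to the source; strict mode
        also needs that route to leave via the interface the packet arrived on."""
        r = self.lookup(src)
        if r is None:
            return False, "no route to source"
        if r.prefix.prefixlen == 0 and not allow_default:
            return False, "only the default route covers the source"
        if r.out_iface == NULL0:
            return False, "source is black-holed (source-based RTBH)"
        if mode == "strict" and r.out_iface != in_iface:
            return False, f"reverse path is {r.out_iface}, packet arrived on {in_iface}"
        return True, "ok"

    def forward(self, src: str, dst: str, in_iface: str, urpf_mode: Optional[str] = None) -> str:
        """Decision for one packet: uRPF on the ingress interface, then destination lookup."""
        if urpf_mode:
            ok, why = self.urpf_check(src, in_iface, urpf_mode)
            if not ok:
                return "drop: " + why
        r = self.lookup(dst)
        if r is None:
            return "drop: no route to destination"
        if r.out_iface == NULL0:
            return "drop: destination is black-holed (destination-based RTBH)"
        return "forward via " + r.out_iface


def build_router() -> EdgeRouter:
    # Constructed table: upstream default route, a customer prefix and a peer prefix.
    return EdgeRouter([("0.0.0.0/0", "Gi0/0"),
                       ("192.0.2.0/24", "Gi0/1"),
                       ("198.51.100.0/24", "Gi0/2")])


if __name__ == "__main__":
    rtr = build_router()
    victim, attacker = "192.0.2.10", "198.51.100.5"
    print(rtr.forward(attacker, victim, "Gi0/2", "strict"))   # symmetric path: forwarded
    print(rtr.forward(attacker, victim, "Gi0/0", "strict"))   # strict drops the asymmetric path
    print(rtr.forward("10.9.9.9", victim, "Gi0/0", "loose"))  # spoofed private source
    rtr.blackhole(attacker)                                   # source-based RTBH
    print(rtr.forward(attacker, victim, "Gi0/2", "loose"))
    rtr.blackhole(victim)                                     # destination-based RTBH
    print(rtr.forward("198.51.100.77", victim, "Gi0/2", "loose"))  # legitimate traffic lost too
```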

DDoS attacks have become a formidable force to guard against in the past decade. As attackers find new ways to bring large scale networks to their knees, businesses must invest more time in a security posture that will protect and defend against these types of attacks. Attackers are motivated by money or personal ideologies and have access to a variety of tools that can cripple a network. The average DDoS attack can incur thousands of dollars of lost revenue and stolen data. The size and complexity of attacks make them hard to mitigate. Proper implementation of prevention, detection, and mitigation strategies is necessary for a business’s survival. As we move forward in the 21st century, DDoS attacks will continue to be a problem, but human ingenuity will prevail and continue to improve technology for greater DDoS prevention and mitigation.


Appendix

Figure 1 - DNS log chart

(Cisco, 2013, 19)

Figure 2 - Destination-Based RBTH

(Cisco, 2005, 2)


Figure 3 - Source-Based RTBH

(Cisco, 2005, 4)

Figure 4 – Arbor IDMS

(Arbor, 2012, 10)


References

Arbor Networks Inc. (2011). Why Firewalls and Intrusion Prevention Systems (IPS) Fall Short on DDoS Protection: The Risk of Choosing the Wrong Technology for DDoS Protection. Retrieved April 4, 2016, from http://www.techdata.com/arbornetworks/files/ARBOR_TB_IPS_EN.PDF

Arbor Networks Inc. (2012). Layered Intelligent DDoS Mitigation Systems. Retrieved April 4, 2016, from https://www.arbornetworks.com/images/documents/White Papers and Research/WP_IDMS_SP_EN2012.pdf

Arbor Networks Inc. (2014). Worldwide Infrastructure Security Report. Retrieved April 4, 2016, from http://pages.arbornetworks.com/rs/arbor/images/WISR2014.pdf

Ciampa, M. D. (2015). Security guide to network security fundamentals. Boston, MA: Course Technology, Cengage Learning.

Cisco. (2005). Remotely Triggered Black Hole Filtering: Destination Based and Source Based. Retrieved April 4, 2016, from http://www.cisco.com/c/dam/en/us/products/collateral/security/ios-network-foundation-protection-nfp/prod_white_paper0900aecd80313fac.pdf

Cisco. (2010). Chapter 53: Configuring Connection Limits and Timeouts. In Cisco ASA 5500 Series Configuration Guide using the CLI (pp. 53-1 to 53-5). San Jose, CA: Cisco.

Cisco. (2013). A Cisco Guide to Defending Against Distributed Denial of Service Attacks. Retrieved April 4, 2016, from http://www.cisco.com/c/en/us/about/security-center/guide-ddos-defense.html

Hoffman, S. (2013, March 25). DDoS: A Brief History. Retrieved April 4, 2016, from https://blog.fortinet.com/post/ddos-a-brief-history

Hoffman, S. (2013, March 27). DDoS: A Brief History, Part II. Retrieved April 4, 2016, from https://blog.fortinet.com/post/ddos-a-brief-history-part-ii

Neustar, Inc. (2014). The Danger Deepens: Neustar Annual DDoS Attacks and Impact Report. Retrieved April 4, 2016, from https://www.neustar.biz/resources/whitepapers/ddos-protection/2014-annual-ddos-attacks-and-impact-report.pdf

Radware. (2013). DDoS Survival Handbook. Retrieved April 4, 2016, from https://security.radware.com/uploadedFiles/Resources_and_Content/DDoS_Handbook/DDoS_Handbook.pdf

Ramachandran, V., & Nandi, S. (2003). Bleeding Edge DDoS Mitigation Techniques for ISPs. Retrieved April 4, 2016, from http://www.vivekramachandran.com/docs/ddos_paper_Vivek_Sukumar.pdf