A Denial-of-Service attack (DoS attack) or Distributed Denial-of-Service attack (DDoS attack) is an attempt to make a system, application or network resource unavailable to its intended users.
DoS attacks can be classified as:
- Logic attacks: exploit security vulnerabilities to cause a server or service to crash and/or significantly reduce its performance.
- Resource exhaustion (flooding) attacks: consume server or network resources to the point where the service no longer responds or its response is significantly degraded.
Denial of Service Attack Characteristics
While a Denial of Service attack is usually attributed to network-oriented techniques, it is also known to rely on malware that exploits vulnerabilities in operating systems and applications, for example by triggering errors or manipulating the sequencing of information. Regardless of the vector used, the following are the tell-tale signs of a likely Denial of Service attack:
- Consumption of computational resources such as bandwidth, memory, disk space or processor time. This results in unusually slow network performance, e.g. slow browsing, slow file copying, etc.
- Disruption of configuration information, such as routing information. This results in endless waiting for a DNS request to be resolved, or redirection to a different server.
- Disruption of state information, such as unsolicited resetting of TCP sessions. This results in sudden stops and restarts of communication between established channels.
- Disruption of physical network components, e.g. inability to connect to a wireless or wired internet connection.
- Obstruction of the communication media between the intended users and the victim so that they can no longer communicate adequately, e.g. sending out badly formed requests to flood the channel.
DoS is primarily engineered to affect business continuity by restricting access to key resources. To guard against these attacks, the focus should always be first on the characteristics of the traffic coming into the systems rather than on its impact. This requires understanding the signatures, patterns and sources of malicious traffic. That understanding comes either from intelligence gathered by developing an internal knowledge base of attacker activity, or from the experience of security providers whose tools have built a knowledge base from the scale of the market they serve. This capability can be augmented by feeding your organization's specific threat sources and patterns into the same centralized tool.
Denial of Service Incident Handling Considerations
The following workflow highlights standard practices and techniques for identifying, managing and handling Denial of Service incidents:
Incident Handling Stages
Implement proactive measures to improve threat preparedness
- Use firewall filters and monitor outgoing traffic. Botnet traffic is primarily transmitted via IRC, P2P, HTTP and HTTPS. Monitor these protocols and, wherever possible, block P2P and IRC.
- Use network monitoring utilities or DPI tools that allow traffic patterns to be monitored.
- Enable IP accounting to get visibility into packets, volume, source, destination, ports, etc.
- Disable DNS recursive queries, which are primarily used by attackers to launch DDoS and cache poisoning attacks.
- Update public-facing NTP servers to the latest available version, and disable monlist functionality on public-facing NTP servers that cannot be updated. Review the log files of servers, routers, firewalls, applications and other sensitive infrastructure.
- Engage your ISP or another DDoS detection and prevention service provider for a DDoS traffic scrubbing service to be used in the event of a DDoS attack.
- Configure alerts on your network monitoring systems based on a network traffic baseline for usual day-to-day traffic.
- Maintain an IP blacklist that is periodically updated and shared with the DEL monitoring team. Block or closely monitor any traffic coming from the blacklisted IPs.
- Liaise with your industry partners and keep abreast of cyber intelligence aimed particularly at your sector, to watch out for both existing and developing threats.
Identification & Verification
Correctly identify the threat using monitoring and verification techniques.
- Use network analysis tools such as tcpdump or MRTG to review the traffic.
- Contact the ISP to provide details about the traffic sources identified earlier, including network blocks involved, source IP addresses, protocols, etc.
The details could be received in the following format:
| Parameter | Average Maximum Peak Utilization | Maximum Threshold Value |
| --- | --- | --- |
| Network bandwidth – MPLS links between Dolphin offices | 50% | 80% |
| Network bandwidth – Internet link | 40% | 65% |
| Web-based traffic | 1200 MB/hour | 2800 MB/hour |
| DNS traffic | 5 MB/hour | 8 MB/hour |
| E-mail traffic | 500 MB/hour | 700 MB/hour |
- Increase in the volume of encrypted traffic.
- Consistent increase in bandwidth utilization above 80%.
- Alerts from the Cisco botnet filter.
- Abnormal increase in DNS lookup failures (hundreds of failures in an hour).
- Increase in firewall log entries for DoS attacks such as SYN, Teardrop and ICMP attacks.
- Check and analyze the logs of the firewall botnet filter.
- Increase in NTP "get monlist" requests.
- Verify the source of the increased bandwidth utilization (check for multiple IP addresses that are not whitelisted).
- Verify the logs of the server being targeted by the DDoS.
- Excessive HTTP header requests or an abnormal number of HTTP/S POST or GET requests against the server; POST request attacks using web forms that send excessive amounts of data to overwhelm the server.
- Indications of flood attacks such as SYN, UDP, ICMP or MAC attacks.
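As an added example (not part of the original playbook or any Dolphin tooling), the following Python checks constructed hourly monitoring samples against the baseline table above and the indicators in this list, producing a verdict a monitoring team could alert on. The metric keys, the 300-failures-per-hour cutoff for DNS lookup failures (the playbook only says "hundreds"), the 100-distinct-non-whitelisted-sources cutoff and the sample values are all assumptions made for this example; the percentage and MB/hour figures are the ones from the table.

```python
"""Baseline-threshold and indicator checks for DDoS identification.

Added example, not part of the original playbook. The baseline figures come
from the playbook's table; the metric keys, indicator cutoffs and sample data
are assumptions made for this example.
"""
from dataclasses import dataclass, field

# (average maximum peak, maximum threshold) per metric, from the baseline table.
# Percent entries are link utilization; MB entries are volume per hour.
THRESHOLDS = {
    "mpls_util_pct": (50, 80),
    "internet_util_pct": (40, 65),
    "web_mb_per_hour": (1200, 2800),
    "dns_mb_per_hour": (5, 8),
    "mail_mb_per_hour": (500, 700),
}

# Indicator cutoffs (assumptions): the playbook says "hundreds" of DNS lookup
# failures per hour and does not quantify the other indicators.
DNS_FAILURE_LIMIT = 300          # failures per hour
MIN_UNLISTED_SOURCES = 100       # distinct non-whitelisted top sources


@dataclass
class HourSample:
    """One hour of aggregated monitoring data (constructed for the example)."""
    hour: str
    metrics: dict                                          # metric key -> observed value
    dns_failures: int = 0
    ntp_monlist_requests: int = 0
    fw_flood_alerts: dict = field(default_factory=dict)    # e.g. {"SYN": 1200}
    top_sources: list = field(default_factory=list)        # source IPs by volume
    whitelist: set = field(default_factory=set)


def check_thresholds(metrics):
    """Return (metric, severity, value) for every metric above its baseline."""
    alerts = []
    for name, value in metrics.items():
        if name not in THRESHOLDS:
            continue
        peak, maximum = THRESHOLDS[name]
        if value > maximum:
            alerts.append((name, "critical", value))
        elif value > peak:
            alerts.append((name, "warning", value))
    return alerts


def check_indicators(sample):
    """Return the names of the playbook's indicators present in the sample."""
    findings = []
    if sample.dns_failures >= DNS_FAILURE_LIMIT:
        findings.append("dns_lookup_failures")
    if sample.ntp_monlist_requests > 0:   # monlist should be disabled; any request is abnormal
        findings.append("ntp_monlist_requests")
    for kind, count in sample.fw_flood_alerts.items():
        if count > 0:
            findings.append("fw_flood_" + kind.lower())
    unlisted = {ip for ip in sample.top_sources if ip not in sample.whitelist}
    if len(unlisted) >= MIN_UNLISTED_SOURCES:
        findings.append("many_unlisted_sources")
    return findings


def triage(sample):
    """Combine both checks: a critical threshold breach plus at least one
    corroborating indicator is treated as a likely DDoS; either alone is
    flagged for investigation."""
    thresholds = check_thresholds(sample.metrics)
    indicators = check_indicators(sample)
    critical = any(sev == "critical" for _, sev, _ in thresholds)
    if critical and indicators:
        verdict = "likely_ddos"
    elif critical or indicators:
        verdict = "investigate"
    else:
        verdict = "normal"
    return {"hour": sample.hour, "verdict": verdict,
            "thresholds": thresholds, "indicators": indicators}


# Constructed samples: a quiet hour and an hour matching several indicators.
NORMAL_HOUR = HourSample(
    "hour-09",
    {"internet_util_pct": 35, "web_mb_per_hour": 900,
     "dns_mb_per_hour": 4, "mail_mb_per_hour": 420},
)
ATTACK_HOUR = HourSample(
    "hour-10",
    {"internet_util_pct": 92, "web_mb_per_hour": 3400,
     "dns_mb_per_hour": 6, "mail_mb_per_hour": 430},
    dns_failures=450,
    fw_flood_alerts={"SYN": 1200},
    top_sources=["203.0.113.%d" % i for i in range(1, 151)],   # RFC 5737 TEST-NET-3
    whitelist={"203.0.113.1"},
)

if __name__ == "__main__":
    for sample in (NORMAL_HOUR, ATTACK_HOUR):
        print(triage(sample))
```

The two-tier threshold (warning above the average peak, critical above the maximum) mirrors the table's two columns, and requiring an indicator alongside a critical breach before calling it a likely DDoS is what keeps a legitimate traffic spike from being escalated on volume alone.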
Limit the damage caused
- Block the IP addresses identified.
- Throttle traffic at the perimeter router/firewall.
- Allow only whitelisted IPs, or prioritize them.
- Switch to an alternate link.
- If the bottleneck is a particular feature of an application, temporarily disable that feature.
- Configure egress filters to block the traffic the targeted systems may send in response to DDoS traffic.
- Respond via out-of-band communication.
- Inform the ISP to block the suspicious range of IP addresses and multiple connection requests for the same resource.
- Offload SSL traffic from the origin infrastructure for inspection at an application delivery point.
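The following Python is an added example, not part of the original playbook, showing how the first three containment steps above (block identified IPs, give whitelisted IPs priority, throttle everything else at the perimeter) combine into one ordered policy. It runs a constructed packet stream through a token-bucket throttle per source plus a global ICMP limit and counts the decisions; the policy class, rate values, packet format and addresses (RFC 5737 documentation ranges) are all assumptions made for this example.

```python
"""Containment policy simulator.

Added example, not part of the original playbook: it applies the containment
steps (block identified IPs, let whitelisted IPs through with priority,
throttle everyone else) to a constructed packet stream. The policy class,
rate values and addresses are assumptions made for this example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float      # arrival time in seconds
    src: str       # source IP
    proto: str     # "tcp", "udp" or "icmp"


class TokenBucket:
    """Token bucket: refills `rate` tokens per second up to `capacity`;
    each allowed packet costs one token."""
    def __init__(self, rate, capacity):
        self.rate, self.capacity = rate, capacity
        self.tokens, self.last = capacity, 0.0

    def allow(self, now):
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class ContainmentPolicy:
    def __init__(self, blocklist, whitelist, per_source_rate=5, burst=10, icmp_rate=2):
        self.blocklist = set(blocklist)
        self.whitelist = set(whitelist)
        self.per_source_rate, self.burst = per_source_rate, burst
        self.buckets = {}                                      # per-source throttles
        self.icmp_bucket = TokenBucket(icmp_rate, icmp_rate)   # one global ICMP limit

    def decide(self, pkt):
        """Order matters: block first, then priority for whitelisted sources,
        then protocol and per-source rate limits for everything else."""
        if pkt.src in self.blocklist:
            return "drop_blocklisted"
        if pkt.src in self.whitelist:
            return "accept_priority"
        if pkt.proto == "icmp" and not self.icmp_bucket.allow(pkt.ts):
            return "drop_icmp_ratelimit"
        bucket = self.buckets.setdefault(
            pkt.src, TokenBucket(self.per_source_rate, self.burst))
        return "accept" if bucket.allow(pkt.ts) else "drop_throttled"


def apply_policy(policy, packets):
    """Run every packet through the policy in arrival order; return decision counts."""
    counts = defaultdict(int)
    for pkt in sorted(packets, key=lambda p: p.ts):
        counts[policy.decide(pkt)] += 1
    return dict(counts)


def build_sample_stream():
    """Constructed traffic: one flooding source (20 packets/s for 5 s), a
    blocklisted source, a whitelisted source and an ICMP burst."""
    packets = []
    packets += [Packet(i // 20, "198.51.100.7", "tcp") for i in range(100)]  # flood
    packets += [Packet(0, "192.0.2.9", "tcp") for _ in range(15)]            # identified attacker
    packets += [Packet(0, "203.0.113.5", "tcp") for _ in range(50)]          # whitelisted partner
    packets += [Packet(0, "198.51.100.20", "icmp") for _ in range(6)]        # ICMP burst
    return packets


def run_demo():
    policy = ContainmentPolicy(blocklist=["192.0.2.9"], whitelist=["203.0.113.5"])
    return apply_policy(policy, build_sample_stream())


if __name__ == "__main__":
    print(run_demo())
```

With a per-source budget of 5 packets/s and a burst of 10, the flooding source gets 30 of its 100 packets through and the rest are throttled, while the whitelisted partner is never rate-limited; the same ordering (block, then allow, then limit) is what you would express in perimeter ACLs or router policy, where a mis-ordered whitelist rule silently bypasses the block.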
Investigate how the attack happened and detect its origin
- Use network monitoring on peering and edge links to determine the ingress point of spoofed DoS/DDoS attacks. Data flows from multiple collection points can be correlated to identify the network ingress points of DDoS attacks and quickly determine the attack characteristics.
- Use firewall logs to view the source IP addresses and their geo-locations.
- Investigate the services under DDoS attack by analyzing their logs.
- Work with the ISP to determine whether your IPs or other firms' IPs are the targets under attack, and have the ISP provide a report on the origin of the suspicious IP address ranges.
- Utilize a SIEM and a DPI tool in conjunction with an incident management tool to access incident data enriched with contextual intelligence.
Remove vulnerabilities and eliminate all causes
- If possible, route traffic through a traffic-scrubbing service or product via DNS or routing changes (e.g. sinkhole routing).
- Patch the vulnerability being exploited to enable the attack.
- Rate-limit ICMP traffic to prevent bandwidth exhaustion.
- Configure egress filters to block the traffic your systems may send in response to DDoS traffic (e.g. backscatter traffic), to avoid adding unnecessary packets to the network.
- Take down devices that have been compromised beyond repair.
- Contact your ISP and make sure that it enforces:
  - Filtering (if possible at Tier 1 or Tier 2 level)
  - Traffic scrubbing / sinkhole / clean-pipe / blackhole routing
Recover from the attack and resume normal operations
- Assess the end of the DoS/DDoS situation:
  - Ensure that the impacted services are reachable again.
  - Replace any devices that were compromised beyond recovery.
  - Ensure that the infrastructure performance is back to Dolphin's baseline performance.
- Roll back the mitigation measures:
  - Switch traffic back to the original network.
  - Restart stopped services.
Conduct post incident activities
- Communicate with internal/external user groups, public media, etc.
- Perform forensics to identify the source of the attack and its motivation, e.g. state sponsorship.
- Perform malware analysis if the attack was attributed to malware.
- Identify whether the attackers used a third party (e.g. contractor, client, joint venture) as an attack vector.
- Confirm the mode of the DDoS attack.
- Identify the anatomy of the attack and incorporate the lessons learned to ensure defense against similar attacks.
- Determine whether this attack was a diversion for another type of attack in the background, e.g. injecting an APT into your environment.