Dissecting DDoS Attacks

Introduction

Distributed Denial of Service (DDoS) attacks are designed to prevent or degrade online services.

This blog post will explain, in extremely basic terms, a specific type of attack called a Reflection/Amplification DDoS Attack. This post is not intended to serve as a comprehensive technical guide, but merely a relatively non-technical overview for the novice. We will try to avoid jargon and explain it where we have no alternative.

Motivations

The Underground Economy (UE) is a term used to describe the massive communications and economic infrastructure used by criminals who engage in crime against, and facilitated by, the Internet and its users.

Primarily designed for financial crime, transactions seen in the UE generally tend to shy away from DDoS attacks, after all ‘nobody makes any money if you break the Internet’.

However, DDoS attacks clearly do occur, for some of the following reasons:

Revenge –attacks against a rival, typically to take that person’s shell2 or home connection offline, traditionally part of petty disputes on Internet.

Demonstration – DDoS attacks normally utilize botnets: networks of computers that are all infected with the same virus that are all under the control of one person. DDoS attacks can be used to prove the size and power of a botnet before it is rented or sold in the UE. Many apparently motiveless attacks have been demonstrations with a victim picked essentially at random.

Extortion – a favorite of many Organized Crime groups, DDoS attacks on e-commerce, and legitimate online gambling sites in particular, can yield ransoms of a few tens of thousands of dollars in exchange for allowing the victim site to resume business. Interviews with perpetrators now in prison have confirmed that they will ignore potential victims who ignore their demands and move onto new targets in the hope of engaging in negotiations with them.

Competitive advantage – DDoS services can be rented to take a competitor’s website offline, causing lost business or embarrassment and forcing current or potential customers to use a rival who can often claim plausible deniability for any attack.

Collateral damage –  often many thousands of sites will be hosted on the same server and IP address. An attack on one site will have the effect of taking them all offline. Due to the topology of the Internet, huge attacks will often cripple companies that provide connectivity, well before the attack even reaches the final intended target. Routers can be attacked just as websites and end users can be, resulting in connectivity issues for perhaps millions of users that the attacker had no reason to want to impact.

Combination attacks – one that is only theoretical at this stage, but involving a conventional attack in the real world (bank robbery…) that also disrupts communications links to cause panic and hinder first responders.

Political attacks – now a mainstay of all conventional conflicts, these attacks often involve regular, otherwise law abiding, Internet users or the re-tasking of botnets that are normally engaged in conventional UE activities. These attacks often impact IP addresses in geographic regions or the IP space used by specific function within a government, to further a political cause. Protest attacks are also generally considered to be a form of political attack.

A real ddos attack:

Last week our partner reached out to us about a behavior inside his network. After investigation we found that his network under ddos attack:

2 waves of attacks targeting his network. The first wave reach 3.22gb/s and the second wave reach 2.88 gb/s.

Network Traffic

From the graph below we can see that’s a UDP traffic.

Network Traffic by Ports

From the graph we can see that the sources ports are:

  • 3283: Apple Remote Management Service (arms)
  • 389: Lightweight Directory Access Protocol (ldap)
  • 11211: memcached
  • 123: Network Time Protocol (ntp)

Since the protocol is UDP and based in source ports we can say that’s distributed reflective denial-of-service (DRDoS)

The following is a list of protocols used in this attack and their associated BAFs.

ProtocolBandwidth Amplification Factor
ntp556.9
ldap46 to 55
arms35
Memcached10,000 to 51,000

The graph below show the total bytes received by partner all port combined

Total Traffic

NTP Protocol: Below a graph with top 15 countries source used in this ddos attack where the source port is 123 (ntp):

NTP Total Traffic

LDAP Protocol: Below a graph with top 15 countries source used in this ddos attack where the source port is 389 (ldap):

LDAP Total Traffic

ARMS Protocol: Below a graph with top 15 countries source used in this ddos attack where the source port is 3283 (arms):

ARMS Total Traffic

Memcached Protocol: Below a graph with top 15 countries source used in this ddos attack where the source port is 11211 (Memcached):

Memcached Total Traffic

Conclusion

DDoS attacks have been around almost since the birth of the Internet. Even the volume of traffic not comparable to X Tbps, Our partner was able to handle 3 Gbps.

Whilst the world is distracted, it is clear that criminals are not. Team Cymru can help: we have clueful network engineers and analysts that are able to work with you, at no cost, to help you secure your networks and react to these attacks with no panic, just clueful insight and assistance – reach out to day for details of what we can do for you and your customers. 

Comments are closed.

Up ↑

%d bloggers like this: