Hello, my name is Bruno Cerqueira, I’m a network analyst here at Made4it and today I’m going to explain about DDoS attacks and some ways to protect your company from these attacks.
First of all, it is important to understand what “Denial of Service” means and what are the consequences of this attack. A “Denial of Service” attack is an attempt to make a system’s resources unavailable to its users. Its main targets are WEB servers, Routers, L3 Switches, or any equipment with a public IP.
Two more well-known consequences of DDoS attacks:
> Consume all host resources (such as memory and CPU) so that the system is no longer usable (such as an unavailable WEB server)
> Use all available bandwidth between users and the system, so that the Host does not communicate correctly with the user.
Now that you know what “DoS – Denial of Service” is, you need to know “DDoS – Distributed Denial of Service”, which translates as Distributed Denial of Service, that is, the attack comes from several different sources. DDoS can be commanded from a computer that sends orders to thousands of infected devices, such as computers, cameras, IPTV systems, servers, creating an army of enslaved machines, generating attacks on one or several target IPs. And these compromised equipment are called ‘botnets’, which can steal data, send spam and also carry out DDoS attacks. To better understand what DDoS attacks are, go to this content where we explain what they are and the main reasons for attacks
There are several types of DDoS attacks, the most well-known being:
Distributed Attack:
Its characteristic is an attack originating from different different
locations, with a common destination, with the purpose of consuming all the resources of the destination Host or using all the available bandwidth, so that the Host does not get connectivity with other equipment on the Internet. This type of attack can also affect other company equipment, such as routers and switches on the way to the destination host.
Amplification Attack:
As the name suggests, the purpose of this attack is to amplify the amount of traffic that will arrive on a given network. It is quite common in this type of attack that the source IP of the packet does not match the original IP, known as Spoofing, so the attacker can send thousands of requests to a Server with a forged source IP, causing the Server to respond to the request and sending several responses to a host that has not made any requests from that server. The main point of this type of attack is to use DNS, NTP servers, among others, that can amplify the packet size. If the origin sends a request with 64 Bytes, the server can respond with 640 Bytes for example, amplifying the size of the attack by 10x, making the attack more efficient.
There are still several other types of attacks, some that can abuse a vulnerability of a specific equipment, making it a new equipment to generate attack or it can consume all available resources of that equipment, so that it becomes inoperative for other services.
And now, what do we do to protect the network from these DDoS attacks?
As well as the attacker’s tools, we also have tools and means to protect the provider or the company.
What we need is to mitigate the attack, which consists of protecting the target from DDoS attacks. There are several ways to do the mitigation, among them, there are diversion techniques using routing.
The 2 most used are:
- BGP Routing: We can divert traffic to a mitigation service that will analyze the traffic and allow only legitimate traffic to pass through
- DNS routing: We can point the IP of the mitigation service to the DNS server instead of the real IP. The Mitigation Service will scan traffic and block malicious traffic, redirecting legitimate traffic to the server
Considering routing using BGP, we have some options that the provider or company can use to protect themselves from attacks at the network layer:
- Use of Local Appliance: Detects and directs traffic to a local server for protection.
- Advantage:
- Does not require purchase of Link Protected or Link Clean Pipe
- Advantage:
- IP Advertisement via BGP for Blackhole: Makes an IP unusable on the internet!
- Advantage:
- Does not require purchase of Link Protected or Link Clean Pipe
- Advantage:
- Disadvantage:
- Will stop all browsing and connectivity to the advertised IP for Blackhole
- /24 prefix advertisement for Clean Pipe Link/Mitigation Link/Anti-DDoS Link/Protected Link
- Advantage:
- It will not stop connectivity from any of the IPs on the network
- Advantage:
- Disadvantage:
- Depending on the solution purchased, latency may increase
- Use of 100% protected link
- Advantage:
- Does not require any tools for attack detection
- Advantage:
- Disadvantage:
- Higher costs with the use of protected link
How to ensure that your ISP is not the source of a DDoS attack?
Most attacks are done by Amplification, Spoofing, infected equipment, among others. A good practice is to apply settings and firewall to prevent this from happening within your company, such as:
- Configure Recursive DNS Server, NTP, to respond only to your internal network
- Anti Spoofing Filters (known as RPF)
- Firewall blocking service ports towards residential customers (for ISP cases)
- Participate in the MANRS program, so that your network is monitored from the outside
- Track vulnerabilities through the Qrator website
- Avoid public IP on Local Servers (with network management software), and if you have it, it is always necessary to keep software up to date and a well-implemented firewall protecting the services of these servers
And I cannot fail to mention a tool that can detect attacks and take action to protect your network, Made4Flow. If you want more information, you can consult it here.
Anyway, any network on the internet is subject to DDoS attacks, but it is important to always maintain good operational practices, know the types of attacks and the means to protect yourself, in case you are a victim of this crime one day.
Bruno Cerqueira | CCNA | HCIA | MTCNA | JNCIA