Volume knob
Image: Al Elmes on Unsplash

A typical Distributed Denial of Service attack looks like this: first, infect a large number of machines with malware. You’ll now be able to control those machines, acting as servants in your botnet. When the time is right, send all of the machines under your command the instruction to attack your target. They will now start to send as much data to your target as they can, hoping to overwhelm the target’s bandwidth and server capacity. The result: the targeted website can’t deal with the traffic and is forced offline.

Both attackers and those defending against them are always looking for more effective techniques.  An attacker can dial up the level of onslaught by using amplification. A popular method, which has been around for a number of years, is to abuse the Internet’s address book: the Domain Name System. In a DNS amplification attack, the attacker has their botnet send numerous requests to a DNS server. The source IP address in these requests is faked to look like they came from the intended target, and that’s where the DNS server will send all its responses to. A small request (just ask for all information in a DNS zone) can generate large replies, so for every single request a machine in your botnet does, a much larger volume of data is directed towards your target. Not only does this amplify the magnitude of the attack, easily generating enormous amounts of traffic, but it’s also hard to defend against: if you run a network, you might not really want to cut off communications with the DNS system.

Recently, we’ve been seeing a new approach where hackers are using memcached servers to amplify their attacks. Used properly, a memcached server can speed up your website by storing data in memory, in order to reduce the number of times you need to retrieve information from a database or API. A lot of large websites have deployed memcached servers and, apparently, not all of them are well protected. The concept of a memcached amplification attack is similar: have your botnet send small queries to a vulnerable memcached server, using a fake source IP address. The memcached server will then send large replies back to your target. A 15 byte request can result in a reply of hundreds of kilobytes, amplifying your attack at least 10,000 times. Abusing these servers, hackers have managed to generate DDOS attacks of up to 1.7 Tbps. That’s 1,700,000,000,000 bits per second! Good luck defending against that.

To stop these attacks, we’ll need the people running memcached servers to secure them. Usually, only machines on their local network would need to send requests or receive replies and a firewall should block other attempts to access them. However, it might take a while for every last person running a memcached server to configure it properly. Until then, expect to see a few more huge attacks.

Image: Bas van Schaik, CC BY-SA 3.0, Wikimedia

How to protect your site from DDOS attacks? It’s always been a bit of a cat and mouse game, but with DDOS attacks becoming more and more frequent and troublesome, the Amsterdam Internet Exchange is thinking of new ways to fend them off.

When launching a DDOS attack, a hacker will try to send massive amounts of traffic your way, overwhelming your servers or network capacity. The bad guy in question doesn’t have to be a sophisticated network guru either: you can simply hire a DDOS attack for a few bucks in the darker corners of the Internet. A Dutch guy, recently arrested for taking a number of national banks offline, claims to have spent as little as 40 euros to have his attack performed.

So, how to protect against this? If you can recognise certain patterns in the attack coming your way, you can start by blocking suspicious traffic, either by looking at specific protocols (does anyone from the outside world really need to ping you?) or by looking at IP addresses or ranges that seem to generate excessive traffic. Of course, the culprits will be doing their best to blend in with the regular visitors to your site. A DDOS attack, by nature, comes from many places at once. How to tell your regular users apart from the malicious traffic? Thus, there are limits to this approach.

Another way to deal with the issue, is to extend your capacity. Either by setting up more servers and bandwidth, or by going into the cloud. A cContent Delivery Network like Akamai has their servers set up all over the world and could help you handle massive amounts of traffic. Of course, there’s an upper limit to this as well, and many businesses (like banks) would not be happy having their customers’ sensitive data stored by someone else.

Back to the Amsterdam Internet Exchange (AMS-IX) and their Trusted Networks Initiative. The Internet exchange is a peering point: a place where a large number of Internet Service Providers, mobile operators and hosting providers connect their networks with one another, and the rest of the world, to exchange traffic. The idea of the Trusted Networks Initiative is to create a kind of safe haven, a seperate network (or VLAN), where trusted ISP’s and companies can connect. When a DDOS attack takes place, this trusted network would be disconnected from the outside world, but people within the trusted network could still communicate with each other. Typically, a large DDOS attack would originate from a foreign country. By closing off the trusted network, the attack from outside would be blocked, while people connected to a trusted Dutch ISP would still be able to contact their banks or other important services. A bit like a storm surge barrier for the Internet! Once the ‘storm’ has passed, the trusted network could be opened again to the outside world.