In late July we were approached by a government agency of a Latin American country who was suffering from an over-a-month long campaign of DDoS attacks they had so far failed to mitigate. Each of the attacks lasted for several hours at a time –sometimes multiple times a day – making it through their existing DDoS protection device and right into the headlines of the local press.
The attacks came in different waves, targeting the communication channels for individuals as well as the agency branches, preventing electronic and virtual transactions and resulting in an unknown extent of reputational and financial losses.
Radware’s ERT DDoS warriors have been fighting these waves of attacks ever since onboarding this agency to our Emergency Mitigation Service. The first action was to divert the traffic to our scrubbing center for cleaning so the packets that arrive at the organization’s network are only legitimate requests, thus protecting their user experience. For a short time after the diversion was made, we saw multi-vector attacks at rates of 1Gbps-4Gbps that we successfully mitigated.
However, at a certain point there has been a significant escalation in the campaign patterns. The attackers probably figured these volumes are not capable of causing an outage and started ramping up the assaults with a combination of 36Gbps-88Gbps fragmented and reflection attacks. While these volumes are not the highest the world has seen, they are still on the very high end for a single reflective hit and could easily saturate any network pipe and knock down any firewall or DNS server.
Behavioral Analysis for Surgical Mitigation
These attacks are comprised of multiple vectors including SYN floods, UDP floods, ICMP floods with high rate UDP fragmented and DNS/NTP reflection attacks. DNS reflection was the primary attack vector that turned highly effective when the attacks began. Each wave was comprised of a quite similar vector blend, leading us to believe these are the same attackers using probably the same tools – a signal for determination and persistency. Due to the high volumes – while the customer internet link was of a relatively low capacity – it required a surgical intervention of our experts to protect the DNS server and also make sure the legitimate traffic is recognized and let through. This could not have been achieved without a behavioral analysis of the regular users’ traffic patterns on one hand and monitoring the changes in the attack traffic as it progressed.
Security experts from Radware’s Emergency Response Team (ERT) performed a thorough investigation, worked in real-time with the customer to challenge the attacking IPs and identify each of the additional vectors, and manually configured supplemental protections, which significantly improved our ability to mitigate the attack. These efforts proved effective and subsequent attack waves have been fully mitigated with no apparent or reported impact to the customer services.
Four steps for complete protection against spoofed IP DNS reflection attacks:
The nature of this attack demonstrates the limitations of rate limiting approach for DDoS mitigation, as well as of an on premise based solution only.
- Hybrid DDoS Protection – Against volumetric attacks, the only way to secure the service SLA is a hybrid DDoS protection solution with identical technologies on-site and in-the-cloud. Such a design facilitates automatic diversion to a cloud-scrubbing center when the internet link is saturated.
- Behavioral Analysis – When the attackers use a wide range of dynamically changing spoofed IPs, there is no way for signature based solutions that rely on IP reputation to determine what is a legitimate request and what isn’t, leading to a significant amount of false positives. Behavioral analysis of the traffic done by auto-learning algorithms creates and updates baselines as well as signatures thus combining positive and negative security models for the highest rate of detection and best SLA protection.
- Automation – plays a great role in adaptively identifying traffic patterns and anomalies and initiate DDoS mitigation and diversion when needed as well as developing new signature in real time.
- An expert team – as DDoS attacks are becoming more complex, and attackers do not simply use multiple vectors but monitor the attack closely and make necessary adjustments during a campaign, the challenge to unexperienced organizations with limited task force and expertise is greater.
Simply put: DDoS attackers call for DDoS defenders.
Read “Top 9 DDoS Threats Your Organization Must Be Prepared For” to learn more.