DDoS

Most archaic forms of attack can now be thwarted automatically!!

DDoS is a denial-of-service attack launched through distributed, diverse machines from all over the globe or a region. It rapidly sends a huge volume of data in small pieces to a targeted system, congesting its network bandwidth and eating up resources such as CPU cycles, which affects the system’s availability and disrupts the organization’s operations.

Why is this attack used widely?

  1. DDoS is the simplest way to stop services from serving legitimate traffic. The attack is so straightforward that there is no need to develop specially crafted payloads and no need to search extensively for attack vectors.
  2. The only two requirements for this attack are a botnet and a command and control center to command all these bots.
  3. This kind of attack costs the target a lot in operations, as services are down for long periods because of the sheer magnitude of the attack.

What is a botnet?

  1. A botnet is a collection of devices infected by malware that communicates with the command and control center.
  2. The devices vary widely, including DVD players, IoT devices, old/legacy computers, mobile phones, etc. Anything that can connect to and communicate over the internet can be infected and included in a botnet.
  3. These devices have low security and only basic internet capability, with a processor sized for their intended use. Once a weakness has been exploited, they can be reprogrammed or repurposed to do the attacker’s bidding.

CloudFlare the HERO!

Cloudflare defeated the world’s biggest DDoS attack in the month of September. The attack peaked at 3.8 Tbps, and the cream on top is that the mitigation was achieved automatically; they implemented various techniques to achieve this. Below we will explore what little information Cloudflare has shared publicly. No one will share their secret sauce out in the open.

Where did the traffic originate from?

  1. As this was a DDoS attack, the traffic originated from various devices ranging from DVD players, thermostats, vacuum cleaners and TVs to infected computers.
  2. The traffic mainly originated from Vietnam, Russia, Brazil, Spain, and the US.
  3. ASUS home routers were the major contributors to this attack, as they had a severe vulnerability rated 9.8 (Critical) that was recently discovered by Censys.
  4. The attack utilized the fastest protocol, one that works without any acknowledgment: User Datagram Protocol (UDP) packets.

Mitigation Techniques used by Cloudflare:

  1. Not so secret - Anycast:
    1. Anycast is a network routing method in which incoming traffic is sent to its nearest serving point (content delivery network, CDN), e.g. an infected DVR in Dallas, Texas will send packets to a Cloudflare server in Dallas, and an infected webcam in London will send packets to a Cloudflare server in London.
    2. A large proportion of traffic on the Cloudflare network does not consume bandwidth symmetrically, i.e. the size of a request is small compared with the response, which leaves spare inbound capacity for absorbing attack packets.
    3. This helps with handling the sheer magnitude of incoming packets, as the packets are distributed across the whole network. In the next step we will see how they manage to identify and drop the bad packets.
  2. Generating real-time signatures to block attacks:
    1. l4drop: l4drop enables executing custom code in kernel space and processing (dropping, forwarding, or modifying) each packet directly at the network interface card (NIC) level. This component helps the system drop packets efficiently without consuming excessive CPU resources on the machine.
    2. eBPF: eBPF is a revolutionary technology with origins in the Linux kernel that can run sandboxed programs in a privileged context such as the operating system kernel. It is used to safely and efficiently extend the capabilities of the kernel without requiring changes to the kernel source code or loading kernel modules.
    3. XDP: XDP is used to sample packets and look for suspicious attributes that indicate an attack. The samples include fields such as the source IP, source port, destination IP, destination port, protocol, TCP flags, sequence number, options, packet rate, and more.
    4. Dosd: This analysis is conducted by the denial of service daemon (dosd). Dosd holds Cloudflare’s secret sauce. It has many filters that instruct it, based on curated heuristics, when to initiate mitigation.
    5. As it receives samples from XDP, dosd generates multiple permutations of fingerprints for suspicious traffic patterns. Then, using a data streaming algorithm, dosd identifies the most optimal fingerprints to mitigate the attack. Once an attack is qualified, dosd pushes a mitigation rule inline as an eBPF program to surgically drop the attack traffic. Stopping all the bad traffic at the entrance consumes few resources; this is a very fast and efficient process.
    6. A heroic feature: when a signature is generated for bad traffic at any point in the distributed network (traffic that may be a DDoS or any other malevolent behavior), the servers have the ability to gossip with each other, that is, they share the signature across the network. This minimizes the impact of the DDoS because the rules to drop the packets are already in place elsewhere.
    7. The Advanced TCP Protection system and Advanced DNS Protection system work alongside Cloudflare’s dynamic fingerprinting to identify sophisticated and highly randomized TCP-based DDoS attacks, and also leverage statistical analysis to thwart complex DNS-based DDoS attacks.
    8. They have also incorporated real-time threat intelligence into their DDoS prevention arsenal for network profiling, which helps determine bad packets and categorize bad network actors.
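To make the fingerprinting step concrete, here is a small added illustration (my own toy code, not Cloudflare's dosd or any published algorithm) of how a daemon could turn XDP samples into a drop rule: enumerate field combinations as candidate fingerprints, keep only those that cover most of the suspicious window while matching almost nothing in a pre-attack baseline, and prefer the cheapest safe rule. The packet records, thresholds and traffic below are all constructed for the example.

```python
from collections import Counter
from itertools import combinations

# A subset of the per-packet fields the post lists as XDP sample attributes.
FIELDS = ("src_ip", "dst_port", "protocol", "length")

def candidate_fingerprints(samples, fields=FIELDS):
    """Count how many sampled packets share each (field, value) combination."""
    counts = Counter()
    for p in samples:
        for r in range(1, len(fields) + 1):
            for combo in combinations(fields, r):
                counts[tuple((f, p[f]) for f in combo)] += 1
    return counts

def choose_fingerprint(window, baseline, min_share=0.8, max_collateral=0.05):
    """Pick the fingerprint that covers at least min_share of the suspicious
    window while matching at most max_collateral of the known-good baseline.
    Ranking: least collateral, then widest coverage, then fewest fields
    (a shorter rule is cheaper to evaluate inline); ties keep the first seen."""
    hits, base = candidate_fingerprints(window), candidate_fingerprints(baseline)
    ok = []
    for fp, n in hits.items():
        share, collateral = n / len(window), base.get(fp, 0) / len(baseline)
        if share >= min_share and collateral <= max_collateral:
            ok.append((collateral, -share, len(fp), fp))
    return min(ok, key=lambda t: t[:3])[3] if ok else None

def matches(p, fingerprint):
    return all(p[f] == v for f, v in fingerprint)

def filter_packets(pkts, fingerprint):
    """Model of the inline drop rule: return only the packets that survive."""
    return [p for p in pkts if not matches(p, fingerprint)]

def pkt(src_ip, dst_port, protocol, length):
    return {"src_ip": src_ip, "dst_port": dst_port, "protocol": protocol, "length": length}

# Constructed traffic using RFC 5737 documentation addresses, not real captures.
# Baseline: normal HTTPS/HTTP/DNS mix, including one large TCP segment.
BASELINE = [pkt(f"198.51.100.{i}", 443, "tcp", n)
            for i, n in enumerate((500, 600, 700, 800, 900, 1400))] + [
    pkt("198.51.100.20", 80, "tcp", 600), pkt("198.51.100.21", 80, "tcp", 600),
    pkt("198.51.100.30", 53, "udp", 80), pkt("198.51.100.31", 53, "udp", 80)]
# Suspicious window: a UDP flood at port 80 from many sources, plus two legitimate packets.
WINDOW = [pkt(f"203.0.113.{i}", 80, "udp", 1400) for i in range(1, 9)] + [
    pkt("198.51.100.40", 443, "tcp", 1400), pkt("198.51.100.41", 443, "tcp", 300)]

if __name__ == "__main__":
    rule = choose_fingerprint(WINDOW, BASELINE)
    print("rule:", rule, "| survivors:", len(filter_packets(WINDOW, rule)))
```

Note that single-field rules such as "UDP" or "port 80" are rejected here because each also matches baseline traffic; the selected rule combines the two so that the legitimate DNS and HTTP packets pass.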

Reference:

  1. https://blog.cloudflare.com/how-cloudflare-auto-mitigated-world-record-3-8-tbps-ddos-attack/

That is it, Folks! 😁

Feel free to correct me or connect with me on any of the social platforms. See you next week!