The Outlook of DDoS Threats in 2015

An Introduction to Temporal Lensing

The Panzerhaubitze 2000 is a 155 mm self-propelled howitzer capable of Multiple Rounds Simultaneous Impact (MRSI). Essentially, the artillery shells are fired with different trajectories, but all impact the target concurrently. How is this type of artillery related to denial-of-service attacks?

Well, as released in a new research study titled “Temporal Lensing and Its Application in Pulsing Denial-of-Service Attacks,” it is possible to perform a similar distributed denial-of-service (DDoS) attack that uses timing to ensure simultaneous arrival of IP packets. The authors term this temporal lensing and claim it is a potential new class of attack, especially if combined with amplification attacks. Amplification attacks result in the multiplicative creation of new packets in an asymmetric sense. Can you see the lens below?

Note that this attack hasn’t yet been seen in the wild. But if history is a teacher, it’s only a matter of time before it does.

JavaScript Injection DDoS, or the Great Firewall of China

In April 2015, we witnessed a massive denial-of-service attack against the code-sharing site GitHub via China’s Internet backbone — specifically China Unicom, a major service provider in China.

This represented a new class of attack utilizing JavaScript injection and the users of Baidu (the fourth-largest website in the world, as per the Alexa Internet ratings) to attack Github. Essentially, every visitor to Baidu had JavaScript silently injected into their browser sessions. This resulted in two Web pages being requested from Github for every Baidu visit. Unbeknownst to the users, they were participants in a massive attack against GitHub.

This is a powerful new vector. If your infrastructure becomes the target of a large population of Web surfers, you’d better be prepared for the onslaught. Imagine for a moment what would happen if every Google visitor also started hitting your site with traffic. Ouch!

Denial of Service via BitTorrent

You all remember the classic Smurf and Fraggle attacks from the 1990s, right? For those of you not schooled in the basics, this was an attack that relied on amplification of data — in this case, ICMP (for the Smurf attack) and UDP port 7 (for the Fraggle attack). In both instances, the protocol was the underlying weakness. Many computers would respond when only one computer made a small request.

As it turns out, we have a new threat vector in the BitTorrent protocol that is being termed distributed reflective denial-of-service (DRDoS). Again, we have a protocol that allows for the amplification attacks. As described in a recent research paper, BitTorrent and BTSync protocols can enable DRDoS attacks using an amplification mechanism.

Some characteristics of the DRDoS attack vector include the fact that:

  1. It is anonymous. Because it utilizes UDP, it is entirely spoofable.
  2. It can be initiated by a single computer but still generate a tremendous amount of traffic coming from multiple sources on the BitTorrent network.
  3. It amplifies the original packet very well. The researchers state that the amplification factor can be as much as 120 times.

Recommendations

I hate to present threats without also providing solutions, but in the case of DDoS, it really requires an in-depth consultation to ensure you’ve got your bases covered. Recommendations depend on the threat level for your organization, your risk appetite, your desire to be actively involved, the degree to which you can sustain any downtime, etc.

To complete a comprehensive DDoS defense strategy, the following questions need to be answered:

  • Have you already been attacked?
  • If so, how did you resolve that situation?
  • Do you know the motivations and persistence of the attackers?
  • Are you willing to be up at 3 a.m. and solve an outage over the next 72 hours?
  • What are the technical characteristics of the attacks?

Additionally, some of the following technologies need to be considered as part of your architecture decisions:

  • Scrubbers versus content delivery networks;
  • ISP-based defenses versus on-premises;
  • TLS keys and related regulatory and compliance concerns;
  • Web application firewalls (WAF); and
  • Global load balancing.
Contributor'photo

Andrew Lemke

Security Strategist, IBM

Andrew Lemke has been involved with information security for 15 years in nearly every area knowledge domain. He is also...