DDoS attacks and defense mechanisms

1
DDOS ATTACKS AND DEFENSE MECHANISMS
2

• In a Denial of Service (DoS) attack, an adversary
  prevents internet users from getting access to
  some service or information. DoS attacks began in
  Internet Relay Chat (IRC) channels. Back then,
  attackers used them to knock users off an IRC
  channel. DoS tools have evolved a great deal in
  the past few years, and evolved into distributed
  denial of service attacks (DDoS) by using
  multiple agents, from multiple locations. The
  attack mechanisms have pretty much stayed the
  same, which usually fall into one of the
  following two categories
• vulnerability attacks
• flooding attacks
• In this blog post we will take a look at DoS and
  DDoS attacks and Instart Logics defense
  mechanisms against them.
• Vulnerability Attacks
• In vulnerability attacks, adversaries take
  advantage of a vulnerability in the software to
  crash it and deny service to legitimate users.
  Vulnerability attacks have been common for quite
  a while. For example, in the 90s attackers
  exploited vulnerabilities in Windows TCP/IP
  stack by crafting and sending packets that would
  make the system run out of memory. Their goal in
  launching these attacks was simply to knock IRC
  users off the channel by crashing their systems.
• Even though software gets continually patched and
  updated, new vulnerabilities are discovered every
  day. However, the difficulty of finding
  vulnerabilities and crafting the packets to
  launch the attack have made flooding attacks a
  more popular alternative.

3

• Flooding Attacks
• The idea behind a flooding attack is quite simple
  attackers send many requests to a target
  service, which attempts to track each of the
  requests as a transaction. As the flood of
  packets keeps coming in, the targeted resources
  get depleted and can no longer respond to
  legitimate traffic. Flooding attacks are divided
  into two categories
• volumetric or Layer 3/4 attacks that target the
  network infrastructure
• application layer or Layer 7 attacks that target
  the web server
• Flooding attacks have been the most successful
  and prevalent type of attacks in past few years.
  The distributed nature of the attacks, along with
  the sheer quantity of agent machines, make it
  impossible for any defense mechanism to discern a
  specific attacker. Employing IP Spoofing
  techniques makes flood traffic look as if it's
  coming from various different sources and makes
  it very hard to block.
• Volumetric Attacks
• These attacks sometimes target bandwidth, and
  other times target routers, load balancers and
  firewalls. They get measured as bits per second
  or packets per second. Some specific volumetric
  attacks are
• DNS reflection attack  the attacker sends DNS
  requests to third-party DNS servers, while
  spoofing the source IP address and pretending
  that the requests came from the victim. The
  requests that the victim sends usually involve
  amplification meaning the requests will result
  in a much larger response. An example is a DNS
  ANY request, which ask the DNS server for all
  information that it currently knows about the
  domain where the mail servers are (MX records),
  what the IP addresses are (A records), and so on.
  This maximizes the size of the response sent to
  the victim. When the DNS servers send their
  disproportionately large response to the spoofed
  source, it results in a huge amount of traffic
  flooding the victim.

4

• SYN flood attack  the attacker sends a flood of
  SYN packets to the victims server while spoofing
  the source IP address, pretending to be sent from
  someone else. The victims server sends back the
  SYN-ACK message to the sender and never receives
  an ACK message. The half-open connections created
  on the server eventually cause the server to run
  out of resources, making it unable to respond to
  any requests, including legitimate requests.
• Smurf attack  the attacker uses
  specially-crafted packets with the victims IP as
  the source IP and sets the destination to the
  broadcast address of a large network. All of the
  responses from all of the hosts on that network
  get sent back to the victim, overwhelming their
  network and servers.
• Application Layer DDoS Attacks
• Application layer attacks happen with the goal of
  disrupting transactions or accessing a database
  by sending a lot of seemingly legitimate requests
  on Layer 7. The attack traffic looks very similar
  to legitimate traffic and it makes it extremely
  difficult to mitigate these attacks.
• AppShield from Instart Logic
• AppShield Security Suite offers defense
  mechanisms against all kinds of DDoS attacks.
• Leveraging Anycast technology, our global network
  of datacenters can mitigate against large
  volumetric attacks. The global network inherently
  defuses large DDoS attacks that are commonly
  seen, especially during holiday shopping seasons.
  During the 2015 Black Friday shopping season we
  successfully mitigated a 110Gbps attack without
  any problems. We have also partnered
  with Verisign, one of the worlds largest
  scrubbing centers, which can scale on demand to
  provide customers with an extra level of
  protection.

5

• AppShield helps customers mitigate Layer 7
  attacks both through our partnership
  with Verisign and also using a variety of defense
  mechanisms such as
• Web Application Firewall rules enable customers
  to block attack traffic and protects against
  server-side vulnerabilities
• Managed Security Service provides customers with
  security operations center that monitors their
  web application 24/7 and identifies and blocks
  all security threats
• IP/User Agent/Geo location blocking and
  throttling enables customers to block or throttle
  traffic from any IP addresses, User Agents or
  geographical locations they have identified as
  malicious
• IP Reputation Feed allows our customers to use IP
  Reputation data to block/throttle traffic from
  low-reputation sources
• Bot or Not identifies traffic originating from
  non-legitimate clients and blocks or throttles
  it. Bot or Not is powered by our
  Nanovisor technology which gives us intelligence
  about the browser, device and application
  behavior.

6
Instart Logic is the worlds first endpoint-aware
application delivery solution that makes websites
and applications fast, secure, and easy to
operate.
Interested in learning more? Preview our image
optimization capabilities in the Playground
Contact Sales