DDoS Threat Landscape
The latest DDoS threat landscape reports indicate that Application Layer DDoS attacks increased by over 80% year-over-year. DDoS attacks occur when multiple compromised systems flood the connectivity or resources of targeted systems. The attacker's goal is to render legitimate traffic ineffective, disrupting services for victims. Application-Layer DDoS targets the layer of a service that end users interact with, inundating the service with far more requests (valid and invalid) than it can handle.
Cyber criminals gravitate towards these types of attacks since it takes very few resource cycles to craft and send requests compared to the resources the targeted systems consume to respond. Additionally, these requests resemble legitimate traffic, making them harder to detect.
DDoS Attack Traffic
There are several approaches used in Application-Layer DDoS attacks. One of the more common techniques is Flooding, which includes HTTP PUT/GET Requests and DNS Query Floods. These techniques have been used in some of the most damaging DDoS campaigns, such as Mirai. Mirai is an IoT botnet that can launch large-scale DDoS attacks by exploiting vulnerabilities of poorly secured IoT devices. Mirai's source code was released to the public in 2016 by its author, allowing anyone to create their own botnet anywhere. The code included ten types of attacks, each configurable through several variables.
HTTP GET, HTTP POST and DNS Query Flood Attacks
HTTP Flood attacks are difficult to detect because unlike other types of DDoS attacks, they do not require spoofing, malformed packets, delayed exchanges, or reflection techniques. Furthermore, malicious HTTP requests are difficult to distinguish from legitimate ones, increasing the detection challenge.
HTTP GET Flood is a very versatile attack with a high amplification factor. When launched directly against the running application using standard URL requests, it cannot simply be detected and blocked. Attackers repeatedly request legitimate HTTP content, overwhelming the target and preventing it from serving legitimate users and requests.
There is also an interesting amplification factor involved in HTTP GET attacks. A bot can trigger a significant amount of traffic from the target server with just a few bytes of HTTP GETs and their corresponding TCP ACKs (acknowledgements of received data).
HTTP POST is another flooding attack that tends to be more resource exhaustive. It may include parameters that trigger complex processing on the target server.
DNS Query Flood has also been used in damaging Mirai attacks quite effectively. These attacks are based on the premise that the target DNS server(s) will have to consume resources replying to these queries. The queries can target the DNS Recursive Resolver, and depending on deployed DNS infrastructure, this may impact more DNS servers. Since DNS infrastructure is inherently hierarchical, DNS Query Floods may impact not just a single nameserver but potentially many, disrupting internet-wide services.
Sample DNS Query Flood Sequence
DNS “Water Torture” attacks exploit this vulnerability by creating invalid requests. These requests force DNS infrastructure to exhaust more cycles and resources, ultimately causing denial of service for legitimate requests. These types of attacks may take many forms, including:
Nonexistent DNS Pseudo Random SubDomain (PRSD). The Mirai botnet was used to launch a type of DNS Query Flood called “DNS Water Torture” targeting DNS server(s), which must respond to their legitimate query workload in addition to a high rate of queries for a given domain prepended with a randomly generated subdomain.
Nonexistent DNS domain. Nonexistent domains under many extensions may be queried, which results in further queries at the Root and Top-Level Domain (TLD) servers.
Nonexistent reverse IP look up. In this type of DDoS attack, DNS “PTR” records are queried for a name associated with a nonexistent IP address. PTR records are the inverse of “A” or “AAAA” records, mapping an IP address back to a name; querying them for unassigned addresses produces a nonexistent reverse look up.
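As an added illustration (not from the original post) of how a defender might spot the PRSD form described above in resolver query logs: queries are grouped by parent zone, and a zone is flagged when it carries many queries with a high NXDOMAIN ratio and high-entropy leftmost labels. The log format, the two-label zone key and the thresholds are assumptions; the log lines are constructed.

```python
import math
from collections import defaultdict

# Constructed resolver log lines (assumed format): client qname qtype rcode.
# One PTR query is included to show the minimum-count threshold in action.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A NOERROR
10.0.0.7 mail.example.com A NOERROR
10.0.0.9 x7q2kd9mz1.example.com A NXDOMAIN
10.0.0.9 p03nfa8cmw.example.com A NXDOMAIN
10.0.0.9 zq9v1lmbt2.example.com A NXDOMAIN
10.0.0.9 kd7wq0s8ry.example.com A NXDOMAIN
10.0.0.9 a8hm2zv5cx.example.com A NXDOMAIN
10.0.0.9 t61pqrz0yn.example.com A NXDOMAIN
10.0.0.9 g4bj3ue9hk.example.com A NXDOMAIN
10.0.0.9 rs2y8vdq7o.example.com A NXDOMAIN
10.0.0.11 4.3.2.1.in-addr.arpa PTR NXDOMAIN
"""

def label_entropy(label):
    """Shannon entropy (bits per character) of a DNS label; random labels score high."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parent_zone(qname):
    """Crude zone key: the last two labels (assumption: no public-suffix list used)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def detect_water_torture(log_text, min_queries=5, nx_ratio=0.8, min_entropy=2.5):
    """Return {zone: stats} for zones whose query pattern looks like a PRSD flood."""
    per_zone = defaultdict(lambda: {"total": 0, "nx": 0, "labels": set(), "ent": []})
    for line in log_text.splitlines():
        _client, qname, _qtype, rcode = line.split()
        z = per_zone[parent_zone(qname)]
        z["total"] += 1
        z["nx"] += rcode == "NXDOMAIN"
        first = qname.split(".")[0]          # the randomly generated prepended label
        z["labels"].add(first)
        z["ent"].append(label_entropy(first))
    flagged = {}
    for zone, z in per_zone.items():
        ratio = z["nx"] / z["total"]
        avg_ent = sum(z["ent"]) / len(z["ent"])
        if z["total"] >= min_queries and ratio >= nx_ratio and avg_ent >= min_entropy:
            flagged[zone] = {"queries": z["total"], "nxdomain_ratio": round(ratio, 2),
                             "distinct_labels": len(z["labels"])}
    return flagged
```

Real deployments would key on the registered domain (public-suffix aware) and evaluate the statistics per time window so a burst stands out from the baseline.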
Validating Cyber Defenses with DDoS Attack Emulations
Spirent CyberFlood includes Application-Layer Flood attacks, HTTP GET/PUT and DNS Query as part of Advanced Mix Traffic (AMT) Test Builder. Incorporating these DDoS attacks as part of AMT enhances flexibility and control for emulating various flooding scenarios.
For example, the AMT Traffic Mix Action Lists provide granular control over crafted requests (request sizes, ciphers, etc.) while the AMT Subnet Custom Load Specification allows granular control over the volume of generated malicious and legitimate traffic as well as the flexibility to define the bursty nature of DDoS traffic patterns.
Furthermore, users can specify the IP ranges corresponding to specific countries using the global IPs from a world view map to simulate DDoS vectors originating from various countries. A configuration and reporting example for traffic emulation is provided below, showcasing legitimate HTTP and DNS traffic alongside HTTP GET/PUT and DNS Query Flooding.
Sample CyberFlood Application Flooding DDoS Configuration
CyberFlood AMT reporting includes a granular load graph as well as a separate section for DDoS protocol statistics:
Sample CyberFlood Application Flooding DDoS Report
To illustrate the flexibility of CyberFlood DDoS – AMT, we will focus on emulating the three categories of DNS Query Flood – Water Torture.
To configure nonexistent domains, we modify the DNS Query Flood Profile and Action List to include entries for nonexistent top-level domains. In this case, the Action List code generates random alphanumeric strings for the subdomain (50 letters and 4 numbers) at run time. Sample Action List code and PCAP are shown below:
Sample CyberFlood Action List and PCAP for DNS NXDOMAIN DDoS Flood Attack (AKA Water Torture)
To configure DNS Query Flood with PRSD Water Torture, we can modify the DNS Query Flood Profile and Action List to include nonexistent, randomly generated subdomains in the domain being attacked. Sample PCAP is shown below:
Sample CyberFlood generated PCAP for DNS PRSD DDoS Flood Attack (AKA Water Torture)
Finally, to configure nonexistent reverse IP look ups (DNS PTR Records), we update the DNS Query Flood Profile and Action List to target IP addresses that are currently not assigned. See sample PCAP for reference:
Sample CyberFlood generated PCAP for DNS PTR DDoS Flood Attacks (AKA Water Torture)
Learn how Spirent security testing solutions help assess the performance and security posture strength of your organization’s networks and network devices with the recently released CyberFlood DDoS in Advanced Mix Traffic test builder.