What You Need to Know
On March 21, 2024, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released joint distributed denial-of-service (DDoS) attack guidance for federal, state, local, tribal, and territorial government entities. It is intended as a comprehensive resource addressing the specific needs and challenges government agencies face in defending against DDoS attacks.
Distributed denial-of-service attacks typically originate from multiple sources, which makes them difficult to trace and makes it difficult to effectively block the attacking internet protocol (IP) addresses. If successful, they can stop employee access to network resources, block ecommerce transactions on external-facing websites, and shut down access to customer support. All of this can have a harmful impact on your organization’s critical operations, your profits, and your brand and reputation.
The MS-ISAC guide provides an overview of the denial-of-service (DoS) and DDoS landscapes, including attack types, motivations, and potential impacts on government operations, as well as practical steps on implementing preventative measures, and incident response for each of the defined DDoS and DoS technique types. Additionally, it highlights why it is important for organizations to focus their planning efforts on emerging DDoS trends and technologies to better defend against malicious DDoS activity.
DoS and DDoS are Not the Same
A DoS and a DDoS attack are similar in that they both aim to disrupt the availability of a target system or network. However, there are key differences between the two.
DoS Attack: A DoS attack involves a single source used to overwhelm the target system with a flood of traffic or resource-consuming requests. The malicious actor typically uses one computer or a small number of computers to generate the attack. The goal of a DoS attack is to render the target system unavailable to its intended users and deny them access to resources or services.
DDoS Attack: A DDoS attack involves multiple sources. Often, a multitude of computers, assembled into groups known as botnets, are coordinated to launch the attack. Each machine in the botnet sends a flood of traffic or requests to the target system simultaneously, amplifying the impact. Because of this distributed nature, a DDoS attack is harder to defend against than a DoS attack. The main advantage of a DDoS attack over a DoS attack is the ability to generate a significantly higher volume of traffic, overwhelming the target system’s resources to a greater extent. DDoS attacks can also employ techniques such as IP spoofing, in which the malicious actor manipulates the source IP address, and botnets to disguise the origin of the attack and make it more difficult to trace back to them.
In terms of impact, both DoS and DDoS attacks can disrupt the availability of a targeted system or network, leading to service outages, financial losses, and reputational damage.
Types of DDoS Techniques
Volume-Based Attacks: These attacks aim to consume the available bandwidth or system resources of the target by overwhelming it with a massive volume of traffic. The goal is to saturate the network or exhaust the target’s resources, rendering it unable to handle legitimate requests.
Protocol-Based Attacks: These attacks exploit vulnerabilities in network protocols or services to disrupt the target. By focusing on weak protocol implementations, the malicious actor can degrade the target’s performance or cause it to malfunction. Protocol-based DDoS attacks typically target Layers 3 (network layer) and 4 (transport layer) of the Open Systems Interconnection (OSI) model.
Application Layer-Based Attacks: These attacks target vulnerabilities in specific applications or services running on the target system. Instead of overwhelming the network or system resources, application layer attacks exploit weaknesses in the targeted application, consuming its processing power or causing it to malfunction. Application-based DDoS attacks target Layer 7, the application layer, of the OSI model.
These categories are not mutually exclusive, and malicious actors can combine multiple techniques to launch sophisticated DoS and DDoS attacks. Additionally, new attack methods and variations constantly emerge as malicious actors adapt and evolve their tactics, techniques, and procedures (TTPs).
Recommended Mitigations for DDoS Attacks
The Multi-State Information Sharing and Analysis Center (MS-ISAC) discusses the common methods and techniques that cyber threat actors (CTAs) use to generate an effective DDoS attack. The MS-ISAC also provides recommendations for defending against a DDoS attack.
The following generic recommendations for DDoS mitigation can reduce the impact of attempted DDoS attacks and enable a faster response when successful DDoS attacks occur.
- Establish and maintain effective partnerships with your upstream network service provider and know what assistance they can provide you in the event of a DDoS attack. In the case of a DDoS attack, the faster a provider can implement traffic blocks and mitigation strategies at their level, the sooner your services will become available for legitimate users.
- Consider also establishing relationships with companies that offer DDoS mitigation services.
- If you are experiencing a DDoS attack, provide the attacking IP addresses to your upstream network service provider so they can implement restrictions at their level. Keep in mind that Reflection DDoS attacks typically originate from legitimate public servers. It is important to ascertain to whom an IP belongs when examining network logs during an attack. Use tools such as the American Registry for Internet Numbers (ARIN) (https://www.arin.net) to look up the source IPs involved in the attack. Otherwise, you may block traffic from legitimate networks or servers.
- Enable firewall logging of accepted and denied traffic to determine where the DDoS may be originating.
- Define strict TCP keepalive and maximum-connection limits on all perimeter devices, such as firewalls and proxy servers. This recommendation helps keep SYN flood attacks from being successful.
- Consider having the organization’s upstream network service provider implement port and packet size filtering.
- Establish and regularly validate public-facing websites’ baseline traffic patterns for volume and type.
- Apply all vendor patches after appropriate testing.
- Configure firewalls to block, at a minimum, inbound traffic sourced from IP addresses that are reserved (0/8), loopback (127/8), private (RFC 1918 blocks 10/8, 172.16/12, and 192.168/16), unassigned DHCP clients (169.254.0.0/16), multicast (224.0.0.0/4) and otherwise listed in RFC 5735. This configuration should also be requested at the ISP level.
- Tune public-facing server processes to allow the minimum number of processes or connections necessary to conduct business effectively.
- Configure firewalls and intrusion detection/prevention devices to alarm on traffic anomalies.
- Configure firewalls only to accept traffic detailed in your organization’s security policy as required for business purposes.
- Consider setting up out-of-band access (internet and telephony) to an incident management room to ensure connectivity in the event of a DDoS attack that disrupts normal connectivity.
- Ensure all software is up to date, as vulnerabilities that could allow your servers to be used for attacks against other victims are often patched by software updates.
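Several of the recommendations above (log accepted and denied traffic, identify the attacking sources before handing them to your upstream provider, drop inbound traffic from reserved and private ranges, and alarm on deviations from a traffic baseline) come together in a simple log triage. The script below is an added example, not code from the MS-ISAC guide or from Infoblox. It runs over constructed sample firewall log lines in a simplified, made-up format; the baseline value and the alarm factor are assumptions chosen for the illustration. Sources that fall in the reserved ranges listed above are reported separately, because they can never legitimately arrive from the Internet and are a classic spoofing indicator, while routable sources are ranked by volume so ownership can be checked (for example via ARIN) before they are reported upstream.

```python
"""Firewall log triage during a suspected DDoS (added example, constructed log format)."""
import ipaddress
import re
from collections import Counter

# Ranges named in the guidance (RFC 1918 and RFC 5735 special-use space) that
# must never appear as the source of inbound Internet traffic.
BLOCKED_SOURCE_RANGES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",        # "this" network (reserved)
    "10.0.0.0/8",       # RFC 1918 private
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local (unassigned DHCP clients)
    "172.16.0.0/12",    # RFC 1918 private
    "192.168.0.0/16",   # RFC 1918 private
    "224.0.0.0/4",      # multicast
)]

# Constructed, simplified format: "<ts> <ACCEPT|DROP> src=<ip> dst=<ip> proto=<p> dpt=<port>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\S+) dpt=(?P<dpt>\d+)$"
)

def parse_log_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_unroutable_source(ip_str):
    """True if the address lies in a range that cannot be a legitimate Internet source."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in BLOCKED_SOURCE_RANGES)

def triage(lines, baseline_per_window, alarm_factor=5.0):
    """Summarise one window of log lines.

    spoofed     : Counter of unroutable source addresses (spoofing indicator)
    top_sources : routable sources as (ip, count), busiest first, to verify then report
    total       : number of parsed records in the window
    anomaly     : True when total exceeds baseline_per_window * alarm_factor
    """
    spoofed, routable, total = Counter(), Counter(), 0
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:          # unparseable lines are skipped, not counted
            continue
        total += 1
        if is_unroutable_source(rec["src"]):
            spoofed[rec["src"]] += 1
        else:
            routable[rec["src"]] += 1
    return {
        "spoofed": spoofed,
        "top_sources": routable.most_common(),
        "total": total,
        "anomaly": total > baseline_per_window * alarm_factor,
    }

# Constructed sample window standing in for a real firewall log.
SAMPLE_LOG = [
    "2024-03-21T10:00:01Z ACCEPT src=203.0.113.7 dst=198.51.100.10 proto=TCP dpt=443",
    "2024-03-21T10:00:01Z ACCEPT src=203.0.113.7 dst=198.51.100.10 proto=TCP dpt=443",
    "2024-03-21T10:00:01Z ACCEPT src=203.0.113.7 dst=198.51.100.10 proto=TCP dpt=443",
    "2024-03-21T10:00:02Z DROP src=10.1.2.3 dst=198.51.100.10 proto=UDP dpt=53",
    "2024-03-21T10:00:02Z DROP src=192.168.5.5 dst=198.51.100.10 proto=UDP dpt=53",
    "2024-03-21T10:00:02Z ACCEPT src=198.51.100.77 dst=198.51.100.10 proto=TCP dpt=443",
    "2024-03-21T10:00:03Z ACCEPT src=203.0.113.9 dst=198.51.100.10 proto=TCP dpt=80",
    "2024-03-21T10:00:03Z DROP src=127.0.0.1 dst=198.51.100.10 proto=ICMP dpt=0",
    "garbage line that the parser must skip",
]

if __name__ == "__main__":
    # A baseline of 1 record per window (assumed) makes this 8-record sample an anomaly.
    result = triage(SAMPLE_LOG, baseline_per_window=1)
    print("anomaly:", result["anomaly"], "records:", result["total"])
    print("unroutable sources (spoofing indicator):", dict(result["spoofed"]))
    print("top routable sources to verify, then report upstream:", result["top_sources"][:3])
```

In practice the baseline comes from the traffic patterns you validated in advance (the earlier recommendation), and the `top_sources` list is only a starting point: a reflection attack puts legitimate open resolvers at the top of that list, which is exactly why the ownership check precedes any block request.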
As always, using tools such as Infoblox Advanced DNS Protection can stop DDoS attacks in their tracks.
Stopping DNS Targeted DDoS Attacks With Infoblox Advanced DNS Protection
In 2020, as a large share of the workforce transitioned to remote work, there was a significant surge in Distributed Denial-of-Service (DDoS) attacks. The Domain Name System (DNS) is one of the top targeted services for DDoS because it is a critical service that ensures businesses remain accessible online. When an external DNS server experiences an outage, it effectively disconnects your entire network from the Internet. Essential IT applications such as email, websites, VoIP, and Software as a Service (SaaS) are disrupted or rendered inaccessible. Beyond the technical impact, successful DDoS attacks can have severe financial repercussions, costing organizations hundreds of thousands of dollars to perhaps millions in lost revenue each month. The damage to brand and reputation can also represent a substantial liability associated with a successful DDoS attack.
Infoblox Advanced DNS Protection delivers the widest range of protection on the market for guarding your vital DNS services from attack and helping to ensure high availability. It provides centralized visibility on attacks, and details about the attack to ensure a rapid response.
Advanced DNS Protection blocks attacks such as volumetric attacks, NXDOMAIN, exploits and DNS hijacking, while responding only to legitimate queries by using constantly updated threat intelligence, without the need to deploy security patches.
| Attack Name | Type | How it Works |
| --- | --- | --- |
| DNS reflection/DDoS attacks | Volumetric | Using third-party DNS servers (open resolvers) to propagate a DoS or DDoS attack |
| DNS amplification | Volumetric | Using a specially crafted query to create an amplified response to flood the victim with traffic |
| TCP/UDP/ICMP floods | Volumetric | Denial of service on layer 3 by bringing a network or service down by flooding it with large amounts of traffic |
| NXDOMAIN | Volumetric | Flooding the DNS server with requests for non-existent domains, causing cache saturation and slower response time |
| Random sub-domain (slow drip attacks), domain lock-up attacks, phantom domain attacks | Low-volume stealth | Flooding the DNS server with requests for phantom or misbehaving domains that are set up as part of the attack, causing resource exhaustion, cache saturation, outbound query limit exhaustion and degraded performance |
| DNS-based exploits | Exploits | Attacks that exploit vulnerabilities in the DNS software |
| DNS cache poisoning | Exploits | Corruption of the DNS cache data with a rogue address |
| Protocol anomalies | Exploits | Causing the server to crash by sending malformed packets and queries |
| Reconnaissance | Exploits | Attempts by hackers to get information on the network environment before launching a large DDoS or other type of attack |
| DNS hijacking | Exploits | Attacks that override domain registration information to point to a rogue DNS server |
| Data exfiltration (using known tunnels) | Exploits | Attack that tunnels another protocol through DNS port 53 (allowed if the firewall is configured to carry non-DNS traffic) for the purpose of data exfiltration |
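The NXDOMAIN and random sub-domain rows in the table have fingerprints that are visible in ordinary resolver query logs before the server is exhausted: a client whose share of NXDOMAIN answers climbs far above normal, and a parent zone that receives a stream of distinct, random-looking leftmost labels, each queried once so the cache never helps. The script below is an added example of that detection logic; it is not Infoblox or MS-ISAC code. The log format, the sample lines, the thresholds, and the naive two-label notion of a parent zone (it does not consult the public suffix list) are all assumptions made for the illustration.

```python
"""Spotting NXDOMAIN floods and random sub-domain (slow drip) traffic in resolver logs
(added example; constructed log format and thresholds)."""
import math
import re
from collections import Counter, defaultdict

# Constructed, simplified format: "<ts> client=<ip> qname=<name> rcode=<RCODE>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) rcode=(?P<rcode>\w+)$"
)

def parse_query(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def shannon_entropy(label):
    """Bits of entropy per character: random-looking labels score high,
    ordinary hostnames such as www or mail score low."""
    n = len(label)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(label).values())

def parent_zone(qname, levels=2):
    """Last `levels` labels of a name, e.g. 'a.b.example.com.' -> 'example.com'.
    Assumption for this example: no public suffix list handling."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-levels:])

def analyze(lines, nx_ratio=0.5, min_queries=5, min_distinct=5, min_entropy=3.0):
    """Return clients with a suspicious NXDOMAIN share and parent zones that receive
    many distinct, high-entropy leftmost labels (the slow-drip pattern)."""
    per_client = defaultdict(lambda: {"total": 0, "nx": 0})
    zone_labels = defaultdict(set)      # parent zone -> distinct leftmost labels
    zone_entropy = defaultdict(list)    # parent zone -> entropy of each label seen
    for line in lines:
        rec = parse_query(line)
        if rec is None:
            continue
        stats = per_client[rec["client"]]
        stats["total"] += 1
        if rec["rcode"] == "NXDOMAIN":
            stats["nx"] += 1
        labels = rec["qname"].rstrip(".").split(".")
        if len(labels) > 2:   # only names with a sub-domain part matter for slow drip
            zone = parent_zone(rec["qname"])
            zone_labels[zone].add(labels[0])
            zone_entropy[zone].append(shannon_entropy(labels[0]))
    nx_flood_clients = sorted(
        ip for ip, s in per_client.items()
        if s["total"] >= min_queries and s["nx"] / s["total"] >= nx_ratio
    )
    slow_drip_zones = sorted(
        zone for zone, labels in zone_labels.items()
        if len(labels) >= min_distinct
        and sum(zone_entropy[zone]) / len(zone_entropy[zone]) >= min_entropy
    )
    return {"nx_flood_clients": nx_flood_clients, "slow_drip_zones": slow_drip_zones}

# Constructed sample: one client sends random labels under a target zone (all answered
# NXDOMAIN); an ordinary client makes normal lookups with a single typo.
SAMPLE_DNS_LOG = [
    "2024-03-21T10:00:00Z client=203.0.113.50 qname=x7k2q9wpa.victim.example. rcode=NXDOMAIN",
    "2024-03-21T10:00:01Z client=203.0.113.50 qname=b4nz8tq1e.victim.example. rcode=NXDOMAIN",
    "2024-03-21T10:00:02Z client=203.0.113.50 qname=r9gm2yv6s.victim.example. rcode=NXDOMAIN",
    "2024-03-21T10:00:03Z client=203.0.113.50 qname=h5jc3lo0d.victim.example. rcode=NXDOMAIN",
    "2024-03-21T10:00:04Z client=203.0.113.50 qname=w1pk7nu4b.victim.example. rcode=NXDOMAIN",
    "2024-03-21T10:00:05Z client=203.0.113.50 qname=t8zx2qa5m.victim.example. rcode=NXDOMAIN",
    "2024-03-21T10:00:00Z client=198.51.100.20 qname=www.example.com. rcode=NOERROR",
    "2024-03-21T10:00:01Z client=198.51.100.20 qname=mail.example.com. rcode=NOERROR",
    "2024-03-21T10:00:02Z client=198.51.100.20 qname=www.example.com. rcode=NOERROR",
    "2024-03-21T10:00:03Z client=198.51.100.20 qname=wwww.example.com. rcode=NXDOMAIN",
    "2024-03-21T10:00:04Z client=198.51.100.20 qname=www.example.com. rcode=NOERROR",
]

if __name__ == "__main__":
    print(analyze(SAMPLE_DNS_LOG))
```

The ordinary client's single typo keeps its NXDOMAIN share well under the threshold, which is the point of requiring both a minimum query count and a ratio: a flood is a sustained pattern, not one failed lookup. Per-client or per-zone rate limiting is the usual response once a source or zone is confirmed; a product such as Advanced DNS Protection automates this kind of classification and the follow-on response.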
To Learn More About the CISA, FBI, MS-ISAC Guidance on DDoS
https://learn.cisecurity.org/ms-isac-guide-to-ddos-attacks
To Learn More About Infoblox Solutions
To learn more about Infoblox Advanced DNS Protection (ADP):
https://www.infoblox.com/products/advanced-dns-protection/
To learn more about Suspicious Domains and DNS early detection:
https://www.infoblox.com/threat-intel/
To learn more about BloxOne Threat Defense:
https://www.infoblox.com/products/bloxone-threat-defense/
To learn more about Threat Insight:
https://insights.infoblox.com/resources-datasheets/infoblox-datasheet-threat-insight