(APPLICATION BRIEF) The Growing Threat of Application-Layer DDoS Attacks: HOW PEAKFLOW SP AND PEAKFLOW SP TMS CAN STOP THEM


Table of Contents

- Executive Summary (page 2)
- Introduction to Application-Layer DDoS Attacks (page 2)
  - Types of Common Application-Layer DDoS Attacks (page 3)
  - Why Application-Layer DDoS Attacks Are on the Rise (page 4)
  - Business Impact of Application-Layer DDoS Attacks (page 5)
- The Need for Intelligent DDoS Mitigation Systems (IDMS): Why Firewalls and IPS Devices Fall Short (page 6)
- Using Peakflow SP and Peakflow SP TMS to Stop Application-Layer DDoS Attacks (page 7)
  - Introduction to Peakflow SP and TMS (page 7)
  - Peakflow SP TMS Deployment (page 8)
  - Three Real-World Scenarios: How Peakflow SP and TMS Block Common Application-Layer Attacks (page 10)
    - Stopping a DNS Attack (page 10)
    - Stopping an HTTP Attack (page 14)
    - Stopping a VoIP/SIP Attack (page 16)
- Conclusion (page 18)


Executive Summary

Distributed denial of service (DDoS) attacks have been wreaking havoc on Internet-based services for years. During this time, the size and frequency of these attacks have grown dramatically as attackers take advantage of botnets and other high-speed Internet access technologies to overwhelm their victim’s network infrastructure. This trend shows no signs of changing; in fact, it may be getting worse. Recent research from Arbor Networks’ sixth annual Worldwide Infrastructure Security Report [1] has shown that not only are DDoS attacks getting larger and more frequent, but they are also becoming more sophisticated as they pinpoint specific applications with smaller, more targeted and stealthy attacks. This means that organizations with Internet-facing services must now be prepared to protect themselves from two very different types of DDoS attacks: 1) “Volumetric DDoS Attacks” that strive to overwhelm network infrastructure and servers with high-bandwidth-consuming flood attacks; and 2) “Application-Layer DDoS Attacks” that attempt to target specific well-known applications such as Hypertext Transfer Protocol (HTTP), domain name system (DNS) or Voice over Internet Protocol (VoIP).

When Internet-facing services go down due to DDoS attacks, the impact is usually severe and affects the business in multiple ways. These include lost revenue and profit, lower productivity, higher costs due to penalties or breaches of service level agreement (SLA) contracts, and tarnished reputation or brand. Unfortunately, many security organizations are unsuccessfully relying on security products such as firewalls and intrusion protection systems (IPS) to protect themselves from DDoS attacks. However, not only are these security products not providing adequate protection from some DDoS attacks, they are at times the targets of DDoS attacks. The solution? An “Intelligent DDoS Mitigation System” (IDMS). Today’s security operations teams can turn to Arbor Networks’ IDMS—the powerful combination of the Arbor Peakflow® SP solution (“Peakflow SP”) and Arbor Peakflow SP Threat Management System (“Peakflow SP TMS” or “TMS”)—for comprehensive DDoS attack detection, reporting and most importantly, mitigation.

This application brief describes the growing threat of application-layer attacks, the financial impact these attacks are having on organizations and how the Peakflow SP and TMS solution can be used to detect and mitigate some common application-layer DDoS attacks.

Introduction to Application-Layer DDoS Attacks

Over the past few years, the size and frequency of DDoS attacks have grown dramatically as attackers take advantage of botnets and other high-speed Internet access technologies to overwhelm their target’s network infrastructure. In fact, according to Arbor’s sixth annual Worldwide Infrastructure Security Report, DDoS attacks broke the 100 Gbps barrier for the first time in 2010. This represents a 102 percent increase in DDoS attack bandwidth over 2009 (49 Gbps) and a staggering 1,000 percent increase over 2005 (10 Gbps).

To make matters worse, the report also highlights a growing new trend with DDoS attacks. Not only are DDoS attacks getting larger and more frequent, but they are also becoming more sophisticated as they pinpoint specific applications (e.g., DNS, HTTP or VoIP) with smaller, more stealthy attacks.


[Figure: Layer 7 DDoS Attacks. Bar chart of the share of survey respondents (0% to 90%) reporting attacks against each application: HTTP, DNS, SMTP, HTTPS, SIP/VoIP and Other. Caption: Application-layer attacks are on the rise, according to Arbor’s sixth annual Worldwide Infrastructure Security Report.]

[1] www.arbornetworks.com/report


In other words, companies with Internet-facing services must now be prepared to protect themselves from two very different types of DDoS attacks:

- Volumetric DDoS Attacks: These attacks try to overwhelm the network infrastructure (i.e., routers, switches, etc.) with bandwidth-consuming assaults such as Internet Control Message Protocol (ICMP) or User Datagram Protocol (UDP) floods. Alternatively, they can attempt to overwhelm servers, load-balancers and firewalls by using Transmission Control Protocol (TCP) state exhaustion attacks such as TCP SYN floods and idle session attacks.

- Application-Layer DDoS Attacks: These attacks generally consume less bandwidth and are stealthier in nature when compared to volumetric attacks. However, they can have a similar impact to service as they target specific characteristics of well-known applications such as HTTP, DNS, VoIP or Simple Mail Transfer Protocol (SMTP).

Some real-world examples:

- BlackEnergy is a family of Russian malware that specializes in DDoS attacks. It supports both volumetric and application-layer attacks. The tools for creating custom BlackEnergy botnets have become widely distributed and are regularly updated; this kit has been described as providing DDoS “for dummies.” As a result, there has been a proliferation of DDoS attacks originating from various BlackEnergy-based botnets over the last few years.

- A more recent arrival to the DDoS scene is the Chinese malware dubbed YoyoDDoS. Like BlackEnergy, it also supports a variety of volumetric and application-layer attacks. The YoyoDDoS botnets have been quite prolific throughout 2010. Over a 10-week period of time (Q3/2010), Arbor Networks Security and Engineering Research Team (ASERT) detected attacks against over 1,300 unique victim IP addresses, hosted in 17 different countries—all originating from YoyoDDoS botnets.

Types of Common Application-Layer DDoS Attacks

Common application-layer attacks can be subdivided into four categories:

1. Request-Flooding Attacks: These attacks send high rates of legitimate application-layer requests (e.g., HTTP GETs, DNS queries and SIP INVITEs) to a server in an attempt to overwhelm its session resources.

2. Asymmetric Attacks: These send normal rates of “high workload” requests. For example, a single request from a client generates a large amount of work for a Web server. The objective of these attacks is to consume large amounts of server resources such as CPU, memory or disk space in order to severely degrade the service or bring it completely down.

3. Repeated One-Shot Attacks: These send a high workload request across many TCP sessions. This is a stealthier means of executing request-flooding and asymmetric application-layer attacks, but the goal is still the same—to degrade or bring down the service.

4. Application-Exploit Attacks: These deliberately target vulnerabilities in applications—causing a fault in a server’s operating system or applications and allowing the attacker to gain control of the application, system or network. Examples include scripting vulnerabilities, buffer overflows, cookie poisoning, hidden field manipulation, cross-site scripting and Structured Query Language (SQL) injection.


There are many different types of attacks per well-known application family. Some of these attack types are in the table below:

Why Application-Layer DDoS Attacks Are on the Rise

The rise in application-layer DDoS attacks is being spurred by the following trends:

- Bypass One Layer of Security: In most cases, the applications that attackers are trying to exploit or target are well-known and must be “allowed” through perimeter security devices such as firewalls or IPS devices. For example, by default, firewalls allow HTTP or DNS traffic. IPS devices are not much different as they enforce security policy by inspecting packets for signatures of known threats. DDoS attacks take advantage of the fact that firewalls and IPS devices will pass legitimate traffic—thus eliminating one layer of security for the attacker.

- Follow the Money: Attackers see a major opportunity for extortion when applications are supporting high revenue-generating services. For example, an online gaming company is far more likely to pay an attacker to stop a DDoS attack that is costing millions per day in revenue than is an owner of a nonprofit Web site.

- More Bang for the Buck: Some attacks cause significantly more collateral damage than others. For example, a DNS attack that targets a single DNS service provider impacts not only that provider but all of its customers as well.


Table: common attack types by application (Application Type / Attack / Description)

HTTP

- HTTP Malformed Attacks: These attacks send invalid HTTP packets to Web servers in order to consume or obfuscate server resources. The Zafi.B worm is an example of an attack using malformed HTTP GET requests.

- HTTP Request Attacks: These flood Web servers with different types of legitimate HTTP requests (i.e., HTTP GETs, POSTs, etc.) in an attempt to consume server resources.

- HTTP Idle Attacks: An attack that opens HTTP connections but then goes idle without actually sending a complete HTTP request. One particularly insidious variant of this attack is called “slowloris” and involves indefinitely dribbling out a small number of bytes per packet to keep the connection from timing out, but which never manages to complete the request.

DNS

- DNS Query/Answer Malformed Packet, DNS Query-Length Buffer Overflow, DNS Query Buffer Overflow (Unknown Request/Response): These attacks send or receive invalid DNS packets that can cause DNS infrastructure to degrade or fail.

- Man-in-the-Middle, DNS Cache Poisoning Attacks: These attacks attempt to intercept DNS queries and place erroneous information within the DNS infrastructure.

- DNS Amplification Attacks: These are based on the simple premise that a small spoofed DNS request (e.g., 128 bytes) can generate a large DNS response (e.g., 1500 bytes) to an unsuspecting target.

- DNS Dictionary Attacks: This attack consists of generating a massive number of requests to a DNS server in order to extract information that approximates a full zone transfer. Basically, a large dictionary of words is used to exhaustively scan the name space of possible host names in the hopes of hitting most of the DNS records in the victim server.

VoIP

- SIP INVITE Flood Attacks: These attacks overwhelm the Session Initiation Protocol (SIP) registrar by sending bogus SIP INVITEs.

- SIP Call Setup Request Attacks: These send a high rate of SIP call setup requests to a SIP proxy server in an attempt to disable it.

- SIP Malformed Packet Attacks: These send invalid packets to SIP devices in an attempt to disable them.

- Real-Time Transport Protocol (RTP) Flood/Quality of Service (QoS) Attacks: These flood RTP media—used to transport the “voice” portion of a call—onto a network. Their objective is to impact the VoIP network as a whole.

SMTP

- SMTP Error Denial of Service, Mailbox Denial-of-Service Attack (Excessive Email Size), SMTP Mail Flooding: These attacks attempt to overwhelm email servers.

- SMTP Buffer Overflow Attacks: Different SMTP commands can cause the SMTP server to crash or execute arbitrary byte-code that could lead to a system compromise.
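As an added illustration of the HTTP idle attack row above (example code written for this page, not code from the brief or from Arbor), the following simulation shows why a per-packet idle timer never fires against slowloris-style dribbling, and models two server-side mitigations: an absolute deadline for completing the request headers and a per-source cap on incomplete connections. The timeouts, the cap and the sample traffic are constructed assumptions, not recommended settings.

```python
from dataclasses import dataclass

# Constructed policy values (assumptions for the simulation, not recommended settings).
IDLE_TIMEOUT = 30.0          # classic per-packet idle timer: reset by every byte received
HEADER_DEADLINE = 10.0       # absolute time allowed to finish the request headers
MAX_PENDING_PER_SOURCE = 3   # incomplete requests allowed per client address


@dataclass
class Conn:
    src: str
    opened: float      # when the connection was accepted
    last_byte: float   # when the last byte arrived
    buf: bytes = b""

    def complete(self) -> bool:
        # The request headers end at the first blank line.
        return b"\r\n\r\n" in self.buf


class FrontEnd:
    """A toy HTTP front-end that models only connection accounting."""

    def __init__(self, absolute_deadline: bool):
        self.absolute_deadline = absolute_deadline
        self.conns = {}
        self.served, self.rejected, self.reaped = [], [], []

    def pending_for(self, src: str) -> int:
        return sum(1 for c in self.conns.values() if c.src == src)

    def open(self, cid: str, src: str, now: float) -> bool:
        if self.pending_for(src) >= MAX_PENDING_PER_SOURCE:
            self.rejected.append(cid)        # too many incomplete requests from one source
            return False
        self.conns[cid] = Conn(src, now, now)
        return True

    def data(self, cid: str, chunk: bytes, now: float) -> None:
        c = self.conns.get(cid)
        if c is None:
            return
        c.buf += chunk
        c.last_byte = now                    # this reset is what slowloris exploits
        if c.complete():
            self.served.append(cid)
            del self.conns[cid]

    def tick(self, now: float) -> None:
        """Periodic reaper: the idle timer alone is defeated by one byte every few seconds."""
        for cid, c in list(self.conns.items()):
            expired = now - c.last_byte > IDLE_TIMEOUT
            if self.absolute_deadline and now - c.opened > HEADER_DEADLINE:
                expired = True               # age since accept cannot be reset by dribbling
            if expired:
                self.reaped.append(cid)
                del self.conns[cid]


def simulate(absolute_deadline: bool) -> dict:
    """Constructed traffic: one dribbling attacker source and one legitimate client."""
    fe = FrontEnd(absolute_deadline)
    attacker, client = "203.0.113.7", "192.0.2.44"
    for i in range(6):                       # 6 attempts; only 3 get past the per-source cap
        fe.open(f"atk{i}", attacker, 0.0)
    fe.open("legit", client, 0.0)
    fe.data("legit", b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n", 0.2)
    # Every 5 s the attacker sends one more header byte on each open connection:
    # enough to reset an idle timer, never enough to finish the request.
    for t in range(5, 65, 5):
        for cid in list(fe.conns):
            fe.data(cid, b"X", float(t))
        fe.tick(float(t))
    return {"served": len(fe.served), "rejected": len(fe.rejected),
            "reaped": len(fe.reaped), "still_open": len(fe.conns)}


if __name__ == "__main__":
    print("idle timer only:     ", simulate(absolute_deadline=False))
    print("with header deadline:", simulate(absolute_deadline=True))
```

The per-source cap alone is defeated by a botnet that spreads its connections across many addresses, which is why the absolute header deadline is the check that actually clears the dribbled connections in the simulation.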


Business Impact of Application-Layer DDoS Attacks

When Internet-facing services are compromised due to DDoS attacks, the impact can be severe and have significant business consequences. The exact cost of downtime depends on the organization’s reliance on its online services. When determining the cost of downtime, organizations must take into consideration at least the following:

- Loss of Revenue and Profit: This is arguably the largest cost and easiest-to-calculate measure of downtime. Its impact depends on the nature of the business. For example, if an online retailer that makes 40 percent of its revenue and 100 percent of its profit in the last two weeks of the year suffers an outage two days before Christmas, the financial impact can be devastating.

- Lower Productivity: When online services go down, the productivity of employees and/or businesses that utilize or rely on these services can be drastically reduced. One can see how costs can quickly add up when using a simple calculation such as: Cost of lost productivity = Number of employees using the application x Average hourly salary x Hours of downtime.

- Penalties: Some organizations may face financial penalties if they fail to meet certain availability requirements. For example, a company that provides a service that is part of a complex supply chain could face stiff penalties for any delays that it causes. Or a financial organization that is bound to a contractual obligation that requires transactions to be executed within a certain time frame could face industry or even regulatory penalties—easily costing hundreds of thousands of dollars.

- Tarnished Reputation or Brand: News travels fast in today’s age of information—especially when it comes to news regarding service outages or security breaches. This negative media coverage could have a major impact on an organization’s reputation or brand. If customers lack confidence in a business’ ability to protect their confidential data or maintain the availability of its services, they will surely seek alternatives—obviously costing the company an enormous amount of lost revenue and profit.

The bottom line: Organizations are beginning to realize that the power to rapidly stop application-layer DDoS attacks that target Internet-facing services is imperative for business continuity and success.

Unfortunately, many security operations teams rely on traditional security products such as firewalls and IPS devices for protection. But as this application brief details (in the following sections), these products are inadequate when it comes to DDoS attack protection. In fact, they could make matters worse. Fortunately, there are dedicated Intelligent DDoS Mitigation Systems (IDMS) such as the combination of Arbor’s Peakflow SP and Peakflow SP TMS that can protect businesses from both large-scale volumetric DDoS attacks and smaller, more pinpointed application-layer attacks. This document focuses specifically on the application-layer attack mitigation capabilities of the Peakflow SP and TMS solution.


[Figure: An attacker’s botnet sends attack traffic, mixed with good traffic, across the Internet into a data center (firewall/IPS, then load balancer); the diagram marks an impact at each device along the path and the target services as the point of extortion ($). Caption: Application-layer attacks provide attackers good potential for extortion and high impact.]


The Need for Intelligent DDoS Mitigation Systems (IDMS): Why Firewalls and IPS Devices Fall Short

There is no doubt that firewalls and IPS devices play a significant role in network and data-center security, but they have not been designed to stop DDoS attacks. In fact, firewalls and IPS devices are vulnerable to some specific types of DDoS attacks and have been the actual targets in some cases. And because of the in-line deployment model used by firewall and IPS products, when they do fail, the impact to the services they are trying to protect is severe. This section briefly describes why firewalls and IPS devices cannot be used to mitigate DDoS attacks successfully. For a more thorough explanation, please refer to the Arbor Networks white paper entitled The Growing Need for Intelligent DDoS Mitigation Systems (IDMS): Why Existing Security Devices Fail to Meet the Need [2].

Firewalls are policy-enforcement points deployed at the network or data-center perimeter. Their role is to establish and enforce the rules that govern what traffic is allowed in and out of a network as defined by ports, protocols and destinations. Unfortunately, most firewalls “allow” the exact protocols (e.g., HTTP) that attackers use for application-layer DDoS attacks—thus allowing the attacker to easily bypass what is in many cases the first and only line of defense for an organization.

In order for stateful firewalls to work, they must maintain TCP state information for every connection flowing through them. Tracking state is one of the key workloads for any firewall, especially in busy data-center or Internet-facing environments. Add the fact that firewalls are in-line devices, and they have the potential to be single points of failure on the network. Attackers know this and routinely target firewalls with TCP state exhaustion attacks that degrade performance and ultimately deny access to the services these firewalls are meant to protect. With this type of DDoS attack, operators must implement DDoS protection upstream of the firewall (e.g., in the ISP’s network or “cloud” before traffic reaches the network/data-center-edge firewall), since once the attack traffic reaches the firewall it is too late.

IPS devices are also not designed or positioned to protect against DDoS attacks. Most are designed to inspect packets and remove “known” network-borne viruses and other malware through signature matching. But unfortunately, DDoS attack traffic will not normally match a signature-based threat. And like firewalls, IPS devices are also deployed in-line and suffer from the same state exhaustion problems, which make them another potential single point of failure at the network or service-access edge.

Some firewall and IPS products offer DDoS detection using techniques such as statistical anomaly detection or malformed protocol detection. However, since firewalls and IPS devices conduct their detection on a per-session basis, they have a very myopic view of network traffic as they try to determine if a session is allowed. The very nature of a “distributed” denial of service (DoS) attack means that the attack traffic comes from different sources or network segments. To successfully detect and stop a DDoS attack like this, a security solution must be able to consider the traffic on multiple sessions, links and routers across a network so that attack traffic can be mitigated as close to the sources as possible. This is especially important for large “volumetric” attacks to prevent link saturation within the network.

Firewalls and IPS products cannot protect organizations from all DDoS attacks. The industry best practice of “layered defense” should be applied to deal with DDoS attacks. In addition to traditional security products such as firewall, IPS and anti-virus devices, security organizations should also use an intelligent DDoS mitigation system (IDMS) that will detect and stop both volumetric and application-layer DDoS attacks. The table “Key Features of an Intelligent DDoS Mitigation System (IDMS)” below describes the key features that an IDMS solution should have to succeed.


[2] www.arbornetworks.com/en/white-papers.html


The fully integrated combination of Peakflow SP and Peakflow SP TMS is an Intelligent DDoS Mitigation System (IDMS) that provides comprehensive DDoS attack detection, “surgical” mitigation (meaning only the attack traffic is removed) and reporting. The following section provides a brief introduction to the Peakflow SP and TMS solution, together with examples of how it can be used to stop some common application-layer attacks.

Using Peakflow SP and Peakflow SP TMS to Stop Application-Layer DDoS Attacks

This section provides a brief introduction to Arbor’s IDMS solution—the combination of Peakflow SP and Peakflow SP TMS—and highlights three examples of how the products can detect and surgically mitigate some well-known application-layer attacks.

Introduction to Peakflow SP and TMS

The Arbor Peakflow SP solution is a network-wide infrastructure security and traffic monitoring platform. By leveraging IP flow data (i.e., NetFlow, sFlow, etc.) and information from deep packet inspection (DPI), Peakflow SP provides pervasive and cost-effective network and application-layer visibility. As Peakflow SP gathers this information, it learns normal traffic and routing behavior across hundreds of routers and thousands of interfaces, and correlates the traffic patterns with the topology data to build logical data models. Armed with this information, Peakflow SP notifies network operations staff of significant changes to the network (a.k.a. network anomalies)—regardless of whether they are due to misconfiguration, equipment failure or a DDoS attack.

In the case of DDoS attacks, Peakflow SP can detect many kinds of threats, such as bandwidth-consuming attacks (e.g., ICMP/UDP floods), connection-layer exhaustion attacks (e.g., TCP SYN floods) or attacks that target specific applications, such as HTTP, VoIP or DNS. In fact, since a majority of the world’s Internet service providers use Peakflow SP, many consider it to be the de facto standard for carrier-grade DDoS attack detection and surgical mitigation.

Key Features of an Intelligent DDoS Mitigation System (IDMS)

- Non-Stateful: The IDMS solution must be “stateless.” In other words, it must not track state for all connections. As with firewalls and IPS devices, a “stateful” device is vulnerable to DDoS and will only add to the problem.

- In-Line and Out-of-Band Deployment Options: The solution must support both in-line and out-of-band deployment options for scalability and availability purposes. In fact, the out-of-band deployment option eliminates a potential point of failure during attack and is a key difference between IDMS and firewalls/IPS devices.

- Ability to Detect and Stop “Distributed” DoS Attacks: The distributed nature of DDoS attacks requires a distributed detection method. Firewalls and IPS devices leveraging single segment-based detection will either miss some smaller DDoS attacks or be unable to cope with large attacks.

- Multiple Attack Counter-Measures: The IDMS must have the ability to detect attacks using multiple techniques. These include statistical anomaly detection; detection of protocol violations or malformed packets; customizable thresholds or ability to detect security policy violations; and signatures of known or emerging threats that are based upon network behavioral patterns, not binary patterns in packets.

- Scalable DDoS Detection and Mitigation: The solution must have the ability to easily scale mitigation from low-end attacks (e.g., deployed in the data center for 1 Gbps application-layer attacks) to high-end attacks (e.g., deployed in the ISP network for large 40 Gbps network-layer attacks).

- Industry Track Record and Expertise: The attack vectors used within DDoS attacks are constantly evolving, with the countermeasures needed to deal with attacks requiring regular update. An IDMS solution should be proven and backed by a company that is a known industry expert in Internet-based DDoS threats.


In order for application-layer attack detection and surgical mitigation to occur, the Peakflow SP solution relies on the capabilities of one of its most vital components—the Peakflow SP Threat Management System (TMS). Peakflow SP TMS is a robust application-intelligent system for multi-service converged networks that speeds remediation by coupling high-level threat identification with packet-level analysis. In addition, Peakflow SP TMS provides visibility into critical applications running on the network (i.e., VoIP/SIP, DNS, HTTP, P2P, etc.) and can monitor key application performance metrics (e.g., packet loss, delay and jitter).

Peakflow SP TMS comes in a variety of models, each designed with different performance and deployment scenarios in mind. The chart below summarizes these different capabilities.

Peakflow SP TMS Deployment

The following two pages outline how the Peakflow SP TMS appliance can be deployed in two modes:

1. Diversion/reinjection; and

2. In-line.


[Figure: Peakflow SP TMS deployment. Chart of performance (Gbps, 0 to 40) against deployment size, from small provider / dedicated customer / small POPs up to large provider / regional scrubbing center / large POPs. Models shown:

- 1200: 1.5 Gbps, 1U, 4 x 1 GigE ports
- 2500: 2.5 Gbps, 2U, 6 x 1 GigE ports, NEBS certified
- 3050: 5 Gbps (software upgrade to 10 Gbps), 3U, 2 x 10 GigE ports + 10 x 1 GigE ports
- 3100: 10 Gbps, 3U, 2 x 10 GigE ports
- 3110: 10 Gbps, 3U, 2 x 10 GigE ports + 10 x 1 GigE ports
- 4000: 6U, 8 x 10 GigE ports; 1 x APM (10 Gbps), 2 x APM (20 Gbps), 3 x APM (30 Gbps) or 4 x APM (40 Gbps)]


Diversion/Reinjection Deployment

In diversion/reinjection mode, TMS is deployed within the network and is not in-line of normal traffic flow. When a mitigation is initiated, a Border Gateway Protocol (BGP) route is announced, which must be preferred by the network, so that traffic matching the route is diverted through the TMS appliance. TMS then removes the attack traffic, and good traffic is re-injected back into the normal network path for delivery to the customer/service.

The diversion/reinjection mode is a key differentiator from firewalls and IPS devices as it provides the following benefits:

- Since the solution is not in-line, it avoids the potential for being a single point of failure in the network during a DDoS attack.

- In most cases, return path traffic is of higher volume. Since Peakflow SP TMS can ignore this traffic, the overall scalability of the solution can be increased.

- Initial deployment of the solution is greatly simplified since services do not need to be interrupted.

In-Line Deployment

Peakflow SP TMS can also be deployed in-line for application-layer attack mitigation. In this deployment scenario (see diagram, page 10), the TMS appliance is always in-line of traffic, not just when mitigation needs to occur. TMS has several fault-tolerance and high-performance features designed to minimize latency and maintain the flow of network traffic. The in-line deployment method offers multiple benefits [3]:

- This is a much easier deployment for smaller data centers that may not have the network environment or expertise to accommodate the diversion/re-injection configuration.

- This method allows mitigation to be closer to the attack target. Sometimes during pinpointed application-layer attacks, having the ability to quickly enable, disable and tweak attack countermeasures as close to the attack target as possible is the ideal way to stop an attack.

- When a customer requests a dedicated DDoS attack protection service, in-line deployment may be more suitable and cost-effective.


[Figure: Peakflow SP TMS diversion/reinjection deployment. Traffic from ISP 1, ISP 2 ... ISP n enters the local ISP, where the IDMS sits off-path in a scrubbing center; diverted traffic is cleaned there and reinjected toward the data center (firewall/IPS) and the target applications and services.]

[3] www.arbornetworks.com/en/peakflow-sp.html


Three Real-World Scenarios: How Peakflow SP and TMS Block Common Application-Layer Attacks

As stated earlier, application-layer DDoS attacks are on the rise due to several factors. To stop application-layer DDoS attacks, Peakflow SP TMS utilizes what is known as “attack countermeasures.” Peakflow SP TMS has a number of attack countermeasures that can be used in any number of combinations to mitigate multi-vector attacks. The following sections describe how Peakflow SP and Peakflow SP TMS can be used to stop DNS, HTTP and SIP attacks.

Stopping a DNS Attack

DNS infrastructure is a favorite target for attackers since it has many vulnerabilities and the impact of a successful attack can be large. As noted previously, DNS amplification, DNS dictionary and DNS cache poisoning attacks are some examples of well-known DNS attack types. This section provides examples of how Peakflow SP and TMS can be used to stop an application-layer attack against DNS infrastructure.


[Figure: Typical DNS network environment. A DNS client, a DNS resolver, an authoritative name server (auth-ns for example.com, foo.com and bar.com) and the web server www.example.com at 192.168.0.1. The exchange shown: (1) client to resolver: query www.example.com?; (2) resolver to auth-ns: query www.example.com?; (3) auth-ns to resolver: answer www.example.com A 192.168.0.1; (4) resolver to client: answer www.example.com A 192.168.0.1; (5) client connects to www.example.com.]

[Figure: Peakflow SP TMS in-line deployment. Traffic from ISP 1, ISP 2 ... ISP n passes through the local ISP into the data center, where the IDMS sits in-line ahead of the firewall/IPS, the load balancer and the target applications and services.]


Let’s assume that an attacker is using a botnet to attack the DNS resolver using multiple attack vectors. The network operations center (NOC) or security operations center (SOC) is starting to get calls from customers unable to reach certain network destinations.

One potential starting point for the security operations person investigating the outage is the alert displayed in the Peakflow SP console, which provides a single user interface for all attack detection, mitigation and reporting functionality.


Figure: Botnet attacking DNS resolver. Botnet attack traffic and legitimate DNS client traffic both arrive at the DNS resolver, which forwards queries to the DNS authoritative name server.

Figure: Peakflow SP DoS alerts screen.


From the alert screen, the user would configure a mitigation that starts diverting all traffic destined for the attacked resolver through the Peakflow SP TMS appliance.

After some investigation using Peakflow SP as well as other tools, the security operations person confirms that this is a multi-vector DNS attack. Using the real-time mitigation dashboard of Peakflow SP (page 13), the user can enable, configure and see the effect of multiple Peakflow SP DNS attack countermeasures.

Figure: Traffic diversion through Peakflow SP TMS for a DNS attack. Botnet and DNS client traffic toward the DNS resolver is diverted through Peakflow SP TMS before it reaches the resolver and the DNS authoritative name server.

Figure: Using a Peakflow SP TMS appliance for mitigation.


For example, the screen above shows that the following DNS attack countermeasures are in use to stop this multifaceted DNS attack:

- Black/White List: This is a simple countermeasure that uses a list of IP addresses, IP address blocks and ports to determine what traffic will be blocked or allowed to pass.

- DNS Authentication: This countermeasure stops spoofed-source DNS attacks generated by unsophisticated attack tools. DNS authentication verifies that queries sent to a DNS server, whether resolver or authoritative, are in fact coming from a valid host, i.e., that the source address is not spoofed.

- DNS Rate Limiting: This countermeasure protects against attacks from hosts whose source addresses are genuine (e.g., bots that pass the DNS authentication countermeasure). Peakflow SP TMS drops queries from offending hosts that send DNS queries faster than the configured limit. One can also download the list of blocked hosts for further investigation.

- DNS Malformed: This countermeasure looks for and drops malformed or illegal DNS packets, typically produced by crude attack-generation tools.

From this point, the user can monitor the attack and make real-time modifications to the countermeasures as needed. Once the attack stops, the mitigation can then be disabled to allow network traffic to return to its normal path.

Figure: Real-time mitigation dashboard showing results of DNS attack countermeasures.
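To make the Black/White List and DNS Malformed countermeasures concrete, the following Python is an added example written for this brief; it is not Peakflow code and does not reproduce how TMS implements these checks. It parses raw DNS/UDP payloads against the DNS header and question-section rules (QR bit, opcode, section counts, label lengths, compression pointers, class) and consults a source-address list first. The whitelist and blacklist prefixes, the source addresses and the packets themselves are constructed for the example.

```python
"""Added example (not Peakflow code): Black/White List and DNS Malformed checks
applied to raw DNS/UDP payloads. Lists, addresses and packets are constructed."""
import ipaddress
import struct

# Assumed policy: the operator's own resolvers are always allowed, one known bot /24 is dropped.
WHITELIST = [ipaddress.ip_network("192.168.10.0/24")]
BLACKLIST = [ipaddress.ip_network("203.0.113.0/24")]


def list_verdict(src):
    """Black/White List: whitelist wins, then blacklist, else undecided (None)."""
    ip = ipaddress.ip_address(src)
    if any(ip in net for net in WHITELIST):
        return "allow:whitelist"
    if any(ip in net for net in BLACKLIST):
        return "drop:blacklist"
    return None


def parse_qname(buf, off):
    """Decode the question name; raise ValueError on anything off-spec."""
    labels, total = [], 0
    while True:
        if off >= len(buf):
            raise ValueError("name runs past end of packet")
        n = buf[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        if n & 0xC0:  # 0xC0 = pointer, 0x40/0x80 = reserved label types: neither belongs in a query name
            raise ValueError("compression pointer or reserved label type in question")
        if off + n > len(buf):
            raise ValueError("label runs past end of packet")
        total += n + 1
        if total > 255:
            raise ValueError("name longer than 255 octets")
        labels.append(buf[off:off + n].decode("ascii"))  # UnicodeDecodeError is a ValueError
        off += n


def check_dns_query(buf):
    """DNS Malformed: (True, qname) for a well-formed query, else (False, reason)."""
    if len(buf) < 12:
        return False, "short header"
    _txid, flags, qd, an, ns, _ar = struct.unpack("!6H", buf[:12])
    if flags & 0x8000:
        return False, "QR bit set (response sent as a query)"
    if ((flags >> 11) & 0xF) != 0:
        return False, "non-QUERY opcode"
    if qd != 1 or an or ns:  # one question, no answers/authority; an OPT record in AR is allowed
        return False, f"bad section counts qd={qd} an={an} ns={ns}"
    try:
        qname, off = parse_qname(buf, 12)
    except ValueError as exc:
        return False, f"bad qname: {exc}"
    if off + 4 > len(buf):
        return False, "truncated question"
    _qtype, qclass = struct.unpack("!HH", buf[off:off + 4])
    if qclass not in (1, 3, 255):  # IN, CH (version.bind), ANY
        return False, f"unexpected qclass {qclass}"
    return True, qname


def filter_packets(packets):
    """packets: (src, payload) tuples. Lists are consulted first, then the malformed check,
    so a whitelisted host is never dropped by the parser (an operator decision)."""
    verdicts = []
    for src, payload in packets:
        verdict = list_verdict(src)
        if verdict is None:
            ok, info = check_dns_query(payload)
            verdict = f"pass:{info}" if ok else f"drop:malformed:{info}"
        verdicts.append(verdict)
    return verdicts


def build_query(name, txid=0x1234, qtype=1):
    """Constructed well-formed recursive query (RD=1, class IN) for testing."""
    out = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00" + struct.pack("!HH", qtype, 1)
```

Run it over a mix of `build_query("www.example.com")` and deliberately damaged copies (QR bit set, QDCOUNT of 2, a truncated question, a compression pointer where a label should be) to see which reasons fire; a real deployment would feed the drop reasons into the mitigation dashboard rather than a list.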


Stopping an HTTP Attack

HTTP is arguably the most utilized protocol on the Internet. As a result, perimeter-based security products such as firewalls and IPS devices tend to "allow" this traffic to flow, which makes them ineffective at stopping many HTTP-based attacks. Attackers know this and commonly try to exploit the HTTP protocol to wreak havoc on Web-based services. As noted previously, there are many HTTP attack vectors. Some of the most popular involve sending malformed HTTP requests or flooding a Web server or specific URL with a high rate of HTTP requests. In both cases, the objective is to overwhelm the Web server and ultimately bring down the service. The following is an example of how Peakflow SP and TMS can be used to mitigate such HTTP attacks.

After the security operations person is alerted to the HTTP attack via the Peakflow SP console or some other means, he or she configures and starts a mitigation using a TMS appliance. Inbound traffic for the Web server under attack is then diverted through the TMS appliance.

After some investigation, the operator determines that the attacker is targeting a specific URL (e.g., www.target_site.com) with a high rate of requests. As in a real-world scenario, the attack traffic is intermixed with legitimate HTTP traffic for other sites hosted on the same server (e.g., www.goodsite.com). By utilizing the "packet capture and decode" feature of the TMS appliance, the operator can easily see the packet contents, including the requested URL that distinguishes the two.

Figure: Traffic diversion through TMS for an HTTP attack. Botnet and HTTP client traffic toward a Web server hosting multiple URLs (www.goodsite.com, www.bad_site.com) is diverted through Peakflow SP TMS.


A unique feature of the decode display of Peakflow SP TMS (visible in the screen shot above) is the ability to see the source and destination country of each packet. This is useful information for attack mitigation. In fact, "GeoIP attack countermeasures" can be used to block or rate-limit traffic coming from specific countries. Because a country-level block also drops every legitimate user in that country, rate-limiting by GeoIP is usually preferable to an outright block unless the service has no users there.

From the decode display, the operator can clearly see the packet contents and use the "HTTP regular expression (REGExp) countermeasure" to simply configure Peakflow SP TMS to block any packets destined for the target URL (e.g., www.target_site.com).

Figure: Packet capture and decode capabilities of Peakflow SP TMS.

Figure: HTTP/URL regular expression countermeasure.


Let's say the attack is not directed towards a specific URL. Instead, the attacker is trying to overwhelm the Web server by using the botnet to send an excessive number of HTTP requests to it. This is a common type of HTTP DDoS attack that can be detected and stopped using the "HTTP rate-limiting countermeasure" of Peakflow SP TMS, as shown in the HTTP rate-limiting screen shot below.

Stopping a VoIP/SIP Attack

VoIP is a popular Internet-based phone service utilized by millions of people today. When VoIP services are down, the impact ranges from annoying to potentially life-threatening. It is imperative that VoIP service providers have a means to protect their services from attackers who are known to exploit weaknesses in the various protocols used for VoIP, for example the Session Initiation Protocol (SIP). One well-known attack sends a high rate of SIP messages (e.g., INVITE and REGISTER requests) to a SIP proxy server, eventually overwhelming it and disabling VoIP services. The diagram on the following page depicts an example of how Peakflow SP and TMS can be used to stop such a SIP attack.

After being alerted to the attack via the Peakflow SP console or some other means, the security operations person configures and starts a mitigation using a TMS appliance, at which time all inbound traffic toward the SIP proxy server is diverted through the TMS appliance.


Figure: HTTP rate-limiting countermeasure (screen shot for the HTTP scenario above).


In this case, the operator can use the "SIP request-limiting countermeasure" to limit the number of SIP request messages per second that any one source may send to the SIP proxy server. Once the operator enables this countermeasure, packets from IP addresses (called hosts) exceeding this rate are dropped and the hosts are blacklisted. Because several legitimate users can share one source address (for example behind a carrier-grade NAT or an upstream SIP proxy), the limit should be derived from the observed per-host baseline, with such hosts whitelisted where necessary, so that the blacklist does not take down legitimate subscribers along with the bots.

Figure: Traffic diversion through TMS for a SIP attack. Botnet and SIP client (user agent) traffic toward the SIP proxy server is diverted through Peakflow SP TMS.

Figure: SIP Request Limiting countermeasure.
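The DNS rate limiting, HTTP rate-limiting and SIP request-limiting countermeasures described above share one idea: count requests per source over a sliding window, drop the excess and blacklist the host. The Python below is an added example written for this brief, not Peakflow code, that implements that idea once and applies it to constructed HTTP and SIP traffic, together with a Host/URL regular-expression filter for the "target URL" scenario in the HTTP section. The limits, the 60-second ban, the blocked URL pattern and all addresses and messages are assumptions made for the example; Peakflow's actual thresholds and matching semantics are not described on this page.

```python
"""Added example (not Peakflow code): per-source request-rate limiting with host
blacklisting (the idea behind DNS rate limiting, HTTP rate-limiting and SIP request
limiting) plus an HTTP URL regex filter. Traffic, limits and patterns are constructed."""
import re
from collections import defaultdict, deque


class RateLimiter:
    """Sliding-window limiter: a source sending more than `limit` requests in any
    `window` seconds is dropped and blacklisted for `ban` seconds."""

    def __init__(self, limit, window, ban):
        self.limit, self.window, self.ban = limit, window, ban
        self.hist = defaultdict(deque)   # src -> request timestamps inside the window
        self.banned = {}                 # src -> time at which the ban expires

    def allow(self, src, t):
        expires = self.banned.get(src)
        if expires is not None:
            if t < expires:
                return False
            del self.banned[src]         # ban over: the host starts with a clean window
            self.hist[src].clear()
        q = self.hist[src]
        q.append(t)
        while q and q[0] <= t - self.window:
            q.popleft()
        if len(q) > self.limit:
            self.banned[src] = t + self.ban
            return False
        return True

    def blocked_hosts(self):
        """The exportable blacklist ("download a list of blocked hosts")."""
        return sorted(self.banned)


# Assumed target from the HTTP scenario; anchored so www.target_site.com.evil.example is not hit.
BLOCK_URL = re.compile(r"^www\.target_site\.com(:\d+)?/")


def http_target(raw):
    """Return 'host/path' for a raw HTTP/1.x request, or None if the request line is malformed."""
    lines = raw.partition(b"\r\n\r\n")[0].decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[1].startswith("/") or not parts[2].startswith("HTTP/"):
        return None
    host = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip().lower()
    return host + parts[1]


def filter_http(requests, pattern, limiter):
    """requests: (src, t, raw) tuples. The regex runs before the limiter so that
    blocked attack requests never count against a host's rate budget."""
    out = []
    for src, t, raw in requests:
        target = http_target(raw)
        if target is None:
            out.append("drop:malformed")
        elif pattern.search(target):
            out.append("drop:regex")
        elif limiter.allow(src, t):
            out.append("pass")
        else:
            out.append("drop:rate")
    return out


SIP_REQUEST = re.compile(r"^(INVITE|REGISTER|OPTIONS|ACK|BYE|CANCEL) sip:\S+ SIP/2\.0$")


def filter_sip(messages, limiter):
    """Only SIP requests count toward the limit; responses ("SIP/2.0 100 Trying") pass."""
    out = []
    for src, t, raw in messages:
        first_line = raw.decode("latin-1").split("\r\n", 1)[0]
        if not SIP_REQUEST.match(first_line):
            out.append("pass:response")
        elif limiter.allow(src, t):
            out.append("pass")
        else:
            out.append("drop:rate")
    return out


def demo():
    """Constructed traffic: one bot floods, one legitimate user browses and calls."""
    bot, user = "203.0.113.9", "198.51.100.7"
    attack = b"GET /index.html HTTP/1.1\r\nHost: www.target_site.com\r\n\r\n"
    good = b"GET /index.html HTTP/1.1\r\nHost: www.goodsite.com\r\n\r\n"
    http = ([(bot, 0.0, attack), (user, 0.1, good)]
            + [(bot, 0.2 + 0.01 * i, good) for i in range(12)]   # 12 requests in 0.11 s
            + [(user, 0.9, good)])
    http_verdicts = filter_http(http, BLOCK_URL, RateLimiter(limit=10, window=1.0, ban=60.0))

    invite = b"INVITE sip:alice@example.com SIP/2.0\r\nVia: SIP/2.0/UDP 203.0.113.9\r\n\r\n"
    trying = b"SIP/2.0 100 Trying\r\nVia: SIP/2.0/UDP 198.51.100.7\r\n\r\n"
    sip_limiter = RateLimiter(limit=5, window=1.0, ban=60.0)
    sip = [(bot, 0.01 * i, invite) for i in range(8)] + [(user, 0.5, trying)]
    sip_verdicts = filter_sip(sip, sip_limiter)
    return http_verdicts, sip_verdicts, sip_limiter.blocked_hosts()
```

In `demo()` the bot's first request is dropped by the regex without touching its rate budget, its next ten requests for the legitimate site pass, the eleventh trips the limit and blacklists the host, and the legitimate user is never affected; the same `RateLimiter` would serve DNS queries keyed on source address. The ordering of regex before rate limit, and the clean window after a ban expires, are design choices worth making explicit when configuring the real countermeasures.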


Conclusion

As DDoS attacks increase in frequency, size and complexity, they will continue to pose a serious threat to any organization that relies on Internet-based services. Protecting these services from DDoS attacks is imperative since the impact on revenue, profit and reputation can be devastating.

Relying upon traditional security products such as firewalls or IPS devices is not enough to stop all DDoS attacks. For comprehensive DDoS detection, mitigation and reporting, organizations should deploy an Intelligent DDoS Mitigation System (IDMS) such as the Arbor Peakflow SP and Peakflow SP TMS solution.

For more information regarding Arbor's DDoS protection products and services, please visit the Arbor Web site at www.arbornetworks.com.


Copyright ©1999-2011 Arbor Networks, Inc. All rights reserved. Arbor Networks, the Arbor Networks logo, Peakflow and ATLAS are all trademarks of Arbor Networks, Inc. All other brands may be the trademarks of their respective owners.

AB/ALDDoS/0211

Corporate Headquarters

6 Omni Way, Chelmsford, Massachusetts 01824

Toll Free USA +1 866 212 7267
T +1 978 703 6600
F +1 978 250 1905

Europe

T +44 208 622 3108

Asia Pacific

T +65 6299 0695

www.arbornetworks.com

About Arbor Networks

Arbor Networks, Inc. is a leading provider of network security and management solutions for converged carrier networks and next-generation data centers, including more than 70 percent of the world's Internet service providers and many of the largest enterprise networks in use today. Arbor's proven network security and management solutions help grow and protect customer networks, businesses and brands. Through its unparalleled, privileged relationships with worldwide service providers and global network operators, Arbor provides unequalled insight into and perspective on Internet security and traffic trends via the Active Threat Level Analysis System (ATLAS®). Representing a unique collaborative effort with 100+ network operators across the globe, ATLAS enables the sharing of real-time security, traffic and routing information that informs numerous business decisions.