Evolution of DDoS in the last decade
1.1 DDoS Size Expansion
IP data source: The Zettabyte Era: Trends and Analysis
The past decade has witnessed a steady growth in the peak size of DDoS attacks, especially in 2013 when the reflection method was used by attackers on a large scale and the DDoS attack size expanded at an exponential rate. Meanwhile, the compound annual growth rate (CAGR) of global IP traffic stands at over 20%. The size of DDoS attacks virtually coincides with that of global network traffic. In nature, network attack and defense capabilities have iterated with the evolution of the Internet architecture, technologies, and infrastructure, and constant inputs. Naturally, with such evolution of resources and technologies as well as the growing scale and value of potential targets, cyber criminals are capable of and interested in launching increasingly massive attacks to garner more profits. As one of the biggest threats in the cybersecurity domain, DDoS followed a trend of explosive growth, which is an inevitable byproduct of Internet development.
The profit-seeking nature of the black industry chain of DDoS has a direct bearing on the size of DDoS attacks, as seen in DDoS attacks for cryptomining that are rampant when cryptocurrency prices soar.
Predictably, it is an irreversible trend that DDoS, as a regular weapon useful for hacking groups, will continue to rapidly grow in the size. Money-driven DDoS attackers, whose activities are affected by governance policies, will see more clearly who and how to attack. In other words, they will employ more effective methods to accurately hit targets and will have more options of evasion to maximize their illegal gains.
1.2 Evolution of DDoS Attack Techniques
1.2.1 Internet Technologies
DDoS attack techniques keep evolving because of the emergence and maturity of critical Internet technologies. These critical technologies give rise to a connected world in which people can communicate with one another conveniently and at the same time are relying more and more on the Internet. On the one hand, such a reliance makes networks, services, and hosts ideal targets for hacking groups, which can garner handsome profits once taking down these facilities. On the other hand, the technological development provides continuous technical input to the black industry chain, leading to fast iteration of attack techniques. Then, when the infrastructure of the Internet, which has grown at an unexpectedly fast pace, was first designed, security was not a much considered issue, inviting many security hazards. With the booming of the Internet, these security hazards have rapidly turned into vulnerabilities that are gradually exploited by money-driven hacking groups.
The preceding figure is a timeline showing when various technologies emerged and the development trend of the Internet that is represented by much talked-about techniques and terms. These keywords, to a great extent, present a big picture of the technical environment and industrial environment of cyberattacks and defenses. For the connections between the development of DDoS attack techniques and these keywords, please go on reading the following sections.
1.2.2 DDoS Attack Techniques
A. DDoS Attack Methods
According to a rough estimate, there are nearly 40 DDoS attack methods, indicating that underground cyber attackers have tried every means to exploit vulnerabilities in the network architecture, network protocols, and service facilities. From the perspective of the Open Systems Interconnection (OSI) model, DDoS attacks are divided into application-layer attacks, transport-layer attacks, and network-layer attacks. Application-layer attacks are mainly for the purpose of exhausting service resources. HTTP floods are a typical example of such attacks. Transport-layer attacks include SYN flood, ACK flood, and UDP flood attacks. Network-layer attacks are mainly ICMP floods. From the perspective of attack vectors, DDoS attacks are divided into direct attacks (various flood attacks such as SYN flood mentioned above) and reflection attacks. In a reflection attack, the perpetrator starts with requests that use the spoofed IP address of the intended victim as the source IP address, thus diverting response packets of the request services to the victim. The number of response packets is generally multiple times that of request packets. Therefore, this type of attack is also known as reflective amplification attack. Examples of reflection attacks are DNS reflection and SSDP reflection attacks.
Since its emergence, the TCP/IP protocol family has contributed a lot to the availability and robustness of networks for communication and directly accelerated the adoption of the Internet. However, at the time of protocol and architecture design, no effective governance and authentication mechanisms were deployed, thus exposing their vulnerabilities to attackers. Such activities and characteristics as TCP three-way handshake and connectionless UDP communication are vulnerable to various resource exhaustion attacks, including SYN floods, ACK floods, UDP floods, and ICMP floods, which always top the list of weapons used by hacking groups. Since web 2.0 was proposed in 2004, web applications that emphasize user-generated content such as social networks and blogs have undergone an exponential growth. Amid this trend, profit-driven hacking groups are busy launching more application-layer DDoS attacks, such as HTTP floods, to exhaust server-side computing resources for the purpose of extortion and unfair competition.
Since 2008, the concept of big data has gone viral around the world. In response to the need for processing big data and in the context of such techniques as virtualization, distributed computing, and large-scale storage coming to maturity, cloud computing has become the favorite computing model.
The preceding table shows top 5 DDoS attack types since 2012. The data in the table was sourced from analysis reports prepared by major security and data analysis agencies for the past few years. As the statistical region, granularity, and classification vary, the ranking and naming of attack types are also different, emphasizing different aspects but reflecting the overall annual trends of DDoS attack types.
It is worth noting that reflection attacks have taken up an increasingly large proportion in terms of the traffic volume since 2013. From the perspective of the working principle, the larger the amplification factor of a reflection protocol, the higher the traffic rate is. Then, the more reflection media, such as open DNS servers and exposed IoT assets, the larger the attack size is. Reflection attacks are nothing new. With the steady growth of available reflection resources, they will pose greater threats.
The following uses DNS reflection attacks as an example. There are a lot of DNS resolving devices on the Internet. These devices are either improperly configured, such as no traffic limit or no resource restriction, or unintentionally exposed on the Internet, making themselves easy targets for attackers to use as reflectors against victims. In 2013, the number of open DNS resolvers detected hit a record high of 20 million. While the size of DNS reflection attacks keeps expanding, governance measures targeting DNS resolvers are also gradually in place, resulting in a decrease in the number of DNS servers. Despite this fact, there are still around 10 million resolvers that can respond to DNS requests and are therefore potential resources exploitable for hacking groups.
In the process of processing big data, caches play an essential role. Memcached is an open-source, high-performance distributed memory object caching system widely used in distributed scenarios. However, open-source software services exposed on the Internet are often used as reflectors, posing a severe threat to cybersecurity. Since 2010, many improperly configured Memcached services that are exposed on the Internet via UDP ports have been leveraged by hacking groups. The amplification factor of Memcached is horrendously large. A 203-byte request could cause a server to return a response as large as 100 MB. In contrast, the maximum amplification factor of DNS and NTP services only ranges from 1000 to 2000. In March 2018, a Memcached reflective amplification attack was found to peak at 1.7 Tbps, a new record in the history of DDoS attacks. This attack attracted wide attention in the security community because of its potential huge impact.
From 2014 to 2017, the global IoT market size almost doubled to reach trillions of dollars. Unproportionate to the speed of more and more IoT devices connecting to the Internet, related security techniques and standards are yet to be mature, providing opportunities for hackers to make easy money by exploiting vulnerabilities in SSDP of the UPnP family. The UPnP architecture consists of a series of relevant protocols that implement device discovery, network mapping, and controls besides supporting devices’ connecting to the network. The Open Connectivity Foundation (OCF), an organization that developed UPnP, expressly stipulates that UPnP services must be restricted to intranets. However, in the course of UPnP implementation, device vendors may use older software development kits (SDKs), users may improperly configure devices, or some vendors even intentionally leave backdoors in their devices that invite command injection. All these pose great threats to the cybersecurity landscape. Based on UDP, SSDP services, once exposed, can be easily used as DDoS reflectors. This explains why reflection attacks keep increasing in the size and quantity year by year.
Besides reflective amplification attacks, hacking groups also use worms and viruses to infect large quantities of IoT devices, which are major participants of DDoS attacks. According to Dyn’s estimate, in the DDoS attack that disrupted the company’s service in October 2016, at least 100,000 Mirai-infected devices were involved as botnet members. According to a research conducted by the security posture rating company SecurityScorecard, from July to September 2017, a total of 34,062 IP addresses on the Internet displayed the symptoms expected from an embedded device infected with Mirai IoT malware. In the 12 months from August 1, 2016 to July 31, 2017, the number of IPv4 addresses of Mirai-infected IoT devices hit 184,258. This number is already staggering. But predictably, without a complete IoT defense system, as the IoT is rapidly adopted, IoT botnet armies will become even more gigantic.
Since 2011, great breakthroughs have been made in deep learning techniques, with the AI concept stealing the spotlight. Of course, hacking groups never miss such a good opportunity and they begin to employ these new techniques to boost the effect of current DDoS attacks. The concept of AI-based DDoS is proposed to implement human-free automatic attacks and enable perpetrators to change the type of vulnerabilities exploited and attack vectors based on defenders’ responses. New techniques, such as deep learning, keep lowering the technical threshold and cost of attacks. AI-based malware automation and attack automation methods are popular among hackers. Larger DDoS attacks powered by machine intelligence are looming large in the cybersecurity landscape.
In 2017, IPv6 was officially included as a new Internet standard. Only one year later, the first IPv6-based DDoS attack was spotted. There will be more services and terminals supporting IPv6. We believe that IPv6 will become an important scenario for future DDoS attacks and attacks targeting IPv6 infrastructure will emerge as a major source of new threats.
B. DDoS Attack Vectors
Here, “vector” refers to the infrastructure that DDoS attacks rely on. Generally, the ultimate end of DDoS attack techniques is to expand the attack size to disable the services of victims by compromising such resources as the network bandwidth, computing capabilities, and service capabilities. From this perspective, DDoS attack vectors are characterized by (1) large quantities; and (2) high efficiency. Here, the attack efficiency can be seen as the attack size per resource unit or the quantity of target resources consumed. To maximize benefits, hacking groups try their best to expand the attack size by continuously updating their arsenal and resource pool. Major DDoS attack vectors are described as follows:
- Relatively stable botnet resources controlled by hacking groups are always a core vector of DDoS attacks. Currently, most notorious botnet families are under control of a few hacking groups. Hacking groups do not just stop there. They tend to infect as many machines as possible with custom worms and viruses to rapidly constitute a new botnet, achieving the plug-and-play effect. Particularly, in the context of IoT devices rising sharply but the IoT security mechanism yet to mature, the Mirai malware infected more than 100,000 IoT devices in 2016, which were leveraged by hackers to launch DDoS attacks, disrupting services of Dyn, an international Internet security company.
- Open services. The Internet abounds with DNS resolvers and NTP devices (for time synchronization). Vulnerabilities in these devices due to insecure configurations can be easily exploited by hackers to initiate reflective amplification DDoS attacks. Since 2013, reflective amplification DDoS attacks based on open services have risen to catch people’s eyes, raising the DDoS attack size to an unprecedented level beyond expectation of security professionals.
- Public cloud hosts. Since 2009, the cloud computing market has boomed. Public clouds speed up the maturity of the pay-per-use model of resources and constantly lower prices of computing, network, and storage resources. Some hacking groups can also use these cheap cloud-side resources to set up attack networks for DDoS attacks. Link11, an international anti-DDoS company, said that, in the 12 months from July 2017 to June 2018, one fourth of DDoS attacks in Europe used botnets that were based on public cloud servers.
- Packet senders. High-performance data senders maintained by hackers are mainly used to generate SYN floods with spoofed source IP addresses. They can guarantee the stability of attack traffic, types, and durations.
- Exposed intranet services. The rapid development of big data, IoT, and cloud computing boosts the technical capabilities of devices, software, and services. However, in the context of no effective security perimeters and secure deployment policies as well as lack of security awareness, many ports that are supposed to provide services only to intranets are exposed on the Internet, such as those providing Memcached services and SSDP services under the UPnP framework. These exposed service ports are used as reflectors that can amplify traffic by more than 10,000 times. Since 2018, such attacks have repeatedly generated record-high peak traffic.
Of all these infrastructures that DDoS attacks rely on, some are set up by attackers, some are zombies and infected IoT devices controlled by hackers, and others are various service resources exposed on the Internet. As computer and Internet technologies are developing at a fast pace, vulnerabilities in various network entities are gradually exposed and maliciously exploited.
DDoS attacks can be implemented because of the existence of attack vectors. Reducing the DDoS attack size and impact by first handling attack vectors requires a more appropriate software architecture design, effective security awareness training, a standardized security access mechanism, and a faster and more accurate threat awareness solution.
1.2.3 DDoS Defense Techniques
In the past few years, DDoS attacks have grown in both the size and quantity and become more destructive with an increasingly severe impact. In response, anti-DDoS techniques are also evolving. The following describes DDoS defenses from three perspectives: prevention, mitigation, and governance.
A. DDoS Attack Prevention
Conventional DDoS prevention techniques include packet filtering, overlay networks, honeypots, and load balancing as well as security awareness training.
In the new landscape and technical context of cloud computing, IoT, and blockchain techniques gaining momentum for rapid growth, DDoS defense techniques are also on a track of continuous evolution.
It is imperative to work out such preventive measures as response authentication, service port hiding, and resource isolation to protect cloud services and cloud computing providers from DDoS attacks. For DDoS attacks targeting the IoT, a mature edge computing architecture is expected to fill up the gap in the IoT device security landscape, delivering unified authentication and authorization and standard network access for hardware. Edge computing can, on the one hand, harden security perimeters of IoT devices, and on the other hand, provide central governance at network edges, thus putting edge devices under better protection. Blockchain techniques can also mitigate the impact of botnets, such as the Mirai botnet that consists of tens of thousands of IoT devices infected with malware. Some malware remotely accesses devices with login credentials that are easy to crack. By storing identity/public key pairs on the blockchain, we have public keys encrypted to replace default login credentials. In this way, public keys are hard to crack, allowing only device vendors to install firmware on devices.
B. DDoS Attack Mitigation (Detection, Response, and Fault Tolerance)
(1) DDoS Detection
DDoS attack detection methods mainly include signature matching, anomaly detection, and attack source identification. Signature matching is to discover DDoS attacks with known signatures, which are extracted from real-time traffic and included in a statistical learning model or rule/signature base, by matching packets with existing signatures and classifying events accordingly. Anomaly detection is to spot possible DDoS attack traffic by comparing current traffic with baselines established based on learning of normal traffic. Attack source identification is to check the legitimacy of the data at the data source end and detect malicious traffic by using IP address traceback and link management methods.
The development of software-defined networking (SDN), cloud computing, big data, IoT, artificial intelligence (AI) and blockchain techniques brings new scenarios and solutions for DDoS detection.
Proposed in 2011, the SDN technology has been used for network optimization in WANs by Internet giants, such as Google. The core idea of SDN is the separation of the control plane from the data plane in the network. The centralized control plane provides great opportunities for the global network control and monitoring. Some scholars have used the available measurement resources in the entire SDN network to adaptively balance the coverage and granularity of attack detection. Its architecture and related algorithms can quickly locate potential DDoS victims and attackers by using a small number of traffic monitoring rules.
Deep learning has been used to deal with various types of tasks to improve the automation level and detection accuracy. For DDoS detection, related techniques based on the deep neural network (DNN) have also been proposed and applied in experimental environments.
(2) DDoS Response
The DDoS attack response mainly includes packet filtering and rate limit technologies. After being migrated to the cleaning device, DDoS traffic can be filtered out and then dropped, and legitimate traffic can be retained.
The virtualization network technology of cloud computing provides flexible network isolation and routing policies, so that DDoS traffic can be switched to other devices for processing in a more timely manner.
The content delivery network (CDN), together with the smart DNS system, helps mitigate DDoS attacks. Smart DNS disperses attack traffic from different locations, which makes CDN nodes regional traffic absorption centers, thereby diluting the traffic. The source website is protected as follows: After being distributed to CDN nodes, the traffic can be cleaned at these nodes, with only normal traffic being injected back to the source website.
The blockchain technique provides a brand new insight for the current traffic cleaning solutions. Traditional systems use a centralized server to receive massive DDoS traffic. However, the nature of DDoS attacks makes the bandwidth a bottleneck for processing so much data. Relevant agencies have proposed to build a system based on blockchains so as to rent their idle bandwidth for receiving malicious DDoS traffic and reduce attacks. The automatic DDoS attack response system has come to maturity in the cloud computing environment, and the rapid rise of artificial intelligence provides new solutions for more intelligent DDoS response techniques. For example, DDoS threats and attack sizes can be predicted by learning historical data, making it possible to take more refined response measures.
(3) DDoS Fault Tolerance
The fault tolerance mechanism for DDoS attack response mainly includes the congestion control policy and fault tolerance. The congestion control policy is to remediate the vulnerabilities of the TCP/IP protocol stack in DDoS scenarios by implementing congestion control algorithms against DDoS attacks between network devices. Fault tolerance emphasizes that related services should have backup and expansion capabilities to maintain the service continuity in the context of large-scale DDoS attacks.
C. DDoS Attack Governance
Behind DDoS attacks, there are complex relations of economic interests in the underground industry. Therefore, effective governance needs to start from multiple dimensions, including policies, industries, resources, and techniques. This section dwells upon how to mitigate DDoS attacks from the following perspectives.
(1) Upgrading the Network Architecture and Technology
During the development of the computer technology and Internet, congenital and acquired deficiencies in the architecture and technology provide the hotbed of DDoS attacks.
For example, the lack of effective methods of address identification and traceability leads to the wide use of various attack methods with address spoofing as the core. In the existing network architecture, spoofed addresses can hide the identity of attackers and are used as sources of request packets to launch reflection attacks.
In addition, the lack of unified network traffic controls leads to delayed DDoS attack detection, warning, and response, expanding the scope of impact. Large-scale distributed DDoS attacks make it difficult for existing heterogeneous and complex network architectures to detect their early signs in time. When a DDoS attack is launched across the board, it is difficult to quickly isolate malicious traffic and target devices.
Fortunately, with the development of the network technology and computing technology and the establishment of related standards, the preceding problems have been greatly mitigated. For example, the solution of separating the network data plane from the management plane represented by software-defined networking (SDN) technology lays a critical foundation for the global and intelligent management of network traffic and network nodes; the core capabilities of cloud computing (such as resource virtualization) provide support for the isolation, fault tolerance, and restoration of cloud-based network resources. The new algorithms and standards developed for packet labelling and filtering help effectively reduce the transmission paths of packets with a spoofed address.
(2) Managing Exposed Services
As mentioned above, reflective DDoS attacks are usually launched by exploiting open public services in the Internet or accidentally exposed intranet services. The number of potentially exploitable service resources exposed to the Internet is enormous. For open services, such as DNS and NTP services, it is necessary for relevant departments and asset owners to investigate the service vulnerability, strengthen the control of response policies, and deploy effective detection mechanisms, so as to prevent malicious use. For accidentally exposed intranet services and protocols, such as SSDP, Memcached, and intranet DNS, relevant enterprises should enhance network isolation measures and improve their personnel’s security awareness, in a bid to prevent accidental exposure of intranet services.
Botnets are always the main force for launching DDoS attacks in the underground industry. By dropping various worm viruses and malware samples, attackers can infect and control a large number of zombies. To dismantle botnets, on the one hand, we need to start with malicious samples by analyzing attack methods to strengthen protection measures at each stage of the kill chain; on the other hand, we need to improve proactive protection policies, monitor botnet trends, and provide early detection, alerting, and traceback of DDoS attacks. For example, we can use honeypot and honeynet techniques to proactively obtain malicious samples and capture malicious traffic behaviors and make correlative analysis to identify attackers’ attack intentions, defeat their attack methods, and break their attack chains.
1.3 Anti-DDoS Products of NSFOCUS
Since the launch of NSFOCUS Anti-DDoS System (ADS, 100M) in 2001, NSFOCUS has been releasing proprietary anti-DDoS products for different industries, with different models meeting varied requirements. NSFOCUS ADS can distinguish between malicious and normal traffic in real time and then quickly filter out malicious traffic, thereby protecting the operation of normal services. NSFOCUS ADS can be easily deployed in various network environments. NSFOCUS ADS has the largest share on China’s DDoS attack market for 4 straight years, namely, from 2014 to 217.
NSFOCUS Anti-DDoS System Management (ADS M) works with NSFOCUS ADS and NSFOCUS Network Traffic Analyzer (NTA) to constitute an integrated anti-DDoS solution. It has such main functions as centralized management, report integration, region-specific management, and self-service portal. By exercising centralized management of detection devices and cleaning devices and performing data aggregation, ADS M provides complete traceback of DDoS attack events, helping customers to improve the cleaning efficiency and simplify O&M.
Based on the long-term technical accumulation in the anti-DDoS area, NSFOCUS has developed DDoS Cleaning Cloud to provide comprehensive DDoS protection by introducing advanced diversion techniques such as smart DNS and can clean traffic from multiple links at the same time. Meanwhile, local Anti-DDoS devices (such as NSFOCUS ADS, NTA, and WAF) can automatically collaborate with NSFOCUS DDoS Cleaning Cloud to provide comprehensive anti-DDoS services.
In a word, from the development of DDoS attacks and DDoS defense techniques in recent years, we can see that the development of computer and Internet technologies and architectures not only brings market opportunities, but also provides technical support for malicious gangs. An important aspect of network attack and defense is the constant competition of attack and defense techniques. A new technology or industry can be a strong shield in the hands of defenders, but a sharp spear in the hands of malicious gangs as well. The information asymmetry between attackers and defenders requires that cybersecurity defenders continuously draw on the latest technological achievements and architecture advantages to enhance their awareness, prevention, mitigation, and governance capabilities against DDoS threat. Only in doing so, can we effectively protect the cyberspace from DDoS attacks.