This is a translation of an article by Artus Lavlenov, an expert at the NATO Cooperative Cyber Defence Centre of Excellence (NATO CCDCOE) in Tallinn, Estonia. The article argues that distributed denial-of-service (DDoS) attacks are becoming more common worldwide, that attack scale and bandwidth keep reaching new highs, and that this poses a serious threat to the safe operation of the global Internet. The traditional approach to dealing with DDoS attacks is becoming less and less effective, and more participants must be brought in to jointly advance the governance of global DDoS attacks.
Abstract: Operators of the Internet’s global infrastructure have been battling distributed denial of service (DDoS) attacks for more than 20 years. This paper reviews the current response strategies for reflective amplification DDoS attacks and raises the issues that make these responses less effective and that need further research. It argues that efforts to counter DDoS attacks effectively should involve other actors, and analyzes the motivations and incentives for their participation. A long-standing question in dealing with DDoS attacks has been whether an abused protocol can be remediated faster than the affected devices reach the end of their life cycle and are retired. It now appears that it can. The attack capability of the abused Memcache protocol was 319Mbps in May 2020, compared with 1.7Tbps two years earlier, so this attack can be considered fully remediated. This article analyzes the main reasons for the success of this response, and whether the same approach, measuring reflector capability, can be used to mitigate attacks on other frequently abused protocols. In contrast, the long-abused DNS protocol shows no significant drop in attack bandwidth, which still hovers around 27.5Tbps.
Keywords: DDoS attack, DDoS attack capability, DDoS attack repair, reflector, amplifier
1. Introduction
The first DDoS cyberattack occurred 20 years ago, and reflective amplification DDoS attacks followed shortly after; they have plagued the Internet ever since. While the number of reflectors discovered by Internet scanning projects has declined steadily in recent years, attack capability has continued to rise and set new records. A rational observer would assume that our technological society is capable of solving a technical challenge that has been known for so long, and would want to know why we have not.
This article discusses only reflective amplification DDoS attacks. Although an attacker expects the same effect on the victim from every attack type, and different attack types often appear together, the response strategies differ considerably. Direct attacks by botnets of compromised devices are increasingly attracting attention from law enforcement agencies, Internet Service Providers (ISPs), and industry groups.
Forged source IP addresses and the presence of a large number of reflectors on the network are the two fundamental reasons that make DDoS attacks difficult to eradicate. An attacker who can lease or compromise a poorly managed networked host can use its spare upload bandwidth to send packets to reflectors on the public network with the victim’s IP address as the forged source; the reflectors then send larger response packets to the victim’s IP address. The current countermeasure is to fix network configurations so that only packets with legitimate source IP addresses can enter the Internet from each network (BCP 38, BCP 84), and to try to eliminate reflectors. Both the share of global addresses that can be spoofed and the number of reflectors for abused protocols are decreasing, suggesting that these strategies are working, at least to a certain extent. Yet DDoS attacks continue to set new attack bandwidth records.
In 2020, addressing DDoS attacks has become more important than ever. The global COVID-19 pandemic almost immediately moved the entire education system, and every job that can be done online, into the home. Access to various remote systems has become a necessity for everyone affected. In the past, a DDoS attack on an organization caused only limited disruption and reputational damage, and employees and students could continue their daily work and learning on-premises or through locally accessible systems. Now, a DDoS attack can disrupt all work and education of the remote users who depend on the attacked system. This is already a reality: a high school student’s DDoS attack on an e-learning platform disrupted online classes for 170,000 users. If new record-breaking DDoS attacks target the largest online collaboration tools, what will the impact on the global economy be?
2. Related research work
DDoS is a widely studied topic. Research usually follows the typical path of applying each emerging technology, such as software-defined networking (SDN), blockchain, or artificial intelligence, to the DDoS problem, but often only after the attack traffic has already reached the victim. The root causes of DDoS flooding are twofold: the ability to forge source IP addresses and the existence of a large number of reflectors on the Internet. Some researchers focus on these aspects. The Center for Applied Internet Data Analysis (CAIDA) runs a long-term project called Spoofer that assesses and monitors networks that allow packets with bogus source IP addresses to be injected. Notification efforts are closely watched, and the correlation between notification and remediation is analyzed, to positively influence cybersecurity defense efforts, especially against reflective DDoS attacks. Some research institutes have tried to filter packets with forged IP addresses by technical means without fixing the poorly managed networks themselves. Although these methods perform well in simulation, they have not been widely adopted.
Reflector research is quantitative: it scans the Internet for specific ports and protocols that can be used in reflection attacks. Such scans are carried out when a protocol starts to be abused, or when the potential for future abuse is being investigated. Typically, these studies do not investigate what the abused devices are, or how much they contribute to attack capability. Most research focuses on the consequences of an attack rather than on understanding and addressing the underlying problem. Surveys of the state of DDoS attacks have suggested that a fundamental shift and more research are needed, while relying solely on the peak attack capabilities reported by response service providers.
An assessment of global DDoS attack capability can determine which abused protocols contribute the most and which regions are at the highest risk. The measurement method proposed in earlier research can identify the networks and regions that contribute the most and the fewest hosts. Comprehensive measurements of reflector capability in laboratory settings, while important for further understanding global attack bandwidth, cannot cover all devices and network conditions on the Internet.
3. The participants and their motivations
A closer look at the participants in the Internet ecosystem provides clues to why we struggle to respond to DDoS attacks. The average Internet user only wants to access the services an organization provides. Malicious actors have a wide range of capabilities and motivations, but their ultimate goal is to prevent users from accessing a particular service. Most published research so far has focused on these two types of players, but there are others who might help address the problem or reduce its impact.
3.1 ISPs and Transit Service Providers
Many transit service providers, and some ISPs and data centers, cannot filter large-scale application-layer DDoS attacks. The goal of such players is to provide network services to all customers while maintaining customer satisfaction and service levels. If the scale of an attack does not affect other customers, the attack traffic may simply be passed on to the victim, who may or may not have the means to respond. If an attack is large enough to affect other customers, the transit provider must reduce its impact, usually by black-holing the victim’s address as far from the victim as possible in the network topology. Once the attacked service loses connectivity, the attack can be considered successful.
ISPs externalize the cost of having open reflectors on their networks. For the ISP, the bandwidth consumed has no negative impact on its service. Networks that serve specific user groups, such as residential users or data centers, often have unbalanced bandwidth consumption and therefore unused capacity in one direction. When a reflector in a residential ISP network amplifies traffic, it consumes this unused upload capacity. As long as this consumption is relatively small and does not affect other customers or network routers, there is no ill effect on the ISP, and therefore no incentive to fix it.
DDoS attacks typically target commercial services hosted in data centers, whose asymmetric traffic profile means the inbound bandwidth of an attack can be absorbed within the reserved capacity without extra charge. Attacks can be mitigated further if the available bandwidth is large enough and the network has a filtering solution in place. The larger the data center, the greater its available network bandwidth, and the larger the attack it can filter. Some of the largest data centers in the world can indeed filter DDoS attacks at little or no cost and can handle most attacks. Smaller data centers and ISPs can be overwhelmed by an attack.
If an ISP balances its bandwidth by serving customers that both generate and consume it, or by selling unused capacity as transit, it gains an economic incentive to keep wasted bandwidth to a minimum. Technical solutions, or network governance schemes and management, can significantly reduce an ISP’s wasted bandwidth.
There is no legislation specifically addressing the presence of open reflectors on the network, and even if a DDoS attack from a particular set of reflectors causes provable damage, the responsibility may be shifted to the end client hosting those reflectors. Overall, ISPs in networks with a large number of open reflectors have no incentive to address this issue.
3.2 Response Service Providers
DDoS response services absorb the largest attacks on the Internet. These providers may specialize in DDoS filtering or offer it alongside other network services such as a Content Delivery Network (CDN). Their business model is straightforward: have more ingress bandwidth capacity than the largest expected attack, and deploy a filtering solution that forwards legitimate packets to the customer’s network while dropping attack traffic.
These response service providers publish technical reports whenever a new protocol is abused or a new record for attack size is set. These reports are heavily cited by academia, industry, and the media to illustrate DDoS capabilities, and have become the main source of information about the largest attacks, making them an excellent source of free global marketing.
As long as expected attack traffic and its future growth remain manageable and no record-breaking attacks occur, these response service providers are in a safe market position. They have the most professional insight into the current situation and into what needs to be addressed first. However, it is not in their interest to remediate these attacks completely, as they would lose their competitive advantage and even their entire business model.
3.3 Equipment Manufacturers
It is often overlooked that most reflectors are not essential public services but residential and commercial devices connected to the Internet with default configurations. The problem is made worse by router-type devices with separate internal and external network interfaces. A user may need a service on the internal interface, which does not create an open reflector; the same service on the external interface does create an open reflector, and there it is usually not needed to provide the service to the user.
Manufacturers of residential user equipment strive to make their products as affordable as possible, sometimes by cutting corners, and software quality and security are the first to be sacrificed. These devices are exposed to the Internet with remotely accessible control panels, default account passwords, or software vulnerabilities that can be exploited to compromise them and make them part of a botnet. Users of these devices may not even notice, or they may wonder why they are asked to solve CAPTCHAs more often, or why Internet access is sometimes slow. In more extreme cases, the user’s information can be stolen, or the device can be used to take over other devices on the network. If a manufacturer’s devices are exploited on a large scale with serious consequences for users, this triggers negative publicity. Device manufacturers therefore have an incentive to minimize such incidents and to actively remediate the impact of an attack so that it does not happen again. A large number of devices used as open reflectors does not directly harm users, but the reputational damage can prompt manufacturers to address the issue.
3.4 Policy makers and legislators
In all developed countries, carrying out a DDoS attack is already covered by criminal law. The malicious actors behind reflective DDoS attacks are the most difficult to identify. The global nature of the Internet and of DDoS attacks means that a single attack against a company registered in one jurisdiction may affect services physically hosted in one or more other jurisdictions, and may be carried out by attackers located in yet another jurisdiction, using any number of bogus IP addresses and reflectors from further jurisdictions. While prosecuting criminals and influencing international law is the bigger challenge, legislative and regulatory bodies committed to improving the lives of citizens should be encouraged to take steps against DDoS attacks.
4. Responding to DDoS Attacks
The most obvious response is to find the network where an open reflector is located and notify that network’s administrator. Other simple and easy measures can also work.
4.1 Notify the network administrator
Many academic and industry organizations actively scan the Internet for known abusable services and notify the network’s contacts or the operators of the abused services. If the network is properly managed, these notifications are forwarded to the end customer, and the network may even help the customer resolve the problem. Some networks have terms of service that require customers to limit or prevent reflector behavior. A poorly managed network will not even forward the notifications. While running our reflector honeypot system, we saw many forwarded notifications on some well-managed networks, but their effectiveness was limited.
The number of reflectors available for long-abused protocols appears to be decreasing, but it is unclear what role notification plays in this. There has been no in-depth study, so no reliable claim can be made. A possible alternative explanation is that an abusable device simply stays on the Internet until the end of its life cycle or until a network configuration change, which is completely unrelated to any remediation effort.
The repetitive nature of notification emails, combined with the lack of any perceived value to the network, calls the effectiveness of this approach into question. Calculating the bandwidth capacity each network potentially wastes can be used to quantify the damage, which seems to provide some perceived value. Measuring the effectiveness of notification is not easy, but by tracking changes in the links and bandwidth capacity behind a particular network over time, a detailed report can be produced to assess it.
4.2 ISPs and Net Neutrality
While net neutrality has been a hot topic for years, there is widespread precedent for ISPs violating net neutrality for specific protocols for their own benefit. Deep packet inspection (DPI) and traffic shaping in residential and mobile networks have been studied extensively, but the little-known practice of ISPs and data centers blocking or restricting specific ports has not been widely studied or measured. Most commonly, ISPs and data centers close email ports by default but offer an opt-out, and run rate limiting or filtering systems. Why customers view the two cases differently is debatable, and one may argue that providing an opt-out option is sufficient.
Even before reflective DDoS attacks became the norm, spam was a problem. Because spam directly affects the productivity and security of users and businesses, cybersecurity professionals developed various countermeasures, primarily spam filtering and blacklisting of infected hosts. However, spam filtering is hard to make 100% accurate, and it is also hard to block the IP addresses of all infected hosts. If a network administrator does not act against a spamming host, other hosts on the same network will spam as well. Blacklisting an entire network, or reducing its reputation, may seem a reasonable measure to protect users, and since managing individual blacklists is time-consuming, many email services use a global blacklisting mechanism.
If an ISP wants to let its customers send email directly without being rejected or classified as spam by most recipients, it must keep itself off the blacklists. Whenever an abusive host appears on the network, quick action must be taken to stop it from sending spam, by throttling its connection or by requiring the customer to fix the problem. Otherwise, customers will not be able to send email, and the ISP can only serve customers who do not need that feature. Most ISPs choose to deal with spam to avoid being blacklisted.
Some ISPs choose to externalize the costs of network mismanagement and have little incentive to do otherwise. Convincing such an ISP to improve its network management with a blacklist approach could work as it did for spam, but it depends on the cost of being blacklisted. Other blacklists exist besides spam lists. They usually consist of single machines (or small subnets) engaged in malicious behavior, such as spreading malware, active scanning, probing services, or brute-forcing credentials. These blacklists are usually run by government departments or other organizations responsible for improving security. Surprisingly, this probably will not touch the ISP at all, since its non-abusive customers will not be throttled. And since a reflector itself is not malicious, blacklisting it achieves nothing.
The attacks discussed above will likely reduce the overall reputation of the network. Greylisting an entire ISP based on its reputation can be effective because it affects many customers. Brute-force behavior by some hosts may cause websites that rely on network reputation to require all of the ISP’s users to solve a CAPTCHA every time. Credit card transactions or other activities may be flagged as potentially fraudulent, require manual processing, and be significantly delayed or fail by default. Customer satisfaction drops as a result, prompting customers to look for another ISP, which gives the ISP a financial incentive to act. The same greylisting mechanism can be applied to networks that allow packets with forged IP addresses, where such forgery is proven to be actively occurring.
We may need a new DDoS greylisting mechanism and a way to penalize ISPs. The penalty should be related to the DDoS problem. For example, the CAPTCHA mechanism used by many DDoS response services could be used to penalize networks known to allow large numbers of packets with bogus source IP addresses, or known to contain a disproportionately large number of open reflectors.
Whenever new regulations that require a third party to implement something are discussed, the question of cost always arises. This is often the case when national governments require ISPs to deploy expensive systems such as Deep Packet Inspection (DPI) or data retention. The basic solutions, blocking packets destined for reflector ports and preventing IP address forgery, are simple and cheap. With the ISP’s existing equipment, blocking all Internet packets to ports known to be abused is trivial and free. The only possible cost is managing, or providing self-service for, customer opt-outs.
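The two cheap ISP-side measures just described, BCP 38 source validation and closing abused reflector ports by default with a per-customer opt-out, as a simulated edge policy. This is an added example, not code from the article; the port numbers are assumptions (11211/udp for memcached and 53/udp for DNS are the services’ standard ports), and all addresses are constructed documentation ranges.

```python
"""Simulated ISP edge policy for two cheap countermeasures: BCP 38
source-address validation on traffic leaving a customer link, and dropping
Internet traffic to UDP ports of commonly abused reflector services unless
the customer has opted out. Constructed example, not the article's code."""
from dataclasses import dataclass
import ipaddress

# UDP ports of services commonly abused as reflectors (assumed standard ports)
ABUSED_UDP_PORTS = {11211: "memcache", 53: "dns"}


@dataclass(frozen=True)
class Packet:
    src: str         # source IPv4 address
    dst: str         # destination IPv4 address
    proto: str       # "udp" or "tcp"
    dport: int       # destination port
    direction: str   # "egress": customer -> Internet, "ingress": Internet -> customer


class EdgePolicy:
    """Policy applied by the ISP edge router to one customer link."""

    def __init__(self, customer_prefixes, reflector_optout=()):
        # Prefixes allocated to this customer link: the BCP 38 allow-list
        self.prefixes = [ipaddress.ip_network(p) for p in customer_prefixes]
        # Customer addresses that asked to keep receiving reflector-port traffic
        self.optout = {ipaddress.ip_address(a) for a in reflector_optout}

    def _is_customer_address(self, addr: str) -> bool:
        ip = ipaddress.ip_address(addr)
        return any(ip in p for p in self.prefixes)

    def decide(self, pkt: Packet) -> tuple:
        """Return ("allow" | "drop", reason) for one packet."""
        if pkt.direction == "egress":
            # BCP 38: a packet leaving the customer link must carry one of the
            # customer's own addresses; anything else is a spoofed source.
            if not self._is_customer_address(pkt.src):
                return ("drop", "bcp38: spoofed source %s" % pkt.src)
            return ("allow", "")
        if pkt.direction == "ingress":
            # Close abused reflector ports toward the customer by default,
            # unless this destination address explicitly opted out.
            if pkt.proto == "udp" and pkt.dport in ABUSED_UDP_PORTS:
                if ipaddress.ip_address(pkt.dst) not in self.optout:
                    return ("drop", "reflector port %d (%s) closed by default"
                            % (pkt.dport, ABUSED_UDP_PORTS[pkt.dport]))
            return ("allow", "")
        raise ValueError("unknown direction %r" % pkt.direction)

    def apply(self, packets):
        """Evaluate a packet list; returns a list of (packet, verdict, reason)."""
        return [(p,) + self.decide(p) for p in packets]


# Constructed customer link: one /24, with a single host opted out for DNS.
POLICY = EdgePolicy(["203.0.113.0/24"], reflector_optout=["203.0.113.53"])

# Constructed traffic sample (documentation address ranges only).
SAMPLE = [
    Packet("203.0.113.10", "198.51.100.5", "udp", 11211, "egress"),   # own source: ok
    Packet("192.0.2.99", "198.51.100.5", "udp", 11211, "egress"),     # spoofed source
    Packet("198.51.100.5", "203.0.113.10", "udp", 11211, "ingress"),  # probe to reflector
    Packet("198.51.100.5", "203.0.113.53", "udp", 53, "ingress"),     # opted-out DNS host
    Packet("198.51.100.5", "203.0.113.10", "tcp", 443, "ingress"),    # ordinary HTTPS
]


def sample_verdicts():
    """Verdicts for SAMPLE in order; used as the worked result."""
    return [verdict for _, verdict, _ in POLICY.apply(SAMPLE)]


if __name__ == "__main__":
    for pkt, verdict, reason in POLICY.apply(SAMPLE):
        print(f"{verdict:5} {pkt.direction:7} {pkt.src} -> {pkt.dst}:{pkt.dport}/{pkt.proto} {reason}")
```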
4.3 Equipment and regulations
Reducing the number of open reflectors running on consumer devices is something we can tackle now. The California state legislature has passed a bill requiring Internet-connected devices to take basic security measures to protect consumers. While requiring external interfaces not to provide any unwanted services by default will not directly affect consumers, there is no reason such legislation should not improve the overall security of the Internet. If such regulations are introduced in at least one large market, it becomes more cost-effective for manufacturers to offer the same secure version of their devices in all markets.
Legislatures may also require ISPs to provide a rudimentary firewall with an opt-out, but it is difficult to make a large enough impact in other jurisdictions. Because consumer devices are rarely patched under the current business model, older devices may keep contributing reflector capacity until the end of their life if the ISP does not intervene.
To address the problem from the device side, we need to understand which device classes and manufacturers contribute the most bandwidth capacity. The best-known manufacturers can then be contacted directly, and these facts brought to legislatures to justify action. Lobbying for international laws and rules is justified only once national legislation has proven effective.
5. Measuring DDoS Attack Capability
Understanding DDoS attack capability is necessary for developing and validating more effective response strategies, and it is one of the key pieces of information missing from current DDoS research. We measured two very different abused protocols, Memcache and DNS, using methods proposed in earlier research.
5.1 Memcache
Memcache has held the record for DDoS attack size since 2018, when an attack bandwidth of 1.7Tbps was reported. In May 2020 we observed an attack capacity of only 319Mbps, with only 12 reflectors contributing this traffic, some of which may be honeypot systems deployed to attract attacks. The measurement method allows insignificant hosts to be excluded from the calculation. Attacks using this protocol can therefore be considered completely eliminated and may not reappear. Because attack bandwidth is understood in different ways, policymakers and the public may mistakenly believe that the most-cited bandwidth figures are still relevant. For how long has this protocol, and its attack size, been mistakenly seen as a major issue?
How quickly are protocol attacks cleared? A single measurement of attack traffic, taken at one point in the network topology and at one point in time, is essentially no different from a reported peak attack size. The solution is a system that continuously measures the attack capability of each abused protocol, so that newly detected abused protocols can be added quickly.
The protocol is a notable case not only for its record-setting attack scale but also for how quickly it was eliminated compared with other protocols. Most abused protocols have long existed on low-power consumer devices reachable from the Internet. The Memcache protocol is typically deployed in enterprise environments where each host can have 1Gbps of bandwidth on a 10Gbps connection. The protocol is used to provide high-performance services, so software is not a bottleneck either. Each reflector can be driven to fill its available bandwidth, which degrades its primary function and lets administrators spot the anomaly. Notifications then reach responsible administrators who are motivated and able to act. And because the protocol affected DDoS response service providers themselves, they actively took part in the response.
5.2 Domain Name System (DNS)
The response to DDoS attacks using DNS differs significantly. DNS was one of the first protocols abused for reflection amplification DDoS attacks on the Internet and remains unfixed to this day. In May 2020, global attack traffic capacity using the DNS protocol reached 27.5Tbps (with a 1Gbps per-country threshold and the 80% minimum response rate requirement; see Figure 1). This kind of presentation is typical of traffic estimates and provides more detail than plain open-reflector counts. As shown, China and the United States are the largest contributors, followed by developing and developed countries with high-speed Internet connections.
Figure 1 DNS reflection attack traffic (by country)
This figure is very close to our August 2018 measurement of 37.6Tbps. While attack traffic appears to have decreased significantly, changes in networks, the location of measurement points in the network topology, and the lack of effective ways to handle network measurement error must be considered. Even if we assume that the measurements are comparable and the measurement error is small, the change over time is small compared with the completely cleared Memcache-based attack traffic.
According to Cloudflare’s statistics, the top two networks sending reflected Memcache packets were OVH and DigitalOcean, both of which took part in the response, likely by firewalling the reflector ports at the network level or by contacting customers directly. These networks remain major contributors to abusive DNS traffic, with measured DNS reflector traffic of 1.4Tbps and 200Gbps, respectively. Both provide data center and colocation services, should pay attention to their outgoing bandwidth, and should understand the impact of this illicit traffic, as they are prime targets for attacks themselves. This suggests that the type of ISP hosting the reflector is not the determinant of the response, or at least not the only one. Differences in outcome may stem from a combination of factors: a low number of reflectors, high connection bandwidth, or, in the case of the Memcache protocol, location in non-residential networks. These factors may strongly motivate some participants, but there is currently no empirical evidence to support this theory.
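The aggregation step behind the Memcache and DNS figures in this section, as an added example rather than the article’s own measurement code: probe results per reflector are filtered by the 80% minimum response rate, insignificant hosts are dropped, and the remaining response bandwidth is summed per protocol by country and by network. The 80% rate comes from the article; the 1 Mbps significance threshold and all probe results are constructed assumptions.

```python
"""Aggregate reflector probe results into per-protocol attack-capacity figures.
Each reflector is probed repeatedly; its contribution is the response bandwidth
it sustains. Hosts answering fewer than 80% of probes (the article's rule) and
hosts below an assumed significance threshold are excluded before aggregation.
Constructed example, not the article's measurement code."""
from collections import defaultdict
from dataclasses import dataclass

MIN_RESPONSE_RATE = 0.80          # minimum share of probes a host must answer
MIN_SIGNIFICANT_BPS = 1_000_000   # assumed: hosts below 1 Mbps are ignored


@dataclass(frozen=True)
class ProbeResult:
    ip: str
    protocol: str        # abused protocol, e.g. "memcache" or "dns"
    country: str         # country code of the reflector
    network: str         # ASN or operator hosting the reflector
    probes_sent: int
    probes_answered: int
    response_bps: float  # sustained response bandwidth measured on answered probes


def response_rate(r: ProbeResult) -> float:
    return r.probes_answered / r.probes_sent if r.probes_sent else 0.0


def usable(r: ProbeResult) -> bool:
    """A reflector counts only if it answers reliably and is not insignificant."""
    return response_rate(r) >= MIN_RESPONSE_RATE and r.response_bps >= MIN_SIGNIFICANT_BPS


def capacity_by(results, key):
    """Sum usable reflector bandwidth per protocol, grouped by key(result)."""
    totals = defaultdict(lambda: defaultdict(float))
    for r in results:
        if usable(r):
            totals[r.protocol][key(r)] += r.response_bps
    return {proto: dict(groups) for proto, groups in totals.items()}


def capacity_by_country(results):
    return capacity_by(results, lambda r: r.country)


def capacity_by_network(results):
    return capacity_by(results, lambda r: r.network)


def usable_reflector_count(results, protocol):
    return sum(1 for r in results if r.protocol == protocol and usable(r))


def fmt_bps(bps: float) -> str:
    """Human-readable bit rate (Mbps / Gbps / Tbps)."""
    for unit, scale in (("Tbps", 1e12), ("Gbps", 1e9), ("Mbps", 1e6)):
        if bps >= scale:
            return f"{bps / scale:.1f} {unit}"
    return f"{bps:.0f} bps"


# Constructed probe results (documentation address ranges, private-use ASNs).
SAMPLE = [
    # Memcache: two usable enterprise hosts, one flaky host, one insignificant host
    ProbeResult("192.0.2.10", "memcache", "US", "AS64500", 10, 10, 200e6),
    ProbeResult("192.0.2.11", "memcache", "US", "AS64500", 10, 10, 100e6),
    ProbeResult("192.0.2.12", "memcache", "FR", "AS64501", 10, 5, 900e6),   # 50% answered
    ProbeResult("192.0.2.13", "memcache", "FR", "AS64501", 10, 10, 2e5),    # 0.2 Mbps
    # DNS: many small consumer devices add up
    ProbeResult("198.51.100.1", "dns", "CN", "AS64502", 10, 9, 40e6),
    ProbeResult("198.51.100.2", "dns", "CN", "AS64502", 10, 8, 60e6),
    ProbeResult("198.51.100.3", "dns", "US", "AS64500", 10, 10, 50e6),
    ProbeResult("198.51.100.4", "dns", "US", "AS64503", 10, 7, 80e6),       # 70% answered
]


if __name__ == "__main__":
    for proto, per_country in capacity_by_country(SAMPLE).items():
        print(f"{proto}: {usable_reflector_count(SAMPLE, proto)} usable reflectors")
        for country, bps in sorted(per_country.items(), key=lambda kv: -kv[1]):
            print(f"  {country}: {fmt_bps(bps)}")
```

Tracking the same totals per network over time is what the notification section calls for when it asks for reports on bandwidth capacity behind a particular network.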
6. Results and Discussion
We already know the two fundamentals of a reflective DDoS attack and the targeted technical responses: eliminating open reflectors, eliminating forged source IP addresses, or both. But we cannot immediately implement these measures universally. Quantitatively, effective remediation is challenged on both fronts by ever-increasing bandwidth capacity. We need to keep improving the response strategy, starting with the improvements that require the least effort and meet no resistance, to progressively achieve results. We discussed other actors who could be involved in the response, including ISPs, device manufacturers, and legislators, but they still lack the incentives to do so. For all of these players, the biggest impediment is a lack of understanding of attack capability, which makes it impossible to measure the significance of improvements or to assess the effectiveness of any new measure. DDoS response service providers currently hold a monopoly on this knowledge and have little incentive to change the situation. We have confirmed through attack traffic measurements that comprehensive remediation of a heavily abused protocol such as Memcache is possible within a reasonable time frame, something not observed for other protocols. In contrast, remediation of DNS abuse has stagnated over the past two years from an attack traffic perspective.
We have proposed several ways to address the root causes of DDoS attacks instead of trying to eliminate their effects. Attack traffic research and analysis is key to measuring the effectiveness of response efforts and to validating recommendations for future remediation strategies. We need to measure the contribution of specific ISPs and device manufacturers to eliminating attack traffic, so that future announcements can demonstrate the impact of their contributions. We also need reliable and independent data to demonstrate the effectiveness of any legislative effort.