How to Trace a DDOS Attack
ISPs, researchers outline steps to sleuth the sources of increasingly dangerous distributed denial-of-service attacks
At almost any time of day, there's a distributed denial-of-service (DDOS) attack underway somewhere on the Internet.
Yes, it's still true, despite reports that some ISPs have experienced fewer DDOS attacks overall during the last six months. It's a matter of quality, not quantity: "When DDOSes do occur, they are done with much greater purpose than they used to be," says Rodney Joffe, senior vice president and senior technologist for Neustar, a directory services and clearinghouse provider for the Internet industry. "They are usually to obscure what's [really] happening in the background."
Phishing and pharming are more lucrative for cybercriminals, he says, "so they are using DDOS strategically" rather than as the main attack mode.
ISPs consider DDOS attacks -- where an attacker floods network connections, Websites, or systems with packets -- one of their biggest threats. Most of these attacks are being waged by botnets -- some as large as tens of thousands of bot machines, according to a recent survey of ISPs by Arbor Networks. Arbor found an average of 1,200 DDOS attacks each day across 38 ISP networks. On 220 of the last 365 days, there was at least one DDOS attack of one million packets per second, says Danny McPherson, chief research officer for Arbor Networks. (See Report: Attacks on ISP Nets Intensifying.)
Just like botnets, DDOS attacks have become stealthier and tougher to trace than ever, with layers of bot armies disguising the original source. "Tracing a DDOS is a particularly vexing problem, with the whole notion of obfuscation and onion routing [techniques]," says Steve Bannerman, vice president of marketing and product management for Narus. (See ISPs Try on Anti-Botnet Services Model.)
And finding the origin of the attack is becoming more important than ever. Some DDOSes won't die if you don't really get to the source. "It's critical to ID the source in some cases -- not just because [you] want to know who's behind it, but [you] can't actually stop the attack" until you do, Joffe says.
But finding the source isn't as simple as identifying the IP addresses of the actual bots that sent the packets. "In a large-scale DDOS, you don't initially ID the source, because it's often innocent," he says. "It tells you these 25,000 machines worldwide are the source of this attack, but it's a giant problem to track the owners of all those machines and get them to stop. Almost without exception, they are innocent owners who have no idea -- and would not know how to turn [the attack] off."
There are three main stages of mitigating a DDOS attack. The key is for ISPs to stop the damage, while at the same time carefully peeling back the layers of the attack to be sure they actually get to the root of it.
Stage 1: The First Five Minutes
Like any attack, it's the first few minutes that are the most crucial to minimizing the damage -- and getting the victim organization back online if the attack has overwhelmed its connection. "This requires a well-oiled group to react -- to spot it and push mitigation in place in real-time," Joffe says.
Devices like Arbor Networks's IPS can filter out the bad traffic at the edge. "This allows you to push the attack back upstream through the major backbone providers, where you can once again begin to operate" normally, he says.
It's in this phase that the ISP can trace the direct attackers, usually the clueless, infected bots that launched the packets at the victim. But these decoys are just the first layer of the attack. "How do you contact those 35,000 machine owners somewhere in the world? That would take a few weeks," he says. "But the problem is in the first five minutes."
That's if you can trace the bots at all: Many sophisticated botnet operators hijack so-called "darknet" IP addresses -- the unused IP address space held by ISPs -- to make themselves harder to trace. "When you try to trace it back, you find the addresses were hijacked, so you don't know who the attacker is," Narus's Bannerman says. So Narus's system monitors traffic for so-called "hijacked prefixes," he says.
Still, the priority of the enterprise under siege isn't identifying the bad guy -- it's ending the attack. "They are less concerned about the source of the attack and taking any other [investigative] actions -- which lead into forensics and legal, which may be futile," says Cecil Adams, senior product manager for Verizon Business, which offers a DDOS service. "They look to us to stop the attack... We make sure all the links are not congested with it."
That means filtering out the malicious traffic, and also working with other ISPs. Verizon can identify if an attack is spoofed, or if it originated from another provider or a third party, Adams says. "Then we can close out the botnets generating the traffic," he says.
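The first-stage triage described above -- spotting a flood from sampled flow data, listing the direct sources, and separating sources inside known-allocated address space from those in unused "darknet" space that an attacker may have hijacked -- can be sketched in a few dozen lines. The following is an added example written for this article, not code from Arbor, Narus, Neustar, or Verizon; the flow records, the 1:1000 sampling rate, the allocated-prefix list and the one-million-packets-per-second threshold are all constructed assumptions, and the addresses are documentation ranges.

```python
"""Flow-based DDOS triage (added example, not vendor code).

Estimates per-destination packet rates from packet-sampled flow records,
flags destinations above a packets-per-second threshold, ranks the direct
sources, and marks sources that fall outside the operator's list of
allocated prefixes (a simplified stand-in for hijacked-prefix monitoring).
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample: (timestamp_s, src_ip, dst_ip, sampled_packets) from a
# 1:1000 packet-sampled flow export. Addresses are RFC 5737 documentation ranges.
SAMPLE_RATE = 1000
FLOWS = [
    (0, "203.0.113.5",  "198.51.100.10", 900),
    (0, "203.0.113.77", "198.51.100.10", 850),
    (0, "192.0.2.9",    "198.51.100.10", 700),  # 192.0.2.0/24 is not in ALLOCATED
    (1, "203.0.113.5",  "198.51.100.10", 950),
    (1, "192.0.2.9",    "198.51.100.10", 800),
    (1, "203.0.113.77", "198.51.100.10", 600),
    (0, "203.0.113.40", "198.51.100.20", 3),    # ordinary background traffic
    (1, "203.0.113.41", "198.51.100.20", 2),
]

# Prefixes the operator knows are allocated to and routed by customers
# (constructed; a real deployment would load this from its own records).
ALLOCATED = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]

# The article's reference point for a large attack: one million packets/second.
FLOOD_THRESHOLD_PPS = 1_000_000


def estimate_pps(flows, sample_rate=SAMPLE_RATE):
    """Return {dst_ip: estimated packets per second} over the sample window."""
    if not flows:
        return {}
    timestamps = [ts for ts, _, _, _ in flows]
    window_s = max(timestamps) - min(timestamps) + 1  # inclusive 1-second bins
    packets = defaultdict(int)
    for _, _, dst, sampled in flows:
        packets[dst] += sampled * sample_rate  # scale sampled count to wire count
    return {dst: total / window_s for dst, total in packets.items()}


def find_flooded(flows, threshold_pps=FLOOD_THRESHOLD_PPS, sample_rate=SAMPLE_RATE):
    """Destinations whose estimated rate meets or exceeds the threshold."""
    rates = estimate_pps(flows, sample_rate)
    return sorted(dst for dst, pps in rates.items() if pps >= threshold_pps)


def top_sources(flows, dst, n=10):
    """Rank direct sources for one destination by sampled packet count."""
    per_src = defaultdict(int)
    for _, src, flow_dst, sampled in flows:
        if flow_dst == dst:
            per_src[src] += sampled
    # Deterministic order: most packets first, then by address string.
    return sorted(per_src.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def classify_source(src, allocated=ALLOCATED):
    """'allocated' if the source lies in a known prefix, else 'unallocated'.

    Traffic from unallocated space is a hint that the source address is
    hijacked or spoofed and that chasing its nominal owner would be futile.
    """
    addr = ip_address(src)
    return "allocated" if any(addr in net for net in allocated) else "unallocated"


def triage(flows, threshold_pps=FLOOD_THRESHOLD_PPS, sample_rate=SAMPLE_RATE):
    """Per flooded destination: estimated rate, ranked sources, unallocated sources."""
    rates = estimate_pps(flows, sample_rate)
    report = {}
    for dst in find_flooded(flows, threshold_pps, sample_rate):
        sources = top_sources(flows, dst)
        report[dst] = {
            "pps": rates[dst],
            "sources": sources,
            "unallocated_sources": [s for s, _ in sources
                                    if classify_source(s) == "unallocated"],
        }
    return report


if __name__ == "__main__":
    for dst, info in triage(FLOWS).items():
        print(f"{dst}: ~{info['pps']:,.0f} pps from {len(info['sources'])} sources; "
              f"unallocated: {info['unallocated_sources']}")
```

The point of the last step matches the article's warning: the ranked source list is what a filter at the edge acts on in the first five minutes, while the unallocated-prefix flag tells the analyst which of those sources are not worth tracing to an owner.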
Stage 2: The First Hour
Once the attacking packets have been blocked and the victim is recovering, it's time to trace the command and control infrastructure behind the botnet that launched the DDOS. "This is not as easy as it used to be," Neustar's Joffe says. Botnets are increasingly using encrypted links and peer-to-peer connections rather than the more conspicuous Internet Relay Chat (IRC) channels that are often used for nefarious purposes.
"This [stage] requires a lot more resources, cooperation, and knowledge," he says.
It's in this stage that ISPs and researchers look at things from the point of view of the target of the DDOS. Who might be a logical attacker? A competitor? A crime ring that's been waging these attacks regularly?
Neustar lurks in underground chat sites to check for any hints or intelligence on the attacks or who might be behind them. And it tries to track how the bots are getting their orders, and over what communications channel.
"If we can disrupt that particular channel, it may have the ability to stop the attack more easily than trying to shut down 35,000 bot machines," he says. And that means going after the second layer of the command and control infrastructure. "They tend not to use their own machines in any part other than at the initial site to communicate," he says. "Ten or 15 machines actually operate as the controllers... We can contact those owners and ISPs can block those machines. That's more manageable."
Stage 3: The Investigation
Putting a face to the bad guys behind the attack is the stage where most ISPs prefer to defer to law enforcement and security researchers. They cooperate with law enforcement, but must be mindful of NDAs and privacy concerns with their customers.
"A lot of this doesn't get reported," Arbor's McPherson says. "Most of the time, network operators don't want to be party to that [law enforcement investigation]. ISPs typically aren't the actual target, and they [have to protect] customer data. And the victims don't want to report an attack because it could damage their reputation."
Not only that, but there's not one central place to report a DDOS attack, he says.
And even in the aftermath of a DDOS, it can take hours or days to determine the real objective of the attack, which is typically a diversion for a backdoor and a more dangerous targeted attack. "More often than not, you discover that what looked like the target really wasn't the end target," Joffe says.
Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ...