Volume-based DoS attacks are the big, showy attacks that tend to make the news because the traffic can be measured in terabytes per second and the networks launching DDoS attacks can include hundreds of thousands of robotic soldiers. Volume-based DoS attacks are blunt instruments that can be very effective — and the splatter from a successful attack can have an impact on other customers of the ISP and network provider, no matter how large they may be.
How it works:
Because of the sheer volume of traffic required for a successful volume-based attack, two techniques — reflection and amplification — are used in most of these attacks. They typically use protocols like DNS or NTP — essential protocols for resolving addresses and synchronizing time on the network — to do their dirty work.
Reflection and amplification take advantage of the fact that the response to an address-resolution or time inquiry tends to be much longer than the inquiry itself. So the attacker sends a request to an innocent third party with the victim's address spoofed as the source. The response is sent to the victim, which, having requested nothing, is confused and has to deal with this unwanted information.
The result is that a 10-byte attack can result in a 500-byte hit on the victim. Multiply that by a half-million attacking bots, and the impact of the attack is far greater than the investment in the attacking network.
There are other ways to launch a DDoS attack, including simply sending vast quantities of UDP traffic from ephemeral ports (high-numbered ports not assigned to a well-known service, unlike port 80 for HTTP) against a target. Ultimately, the edge router for the victim can't deal with all the traffic and begins refusing additional connections. If the attack continues, the backlog can shift upstream and have an impact on more customers of the network provider.
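A defender-side check for the reflection pattern described above, as an added example that is not from the original article: it walks constructed flow records, remembers which DNS/NTP requests hosts on the protected network actually sent, and flags inbound responses from those service ports that nobody requested. PROTECTED_NET, the sample addresses and the byte counts are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# UDP services the article names as common reflectors.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP"}
PROTECTED_NET = "203.0.113."   # constructed: prefix of the network we defend


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Response size divided by request size (the article's 10 -> 500 case gives 50)."""
    return response_bytes / request_bytes


def detect_unsolicited_responses(flows, min_bytes=1000):
    """Return {(service, victim_ip): total_bytes} for inbound responses from
    reflector ports that no protected host ever requested.

    A legitimate reply is preceded by a request victim:ephemeral -> reflector:53/123.
    Replies with no such request are spoofed-source reflection aimed at the victim."""
    requested = set()                 # (victim, victim_port, reflector, reflector_port)
    unsolicited = defaultdict(int)
    for f in sorted(flows, key=lambda fl: fl.ts):
        if f.src.startswith(PROTECTED_NET) and f.dport in REFLECTOR_PORTS:
            requested.add((f.src, f.sport, f.dst, f.dport))          # outbound query
        elif f.dst.startswith(PROTECTED_NET) and f.sport in REFLECTOR_PORTS:
            if (f.dst, f.dport, f.src, f.sport) not in requested:    # reply nobody asked for
                unsolicited[(REFLECTOR_PORTS[f.sport], f.dst)] += f.nbytes
    return {k: v for k, v in unsolicited.items() if v >= min_bytes}


# Constructed sample: one legitimate DNS exchange, then 50 NTP replies no host requested.
SAMPLE_FLOWS = [
    Flow(0.0, "203.0.113.10", 51000, "198.51.100.1", 53, 60),     # our host queries DNS
    Flow(0.1, "198.51.100.1", 53, "203.0.113.10", 51000, 500),    # matching answer: legitimate
] + [
    Flow(1.0 + i * 0.01, f"198.51.100.{20 + i}", 123, "203.0.113.7", 40000 + i, 468)
    for i in range(50)
]

if __name__ == "__main__":
    print(detect_unsolicited_responses(SAMPLE_FLOWS))   # {('NTP', '203.0.113.7'): 23400}
```

In practice the same logic runs over exported flow records at the edge router, where a victim shows up as a sharp rise in reply bytes from port 53 or 123 with no matching outbound queries.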
How to defend against it:
Protecting against this type of attack is as brute-force as the attack itself. Third-party protection is based on a process that is, essentially, an authorized man-in-the-middle attack to shunt attack traffic to safe servers and keep traffic flowing to the legitimate applications. Other solutions have included forklifts and trucks, as servers are moved to different providers and networks to escape attacks on hosting providers.
There are many ways to deny service to a legitimate company. These weeds, though they may be ingenious and advanced, can be cut short by understanding what they do, how they do it — and how the same protocols can be used to protect the network.