Go back

DDoS – A Losing Battle of Wits

by Mark Harris Jul 12, 2017

We are caught in the dark ages of cyber security where DDoS (Distributed Denial of Service) attacks are taking offline. Even the most well-designed and managed networks are vulnerable to DDoS attacks now. It appears we are in a constant cat-and-mouse chase since we are unable to efficiently respond to the increased volume of DDoS attacks.

The trend for DDoS does not look good. Firstly, the BBC was taken down by 602 Gbps attack and then DDoS upgraded itself to 1.2 Tbps taking off Dyn. Both the Miria and Leet Botnets were the two main culprits. These attacks are not going away anytime soon thereby increasing volume by the month. Combine the unsecured fabric of the Internet with the introduction of millions of unsecured IP-enabled IoT objects. It provides a pretty reckless launchpad, enabling a new era of Terabyte scale attacks.

The severity of what is yet to come would surely be gigantic in terms of magnitude, than what we have already seen. This level is not something that we have been able to cope with and the existing solution mechanisms would dramatically fall short.

What do we need?

We need a solution that fully integrates, it not just about detection and mitigation. The final piece of the puzzle is the end-to-end troubleshooting. Team collaboration is equally as important as the sophisticated machine learning algorithms employed for advanced anomaly detection.

The entire process of mapping out a network and troubleshooting DDoS attacks need to be application programming interface (API) driven to both detection and mitigation to form one complete solution. This is the only way to combat DDoS attacks efficiently.

What is a DDoS?

The flavors of DDoS come in many different disguises, some operate lower in the stack while others higher at Layer 7. Many of the newer styles of DDoS attacks work in parallel with a combination of attacks at different layers of the OSI model.

More than often they are never single sided and act merely as smoke brewing a separate more dangerous backdoor attack. An example of such an attack could be a heavy volumetric attack further confusing the operation teams, filling up the pipes while a more deadly slower Hypertext Transfer Protocol (HTTP). attack does all the damage in the background.


Regardless of the type of DDoS, they all serve the same purpose — to take the target service offline so it cannot respond to legitimate connections. Attacks are always visible even the initial tasks of the BotNets carrying out the scanning can signal detections in the system.


A BotNet (also known as zombie army) is a number of compromised Internet-connected devices used to launch a destructive DDoS attack. Unknowingly, the compromised machines are pooled together to form one large fabric of DDoS attack. The Mirai botnet consists of thousands of unsecured IoT (Internet of Things) devices such as poorly secured routers and IP cameras that hits mega volumes.

BotNets can do nothing by themselves and need to connect to a command through hidden channels and control the servers (C2/C&C) to obtain a list of actions. The infected clients connect to the server to receive a list of commands such as HOLD, TCP, UDP or JUNK and use a payload generator switching between these commands, making it hard to detect. Recently, a new Mirai BotNet launched an application attack against an unmanned US College server. The average traffic flow was 30,000 requests per second (RPS) peaking at 37,000 RPS.

Who is amplifying DDoS attacks?

Who is behind these attacks and why are they doing it? There are two primary goals – one is for political or ideological beliefs known as Hacktivism, Vandalism, or Cyberwarfare. The other is purely motivated by financial reasons known as DDoS-for-hire, Extortion and Ransom.

DDoS Digital Map

The DDoS Digital Map displays the DDoS attacks happening at the moment and in real-time. Attacks are colored based on type – TCP Connection, Volumetric, Fragmentation, and Volumetric. It also displays the most participating countries based on Source and Destination as dotted lines.

Primary Causes?

  • Push to the cloud: We are witnessing an era where applications are in rapid flux while flying towards the cloud age. Companies are taking advantage of the cloud’s pre-build global footprint thereby moving to the software as a service (SaaS) approach to I.T with software packages such as Office 365. While moving critical services to the cloud, offers cost benefits, agility, reduced latency and traffic administration. It changes the security paradigm and requires a reevaluation of security.
  • Security Perimeter: The model of the cloud changes the security perimeter and opens up new avenues for attack penetration. The security perimeter is no longer static or confined to a local particular area. It is spread to a new 3rd party thereby split-opening a new door and attacking surface for DDoS.
  • IoT: IoT enables everyday objects to communicate with each other. It is referred to as the next industrial revolution and will undoubtedly change the culture of our communication. IP-enabled objects would make our individual lives and cities more efficient. Unfortunately, many of the newly IP-enabled devices have little or no security. A small object like a light bulb is so lightweight that it’s not going to have too much security attached. Regular patching of far-flung devices that automatically sleep will also pose challenges. Combining millions of IoT objects, with little or no security into a huge Botnet will bring DDoS to a new level.
  • License to Rule: The Art of networking introduces numerous different types of network designs. There is no license or rule that leads to some networks designed with excellent security. This leaves critical components such as DNS proxies wide open as a doorway for an attacker to penetrate and use as a launchpad. More commonly we notice the home user’s gateway and open DNS proxies are used to launch DNS Amplification attacks. DNS relies on unequal packet sizes, a small DNS query and large responses. This offers a perfect playground for an attacker. An attacker can send a number of smaller packets from spoofed hosts getting the DNS server to respond with bigger DNS packets overwhelming the unexpected host.

A Losing Battle?

If we look closely, we will find potholes in the security everywhere. The problems lie in the foundations of networking and how it’s secured. The Internet is based on global accessibility and the protocols that build its fabric were initially designed without security in mind.

Global accessibility means to have authority to the IP address of someone positioned in a far-off location. This is the base of communication and unfortunately, if you have the IP address of someone then you can also steer an attack at their system. This puts the attack surfaces on a very large global platform where anyone can plan an attack if one wants to.

The security mechanisms added later only act as kludges to the network thereby increasing the complexity. IPsec is a Swiss army loaded with features that come with a lot of baggage that could be abstracted.

How are we coping?

So what are the changes that can be made in both network and security to ease the pain of these outages? Well, there are many new interesting mechanisms in the area of DDoS detection and mitigation side that can fill the gap. Let’s check a few mechanisms that have been devised to confine the attacks.

Advancement in DDoS Mitigation

On the mitigation front, new concepts such as security disaggregation introduce new techniques to remove the state from mitigation devices. Removing the state enables adequate protection for this scale and beyond. Having state in a mitigation device appliance degrades the performance to a level where it is unable to protect.

To have state anywhere in the network inhibits performance but especially to have it in an appliance that doesn’t need it to forward packets, doesn’t make sense. Security disaggregation moves the state outside of the appliance external to the actual forwarding.

Advancement in DDoS Detection

On the detection front, advanced machine learning techniques are helping in quick detection. Current anomaly based detection systems are restricted and unable to detect the newer type of attacks. Machine learning techniques such as Navies, Bayes, C4.5, SVM, KNN, K-means and Fuzz offer an advanced way to detect attacks. Are these changes to solutions going to be enough?

The Need for Efficient Troubleshooting

All these new mechanisms are interesting but useless if you can’t effectively troubleshoot the problem on time. Troubleshooting is not just a technical operation; it’s a company-wide resource combining many teams together into a streamlined process.

The most advanced detection solution can signal an event in seconds but if it takes a couple of hours to troubleshoot you might as well not have a detection system. Similarly, in the case of a high-performance mitigation solution, if you can’t troubleshoot, there is no point having all the horsepower in your network.

The advances in DDoS detection and mitigation are crucial but we need to also move away from the manual approaches to network mapping and troubleshooting in order to refrain from dragging the entire DDoS solution down.

Closing Comments

We are losing the DDoS battle and we will continue to lose unless we tie all components together. A complete solution needs to address the security from all angles. It is not just from the mitigation or detection appliance’s point of view but also the company’s troubleshooting process is required to stop a DDoS attack efficiently.