DDoS Defense
DoS attacks fall into two broad kinds:
- Crash the service: exhaust a resource (memory, connection table, CPU) or trigger a bug so the target stops responding
- Congest the network: saturate bandwidth or network equipment so legitimate traffic cannot get through
Attack Types
| Attack Type | Attack Method | Countermeasure |
|---|---|---|
| Distributed DoS | Many machines with independent IPs attack at the same time, so no single source stands out and per-source limits alone are not enough | 1. Degrade service 2. Blacklist 3. Shut down affected network equipment |
| Yo-yo attack | Against services that auto-scale: bursts timed to the autoscaler so the target repeatedly scales up (paying for idle capacity) and is hit again in the window while it is scaling back down | Blacklist |
| Application layer attacks | Target a specific function or feature of the application rather than the network path; HTTP slow POST, Slow Read and CC attacks below belong here | Blacklist |
| LAND attack | A crafted TCP SYN packet (the segment type that normally opens a connection) whose source and destination IP and port are both the target's own; a vulnerable stack answers itself in a loop until it hangs or crashes. Different from a SYN flood, which relies on volume rather than one malformed packet | Content identification (drop packets whose source equals their destination), blacklist |
| Advanced persistent DoS | Anti-reconnaissance, pinpoint targeting, evasion, long duration, high compute, multithreaded | Degrade service |
| HTTP slow POST DoS | Open legitimate connections, declare a large request body, then send it a few bytes at a time so each connection ties up a worker until server resources are exhausted | Timeout disconnect, degrade service |
| Challenge Collapsar (CC) attack | Frequently send standard, legitimate-looking requests to resource-heavy endpoints (e.g., site search, which is expensive in CPU and RAM) | Degrade service, content identification |
| ICMP flood | Mass ping, bad ping, Ping of Death (malformed, oversized ping packets) | Degrade service |
| Permanent denial-of-service | Attack on hardware or firmware, leaving the device unusable until it is reflashed or replaced | Content identification |
| Reflected attack | Send requests to third parties with the source address spoofed to the victim's, so the replies land on the real victim | DDoS scope |
| Amplification | Use reflectors whose replies are much larger than the requests (open DNS resolvers, NTP, memcached are common) to magnify traffic | DDoS scope |
| Mirai botnet | Leverage compromised IoT devices as attack sources | DDoS scope |
| SACK Panic | A tiny MSS combined with crafted selective-acknowledgement sequences drives the retransmission queue handling of vulnerable Linux TCP stacks into a kernel panic (CVE-2019-11477) | Content identification |
| Shrew attack | Exploit TCP retransmission timeout behaviour with short, synchronised bursts timed to the RTO so TCP connections on the same link keep backing off | Timeout discard |
| Slow Read attack | Like slow POST in reverse: send legitimate requests but advertise a very small TCP receive window and read the response extremely slowly, exhausting the connection pool | Timeout disconnect, degrade service, blacklist |
| SYN flood | Send large numbers of TCP SYN packets without completing the handshake, filling the half-open connection table | Timeout mechanism, SYN cookies |
| Teardrop attacks | Send malformed IP fragments with overlapping, oversized payloads that the target cannot reassemble correctly | Content identification |
| TTL expiry attack | When packets are dropped for TTL expiry the router CPU must generate ICMP Time-Exceeded replies; a stream of packets that expire at the router overloads its CPU | Drop traffic |
| UPnP attack | Based on DNS amplification, but bounced through a UPnP router that forwards requests from an external source while ignoring UPnP rules | Degrade service |
| SSDP reflection | Many devices, including home routers, have UPnP weaknesses that let an attacker obtain replies to a spoofed target on UDP port 1900 | Degrade service, block port |
| ARP spoofing | On a local network, bind the attacker's MAC address to another host's or the gateway's IP so traffic for the legitimate IP is rerouted to the attacker and the victim loses connectivity | DDoS scope |
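Several rows in the table reduce to packet-level signatures that a detector can check without deep inspection: a SYN addressed to itself (LAND), many SYNs per source that never complete (SYN flood), fragments that overlap (Teardrop), ACKs that keep advertising a near-zero receive window (Slow Read), and ICMP packets per second (ICMP flood). The following Python script is an added example, not code from this page or from any of the tools listed below: it runs those five checks over a constructed packet list that stands in for a capture. The Packet record, the thresholds and the sample traffic are all assumptions chosen for illustration.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    """Minimal, constructed packet record (assumption: not a real capture format)."""
    src: str
    dst: str
    proto: str           # "tcp", "icmp" or "frag" (an IP fragment)
    sport: int = 0
    dport: int = 0
    flags: str = ""      # TCP flags as letters: S=SYN, A=ACK
    window: int = 65535  # advertised TCP receive window in bytes
    ip_id: int = 0       # IP identification, shared by fragments of one datagram
    frag_off: int = 0    # fragment offset in bytes
    frag_len: int = 0    # fragment payload length in bytes
    ts: float = 0.0      # arrival time in seconds


# Illustrative thresholds; tune to the link and service being protected.
SYN_HALF_OPEN_MAX = 100  # half-open connections per source before alerting
SMALL_WINDOW = 64        # receive window (bytes) treated as a slow-read signal
SLOW_READ_MIN_ACKS = 10  # such ACKs per source before alerting
ICMP_PPS_MAX = 200       # ICMP packets per source within any one-second window


def analyze(packets):
    """Return a sorted list of (rule, source_ip) alerts for a packet list."""
    alerts = set()
    half_open = defaultdict(set)   # src -> source ports with a SYN but no later ACK
    frags = defaultdict(list)      # (src, dst, ip_id) -> [(offset, length)]
    small_acks = Counter()         # src -> ACKs advertising a tiny window
    icmp_times = defaultdict(list)

    for p in packets:
        if p.proto == "tcp":
            # LAND: a SYN whose source and destination address and port are identical
            if "S" in p.flags and p.src == p.dst and p.sport == p.dport:
                alerts.add(("land", p.src))
            if p.flags == "S":
                half_open[p.src].add(p.sport)
            elif "A" in p.flags:
                half_open[p.src].discard(p.sport)  # third handshake step completed
                if p.window < SMALL_WINDOW:
                    small_acks[p.src] += 1
        elif p.proto == "frag":
            frags[(p.src, p.dst, p.ip_id)].append((p.frag_off, p.frag_len))
        elif p.proto == "icmp":
            icmp_times[p.src].append(p.ts)

    for src, ports in half_open.items():
        if len(ports) >= SYN_HALF_OPEN_MAX:
            alerts.add(("syn_flood", src))
    for (src, _, _), pieces in frags.items():
        pieces.sort()
        for (off1, len1), (off2, _) in zip(pieces, pieces[1:]):
            if off2 < off1 + len1:  # next fragment starts inside the previous one
                alerts.add(("teardrop", src))
    for src, n in small_acks.items():
        if n >= SLOW_READ_MIN_ACKS:
            alerts.add(("slow_read", src))
    for src, times in icmp_times.items():
        times.sort()
        j = 0  # sliding one-second window over sorted arrival times
        for i, t in enumerate(times):
            while times[j] < t - 1.0:
                j += 1
            if i - j + 1 > ICMP_PPS_MAX:
                alerts.add(("icmp_flood", src))
                break
    return sorted(alerts)


def sample_traffic():
    """Constructed packets exercising each rule; addresses are documentation ranges."""
    pk = [Packet("10.0.0.5", "10.0.0.5", "tcp", 80, 80, "S")]  # LAND
    for port in (40000, 40001, 40002):  # three legitimate handshakes
        pk.append(Packet("192.0.2.2", "10.0.0.5", "tcp", port, 80, "S"))
        pk.append(Packet("192.0.2.2", "10.0.0.5", "tcp", port, 80, "A"))
    for port in range(1024, 1024 + 150):  # SYN flood: SYNs that never complete
        pk.append(Packet("203.0.113.9", "10.0.0.5", "tcp", port, 80, "S"))
    # Teardrop: second fragment of datagram 4242 starts inside the first
    pk.append(Packet("198.51.100.7", "10.0.0.5", "frag", ip_id=4242, frag_off=0, frag_len=1400))
    pk.append(Packet("198.51.100.7", "10.0.0.5", "frag", ip_id=4242, frag_off=1000, frag_len=800))
    for _ in range(12):  # Slow Read: ACKs advertising a 1-byte window
        pk.append(Packet("203.0.113.44", "10.0.0.5", "tcp", 50000, 80, "A", window=1))
    for i in range(300):  # ICMP flood: 300 packets inside half a second
        pk.append(Packet("203.0.113.77", "10.0.0.5", "icmp", ts=i * 0.5 / 300))
    return pk


if __name__ == "__main__":
    for rule, src in analyze(sample_traffic()):
        print(f"{rule:<11} {src}")
```

The legitimate client never trips a rule because its ACKs clear its half-open entries; the thresholds are the part a practitioner would tune against a baseline of real traffic, and the per-source keys are where IPv6 needs prefix aggregation (see the blacklist discussion in Protective Measures).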
Protective Measures
Identify attack traffic by watching for:
- Service disruption: crashes, exhausted worker pools or connection tables
- Traffic content: malformed packets, overlapping fragments, known attack signatures
- Network congestion: bandwidth or router CPU saturation
- Access timing: log request times per source so bursts and abnormal rates stand out
Process attack traffic
- Drop attack packets
- Ban attacker IPs
- IPv4 addresses are scarce, so per-address blacklists are easy to build and hard for an attacker to rotate out of
- IPv6 addresses are plentiful: a single host usually controls a whole /64 and can hop between 2^64 addresses, so key bans on the /64 (or larger CIDR block) instead of the single address, accepting the risk of collateral blocking of other hosts in that prefix
- Control access rate per source
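Rate control and banning by source is the "process attack traffic" step, and the IPv4/IPv6 difference changes what the key should be. The following Python class is an added example, not code from this page or from any of the tools listed below: a sliding-window limiter that keys IPv4 sources by exact address and IPv6 sources by their /64, and moves a key to an expiring blacklist once it exceeds the limit. The class name, thresholds and sample addresses are assumptions chosen for illustration.

```python
import ipaddress
from collections import defaultdict, deque


class SourceLimiter:
    """Per-source request limiter with an automatic, expiring blacklist.

    IPv4 sources are keyed by exact address. IPv6 sources are keyed by
    their /64 (assumption: the usual per-host allocation), because a host
    that can rotate through 2**64 addresses would otherwise never exceed a
    per-address limit. Banning the /64 also blocks every host in it, which is
    the collateral-damage trade-off noted above.
    """

    def __init__(self, max_requests=100, window_s=10.0, ban_s=600.0, v6_prefix=64):
        self.max_requests = max_requests
        self.window_s = window_s
        self.ban_s = ban_s
        self.v6_prefix = v6_prefix
        self.hits = defaultdict(deque)  # key -> arrival times inside the window
        self.banned = {}                # key -> time at which the ban expires

    def key_for(self, addr):
        """Return the blacklist/rate-limit key for a source address string."""
        ip = ipaddress.ip_address(addr)
        if ip.version == 4:
            return str(ip)
        return str(ipaddress.IPv6Network((ip, self.v6_prefix), strict=False))

    def allow(self, addr, now):
        """Return True if a request from addr at time `now` should be served."""
        key = self.key_for(addr)
        expiry = self.banned.get(key)
        if expiry is not None:
            if now < expiry:
                return False
            del self.banned[key]        # ban expired; start from a clean window
            self.hits.pop(key, None)
        q = self.hits[key]
        q.append(now)
        while q and q[0] <= now - self.window_s:
            q.popleft()                 # forget requests older than the window
        if len(q) > self.max_requests:
            self.banned[key] = now + self.ban_s
            del self.hits[key]
            return False
        return True


if __name__ == "__main__":
    lim = SourceLimiter(max_requests=5, window_s=10, ban_s=60)
    # Six IPv6 hosts in one /64 share a single budget and get banned together.
    for i in range(1, 7):
        print(f"2001:db8:1::{i}", lim.allow(f"2001:db8:1::{i}", now=i))
    print("2001:db8:2::1", lim.allow("2001:db8:2::1", now=7))  # different /64
```

In production the same key function feeds an ipset or a router FlowSpec rule rather than an in-process dictionary, but the grouping decision is identical: block what the attacker cannot cheaply leave.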
Open-source Tools
Attack Tools
- https://github.com/palahsu/DDoS-Ripper
- 162 forks, 755 stars
- https://github.com/MHProDev/MHDDoS
- 539 forks, 2.2k stars
- MHDDoS – DDoS attack script with 40 methods
- https://github.com/NewEraCracker/LOIC
- 539 forks, 1.9k stars
- C#
- network stress tool
- https://github.com/PraneethKarnena/DDoS-Scripts
- 165 forks, 192 stars
- C, Python
- https://github.com/theodorecooper/awesome-ddos-tools
- 46 stars
- collection of DDoS tools
Defense Tools
- https://github.com/AltraMayor/gatekeeper
- GPL-3.0 License
- 159 forks, 737 stars
- C, Lua
- Described by the project as the first open-source DDoS protection system; DPDK-based packet filtering at the network edge
- https://github.com/Exa-Networks/exabgp
- Apache-like license
- 415 forks, 1.8k stars
- Python
- The BGP Swiss-army knife of networking; in DDoS response it is used to inject blackhole (RTBH) or FlowSpec routes so upstream routers drop attack traffic before it reaches the target
- https://github.com/curiefense/curiefense
- Apache 2.0 License
- 60 forks, 386 stars
- Application-layer protection
- protects sites, services, and APIs
- https://github.com/qssec/Hades-lite
- GPL-3.0 License
- 24 forks, 72 stars
- C
- Kernel-level anti-DDoS driver
- https://github.com/snort3/snort3
- GPL-2.0 License
- 372 forks, 1.4k stars
- next-generation Snort IPS (Intrusion Prevention System)
- C++
Traffic Monitoring
- https://github.com/netdata/netdata
- GPL-3.0 License
- 5.2k forks, 58.3k stars
- C
- https://github.com/giampaolo/psutil
- BSD-3-Clause License
- 1.2k forks, 8.2k stars
- Python, C
- Cross-platform library for process and system monitoring in Python; its per-interface and per-connection network counters can feed a traffic baseline for spotting floods
- https://github.com/iptraf-ng/iptraf-ng
- GPL-2.0 License
- 22 forks, 119 stars
- C
- IPTraf-ng is a console-based network monitoring program for Linux that displays information about IP traffic