Mounting Denial-of-Service (DDoS) attacks is undoubtedly an arcane tactic considering the evolutionary timeline of cyber-defenses, but ‘going old-school’ does pay off when one’s engaged in a fast-paced, counter-for-threat trade-off. Recently, Heimdal™ investigated a massive surge in DDoS-type attacks, proving the old adage: “there’s no retreat, we’re just advancing in another direction”. In this article, we’re going to take a closer look at the event and discuss in-depth defensive strategies.
Distributed Denial-of-Service (DDoS): A farewell to arms or Blatant Comeback?
Before we consider this topic, I want to clarify an aspect – volumetric, DDoS-based attacks such as ICMP flooding, IP/ICMP flooding, IPSec flooding, UDP flooding, or Reflection Amplification Attacks may be considered relict by today’s standards, but certainly not dead. Despite us lobbying for better anti-DDoS security, there are still many devices that are susceptible to volumetric attacks and, in some rare occurrences – as is this case – even the most advanced protection can falter. For security and confidentiality reasons, I will refrain from disclosing names, industries, post-DDoS effects, or any type of PII.
The context is as follows…
On the 16th of June 2022, Heimdal™ was solicited to investigate the anomalous timing-out of a WordPress-based stack. Having ruled out the usual suspects (e.g., coding errors, overloads, incorrect load balancing, misconfigurations), we proceeded to gather additional intel on the incident – Nginx backlogs, error logs, and crash logs which we later cross-referenced against the data retrieved from WordPress’ Wordfence security addition. The data our company was commissioned to process revealed that the client’s server downtime was not the result of arbitrariness, but a massive Distributed Denial-of-Service (DDoS) attack. Was it with purpose or was the client a victim of chance? Our analysis uncovered the following facts:
Unknown APT. The threat actor’s MO does not conform to any of the TTPs (i.e., Tactics, Techniques, and Procedures) associated with any known or thoroughly investigated threat actor.
Considering the attack’s high velocity and its effectiveness, we have concluded that a botnet was employed. Nginx backlogs revealed that 200+ dynamic IPs were used to flood the victim’s WP-hosted server. The subsequent digital forensics report stated that the attacking botnet successfully harvested and used 120K endpoints to flood an unknown number of victims.
‘Flooding’ client. The threat actor deployed a rudimentary Golang-written client to loop GET requests to the victim’s server. Despite not being able to sample the actual code, our analysis revealed that the client used to stage the attack came from an open-source repo and shares many similarities with tools such as Go-http-client and Go-http-client/2.0.
Single URL to trigger an unexpected response. The threat actor flooded a single URL in order to exhaust resources, thus decommissioning the WP-based server for a couple of minutes.
High-velocity attacks. Nginx backlogs indicated that the GET flooding occurred within a 2-second time frame.
‘Zombified’ machines. All IPs used in the attack have been traced to South-East Asia and Africa.
Brute-forcing. Wordfence correlated data suggests that brute-forcing techniques might have been employed during the attack in order to gain access to server-hosted resources.
Countering DDoS Attacks and Mitigating After-Effects
As with other types of volumetric attacks, the ‘recipe’ to preventing, countering, and mitigating the effects of a DDoS attack is a blend between IP blacklisting and load balancing. Reconfiguring your web browsers can also help you even the playing field. What can you do to protect your company and its assets against DDoS? Here are some tips to get you started.
‘Filtering’ our browsers. Attackers may employ ‘under-the-counter’ browsers in order to mount DDoS attacks. Tweaking the ‘allowed browsers’ function in your firewall can help you filter out most of the web browsers an attacker might leverage for malicious purposes. For instance, firewall custom rule-setting may enable your endpoints to receive/transmit requests from known (and secure) browsers such as Opera, Brave, or Firefox while rejecting transmission to and from less secure web browsers (e.g., Yandex, Baidu, Tor).
Know your enemy. Tzu’s famous line bodes well with cybersecurity. Knowing your DDoS can give you an edge when it comes to protection and mitigation. Here’s a quick list of attack sub-types and how to protect against them.
UDP flood. Enforce DIP (Deep-Packet Inspection technology) to filter out malicious UDP packets. Reconfigure firewall filters to discard malicious UDP packets.
ICMP (Ping) Flood. Disable ICMP function on routers and other devices that may be affected. Reconfigure perimeter firewall to block ICMP pings.
SYN Flood. Increasing the backlog queue to curb the number of half-open connections. Recycling half-open connections based on age. Configuring SYN cookies. Custom ruling in the firewall.
P.O.D (Ping of Death). Adjust packet size constraints. Implementing an overflow buffer to process larger packets. Implementing traffic filtering solutions. Adopting a hardware-based load balancer specifically configured to receive o nly complete HTTP-type connections. Using mod_reqtimeout function to enforce timeout for HTTP request bodies and headers.
NTP Amplification. Use a proprietary, open-source, or paid vulnerability scanner to inspect your NTP serve. Upgrading your NTP daemon. Disable monlist. Create a custom rule for receiving only requests coming from whitelisted sources.
HTTP flood. Custom WAF (Web Application Firewall) ruling. Setting the matching filed to URL in order to prevent credential stuffing. Blocking IP after a fixed number of failed attempts. Enforcing Strict Captcha and Captcha on your pages and setting custom action to ‘block’. Enforce strict cookie format rules. Enforcing geolocational-based IP block. DIP for abnormal HTTP packets.
Custom rulesets for your routers and firewalls. Consider reconfiguring your routers and firewalls to discard invalid IP addresses or nonessential comm protocols.
IDS (Intrusion-Detection Systems). These systems can greatly enhance your detection capabilities and automate defense responses in case of DDoS attacks.
Purchasing additional hardware and software resources. Because DDoS is all about volume, you may consider buying additional bandwidth or network devices in order to balance out the loads.
Riding out the storm. Unfortunately, in some cases, even with all the defenses in place, the attack will still happen. The best tactic would be to wait, assess the damage, get everything operational as soon as possible, investigate the incident, and come up with better strategies.