What is a distributed denial-of-service (DDoS) attack?
A distributed denial-of-service (DDoS) attack is when multiple entities operate together to attack one target. DDoS attackers often leverage a botnet, a group of hijacked internet-connected devices, to carry out large-scale attacks. Attackers take advantage of security vulnerabilities to control numerous devices using command and control software.
What is the goal of a DDoS attack?
To exhaust network bandwidth, server resources, or applications in such a way that legitimate users cannot access a site. The purpose for such attacks, however, can vary widely.
How does that compare to a denial of service (DoS) attack?
A DoS (denial of service) attack is an attempt to make a computer resource unavailable to its intended users by a single attacking entity. For example, a DDoS attack may flood website servers with bogus traffic, causing a website outage. People launch these attacks for many reasons—to extort money, seek revenge, gain a competitive edge, destabilize a government or stage a social or political protest.
What are the three types of DDoS attacks?
Volume-based/Volumetric Attacks: use connectionless protocols such as UDP to congest site bandwidth.
Protocol Attacks: seek to overwhelm specific devices, including web servers, firewalls and load balancers. These connection-based attacks typically work by exhausting the number of concurrent sessions that a device can handle.
Application/Layer 7 Attacks: target specific applications or servers by establishing a connection and exhausting resources.
Can firewalls prevent DDoS attacks?
Firewalls can be helpful in detecting an incoming DDoS attack, but they can't do much to defend against it, because:
Firewalls can be easily overwhelmed and rendered useless. Given the average size of a DDoS attack, a firewall's bandwidth can quickly be saturated, and the attack proceeds unabated.
Firewall rules can be fooled if the attack initially resembles legitimate network traffic, as a SYN flood does. DDoS protection, which provides deep packet inspection and has specific countermeasures to combat and stop all types of DDoS attacks, is very different from the static operation of traffic rules in a firewall.
Not all targeted assets are behind a firewall. Websites on the perimeter network, as well as applications shared with or provided by third-party platforms and DNS services, cannot be protected by on-premises firewalls, however up to date their rule sets.
What are volumetric and protocol attacks?
They feature a large volume of traffic, often from botnets, and attempt to overwhelm a network or service.
What are common protocols?
AMT – Automated Multicast Tunneling Protocol
ARP – Address Resolution Protocol
BGP – Border Gateway Protocol
BOOTP – Bootstrap Protocol
DHCP – Dynamic Host Configuration Protocol
DNS – Domain Name Service Protocol
FTP – File Transfer Protocol
GRE – Generic Routing Encapsulation
HTTP – Hypertext Transfer Protocol
HTTPS – Hypertext Transfer Protocol Secure
ICMP – Internet Control Message Protocol
IMAP – Internet Message Access Protocol
MVRP – Multiple Registration Protocol
NNTP – Network News Transfer Protocol
NTP – Network Time Protocol
OSPF – Open Shortest Path First Routing Protocol
PIM – Protocol Independent Multicast
POP – Post Office Protocol
PPPoE – Point-to-Point Protocol over Ethernet
PPP – Point-to-Point Protocol
PTP – Precision Time Protocol
RADIUS – Remote Authentication Dial-In User Service
RTPS – Network interoperability protocol
SFTP – Secure File Transfer Protocol
SMTP – Simple Mail Transfer Protocol
SNMP – Simple Network Management Protocol
SSH – Secure Shell
SSL – Secure Socket Layer
TCP – Transmission Control Protocol
Telnet – Telephone Network Protocol
TLS – Transport Layer Security
TTL – Time To Live
What is a Simple Service Discovery Protocol (SSDP) attack?
This amplification attack uses the protocol designed to advertise and find plug-and-play devices as an attack vector.
How does an amplification attack work?
Amplification attacks begin with the attacker spoofing the target's IP address. This is one reason the majority of amplification attacks target services that use UDP: it is a connectionless protocol that does not validate the source IP address. In the next step, the attacker sends a small query to a server or resource that generates a very large response, and the server sends that response to the spoofed source address, which is the target.
What are common techniques of Layer 7 attacks?
Cross-site scripting (XSS) is a form of injection in which an attacker injects malicious script into a web application. The end user has no way of knowing that the compromised site should not be trusted.
Cross-site request forgery (CSRF) tricks end users into executing state-changing actions on a web app to which they are authenticated. Such attacks can instigate actions such as transferring funds or changing email addresses.
SQL injection is a well-known exploit in which SQL is inserted into a query through input supplied by a client.
What are characteristics of ransomware?
Used in completely opportunistic attacks, affecting individuals’ home computers, as well as targeted strikes against organizations
Attempted with little risk or cost to the adversary involved
Successful, with no reliance on having to monetize stolen data
Deployed across numerous devices in organizations to inflict bigger impacts and command bigger ransoms
What types of attacks should a DDoS mitigation solution protect against?
WannaCry is a ransomware cryptoworm targeting machines running certain older versions of the Microsoft Windows operating system. One characteristic that made this exploit dangerous was the variety of different elements that it contained, including a transport mechanism used to spread through a network.
Why do amplification and reflection attacks appear together?
Reflection and amplification attacks often come as a pair, though they serve two different but often compatible purposes. By spoofing source addresses, attackers can hide their identity by “reflecting” requests off a third party. Amplification attacks add to this by taking advantage of processes in which a small query will have a large — sometimes very large — response. Amplification attacks are, by nature, always reflection attacks as well.
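As an added illustration of the reflection and amplification mechanism described above (and of the SSDP and NTP attacks mentioned elsewhere in this FAQ), the following Python is not part of the Neustar FAQ. It runs over constructed flow records as seen at the victim's network edge and flags inbound UDP responses from reflector ports that no host on the inside ever requested; the port-to-service table and the 60-byte request size are assumptions for the example.

```python
"""Flag likely reflected/amplified traffic in flow records (added example)."""
from collections import defaultdict

# UDP services commonly abused as reflectors; the FAQ names SSDP, NTP and DNS.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP"}

# Constructed sample flows: (direction, remote_ip, remote_port, bytes).
# 'out' = a request our network sent, 'in' = a response it received.
SAMPLE_FLOWS = [
    ("out", "192.0.2.10", 53, 60),         # legitimate DNS query
    ("in",  "192.0.2.10", 53, 120),        # its matching answer
    ("in",  "198.51.100.7", 1900, 3000),   # SSDP response nobody asked for
    ("in",  "198.51.100.8", 1900, 3000),   # another unsolicited SSDP reply
    ("in",  "198.51.100.9", 123, 4400),    # unsolicited, oversized NTP reply
    ("in",  "203.0.113.5", 443, 900),      # unrelated port, ignored
]


def find_unsolicited_responses(flows, ports=REFLECTOR_PORTS):
    """Return {service: (count, total_bytes)} for inbound responses from a
    reflector port where no earlier outbound request went to that (ip, port).
    Unsolicited responses are the signature of spoofed-source reflection."""
    requested = set()
    summary = defaultdict(lambda: [0, 0])
    for direction, ip, port, nbytes in flows:
        if port not in ports:
            continue
        if direction == "out":
            requested.add((ip, port))
        elif (ip, port) not in requested:
            service = ports[port]
            summary[service][0] += 1
            summary[service][1] += nbytes
    return {service: tuple(v) for service, v in summary.items()}


def amplification_ratio(summary, request_bytes=60):
    """Estimate bytes delivered to the victim per byte the attacker had to
    send, assuming each reflected response was triggered by one small
    request of request_bytes (an assumption, since the requests never
    reach the victim)."""
    total_in = sum(b for _, b in summary.values())
    total_requests = sum(c for c, _ in summary.values()) * request_bytes
    return total_in / total_requests if total_requests else 0.0
```

In practice the same check is applied per source port at the network edge, and a ratio well above 1 on traffic nobody requested is what distinguishes a reflection attack from ordinary UDP service replies.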
What is the difference between bots and botnets?
Bots are programs that perform an automated, often repetitive, task. Botnets are a group of connected devices that run a bot or multiple bots. Botnets are commonly used in a DDoS attack.
What tactics are used to detect a DDoS attack?
Anomaly Based Detection
Hybrid Attack Detection
Passive Log Review Detection
Pattern Based Attack Detection
Real-time Anomaly Detection
Does having web applications increase our risk of a DDoS attack?
Web applications are increasingly seen as part of DDoS attacks in which the goal is not to bring down the target but to provide a smokescreen for a vulnerability assessment of its web applications.
What does a Web Application Firewall (WAF) do?
A WAF is a security solution that is utilized to monitor, filter or block inbound and outbound web application traffic.
What is Neustar UltraDDoS Protect?
Neustar UltraDDoS Protect is a DDoS mitigation service. UltraDDoS Protect scrubs malicious Internet traffic, allowing clean, legitimate traffic to flow to your infrastructure.
What is Neustar UltraWAF?
UltraWAF is a cloud-provider-, hardware- and CDN-agnostic security solution, making it compatible anywhere applications are hosted. Integrated with Neustar's always-on DDoS mitigation service, the combination provides a comprehensive, layered protection stack that proactively prevents bot-based volumetric attacks as well as threats that target the application layer, such as SQL injection, XSS, CSRF, session hijacking, data exfiltration and zero-day vulnerabilities.
Are UltraDDoS Protect and UltraWAF PCI Compliant?
Yes. Neustar maintains PCI DSS Level 1 compliance for its UltraWAF and UltraDDoS Protect solutions. Neustar is audited annually by a third-party Qualified Security Assessor (QSA). Neustar's Attestation of Compliance (AoC) is available upon request.
Why is a low Time to Live (TTL) important for DNS redirection?
With a low TTL, your DNS changes take effect faster throughout the Internet. The TTL determines how long recursive servers cache your records. The lower the TTL, the sooner these servers seek new answers from your authoritative DNS server. Generally, the TTL default is 86400 seconds—24 hours, which is far too long when you're under a DDoS attack. Neustar recommends that you set the TTL of your DNS A records to 300 seconds (five minutes). Your changes will take effect more quickly, ensuring you can redirect and protect your traffic.
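The following Python is an added example, not part of the Neustar FAQ: it parses a small constructed zone-file fragment and reports every A record whose TTL exceeds the 300-second value recommended above, together with the worst-case time (in hours) a recursive resolver could keep serving the pre-redirection address. The zone content is made up for the example, and only the common name/TTL/class/type layout is handled.

```python
"""Check DNS A-record TTLs against the redirection-friendly value (added example)."""

RECOMMENDED_TTL = 300   # five minutes, the value the FAQ recommends
DEFAULT_TTL = 86400     # the 24-hour default the FAQ warns about

# Constructed sample zone fragment; the last record has no explicit TTL
# and therefore inherits the zone's $TTL.
SAMPLE_ZONE = """\
$TTL 86400
www.example.com.     86400 IN A    192.0.2.10
api.example.com.       300 IN A    192.0.2.11
mail.example.com.     3600 IN MX   10 mx.example.com.
static.example.com.         IN A    192.0.2.12
"""


def parse_a_records(zone_text):
    """Return [(name, ttl)] for A records in zone-file text.
    A record without an explicit TTL inherits the zone's $TTL, or
    DEFAULT_TTL if the zone never sets one."""
    default = DEFAULT_TTL
    records = []
    for line in zone_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(";"):
            continue                     # blank line or comment
        if fields[0] == "$TTL":
            default = int(fields[1])     # zone-wide default TTL
            continue
        has_ttl = fields[1].isdigit()
        ttl = int(fields[1]) if has_ttl else default
        rtype = fields[3] if has_ttl else fields[2]
        if rtype == "A":
            records.append((fields[0], ttl))
    return records


def ttl_findings(zone_text, recommended=RECOMMENDED_TTL):
    """Return {name: (ttl, stale_hours)} for A records whose TTL is above
    the recommended value. stale_hours is how long, at worst, resolvers
    may keep answering with the old address after you redirect traffic."""
    return {
        name: (ttl, round(ttl / 3600, 2))
        for name, ttl in parse_a_records(zone_text)
        if ttl > recommended
    }
```

Run this against your real zone before an incident: lowering the TTL only helps once the old, long TTL has itself expired from resolver caches.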
What is an HTTP Flood attack?
An HTTP flood attack is a volumetric, application-layer attack designed to overwhelm a server with HTTP requests.
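As an added example (not from the Neustar FAQ) of the log-review and anomaly-based detection tactics listed above, applied to the HTTP flood just described, the following Python counts requests per client in a sliding time window over constructed Common Log Format lines and flags any source whose peak rate exceeds a threshold. The window length, threshold, addresses and paths are all assumptions chosen for the example.

```python
"""Rate-based detection of an HTTP flood in access-log lines (added example)."""
import re
from datetime import datetime

# Common Log Format: client ident user [time] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def _line(ip, sec, path="/"):
    """Build one constructed log line at 12:00:<sec> UTC."""
    return f'{ip} - - [10/Mar/2024:12:00:{sec:02d} +0000] "GET {path} HTTP/1.1" 200 512'


# Constructed sample: two ordinary visitors plus one source that sends
# 60 requests to /login inside a single minute.
SAMPLE_LOG = [_line("203.0.113.4", 1, "/index.html"), _line("203.0.113.9", 5, "/about")]
SAMPLE_LOG += [_line("198.51.100.23", s % 60, "/login") for s in range(0, 120, 2)]


def parse(lines):
    """Return (client_ip, timestamp, request) tuples, skipping unparsable lines."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events.append((m.group(1), datetime.strptime(m.group(2), TIME_FMT), m.group(3)))
    return events


def flood_sources(lines, window_s=60, threshold=30):
    """Return {ip: peak} for clients whose request count within any
    window_s-second window exceeds threshold. A legitimate browser rarely
    sustains such a rate; a flood source does by design."""
    events = sorted(parse(lines), key=lambda e: e[1])
    flagged = {}
    for ip in {e[0] for e in events}:
        times = [e[1] for e in events if e[0] == ip]
        start, peak = 0, 0
        for i, t in enumerate(times):
            # Slide the window start forward until it covers < window_s seconds.
            while (t - times[start]).total_seconds() >= window_s:
                start += 1
            peak = max(peak, i - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged
```

Per-client counts alone miss floods spread across a botnet, so in practice this check is paired with a baseline of total request rate per URL, which is where the anomaly-based tactics come in.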
What is a Network Time Protocol (NTP) attack?
It is a DDoS attack that targets an NTP server, flooding it with traffic so that it cannot respond.