Maya Canetti, Director of Product Management at Allot, a provider of network-based security and denial of service software, details the most common Denial of Service (DoS) and Distributed Denial of Service (DDoS) types of attacks to service providers and how to combat them.
In a previous article, we described two common types of threats generally faced by service providers: TOS and SYN floods. We defined both types of attacks and gave solutions for service providers to combat them. DDoS attacks are on the rise and service providers need to adopt a proactive cyber-security approach rather than a reactive state of mind. The boom in new technologies has given birth to new types of threats that can affect not only the end user but the network itself.
The number of large scale IoT projects doubled in the last year, according to Vodafone’s recent IoT Barometer report. The report also revealed that only 7 per cent of companies with 10,000 or more connected devices in operation said security was their top concern. Despite the shocking number of IoT attacks that have happened recently, it looks like the industry is not fully aware of the DDoS threat; choosing to focus more on the functionality side or IoT rather than the security of these devices. As we’ve already discussed two common types of attacks named TOS and SYN floods, let’s explore two others: Ping and DNS floods, and what service providers can do to stop them from endangering their network and business reputation.
Ping and DNS floods
Ping floods are a special type of attack that sends spoofed ICMP echo requests (Pings) packets at a high rate from random source IP ranges or using the victim’s IP address. This action leads to most devices answering this signal by default, sending a reply to the source IP address. Now imagine that this Ping is sent to several thousands or more devices and that all these reply automatically to the source IP address. The result is that the victim’s IP address is flooded with an incredible amount of replies that will plug the network. Consequentially, all the devices, computers and routers will slow down and can become unusable. With the stunning number of requests sent back to the victim’s IP address, it is easy to understand how brutal a Ping flood can be.
There are three kinds of Ping floods to be aware of:
– Targeted Local Disclosed Ping Flood: A single computer on a local network is targeted. In this case, the attacker is using your own specific IP address.
– Router Disclosed Ping Flood: The attacker targets routers, which plays havoc with all the computers on a single network. The attacker needs the internal IP of the local router for this, but if successful-all computers on the network would be affected.
– Blind Ping Flood: An external program is used to uncover IP addresses, or the attack uses random source IP addresses.
DNS floods are another type of DDoS attacks that can alter the Quality of Experience (QoE) of end users as the entire server is affected. The attack’s primary aim is to prevent the victim from using Internet access. The attacker sends a DNS request at a very high packet rate and from a very wide range of source IP addresses to the target network. This generally implies the use of botnets to distribute DNS requests. Following this action, the Open DNS solver that cannot detect any anomaly in these requests, responds to all of them. However, the number of requests being overwhelming, it inevitably has an impact on the amount of bandwidth or other network resources consumed. This type of attack uses a similar process to disrupt the network as Ping floods. However, the difference between this kind of flood and the others, is that by taking down just one DNS, many more websites and services are compromised.
Getting rid of Ping and DNS floods
It is crucial for service providers to be able to provide end users with an optimal Quality of Experience as Ping and DNS floods can easily become a barrier for their network. Black Nurse and Dyn are a good reminder of the effects that these types of threats can have if deployed at a high scale. In order to prevent Ping floods happening, the easiest solution is to reconfigure the firewall in order to block Ping requests coming from outside of the network. However, this approach isn’t ideal as it will not stop internal attacks. Moreover, this will affect the detection functions of Ping requests, which can endanger the network as well.
A more reasonable approach is to have a network-based security solution delivered by the service provider that unifies all security functions needed to control any device. This would provide a simple, scalable way to protect the network with a growing number of connected devices. The solution will need to have a good live usage monitoring and traffic control function and a reactive DDoS protection able to inspect in real time inbound and outbound packets, without affecting the network or the Quality of Experience. Even more than reactive, the solution should be proactive and be able to look for potential threats, alert the user if anything unusual happens on the network and mitigate potential attacks in a matter of seconds, even before these have a chance to affect your network.
