DoS and DDoS attacks have become commonplace on the Internet, adversely affecting research and education institutions. It is important to note that there isn't one single way to deal with DoS and DDoS attacks, but here is some information about the types of attacks proliferating today, how AARNet deals with them and what AARNet customers can do to minimize or avoid impact.
What is a DoS or DDoS?
DoS - Denial of Service
A denial of service is an attack where a service or host connected to the internet is rendered unable to respond to connections from legitimate internet hosts due to its resources being overloaded by malicious requests.
The aim of a DoS attack is to overload the targeted server’s bandwidth or other resources. This makes the server inaccessible, blocking the website and/or other legitimate resources hosted there.
DDoS – Distributed Denial of Service
A DoS attack coming from a number of source IP addresses, making it difficult to manually filter or drop the traffic from these sources, is known as a Distributed Denial of Service attack.
Instead of using one computer and one internet connection, a DDoS attack utilizes multiple computers and many connections to flood the targeted website or other services with malicious traffic requests, making online services unavailable. The source computers behind this type of attack are often distributed across the globe and used without their owners’ consent due to infection by a virus or equivalent; collectively they are known as a botnet.
DDoS attacks usually take the form of the following:
- volume-based attacks
- application layer attacks
- low-rate attacks
- ICMP Flood
- Smurf Attack
- SYN Flood
- UDP Flood
- Teardrop Attack
- SIP Invite
- Encrypted SSL Attacks
- NTP Attacks
DDoS volume-based attacks
The most common attack on the internet today is the volume-based attack. Volume-based attacks work by sending more data than a customer’s connection to the AARNet network can carry, saturating the connection and making services unavailable. In certain cases the AARNet connection can carry the volume of malicious traffic, but the customer’s border firewall or router cannot, which has the same effect.
With the recent advent of cloud-based servers, which are well-connected to the internet, it is imperative that providers and users of these machines secure them. Their high-speed connectivity can be utilized to attack a victim with greater effect than a traditional home internet-connected machine.
DDoS Application Attacks / Low-Rate Attacks
Application attacks are focused on rendering applications such as web servers unavailable by exhausting the web server resources. These attacks do not have to consume all of the network bandwidth to be effective. Instead they place an operational strain on the application server in a way that renders the server unavailable.
Attackers target specific services with vulnerabilities that let the service be taken down with minimal bandwidth usage, which makes the attack hard to identify.
An example of this is the Slowloris attack, which keeps a number of connections open to a web server and sends occasional HTTP headers but doesn’t close the session, tying up the resource from other users attempting to access it.
Further examples of specific services targeted and attacked are:
Distributed Denial of Service Attack as a Service
Botnets enabling Denial of Service attacks can be purchased for a few dollars on the internet, or even tested briefly at no cost. These services are known as booter or stresser services, and their existence has led to the increased prevalence of DoS and DDoS attacks.
For more information
There is plenty of information on the internet regarding DoS and DDoS attacks.
See AUSCERT Resources for instance.
How does AARNet mitigate DoS and DDoS attacks?
AARNet deploys BCP38 on all customer connections
Best Current Practice 38 (RFC 2827) recommends that internet service providers apply “anti-spoofing” measures: ingress traffic filtering on customer interfaces to drop traffic originating from any source IP address that is not registered to that customer.
AARNet currently creates a BCP 38 filter on every AARNet4 customer connection, which only allows traffic that we expect that customer to be sending. This means that any traffic sent to AARNet that is not from the IP ranges registered by that customer with AARNet will be dropped at our router.
AARNet offers clients the ability to remotely trigger filtering of their traffic via a black hole route
Remote Triggered Black Hole Filtering – RFC5635 has been available to AARNet customers since early 2003.
If a customer detects DoS/DDoS traffic destined towards one or more of their IP addresses, they can announce specific routes corresponding to these IP addresses to their upstream AARNet router with a BGP community tag of 7575:6.
The AARNet network, upon receiving these routes, will drop the traffic destined to that IP address on all of the AARNet routers, stopping the traffic from reaching the customer’s network. The traffic is dropped by AARNet backbone routers as soon as it enters the AARNet network from our upstream internet transit providers.
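An added example, not AARNet's code, that models the two provider-side filters described above (the BCP 38 ingress allowlist on a customer interface and a black hole fed by routes tagged 7575:6), and that customers can reuse to reason about the BCP 38 and route-tagging tests recommended later on this page. The customer prefix and addresses are constructed from RFC 5737 documentation ranges; the rule that a black-hole route must be a host route inside the customer's registered space is an assumption about sensible provider policy, not a statement of AARNet's configuration.

```python
"""Toy model of a provider edge router: BCP 38 ingress filtering plus a
remote-triggered black hole (RTBH) driven by BGP community 7575:6.
Addresses are constructed from RFC 5737 documentation ranges."""
import ipaddress

RTBH_COMMUNITY = "7575:6"   # community customers tag black-hole routes with


class Packet:
    def __init__(self, src, dst, ingress):
        self.src = ipaddress.ip_address(src)
        self.dst = ipaddress.ip_address(dst)
        self.ingress = ingress      # "customer" or "transit" facing interface


class EdgeRouter:
    def __init__(self, registered_prefixes):
        # Prefixes the customer registered with the provider: the BCP 38 allowlist.
        self.registered = [ipaddress.ip_network(p) for p in registered_prefixes]
        self.blackholed = set()

    def _is_registered(self, addr):
        return any(addr in net for net in self.registered)

    def receive_bgp_update(self, prefix, communities):
        """Customer announces a route. A black hole is installed only when the
        route carries 7575:6, is a host route, and lies inside the customer's
        registered space (assumed policy: nobody can black-hole someone else)."""
        net = ipaddress.ip_network(prefix)
        if RTBH_COMMUNITY not in communities or net.prefixlen != net.max_prefixlen:
            return False
        if not self._is_registered(net.network_address):
            return False
        self.blackholed.add(net.network_address)
        return True

    def withdraw_bgp_route(self, prefix):
        """Customer withdraws the route once the attack subsides."""
        self.blackholed.discard(ipaddress.ip_network(prefix).network_address)

    def forward(self, pkt):
        """Return 'forward' or the reason the packet is dropped at the edge."""
        if pkt.ingress == "customer" and not self._is_registered(pkt.src):
            return "drop:bcp38"          # spoofed source leaving the customer
        if pkt.dst in self.blackholed:
            return "drop:rtbh"           # traffic toward a black-holed host route
        return "forward"
```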
Alternatively, an AARNet customer can contact the AARNet NOC via phone or email and request that DoS/DDoS traffic be black-holed manually.
The AARNet 24x7 NOC monitors network traffic. If they notice any abnormal traffic, they will investigate. Please note that given bandwidth capacity within the AARNet network, we may not detect all types of abnormal traffic.
What can AARNet customers do?
Prior to a DDoS or DoS attack
- Deploy BCP 38 within your own network to protect your own network from the impact of attacks running within your network, even if they are being dropped by AARNet.
- Test and document tagging a BGP route with 7575:6 and make sure that AARNet is dropping the traffic destined to that IP address. Repeat this as a regular part of your Disaster Recovery and Change control processes.
- Ensure that all cloud-based servers hosted within your network are secured and monitored, so as not to be used as well-connected sources of outbound DoS/DDoS attacks.
- Ensure that all individual hosts, desktops, notebooks, servers and other appliances are protected from intrusion and compromise with on-going and timely software updates and the installation of other protection software.
During a DDoS or DoS attack
- Use NetFlow/IPFIX, an Intrusion Detection System or an Intrusion Prevention System to identify when attacks are occurring and, where possible, the source IP addresses and ports.
- Use Remote Triggered Blackhole routing to mitigate the attack, or
- Notify the AARNet NOC (Network Operations Centre) that you are under attack: firstname.lastname@example.org or 1300 275 662. The NOC will investigate and have a network engineer discuss possible solutions with you.
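An added example, not AARNet's code, of the first step in the list above: summarising NetFlow/IPFIX-style records to spot a flood toward one destination and to list the source addresses and ports worth reporting, together with the host route you would tag for black-holing. The flow records, the 60-second window and the thresholds are constructed for illustration; real thresholds must come from a baseline of your own normal traffic.

```python
"""Summarise per-destination flow records to flag a likely DoS/DDoS target.
All records below are constructed (RFC 5737 addresses), not real traffic."""
from collections import Counter, defaultdict

# Constructed records: (src, sport, dst, dport, proto, bytes, packets), one 60 s window.
FLOWS = [
    ("203.0.113.5", 51000, "198.51.100.10", 443, "tcp", 4000, 30),   # ordinary web traffic
    ("203.0.113.6", 51001, "198.51.100.10", 443, "tcp", 5200, 41),
]
# Forty sources all answering from UDP/123: the shape of an NTP reflection flood.
FLOWS += [(f"192.0.2.{i}", 123, "198.51.100.20", 33000 + i, "udp", 9_000_000, 6000)
          for i in range(10, 50)]


def summarise(flows):
    """Aggregate bytes, bytes per source and (proto, sport) counts per destination."""
    per_dst = defaultdict(lambda: {"bytes": 0, "srcs": Counter(), "ports": Counter()})
    for src, sport, dst, dport, proto, nbytes, _pkts in flows:
        s = per_dst[dst]
        s["bytes"] += nbytes
        s["srcs"][src] += nbytes
        s["ports"][(proto, sport)] += 1
    return per_dst


def find_targets(flows, window_s, mbps_threshold, min_sources):
    """Flag destinations whose rate or distinct-source count exceeds the given
    baseline; note a busy web server also has many sources, so tune both."""
    hits = []
    for dst, s in summarise(flows).items():
        mbps = s["bytes"] * 8 / window_s / 1e6
        if mbps >= mbps_threshold or len(s["srcs"]) >= min_sources:
            hits.append({
                "dst": dst,
                "mbps": round(mbps, 1),
                "sources": len(s["srcs"]),
                "top_sources": [ip for ip, _ in s["srcs"].most_common(5)],
                "top_src_ports": s["ports"].most_common(3),
                "rtbh_route": f"{dst}/32",   # the route to announce with 7575:6
            })
    return hits


if __name__ == "__main__":
    for hit in find_targets(FLOWS, window_s=60, mbps_threshold=20, min_sources=25):
        print(hit)
```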