Protecting Web Servers from DDoS Attacks

Distributed Denial of Service (DDoS) attacks on web servers and applications were one of the fastest growing threats in 2014. While 2013 saw a series of DDoS attacks from hacktivist groups like Anonymous, 2014 saw a tremendous growth in attacks from e-criminals and nation-states. The continued attacks on major US financial institutions allegedly from Iran, and other groups based in the Middle East, grabbed headlines for a major part of the year.

Undoubtedly, some of these attacks were highly sophisticated “reflection-style” and carried out by extremely motivated groups. But, news media can be biased towards reporting the larger attacks on more high-profile organizations and people. What has not been widely reported is the extent of small and medium businesses that found themselves a target of DDoS attacks in 2014. Many of these attacks against smaller organizations were conducted for fun and profit, not for ideology or revenge. What’s more surprising is the lack of sophisticated training many of the hackers who carried out these attacks actually have. LizardSquad, the group that orchestrated the DDoS attack against Sony PlayStation and Microsoft Xbox networks on Christmas were reported by Brian Krebs to be “a group of fame-seeking kids who desperately aspire to be like LulzSec, a similarly minded gang whose core members were busted and went to jail.”

So What is a DDoS Attack on a Web Server?

Consider you are on entertainer at center stage in a full stadium. An audience member stands up and begins to throw tomatoes at you in an attempt to shut down your show. This is similar to a DoS attack against a web server from a single source. Just as one rogue audience member is easy to single out, a single source DoS attack is easy to identify and shut down with the correct security measures in place.

Unfortunately for you, the rogue audience member decides to continue attempts to shut down your show, recruiting more audience members, and forming a group wearing the same colored shirts – they begin throwing tomatoes at you. While this is a stronger attempt to stop your show, similar to an organization’s IT security team, the event security staff easily identifies the group and quickly halts their attempts.

The rogue audience member now realizes he needs both numbers and stealth to stop your show. He converts innocent spectators who bend to his evil intentions (think the agents from “The Matrix” transferring themselves into other people). He also discovers a way to disguise the tomatoes as free event merchandise. With tomatoes in the hands of all audience members and nowhere to hide, your show is shut down.

This is what a DDoS attack looks like when the target is your web server and the attackers are an army of compromised machines on the Internet which are controlled by an attacker. Attacks targeting web servers are often called “Layer 7” attacks that mimic genuine web browsing to evade detection.

Types of DDoS Attacks on Web Servers

When such attacks are targeted at your web servers, they could take a few different forms:

• The first, Volumetric attacks, target the network leading to the web servers. These attacks send a barrage of requests to choke the network pipeline or the network stack of the server. These could be random page requests or TCP level SYN-Flood attacks directed at your web servers.

• The second category targets the processing power of your web servers by sending a large number of requests to specific pages that generate a heavy compute load on the web server, like search and login pages. The network is not choked but the compute capacity on the server is.

• The third category targets the memory capacity of the web servers. The attackers send specially crafted requests to the web servers that hog memory on the server and never release it, as in the Slowloris or R-U-Dead-Yet (RUDY) attacks. In this case, the network and compute capacity is available but memory isn’t.

In all the three cases, your websites are inaccessible and down. If your business depends on them partially or completely, revenues will likely be affected. If attackers demand ransom, you could do a business calculation of ransom vis-a-vis lost revenue over time and either pay or hold out for awhile. If it is someone having fun, you are at their mercy if you do not have a response plan in place.

How is the attack army assembled?

Like the agents in The Matrix, who get inside other “normal” people, the attackers (called botmaster) also recruit their army (called botnet) by installing malicious agents (malware) into the systems of “normal” Internet users.

Malware is spread through email, social engineering, phishing, and compromised web sites. Email providers, IT security companies, and awareness campaigns have defeated malware attachments to quite some extent; however phishing emails with links to malicious sites hosting malware still lure unsuspecting users into the bot trap.

Compromised websites (water hole attacks) are emerging as the most effective and stealthy attacks. Compromised websites consist of hidden links that covertly redirects your browser to malware hosting sites – without giving you any indication.

Malware found on such sites are known as browser exploit kits (e.g. blackhole), extensively profiling your browser and plugins, targeting them systematically for known and unknown (0-day) vulnerabilities. If your browser or any of the add-ons (e.g. Java, Adobe Flash, etc.) do not have the latest security patches, you are toast. Your browser is compromised and through it, your machine’s OS. The inflicted malware remains resident after reboots and can bypass most AV tools.

Even if you have the latest security patches, you could still be compromised by unknown vulnerabilities present in your browsers. Such vulnerabilities are not known or are not patched by the vendor, but have been found by attackers. In fact, there is a thriving underground market for such vulnerabilities which are available for purchase for only a few hundred dollars.

Once the malicious agents are installed on your system, it is now effectively connected to a botnet. The agents await instructions from the botmaster to carry out DDoS attacks, spam campaigns or to steal data from the compromised systems.

Cloud-based web servers are becoming attractive bot nodes to botmasters since they have large resources at their disposal. The attacks on US financial institutions came from several such compromised nodes. Mobile devices are also attractive bot nodes, as they are always on and hardly have anti-malware technology installed.

Rent-a-DDoS-Service Marketplace

2014 also saw an increase in the botnet-as-a-service or DDoS-for-hire businesses amongst cyber criminals and script kiddies, who maintain a botnet of hundreds-of-thousands of bot nodes. A DDoS “service” can be hired by anyone willing to pay. For less than fifty dollars per hour, you can rent a botnet of more than 1,000+ nodes – enough to take down a small or medium business.

Law agencies have a tough time tracking international cybercrime rings due to lack of international treaties against cybercrime. Attackers commonly use “bulletproof hosting” for their own control servers that command the botnets. Such services operate from countries that provide immunity against western law enforcement.

With increasing competition amongst such DDoS-for-hire services, the price for renting a DDoS service is becoming cheaper. There are even reports of one hacking gang launching a DDoS attack against another to retain business. It’s a lucrative market to be in.

Defending Against DDoS Attacks

Organizations seeking to defend their web servers should look for a solution provider who understands web applications and threats. A network layer solution is ineffective when protecting the web application layer. Choose a solution that has complete insight into web traffic, not just IP ports and addresses. The ability to rate-control individual or multiple sources should be a basic requirement.

The solution should be able to discern malicious requests that try to overwhelm the network stack, compute or memory resources of the web server. Integrated IP reputation intelligence to block out requests from sources of bad reputation is good to have, but could be tricky if the reputation criteria are not updated frequently enough.

Some solutions also provide dynamic client fingerprinting mechanisms that can detect suspicious clients like bots, TOR nodes, anonymizers, etc. using script injections and challenge such requests with a CAPTCHA. This can be a lifesaver when a botnet is very distributed, stays below the rate control radar, and its bot nodes have not been blacklisted.

Some cloud-based services are also available to defend against DDoS attacks. The mitigation is done by redirecting all the incoming traffic first to the cloud (via DNS manipulation), scrubbing the traffic, and then relaying it to the destination server. Such solutions promise easy setup and low maintenance. However, evaluate them carefully – some inject advertisements into your web traffic and require exporting your SSL keys to them. Persistent attackers can also bypass the cloud layer and target your servers directly, so an on-premises solution is indispensable.