
Six network protocols that signal an incoming DDoS attack

August 25, 2021
They may not all be the 2.3 Tbps DDoS attack on Amazon Web Services in February 2020, but today's columnist, Vince Hill of cPacket Networks, says security pros can leverage network visibility, replication forwarding services, and a packet capture storage capability to mitigate rising DDoS attacks.
  • UDP (Memcached): Many DDoS attacks use different types of User Datagram Protocol (UDP) packets, such as the memcached protocol, because UDP is sessionless and connectionless. An attacker can send a valid UDP request packet to a server with the target's IP address forged as the UDP source. The server then sends a much larger response packet to the target's IP, amplifying the volume of traffic the attacker has at their disposal. Another attacker tactic is to use packet sizes over 1500 bytes (since the Ethernet MTU is 1500), forcing packet fragmentation and more amplification. These attacks are often quite powerful; memcached abuse was behind the DDoS attack against Cloudflare in 2018 that reflected amplification/flooding of up to 51,200x. NetOps should monitor for unusual volumes of memcached traffic on UDP port 11211 to detect these attacks.
  • Connectionless Lightweight Directory Access Protocol (CLDAP): CLDAP is another UDP protocol that has been used for amplification/flooding attacks. It was used in the notable 2.3 Tbps DDoS attack against AWS in Feb. 2020, which had an amplification factor of 56-70 and peaked at 2.3 terabytes per second. Monitoring for UDP traffic outside of normal levels on port 389 will let the NetOps team know when a CLDAP attack is occurring.
  • Domain Name System (DNS): DNS uses two types of packets: DNS Request and DNS Response. In a DNS flood attack, the number of DNS Request packets significantly outpaces the number of DNS Response packets – quite simply, the attacker floods DNS with too many requests.
  • Transmission Control Protocol Synchronize (TCP-SYN): This attack floods systems with enough TCP SYN packets (the initial packets from client to server that establish a session) to consume available server resources, rendering them unresponsive to legitimate traffic. Monitoring for spikes in TCP SYN packets will show an incoming flood.
  • Application Flooding: Application attacks target layer 7 in the OSI model rather than network infrastructure. These attacks, such as an HTTP flood, are effective because they consume both server and network resources and because they require less overall traffic to cause disruption. They are difficult for NetOps to detect: teams must use deep packet analysis or behavioral analysis to see whether visitors are behaving strangely, or establish an IP reputation database to track and block abnormal activity.
  • Internet Control Message Protocol (ICMP): ICMP Address Mask requests and ICMP Type 9 and Type 10 messages are common vectors for DDoS attacks, as well as man-in-the-middle exploits. To mitigate, IT should disable ICMP route discovery, and then use digital signatures to block all type 9 and type 10 ICMP packets. Monitoring the overall ICMP packet throughput and count will provide early warning of ICMP flooding attacks, as well as of unrelated internal issues.
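As an added example that is not part of the column, the per-protocol checks above (memcached bytes on UDP 11211, CLDAP bytes on UDP 389, DNS request-to-response ratio, bare TCP SYN count, ICMP count) expressed as a small Python detector over one-second windows of packet summaries. The Pkt record, the threshold values and the sample traffic are assumptions; a real deployment would derive the thresholds from its own baseline capture.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:               # one packet summary as a capture tool would export it (constructed)
    ts: int              # arrival time, whole seconds
    proto: str           # 'udp', 'tcp' or 'icmp'
    dport: int = 0       # destination port (0 for ICMP)
    size: int = 64       # bytes on the wire
    flags: str = ""      # TCP flags, 'S' for a bare SYN
    dns: str = ""        # 'req' or 'resp' for DNS packets

# Per-second thresholds; assumed for the example, a NetOps team derives its own from normal traffic.
THRESHOLDS = {"memcached_bytes": 20_000, "cldap_bytes": 10_000,
              "syn_pkts": 100, "icmp_pkts": 50, "dns_req_per_resp": 3.0}

def summarize(pkts):     # bucket packets into one-second windows and tally each signal
    win = defaultdict(lambda: defaultdict(int))
    for p in pkts:
        w = win[p.ts]
        if p.proto == "udp" and p.dport == 11211:    # memcached reflection traffic
            w["memcached_bytes"] += p.size
        elif p.proto == "udp" and p.dport == 389:    # CLDAP reflection traffic
            w["cldap_bytes"] += p.size
        elif p.proto == "udp" and p.dns:             # DNS request / response
            w["dns_" + p.dns] += 1
        elif p.proto == "tcp" and p.flags == "S":    # bare SYN, no ACK
            w["syn_pkts"] += 1
        elif p.proto == "icmp":
            w["icmp_pkts"] += 1
    return win

def detect(pkts, th=THRESHOLDS):   # {second: [alert, ...]} for windows over a threshold
    alerts = {}
    for ts, w in sorted(summarize(pkts).items()):
        hits = [k for k in ("memcached_bytes", "cldap_bytes", "syn_pkts", "icmp_pkts")
                if w[k] > th[k]]
        if w["dns_req"] > th["dns_req_per_resp"] * max(w["dns_resp"], 1):
            hits.append("dns_flood")             # requests far outnumber responses
        if hits:
            alerts[ts] = hits
    return alerts

# Constructed traffic: second 0 normal; 1 a memcached flood of oversized UDP to 11211;
# 2 a SYN flood; 3 a DNS request flood (30 requests against 5 responses).
SAMPLE = ([Pkt(0, "udp", 11211, 100), Pkt(0, "tcp", 443, flags="S"),
           Pkt(0, "udp", 53, dns="req"), Pkt(0, "udp", 53, dns="resp")]
          + [Pkt(1, "udp", 11211, 1400) for _ in range(40)]
          + [Pkt(2, "tcp", 80, flags="S") for _ in range(150)]
          + [Pkt(3, "udp", 53, dns=d) for d in ["req"] * 30 + ["resp"] * 5])
```

Calling `detect(SAMPLE)` flags seconds 1, 2 and 3 with one alert each and leaves second 0 quiet, which is the per-window view a NetOps dashboard would raise on.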