Network Security, Network Security

Six network protocols that signal an incoming DDoS attack

They may not all be the 2.3 Tbps DDoS attack on Amazon Web Services in February 2020, but today’s columnist, Vince Hill of cPacket Networks, says security pros can leverage network visibility, replication forwarding services, and a packet capture storage capability to mitigate rising DDoS attacks. (Photo by Sean Gallup/Getty Images)

With ransomware attacks grabbing headlines, does that mean we are finished with DDoS attacks? Security pros know the answer is “no.” DDoS has been on the rise, with the DDoS Attack Trends for 2020 report from F5 Networks finding that DDoS attacks increased by 55% between January 2020 and March 2021. Kaspersky Labs backed up this trend, finding a quarter more DDoS attacks in 2020 compared to 2019. While malware attacks (ransomware in particular) have overshadowed DDoS in the news, both the volume and frequency of DDoS attacks have increased significantly in the last 18 months.

Fortunately, it’s possible for security operations (SecOps) and network operations (NetOps) teams to detect the warning signs of an incoming DDoS attack by monitoring certain types of network traffic. Here are six network packet types and protocols commonly abused in DDoS attacks, along with the potential warning signs NetOps should watch for:

  • UDP (Memcached): Many DDoS attacks use different types of User Datagram Protocol (UDP) packets, such as the memcached protocol, because they are sessionless and connectionless. An attacker can send a valid UDP request packet to a server listing the target’s IP as the UDP source. The server will send a much larger packet to the target’s IP in response, amplifying the volume of traffic the attacker has at their disposal. Another attacker tactic is to use packet sizes over 1500 bytes (since ethernet MTU is 1500), forcing packet fragmentation and more amplification. These attacks are often quite powerful; memcached abuse was behind the DDoS attack against CloudFlare in 2018 that reflected amplification/flooding of up to 51,200x. NetOps should monitor for unusual volume of memcached traffic on UDP port 11211 to detect these attacks.
  • Connectionless Lightweight Directory Access Protocol (CLDAP): CLDAP stands as another UDP protocol that has been used for amplification/flooding attacks. It was used in the notable 2.3 Tbps DDoS attack against AWS in Feb. 2020, which had an amplification factor of 56-70 and peaked at 2.3 terabytes per second. Monitoring for UDP traffic outside of normal levels on port 389 will let NetOps team know when a CLDAP attack is occurring.
  • Domain Name System (DNS): DNS uses two types of packets: DNS Response and DNS Request. In a DNS flood attack, the number of DNS Request packets will significantly outpace the number of DNS Response packets – quite simply, the attacker floods DNS with too many requests.
  • Transmission Control Protocol Synchronize (TCP-SYN): This attack floods systems with enough TCP SYN packets (the initial packets from client to server that establish a session) to consume available server resources, rendering them unresponsive to legitimate traffic. Monitoring for spikes in TCP SYN packets will show an incoming flood.
  • Application Flooding: Application attacks target layer 7 in the OSI model rather than network infrastructure. These attacks, such as an HTTP flood, are effective because they consume both server and network resources and because it requires less overall traffic to cause disruption. These attacks are difficult for NetOps to detect and require using deep packet analysis or behavioral analysis to see if visitors are behaving strangely or establishing an IP reputation database to track and block abnormal activity. 
  • Internet Control Message Protocol (ICMP): ICMP Address Mask requests and ICMP Type 9 and Type 10 protocols are common vectors for DDoS attacks, as well as man-in-the-middle exploits. To mitigate, IT should disable ICMP route discovery, and then use digital signatures to block all type 9 and type 10 ICMP packets. Monitoring the overall ICMP packet throughput and count will provide early warning of ICMP flooding attacks, as well as unrelated internal issues.

Setting rules and alerts to monitor these six traffic types will help organizations detect and mitigate DDoS attacks. Organizations will also need packet brokers and TAPs set up to route traffic to security tools for observation and analysis. But keep in mind that getting a full picture of a DDoS attack, including how it began and unfolded, will usually require a packet capture and storage system that saves a rolling buffer of packet data – a week or more into the past – for forensic analysis and incident response. That said, even a week’s worth of packet data can take up gigabytes of space, making the storage requirements considerable. The storage capacity will also need to keep pace with network usage gains and network speed upgrades, but a high-quality packet capture solution can help mitigate these storage issues with filtering and deduplication.

While DDoS attacks are on the rise, it’s entirely possible for security pros to monitor and catch the warning signs. Appropriate network visibility, replication forwarding services to feed packet data to security tools, and packet capture storage capability are all critical to maintaining performance and security in the face of these attacks.

Vince Hill, technical marketing engineer, cPacket Networks

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.