
DDoS attacks: what they are and how to protect against them

06.12.2021



Ruslan Rakhmetov, Security Vision


The news regularly reports attacks on the websites of large banks, government services and social networks that leave these Internet resources inaccessible to visitors. Although such outages may result from poorly executed technical work or incorrect network settings, they are often caused by so-called Distributed Denial of Service (DDoS) attacks.


DDoS attacks are classified not only by the volume of malicious traffic (powerful DDoS attacks can reach hundreds of Gbps), but also by the level of abstraction attacked (software, hardware, network), by the target resource under attack, and by a number of other attributes. We will talk about the types of denial of service attacks, response to such cyber incidents and countering DDoS attacks in this article.


To begin with, any cyberattack is, in fact, a violation of one of the three basic properties of information security: confidentiality, integrity and availability. DDoS attacks are aimed at violating the last of these properties, availability. Hence the main feature of DDoS attacks is their obviousness, both to the attacked company and to its employees, clients, partners and counterparties: in a large-scale DDoS attack, legitimate users cannot use the Internet service, which is busy processing the mass of false requests generated by the attackers.


Typical motives for DDoS attacks are:


- Competition: the inability of a company to generate profits due to the unavailability of its website and Internet services, as well as damage to the company's reputation by demonstrating the ‘unreliability’ of its IT services;

- Blackmail: threatening to conduct a large-scale DDoS attack, demanding a ransom to stop a DDoS attack;

- Concealment of other cyber-attacks: diverting the attention of SOC analysts from more covert cyber-operations that may be taking place during a DDoS attack;

- Countering cyber incident response: in the case of geographically distributed IT infrastructures and IS specialists working remotely, the effectiveness of countering cyber attacks will be directly affected by the network availability of network elements and the ability of employees to communicate with each other, organise video conferencing, remotely connect to affected IT assets and cloud-based security consoles;

- Hacktivism: hackers may spread messages about organised DDoS attacks and their demands or claims, including by advertising their illegal DDoS attack services;

- Disrupting key parts of the economy: state-sponsored cyber armies can launch a large-scale DDoS attack against a major government agency or corporation to coerce it into performing certain actions, often politically motivated.


To give an example, a DDoS attack on a toy shop's website during the New Year's season could lead to bankruptcy and going out of business, as the largest share of revenue is generated by sales during such peak periods. Another example: a DDoS attack on the servers of an online game can slow down gameplay and therefore lead to player churn and financial losses for the game's creators.


But DDoS attacks can also lead to more significant financial and reputational losses: let's imagine that the processing centre of a large bank is unavailable - this will lead to the inability of customers to pay with bank cards at the cash desks of retail outlets that use the acquiring services of this bank. Inaccessibility of state Internet resources in the digital age can lead to a direct threat to the health and well-being of citizens: it is enough to imagine the impossibility to quickly make an appointment with a doctor or receive a necessary certificate in time.


Let's move on to the classification of DDoS attacks.

1. By volume of malicious traffic

The attacks launched in recent years against Internet giants and large cloud providers are considered to be the largest: their power reached more than 2 Terabits per second. Some researchers have moved to measuring the scale of DDoS attacks not by the speed of malicious traffic, but by the number of spurious requests per second (RPS, requests per second); by this metric, the largest DDoS attacks exceeded 20 million requests per second. The power of DDoS attacks grows every year as Internet bandwidth increases and the number of devices that can generate spoofed traffic increases. In most cases, these devices are virus-infected user devices: home PCs, smartphones, Internet of Things devices (smart cameras, video recorders, smart home elements), which are combined by hackers into botnets.

2. By the level of abstraction under attack

Modern web portals are designed for simultaneous access by thousands or millions of users, but the speed of processing user requests and the resource's susceptibility to a DDoS attack depend on various factors, such as:


- The bandwidth of the Internet channel on which the web portal is hosted;

- The performance of hardware components (modern web resources work on a virtual infrastructure, in which the key point is the speed and reliability of the disc subsystem, as well as the amount of allocated RAM);

- Correct configuration of network equipment (e.g. routers and firewalls) to protect against spurious traffic;

- Correct configuration of the web server that serves Internet requests to the site;

- Optimising the logic of the site itself (setting up the CMS, web technologies and frameworks used, algorithms for web page elements, site search, results delivery, etc.).


Attacks are possible at each of these levels of abstraction. For example, at the network level, attackers can load the Internet channel with spurious connection requests (TCP flood attacks), malformed ICMP packets (ICMP flood, Smurf attack) or mass sending of UDP datagrams (UDP flood). In the latter case, a UDP amplification technique can also be used: the attacker substitutes the source address of a DNS or NTP request with the address of the attacked server, and many Internet servers answer such a DNS/NTP request with a response many times larger than the request, which is delivered to the spoofed address. Not only common protocols (DNS or NTP) but also less popular ones such as DTLS, QUIC, QOTD, SSDP and others can be used as a ‘transport’ for such amplification. Note that attacks at the network level are quite easy to automate, and the darknet hosts a whole illegal market of DDoS services, which may be disguised as website stress-testing services.


At higher levels - web server, website - attackers are already looking for vulnerabilities in the logic of web components, including those configured by default. For example, until relatively recently (mid-2010s), the popular Apache web server operated by default in Prefork mode, in which a process was created for each web request and hardware resources were allocated, which led to the possibility of launching a successful DDoS attack with just a few hundred web requests that could completely exhaust the Apache server's hardware resources. More modern Apache server modes (Worker, Event modes) use hardware resources more productively.


3. By target attacked resource

At the level of network equipment or hardware components, the organisation of a successful DDoS attack depends only on the attackers having comparable hardware capabilities and the number of devices in the botnet that can generate a significant amount of spurious traffic. At the level of business services and applications accessible from the Internet, vulnerabilities in application logic, software settings, and web portal code are already exploited. For example, a website of a shop selling home appliances may contain a large number of product articles with characteristics and photos of the goods; at the same time, if a user sets a broad search query, the output of all the results of such a search on one web page may well significantly load the web server and slow down the work of the site. If the site provides for sending user data in a POST request, an attacker can perform an HTTP slow POST attack, in which the attacker tells the web server that he intends to send a certain amount of information in a POST request, and then the specified amount of data is transferred very slowly (1 byte per several tens of seconds) - this can be compared to very slow typing in the ‘Comment’ field on the site. In such a scenario, the web server will maintain the established HTTP connection for a long time, wasting its hardware resources on a virtually inactive connection.


Another similar DDoS attack called Slowloris involves the attacker deliberately slowing down the sending of HTTP headers every few seconds to keep the connection active (but not completing the web request correctly), which also results in the exhaustion of the web server's resources. Note that the transition of most web servers to HTTPS protocol has led to an even greater load on hardware components, since building a TLS/SSL connection requires performing a number of rather computationally complex cryptographic operations.
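To make the slow POST and Slowloris mechanics concrete from the defender's side, here is an added example (not code from the original article) of the per-connection timeout policy a web server can apply, modelled on the form of Apache mod_reqtimeout's `header=20-40,MinRate=500` rule: the deadline is extended only in proportion to bytes actually received and is capped, so a trickle cannot hold a socket open indefinitely. It assumes the announced body size arrives in the Content-Length header; thresholds, event format and traces are constructed for illustration.

```python
"""Slow-request (Slowloris / slow POST) connection policy: an added example modelled
on the shape of Apache mod_reqtimeout's 'header=20-40,MinRate=500'; values constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class SlowRequestPolicy:
    header_timeout: float = 20.0  # initial seconds to receive the complete headers
    header_max: float = 40.0      # hard cap, however much data trickles in
    body_timeout: float = 20.0    # initial seconds to receive the announced body
    body_max: float = 40.0
    min_rate: float = 500.0       # bytes/s: each received chunk extends the deadline


@dataclass
class Connection:
    opened_at: float
    policy: SlowRequestPolicy = field(default_factory=SlowRequestPolicy)
    buf: bytes = b""
    headers_done: bool = False
    body_expected: int = 0
    body_received: int = 0
    deadline: float = field(init=False)
    hard_cap: float = field(init=False)

    def __post_init__(self) -> None:
        self._start_phase(self.opened_at, self.policy.header_timeout, self.policy.header_max)

    def _start_phase(self, now: float, timeout: float, maximum: float) -> None:
        self.deadline, self.hard_cap = now + timeout, now + maximum

    def on_data(self, now: float, chunk: bytes) -> Optional[str]:
        """Feed a received chunk (b"" for an idle timer tick). Returns a drop reason,
        'complete' when the whole request is in, or None while it may keep waiting."""
        if now > self.deadline:
            return "body_timeout" if self.headers_done else "header_timeout"
        # The deadline grows only in proportion to bytes actually received, up to the cap.
        self.deadline = min(self.hard_cap, self.deadline + len(chunk) / self.policy.min_rate)
        if not self.headers_done:
            self.buf += chunk
            end = self.buf.find(b"\r\n\r\n")
            if end < 0:
                return None  # Slowloris pattern: header block never terminated
            head, chunk = self.buf[:end].decode("latin-1"), self.buf[end + 4:]
            for line in head.split("\r\n")[1:]:
                name, _, value = line.partition(":")
                if name.strip().lower() == "content-length" and value.strip().isdigit():
                    self.body_expected = int(value)
            self.headers_done = True
            self._start_phase(now, self.policy.body_timeout, self.policy.body_max)
        self.body_received += len(chunk)
        return "complete" if self.body_received >= self.body_expected else None


def run_trace(events: List[Tuple[float, bytes]], policy: Optional[SlowRequestPolicy] = None) -> str:
    """Replay (seconds since open, chunk) events on one connection; return the verdict."""
    conn = Connection(opened_at=events[0][0], policy=policy or SlowRequestPolicy())
    for ts, chunk in events:
        verdict = conn.on_data(ts, chunk)
        if verdict:
            return verdict
    return "waiting"


# Constructed traces: a normal GET, a Slowloris header trickle, a slow POST body trickle.
NORMAL = [(0.0, b"GET / HTTP/1.1\r\nHost: shop.example\r\n\r\n")]
SLOWLORIS = [(0.0, b"GET / HTTP/1.1\r\n")] + [(10.0 * i, b"X-a: b\r\n") for i in range(1, 4)]
SLOW_POST = [(0.0, b"POST /comment HTTP/1.1\r\nHost: shop.example\r\nContent-Length: 1000\r\n\r\n"),
             (15.0, b"a"), (30.0, b"a")]
```

The same policy also explains why fixed large timeouts alone do not help: the cap and the minimum rate are what separate a slow legitimate client from a connection-holding attacker.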


It should also be noted that denial-of-service attacks are not only distributed DDoS attacks via the Internet from a large number of malicious or infected hosts on the network. Denial of service attacks can also include:


- Massive sending of SMS messages to flood the victim's mobile phone memory (SMS flooding attack) or to confuse the victim for further social engineering attacks;

- A large flow of spam calls to mobile/landline phones or Internet telephony in order to occupy the phone line and, as a result, make it unavailable for legitimate calls (TDoS, Telephony Denial of Service);

- Password brute force of domain users during an attack or as part of a pen-test, which leads to account lockout for some time and, as a consequence, to the inability of users to log in;

- Exploitation of vulnerabilities in a cloud service/application, resulting in excessive consumption of hardware resources when autoscaling is enabled and, as a consequence, in overconsumption of client funds (Yo-Yo DDoS attack);

- Exploitation of vulnerabilities in application software, resulting in the inability to perform legitimate operations due to excessive resource consumption by the attacked device (using 100% of CPU time, using all available RAM);

- Exploitation of vulnerabilities in the operating system or driver, resulting in rebooting, device freezing, system crashing/inoperable state (example - Ping of death attack);

- Exploitation of vulnerabilities in the device firmware leading to unauthorised re-flashing of the device (usually connected to the Internet and accessed with default or easily guessed credentials) and, as a result, to damage and failure of the device (PDoS attack).


Defence against DDoS attacks 10-20 years ago was based, as a rule, on expanding the Internet communication channel, because even a sharply increased flow of legitimate visitors could ‘bring down’ a website, for example after a company's name or web address was mentioned in popular media. Currently, DDoS attacks are countered in accordance with the concept of defence in depth (echeloned defence) with the involvement of anti-DDoS vendors:


- At the Internet connection level, the IP address of the protected web resource is announced through the networks of companies that scrub traffic, filtering out parasitic DDoS requests before they reach the resource;

- At the DNS service level, the site name is converted into an IP address on the side of companies providing DDoS protection, which makes it possible not to disclose the real IP address of the resource to attackers, as well as to clear traffic and balance the load during a DNS flood attack (an attack on a DNS server to disrupt its availability to users);

- At the web server level, the recommendations from the ‘best practices’ for DDoS protection for the selected product should be followed;

- At the site/service level, protective captcha codes (images that must be manually entered) can be set, cookies and HTTP Redirect can be used to filter out some of the attacking bots;

- At the level of web application business logic, filter dangerous and difficult to process requests, API and backend calls, and limit unauthenticated use of such functionality.


Applying the Security Vision IRP/SOAR solution addresses the following tasks in countering DDoS attacks as part of automating information security processes and cyber incident response:


- Detection of anomalies in Internet traffic and operation of web services and applications using machine learning and Big Data processing mechanisms (e.g., by training Security Vision's IRP/SOAR solution on typical interaction of legitimate users with a web application with further detection of deviations from normal behaviour and subsequent robotic response);

- Reducing the time it takes to detect and respond to a DDoS attack by processing data from connected elements of the IT infrastructure and sending control commands to the protection tools (e.g., to promptly block connections from certain IP addresses and geographic locations from which spurious traffic is originating);

- Providing the ability to respond automatically to a cyber incident when, due to a distracting DDoS attack, SOC analysts are unable to quickly exchange information, remotely connect to affected hosts or issue commands in cloud-based security consoles.
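As an added example of the detection-and-block step described above (not code from the original article or from the product): a sliding-window counter over web server access logs that flags sources whose request rate exceeds a threshold and turns them into expiring block entries, so that a shared or spoofed address is not locked out permanently. Log lines, IP addresses and thresholds are constructed for illustration.

```python
"""Flood detection over web server access logs with a per-source sliding window.
Added example, not code from the original article; the log lines are constructed
in the common 'combined' format and the thresholds are illustrative."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, Iterable, List, Optional

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str) -> Optional[dict]:
    """Return ip/ts/request for a combined-format line, or None if it is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT), "req": m["req"]}


def flag_sources(lines: Iterable[str], window_s: int = 10, max_requests: int = 20) -> Dict[str, int]:
    """Sliding window per source IP over time-ordered log lines. Returns
    {ip: peak request count in any window_s-second window} for sources that
    exceeded max_requests; a visitor browsing at a normal pace never appears."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    peaks: Dict[str, int] = {}
    window = timedelta(seconds=window_s)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed lines are skipped rather than crashing the detector
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] >= window:
            q.popleft()  # drop timestamps that fell out of the window
        if len(q) > max_requests:
            peaks[rec["ip"]] = max(peaks.get(rec["ip"], 0), len(q))
    return peaks


def block_list(peaks: Dict[str, int], now: datetime, ttl_s: int = 600) -> Dict[str, datetime]:
    """Turn flagged sources into temporary block entries with an expiry time."""
    return {ip: now + timedelta(seconds=ttl_s) for ip in peaks}


def build_sample_log() -> List[str]:
    """Constructed traffic: one visitor browsing normally, one source flooding /search."""
    t0 = datetime(2021, 12, 6, 10, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "{req}" 200 512 "-" "Mozilla/5.0"'
    events = [(t0 + timedelta(seconds=12 * i), "203.0.113.7", f"GET /page{i} HTTP/1.1")
              for i in range(5)]
    events += [(t0 + timedelta(seconds=30, milliseconds=150 * i), "198.51.100.9",
                "GET /search?q=%25 HTTP/1.1") for i in range(40)]
    events.sort(key=lambda e: e[0])
    return [fmt.format(ip=ip, ts=t.strftime(TS_FMT), req=req) for t, ip, req in events]


if __name__ == "__main__":
    flagged = flag_sources(build_sample_log())
    print(flagged)  # {'198.51.100.9': 40}
```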



What are DDoS attacks?

DDoS attacks are malicious actions in which attackers attempt to overload servers, networks or applications, making them inaccessible to users. Typically, this type of attack is carried out using botnets - networks of computers taken over by hackers without the consent of their owners. These botnets send a huge number of requests to the target resource at the same time, overloading it and making it inaccessible.

How do DDoS attacks work?

The DDoS attack process can be broken down into several steps:

1. Botnet Takeover: Attackers take control of hundreds or even thousands of computers, creating a botnet. These computers may be infected with malware or vulnerable to attack.

2. Preparing for an attack: Attackers program the botnet to send multiple requests to the target server or application at the same time. These requests create an artificial load that overloads the infrastructure.

3. Attack: When the botnet is ready, attackers launch an attack by sending a huge number of requests to the target. Servers and networks face an incredible influx of traffic, resulting in slowdowns or even complete unavailability.

4. Detection and Response: Resource owners or their security teams must detect the attack and take steps to mitigate its effects. This may include filtering malicious traffic, load balancing, or temporarily shutting down the attacked resource.

