Have you ever wondered which types of DDoS attacks are hardest to stop? There are many different types of Distributed Denial of Service attacks, but not all of them are hard to block, so we’ve put together the Top 3 from a DDoS protection provider’s perspective. Generally speaking, it’s always tough to stop DDoS attacks that mimic the legit traffic of the application they target, but there are a few attacks particularly hard to stop.
1. Direct Botnet Attacks
A botnet is a number (ranging from 10 to 100,000+) of infected PCs, servers, or more recently also IoT devices, that can be controlled by the attacker from a so-called C&C (command and control) server. Depending on the type of botnet, an attacker can use it to perform a variety of different attacks. For example it can be used for layer 7 HTTP attacks where the attacker would make each infected PC/server send HTTP GET or POST requests to the victim’s website until the web server’s resources are exhausted.
Generally botnets establish full TCP connections during an attack, which is what makes them so hard to block. It’s basically layer 7 DDoS that can be modified to do as much harm as possible to any application, not just websites, but also game servers and any other service. Even if the bots are unable to mimic the target application’s protocol, they can still just establish so many TCP connections that the victim’s TCP/IP stack is unable to accept more connections and therefore becomes unresponsive.
Direct botnet attacks can be mitigated by analyzing the connections from the bots and figuring out how the payloads they send differ from legit connections. Connection limiting can also help, but it all depends on how exactly the botnet behaves and that can be different every time. It’s often a manual process to identify and stop direct botnet DDoS.
2. Layer 7 HTTP DDoS
HTTP based layer 7 attacks, such as HTTP GET or HTTP POST flood, is a type of DDoS attack that imitates website visitors by sending lots of HTTP requests to a web server in order to exhaust its resources. While some of these attacks have patterns that can be used to identify and block them, such as WordPress XML-RPC DDoS that we recently covered, there HTTP floods that can’t be identified that easily. They are not rare and can be very pestilent to webmasters, as they constantly evolve to bypass common detection methods.
Mitigation approaches for layer 7 HTTP attacks include HTTP request limiting, HTTP connection limiting, blocking of malicious user agent strings and using a web application firewall (WAF) to identify malicious requests by known patterns or source IPs.
3. TCP SYN/ACK Reflection Attacks (DrDoS)
A TCP reflection DDoS attack is when an attacker sends spoofed packets to any type of TCP service to make it appear that it originated from the victim’s IP address, which makes the TCP service send a SYN/ACK packet to the victim’s IP address. For example the IP that the attacker wants to hit is 18.104.22.168. To target it, the attacker sends a packet to any random web server on port 80 where the header is faked in a way that the web server thinks the packet originated from 22.214.171.124, where in fact it did not. This will make the web server send back a SYN/ACK to 126.96.36.199 in order to confirm it received the packet.
TCP SYN/ACK reflection DDoS is hard to block because it requires a stateful firewall that supports connection tracking. Connection tracking usually requires some resources on the firewall device depending on how many legit connections it has to track. It would check whether a SYN packet has been actually sent to the IP that it receives the SYN/ACK packet from in the first place.
Another mitigation approach is to block source ports used during the attack. With our example case, all SYN/ACK packets would have the source port 80, which legit packets usually don’t have (unless there is a proxy running on the victim’s machine), so it could be safe to stop this attack by blocking all TCP packets with source port 80.
The better the attacker imitates the actual protocol and behaviour of the users of the application he targets, the harder it becomes to stop the DDoS attack. Sometimes differences between legit an bad traffic are very hard to spot, which makes it tough for security experts to craft methods of filtering those DDoS attacks, especially without affecting any of the legit traffic. It’s mostly impossible to relay on off the shelf solutions to block such complex DDoS attacks and requires manual analysis of the attack by an expert.