
According to this article, ProtonMail was the victim of a very sophisticated DDOS attack.

"At 2pm there was a dramatic escalation," said Yen. According to Yen and Gargula the attackers smacked 15 different ISP nodes simultaneously, then attacked all the ISPs going into the datacenter using a wide range of sophisticated tactics. "This was not your standard DDoS anymore," Yen explained, "in fact most of the experts we spoke with had never seen anything like this."

"First we moved the BGP IP prefix," said Gargula as he detailed the attack, "I tried to isolate legit human traffic from bot traffic and not to mix it up. We sacrificed one of their three BGP uplink layers as a 'canary' to test the sophistication of the attack. Then we changed the configuration for the IP uplink."

How does moving the BGP IP prefix help? From what I understand, as long as the MX record can be resolved to an IP, an attacker can flood the IP with packets, which will be routed to the new AS. If it cannot be resolved, legitimate users will also not be able to access the service.

And also, what other sophisticated DDOS techniques are there?

techraf
limbenjamin

  • Related: https://security.stackexchange.com/questions/115168/weird-log-record-from-researchscan1-eecs-berkeley-edu-169-229-3-91-is-this-a/115210#115210 - check out the grant topics the folks are working on. – Deer Hunter Mar 24 '16 at 18:00

2 Answers


"First we moved the BGP IP prefix," said Gargula as he detailed the attack, "I tried to isolate legit human traffic from bot traffic and not to mix it up. We sacrificed one of their three BGP uplink layers as a 'canary' to test the sophistication of the attack. Then we changed the configuration for the IP uplink."

"How does moving the BGP IP prefix help?"

I believe they are referring to a sinkhole--a sacrificial router, in this case a BGP router, since BGP may not require much authentication. By configuring the sinkhole to "advertise routes with bogon destination addresses, you can set up a central trap for malicious traffic of all types" [Hacking Exposed 7: Network Security Secrets and Solutions, 2012]. Lists of bogon addresses can be found online: www.cymru.com/Bogons, slides

"And also, what other sophisticated DDOS techniques are there?"

There are a number of sophisticated DDoS techniques. DDoS leverages DoS methods using a distributed attack surface. Most of us probably know about the SYN flood, where a SYN packet is sent with a spoofed source address; the receiving system tries to acknowledge it, does not receive a response, and is left with a partial connection in a short queue that is easily disabled by flooding. Similarly, a UDP flood is designed and source IP addresses are often spoofed to target DNS servers, which rely on the UDP protocol.

Reflective amplification is another DDoS attack (DRDoS) that again uses spoofing. Often botnets send the packets, the source address is the victim IP address, and the packets are sent to machines that try to respond to the victim simultaneously, generating a flood of packets sent to the victim. For example, DNS servers respond to small requests with a large amount of information and DNS amplification can overwhelm the victim's system.

Application-layer DDoS attacks use the same ideas at a higher level, such as the web level, rather than the transport or communication level. Here the goal of the attacker is to find an easy and short request that generates lots of work in the victim's API. For example, a single-word search request can eat up lots of cycles on the victim's machine. Or a database-driven site might have pages that trigger database queries when the URL is requested. Now the attacker can use just a few queries per second, either making the requests in a distributed manner or not, and bring the victim's machine grinding to a halt.

There is also a low-rate DoS attack where the attacker causes a TCP connection to enter a retransmit state. If enough connections enter this state, the victim's machine suffers declining performance.

See Hacking Exposed 7: Network Security Secrets & Solutions for more discussion of DDoS attacks. See Wikipedia for more attacks: https://en.wikipedia.org/wiki/Denial-of-service_attack

  • SYN floods and reflective amplification alone aren't sophisticated. In fact, the Wikipedia source that you linked to has a section on APDoS that mentions that the sophistication arises from the recon, tactical execution and use of multiple attack vectors and the capability to sustain the attack. – limbenjamin Apr 03 '16 at 01:32
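The SYN-flood and reflective-amplification patterns this answer describes have recognisable shapes in flow telemetry, which is where a defender usually sees them first. The script below is an added example, not part of the original answer: it runs two detectors over a constructed batch of NetFlow-style records (the `Flow` layout, the sample addresses from the documentation ranges, and the thresholds are all assumptions). A spoofed SYN flood appears as many single-packet SYN-only flows to one destination from many sources that never complete; a DRDoS victim receives far more bytes from a service port (here DNS, port 53) than it ever sent to that port, and from many distinct servers at once.

```python
"""Detect SYN-flood and reflection/amplification patterns in flow records.

Added example (not from the original answer). Records are constructed
NetFlow-style tuples kept inline so the script runs offline.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    sport: int
    dport: int
    packets: int
    octets: int
    flags: str = ""  # TCP flags seen over the flow: "S" = SYN only (half-open), "SPA" = full session


# Constructed sample (not real traffic): five normal HTTPS sessions, a 200-source
# SYN flood against 203.0.113.10, one legitimate DNS lookup by 203.0.113.25, and
# 40 open resolvers reflecting large answers at 203.0.113.25.
FLOWS = (
    [Flow(f"198.51.100.{i}", "203.0.113.10", "tcp", 40000 + i, 443, 30, 12000, "SPA") for i in range(1, 6)]
    + [Flow(f"192.0.2.{i + 1}", "203.0.113.10", "tcp", 1024 + i, 443, 1, 60, "S") for i in range(200)]
    + [Flow("203.0.113.25", "198.51.100.53", "udp", 50000, 53, 1, 70),
       Flow("198.51.100.53", "203.0.113.25", "udp", 53, 50000, 1, 120)]
    + [Flow(f"198.51.100.{100 + i}", "203.0.113.25", "udp", 53, 50000, 500, 1_500_000) for i in range(40)]
)


def syn_flood_suspects(flows, min_half_open=100):
    """Map each destination with >= min_half_open SYN-only flows to
    (half_open_count, distinct_sources). A spoofed SYN flood shows up as
    many single-packet SYN flows from many sources that never complete."""
    half_open = defaultdict(int)
    sources = defaultdict(set)
    for f in flows:
        if f.proto == "tcp" and f.flags == "S":
            half_open[f.dst] += 1
            sources[f.dst].add(f.src)
    return {dst: (n, len(sources[dst])) for dst, n in half_open.items() if n >= min_half_open}


def reflection_suspects(flows, service_port=53, min_ratio=10.0, min_reflectors=10):
    """Map each host that receives far more bytes from service_port than it sent
    to service_port to (bytes_in, bytes_out, reflector_count). The DRDoS victim
    never asked for the answers, so the in/out ratio is huge and the answers
    arrive from many distinct servers."""
    bytes_in = defaultdict(int)
    bytes_out = defaultdict(int)
    reflectors = defaultdict(set)
    for f in flows:
        if f.proto != "udp":
            continue
        if f.sport == service_port:
            bytes_in[f.dst] += f.octets
            reflectors[f.dst].add(f.src)
        elif f.dport == service_port:
            bytes_out[f.src] += f.octets
    suspects = {}
    for host, rx in bytes_in.items():
        tx = bytes_out.get(host, 0)
        ratio = rx / tx if tx else float("inf")
        if ratio >= min_ratio and len(reflectors[host]) >= min_reflectors:
            suspects[host] = (rx, tx, len(reflectors[host]))
    return suspects


if __name__ == "__main__":
    for victim, (n, srcs) in syn_flood_suspects(FLOWS).items():
        print(f"SYN flood: {victim} has {n} half-open flows from {srcs} sources")
    for victim, (rx, tx, refl) in reflection_suspects(FLOWS).items():
        print(f"Reflection: {victim} received {rx} B from {refl} servers, sent {tx} B")
```

The two detectors key on what spoofing cannot hide: the flood is addressed to the victim, so counting half-open flows per destination and response bytes per destination works even though every source address is forged. The normal DNS lookup in the sample stays below both thresholds because it has one resolver and a small in/out ratio.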

In my opinion only!

There is no sophistication in a Denial of Service attack, but in DDOS the only sophistication is that you can launch an attack at the same time from more targets. So .... If (brain) {no big deal}.

How does moving the BGP IP prefix help?

Well there are two things you could do with BGP to defend yourself against DDOS:

1. RTBH - Remotely-Triggered Black Hole (the radical one)

Blackhole (stop traffic) for the IP getting attacked. Downside: The IP being targeted is no longer reachable. Benefit: The rest of your network stays up.

2. Source-Based RTBH (The second option builds on the first one)

RTBH can also be used (in certain configurations) to block traffic coming from specific IPs (in a real DDoS that wouldn't help much as traffic would come in from thousands of IPs).

In your case you could get all prefixes for the AS from a Routing Database like RADB and block these with Source-Based RTBH. Traffic would still hit your network at the border though.

When you use "simple" RTBH the advantage is that you can send these RTBH routes to your Upstream ISP (if they support it) who could then block the traffic in their network already so you don't have to handle it.

Short answer:

You have A, B, C, D servers on the same network (different IPs) ... A is under attack! A is taken down by DDOS and also B, C, D go to sleep because they use the same network. You move A out of the DDOS reach and you wake up B, C, D.

Lucian Nitescu
  • 1) Seems to work only for the most rudimentary attacks that use hardcoded IPs. If attacker constantly resolves the MX records, then it won't help. 2) As you have mentioned, does not work on a real DDoS with many disparate IPs. – limbenjamin Mar 26 '16 at 23:11
  • Yeah but it depends on the DoS/DDoS type... but it could work if the DDoS is actually very rudimentary. – Lucian Nitescu Mar 27 '16 at 12:26
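The two RTBH options in this answer, as an added example that is not part of the original answer: destination-based RTBH announces a host route for the attacked address with the well-known BLACKHOLE community (65535:666, RFC 7999) so the upstream discards traffic to it, and source-based RTBH takes the route objects a registry such as RADB holds for a source AS and blackholes those prefixes as sources instead. The AS number AS64500, the RPSL text, the attacking addresses and the `Null0` rendering are constructed for the example; the parsing of `route:`/`origin:` pairs follows the RPSL layout RADB returns.

```python
"""Generate RTBH trigger routes from attack telemetry.

Added example, not from the original answer. AS64500, the RPSL text and the
attacking addresses are constructed; the BLACKHOLE community 65535:666 is the
well-known value from RFC 7999.
"""
import ipaddress

BLACKHOLE = "65535:666"

# Constructed RADB-style route objects (RPSL "route:" / "origin:" pairs).
RADB_ROUTES = """\
route:      192.0.2.0/24
origin:     AS64500

route:      198.51.100.0/25
origin:     AS64500

route:      198.51.100.128/25
origin:     AS64501
"""


def prefixes_for_as(rpsl_text, asn):
    """Return the prefixes whose route object names `asn` as origin."""
    prefixes, current = [], None
    for line in rpsl_text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "route":
            current = ipaddress.ip_network(value, strict=True)
        elif key == "origin" and current is not None:
            if value.upper() == asn.upper():
                prefixes.append(current)
            current = None
    return prefixes


def destination_rtbh(victim):
    """Destination-based RTBH: a host route for the attacked address tagged
    BLACKHOLE, so the upstream discards everything sent to it (and the host
    is unreachable until the route is withdrawn)."""
    return {"prefix": str(ipaddress.ip_network(victim)), "community": BLACKHOLE, "match": "destination"}


def source_rtbh(attack_sources, as_prefixes):
    """Source-based RTBH candidates: the AS prefixes that cover observed attack
    sources, with a count of how many sources each one covers. Dropping by
    source relies on loose-mode uRPF at the edge with the blackhole next hop."""
    hits = {}
    for src in attack_sources:
        ip = ipaddress.ip_address(src)
        for net in as_prefixes:
            if ip in net:
                hits[str(net)] = hits.get(str(net), 0) + 1
    return [{"prefix": p, "community": BLACKHOLE, "match": "source", "sources": n}
            for p, n in sorted(hits.items())]


def uncovered_sources(attack_sources, as_prefixes):
    """Attack sources no AS prefix covers; in a real DDoS with thousands of
    scattered sources this list is why source-based RTBH scales poorly."""
    return [s for s in attack_sources if not any(ipaddress.ip_address(s) in n for n in as_prefixes)]


def render_static_routes(routes):
    """FRR-style trigger lines (illustrative): a static route to Null0 is what
    a trigger router redistributes into BGP with the BLACKHOLE community."""
    return [f"ip route {r['prefix']} Null0" for r in routes]


if __name__ == "__main__":
    victim = "203.0.113.10"                      # constructed attacked host
    sources = ["192.0.2.7", "192.0.2.200", "198.51.100.9", "198.51.100.200", "203.0.113.99"]
    as_prefixes = prefixes_for_as(RADB_ROUTES, "AS64500")
    print("destination RTBH:", render_static_routes([destination_rtbh(victim)]))
    print("source RTBH:", source_rtbh(sources, as_prefixes))
    print("not covered:", uncovered_sources(sources, as_prefixes))
```

Running it shows the trade-off the answer describes: the destination route silences A completely, which is what keeps B, C and D reachable, while the source-based routes cover only the two AS64500 prefixes and leave the remaining attack sources untouched, and even the covered traffic still reaches your border unless the upstream honours the community and drops it in its own network.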