A short word on DDoS attacks and mitigations

This article outlines Jade’s existing capabilities that will facilitate some protection against DDoS attacks on Internet exposed systems. It also considers other steps that could be employed, or be prepared to be employed, to provide additional relief in the event of an actual attack. 

In considering the options available, businesses may decide to take pre-emptive steps to further enhance their own starting position. The intention is to provide a degree of confidence that Jade will respond quickly and with a high level of expertise against an attack, and to prompt proactive discussion regarding other potential preparations. 

This article is intended for technical personnel who we expect will also be aware of the business and user context of their organisation’s web-based services. 

DDoS - a brief description 

DDoS (Distributed Denial of Service) attacks are created by orchestrating a flood of Internet traffic directed at a particular target. However, they can have some variation in their nature, including differences in: 

• the sources of the attack traffic 
• the nature of the attack traffic (protocols and ports) 
• the target of the attack (IP address, IP address range, DNS FQDN’s etc) 
• the sustained volume and peak traffic flows 

These possible variations all mean that a simple response procedure is not likely to provide the best outcomes in all cases, so in each event the options discussed in this document will be evaluated by the networking team and other 3rd level support staff in Jade to derive the best responses for an event. 

Depending on the exact nature of any attack, there could be negative impacts to either a single site, single customer, or to multiple sites and/or multiple customers. This makes the response for any actual event highly dependent on determining the full scope of the impacts prior to enacting any mitigation response. 

Mitigation Options 

This section contains options that can be implemented in advance but also covers conditional options that can depend on attack specifics that will be described with each option. 

Preamble: 

A current spate of DDoS attacks in New Zealand (Aug 2020) are characterised by details as set out in the cert advisory referenced in “Related Documents” below. As evidenced by this experience a highly motivated attacker may be working from information obtained well in advance of any protections that may have been more recently implemented. This can mean that protections implemented after, or close to an attack event have reduced effectiveness of their intended results. 

To achieve the best outcomes each of the following should be considered in the light of your specific requirements and current system topology. The more complete understanding of the whole environment can assist in determining the potential weak points and lead to better understanding of how a response might unfold. 

Understanding your Environment: 

The main components of any “Internet Exposed” service are:  

• Where the service is located 
• What service ports are open 
• Are the Clients to the service “well-known” or “anyone” 

But there are many other associated components that can have an impact on the level of protection or exposure. These include: 

• Is the network connection to the service through a single provider (ISP)? 
• Is the service location clearly identifiable by way of DNS lookups? 
• Are there related services attached to the same networks? (eg Website plus associated SFTP server) 
• Are there clearly identifiable subsets of system Users that have more critical access requirements than general Internet Users? 

DNS Issues and Mitigation 

Generally speaking, an attacker is likely to start their reconnaissance after identifying the company they want to target by doing some simple DNS lookups of typical domain names associated with that company, perhaps harvested from the target corporate website looking at links. 

A lookup of www.<companyname>.co.nz will reveal immediately if the origin server is directly exposed via IP address associated with the name(s), or if in fact there is a WAF or other “reverse proxy” service in front of the website. A WAF or reverse proxy would be characterised by the DNS lookup returning a CNAME or “alias” rather than an actual IP address. An attacker may decide that a CNAME indicating a front-end service such as Imperva/Incapsula WAF which has DDOS protection is indicating a target not worth immediately pursuing. 

An example of this might be: 

C:\ >nslookup secure.jadeworld.com 

Non-authoritative answer: 
Name:    cdhxd.x.incapdns.net                   <- indicates the use of Incapsula protection 
Address:  107.154.81.44                            <- this IP address does not offer clues as  
Aliases:  secure.jadeworld.com                         to the location of the origin server. 

There are still two main issues with the DNS lookups themselves: 

1. The attacker may look closer at the DNS servers that are authoritative for the domain and decide to launch a DDoS attack directly at those rather than focus on anything further along. This can result in a wider attack surface than simply targeting a single “site”. 
2. An attacker resolving a variety of names within the domain under reconnaissance may discover IP addresses belonging to a netblock that is used for critical services not necessarily websites, but associated, for instance an sftp service or mail services running in the same segment. They can then launch an attack on these names OR IP addresses with the knowledge that the attack will affect the “last mile”, and possibly even the ISP delivering that last mile if they don’t have the capacity to absorb the sheer volume. 

Mitigations: 

To provide some mitigation on a DNS domain under attack, several possibilities arise: 

1. If it is just one domain being attacked, an initial response would be to move that domain to either an isolated external DNS server, or to a DNS service provider with the capacity to sink the attack traffic while allowing legitimate traffic to still resolve records as required. Jade can entertain either solution for Domains under direct management but could work with customers where domains are under their own control. Route53 is one such external DNS provider with DDoS protections built into the service depending on subscription. 
2. Taking into consideration points raised above in “Understanding your environment”, it may transpire that it is not critical to the business that all “Internet DNS name resolution” is working acceptably, as long as relevant names can be resolved by key Users or identifiable and contactable groups of Users. A solution under these circumstances might be running a duplicated DNS domain service on private or un-advertised nameservers (such as the use of Split DNS) or silent secondaries. 
3. Key Users might also be advised to temporarily use HOSTS files or similar in order to ensure name resolution regardless of availability of external nameservers. The content of any such recommendations should be such that traffic generated by their use is directed to an access circuit that is unaffected by the DDoS attack itself. 

For items 2 and 3 above, Jade can advise on individual cases as required. 

IP address space protection 

Aside from a direct attack against a “DNS named” service, it has been reported that early reconnaissance of a target may have resulted in the identification of a vulnerable IP address (or address block). 

The identified address can be targeted with attack traffic relevant to the open ports, but it can also be targeted with traffic intended to use up available bandwidth regardless of whether there is an open port or not. A firewall may be simply dropping such traffic, but if it is flooding the access circuit the DoS can still be achieved. 

Mitigations: 

For attacks against an intentionally open port are difficult to counter, however attacks against unused ports on specific addresses may be able to be blocked by the ISPs further out from the last mile access circuit. 

A more general solution is to reroute traffic that is going to addresses under attack to a destination away from the circuit that is providing access to the end service. If the attack is only against the IP space, then updating DNS to point at an address not under attack may result in normal access being restored. Jade have sufficient external address space to be able to implement this for all but the most massive (classful address space) attacks. 

Of course updating the external DNS may alert the attackers of such an attempt to subvert the attack, so an option for key Users is to advise them privately of the new service IP addresses and have them reconnect to the services they’re using by the “unadvertised” new IP addresses. 

On the service provider side, Jade have direct control over the advertisement of registered address space by way of granular control (down to /24 CIDR) out several independent ISP links. There are other network tools available to Jade to assist with rerouting User traffic to links isolated from attacks. 

System Protection 

Jade are experienced with hosting physical servers (and virtual server hosts) in NZ data centres, but also with the rapid deployment and configuration of Cloud-hosted servers and services.  This provides a further set of options for businesses that involves changing the geographical location of servers as well as the IP addressing and hence the network access. 

Well-documented BAU and DR procedures will assist in the restoration of services should any production system be compromised in situ. 

Incapsula WAF and DDoS protection 

Businesses already using Incapsula services will have some protections available immediately, and more sophisticated add-on protection available at additional cost. 

A capability available to business accounts with Incapsula is to implement Geo-Blocking via a flexible and granular filter. This can be implemented for BAU network access, or might be specified as a set of geo-locations to be blocked only in the event of a real attack. 

Rate limiting of new connections can also be achieved by setting a connection threshold over which client connections are issued a CAPTCHA challenge, and so automatically generated traffic will not be delivered to the origin server. This does add another step for legitimate Users but is not an onerous task and may be acceptable to the business under such circumstances. 

The ability to change the IP address of the origin server quickly, and without affecting associated DNS records also means that if the origin IP itself is under attack, Jade can update that to point to an IP that is not compromised, and simply redirect traffic to the actual origin as it reaches the Jade network. 

For full DDoS inspection and elimination of bad traffic while continuing to pass good traffic, Incapsula require an add-on service subscription.   They have removed the service bands from this option, so provide “unlimited” bandwidth capability with associated SLAs. 

Setting up new Incapsula sites is a relatively quick process as well, so if this or the full DDoS add-on is of interest, Jade can provide more details on request. 

Summary

DDoS attacks are a real and serious threat to businesses maintaining any sort of Internet presence.  The best defence is to be prepared in advance, however those preparations are not just network, software, appliance or subscription based solutions, but also include the availability of a rapid response team who have the skills and experience to react to evolving situations in a timely and effective manner. 

We have long been aware of the possibilities and have had direct experience supporting our customers, so have put in place as many mitigations as possible including making sure that experienced support staff will be available on an “as-required” basis to address any future events. 

We welcome a discussion with you to further define any further mitigations or preparations for your particular circumstance. If you wish to do this please contact our Network Manager, David Bonne at dbonne@jadeworld.com  

Related documents