The cybersecurity scene is locked in a constant arms race: as defenses are improved and bugs incessantly fixed, attackers are constantly scrambling to pry other pieces of network infrastructure loose.
This has finally occurred for even the most advanced DDoS protection, as attackers have grasped a new method of DDoS amplification.
When a customer connects to your website, there’s a lot going on behind the scenes. Two components, the server and the client, engage in communication. A server is simply digital storage for websites and apps; the client is your customer’s device.
First, the browser checks the DNS server, matching up what’s typed into the search bar to a legitimate site. Then, the browser sends an HTTP request to that site, asking for a copy to show on your customer’s device. This request is funneled through TCP.
TCP is the primary way in which data is delivered to your browser. It was first specified in 1973, and it remains the foundation of reliable two-way data transmission.
The TCP Three-Way Handshake
- First, the requesting client sends the server a SYN packet carrying a randomly chosen initial sequence number. Sequence numbers let the receiver put the transmitted data back in the correct order.
- When the server receives that segment, it agrees to the connection by returning an acknowledgement packet (ACK) whose acknowledgement number is the client’s sequence number plus 1. In the same packet, it sends its own initial sequence number to the client.
- Finally, the client acknowledges the server’s reply by sending its own ACK packet, carrying the server’s sequence number plus 1. The connection is now established, and the client can begin transferring data to and from the server.
The Death of DDoS
Traditional DDoS attacks – though still on the rise, like all other cyberattacks – are pretty easy to prevent and circumvent.
The goal of a DDoS attack is to take your site offline for a period of time; the basic method is to overwhelm the bandwidth of your website’s server. By weaponizing a group of internet-connected clients, an attacker can flood a specific website with a large number of HTTP requests, usually with random parameters included so that each request appears unique. The requests all come from different IP addresses, belonging to a group of remotely hijacked zombie computers called a botnet.
A flood of TCP handshake requests leaves the server scrambling to respond to each one. It then waits for the final acknowledgement from each client, and no acknowledgement comes. Just before the half-open connection times out, the malicious client sends another SYN request. Repeated ad infinitum, this leaves the server in limbo, holding resources for connections that are never completed while it waits for a final confirmation that never arrives.
One specific type of DDoS attack is reflection: here, an attacker spoofs the source IPs of the intended victim. Response traffic is now directed at the victim, despite the attacker having made the requests.
Since firewalls cannot simply block the requests, each of which comes from a different, unique computer, the traditional response to DDoS attacks has been to scale up bandwidth. This is a fairly instantaneous fix, though an expensive one.
Amplification Via Content Blockers
To boost the destructive potential of a DDoS attack, attackers are increasingly turning to an amplification vector. The focus, here, is to send small queries that result in large responses.
Middleboxes are in-network devices that sit between the communicating client and server. They monitor and filter streams of data in flight. Many corporations and restrictive governments (specifically, the Chinese government) use middleboxes to censor online content. However, middleboxes do not conform to the original TCP handshake: they scan data in transit with deep packet inspection (DPI) tools and act on what they see, rather than waiting for a completed connection.
The middlebox then injects traffic as though it came from the server, sending the spoofed victim a ‘request denied’ page. This is a far larger response than the request that triggered it. With this amplification method, one SYN packet with a 33-byte payload will trigger a 2,156-byte response.
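From the victim’s side, the tell-tale sign of this amplification is a stream of large TCP responses (the injected block pages) from hosts the victim never opened a connection to. The following is an added example, not code from the original article: a small Python detector run over constructed flow records, which flags sources that send unsolicited, payload-carrying TCP packets to the victim. The record format (direction, source IP and port, destination IP and port, TCP flags, byte count) and the thresholds are assumptions made for this example; the 2,156-byte response size comes from the article.

```python
from collections import defaultdict

# Constructed flow records as seen at the victim's network edge (not real captures).
# Fields: direction src_ip src_port dst_ip dst_port tcp_flags bytes
# 192.0.2.7 is the victim; 93.184.216.34 is a site it legitimately connected to;
# 198.51.100.x are hypothetical middleboxes reflecting block pages at it.
SAMPLE_FLOWS = """\
out 192.0.2.7 51515 93.184.216.34 443 S 60
in 93.184.216.34 443 192.0.2.7 51515 SA 60
in 93.184.216.34 443 192.0.2.7 51515 PA 1400
in 198.51.100.21 80 192.0.2.7 33011 PA 2156
in 198.51.100.21 80 192.0.2.7 33012 PA 2156
in 198.51.100.21 80 192.0.2.7 33013 PA 2156
in 198.51.100.22 80 192.0.2.7 33014 PA 2156
in 198.51.100.22 80 192.0.2.7 33015 PA 2156
in 198.51.100.23 80 192.0.2.7 33016 R 40
"""


def parse_flows(text):
    """Parse whitespace-separated flow records into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        direction, sip, sport, dip, dport, flags, nbytes = line.split()
        records.append({
            "dir": direction,
            "src_ip": sip, "src_port": int(sport),
            "dst_ip": dip, "dst_port": int(dport),
            "flags": flags, "bytes": int(nbytes),
        })
    return records


def find_unsolicited_responses(records, min_bytes=1000, min_packets=2):
    """Return {source_ip: {"packets": n, "bytes": total}} for sources that delivered
    at least `min_packets` inbound packets of `min_bytes` or more on connections the
    victim never initiated (no outbound SYN to that remote ip/port from that local port)."""
    solicited = set()  # (remote_ip, remote_port, local_port) for connections we opened
    unsolicited = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for r in records:
        if r["dir"] == "out" and "S" in r["flags"] and "A" not in r["flags"]:
            # Our own SYN: remember the tuple so replies on it are expected
            solicited.add((r["dst_ip"], r["dst_port"], r["src_port"]))
        elif r["dir"] == "in" and r["bytes"] >= min_bytes:
            key = (r["src_ip"], r["src_port"], r["dst_port"])
            if key not in solicited:
                stats = unsolicited[r["src_ip"]]
                stats["packets"] += 1
                stats["bytes"] += r["bytes"]
    return {ip: s for ip, s in unsolicited.items() if s["packets"] >= min_packets}


if __name__ == "__main__":
    for ip, stats in find_unsolicited_responses(parse_flows(SAMPLE_FLOWS)).items():
        print(f"unsolicited responses from {ip}: {stats['packets']} packets, {stats['bytes']} bytes")
```

The legitimate 1,400-byte reply from 93.184.216.34 is not flagged because the victim’s own SYN to it was recorded first; the small RST from 198.51.100.23 falls below the size threshold. In practice the same check runs over NetFlow or packet-capture data at the edge, and the flagged sources are candidates for rate limiting or sinkholing rather than automatic blocking, since the reflecting middleboxes are themselves third parties.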
TCP DDoS attacks used to be limited only to the attackers with the biggest, beefiest botnets. Now, however, the barrier for entry is far lower and less expensive.
Middlebox amplification became known in August 2021. Since then, it has already been unleashed at a number of companies in the gaming, legal and tech industries. In the face of the oncoming DDoS deluge, it’s becoming increasingly vital to have a DDoS protection solution.
This protection solution could have a number of aces up its sleeve. For example, middleboxes are a double-edged sword: though misconfigured middleboxes can become weapons of mass destruction, middleboxes deployed in front of your own servers can also use DPI to assess dangerous incoming traffic.
DDoS attacks, once underway, can be limited through sinkholing. Once the attack target has been identified, traffic on its way to the targeted IP address is diverted to a discard interface at the network edge. This can shake off total TCP saturation, though performance can still be disrupted network-wide.
SYN cookies are a simple but powerful way of verifying the legitimacy of a connection before the server allocates the necessary resources. Here, the server derives the sequence number in its reply from the connection’s details, including the client’s IP address, instead of storing a half-open connection. The client echoes that value back in its final ACK, and only after the server checks that the two match does it allocate memory for the connection.
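To make the handshake and the SYN-cookie defence concrete, here is an added example (not code from the original article) in Python: a simplified model of a TCP listener that walks through the three-way handshake described above, once with a conventional half-open queue and once with SYN cookies, and then subjects both to a constructed flood of SYNs that are never followed by an ACK. The cookie construction (an HMAC over the 4-tuple and a slowly changing counter, with the counter’s low byte packed into the top of the sequence number) follows the general idea of SYN cookies but is a simplified assumption for this example; class and function names, the backlog size, and all addresses are hypothetical.

```python
import hashlib
import hmac
import secrets

MASK32 = 0xFFFFFFFF
BACKLOG = 4                        # half-open queue size (small, to show exhaustion)
SECRET = secrets.token_bytes(32)   # server-side secret used to MAC the cookie


def cookie_isn(client_ip, client_port, server_ip, server_port, counter, secret=SECRET):
    """Derive the server's initial sequence number from the connection 4-tuple and a
    slowly changing counter, so the server can later recognise its own value in the
    client's ACK without keeping any per-connection state."""
    msg = f"{client_ip}:{client_port}>{server_ip}:{server_port}|{counter}".encode()
    mac24 = int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")
    return (((counter & 0xFF) << 24) | mac24) & MASK32


class Listener:
    """Simplified TCP listener: stateful half-open queue or stateless SYN cookies."""

    def __init__(self, ip, port, use_syn_cookies, counter=0):
        self.ip, self.port = ip, port
        self.use_syn_cookies = use_syn_cookies
        self.counter = counter          # a real stack ticks this from the clock
        self.half_open = {}             # (client_ip, client_port) -> server ISN
        self.established = set()
        self.dropped = 0

    def on_syn(self, cip, cport, client_seq):
        """Step 1 -> 2: answer a SYN with (server_seq, ack = client_seq + 1), or None if dropped."""
        if self.use_syn_cookies:
            isn = cookie_isn(cip, cport, self.ip, self.port, self.counter)
            return isn, (client_seq + 1) & MASK32          # nothing stored
        if len(self.half_open) >= BACKLOG:
            self.dropped += 1                              # queue full: SYN is lost
            return None
        isn = secrets.randbelow(1 << 32)
        self.half_open[(cip, cport)] = isn                 # memory held until ACK/timeout
        return isn, (client_seq + 1) & MASK32

    def on_ack(self, cip, cport, ack_num):
        """Step 3: the final ACK must carry server ISN + 1; only then is state allocated."""
        if self.use_syn_cookies:
            for c in (self.counter, self.counter - 1):     # tolerate one counter tick
                expected = (cookie_isn(cip, cport, self.ip, self.port, c) + 1) & MASK32
                if ack_num == expected:
                    self.established.add((cip, cport))
                    return True
            return False
        isn = self.half_open.pop((cip, cport), None)
        if isn is None or ack_num != (isn + 1) & MASK32:
            return False
        self.established.add((cip, cport))
        return True


def simulate(use_syn_cookies, flood_size=50):
    """Flood the listener with SYNs that never complete, then try a legitimate handshake."""
    srv = Listener("203.0.113.10", 443, use_syn_cookies)
    for i in range(flood_size):                            # constructed spoofed sources
        srv.on_syn(f"198.51.100.{i % 250}", 40000 + i, client_seq=i)
    reply = srv.on_syn("192.0.2.7", 51515, client_seq=1000)
    result = {"half_open": len(srv.half_open), "dropped": srv.dropped}
    if reply is None:
        result["legit_connected"] = False                  # legitimate SYN was dropped
        return result
    server_isn, _ = reply
    result["legit_connected"] = srv.on_ack("192.0.2.7", 51515, (server_isn + 1) & MASK32)
    # An ACK with a guessed number, never preceded by a SYN-ACK, must be rejected
    result["forged_accepted"] = srv.on_ack("192.0.2.8", 51516, 12345)
    return result


if __name__ == "__main__":
    print("stateful :", simulate(False))
    print("cookies  :", simulate(True))
```

With the conventional queue, the first four spoofed SYNs fill the backlog and every later SYN, including the legitimate one, is dropped; with SYN cookies the listener holds no half-open state at all, the legitimate client completes the handshake, and an ACK that does not carry a valid cookie is rejected. Real implementations encode a little more (such as the negotiated MSS) into the cookie and enable it only once the queue is under pressure, but the state-free verification shown here is the core of the defence.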
Finally, DDoS protection services do not just help mitigate and prevent the havoc wreaked by an attack; they can outright undermine it. If the attacker’s intent is to force your website offline, many service providers will use an Anycast DNS routing mechanism.
This process essentially crowdsources servers: any request to an IP address can be answered not by a single server but by any server on the network that advertises it. This way, even if one server becomes overwhelmed, others can chip in to keep your business up and running.
In the same way that attackers are looking for small queries that create large, unmanageable floods of data, a solid defense against a DDoS attack is the cumulative effect of small but powerful measures.