What’s a (D)DoS “(Distributed) Denial of Service” and how to protect against such an attack – technical.

January 22, 2024

Introduction

The topics “Denial of Service” (DoS) and “Distributed Denial of Service” (DDoS) are always hot because such an attack can happen at any time, against any service, at any layer. To understand what a (D)DoS is, let us explain what a “service” is, which attacks are possible and why a denial of service attack can happen at any time against any service.

This is the second, technical part of a two-part series; the first part is: What’s a (D)DoS and how to protect against such an attack – non technical.

Picture

The goal of a (D)DoS is to deny the delivery of the service to the end user.

This can happen in many different ways, as we will see in this article when I go through the different layers. An easy example would be to just shut down the HTTP endpoint which is serving the website, so the end user can’t reach the service.

An easy example of a DDoS would be (if we assume a service which can take n requests per second) to create n requests per second from different devices, so no capacity is left for others to use the service.

Key difference between DoS and DDoS: a DDoS has a lot of distributed infrastructure on the attacker side and it always has a “brute-force” aspect in overloading the service.

The picture tries to highlight the different aspects of a (D)DoS attack. You can see the target that should be taken down, the different devices and controllers, IT and humans, and some of the technologies involved.

In the picture you can see on the left-hand side the people who want the service to stop working, which is the main goal of a (D)DoS. These people manage the “Command and Control” part, which controls the different devices in the “Devices for DDoS Attacks” box. All devices are mostly connected via the internet to attack the target service. The attacked service could implement different defense strategies, which will be shown in the next article covering the (D)DoS topic.

Technical

Overview

Here is now the technical part, which is the most discussed part of the (D)DoS topic in the IT world on the Internet. The list shows the different layers from the technical point of view.

  • Attack vector from Network point of view
  • Attack vector from TLS (old SSL) point of view
  • Attack vector from Application point of view
  • Person

The picture shows the different layers of an application request and therefore also of an attacker’s request. As you can see, the TLS protocol is an additional layer underneath the application protocol, like HTTP or some other protocols.

Source: D. SSL/TLS Overview – wolfSSL Manual

Attack vector from Network point of view

From a network point of view the attack can happen on all layers of the TCP/IP model. The network attacks can happen on any network layer.

For IP, one of the attacks is IP source address spoofing, which tells the target that the attacker has a different IP than the attacker’s real IP.

The network is one of the lowest attack levels. As you can see in the picture above there are some lower levels available, but I start with the IP/TCP/UDP layers. Nowadays most connections are based on IP and TCP or UDP. Of course there are more protocols out there, but I think this is the most widely used combination in the consumer world nowadays.

There are enormous possibilities to attack IP, TCP and UDP. I will not go into all possible attacks, as there are several other good resources about this topic out there.

One example of a network attack vector is Border Gateway Protocol (BGP) hijacking, which is on the level of network and routing. BGP is one of the most used routing protocols and is necessary for network traffic to be routed to the target autonomous system (AS). BGP works with prefix announcements, so that the network neighbors know how to reach the destination AS. When an attacker now sends an announcement for a more specific prefix (a smaller network range than the legitimate one, which routers prefer), the traffic is sent to the hijacked system instead of the real target system.

Possible Protection

There are several possible protections against IP spoofing, like a firewall, network routers and some other solutions. In the end the protection level here is the network component level; even when you use a Software-defined network (SDN), the attack is on the network level.

The Resource Public Key Infrastructure (RPKI) is one of the options to protect against BGP hijacking attacks. I’m pretty sure that the network guru on your site has much more protection knowledge than this blog can give you, so my suggestion is to ask the experienced persons what other options are possible in your network setup.
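As an added illustration (not code from the post), the following Python simulates the longest-prefix match that lets a hijacker’s more specific announcement win, and the RPKI Route Origin Validation that rejects it before route selection; the AS numbers, prefixes and the ROA are constructed example values.

```python
from ipaddress import ip_address, ip_network

# Constructed announcements: (prefix, origin AS). AS 64500 legitimately
# announces 203.0.113.0/24; AS 64666 (the hijacker) announces a more
# specific /25 inside it. Example numbers only (RFC 5398 ASNs, RFC 5737 IPs).
ANNOUNCEMENTS = [("203.0.113.0/24", 64500), ("203.0.113.0/25", 64666)]

# Route Origin Authorizations published via RPKI by the prefix holder:
# (prefix, maximum prefix length, authorized origin AS).
ROAS = [("203.0.113.0/24", 24, 64500)]


def best_route(announcements, destination):
    """Longest-prefix match: the most specific announcement covering the
    destination wins, which is exactly what a hijack exploits."""
    dst = ip_address(destination)
    covering = [(ip_network(p), asn) for p, asn in announcements
                if dst in ip_network(p)]
    if not covering:
        return None
    net, asn = max(covering, key=lambda c: c[0].prefixlen)
    return str(net), asn


def rpki_validate(prefix, origin_as, roas):
    """Route Origin Validation (RFC 6811): 'valid' if a covering ROA names
    this origin and the prefix is not longer than its max length, 'invalid'
    if ROAs cover the prefix but none match, 'unknown' if no ROA covers it."""
    net = ip_network(prefix)
    covering = [(maxlen, asn) for rp, maxlen, asn in roas
                if net.subnet_of(ip_network(rp))]
    if not covering:
        return "unknown"
    if any(asn == origin_as and net.prefixlen <= maxlen
           for maxlen, asn in covering):
        return "valid"
    return "invalid"


def rov_filter(announcements, roas):
    """Drop RPKI-invalid announcements before route selection."""
    return [(p, asn) for p, asn in announcements
            if rpki_validate(p, asn, roas) != "invalid"]


if __name__ == "__main__":
    dst = "203.0.113.10"
    print("without ROV:", best_route(ANNOUNCEMENTS, dst))  # hijacker's /25 wins
    print("with ROV:   ", best_route(rov_filter(ANNOUNCEMENTS, ROAS), dst))
```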

Attack vector from Application point of view

This is one of the commonly known levels because a lot of services are on this level, like BGP, SMTP/IMAP (e-mail), HTTP, the PostgreSQL client protocol and many more protocols.

From my point of view this is the weakest level, because on this level “everybody” wants to be part of it, something similar to Parkinson’s law.

Let me explain why I think that the application layer fits Parkinson’s law. The business layer is, from my point of view, the reason why the whole setup exists. Due to that fact there are business requirements or ideas which come from the everyday usage of the application; there are always security requirements; and the used technologies, libraries and tools get newer versions and should be updated. Now the big discussion will be about the business requirement, but the discussion about updating the used libraries will be short or not even held, because only a small group of people have the knowledge for deeper discussions. This leads to the fact that the libraries and tools are very seldom updated, which opens the door for vulnerabilities like the widely known Log4j vulnerability CVE-2021-44228.

In “the weak part” are all the “famous” attacks like SQL injection, parameter overloading and all other known and unknown attacks. To “fix” the problem, security should be built in from the beginning of the development, test and run process. There is a group which specialises in web security, called the Open Worldwide Application Security Project (OWASP), and it publishes a nice Top Ten list of common non-mitigated security risks.

Possible Protection

There are several tools out there which are able to protect the application against some attacks, like HAProxy, Nginx and some commercial products. Let me explain here the protection options of the OpenShift Router, which is the default Ingress controller for OpenShift.

With the OpenShift Router it is possible to set up “rate-limit-connections” via Route-specific annotations. This protection only works if the OpenShift Router is on the edge, so that it gets the client IP address of a possible attacker, or if the edge router sends the client IP via the Proxy Protocol to HAProxy. This could also be configured in the OpenShift Container Platform Ingress Operator.
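To show why the router needs the real client IP, here is an added Python simulation (not OpenShift or HAProxy code) of a per-source-IP limit of the kind the `haproxy.router.openshift.io/rate-limit-connections` annotations enforce; the traffic, the edge-router address 10.0.0.1 and the bot addresses are constructed for the example. It also covers the distributed case from the introduction, where the same request volume spread over many source IPs stays below every per-IP limit.

```python
from collections import defaultdict, deque

# Constructed traffic (RFC 5737 example addresses): one attacker sends ten
# requests per second, three legitimate clients send one per second each.
ATTACKER = "203.0.113.66"
CLIENTS = ["198.51.100.1", "198.51.100.2", "198.51.100.3"]
EDGE_IP = "10.0.0.1"  # hypothetical edge load balancer in front of the router


def make_traffic(seconds=3):
    """Requests as (time in ms, source IP as seen by HAProxy, real client)."""
    reqs = []
    for s in range(seconds):
        reqs += [(s * 1000 + 500, ip, ip) for ip in CLIENTS]
        reqs += [(s * 1000 + k * 100, ATTACKER, ATTACKER) for k in range(10)]
    return sorted(reqs)


def rate_limit(requests, max_per_second):
    """Sliding one-second window per *seen* source IP (the idea behind the
    rate-limit-connections annotations); returns {client: (allowed, rejected)}."""
    windows = defaultdict(deque)
    stats = defaultdict(lambda: [0, 0])
    for ts, seen_ip, client in requests:
        w = windows[seen_ip]
        while w and ts - w[0] >= 1000:   # drop requests older than one second
            w.popleft()
        if len(w) < max_per_second:
            w.append(ts)
            stats[client][0] += 1
        else:
            stats[client][1] += 1
    return {c: tuple(v) for c, v in stats.items()}


def without_proxy_protocol(requests):
    """Router not on the edge and no Proxy Protocol: every request carries the
    edge router's address, so HAProxy sees one client and limits everybody."""
    return [(ts, EDGE_IP, client) for ts, _, client in requests]


def distributed(requests, bots=10):
    """DDoS variant: the same attack volume spread over `bots` source IPs."""
    out, n = [], 0
    for ts, ip, client in requests:
        if client == ATTACKER:
            ip, n = f"203.0.113.{10 + n % bots}", n + 1
        out.append((ts, ip, client))
    return out
```

With a limit of three requests per second the attacker is cut to 3 of its 10 requests per second while the three clients are untouched; with the edge router's IP on every request the clients are rejected outright, and with the attack spread over ten bot IPs nothing is rejected at all.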

TLS encryption is the first line of defense for the application layer, but not the only one and not enough to protect the application. From my point of view, one of the best protections is input validation at the earliest possible point in the application. The difficult part is to define what a valid input for the specific application is. Another valid protection is a web application firewall (WAF), which could be a good protection, but from my experience a lot of organizations just put the WAF in front to have the security tick ✅ and do not configure it to protect the application.

Another mitigation against application attacks, from my point of view one of the most important and easiest, is frequent updates of the used libraries and tools, and this is, from my experience, the most unwanted part in enterprise setups nowadays.

Person (OSI Layer 8)

This layer isn’t really technical, but I wanted to highlight that people are involved at several levels of a (D)DoS attack, also at the technical level. The section Social in the first part of this two-part series describes the attack on this level.

Conclusion

As you have seen in this blog post, the topic (D)DoS is not only a technical topic but also a business and social one. That’s one of the reasons why I think that security is not only a topic for some people of a company or community; it’s a topic for all people, from top to bottom, bottom to top, left to right and right to left.