DDoS QUICK GUIDEOctober 2020DISCLAIMER: This advisory is provided “as is” for informational purposes only. DHS/CISA does not provide anywarranties of any kind regarding any information contained within. DHS/CISA does not endorse any commercialproduct or service, referenced in this advisory or otherwise. Further dissemination of this advisory is governed bythe Traffic Light Protocol (TLP) marking in the footer. For more information about TLP, see POSSIBILITIES BY OSI LAYEROSI LayerProtocolData Unit(PDU)Application Layer(7)DataLayer DescriptionProtocolsExamples of Denial ofService Techniques atEach LevelPotentialMitigation Options for AttackImpact of DoSTypeAttackMessage andpacket creationbegins. DB accessis on this level.End-user protocolssuch as FTP,SMTP, Telnet, andRAS work in thislayer.Uses theProtocols FTP,HTTP, POP3, &SMTP and itsdevice is theGatewayPDF GET requests,HTTP GET, HTTP POST, website forms (login,uploading photo/video,submitting feedback)Reach resourcelimits ofservicesResourcestarvationApplication monitoring is thepractice of monitoringsoftware applications usingdedicated set of algorithms,technologies, and approachesto detect zero day andapplication layer (Layer 7attacks). Once identified theseattacks can be stopped andtraced back to a specificsource more easily than othertypes of DDoS attacks.PresentationLayer (6)DataTranslates the dataformat from senderto receiver.Use the ProtocolsCompression &EncryptionMalformed SSLRequests – InspectingSSL encryption packetsis resource intensive.Attackers use SSL totunnel HTTP attacks totarget the serverThe affectedsystems couldstop acceptingSSL connectionsor automaticallyrestartTo mitigate, consider optionslike offloading the SSL fromthe origin infrastructure andinspecting the applicationtraffic for signs of attackstraffic or violations of policy atan applications deliveryplatform (ADP). A good ADPwill also ensure that yourtraffic is then re-encryptedand forwarded back to theorigin infrastructure withunencrypted content only everresiding in protected memoryon a secure bastion host.Session (5)DataGovernsestablishment,termination, andsync of sessionwithin the OS overthe network (ex:when you log offand on)Use the ProtocolLogon/LogoffTelnet DDoS-attackerexploits a flaw in aTelnet server softwarerunning on the switch,rendering Telnetservices unavailablePreventsadministratorfrom performingswitchmanagementfunctionsCheck with your hardwareprovider to determine ifthere’s a version update orpatch to mitigate thevulnerabilityTLP: WHITECISA DEFEND TODAY, SECURE ny/[email protected] @cyber @uscert[email protected]

DDoS Quick GuideATTACK POSSIBILITIES BY OSI LAYEROSI LayerProtocolData Unit(PDU)Layer DescriptionTransport (4)SegmentNetwork (3)Data Link (2)Physical (1)ProtocolsExamples of Denial ofService Techniques atEach LevelPotentialMitigation Options for AttackImpact of DoSTypeAttackEnsures error-freetransmissionbetween hosts:managestransmission ofmessages fromlayers 1 through 3Uses theProtocols TCP &UDPSYN Flood, SmurfAttackReachbandwidth orconnectionlimits of hostsor networkingequipmentDDoS attack blocking,commonly referred to asblackholing, is a methodtypically used by ISPs to stop aDDoS attack on one of itscustomers. This approach toblock DDoS attacks makesthe site in question completelyinaccessible to all traffic, bothmalicious attack traffic andlegitimate user traffic. Blackholding is typically deployed bythe ISP to protect othercustomers on its network fromthe adverse effects of DDoSattacks such as slow networkperformance and disruptedservicePacketDedicated torouting andswitchinginformation todifferent networks.LAN orinternetworksUses the ProtocolsIP, ICMP, ARP, &RIP and usesRouters as itsdeviceICMP Flooding – ALayer 3 infrastructureDDoS attack methodthat uses ICMPmessages to overloadthe targeted network’sbandwidthCan affectavailablenetworkbandwidth andimpose extraload on thefirewallRate-limit ICMP traffic andprevent the attack fromimpacting bandwidth andfirewall performanceFrameEstablishes,maintains, anddecides how thetransfer isaccomplished overthe physical layerUses the Protocols802.3 & 802.5and it’s devicesare NICs, switchesbridges & WAPsMAC flooding –inundates the networkswitch with data packetsDisrupts theusual sender torecipient flow ofdata – blastingacross all portsMany advances switches canbe configured to limit thenumber of MAC addressesthat can be learned on portsconnected to end stations;allow discovered MACaddresses to be authenticatedagainst an authentication,authorization and accounting(AAA) server and subsequentlyfilteredBitsIncludes, but notlimited to cables,jacks, and hubsUses the Protocols100 Base-T &1000 Base-X anduses Hubs, patchpanels, & RJ45Jacks as devicesPhysical destruction,obstruction,manipulation, ormalfunction of physicalassetsPhysical assetswill becomeunresponsiveand may need tobe repaired toincreaseavailabilityPractice defense in-depthtactics, use access controls,accountability, and auditing totrack and control physicalassetsTLP: WHITECISA DEFEND TODAY, SECURE TOMORROW [email protected] @cyber @uscert[email protected]

DDoS Quick GuidePOSSIBLE DDoS TRAFFIC TYPESHTTP HeaderHTTP headers are fields which describe which resources are requested, such as URL, a form, JPEG, etc. HTTPheaders also inform the web server what kind of web browser is being used. Common HTTP headers are GET,POST, ACCEPT, LANGUAGE, and USER AGENT. The requester can insert as many headers as they want and canmake them communication specific. DDoS attackers can change these and many other HTTP headers to makeit more difficult to identify the attack origin. In addition, HTTP headers can be designed to manipulate cachingand proxy services. For example, is it possible to ask a caching proxy to not cache the information.HTTP POST FloodAn HTTP POST Flood is a type of DDoS attack in which the volume of POST requests overwhelms the server sothat the server cannot respond to them all. This can result in exceptionally high utilization of system resourcesand consequently crash the server.HTTP POST RequestAn HTTP POST Request is a method that submits data in the body of the request to be processed by the server.For example, a POST request takes the information in a form and encodes it, then posts the content of theform to the server.HTTPS Post FloodAn HTTPS POST Flood is an HTTP POST flood sent over an SSL session. Due to the use of SSL it is necessary todecrypt this request in order to inspect it.HTTPS POST RequestAn HTTPS POST Request is an encrypted version of an HTTP POST request. The actual data transferred backand forth is encryptedHTTPS GET FloodAn HTTPS GET Flood is an HTTP GET flood sent over an SSL session. Due to the SSL, it is necessary to decryptthe requests in order to mitigate the flood.HTTPS GET RequestAn HTTPS GET Request is an HTTP GET Request sent over an SSL session. Due to the use of SSL, it is necessaryto decrypt the requests in order to inspect it.HTTP GET FloodAn HTTP GET Flood is a layer 7 application layer DDoS attack method in which attackers send a huge flood ofrequests to the server to overwhelm its resources. As a result, the server cannot respond to legitimaterequests from the server.HTTP GET RequestAn HTTP GET Request is a method that makes a request for information for the server. A GET request asks theserver to give you something such as an image or script so that it may be rendered by your browsers.SYN Flood (TCP/SYN)SYN Flood works by establishing half-open connections to a node. When the target receives a SYN packet to anopen port, the target will respond with a SYN-ACK and try to establish a connection. However, during a SYNflood, the three-way handshake never completes because the client never responds to the server's SYN-ACK.As a result, these "connections" remain in the half-open state until they time out.UDP FloodUDP floods are used frequently for larger bandwidth DDoS attacks because they are connectionless and it iseasy to generate protocol 17 (UDP) messages from many different scripting and compiled languages.ICMP FloodInternet Control Message Protocol (ICMP) is primarily used for error messaging and typically does not exchangedata between systems. ICMP packets may accompany TCP packets when connecting to a sever. An ICMP floodis a layer 3 infrastructure DDoS attack method that uses ICMP messages to overload the targeted network'sbandwidth.MAC FloodA rare attack, in which the attacker sends multiple dummy Ethernet frames, each with a different MACaddress, Network switches treat MAC addresses separately, and hence reserve some resources for eachrequest. When all the memory in a switch is used up, it either shuts down or becomes unresponsive. In a fewtypes of routers, a MAC flood attack may cause these to drop their entire routing table, thus disrupting thewhole network under its routing domain.TLP: WHITECISA DEFEND TODAY, SECURE TOMORROW [email protected] @cyber @uscert[email protected]

DDoS Quick GuideGLOSSARYDenial of ServiceThe core concepts of cyber security are availability, integrity, and confidentiality. Denial of Service (DoS)attacks impact the availability of information resources. The DoS is successful if it renders informationresources unavailable. Success and impact differ in that impact is relative to the victim. For example, if anactor DoS's a website belonging to a company that relies on e-commerce to drive their business operations, thecompany may experience financial losses if the DoS is sustained for a period of time. The risk, threat, andimpact levels for DoS activity are determined on a case by case basis.Layer 3 and Layer 4DDoS AttacksLayer 3 and Layer 4 DDoS attacks are types of volumetric DDoS attacks on a network infrastructure Layer 3(network layer) and 4 (transport layer) DDoS attacks rely on extremely high volumes (floods) of data to slowdown web server performance, consume bandwidth, and eventually degrade access for legitimate users. Theseattack types typically include ICMP, SYN, and UDP floods.Layer 7 DDoS AttackA Layer 7 DDoS attack is an attack structured to overload specific elements of an application serverinfrastructure. Layer 7 attacks are especially complex, stealthy, and difficult to detect because they resemblelegitimate website traffic. Even simple Layer 7 attacks--for example those targeting login pages with randomuser IDs and passwords, or repetitive random searches on dynamic websites--can critically overload CPUs anddatabases. Also, DDoS attackers can randomize or repeatedly change the signatures of a Layer 7 attack,making it more difficult to detect and mitigate.itsoknoproblembroThe name given to a suite of malicious PHP scripts discovered on multiple compromised hosts. The mainfunctionalities appear to be file uploads, persistence, and DDoS traffic floods. The itsoknoproblembro toolkitincludes multiple infrastructure and application-later attack vectors, such as SYN floods, that cansimultaneously attack multiple destination ports and targets, as well as ICMP, UDP, SSL encrypted attack types.A common characteristic of the attacks is a large UDP flood targeting DNS infrastructure. Uniquely, the attackingbotnet contains many legitimate (non-spoofed) IP addresses, enabling the attack to bypass most anti-spoofingmechanisms.PHP Shell, PHPWebshellA script in the PHP language that can execute commands, view files, and perform other system administrativetasks. PHP shells are often used to take control of web servers via web application vulnerabilities.ProxyA proxy is a network device which terminates incoming traffic and then creates a new communication sessionwhich is used to send the traffic to the actual destination. The proxy fits between the requestor and the serverand mediate all of the communication between the two. Examples of proxy technologies are content switchesand load balancers. Proxy servers are most often used for the DNS requests, HTTPS, and HTTP. When HTTPS isbeing proxied, the proxy server itself must have copies of the public certificate which includes the public keyand the private key so it can effectively terminate the SSL/TLS requests. Mitigating Layer 7 DDoS attacks issometimes carried out using proxies.Infrastructure DDoSAttackAn infrastructure attack is a DDoS attack that overloads the network infrastructure by consuming large amountsof bandwidth, for example by making excessive connection requests without responding to confirm theconnection, as in the case of a SYN flood. A proxy server can protect against these kinds of attacks by usingcryptographic hashtags and SYN cookies.DNS AmplificationAttackA Domain Name Server (DNS) Amplification attack is a popular form of Distributed Denial of Service (DDoS), inwhich attackers use publicly accessible open DNS servers to flood a target system with DNS response traffic.The primary technique consists of an attacker sending a DNS name lookup request to an open DNS serverwith the source address spoofed to be the target’s address. When the DNS server sends the DNS recordresponse, it is sent instead to the target.TLP: WHITECISA DEFEND TODAY, SECURE TOMORROW [email protected] @cyber @uscert[email protected]

DDoS Quick GuideMITIGATING LARGE SCALE DoS/DDoS ATTACKSDEVICELAYEROPTIMIZED FORDOS PROTECTIONSFirewall4-7Flow Inspection, Deep InspectionScreen, Session Limits, Syn CookieRouter3-4Packet Inspection, Frame InspectionLine-Rate ACLs, Rate LimitsSome DDoS Mitigation Actions and Hardware Stateful Inspection Firewalls Stateful SYN Proxy Mechanisms Limiting the number of SYNs per second per IP Limiting the number of SYNs per second per destination IP Set ICMP flood SCREEN settings (thresholds) in the firewall Set UDP flood SCREEN settings (thresholds) in the firewall Rate limit routers adjacent to the firewall and /2008/09/801003 s.pdf flooding 7 gov/ncas/alerts/TA13-088ATLP: WHITECISA DEFEND TODAY, SECURE TOMORROW [email protected] @cyber @uscert[email protected]

DDoS attack blocking, commonly referred to as blackholing, is a method typically used by ISPs to stop a DDoS attack on one of its customers. This approach to block DDoS attacks makes the site in question completely inaccessible to all traffic, both malicious attack traffic and legiti