It was the closest event to a cyber Pearl Harbor attack that had ever been conducted in history, and it occurred first on Sept. 22, 2016 and then again with a vengeful brute force attack on Oct. 1. The weapon of choice was a malware strain, or bot, named “Mirai,” which means “future” in Japanese. This was a classic massive Distributed Denial of Service (DDoS) attack, at over 1 terabit per second (Tbps), that crippled millions of Internet-connected devices, servers and computers across almost half of the U.S. and parts of Europe. The intended target was Dyn, Incorporated, an Internet performance management company.
Almost immediately following the first event, a hacker using the pseudonym Anna-senpai leaked the Mirai source code on the Hackforums web site. The bot first scans for Internet-connected devices (i.e., Internet of Things (IoT) devices, routers, IP cameras, etc.) and attempts to gain access to and control of each device by trying the factory-default usernames and passwords. In the final step the bot installs malware on the devices it has opened, then bombards the Domain Name System (DNS) provider with a massive number of simultaneous requests.
There are three major categories of DDoS attacks:
- Application – exploits Layer 7 protocol stack weaknesses and is the most sophisticated and the most challenging to identify and mitigate. This type of attack mimics legitimate human web traffic. Examples include DNS attacks and HTTP Flood.
- Protocol – renders a target inaccessible by exploiting Layer 3 and Layer 4 protocol stack weaknesses. Examples include Ping of Death and SYN Flood.
- Volumetric – massive traffic saturation and bandwidth consumption, easy to generate with simple amplification techniques. This is the most popular category, with some industry sources claiming that 65 percent of DDoS attacks fall under it. Examples include TCP Flood, DNS Amplification, UDP Flood and NTP Amplification.
There are many specific DDoS attack methods that target particular vulnerabilities and weaknesses. The U.S. Computer Emergency Readiness Team (US-CERT) provides a DDoS Quick Guide that is a valuable tool in anti-DDoS defense. Some examples include the following methods:
- SYN Flood: floods a host with TCP synchronize (SYN) messages to exploit a weakness in the 3-way TCP handshake
- Ping of Death: repeatedly sends oversized (maximum-size) packets until the target shuts down
- Internet Control Message Protocol (ICMP) flood: bombards a target with ICMP echo requests to degrade services and DNS
- HTTP GET Flood: similar to an ICMP flood except that it is meant to mimic human web surfing
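The three flood patterns above leave recognizable traces in per-source traffic statistics: SYN floods show SYNs that are never followed by ACKs, ICMP floods and Ping of Death show high echo-request rates or illegally large ICMP packets, and HTTP GET floods show request rates no human browser produces. The following detector is an added example (not from the original article or from US-CERT's guide); the flow-record format, the sample traffic and the thresholds are all constructed assumptions, and real thresholds must be tuned to the environment's normal baseline.

```python
"""Per-source DDoS pattern detection over constructed flow records.

Record format (assumed for this example): "<ts> <src_ip> <proto> <detail> <len>"
  proto/detail pairs used: tcp SYN|ACK, icmp echo, http GET
"""
from collections import Counter, defaultdict

# Detection thresholds per source within one window (assumed illustrative values).
WINDOW_SECONDS = 10
SYN_THRESHOLD = 50          # SYNs per window from one source
HALF_OPEN_RATIO = 0.2       # ACK/SYN below this means handshakes never complete
ICMP_THRESHOLD = 100        # echo requests per window
GET_THRESHOLD = 200         # HTTP GETs per window
MAX_ICMP_PAYLOAD = 65507    # largest legal ICMP payload over IPv4; above = Ping of Death style


def parse_record(line):
    """Parse one constructed flow line into a dict."""
    ts, src, proto, detail, length = line.split()
    return {"ts": float(ts), "src": src, "proto": proto,
            "detail": detail, "len": int(length)}


def window_key(ts):
    """Bucket a timestamp into a fixed-size window."""
    return int(ts // WINDOW_SECONDS)


def classify(records):
    """Return {(src, window): set of verdict strings} for sources that trip a rule."""
    stats = defaultdict(Counter)   # (src, window) -> Counter of (proto, detail)
    oversized = set()              # (src, window) keys that sent an oversized ICMP packet
    for r in records:
        key = (r["src"], window_key(r["ts"]))
        stats[key][(r["proto"], r["detail"])] += 1
        if r["proto"] == "icmp" and r["len"] > MAX_ICMP_PAYLOAD:
            oversized.add(key)

    verdicts = {}
    for key, c in stats.items():
        found = set()
        syn, ack = c[("tcp", "SYN")], c[("tcp", "ACK")]
        # Many SYNs with almost no ACKs: handshakes left half-open.
        if syn >= SYN_THRESHOLD and ack / syn < HALF_OPEN_RATIO:
            found.add("syn_flood")
        if c[("icmp", "echo")] >= ICMP_THRESHOLD:
            found.add("icmp_flood")
        if key in oversized:
            found.add("oversized_icmp")
        if c[("http", "GET")] >= GET_THRESHOLD:
            found.add("http_get_flood")
        if found:
            verdicts[key] = found
    return verdicts


def detect(lines):
    """Convenience wrapper: parse text lines, then classify."""
    return classify(parse_record(line) for line in lines)


def build_sample_lines():
    """Constructed traffic: three abusive sources and one benign client, all in window 0."""
    lines = []
    # 203.0.113.5: 80 SYNs but only 2 ACKs -> half-open connections
    lines += [f"{i * 0.1:.1f} 203.0.113.5 tcp SYN 60" for i in range(80)]
    lines += [f"{i * 0.1 + 0.05:.2f} 203.0.113.5 tcp ACK 60" for i in range(2)]
    # 203.0.113.9: 120 echo requests plus one illegally large ICMP packet
    lines += [f"{i * 0.05:.2f} 203.0.113.9 icmp echo 84" for i in range(120)]
    lines.append("1.0 203.0.113.9 icmp echo 70000")
    # 198.51.100.7: 250 HTTP GETs in five seconds
    lines += [f"{i * 0.02:.2f} 198.51.100.7 http GET 300" for i in range(250)]
    # 192.0.2.10: normal client, every SYN is followed by an ACK, a few GETs
    for i in range(5):
        lines.append(f"{i:.1f} 192.0.2.10 tcp SYN 60")
        lines.append(f"{i + 0.01:.2f} 192.0.2.10 tcp ACK 52")
    lines += [f"{i:.1f} 192.0.2.10 http GET 300" for i in range(3)]
    return lines


if __name__ == "__main__":
    for (src, win), verdict in sorted(detect(build_sample_lines()).items()):
        print(f"window {win} source {src}: {', '.join(sorted(verdict))}")
```

The ACK/SYN ratio is what separates a SYN flood from a busy but legitimate client: a real client completes its handshakes, so its ACK count tracks its SYN count even when its absolute SYN rate is high.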
Cyber attacks, and DDoS attacks in particular, are very costly and can have serious consequences for any business or organization, especially data centers. For the data center manager, this means long-term damage to brand and reputation, contract breaches and violations, loss of revenue, loss of DNS services, and loss of customer loyalty and credibility.
What can the data center manager do to implement anti-DDoS defense? Begin by identifying the attack vectors and key applications, which ports are open, the network bottlenecks, the bandwidth requirements, and a decentralized model for the infrastructure.
Considerations for anti-DDoS defense include the following:
- First layer of defense:
  - Logically and physically disperse all infrastructure assets
  - Adaptive mitigation techniques to attenuate cyber attacks
  - Endpoint Access Control Lists (ACLs) to selectively permit or deny volumetric traffic
- Second layer of defense:
  - DDoS mitigation hardware and software focused on TCP-based attacks
- Third layer of defense:
  - Upgrade to a stateful DDoS-grade firewall for TCP/UDP attacks
  - Full virtualization (e.g., VPS, VMware, Hyper-V, AWS, Xen)
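The first-layer items above combine a static ACL (permit or deny by source) with adaptive mitigation that attenuates a source once its traffic rate exceeds what a legitimate client would send. The model below is an added example written for this article, not the configuration of any particular mitigation appliance; it implements the per-source token bucket that such devices commonly use, with integer "millitoken" arithmetic so the arithmetic is exact. The rates, burst size and the constructed arrival pattern are assumptions chosen for illustration.

```python
"""Per-source ACL plus token-bucket rate limiting (added example, not vendor code).

Each source gets a bucket holding up to `burst` tokens, refilled at `rate`
tokens per second. Every packet costs one token; a source with an empty bucket
is denied until it refills. Deny-listed sources are always dropped, allow-listed
sources bypass the limiter. Tokens are kept as integer millitokens (1 token =
1000 millitokens) and time in integer milliseconds, so no float drift occurs.
"""
from collections import Counter

MILLI = 1000  # millitokens per token


class SourceRateLimiter:
    def __init__(self, rate, burst, deny=(), allow=()):
        self.rate = rate                 # tokens per second == millitokens per millisecond
        self.capacity = burst * MILLI    # bucket ceiling in millitokens
        self.deny = set(deny)
        self.allow = set(allow)
        self.buckets = {}                # src -> (millitokens, last_seen_ms)

    def decide(self, src, now_ms):
        """Return 'permit' or 'deny' for one packet from src arriving at now_ms."""
        if src in self.deny:
            return "deny"
        if src in self.allow:
            return "permit"
        tokens, last = self.buckets.get(src, (self.capacity, now_ms))
        # Refill for the elapsed time, never beyond the burst ceiling.
        tokens = min(self.capacity, tokens + (now_ms - last) * self.rate)
        if tokens >= MILLI:
            self.buckets[src] = (tokens - MILLI, now_ms)
            return "permit"
        self.buckets[src] = (tokens, now_ms)   # keep partial refill, deny this packet
        return "deny"


def simulate(limiter, arrivals):
    """Feed (ts_ms, src) arrivals in time order; return Counter of (src, verdict)."""
    outcome = Counter()
    for ts_ms, src in sorted(arrivals):
        outcome[(src, limiter.decide(src, ts_ms))] += 1
    return outcome


def build_sample_arrivals():
    """Constructed traffic: a flooder, a normal client, a deny-listed and an allow-listed host."""
    arrivals = []
    arrivals += [(i * 10, "203.0.113.5") for i in range(100)]     # 100 packets in 1 s
    arrivals += [(i * 200, "192.0.2.10") for i in range(5)]       # 5 packets in 1 s
    arrivals += [(i * 10, "198.51.100.66") for i in range(20)]    # on the deny ACL
    arrivals += [(i * 1, "192.0.2.200") for i in range(500)]      # monitoring host, allow ACL
    return arrivals


def run_sample():
    """Apply a 10 packets/s, burst 20 policy to the constructed arrivals."""
    limiter = SourceRateLimiter(rate=10, burst=20,
                                deny=["198.51.100.66"], allow=["192.0.2.200"])
    return simulate(limiter, build_sample_arrivals())


if __name__ == "__main__":
    for (src, verdict), n in sorted(run_sample().items()):
        print(f"{src:15} {verdict:6} {n}")
```

With a 10 packets/s rate and a 20-packet burst, the flooding source gets its first burst through and is then held to roughly the configured rate (29 of 100 packets permitted in the sample second), while the normal client, which stays well under the rate, never loses a packet. In production the same logic is applied per source at the network edge, where dropped traffic never reaches the servers being protected.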