Projects Fight to Turn Back DDoS Attacks

Tuesday, February 21, 2017 @ 01:02 PM gHale

Last October, attackers hijacked Internet-connected devices to form a botnet and used it to launch a series of distributed denial of service (DDoS) attacks.

Those October attacks targeted Dyn, a domain name system (DNS) provider that translates human-readable domain names into their numeric Internet protocol (IP) addresses. With Dyn unable to answer queries, numerous popular websites, including Twitter, PayPal, Shopify and The New York Times, became unreachable, affecting millions of users around the world.


To counter such attacks, the Cyber Security Division (CSD) of the DHS Science and Technology Directorate's Homeland Security Advanced Research Projects Agency is funding several research projects.

Until recently, most major DDoS attacks were reflection attacks, in which spoofed requests sent to open servers are bounced and amplified toward the victim. Mirai changed that. The malware conscripts Internet-connected devices into remotely controlled "bots", and attackers can now draw on a wealth of infected IoT devices such as closed-circuit TV cameras and digital video recorders (DVRs) that still carry weak default passwords to assemble huge botnet armies.

As a result, the past six months have seen a dramatic increase in both the intensity and the frequency of DDoS attacks.

Two cases in point came in September last year: a 620 gigabit per second (Gbps) attack on the cybersecurity blog KrebsOnSecurity, and a 1.1 terabit per second (Tbps) assault on OVH, a French Internet service and hosting provider, that may have peaked at 1.5 Tbps.

A Dyn official said the company "observed tens of millions of discrete IP addresses" during the attack. In a postmortem several days later, Dyn said many of those addresses were legitimate users trying to reach affected sites rather than attack sources. More troubling, experts have said, is that as attacks keep growing it is not clear current network infrastructure can withstand the next larger one.

CSD's Distributed Denial of Service Defense (DDoSD) project is spearheading a three-pronged approach to shift the advantage to network infrastructure defenders. Its two primary focuses are increasing deployment of best practices that slow the growth of attack scale, and defending networks against a one Tbps attack by developing collaboration tools that medium-size organizations can use. A third part of the project addresses other kinds of denial of service, such as attacks against 911 and Next Generation 911 emergency management systems.

“The goal of the DDoSD project is to build effective and easily implemented network defenses and promote adoption of best practices by the private sector to bring about an end to the scourge of DDoS attacks,” said Program Manager Daniel Massey. “Our performers are developing exciting new defense approaches that will help organizations defend against very large-scale DDoS attacks.”

The DDoSD project encourages universal adoption of Internet Best Current Practice 38 (BCP 38), issued by the Internet Engineering Task Force. BCP 38 slows the growth of attack scale by having networks block packets with forged source addresses at or near the point where they enter the network, so that spoofed traffic is discarded close to its origin. The University of California San Diego (UCSD) has developed the open source Spoofer toolset, which lets an organization test whether its network deploys BCP 38 correctly and helps it identify and correct gaps. Using this free tool, system administrators and individuals can test whether the network they use allows spoofing.
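To make the BCP 38 rule concrete, here is an added example of the check an access router performs at a customer-facing interface; it is illustrative code written for this article, not the Spoofer toolset or any DHS-funded code. The interface-to-prefix table, the bogon list and the sample packets are constructed for the example.

```python
"""Illustrative BCP 38 / RFC 2827 ingress filter (added example, not the
Spoofer toolset and not vendor router code).

A router that knows which prefixes sit behind each customer-facing
interface drops any packet whose source address is not in that
interface's assigned set.  Spoofed packets are discarded at the first
hop, before they can be amplified or reflected at someone else.
"""
import ipaddress

# Constructed interface-to-prefix table (assumption: what a small access
# router's configuration might contain).  Documentation prefixes only.
INTERFACE_PREFIXES = {
    "cust-A": ["192.0.2.0/24", "2001:db8:a::/48"],
    "cust-B": ["198.51.100.0/25"],
}

# Sources that are never valid on a customer interface: private, loopback,
# link-local, unspecified and multicast ranges ("bogons").  Kept apart from
# the customer table because it applies to every interface.
BOGON_PREFIXES = [
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::/128", "::1/128", "fe80::/10", "ff00::/8",
]


class IngressFilter:
    def __init__(self, interface_prefixes, bogons=BOGON_PREFIXES):
        self.allowed = {
            iface: [ipaddress.ip_network(p) for p in prefixes]
            for iface, prefixes in interface_prefixes.items()
        }
        self.bogons = [ipaddress.ip_network(p) for p in bogons]

    def verdict(self, iface, src):
        """Return ('accept' | 'drop', reason) for a packet with source
        address `src` arriving on interface `iface`."""
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            return ("drop", "unparseable source address")
        if iface not in self.allowed:
            return ("drop", "unknown interface")
        # `addr in net` is False when address and network families differ,
        # so mixed IPv4/IPv6 tables need no special casing.
        if any(addr in net for net in self.bogons):
            return ("drop", "bogon source")
        if any(addr in net for net in self.allowed[iface]):
            return ("accept", "source within assigned prefixes")
        return ("drop", "source not assigned to this interface (BCP 38)")


# Constructed sample packets: (ingress interface, source address).
SAMPLE_PACKETS = [
    ("cust-A", "192.0.2.10"),       # legitimate
    ("cust-A", "198.51.100.7"),     # spoofing another customer's address
    ("cust-A", "203.0.113.5"),      # spoofing an address from elsewhere
    ("cust-B", "10.4.4.4"),         # RFC 1918 source, never valid here
    ("cust-A", "2001:db8:a::1"),    # legitimate IPv6
    ("cust-B", "198.51.100.200"),   # outside cust-B's /25 (.128-.255 is not theirs)
]


def filter_packets(packets, flt=None):
    """Run every packet through the filter; return (iface, src, action, reason)."""
    flt = flt or IngressFilter(INTERFACE_PREFIXES)
    return [(iface, src, *flt.verdict(iface, src)) for iface, src in packets]


if __name__ == "__main__":
    for iface, src, action, reason in filter_packets(SAMPLE_PACKETS):
        print(f"{iface:7} {src:18} {action:6} {reason}")
```

Two practitioner caveats. First, the filter protects everyone else's network, not the one deploying it, which is why adoption has been slow and why a project like DDoSD has to promote it. Second, a strict per-interface rule like this one assumes each customer's traffic only ever arrives on its own interface; multihomed customers with asymmetric routing need the looser checks described in BCP 84 (RFC 3704), or the filter will drop legitimate traffic.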

BCP 38 is a solid foundation, but no single tool or defense stops every attack. That is why the DDoSD project is funding several complementary research initiatives.

In a significant research initiative supported by CSD, a team at Galois, a Portland, OR-based tech firm, is working on a solution called DDoS Defense for a Community of Peers.

The solution is a dynamic, peer-to-peer network of collaborating service providers across the Internet. When a node suspects an attack is underway, it publishes that suspicion to its peers. Each peer then examines its own data flows toward the target for suspicious traffic. If an attack is confirmed, the peer nodes carrying the attack traffic can shut down those flows, stopping or at least limiting the attack before it takes the target offline.
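The article describes the collaboration pattern but not how Galois implements it, so the following is an added toy simulation of that pattern written for this piece, not Galois's code. The per-destination alert threshold, the per-source "suspicious" rate, the node names and the traffic flows are all constructed assumptions; a real deployment would derive them from its own traffic baselines and exchange alerts over an authenticated channel.

```python
"""Toy simulation of peer-to-peer DDoS suppression (added illustration, not
the Galois implementation, whose internals the article does not describe).

Each provider node holds a table of flows it is forwarding as
(src, dst, packets_per_second).  When a node sees the aggregate rate toward
one destination exceed its threshold, it publishes an alert naming that
target.  Every peer then inspects its own flows toward the target and drops
the ones that look like attack traffic, while low-rate flows (ordinary
users) keep flowing.
"""
from collections import defaultdict

ALERT_THRESHOLD_PPS = 50_000   # assumption: per-destination aggregate that triggers an alert
SUSPECT_FLOW_PPS = 5_000       # assumption: per-source rate treated as anomalous


class Node:
    def __init__(self, name, flows):
        self.name = name
        self.flows = list(flows)   # (src, dst, pps)
        self.peers = []
        self.blocked = []          # (src, dst, pps, alert origin)

    def aggregate(self):
        """Total inbound rate per destination across this node's flows."""
        agg = defaultdict(int)
        for _, dst, pps in self.flows:
            agg[dst] += pps
        return agg

    def detect(self):
        """Destinations whose aggregate rate exceeds the alert threshold."""
        return [dst for dst, pps in self.aggregate().items() if pps > ALERT_THRESHOLD_PPS]

    def publish(self, target):
        """Tell every peer that `target` appears to be under attack."""
        for peer in self.peers:
            peer.on_alert(self.name, target)

    def on_alert(self, origin, target):
        """Examine own flows toward the alerted target; drop the suspicious ones."""
        keep = []
        for src, dst, pps in self.flows:
            if dst == target and pps >= SUSPECT_FLOW_PPS:
                self.blocked.append((src, dst, pps, origin))
            else:
                keep.append((src, dst, pps))
        self.flows = keep


def connect(nodes):
    """Full mesh: every node peers with every other node."""
    for n in nodes:
        n.peers = [m for m in nodes if m is not n]


def run(nodes):
    """One detection round; returns the (origin, target) alerts that were published."""
    connect(nodes)
    alerts = []
    for n in nodes:
        for target in n.detect():
            alerts.append((n.name, target))
            n.publish(target)
    return alerts


def build_scenario():
    """Constructed traffic: the victim's provider sees a flood, and two
    transit peers each carry part of the bot traffic plus legitimate users."""
    target = "203.0.113.10"
    victim_isp = Node("victim-isp",
                      [(f"bot-{i}", target, 8_000) for i in range(10)]
                      + [("user-1", target, 40)])
    transit_a = Node("transit-a",
                     [(f"bot-{i}", target, 8_000) for i in range(4)]
                     + [("user-2", target, 30), ("user-3", "198.51.100.9", 9_000)])
    transit_b = Node("transit-b",
                     [(f"bot-{i}", target, 8_000) for i in range(4, 8)]
                     + [("user-4", target, 20)])
    return [victim_isp, transit_a, transit_b], target


if __name__ == "__main__":
    nodes, target = build_scenario()
    for origin, tgt in run(nodes):
        print(f"alert from {origin}: {tgt}")
    for n in nodes:
        print(f"{n.name}: blocked {len(n.blocked)} flows, {len(n.flows)} remain")
```

In the scenario only the victim's provider crosses the alert threshold, so only it publishes; the two transit peers, whose share of the flood is individually unremarkable, drop their high-rate flows toward the target on receipt of the alert and keep their ordinary users' flows. The obvious failure mode is a legitimate high-rate source such as a large NAT or a CDN node, which this per-source rate rule would block as collateral; real systems need richer signatures than a single rate threshold, and peers must authenticate alerts so that a malicious node cannot use the mechanism to black-hole a target of its choosing.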

Other research teams are ramping up defenses against the growing size of attacks. Five teams of researchers demonstrated the capability to withstand a 250 Gbps attack and are working toward defenses for a one Tbps attack.
