Rotors of M-209 cipher machine.

DDoS — Distributed Denial of Service

DDoS (Distributed Denial of Service)

This page is part of the Availability cybersecurity collection

Google has built a live all-Internet visualization of DDoS attacks. Also see Gizmodo's description of the tool. It's an interesting page, although it's very resource hungry.

DDoS is awfully hard to fight because you can't tell where it's really coming from. The very short description of the amplification type of attack is:

  1. The attacker is at home on their control system.
  2. The attacker gains access to a number of trigger systems, each on a network which allows source IP address spoofing. That is, the trigger system's ISP does not do sanity checking, and in particular egress filtering.
  3. A program running on each trigger system sends forged packets to a number of amplifier systems. The forged source IP address of these packets is that of the target. For a system to be an amplifier there must be a UDP service running with some combination of outdated software, misconfigured software, and/or missing or misconfigured packet filtering between the server and the Internet.
  4. Each packet requests information to be sent from the amplifier to the apparent sender, which is the target in a DDoS attacker. The amplification effect is caused by the logic of the abused protocol making the response much larger than the request. The amplification effect is up to 8× in DNS, 206× in NTP, and 650× and higher in SNMP.

These traffic graphs are from a victim organization that had all three of their GigE ISP links completely saturated with an NTP amplification attack.

Traffic graphs for NTP amplification DDoS attack on three 1Gbps ISP links.

The forged packets were from UDP ports 80 and 443, so the amplified flood was directed to those ports. Only one ISP would implement an ACL to block UDP/80 and UDP/443 to them, the other two would only blackhole the six IP addresses being attacked. As two of those blackholed IP addresses were DNS servers, they could no longer talk to the root servers or any other DNS servers and so external name resolution was completely broken.

Another organization I talked to was cut off when 3 Gbps of NTP traffic was directed at their 1 Gbps ISP link.

For good explanations of DDoS attacks in more detail see Cloudflare's introductory paper:
Understanding and mitigating NTP-based DDoS attacks
and the more detailed and specific
Technical Details Behind a 400Gbps NTP Amplification DDoS Attack
Earlier, they wrote
Deep Inside a DNS Amplification DDoS Attack
and
The DDoS That Almost Broke the Internet
and before that and at a more basic level,
How to Launch a 65Gbps DDoS, and How to Stop One

Also see Krebs On Security:
The New Normal: 200–400 Gbps DDoS Attacks

More recently, Arbor Networks reported a 50× increase in DDoS attack size over the past decade, with a 400 Gbps attack in December 2014.
10th Annual Worldwide Infrastructure Security Report

SSDP, the Simple Service Discovery Protocol, was the top mechanism for DDoS attacks in early 2015.

Akamai reported on RIPv1 reflection attacks in mid 2015.

NTP amplification was behind late 2015 DDoS attacks.

The Register described a November 2015 attack on the DNS root servers, many of which were hit with 5 million queries per second.

Anna-Senpai,
the Mirai
worm author

The Krebs on Security site was knocked off the Internet by the Mirai botnet for almost four days in September 2016. See Brian Krebs' great investigation of who was behind the attack.

In July 2016 Arbor announced that a study of the first half of 2016 included a peak attack size of 579 Gbps, and 274 attacks over 100 Gbps. That's about two per day. The average attack size in the first half of 2016 was 986 Mbps, projected to grow to 1.15 Gbps by the end of the year. This means that the average DDoS attack can knock most organization off-line.

October 2016 DDoS Attack

A DDoS attack on Dyn, a DNS provider, started at 0710 EDT on 21 October 2016. The attack used a botnet of "Internet of Things" devices including cameras, surveillance cameras, baby monitors, home routers, and other devices. The result cut off access to many popular web sites, especially from the eastern U.S.

The botnet was made up of devices based on components from Hangzhou Xiongmai Technology. The devices use well-known Telnet passwords as listed here. They are "white label" goods, produced by an unbranded company for third-party companies. The original manufacturer has no way of knowing which companies have rebranded and sold the insecure devices, preventing a recall.

Wikipedia on
the attack
Dyn's analysis
of the attack
Flashpoint on
the attack
The Daily Dot on
the attack
Brian Krebs on
the attack
Brian Krebs on
the manufacturer
The Atlantic,
"When the Entire Internet ..."
The Atlantic,
"How a Bunch of Hacked DVR ..."
Wired,
"What We Know About ..."
The New York Times,
"Hackers Used New Weapons ..."
Vice,
"Blame the Internet of Things ..."

2018 — Attacks Get Worse

Attackers started abusing exposed memcached database caching daemons for an amplification effect of 51,000. This delivers DDoS volumes above 500 Gbps.

Arbor Network report Cloud Flare report Ars Technica story

Availability topics with their own pages:

On the general Availability page:

Back to the Security Page