WHAT IS THE BLOG ABOUT?
DDoS, cloud security, Azure
The question arises, what is good about it? Why do they do it? So that IT administrators don’t get bored? The answer can be much more complicated. There are many sides to cybercrime and there can be many reasons for targeted attacks. Strangely, it can be said that the reasons include the easy possibility of deception of security at the given organization. A very simple example of this is the spoofing of the source IP address.
A BAD EXAMPLE: HOW DDOS WORKS
One of the most common forms of DDoS is amplification attack, in which an attacker uses multiple reflector units to flood the target. The attacker spoofs the target’s IP address to send a request to a reflector (such as an open server, middlebox) that responds to the target. To amplify an attack, the response must be greater than the request, resulting in a reflected amplifier attack. The attacker’s motivation is to create the largest reflection of the smallest requests. The attacker achieves this goal by finding many reflectors and making requests that result in the highest amplification. The root cause of reflection amplificion attacks is that an attacker can force reflectors to respond to targets by spoofing the source IP address.
If spoofing is not possible, this attack vector is reduced. So by making it impossible to spoof an IP address, part of the problem is solved. Whereas in the past, UDP (User Datagram Protocol for sending fast packets) was used by attackers, today TCP (Transmission Control Protocol, Internet Transport Layer) with three-way handshake has been included in refelection amplification attacks. If we skip the technical details and look more at the trends, it turns out that more and more vulnerabilities are being found in the Internet protocol, which is believed to be more secure, and unfortunately, attackers are also coming up with new methods.
Carpet bombing: DDOS WAR?
Such is the case with carpet bombing, which attacks a larger network instead of one target, and strives a smaller amplification instead of maximizing responses. This is much slower detectable and more difficult to mitigate the attack than traditional baseline-based detection, but the traffic congestion still occurs.
The question at the beginning of the blog, however, is difficult to give an accurate answer to. Why do an organization get at the center of DDoS attacks, into the middle of a cyber war? In fact, it doesn’t matter at all, because we don’t even know why a lightning strikes right where. Of course, this can also be investigated, there is an AI, but the statistics are more an answer to what to expect during such an attack and, as a result, how to defend against it.
WHAT DO THE NUMBERS SHOW?
The Microsoft Azure Cloud Infrastructure Network team provides detailed reports of attack data. These are interesting numbers, obviously for those who are involved in the subject, but they can also tell a lot to lay people:
Azure Networking Team
„In the last 12 months, we mitigated approximately 175,000 UDP reflected amplification attacks. We monitored more than 10 attack vectors, where the most common ones are NTP with 49,700 attacks, DNS with 42,600 attacks, SSDP with 27,100 attacks, and Memcached with 18,200 attacks. These protocols can demonstrate amplification factors of up to x4,670, x98, x76 and x9,000 respectively.
This pie chart shows the volume of UDP- reflected amplification attacks observed in Azure from April 1, 2021, to March 31, 2022. The highest volume observed is 28% through NTP, while the least volume observed is 2% through Open VPN. We measured the maximum attack throughput in packets per second for a single attack across all attack vectors. The highest throughput was a 58 million packets per second (pps) SSDP flood in August last year, in a short attack campaign that lasted 20 minutes on a single resource in Azure. TCP reflected amplification attacks are becoming more prevalent, with new attack vectors discovered. We encounter these attacks on Azure resources utilizing diverse types of reflectors and attack vectors.
One such example is a TCP reflected amplification attack of TCP SYN+ACK on an Azure resource in Asia. Attack reached 30 million pps and lasted 15 minutes. Attack throughput was not high, however there were approximately 900 reflectors involved, each with retransmissions, resulting in a high pps rate that can bring down the host and other network infrastructure elements.”
Amir Dahan & Syed Pasha
WHAT DOES AZURE DO AGAINST A DDOS ATTACK?
So the problem is significant and it can’t really be expected to decrease. It should be noted that service providers are not able to provide adequate mitigation against the impact of attacks in all cases, while IT operators in individual organizations cannot do too much in the absence of adequate knowledge. They used to say “well, that’s how it goes”. Obviously, there is a solution because all cloud providers try to avoid getting on the front pages by a DDoS scandal.
Azure, the cloud provider for SYSWIND, has revealed the following details about how they are prepared to mitigate attacks:
Azure Networking Team
„On the network side, we continuously optimize and implement various traffic monitoring, traffic engineering and quality of service (QoS) techniques to block reflected amplification attacks right at the routing infrastructure. We implement these mechanisms at the edge and core of our wide area networks (WAN) network, as well as within the data centers. For inbound traffic (from the Internet), it allows us to mitigate attacks right at the edge of our network. Similarly, outbound attacks (those that originate from within our network) will be blocked right at the data center, without exhausting our WAN and leaving our network.
On top of that, our dedicated DDoS mitigation pipeline continuously evolves to offer advanced mitigation techniques against such attacks. This mitigation pipeline offers another layer of protection, on top of our DDoS networking strategies. Together, these two protection layers provide comprehensive coverage against the largest and most sophisticated reflected amplification attacks.
Since reflected amplification attacks are typically volumetric, it is not only enough to implement advanced mitigation strategies, but also to maintain a highly scalable mitigation pipeline to be able to cope with the largest attacks. Our mitigation pipeline can mitigate more than 60Tbps globally, and we continue to evolve it by adding mitigation capacity across all network layers.”
Amir Dahan & Syed Pasha
Analysis by Azure staff also highlights the need for industry-wide collaboration, with Microsoft collaborating with a number of other cloud providers to prevent downtime and damage from DDoS attacks to protect customer workloads and the platform itself.
Microsoft also highlighted that Azure customers are protected from Layer 3 and Layer 4 DDoS attacks as part of protecting their infrastructure and cloud platform. However, the Azure DDoS Protection Standard provides comprehensive protection for customers by automatically tuning the detection policy to specific traffic patterns in the protected application. This ensures that when traffic patterns change, such as in the event of a rapid mass event, the DDoS policy is automatically updated to reflect these changes for optimal protection. When a reflection amplification attack is launched against a protected application, detection processes automatically detect it based on an automatically tuned policy. The automatic mitigation policy includes the necessary countermeasures to block reflection amplification attacks. Protection can be easily enabled on any new or existing virtual network and does not require any application or resource changes. Recently released Azure built-in policies allow you to better manage network security compliance by making it much easier to deploy all virtual network resources and configure logs. To enhance the security status of your applications, Azure’s network security services can work in parallel to secure your workloads, where DDoS protection is one of the tools provided by Microsoft.
While our blog didn’t answer the very first question of why an organization could be targeted by a DDoS attack, it did reveal why it is more efficient to use a tech-giant cloud service to build an enterprise IT infrastructure. Of course, this comes at a price, perhaps not small from an entrepreneurial perspective. However, DDoS attacks are very difficult to fight with small IT teams and local servers. The comparison is complete if the organization compares the damage caused by the attacks (which cannot be precisely determined in advance) with the operating costs of a secure architecture (which can be accurately expressed on a daily basis.)
For more information about DDoS attacks, visit the Microsoft website.
Links to Azure DDoS protection solutions:
- Azure DDoS Protection product.
- Azure DDoS Protection Standard documentation.
- DDoS Protection best practises.