Protocol DDoS attack success is measured not by their size but rather their frequency and persistence
Distributed denial-of-service (DDoS) attacks temporarily or indefinitely disrupt services of a host connected to a network to render an entire network or website unavailable. There are three attacks in this category considered to be the most common — volumetric attacks, application layer attacks and protocol attacks — the last of which relies on weaknesses in internet communications protocols, such as firewalls or routing engines.
According to A10 Networks, the global nature of these protocols makes fixing existing weaknesses complicated, and even when they are reengineered to fix existing flaws, new weaknesses are often introduced, which enables new types of protocol attacks to emerge.
“Detecting protocol DDoS attacks requires in-depth monitoring of streams of communications and analysis of deviations from expected standards,” A10 Networks stated. The company added that, unlike some other types of DDoS attacks, the success of protocol attacks is measured by their size but rather their frequency and persistence.
Border Gateway Protocol hijacking
Network operators use Border Gateway Protocol (BGP) for network routing. It allows operators to announce to other networks the configuration of their address space, but if a bad actor sends an illegitimate BGP update presumed to be authentic, traffic intended for one network can be routed to a different network. This can lead to resource depletion and congestion.
In 2018, hackers employed this tactic to redirect traffic intended for a service that manages Ethereum cryptocurrency accounts called MyEtherWallet. Instead of the traffic being sent to the service, it was routed instead to Russian servers hosting a fake version of the legitimate site. The attack, which lasted roughly two hours, allowed those behind the misdirection to steal from users’ cryptocurrency wallets. The Verge reported that in those few hours, the attacker managed to steal at least $13,000 in Ethereum; moreover, the attacker’s wallet, said the Verge, already contained more than $17 million in Ethereum.
SYN flood attack
Something called a TCP three-way handshake is necessary for two computers to initiate a secure communication channel. Once this handshake is performed, the two entities can exchange information. Short for synchronize packet, a SYN packet is typically the first step of this TCP handshake as its role is to indicate to the server that the client wants to start a new channel.
As outlined by Imperva on its website, a “normal” TCP handshake goes as follows: First, the client requests connection by sending SYN (synchronize) message to the server; then, the server acknowledges by sending SYN-ACK (synchronize-acknowledge) message back to the client; and finally, the client responds with an ACK (acknowledge) message, and the connection is established.”
However, during a SYN flood attack, the hacker floods the server with numerous SYN packets, each containing spoofed IP addresses. When the server inevitably responds to each packet, requesting the client to complete the handshake, the client or clients never respond. THE server continues to wait for a response until it crashes, having been depleted of enough resources to respond to legitimate TCP handshake requests.
Implementing a high-quality traffic analysis tool can help defend against protocol DDoS attacks like BGP hijacking and SYN flood attacks. However, even something has simple as upgrading your security hardware is likely the best place to start, as these can monitor for signs of a protocol attack.
