Amritam Putatunda
Technical Product Manager
Blog

Dissecting the Most Complex DDoS Test Challenge in the World

September 27, 2016 by Amritam Putatunda

1The Elephant in the Room—DDoS

Distributed Denial of Services, or DDoS, has gone through more extreme innovations than many other threat vectors. Now, this is not to undermine the tremendous evolution we have seen in malwares or other vectors. However, with DDoS, no one would have ever imagined it reaching the sophistication it has now. From being a collection of headless zombies targeting hapless end points, to the modern-day DDoS attacks that have evolved into flexible, sophisticated, and intelligent killers that can attack network bandwidth, CPU/memory resources, or even a vulnerability within protocols. This, accompanied with the growth in IoT and the spread of powerful tablets and phones, means hackers have a much bigger target and more-powerful arsenal.

DDOS 2

Recent hacked-camera DDoS attack is perfect example of the sneaky people we are dealing with

Intrigued by the variance and spectrum of the DDoS capabilities out in the wild, we thought it would be cool to see how fatal it would be if we combine all the DDoS attack variants available in Ixia’s BreakingPoint into a single test. I’m sure this would probably be the most complex DDoS test ever attempted on a real device. 

Obviously, just having a test with all types of DDoS attacks wouldn’t be that interesting unless we had a DDoS mitigation solution that could showcase the attacks and mitigation actions live. So we partnered with A10 Networks, who brought their Thunder appliance to the party to help us showcase what we are calling the “The World’s Most Complex DDoS Challenge”. 

Anatomy of The World’s Most Complex DDoS Test

The target of the test was to have complex and relevant legitimate traffic at high scale and at the same time, mix it with different variants of DDoS and crank up the scale. Below are some of the variants we added.

Legitimate Traffic: False positives or false negatives both are the biggest problems for DDoS appliances. An over-conservative solution stops perfectly benign business traffic and a fairly-relaxed solution lets through attacks before starting to mitigate. To ensure this doesn’t happen, we injected about 10G of mixed HTTPS, HTTP, and DNS traffic, well-distributed across several clients replicating busy-hour Internet traffic.

The SYN Flood: One of the oldest kid on the DDoS block, SYN flood takes down TCP-based apps by pounding millions of SYN request towards them. TCP, being the simple protocol it is, keeps on tirelessly replying to it with an SYN-ACK, meanwhile allocating resources for the connections. We decided to have around 60G of this old, but very effective, TCP SYN flood, thus distributing the source IP addresses to be randomly selected from a cache of over a million IP addresses.

The TCP Options:  As winter is near, we can’t be too far from Christmas trees. Well in DDOS terms, a Christmas Tree Attack is done with a packet with every single option set for whatever protocol is in use. In our test, we not only turned on multiple flags (PUSH, URG, FIN, SYN), but also played with the scaling and windowing options to create a mix of potent attack that hits multiple flags on a TCP/application implementation.  We added 10G of mixed Christmas tree traffic.

The Fragmentation: To ensure we provide justice to the two major transport protocols of the Internet, we needed to bring in UDP. And what better way to bring UDP than to include a fragmentation attack. Handling fragmentation is a network-intensive operation, as someone in between needs to reassemble, reorder, etc.  So we included 6G of UDP fragmentation and ensured the packets were not just extremely fragmented, but also randomized their orders to make reassembly more difficult.

Domain Name System (DNS) Reflection: The above three attacks, even though very effective, are still in the volumetric category. Meaning, they can bring in maximum damage only at higher volume, thus sometimes are easily mitigated through traffic policing and shaping. So we decided to bring in sophistication. For starters, we added DNS reflection, where the attacker spoofs look-up requests to DNS servers to hide the source of the exploit and direct the response to the target. It’s complicated to block, especially with a large volume of legitimate DNS traffic flowing through. We added around 4G of DNS reflection.

Application-Based Attacks – Slow Loris:  Slow Loris, name derived from the slow and cautions climbing primates Loris, living in the tropical wilderness of India, Sri Lanka, and parts of Asia. In DDoS terms, this was one of the first attacks that targeted CPU/memory resources, rather than bandwidth, thereby making them difficult candidates to catch. A general modus operandi for Slow Loris is to try to keep many connections to the target web server open and hold them open as long as possible. Since the legitimate traffic is comprised mainly of HTTP, it made sense to add a proper dosage of Slow Loris that consumed around 2G of bandwidth, but a few million concurrent sessions.

HTTP Excessive Post: We added more HTTP attacks that target websites by sending several GET/Post requests. They look so much like legitimate requests that they are difficult to block and invariably mitigation solutions fail against such attacks. This proves costly when we get SSL in the flow, as now they also have the added headache of encryption and decryption. As a proverbial cherry on top of all the other attacks, we added 8G of GET/Post targeting the server infrastructure.

The Results

In our tests, the total traffic surpassed 100G and, although there was a significant traffic blocked by the A10 tool, we could still see legitimate traffic passing through without any hindrance.

3

Split-screen showing total statistics (top) and legitimate traffic (below)

DDOS 4

BreakingPoint DDoS traffic mixed with legitimate traffic

5

The A10 device blocked the DDoS while passing the legitimate traffic

Together, the tests became a fine mix of legitimate traffic combined with volumetric, vulnerability, and memory/resource DDOS at scale. Our security partner A10 had to perform some tunings and their device overall did a great job of detecting and providing individual mitigations to the different attacks and at the same time maintaining the steady flow of the legitimate traffic. The tests are designed to put security infrastructures in trouble and find their “BreakingPoint” for DDOS detections and mitigations. Feel free to connect with us for further questions on the test configuration, results reports, or for an evaluation of your network.

Leverage Subscription Service to Stay Ahead of Attacks

The Ixia BreakingPoint Application and Threat Intelligence (ATI) Subscription provides bi-weekly updates of the latest application protocols and attacks for use with Ixia platforms.

Resources

Check out the video: The World’s Most Complex DDoS Challenge