Amritam Putatunda
Technical Product Manager
Blog

Why Cloud Providers Recommend Table-Top DDoS Simulation

May 7, 2018 by Amritam Putatunda

Providing a platform for storage, networking, and compute without owning a single piece of hardware, cloud is a lure for IT personnel across the globe. It’s not surprising to see rapid adoption of public cloud around the world. The comprehensive benefits of cloud adoption have been discussed and elaborated in thousands of different blogs, so instead, I will focus this blog on ensuring secure and resilient clouds specifically from the point of distributed denial of service (DDoS) attacks. 

Unique Challenges of DDoS Attacks in Cloud 

Certain features of cloud networking make it easier for DDoS attacker to cause maximum harm to their targets. The way cloud services are scaled and billed, and the proliferation of Internet-connected smart devices fall into this category:

Cloud Elasticity: On-demand scalability is a great promise of the cloud, where key resources like storage, compute, or networking can scale elastically based on need. Unfortunately, this also makes it easier for attackers to target the bandwidth or the memory of a cloud network. They can generate a massive bandwidth or memory attack and the cloud provider will elastically increase the resources to service the increased volume. 

The Billing Damage: A cloud customer incurs a cost every time they use the compute, networking, or storage resources of the cloud. A massive DDoS attack can create a significant rise in the use of those resources, hitting the customer with a huge bill from their cloud providers. Although in many cases the cloud service providers do provide protection along with elasticity, this doesn’t absolve the user from their responsibility to ensure attack protection. 

Internet of Things (IoT) Scale: For an attacker, it has become incredibly easy to find new bots to generate attacks. Malware like Mirai have shown how IoT devices can be easily compromised to become DDoS bots. Similarly, mass vulnerabilities like Wannacry can also help attackers gain a large number of bots quickly. 

Most cloud vendors emphasize the shared responsibility to secure applications deployed in the cloud. The shared responsibility can be loosely translated as the cloud provider letting the customers know that, even though they will take some steps to provide security, that doesn’t absolve the customer from a shared responsibility. 

While cloud service providers enable their customers to build applications on a secure infrastructure and provide built-in cloud security services (network security groups, web application firewall, DDoS protection services, etc.), it is the customer’s responsibility to select appropriate mitigation services and ensure they are properly configured and activated. Additionally, multiple security vendors provide security solutions such as network security appliances or software as a service (SaaS) that can replace, enhance, or extend the built-in cloud services. Each security model has unique benefits that result in sometimes significantly different cost levels. 

Types of DDoS Attacks Most Common in Cloud 

1. Rate-Based Protocol DDoS Attacks: Let’s look at two common rate-based attacks.

a)    UDP-based DDoS: UDP is a great Layer-4 protocol to generate DDoS. Its connection-less nature makes it easier to generate with different packet sizes. This, and its simplicity, helps bots to fill the network pipe with UDP packets. These unidirectional packets are effective in clogging the network or increasing the number of packets that the target needs to handle. The attacks can be modified, like sending jumbo frames or fragmented packets, to inflict further damage. Attackers can also play with lower packet sizes to increase the packets per second while keeping the bandwidth low enough not to trigger a bandwidth based-rate control.
b)    Small-packet, high-rate TCP DDOS: As the name suggests, these are crafted single packets that generally carry a flag like TCP-SYN or acknowledgements that compel the victim to do some processing on each of the packets. This makes TCP-based attacks harder to detect and block than simple UDP attacks. TCP-SYN Flood, TCP-ACK Flood, and TCP RST are few of the most common attacks in this category. Mitigation: Fortunately, most cloud vendors have basic protection services that employ rate control/packet drops for such volumetric attacks 

1
 

Bots can generate a large number of TCP flag floods to deplete the resources of the victim.

Mitigation: Most Cloud services will block such DDoS attacks through basic DDOS protection services. These decisions are generally made based on unusual volumes, traffic patterns, etc. No user configuration or application changes are required to enable such services.

2. Reflection-Based Attacks: The reflection attack is a great example of a sophisticated DDoS. In such attacks, a query is sent to a certain service like DNS, NTP, or SSDP whose response might be significantly bigger. The requestor bot generally indicates the receiver’s IP to be the victim’s, thereby sending many unexpected packets as a response. Reflection attacks generally have an amplification factor—suppose a single query of X bytes leads to 100X bytes worth of response, resulting in an amplification factor of 100. This amplification capability makes reflection a favorite amongst attackers targeting cloud resources as they can leverage a small number of bots to generate a huge volume. Popular Internet services like DNS and NTP that are designed to respond to requests from generic clients over UDP are commonly used as reflectors for these attacks.

Mitigation: Apply advanced DDoS protections, generally provided by cloud services, that can detect and mitigate such reflection attacks based on behavior analysis or rate controls.

2
 

A reflection attack amplifies query responses and redirects them to the victim.

3. High-Volume Application Attacks: Any server application is designed to respond to client requests. However, if there are excessive requests from illegitimate clients, this may prevent the servers from responding to legitimate requests while being too busy servicing the flood from the DDoS bots. Excessive GET requests where BOT clients continuously ask for a certain page using the popular HTTP command GET is the most popular kind of this attack. Like others, it too has several variants like “Excessive POST”, “Excessive GET & POST”, “Recursive GET”. These also have variants, like a group of bot clients can actually download a large file from a website repeatedly to consume most of the downlink bandwidth of that website.

Mitigation: Similar to reflection attacks, most cloud service providers provide protection against such attacks through either rate control or behavior detections.

3

An excessive GET attack to a target website aims to prevent the servers from responding to legitimate requests.

4. Exploiting Application Behavior—Low and Slow Attacks: These are similar to volume-based application attacks as they also disrupt services by directly targeting the application. However, they employ very sophisticated techniques, and hence, are usually harder to detect. One great example of this type of attacks is Slowloris. This attack simply sends a GET request without sending the carriage return that signifies the end of the GET request. The server continues to wait for the complete GET request, so keeps the HTTP session opened till it times-out. If enough bots send such incomplete HTTP requests, this may quickly exhaust the CPU/memory resources of the server, thereby crashing the server or significantly reducing its capabilities. R-U-Dead-Yet? (aka: RUDY) is another popular low and slow attack. 

Mitigation: Most cloud services do not inherently provide mitigation techniques for such attacks. Users are advised to either employ a web application firewall (WAF) or other application-aware DDoS mitigation solution to combat them.

4

A RUDY bot can fill up website forms at a slow pace, sending it one byte of data at a time.

Why You Need Cloud-Based DDoS Emulation

Tuning mitigation techniques in a hardware environment can be quite complicated. In comparison, turning on mitigation in a cloud environment is highly simplified, for example in Microsoft’s Azure cloud service, the DDoS mitigation is turnkey protection. However, Microsoft recommends in its Azure DDoS Protection: Best practices and Reference Architecture that users employ a DDoS simulation solution to understand how the protection works, to optimize incident response, document DDoS compliance, and train network security teams. Let’s take a look at each of these in a bit more detail. 

Understand How your DDoS Mitigation Works 

You’ll first need to understand the efficacy of the mitigation that comes inherently with your cloud-based services and which attacks they protected you from. Ixia’s BreakingPoint Cloud generates rate/volume-based IP/UDP/TCP attacks that can help you quickly gauge the mitigation efficiency of this basic DDoS protection. The results and reports help in understanding the types of DDoS and the scale of that can be mitigated, as well as the possible impact they can have on your applications like latencies and transaction failures.

5

TCP SYN Flood DDoS attack simulation in BreakingPoint Cloud.

Create and Optimize Incident Response to DDOS Attacks

DDoS mitigations in Cloud environments are quite new features. This means you’ll need to establish the processes and protocols around the DDOS attacks and mitigation. This involves setting up a chain of command, charting a course of actions that includes identifying the type of attacks, connecting with the appropriate teams, identifying the tools required for additional analysis, and other immediate actions that need to be performed. Once established, such process needs to be consistently rehearsed and improved to ensure fast responses to DDoS attacks. A DDoS simulation environment can create different variations of attacks to help establish incident responses and also optimize them along the way.

Accelerate Compliance

Ensuring compliance is a major concern for most IT teams. Basic compliance checks elevate the overall quality of the services, increase efficiency, and are one of the key aspects of risk management. It also showcases due-diligence from the IT team. Simulation is a great way to ensure your cloud conforms to required compliances and that it is able to mitigate the most common types of cloud DDoS attacks. 

Training IT and Security Teams

Similar to the earlier point on incident response, the teams need regular training so they are able to quickly and effectively classify different attacks, become experts on the secondary tools that may be needed for further analysis, and also keep cool and execute the tasks expected from them during the attacks. DDoS simulation helps employees train and practice under a less stressed environment so they can better respond during a real attack.

Conclusion    

With the comprehensive and clear benefits of cloud, we will continue to see movement to cloud-based data centers. This will also make it a favorite target for attackers. Until now, emulating a DDoS attack in a cloud environment was accompanied by huge risk both for the customer and for the traffic generator. This was one of the biggest reasons organizations did not pursue DDoS emulations. Ixia, partnering with cloud providers, has abated such concerns and is enabling organizations with a safe, controlled DDoS emulation environment that helps to ensure high-performing, secure, and resilient cloud-based infrastructures. Please refer to this blog for a deeper understanding of BreakingPoint Cloud.