In late October 2016, malicious actors took over internet-connected devices to launch a series of cyberattacks known as distributed denial of service (DDoS) attacks.
Hackers launch DDoS attacks by sending an overload of web traffic at a target to the point that it is unable to function. To generate this traffic deluge, hackers use a large number of connected devices, or a technique called reflection, in which compromised devices send traffic to an intermediary service that expands and reflects the data at the target.
To counter DDoS attacks, the S&T Homeland Security Advanced Research Projects Agency’s Cyber Security Division (CSD) is funding several research projects that will help defenders turn away attacks.
The October DDoS attacks targeted Dyn—a domain name system (DNS) host that transforms the word-based internet addresses of domains to their numeric internet protocol (IP) addresses—which rendered numerous popular websites, including Twitter, PayPal, Shopify and The New York Times unavailable. These targeted attacks impacted millions of users across the world.
Until recently, most major attacks were reflections. However, using Mirai—malware that turns computer systems into remotely controlled “bots”—hackers now can access a wealth of infected IoT smart devices such as closed-circuit TV cameras and DVD players with weak default passwords to create huge botnet armies.
As a result, over the past six months there has been an exponential increase in the intensity and frequency of DDoS attacks. For instance, in September 2016, there was a 620 gigabyte (Gbps) per second attack on cybersecurity blog KrebsOnSecurity and a 1.1 terabit per second (Tbps) one on OVH, a French Internet Service Provider, that may have reached 1.5 Tbps (Megabytes, Gigabytes, Terabytes...What Are They?).
A Dyn official told a reporter they, “observed 10s of millions of discrete IP addresses” during the attack. In a postmortem several days later, Dyn said many of them were legitimate user attempts to connect to a website. A more troubling aspect of growth in size of DDoS attacks is that it is not clear current network infrastructure can withstand larger-size attacks, say cybersecurity experts.
CSD’s Distributed Denial of Service Defense (DDoSD) project is spearheading a three-pronged approach to shift the advantage to network infrastructure defenders. The project’s two primary focuses are on increasing deployment of best practices to slow attack scale growth and defending networks against a one Tbps attack through development of collaboration tools that can be used by medium-size organizations. A third part of the project addresses other types of denial of service attacks such as attacks against 911 and Next Generation 911 emergency management systems.
“The goal of the DDoSD project is to build effective and easily implemented network defenses and promote adoption of best practices by the private sector to bring about an end to the scourge of DDoS attacks,” says Program Manager Daniel Massey. “Our performers are developing exciting new defense approaches that will help organizations defend against very large-scale DDoS attacks.”
The DDoSD project encourages universal adoption of Internet Best Current Practice 38 (BCP 38)—issued by the Internet Engineering Task Force. BCP 38 slows attack scale growth by blocking forged packets at or near the source of an attack. The University of California San Diego (UCSD) has developed the Open Source Spoofer Toolset, which provides organizations the capability to test whether their network is deploying BCP 38 correctly as well as assisting in correcting and identifying issues or vulnerabilities. Using this free tool, both system administrators and individuals can test whether the network they use allows spoofing.
While we encourage all organizations to deploy BCP 38, no one tool or defense can stop every attack. That’s why the DDoSD project is engaged actively in several research initiatives.
In a significant research initiative supported by CSD, a team at Galois, a Portland, Oregon-based tech firm, is working on a novel solution called DDoS Defense for a Community of Peers. The solution is a dynamic, peer-to-peer network of collaborating service providers across the internet. When a node suspects an attack is underway, it publishes this information to its peers. Each peer then examines its data flows for suspicious traffic. If an attack is identified, the peer nodes contributing to the attack can shut down the flow, thereby shutting down—or limiting—the attack before it takes the target offline.
Other research teams are dedicated to ramping up defenses against the growing size of attacks. Five teams of researchers have demonstrated the capability to withstand a 250 Gbps attack and are working toward defenses for a one Tbps attack.
CSD’s DDoSD project is beginning to tilt the playing field toward defenders. Much work still needs to be completed, especially in the area of developing proactive defenses against new types of attacks. Cyberspace is always changing, and the work to prevent DDoS attacks and other threats from malicious actors will never stop. CSD’s DDoSD is just one of the ways S&T is working with our partners to help keep cyberspace safe and secure.