FBI and CISA warn government systems against increased DDoS attacks

The US Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have jointly released an advisory on defending against distributed denial of service (DDoS) attacks.

Especially popular with Russia-backed hacktivists and nation-state actors, DDoS attacks refer to malicious attempts to disrupt the normal traffic of a targeted service by overwhelming its servers and networks with a flood of fake traffic.

The joint advisory was released to serve “as a guidance for federal, state, local, tribal, and territorial government entities to address the specific needs and challenges faced by them to defend against denial of service (DoS) and DDoS attacks.”

A DoS attack uses a single source to overwhelm the target system, as opposed to the many sources, collectively called a botnet, used in a DDoS attack. The main advantage of a DDoS attack over a DoS attack is the ability to generate a significantly higher volume of traffic, exhausting the target system’s resources to a greater extent, according to the advisory.

Typical denial of service attacks

The advisory groups typical DoS and DDoS attacks into three technique types: volume-based, protocol-based, and application layer-based. Volume-based attacks aim to cause request fatigue in the targeted systems, leaving them unable to handle legitimate requests, while protocol-based attacks identify and target weak protocol implementations in a system, causing it to malfunction.

A novel loop DoS attack reported this week, which targets network systems that rely on weak User Datagram Protocol (UDP)-based communication to transmit data packets, is an example of a protocol-based DoS attack. The technique is among the rarest instances of a DoS attack and can potentially result in a huge volume of malicious traffic.

Application layer-based attacks exploit vulnerabilities in specific applications or services running on the target system. After exploiting a weakness in the application, the attackers find ways to over-consume the processing power of the target system, causing it to malfunction.

Interestingly, the loop DoS attack can also be placed within the application layer DoS category, as it primarily attacks the communication flaw in the application layer resulting from its dependency on the UDP transport protocol.

DDoS has been used extensively by Russia-aligned hacktivists calling themselves Anonymous Sudan, who recently disrupted a series of French government services.

Analysis, planning, and mitigation tools

Thorough and continuous analysis of network systems is the top priority in the advisory’s list of recommendations. This includes risk assessment to determine existing vulnerabilities to DDoS attacks, network monitoring to track unusual and suspicious traffic activity, and regular traffic logging to establish a baseline of normal traffic patterns.

Bandwidth capacity planning is also recommended, as provisioning enough bandwidth to absorb sudden seasonal spikes also helps when absorbing malicious traffic. Implementing load balancing to distribute traffic and avoid a single, central point of failure may help too, the advisory noted.

Tools that can help prevent or handle DDoS attacks include DDoS mitigation services, CAPTCHA challenges to weed out bot access, and network firewalls configured to filter suspicious traffic patterns and block known malicious IP addresses.
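As an added illustration of the advisory’s baseline-and-monitor recommendation (example code written for this article, not a tool published by CISA, the FBI or MS-ISAC), the script below builds a requests-per-minute baseline from constructed web server log lines, flags minutes that exceed it, and names any single source responsible for most of a flagged minute, which is the kind of output a firewall block list or rate limit would be fed from. The Common Log Format input, the mean-plus-three-standard-deviations threshold and the sample IP addresses are all assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Common Log Format prefix: client IP, ident, user, [timestamp]
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def per_minute_counts(lines):
    """Requests per minute, and per-source counts within each minute."""
    totals, per_source = Counter(), defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than crash
        ip = m.group(1)
        bucket = datetime.strptime(m.group(2), TS_FMT).replace(second=0)
        totals[bucket] += 1
        per_source[bucket][ip] += 1
    return totals, per_source

def detect_spikes(baseline_lines, observed_lines, k=3.0, min_share=0.5):
    """Flag minutes above baseline mean + k * stdev requests/min; for each
    flagged minute, list sources sending at least min_share of its requests
    (candidates for rate limiting or blocking at the firewall)."""
    base = list(per_minute_counts(baseline_lines)[0].values())
    threshold = mean(base) + k * pstdev(base)
    totals, per_source = per_minute_counts(observed_lines)
    alerts = []
    for bucket in sorted(totals):
        n = totals[bucket]
        if n > threshold:
            dominant = sorted(ip for ip, c in per_source[bucket].items()
                              if c / n >= min_share)
            alerts.append((bucket.strftime("%H:%M"), n, dominant))
    return threshold, alerts

# Constructed sample log lines (not real traffic): five quiet baseline
# minutes, then an observed window whose second minute is flooded by one source.
def make_lines(minute, ip_counts):
    return [f'{ip} - - [22/Mar/2024:10:{minute:02d}:00 +0000] "GET / HTTP/1.1" 200 512'
            for ip, count in ip_counts.items() for _ in range(count)]

BASELINE = [line for m, n in [(0, 10), (1, 12), (2, 11), (3, 9), (4, 13)]
            for line in make_lines(m, {"192.0.2.1": n // 2, "192.0.2.2": n - n // 2})]
OBSERVED = (make_lines(5, {"192.0.2.1": 6, "192.0.2.2": 5})
            + make_lines(6, {"192.0.2.1": 5, "203.0.113.7": 120}))
```

Calling `detect_spikes(BASELINE, OBSERVED)` returns a threshold of about 15.2 requests per minute and a single alert for 10:06 with 125 requests, dominated by 203.0.113.7; the 11-request minute at 10:05 stays below the threshold.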

The development comes days after US federal agencies warned of heightened activity by the Chinese state-backed Volt Typhoon group, which allegedly maintains malicious persistence in critical US systems by exploiting critical vulnerabilities such as the recent Fortinet RCE flaws.
