October was full of surprises on the cyber security front – including a perennial nuisance – the continual growth and evolution of Distributed Denial of Service (DDoS) attacks.

DDoS is a nuisance that’s affecting big names, and big companies. Recent attacks have shown us that DDoS attacks have, yet again, evolved and are starting to target emerging technologies, which may not have security requirements or standards in place yet. For example, we’re seeing that these attacks are now weaponizing insecure Internet of Things devices, which in turn is making IoT a liability to the Internet. That’s right – Internet-facing devices (soon projected to number in the billions) – thermometers, DVR recorders, webcams and tea kettles are being commandeered and used as “IoT Cannons” to disrupt web sites and services.

Recent Evolution of DDoS Attacks

As Brian Krebs from KrebsonSecurity reports in his investigation, an attack against “a large number of Web sites was launched with the help of hacked ‘Internet of Things’ (IoT) devices, such as CCTV video cameras and digital video recorders, new data suggests.”

In another post, Krebs writes that DDoS is evolving from using a “large robot network, or botnet of hacked computers… to paying a few bucks for a subscription to one of dozens of booter or stresser services.” He goes on to add why these attacks are more effective and can achieve higher volumes of traffic, the target is the victim of spoofing using a “technique called traffic amplification and reflection…In this type of assault, the attacker sends a message to a third party, while spoofing the Internet address of the victim. When the third party replies to the message, the reply is sent to the victim — and the reply is much larger than the original message, thereby amplifying the size of the attack.”

There are many ways to launch an DDoS attack – freely available network stressors and DDoS tools can be configured and controlled in botnets with command and control, as with Low Orbit Ion Cannon (LOIC), an early generation point and click tool used on message boards and IRC. More advanced tools include nation state-backed “Internet Cannons” that weaponize valid Internet user traffic by rewriting HTTP requests to flood targeted websites.

What is the motive behind these attacks?

Perhaps this is a type of active reconnaissance or “recon by fire.” Last month Bruce Schneier warned that someone is learning how to take down the Internet. Schneier describes that “these attacks are significantly larger than the ones they’re used to seeing. They last longer. They’re more sophisticated. And they look like probing… as if the attacker were looking for the exact point of failure… to see what the company’s total defenses are… to demonstrate their defense capabilities for the attacker.”

What can Citrix do to protect against DDoS?

Citrix NetScaler checks client connection and request parameters to prevent flood attacks until a valid application request has been submitted. Jason Samuel has an excellent and comprehensive post on mitigating these attacks. Using NetScaler, we can defend against attacks at multiple layers. From his blog:

  • Application layer defense (Layer 7 defense) – like Slow Read, Slow HTTP POST (RUDY), Slow HTTP Headers (slowloris), HTTP Flood, Random Searches, Apache Range Header, etc. that cause resource starvation on the web servers (not usually a volumetric attack)
  • Transport layer defense (Layer 4 defense) – like SYN floods, DNS query floods, SMURF, SSL floods, etc. to starve bandwidth on the web servers by using up sockets (volumetric attack)
  • Network layer defense (Layer 3 defense) – DNS amplification, IMCP floods, UDP floods, teardrop, fraggle, Christmas tree, etc. to starve bandwidth on network devices (volumetric attack)

Earlier this year we announced a partnership with Webroot to dynamically blacklist malicious IP addresses globally. With NetScaler running build 11.0 or later, you have an IP Reputation subscription, which is included in the Platinum subscription. From the product documentation: “IP Reputation is an extremely effective tool in identifying the IP address that is sending unwanted requests. You can use the IP reputation list to preemptively reject requests that are coming from the IP with the bad reputation. For example, you can use this feature to optimize application firewall performance by filtering out the requests that you do not want to process. You can reset or drop the connection, or you can configure a responder policy to take a specific responder action.” Here are some examples of attacks that you can prevent by using IP Reputation:

  • Infected personal computers and IoT devices: IPs sending unwanted requests to block large scale DDoS, DoS, or anomalous SYN flood attacks from known infected sources.
  • Centrally managed and automated botnet: Attacks launched by botnets to figure out passwords that use commonly used dictionary words.
  • Compromised web-server: Web-servers and online forums that hackers can compromise and use to send spam and malicious payloads.
  • Windows Exploits: Active IPs offering/distributing malware, shell code, rootkits, worms or viruses.
  • Known spammers: Mass e-mail marketing campaigns.
  • Phishing Proxies IP addresses hosting phishing sites, and other fraud such as ad click fraud or gaming fraud.
  • Anonymous proxies: IPs providing proxy and anonymization services including The Onion Router aka TOR.

Watch this video by Brian Tannous on how to configure and see IP Reputation in use.

Whether it’s protecting layers 3 and 4 or defending against logic attacks at the application layer,

NetScaler provides a multilayer approach to DDoS protection coupled with built-in IP Reputation service. To learn more about security best practices and tips, visit our security page: Citrix.com/secure.