Three types of denial-of-service attack account for most of what is seen, and none of them appears to be aimed at any particular kind of organisation.
- Max-MTU flood: full-size packets (1500 bytes, the Ethernet MTU), usually UDP and usually directed at UDP port 80 (the CSIRT is not sure why). The source addresses are spoofed, which UDP allows because there is no handshake, so the apparent senders are not the attackers. The attack normally targets a single IP address.
- DNS amplification: the attacker asks a DNS server for, say, the A records of some name, with the victim's address as the spoofed source, so the answer goes to the victim. The response carries more bytes than the query, and you can see the size difference yourself with dig. Because DNS runs over UDP the source address is trivially spoofed. An attacker with a 10 Mbit/s link saturated with queries therefore generates far more than 10 Mbit/s of traffic towards the victim.
- SYN flood: the attacker sends a SYN to the server, which reserves resources for the expected new connection, replies with a SYN-ACK to whatever address the SYN claimed to come from, and then waits for an ACK that never arrives. Repeat this quickly enough and the server's connection table fills with half-open connections, so legitimate clients can no longer connect.
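The three signatures above can be told apart from per-destination flow records. The script below is an added example, not part of the original notes and not CSIRT tooling: it classifies one second of constructed flow records (the record layout, the thresholds such as MIN_SOURCES and the 512-byte "larger than a plain DNS answer" cut-off, and all the traffic are assumptions made here) into a max-MTU UDP flood, a DNS amplification flood and a SYN flood, and reports the inbound rate so it can be compared with the link size.

```python
"""Classify a window of flow records into the three flood types.

Added example, not from the original notes. Flow records, thresholds and
addresses are constructed here so the script runs offline; real input would
come from NetFlow/sFlow or a pcap.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow (src -> dst) observed in the window."""
    src: str
    dst: str
    proto: str        # "udp" or "tcp"
    sport: int
    dport: int
    pkt_len: int      # typical packet size in bytes
    pkts: int         # packets seen in the window
    flags: str = ""   # TCP flags seen from src: "S" = SYN only, "SA" = SYN then ACK

    @property
    def nbytes(self):
        return self.pkt_len * self.pkts


MTU = 1500             # Ethernet maximum transmission unit
MIN_SOURCES = 50       # assumed: fewer sources than this is not treated as a flood
DNS_PLAIN_MAX = 512    # assumed: classic non-EDNS UDP answer limit; amplified answers exceed it


def mbps(nbytes, window_s=1.0):
    """Bytes in the window -> megabits per second."""
    return nbytes * 8 / window_s / 1e6


def classify(flows, window_s=1.0):
    """Return {victim_ip: [finding, ...]}; each finding is a dict with a 'type' key."""
    by_dst = defaultdict(list)
    for f in flows:
        by_dst[f.dst].append(f)

    findings = defaultdict(list)
    for dst, fl in by_dst.items():
        total = sum(f.nbytes for f in fl)

        # 1. Max-MTU flood: full-size UDP datagrams to one port from many (spoofed) sources,
        #    making up almost all of the traffic towards this address.
        by_port = defaultdict(list)
        for f in fl:
            if f.proto == "udp" and f.pkt_len >= MTU:
                by_port[f.dport].append(f)
        for port, pf in by_port.items():
            srcs = {f.src for f in pf}
            vol = sum(f.nbytes for f in pf)
            if len(srcs) >= MIN_SOURCES and vol >= 0.8 * total:
                findings[dst].append({"type": "max-mtu-udp", "dport": port,
                                      "sources": len(srcs), "mbps": round(mbps(vol, window_s), 1)})

        # 2. DNS amplification: large UDP datagrams from source port 53 of many resolvers.
        #    The resolvers are real hosts (they answered a spoofed query), not the attacker.
        dns = [f for f in fl if f.proto == "udp" and f.sport == 53 and f.pkt_len > DNS_PLAIN_MAX]
        if len({f.src for f in dns}) >= MIN_SOURCES:
            vol = sum(f.nbytes for f in dns)
            findings[dst].append({"type": "dns-amplification", "reflectors": len({f.src for f in dns}),
                                  "mbps": round(mbps(vol, window_s), 1)})

        # 3. SYN flood: many sources send SYN and never follow with an ACK (half-open).
        syn_only = {f.src for f in fl if f.proto == "tcp" and f.flags == "S"}
        completed = {f.src for f in fl if f.proto == "tcp" and "A" in f.flags}
        half_open = syn_only - completed
        tcp_srcs = syn_only | completed
        if len(half_open) >= MIN_SOURCES and len(half_open) >= 0.9 * len(tcp_srcs):
            syns = sum(f.pkts for f in fl if f.proto == "tcp" and f.src in half_open)
            findings[dst].append({"type": "syn-flood", "half_open_sources": len(half_open),
                                  "syn_per_s": syns / window_s})
    return dict(findings)


def sample_flows():
    """Constructed traffic for one 1 s window: three victims plus a few legitimate clients."""
    flows = []
    # Victim A: 200 spoofed sources, 1500-byte UDP to port 80, 40 pkt/s each (~96 Mbit/s)
    for i in range(1, 201):
        flows.append(Flow(f"198.51.100.{i}", "203.0.113.10", "udp", 40000 + i, 80, 1500, 40))
    # Victim B: 60 open resolvers answering queries that carried B's address (~67 Mbit/s)
    for i in range(1, 61):
        flows.append(Flow(f"192.0.2.{i}", "203.0.113.20", "udp", 53, 33434, 1400, 100))
    # Victim C: 300 sources sending 20 SYN/s each and never completing the handshake
    for i in range(1, 301):
        flows.append(Flow(f"100.64.{i // 256}.{i % 256}", "203.0.113.30", "tcp",
                          50000 + i, 443, 60, 20, "S"))
    # Legitimate clients complete the handshake (SYN then ACK) and send data
    for i in range(1, 6):
        for dst in ("203.0.113.10", "203.0.113.20", "203.0.113.30"):
            flows.append(Flow(f"203.0.113.{100 + i}", dst, "tcp", 50000 + i, 443, 500, 10, "SA"))
    return flows


if __name__ == "__main__":
    for victim, found in classify(sample_flows()).items():
        for finding in found:
            print(victim, finding)
```

The SYN-flood rule keys on sources that send SYN and never ACK, rather than on SYN rate alone, because a busy but healthy server also sees a high SYN rate; the max-MTU rule demands that the full-size UDP traffic dominates the bytes to the address, so a single large legitimate transfer does not trip it.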
No network kit at the customer site can help with a volumetric DoS: if 2-3 Gbit/s is heading your way and you only have a 1 Gbit/s link, the link is saturated before any device on your side ever sees the traffic.
Things the CSIRT can do to help:
- Stop the traffic reaching the affected customer's link in the first place. They can usually see that you are being hit from the health of your link, but contact them as soon as you think you are the victim of a DoS rather than waiting to be noticed. Some customer kit, e.g. a Cisco ASA, shows a sharp rise in CPU utilisation from interrupt handling as an attack starts, so watch for that as an early warning.
- Mitigation black hole: the attacked IP address is null-routed upstream so that traffic to it is dropped before it reaches your link. This copes with 10 Gbit/s of sustained traffic, but the black-holed address becomes unreachable for everyone, so it sacrifices one host to keep the rest of the link usable.
- Granular edge filtering, like an extended ACL, so that specific IPs, protocols and ports can be blocked upstream while other traffic to the same address still gets through. It is slower to apply or remove, not always useful (a filter on source addresses does little against a flood whose sources are spoofed across a wide range), and copes with several Gbit/s of sustained traffic.
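The trade-off between the two upstream mitigations is easiest to see on a concrete window of traffic. The following is an added example, not part of the original notes and not the CSIRT's tooling: it models a black-hole route (drop everything addressed to the victim) and an extended-ACL style filter (drop only flows matching protocol, port or source prefix) against a constructed 1.6 Gbit/s UDP/80 flood from spoofed sources, and reports what each leaves on an assumed 1 Gbit/s customer link. The link size, the flow records and the "attack" ground-truth labels used for scoring are all assumptions made here.

```python
"""Model black-hole routing versus granular (ACL-style) filtering upstream.

Added example, not from the original notes. Flow records are plain dicts with an
'attack' label used only to score the outcome; an upstream filter would not know it.
"""

LINK_MBPS = 1000.0   # assumed customer link: 1 Gbit/s


def mbps(nbytes, window_s=1.0):
    """Bytes in the window -> megabits per second."""
    return nbytes * 8 / window_s / 1e6


def blackhole(flows, victim):
    """Null-route the victim: nothing addressed to it crosses the edge."""
    return [f for f in flows if f["dst"] != victim]


def acl_deny(flows, victim, proto=None, dport=None, src_prefix=None):
    """Extended-ACL style deny: drop flows to the victim matching every field given."""
    def matches(f):
        if f["dst"] != victim:
            return False
        if proto is not None and f["proto"] != proto:
            return False
        if dport is not None and f["dport"] != dport:
            return False
        if src_prefix is not None and not f["src"].startswith(src_prefix):
            return False
        return True
    return [f for f in flows if not matches(f)]


def assess(flows, victim, link_mbps=LINK_MBPS):
    """Rates that would arrive on the customer link after the given flows pass the edge."""
    attack = sum(f["bytes"] for f in flows if f["attack"])
    legit_victim = sum(f["bytes"] for f in flows if not f["attack"] and f["dst"] == victim)
    legit_other = sum(f["bytes"] for f in flows if not f["attack"] and f["dst"] != victim)
    offered = mbps(attack + legit_victim + legit_other)
    return {
        "offered_mbps": offered,
        "saturated": offered > link_mbps,        # everything behind the link suffers
        "attack_mbps": mbps(attack),
        "legit_victim_mbps": mbps(legit_victim),  # 0 means the victim is offline
        "legit_other_mbps": mbps(legit_other),
    }


VICTIM = "203.0.113.10"


def sample_flows():
    """Constructed 1 s window: a spoofed UDP/80 flood plus legitimate traffic."""
    flows = []
    # 100 attack flows, 2 MB each (1.6 Gbit/s), sources spoofed across four prefixes
    prefixes = ["198.51.100.", "192.0.2.", "100.64.0.", "172.16.0."]
    for i in range(100):
        flows.append({"src": prefixes[i % 4] + str(i + 1), "dst": VICTIM, "proto": "udp",
                      "dport": 80, "bytes": 2_000_000, "attack": True})
    # 5 legitimate HTTPS clients of the victim, 50 kB each
    for i in range(5):
        flows.append({"src": f"203.0.113.{100 + i}", "dst": VICTIM, "proto": "tcp",
                      "dport": 443, "bytes": 50_000, "attack": False})
    # 10 legitimate flows to other hosts on the same link, 100 kB each
    for i in range(10):
        flows.append({"src": f"203.0.113.{120 + i}", "dst": f"203.0.113.{11 + i}", "proto": "tcp",
                      "dport": 443, "bytes": 100_000, "attack": False})
    return flows


def compare(flows=None, victim=VICTIM):
    """Run each mitigation and return {name: assessment}."""
    flows = sample_flows() if flows is None else flows
    return {
        "none": assess(flows, victim),
        "blackhole": assess(blackhole(flows, victim), victim),
        "acl udp/80": assess(acl_deny(flows, victim, proto="udp", dport=80), victim),
        "acl src 198.51.100/24": assess(acl_deny(flows, victim, src_prefix="198.51.100."), victim),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:24s} {result}")
```

With no mitigation the link is saturated and everything behind it suffers; the black hole clears the link but leaves the victim with no legitimate traffic at all; the port-based ACL clears the link and keeps the victim's HTTPS traffic, which is why it is worth the extra time to set up; and the source-prefix ACL removes only a quarter of a flood whose sources are spoofed across several prefixes, leaving the link still saturated.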