Volumetric attacks aim to completely saturate the bandwidth available to a specific target. They are also known as volume-based attacks because they push hundreds of gigabits per second toward the victim, typically from a botnet the attacker has rented. Once the link leading to the server is saturated, legitimate users who want to reach the service cannot do so, which results in a denial of service.
Some of the most common attacks that are volumetric are the following:
- DNS amplification: it abuses the DNS protocol. The attacker sends small queries to open DNS resolvers with the source IP spoofed to that of the target, so the resolvers deliver their much larger responses to the victim, multiplying the attacker's bandwidth many times over.
- ICMP flood: the target is bombarded with ICMP packets (for example echo requests) until its available bandwidth is consumed.
- UDP flood: UDP datagrams are sent to random or specific ports of the target to saturate its bandwidth and overwhelm the server ports, which additionally forces the host to answer with ICMP "port unreachable" messages. Because UDP is connectionless and its source address is trivial to spoof, this is one of the most powerful attacks: it can saturate even services that have a large bandwidth.
As you can see, volumetric attacks aim to completely saturate the available bandwidth of the server.
Protocol Attacks
The objective of these attacks is to exhaust the resources of the attacked server (connection tables, memory, CPU) rather than its bandwidth, by creating hundreds or thousands of forged requests per second so that the web server, and even the operating system itself, stops responding under this abnormal load. The most popular protocol attack is the TCP SYN flood against a specific host. Keep in mind that TCP is a reliable, connection-oriented protocol: before any real data is sent, client and server must complete a three-way handshake, after which the data flows with loss detection and retransmission. A TCP SYN attack works as follows:
- The attacker sends the server a TCP segment with the SYN flag set; the source IP address in this segment is not the attacker's real address but a spoofed one.
- The server tries to complete the three-way handshake by replying with a SYN-ACK to the spoofed address and allocates state for the half-open connection. The SYN-ACK never reaches the attacker; the spoofed host, if it exists at all, either ignores it or answers with a RST.
- The server retransmits the SYN-ACK and waits a certain time (on Linux roughly a minute across all retries) before discarding the half-open connection.
If an attacker sends 10 TCP SYN segments, the server handles them correctly and without problems, but when the attacker sends millions of them the backlog of half-open connections fills up and new legitimate SYNs are dropped: the service becomes unreachable even though bandwidth and CPU may be fine. However, current operating systems already ship mitigations for this attack (SYN cookies, enabled on Linux with net.ipv4.tcp_syncookies = 1, let the server answer SYNs without keeping per-connection state), and we can also put a SYNPROXY in front of the server (for example the netfilter SYNPROXY target) that completes the handshake on the server's behalf and only forwards connections that were actually established.
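To make the backlog exhaustion and the SYN-cookie mitigation concrete, here is an added toy model (written for this article, not code from any real TCP stack or from the original page). It keeps only the state that matters for a SYN flood: without cookies every SYN occupies a backlog slot until it times out, so a spoofed flood blocks a legitimate client; with cookies the server keeps no state for SYNs and validates the final ACK by recomputing an HMAC over the source address, port and time slot. The secret, the tiny backlog size, the 60-second half-open timeout and the addresses are all assumptions chosen for the example.

```python
import hashlib
import hmac

# Assumptions for this toy model (not taken from any real TCP stack):
#   - a per-host secret for the SYN-cookie MAC, rotated in practice
#   - a deliberately tiny backlog so that exhaustion is visible in a few lines
#   - half-open entries are discarded after 60 s (roughly Linux's total retry time)
COOKIE_SECRET = b"constructed-secret-for-the-example"
BACKLOG_LIMIT = 4
HALF_OPEN_TIMEOUT = 60.0


class Listener:
    """Toy TCP listener that keeps only the state relevant to a SYN flood.

    syncookies=False: every SYN allocates a half-open entry (classic backlog).
    syncookies=True : no state is kept for a SYN; the server ISN in the SYN-ACK
                      is an HMAC over (src ip, src port, time slot), and the final
                      ACK is validated by recomputing it (simplified RFC 4987).
    """

    def __init__(self, syncookies, backlog_limit=BACKLOG_LIMIT):
        self.syncookies = syncookies
        self.backlog_limit = backlog_limit
        self.half_open = {}        # (src_ip, src_port) -> (server_isn, syn_time)
        self.established = set()
        self.dropped_syns = 0

    def _cookie(self, src_ip, src_port, slot):
        msg = f"{src_ip}:{src_port}:{slot}".encode()
        mac = hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def on_syn(self, src_ip, src_port, now):
        """Handle a SYN; return the server ISN sent in the SYN-ACK, or None if dropped."""
        if self.syncookies:
            return self._cookie(src_ip, src_port, int(now) // 60)
        self.expire(now)
        if len(self.half_open) >= self.backlog_limit:
            self.dropped_syns += 1          # backlog full: legitimate SYNs die here too
            return None
        seed = f"{src_ip}:{src_port}:{now}".encode()
        isn = int.from_bytes(hashlib.sha256(seed).digest()[:4], "big")
        self.half_open[(src_ip, src_port)] = (isn, now)
        return isn

    def on_ack(self, src_ip, src_port, ack_num, now):
        """Handle the third handshake segment; ack_num must be server ISN + 1."""
        key = (src_ip, src_port)
        if self.syncookies:
            slot = int(now) // 60
            # accept the current slot and the previous one, so a cookie issued
            # just before a slot boundary is still valid
            for s in (slot, slot - 1):
                if ack_num == (self._cookie(src_ip, src_port, s) + 1) & 0xFFFFFFFF:
                    self.established.add(key)
                    return True
            return False
        entry = self.half_open.get(key)
        if entry is None or ack_num != (entry[0] + 1) & 0xFFFFFFFF:
            return False
        del self.half_open[key]
        self.established.add(key)
        return True

    def expire(self, now):
        """Discard half-open entries whose SYN-ACK retransmissions have timed out."""
        stale = [k for k, (_, t) in self.half_open.items() if now - t > HALF_OPEN_TIMEOUT]
        for k in stale:
            del self.half_open[k]


def simulate(syncookies, flood_syns=1000):
    """Spoofed SYN flood followed by one legitimate client; returns what happened."""
    srv = Listener(syncookies)
    now = 1_700_000_000.0
    for i in range(flood_syns):
        # constructed spoofed sources from a documentation range; nobody ever ACKs these
        srv.on_syn(f"198.51.100.{i % 250}", 10000 + i, now)
    legit = ("203.0.113.7", 40000)
    isn = srv.on_syn(*legit, now + 1.0)
    connected = isn is not None and srv.on_ack(*legit, (isn + 1) & 0xFFFFFFFF, now + 1.1)
    return {"legit_connected": connected,
            "dropped_syns": srv.dropped_syns,
            "half_open": len(srv.half_open)}


if __name__ == "__main__":
    print("classic backlog:", simulate(False))
    print("SYN cookies   :", simulate(True))
```

With the classic backlog the flood fills the four slots, the remaining 996 spoofed SYNs and the legitimate one are dropped, and the client never connects; with cookies the server holds no half-open state at all and the legitimate handshake succeeds. Real stacks also squeeze the MSS into the cookie and drop TCP options they cannot encode, which is why SYN cookies are normally only engaged once the backlog is under pressure.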
Application Layer Attacks
These attacks aim to crash the web server itself, be it Apache2 or Nginx (the two most popular), by sending HTTP requests that look legitimate but are not. They are also known as layer 7 (application layer) DDoS attacks, and there are mainly two types:
- HTTP flood: thousands of HTTP requests are sent from many source IPs with the aim of completely saturating the web server (worker processes, CPU, the database behind it) until it stops responding. Because each request is a valid HTTP transaction, this traffic is harder to tell apart from real visitors than a packet flood.
- Low-and-slow: a small flow of HTTP traffic that uses very little bandwidth, for example headers or POST bodies sent a few bytes at a time (Slowloris and R.U.D.Y. are well-known tools). The aim is to hold as many server connections open as possible, gradually exhausting the worker pool until real users are denied service.
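Both layer 7 patterns leave traces in the web server's access log, and the two are detected differently: an HTTP flood shows up as a source that exceeds a request rate over a sliding window, whereas low-and-slow traffic shows up as requests that occupy a worker for a very long time while transferring almost nothing (or that time out with a 408). The following detector is an added example written for this article, not code from the page or from Apache or Nginx. It assumes a custom Nginx log_format that appends $request_time to the usual fields, and it runs over a constructed log rather than a captured one.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed nginx log_format (not the default 'combined'):
#   '$remote_addr [$time_local] "$request" $status $body_bytes_sent $request_time'
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) (?P<rt>[\d.]+)$'
)


def parse(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z").timestamp(),
        "status": int(m["status"]),
        "bytes": int(m["bytes"]),
        "rt": float(m["rt"]),
    }


def detect_flood(events, window=10.0, max_requests=20):
    """HTTP flood: sources with more than max_requests hits inside any window of `window` seconds."""
    offenders = set()
    recent = defaultdict(deque)                 # ip -> timestamps inside the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) > max_requests:
            offenders.add(ev["ip"])
    return offenders


def detect_slow(events, min_seconds=30.0, min_hits=3):
    """Low-and-slow: sources that repeatedly tie up a worker for a long time,
    either timing out (408) or completing with a huge request_time and little data."""
    hits = defaultdict(int)
    for ev in events:
        if ev["status"] == 408 or (ev["rt"] >= min_seconds and ev["bytes"] < 1024):
            hits[ev["ip"]] += 1
    return {ip for ip, n in hits.items() if n >= min_hits}


def build_sample_log():
    """Constructed log for the example; nothing here was captured from a real server."""
    def line(ip, sec, req="GET / HTTP/1.1", status=200, nbytes=5120, rt=0.012):
        return f'{ip} [10/Oct/2023:13:55:{sec:02d} +0000] "{req}" {status} {nbytes} {rt:.3f}'

    lines = [line("203.0.113.10", sec) for sec in (0, 5, 9)]          # normal visitor
    lines += [line("198.51.100.9", 1 + i % 5, req="GET /search?q=x HTTP/1.1")
              for i in range(25)]                                       # 25 hits in 5 s
    lines += [line("192.0.2.44", sec, req="POST /upload HTTP/1.1", status=408, nbytes=0, rt=60.0)
              for sec in (2, 12, 22, 32)]                               # slow POST bodies
    return lines


def analyze(lines):
    """Run both detectors over raw log lines, skipping any that do not parse."""
    events = [e for e in (parse(l) for l in lines) if e]
    return {"flood": detect_flood(events), "slow": detect_slow(events)}


if __name__ == "__main__":
    print(analyze(build_sample_log()))
```

The thresholds are deliberately low so the constructed log trips them; on a real site they should be set from a baseline of normal traffic, and a flagged source is better answered with a rate limit or a challenge than a hard block, since a NAT gateway or a corporate proxy can legitimately look like a single very busy IP.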
Now that you know the different types of DDoS attack, we ask: is it worth always keeping anti-DDoS measures enabled, or is it better to enable them only during a real attack? Today every hosting provider and CDN lets us enable DDoS mitigation. The first thing to understand is that a DDoS attack can be mitigated to a greater or lesser extent but never prevented: the attacker decides when to send the traffic, and stopping it at its source is not in our hands. Once that is clear, we must decide whether to enable the anti-DDoS system on demand or leave it always on so that it protects us against new attacks; each policy has its strengths and its weaknesses.
Anti-DDoS on demand
An on-demand anti-DDoS system is a service that we can enable or disable whenever we want. When our hosting or CDN detects a DDoS attack against our website, application or online service, it notifies us immediately so that we can decide what to do. The usual steps are:
- Analyze the type of DDoS attack being carried out against us.
- Enable the mitigation measures aimed specifically at the attack in progress.
When we enable DDoS mitigation, legitimate traffic can also be affected, that is, some clients may be unable to reach our website, because in many cases it is hard to distinguish malicious traffic from legitimate traffic. Depending on the firewall policies in use these problems may not appear at all, or only to a small degree; but if the attack is more aggressive and the rules have to be coarser (strict rate limits, challenges, blocking whole networks), hundreds of clients can be affected, so we must keep this very much in mind.
The strength of the on-demand approach is that we only use it while the attack lasts; once it is over we can disable it without any problem and our website continues to work normally. The downside is that the website may be down from the moment the attack starts until we enable the mitigation in the hosting panel or CDN, and someone from the technical team must always be available to monitor the site's traffic and react.
Attack Mitigation Always On
An always-on DDoS mitigation system means that the protection against these attacks is permanently active. Some hosting providers and CDNs let us enable it permanently to mitigate any attack launched against us. Although it may seem ideal to have it always enabled, since we would be shielded from the different attacks, in practice it is not as good as it seems.
When we enable DDoS mitigation on a permanent basis we have to consider every kind of attack and keep rules that mitigate all of them at the same time. Another very important point is that the legitimate traffic of our customers could be affected, preventing hundreds of users from reaching our website, so we ourselves could be denying the service. This must be taken into account when enabling mitigation permanently or almost permanently, because a lot of traffic that is not malicious could be blocked.
The positive side of always-on mitigation is that we do not have to worry too much about this kind of attack, since most of them will be mitigated adequately; even so, we must review which rules we have applied, because we may not have “covered” every possible attack.
Both on-demand and always-on mitigation have strengths and weaknesses. On-demand mitigation is generally the more common choice, to avoid blocking legitimate traffic from our customers as well. It can be enabled easily and quickly from the administration panel of our hosting, or, if we use a CDN such as Cloudflare, directly from its main management menu.
In the case of Cloudflare, we can enable different mitigation measures depending on the type of attack. For example, we can enable only layer 7 mitigation, which protects websites served over HTTP and HTTPS. We can also enable mitigation at the transport and network layers (layers 3 and 4), which covers services such as FTP, SSH, VoIP or online games, adding an extra layer of security to them.
Finally, we can also set rules so that the mitigation measures are enabled automatically when an attack is detected and disabled again when it stops, so that they do not interfere with legitimate traffic the rest of the time.
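The hard part of "enable on attack, disable when it stops" is deciding when the attack has actually stopped: if the same threshold is used in both directions, a flood that oscillates around it will switch the protection on and off every few seconds, and every switch disrupts legitimate users. The controller below is an added example written for this article; it is not Cloudflare's logic or any provider's API, and the thresholds, the cooldown and the request-rate series it is fed are all constructed. It shows the usual remedy: a higher threshold to switch on than to switch off (hysteresis), plus a cooldown of quiet samples before switching off.

```python
class MitigationController:
    """State machine that switches mitigation on and off from a request-rate signal.

    Assumed policy (not any provider's actual behaviour):
      - switch ON as soon as one sample reaches on_threshold requests/s
      - switch OFF only after the rate has stayed below off_threshold for
        `cooldown` consecutive samples
    on_threshold > off_threshold (hysteresis) together with the cooldown keeps
    the protection from flapping on every burst.
    """

    def __init__(self, on_threshold=2000.0, off_threshold=500.0, cooldown=3):
        if off_threshold >= on_threshold:
            raise ValueError("off_threshold must be below on_threshold")
        self.on_threshold = on_threshold
        self.off_threshold = off_threshold
        self.cooldown = cooldown
        self.active = False
        self._quiet = 0          # consecutive samples below off_threshold while active

    def observe(self, rps):
        """Feed one request-rate sample; return 'on' or 'off' on a transition, else None."""
        if not self.active:
            if rps >= self.on_threshold:
                self.active, self._quiet = True, 0
                return "on"
            return None
        if rps < self.off_threshold:
            self._quiet += 1
            if self._quiet >= self.cooldown:
                self.active = False
                return "off"
        else:
            self._quiet = 0      # attack still going (or resumed): restart the countdown
        return None


def run(samples, **kwargs):
    """Return [(sample_index, transition)] for a constructed series of per-second rates."""
    ctl = MitigationController(**kwargs)
    events = []
    for i, rps in enumerate(samples):
        t = ctl.observe(rps)
        if t:
            events.append((i, t))
    return events


if __name__ == "__main__":
    # constructed series: quiet, a flood, a dip that is not yet over, then quiet again
    print(run([100, 120, 5000, 7000, 6000, 300, 200, 1500, 100, 100, 100]))
```

In the sample series the dip to 300 and 200 req/s does not switch the protection off, because the rate climbs again before three quiet samples have passed; only the final run of low samples does. The same structure works with any signal the provider exposes (packets per second, SYN rate, error rate), and the "on" transition is where an on-demand setup would also page the technical team.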