by RSS Hemant Jain  |  Oct 24, 2016  |  Filed in: Industry Trends & News

As further details become available for the massive distributed denial of service attack against Dyn on Oct 21 2016, here are some things FortiDDoS customers can do to protect themselves from a potential Internet of Things (IoT) botnet-based DDoS attack like Mirai.

Mirai spreads by compromising vulnerable IoT devices such as DVRs. Many IoT manufacturers failed to secure these devices properly, and they don't include the memory and processing necessary to be updated. They are also usually not in control of the destination of their outbound traffic, so if that information is changed or compromised there is nothing they can do. As a result, the attack cannot be stopped at the egress point on the devices themselves. Instead, network segmentation is absolutely critical for protection against outbound attacks. The responsibility for protection from IoT-based DDoS attacks, however, lies at the ingress point of the attack.

(Read my other blog entry: https://blog.fortinet.com/2015/07/20/iot-and-cyberwars)

The Mirai malware responsible for this latest attack is designed to look for telnet services available from the Internet, and checks for several sets of default credentials, such as default username and password. The most common targets were IP CCTV cameras ­ as many have known default credentials.

FortiDDoS is designed to identify and mitigate attacks like the one caused by the Mirai malware. To protect your organization from such inbound DDoS attacks, here is a list of mitigation techniques you can use with FortiDDoS:

Attack Type

Attack Name

Attack Description

Mitigation

0.

Straight up UDP flood

UDP flood

  • Ensure that UDP services are in an independent Service Protection Profile (SPP).
  • For the SPPs that don’t receive UDP services, simply use an ACL to block UDP protocols.
  • For SPPs that do receive UDP services, ensure that the thresholds are based on your baseline traffic.
  1.  

Valve Source Engine query flood

The Valve Source Engine flood is a UDP (amplification) attack used to consume available resources against a server. The attack is designed to flood TSource Engine Query with so many requests to a gaming server that it cannot process all of them, thereby creating a denial attack against the gaming service. This type of attack is geared specifically to the gamers market. It is a reflection attack with responses larger than requests.

  • Ensure that UDP services are in an independent Service Protection Profile (SPP).
  • In the SPPs that don’t receive UDP services, simply use an ACL to block the UDP protocol.
  • For SPPs that do receive UDP services, ensure that the thresholds are based on your baseline traffic.
  1.  

DNS Water Torture

Queries of made up of subdomains. Also known as Slow Drip DNS attack.

  • Enable “Allow only valid queries under flood (LQ)”
  • Enable “Validate TTL for queries from the same IP under flood (TTL)”
  • Enable “Generate response from cache under flood”
  1.  

SYN flood with options

 

  • Enable Syn Flood Mitigation on both inbound and outbound directions
  1.  

ACK flood

 

  • Enable TCP Session feature controls
  1.  

ACK flood to bypass mitigation devices

 

  • Enable TCP Session feature controls
  1.  

GRE IP flood

 

  • Restrict GRE to only service SPP, and reduce the threshold to your baseline
  1.  

GRE Ethernet flood

 

  • Restrict GRE to only service SPP and reduce the threshold to your baseline
  1.  

Proxy knockback connection

Disabled in code

  • NA
  1.  

Plain UDP flood optimized for speed

Random UDP flood

  • Ensure that UDP services are in an independent Service Protection Profile (SPP).
  • For the SPPs that don’t receive UDP services, simply use an ACL to block UDP protocol.
  • In the SPPs that do receive UDP services, ensure that the thresholds are based on your baseline traffic.
  1.  

HTTP layer 7 flood

 

HTTP floods

  • Enable Aggressive aging for Layer 7-flood, High concurrent connections per source, High concurrent connections per destination, and Track slow TCP connections
  • Enable Slow Connection Detection
  • Manage thresholds for concurrent connections per source and enable source tracking.

 

While the above solutions are based on available information and sources for Mirai botnet, no one can prevent a hacker from modifying existing attack processes. The advantage provided by FortiDDoS is that it looks for behavioral anomalies and responds accordingly. You can be therefore confident that the mitigations outlined above will work regardless of changes to attacks imposed by hackers.             

 

by RSS Hemant Jain  |  Oct 24, 2016  |  Filed in: Industry Trends & News

comments powered by Disqus