Azure Network Security Team, Author at Microsoft Security Blog
http://approjects.co.za/?big=en-us/security/blog
Expert coverage of cybersecurity topics. Feed generated Wed, 03 Jul 2024 15:08:09 +0000.

KillNet and affiliate hacktivist groups targeting healthcare with DDoS attacks
http://approjects.co.za/?big=en-us/security/blog/2023/03/17/killnet-and-affiliate-hacktivist-groups-targeting-healthcare-with-ddos-attacks/
Fri, 17 Mar 2023 16:00:00 +0000

KillNet, a group that the US Department of Health and Human Services (DHHS) has called pro-Russia hacktivists, has been launching waves of attacks targeting governments and companies with a focus on the healthcare sector. In this blog post, we provide an overview of the DDoS attack landscape against healthcare applications hosted in Azure over three months.

The post KillNet and affiliate hacktivist groups targeting healthcare with DDoS attacks appeared first on Microsoft Security Blog.

In the last year, geopolitical tension has led to an uptick of reported cybercrime events fueled by hacktivist groups. The US Cybersecurity and Infrastructure Security Agency (CISA) published an advisory to warn organizations about these attacks and teamed with the FBI on a distributed denial-of-service (DDoS) response strategy guide. KillNet, a group that the US Department of Health and Human Services (DHHS) has called pro-Russia hacktivists, has been launching waves of attacks against western countries, targeting governments and companies with a focus on the healthcare sector. DHHS published an analyst note on KillNet’s threat to the health sector, mentioning that the group compromised a US healthcare organization that supports members of the US military.

KillNet uses DDoS as its main protest tool. DDoS attacks are a relatively easy and low-cost method of disrupting online services and websites and can be a powerful way to draw attention, making them a popular choice among hacktivist groups. In addition, DDoS attacks can be launched anonymously, which could make it difficult for authorities to track down perpetrators.

In this blog post, we provide an overview of the DDoS attack landscape against healthcare applications hosted in Azure over three months. We then list a couple of recent campaigns from KillNet, describe their attack patterns, and present how we mitigated and protected customers from these attacks. Finally, we outline best practices for organizations to protect their applications against DDoS attacks.

DDoS attacks against healthcare in Azure

We measured the number of daily attacks on healthcare organizations in Azure between November 18, 2022 and February 17, 2023. We observed an increase from 10-20 attacks per day in November to 40-60 attacks per day in February.

Figure 1. Number of daily DDoS attacks on healthcare applications in Azure (line chart)

We tracked attack statistics through the same time period and observed that DDoS attacks on healthcare organizations did not reach very high throughput. Several attacks hit 5M packets per second (pps), but the majority of attacks were below 2M pps. Although not extremely high, these attacks could take down a website if it is not protected by a network security service like Azure DDoS Network Protection (see guidance at the end).

Figure 2. Attack throughput (pps) on healthcare organizations (histogram)

The types of healthcare organizations attacked included pharma and life sciences with 31% of all attacks, hospitals with 26%, healthcare insurance with 16%, and health services and care also with 16%.

Figure 3. Types of healthcare organizations targeted by DDoS attacks (sunburst chart)

We also observed a combination of multi-vector layer 3, layer 4, and layer 7 DDoS attacks. Attacks primarily targeted web applications and intertwined TCP and UDP attack vectors. We observed layer 7 DDoS attacks that opened many TCP connections and kept them alive long enough to deplete connection-state memory and render the application unavailable. This is a repeated pattern noticed in several cases for attacks attributed to KillNet. Another common attack pattern tries to establish many new TCP connections over short intervals to exhaust CPU resources.

In contrast to overall DDoS attack trends for 2022, in which TCP was the most common attack vector, 53% of the attacks on healthcare were UDP floods, and TCP accounted for 44%, reflecting a different mixture of attack patterns used by adversaries on healthcare.

Figure 4. Distribution of DDoS attack types targeting healthcare (sunburst chart)

Of the UDP attack vectors, 38% were UDP spoof flood attacks, followed by DNS amplification attacks at 29%. UDP reflected amplification attacks accounted for 52% of all attacks. This is in line with other public reports on KillNet, where amplification and spoofed sources are used, among other attack vectors. Although the majority of attacks were on web applications, adversaries used multi-vector UDP spoof and reflected amplification attacks alongside TCP attacks to saturate the network and impact the attacked application.

Figure 5. Distribution of UDP attacks on healthcare (sunburst chart)

Attack campaigns

In this section, we outline a couple of attack campaigns launched by KillNet or its affiliated hacktivist groups targeting customers in Azure. These attacks had no impact on Azure services and customers were protected by our Azure DDoS Network Protection service.

The first customer is a healthcare provider that was recently hit by a DDoS attack. The attack throughput was not very high, peaking at 1.3M pps. The organization protected its service with Azure DDoS Network Protection, and the attack was successfully mitigated. Such attack throughput demonstrates why it is crucial to protect applications against DDoS attacks. Similar attacks may target an application with volumes low enough to evade infrastructure-level DDoS protection, because they pose no risk to Azure services or to other customers, yet they may still take down the application. With Azure DDoS Network Protection, we learn normal baseline patterns specific to an application and detect traffic anomalies effectively.

Attack vectors included TCP SYN, TCP ACK, and packet anomalies. The attack lasted less than 12 hours, and the adversary likely launched it using DDoS scripting tools, spoofing large numbers of source IP addresses.

Another attack targeted a multinational industrial company. The attack lasted several days and included layer 4 TCP SYN and ACK attacks, as well as layer 7 HTTP request attacks on the company’s website. It was launched from a botnet comprising 22,000 attack sources. The attack volume was similarly not very high, hitting 250K pps, and each attack source sent a relatively small amount of HTTP traffic to the attacked website. The majority of the traffic appeared to be legitimate client traffic. However, the number of connections created was intended to consume connection-state and CPU resources.
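The two connection-level patterns described above (bursts of new TCP connections from many sources, and connections kept open while carrying almost no data) can be checked against a learned per-application baseline. The following Python is an added illustration, not code from this post or from Azure DDoS Network Protection; the connection records, addresses and thresholds are constructed for the example.

```python
from collections import Counter
from statistics import mean, pstdev


def make_baseline(seconds=60):
    """Constructed 'normal' traffic (not Azure telemetry): 4-6 short, chatty
    connections per second from a handful of client addresses."""
    recs = []
    for t in range(seconds):
        for i in range(4 + t % 3):
            recs.append({"start": t, "end": t + 2,
                         "src": f"203.0.113.{i + 1}", "bytes": 2000})
    return recs


def make_flood(t0=60, seconds=10, per_second=200):
    """Constructed flood in the shape described above: one connection per
    source, many sources per second, little data, connection held open."""
    recs = []
    for t in range(t0, t0 + seconds):
        for i in range(per_second):
            n = (t - t0) * per_second + i
            recs.append({"start": t, "end": t + 90,
                         "src": f"100.64.{n // 256}.{n % 256}", "bytes": 180})
    return recs


def learn_baseline(records):
    """Mean and standard deviation of new connections per second over a
    known-good period; this stands in for the learned application baseline."""
    counts = Counter(r["start"] for r in records)
    values = [counts[t] for t in range(min(counts), max(counts) + 1)]
    return mean(values), pstdev(values)


def analyze(records, baseline_records, k=5, hold_seconds=30, hold_max_bytes=512):
    base_mean, base_std = learn_baseline(baseline_records)
    # Pattern 1: many new connections over a short interval (CPU pressure).
    # The floor keeps a near-constant baseline from flagging trivial jitter.
    threshold = max(base_mean + k * base_std, 3 * base_mean)
    per_sec = Counter(r["start"] for r in records)
    bursts = sorted(t for t, n in per_sec.items() if n > threshold)
    # Pattern 2: connections held open while sending almost nothing
    # (connection-state exhaustion rather than bandwidth).
    holders = [r for r in records
               if r["end"] - r["start"] >= hold_seconds and r["bytes"] <= hold_max_bytes]
    return {
        "baseline_per_second": round(base_mean, 2),
        "burst_threshold": round(threshold, 2),
        "burst_seconds": bursts,
        "peak_new_connections_per_second": max(per_sec.values()),
        "state_holding_connections": len(holders),
        "distinct_state_holding_sources": len({r["src"] for r in holders}),
    }


if __name__ == "__main__":
    base = make_baseline()
    print(analyze(base + make_flood(), base))
```

Note that the flood seconds are flagged by the per-second burst rule while no single source exceeds one connection, which is why a per-source rate limit alone would miss this shape.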

The top three countries from which the adversary launched the botnet attack were the US, Russia, and Ukraine.

Figure 6. Global distribution of the botnet used to launch the attack (map)

These attacks were successfully mitigated for customers enrolled in Azure DDoS Network Protection and Web Application Firewall services.

Mitigating DDoS attacks from KillNet and other adversaries

KillNet and its affiliated adversaries utilize DDoS attacks as their most common tactic. By using DDoS scripts and stressors, recruiting botnets, and utilizing spoofed attack sources, KillNet could easily disrupt the online presence of websites and apps. KillNet attempted to evade DDoS mitigation strategies by changing their attack vectors, such as utilizing different layer 4 and layer 7 attack techniques and increasing the number of sources participating in the attack campaign.

Azure DDoS Network Protection helps to protect apps and resources with a profile automatically tuned to expected traffic volume. Customers can defend themselves against even the most sophisticated attacks with an Azure global network that provides dedicated monitoring, logging, telemetry, and alerts.

Azure DDoS Network Protection not only detects and mitigates DDoS attacks, but also minimizes the impact on legitimate traffic, such as in cases where botnets are harnessed to carry out attacks. We employ various mitigations to minimize false positives, including authentication, footprinting, and connection and rate-limiting countermeasures. With DDoS Rapid Response, DDoS Network Protection customers can use a hotline to a DDoS service team that helps with attack mitigation, which is important when attack campaigns are highly coordinated. The combination of Azure DDoS Network Protection and Web Application Firewall (WAF) provides protection against layer 3, 4, and 7 DDoS attacks.

Steps to protect against and respond to DDoS attacks

To defend against DDoS attacks, organizations hosting web applications in Azure are recommended to take the following steps:

  1. Enable DDoS Network Protection. Enabling DDoS Network Protection takes only a few steps, and customers don’t need to change their network architecture. Include Azure WAF to protect your application against layer 7 DDoS attacks and other application attacks. Use Azure Front Door CDN to minimize the threat of DDoS attacks by distributing and balancing web traffic across Azure’s global network.
  2. Design your application with DDoS best practices in mind, and ensure it’s protected before an attack occurs. Design your DDoS Protection strategy based on fundamental best practices. Make sure you test your application readiness, and DDoS Protection by simulating DDoS attacks with one of our partners.
  3. Create a DDoS response plan. Having a response plan is critical to help you identify, mitigate, and quickly recover from DDoS attacks. A key part of the strategy is a DDoS response team with clearly defined roles and responsibilities. This DDoS response team should understand how to identify, mitigate, and monitor an attack and be able to coordinate with internal stakeholders and customers.
  4. Reach out for help during an attack. During attacks you need to count on experts that will help you to mitigate the attack while ensuring no downtime and keeping the application up and running. Azure DDoS Network Protection customers have access to the DDoS Rapid Response team, who can help with investigation during an attack as well as post-attack analysis.
  5. Learn and adapt after an attack. While you’ll likely want to move on as quickly as possible if you’ve experienced an attack, it’s important to continue to monitor your resources and conduct a retrospective after an attack. You should apply any learnings to improve your DDoS response strategy.

Amir Dahan and Syed Pasha, Azure Network Security Team

2022 in review: DDoS attack trends and insights
http://approjects.co.za/?big=en-us/security/blog/2023/02/21/2022-in-review-ddos-attack-trends-and-insights/
Tue, 21 Feb 2023 18:00:00 +0000

With DDoS attacks becoming more frequent, sophisticated, and inexpensive to launch, it’s important for organizations of all sizes to be proactive and stay protected. In this blog, we detail trends and insights into DDoS attacks we observed and mitigated throughout 2022.

As organizations strengthen their defenses and take a more proactive approach to protection, attackers are adapting their techniques and increasing the sophistication of their operations. Cybercrime continues to rise with the industrialization of the cybercrime economy providing cybercriminals with greater access to tools and infrastructure.

In the first half of 2022, the cyberthreat landscape was focused around the war in Ukraine and the rise of nation-state attacks and hacktivism across the world. In February, Ukraine was hit with the largest distributed denial-of-service (DDoS) attack in the country’s history, impacting government websites and banking web services. As the conflict continued, there was a ripple effect to western countries, including the UK, US, and Germany. UK financial services firms experienced a significant increase in DDoS attacks as they were heavily targeted by nation-state attackers and hacktivists looking to disrupt Ukraine’s allies.

Hacktivism continued to be rampant throughout the year, including Taiwanese websites experiencing outages in August 2022 due to DDoS attacks ahead of House Speaker Nancy Pelosi’s arrival in Taiwan. Beyond attacks with political motives, DDoS attacks also impacted a wide range of industries. In particular, the gaming industry continued to be highly targeted. In March 2022, a DDoS attack brought down the game servers of Among Us, preventing players from accessing the popular multiplayer game for a few days. A new version of RapperBot (heavily inspired by the Mirai botnet) was used in the second half of 2022 to target game servers running Grand Theft Auto: San Andreas.

In this blog, we share trends and insights into DDoS attacks we observed and mitigated throughout 2022.

Large volume of attacks during the holiday season

In 2022, Microsoft mitigated an average of 1,435 attacks per day. The maximum number of attacks in a day recorded was 2,215 attacks on September 22, 2022. The minimum number of attacks in a day was 680 on August 22, 2022. In total, we mitigated upwards of 520,000 unique attacks against our global infrastructure during 2022.

Figure 1. Attack volume: number of daily DDoS attacks throughout 2022

This year, we saw a lower volume of attacks in June through August and a high volume of attacks during the holiday season until the last week of December. This is in line with attack trends we have seen in the last few years, except for 2021, when there were fewer attacks during the holiday season. In May, we mitigated a 3.25 terabits per second (Tbps) attack in Azure, the largest attack in 2022.

DDoS protection tip: Make sure to avoid having a single virtual machine backend so it is less likely to get overwhelmed. Azure DDoS Protection covers scaled out costs incurred for all resources during an attack, so configure autoscaling to absorb the initial burst of attack traffic while mitigation kicks in.

TCP attacks remain the most common attack vector

TCP attacks were the most frequent form of DDoS attack encountered in 2022, comprising 63% of all attack traffic, which includes all TCP attack vectors: TCP SYN, TCP ACK, TCP floods, etc. Since TCP remains the most common networking protocol, we expect TCP-based attacks to continue to make up most DDoS attacks. UDP attacks were significant as well with 22% of all attacks (combined for UDP flood and UDP amplification attacks), while Packet anomaly attacks made up 15% of attacks.

Figure 2. Attack type (sunburst chart): TCP flood attacks 63%, packet anomaly attacks 15%, UDP flood attacks 13%, UDP amplification attacks 9%

Out of UDP flood attacks, spoofed floods consumed most of the attack volume with 53%. The remaining attack vectors were reflected amplification attacks, with the main types being CLDAP, NTP, and DNS.

We observed TCP reflected amplification attacks becoming more prevalent, with attacks on Azure resources using diverse types of reflectors and attack vectors. This new attack vector takes advantage of improper TCP stack implementations in middleboxes, such as firewalls and deep packet inspection devices, to elicit amplified responses that can reach infinite amplification in some cases. As an example, in April 2022, we monitored a reflected amplified SYN+ACK attack on an Azure resource in Asia. The attack reached 30 million packets per second (pps) and lasted 15 seconds. Attack throughput was not very high; however, there were 900 reflectors involved, each with retransmissions, resulting in a high pps rate that can bring down the host and other network infrastructure.

DDoS protection tip: To protect against UDP and TCP attacks, we recommend using Azure DDoS Protection. For gaming customers, consider using A10 virtual appliances and Azure Gateway Load Balancers to help with volume-based attacks.

Figure 3. Attack duration (bar graph): durations throughout 2022, ranging from 1-2 minutes to over 10 hours

Shorter-duration attacks were more commonly observed this past year, with 89% of attacks lasting less than one hour. Attacks spanning one to two minutes made up 26% of the attacks seen this year. This is not a new trend, as shorter attacks require fewer resources and are more challenging for legacy DDoS defenses to mitigate. Attackers often use multiple short attacks over the span of multiple hours to make the most impact while using the fewest resources.

Short attacks take advantage of the time it takes systems to detect the attack and for mitigation to kick in. While time to mitigation may only take one or two minutes, the information from those short attacks can make it into the backend of services, impacting legitimate usage. If a short attack can cause a reboot of the systems, this can then trigger multiple internal attacks as every legitimate user tries to reconnect at the same time.

DDoS protection tip: Use Azure Web Application Firewall to protect web applications.

US, India, and East Asia top regions targeted by attacks

Figure 4. Attack destinations (sunburst chart): US 45%, India 13%, East Asia 11%, Europe 10%, with the remainder including Korea, South East Asia, the UK, Australia, Brazil, and Canada

As with previous years, most attacks were launched against US-based resources, with India, East Asia, and Europe making up a large portion of remaining attacks. The rising adoption of smartphones and popularity of online gaming in Asia will likely contribute to increased exposure to DDoS attacks. This also applies to countries accelerating digital transformation and cloud adoption.

DDoS Protection Tip: Frequent and regular DDoS simulation testing done by any of our testing partners helps ensure consistent protection for services.

Hacktivism is back

We saw politically motivated DDoS attacks ramping up on a large scale in 2022. Notably, a hacking group named Killnet targeted western government, healthcare, education, and financial firms. Killnet has been a vocal supporter of Russia’s war in Ukraine, using DDoS attacks as its primary weapon to create chaos in western countries. The Cybersecurity & Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC) published a guide to help governments and organizations respond effectively to DDoS attacks, especially those launched by hacker groups like Killnet.

IoT devices increasingly used to launch DDoS attacks

In 2022, Internet of Things (IoT) devices were consistently used in DDoS attacks, which expanded into use in cyber warfare, such as in Ukraine. A growing number of attacks repurposed existing malware or leveraged the modular nature of botnets to carry out these attacks. Threat actors have also turned to a growing criminal black market to purchase malware and solutions to grow their malicious toolkit.

Well-known botnets, such as Mirai, have also been observed in use by nation-state threat actors and growing criminal enterprises. The persistence of malware like Mirai from year to year has highlighted its adaptability and its potential to infect a wide range of IoT devices and compromise new attack vectors. While Mirai is still a major player in the field of botnets, the threat landscape in the field of IoT malware is evolving, with new botnets emerging such as Zerobot and MCCrash.

What’s ahead for 2023?

In 2023, cybercrime will likely continue to rise as new threats and attack techniques emerge. We increasingly see DDoS attacks being used as distractions to hide more sophisticated attacks happening at the same time, such as extortion and data theft. New IoT DDoS botnets will emerge, and attacks from them will continue to be prevalent and cause significant disruption. We are also observing a rise in DDoS attacks from account takeovers, where malicious actors gain unauthorized access to resources to launch DDoS attacks. As geopolitical tensions continue to emerge globally, we will likely continue to see DDoS being used as a primary tool for cyberattacks by hacktivists.

With DDoS attacks becoming more frequent, sophisticated, and inexpensive to launch, it’s important for organizations of all sizes to be proactive, stay protected all year round, and develop a DDoS response strategy.

Cloud-native DDoS protection at any scale

Azure provides comprehensive solutions to protect your valuable data and resources from the most sophisticated DDoS attacks at any scale. Azure DDoS Protection provides always-on traffic monitoring to automatically mitigate an attack when detected, adaptive real time tuning that compares your actual traffic against predefined thresholds, and full visibility on DDoS attacks with real-time telemetry, monitoring, and alerts. Customers using Azure DDoS Protection have access to the DDoS Rapid Response support (DRR) team to engage experts for help during an active attack. Protection is simple to enable and designed to meet the needs of all organizations, including a cost-effective SKU for small and medium businesses (SMBs).

For more insights on the latest threat intelligence, visit Security Insider.

2022 holiday DDoS protection guide
http://approjects.co.za/?big=en-us/security/blog/2022/11/15/2022-holiday-ddos-protection-guide/
Tue, 15 Nov 2022 18:00:00 +0000

The holiday season is an exciting time for many people as they get to relax, connect with friends and family, and celebrate traditions. Organizations also have much to rejoice about during the holidays (for example, more sales for retailers and more players for gaming companies). Unfortunately, cyber attackers also look forward to this time of year to celebrate an emerging holiday tradition—distributed denial-of-service (DDoS) attacks.

While DDoS attacks happen all year round, the holidays are one of the most popular times and where some of the most high-profile attacks occur. Last October in India, there was a 30-fold increase in DDoS attacks targeting services frequently used during the festive season, including media streaming, internet phone services, and online gaming [1]. Last October through December, Microsoft mitigated several large-scale DDoS attacks, including one of the largest attacks in history from approximately 10,000 sources spanning multiple countries [2].

Figure 1. Number of DDoS attacks and duration distribution, March 2021 to May 2022 (bar chart) [3]

While retail and gaming companies are the most targeted during the holidays, organizations of all sizes and types are vulnerable to DDoS attacks. It’s easier than ever to conduct an attack. For only $500, anyone can pay for a DDoS subscription service to launch a DDoS attack. Every year, DDoS attacks are also becoming harder to protect against as new attack vectors emerge and cybercriminals leverage more advanced techniques, such as AI-based attacks.

With the holidays coming up, we’ve prepared this guide to provide you with an overview of DDoS attacks, trends we are seeing, and tips to help you protect against DDoS attacks.

What is a DDoS attack and how does it work?

A DDoS attack targets websites and servers by disrupting network services and attempting to overwhelm an application’s resources. Attackers flood a site or server with large amounts of traffic, resulting in poor website functionality or knocking it offline altogether. DDoS attacks are carried out by individual devices (bots) or a network of devices (a botnet) that have been infected with malware and are used to flood websites or services with high volumes of traffic. DDoS attacks can last a few hours, or even days.

What are the motives for DDoS attacks?

There is a wide range of motives behind DDoS attacks, including financial gain, competitive advantage, and politics. Attackers will hold a site’s functionality hostage, demanding payment to stop the attacks and get sites and servers back online. We’re seeing a rise in cybercriminals combining DDoS attacks with other extortion attacks like ransomware (known as triple extortion ransomware) to exert more pressure and command higher payouts. Politically motivated attacks, also known as “hacktivism”, are becoming more commonly used to disrupt political processes. At the start of the war in Ukraine earlier in 2022, the Ukrainian government reported the worst DDoS attack in its history as attackers aimed to take down bank and government websites [4]. Also, cybercriminals will often use DDoS attacks as a distraction for more sophisticated targeted attacks, including malware insertion and data exfiltration.

Why are DDoS attacks so common during the holidays?

Organizations typically have reduced resources dedicated to monitoring their networks and applications—providing easier opportunities for threat actors to execute an attack. Traffic volume is at an all-time high, especially for e-commerce websites and gaming providers, making it harder for IT staff to distinguish between legitimate and illegitimate traffic. For attackers seeking financial gain, the opportunity for more lucrative payouts can be higher during the holidays as revenues are at the highest and service uptime is critical. Organizations are more willing to pay to stop an attack to minimize loss of sales, customer dissatisfaction, or damage to their reputation.

Why protect yourself from DDoS attacks?

Any website or server downtime during the peak holiday season can result in lost sales and customers, high recovery costs, or damage to your reputation. The impact is even more significant for smaller organizations as it is harder for them to recover from an attack. Beyond the holidays when traffic is traditionally the highest, ongoing protection is also important. In 2021, the day with the most recorded attacks was August 10, indicating that there could be a shift toward year-round attacks [2].

Tips for protecting and responding against DDoS attacks

  1. Don’t wait until after an attack to protect yourself. While you cannot completely avoid being a target of a DDoS attack, proactive planning and preparation can help you more effectively defend against an attack.
    • Identify the applications within your organization that are exposed to the public internet and evaluate potential risks and vulnerabilities.
    • It’s important that you understand the normal behavior of your application so that you’re prepared to act if the application is not behaving as expected. Azure provides monitoring services and best practices to help you gain insights on the health of your application and diagnose issues.
    • We recommend running attack simulations to test how your services will respond to an attack. You can simulate a DDoS attack on your Azure environment with services from our testing partners—BreakingPoint Cloud and RedButton.
  2. Make sure you’re protected. With DDoS attacks at an all-time high during the holidays, you need a DDoS protection service with advanced mitigation capabilities that can handle attacks at any scale.
    • We recommend enabling Azure DDoS Protection, which provides always-on traffic monitoring to automatically mitigate an attack when detected, adaptive real time tuning that compares your actual traffic against predefined thresholds, and full visibility on DDoS attacks with real-time telemetry, monitoring, and alerts.
    • Azure DDoS Protection should be enabled for virtual networks with applications exposed over the public internet. Resources in a virtual network that require protection against DDoS attacks include Azure Application Gateway, Azure Load Balancer, Azure Virtual Machines, and Azure Firewall.
    • For comprehensive protection against different types of DDoS attacks, set up a multi-layered defense by deploying Azure DDoS Protection with Azure Web Application Firewall (WAF). Azure DDoS Protection protects the network layer (Layer 3 and 4), and Azure WAF protects the application layer (Layer 7). You receive a discount on Azure WAF when deploying DDoS Network Protection along with Azure WAF, helping to reduce costs.
    • Azure DDoS Protection identifies and mitigates DDoS attacks without any user intervention. To get notified when there’s an active mitigation for a protected public IP resource, you can configure alerts.
  3. Create a DDoS response strategy. Having a response strategy is critical to help you identify, mitigate, and quickly recover from DDoS attacks. A key part of the strategy is a DDoS response team with clearly defined roles and responsibilities. This DDoS response team should understand how to identify, mitigate, and monitor an attack and be able to coordinate with internal stakeholders and customers. We recommend using simulation testing to identify any gaps in your response strategy.
  4. Reach out for help during an attack. If you think you are experiencing an attack, you should reach out to the appropriate technical professionals for help. Azure DDoS Protection customers have access to the DDoS Rapid Response (DRR) team, who can help with attack investigation during an attack as well as post-attack analysis. Check out this guide for more details on when and how to engage with the DRR team during an active attack.
  5. Learn and adapt after an attack. While you’ll likely want to move on as quickly as possible if you’ve experienced an attack, it’s important to continue to monitor your resources and conduct a retrospective after an attack. You should apply any learnings to improve your DDoS response strategy.

Azure offers cloud native, Zero Trust based network security solutions to protect your valuable resources from evolving threats. Azure DDoS Protection provides advanced, cloud-scale protection to defend against the largest and most sophisticated DDoS attacks.

Don’t let DDoS attacks ruin your holidays! Prepare for the upcoming holiday season with this guide and make sure Azure DDoS Protection is at the top of your holiday shopping list.

References

[1] Thirty-fold increase in DDoS cyber attacks in India in festive season, CIO News, ET CIO (indiatimes.com)

[2] Azure DDoS Protection—2021 Q3 and Q4 DDoS attack trends

[3] Microsoft Digital Defense Report 2022

[4] Ukraine says it suffered worst DDoS Attack in Standoff

Additional resources

Azure DDoS Protection reference architectures

Components of a DDoS response strategy

Azure DDoS Protection fundamental best practices

Azure network security resources

Anatomy of a DDoS amplification attack
http://approjects.co.za/?big=en-us/security/blog/2022/05/23/anatomy-of-ddos-amplification-attacks/
Mon, 23 May 2022 18:00:00 +0000

Amplification attacks are one of the most common distributed denial of service (DDoS) attack vectors. They are typically categorized as flooding or volumetric attacks: the attacker generates more traffic than the target can process, exhausting its resources through sheer volume.

In this blog, we start by surveying the anatomy and landscape of amplification attacks, with statistics from Azure on the most common attack vectors, volumes, and distribution. We then describe some of the countermeasures Azure takes to mitigate amplification attacks.

DDoS amplification attacks, what are they? 

Reflection attacks involve three parties: an attacker, a reflector, and a target. The attacker sends a request to a reflector (for example, an open server or a middlebox) with the source IP address spoofed to that of the target, so the reflector delivers its response to the target, a virtual machine (VM) in this case. For the attack to be amplified, the response must be larger than the request, resulting in a reflected amplification attack. The attacker's goal is to create the largest reflection out of the smallest requests, which they achieve by finding many reflectors and crafting the requests that yield the highest amplification.

The diagram illustrates how the attacker pushes a reflection attack to a target virtual machine that is hosted in Azure.
Figure 1. Reflected amplification attack

The root cause of reflected amplification attacks is that an attacker can force reflectors to respond to targets by spoofing the source IP address. If spoofing were not possible, this attack vector would be mitigated. Much effort has therefore gone into preventing IP source address spoofing, and many organizations now filter spoofed packets so that attackers cannot use their networks for amplification attacks. Unfortunately, a significant number of organizations still allow source spoofing: the Spoofer project [1] shows that a third of IPv4 autonomous systems allow or partially allow spoofing.
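The anti-spoofing filtering the paragraph refers to is usually one of two checks at a network edge: BCP38 prefix filtering (a stub network may only emit packets sourced from its own allocation) and unicast reverse path forwarding (uRPF), where a router accepts a packet only if its source is routable (loose mode) or routable back through the interface it arrived on (strict mode). The following is an added example, not code from the Azure post, that implements both checks over a tiny routing table; the interface names, routes and packets are constructed from RFC 5737 documentation ranges. It also shows why loose uRPF alone does not stop reflection: a spoofed victim address that is routable via the upstream passes the loose check.

```python
"""Anti-spoofing checks at a network edge: BCP38 prefix filtering and unicast RPF.

Added example, not code from the Azure post. Interface names, routes and packets
are constructed for illustration using RFC 5737 documentation ranges.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    iface: str  # interface the prefix is reached through


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    ingress: str  # interface the packet arrived on


class Router:
    """Minimal FIB with longest-prefix match plus strict and loose uRPF checks."""

    def __init__(self, routes: Iterable[Route]):
        # Most-specific first, so the first containing prefix is the longest match.
        self.routes = sorted(routes, key=lambda r: r.prefix.prefixlen, reverse=True)

    def lookup(self, addr: IPv4Address) -> Optional[Route]:
        for r in self.routes:
            if addr in r.prefix:
                return r
        return None

    def urpf_strict(self, pkt: Packet) -> bool:
        """Strict mode: the best route back to the source must leave via the ingress
        interface. A default route (/0) is not accepted as proof of reachability."""
        r = self.lookup(pkt.src)
        return r is not None and r.prefix.prefixlen > 0 and r.iface == pkt.ingress

    def urpf_loose(self, pkt: Packet) -> bool:
        """Loose mode: the source only has to be routable somewhere. Catches bogons,
        but not a spoofed source that is legitimately routable via another interface."""
        r = self.lookup(pkt.src)
        return r is not None and r.prefix.prefixlen > 0


def bcp38_ok(pkt: Packet, allocated: Iterable[IPv4Network]) -> bool:
    """Customer-edge filter (BCP38): packets leaving a stub network must carry a
    source address from that network's own allocation."""
    return any(pkt.src in p for p in allocated)


def evaluate() -> Dict[str, Tuple[bool, bool, bool]]:
    """Run the three checks over constructed packets arriving on a customer port.
    Returns {name: (strict_urpf, loose_urpf, bcp38)}."""
    customer = ip_network("203.0.113.0/24")  # constructed customer allocation
    router = Router([
        Route(customer, "cust0"),                      # customer behind port cust0
        Route(ip_network("198.51.100.0/24"), "up0"),   # a remote network via the upstream
        Route(ip_network("0.0.0.0/0"), "up0"),         # default route to the upstream
    ])
    packets = {
        # legitimate: customer host talking to a remote server
        "legit": Packet(ip_address("203.0.113.10"), ip_address("198.51.100.7"), "cust0"),
        # spoofed: source set to the intended victim, destination is an open reflector
        "spoofed_victim": Packet(ip_address("198.51.100.7"), ip_address("192.0.2.53"), "cust0"),
        # spoofed with an unroutable (RFC 1918) source
        "bogon": Packet(ip_address("10.0.0.5"), ip_address("192.0.2.53"), "cust0"),
    }
    return {
        name: (router.urpf_strict(p), router.urpf_loose(p), bcp38_ok(p, [customer]))
        for name, p in packets.items()
    }


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:15s} strict={verdict[0]} loose={verdict[1]} bcp38={verdict[2]}")
```

Strict uRPF and BCP38 both drop the packet that carries the victim's address, while loose uRPF lets it through because 198.51.100.0/24 is a perfectly good route; loose mode only catches the bogon. That is why loose mode, which is what many transit networks can afford on multihomed links, does not by itself close the reflection vector.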

UDP and TCP amplification attacks 

Most attackers use UDP to launch amplification attacks: UDP has no handshake, so a reflector answers whatever source address a request carries, and a request with a spoofed source is indistinguishable from a legitimate one.

While UDP makes it easy to launch reflected amplification attacks, TCP's 3-way handshake complicates spoofing, restricting IP source address spoofing to the start of the handshake. Although the handshake allows reflection, it does not allow easy amplification, since the TCP SYN+ACK response is not larger than the TCP SYN. Moreover, because the SYN+ACK is sent to the target, the attacker never receives it and cannot learn the sequence number it carries, which is needed to complete the 3-way handshake and continue making requests on behalf of the target.

The diagram illustrates how an attacker conducts a reflection attack in TCP. The attacker sends a spoofed SYN; the reflector replies with a SYN+ACK and then retransmits it, so the target virtual machine receives out-of-state SYN+ACK packets.
Figure 2. Reflection attack in TCP 

In recent years, however, reflection and amplification attacks based on TCP have started emerging.  

Independent research [2] found newer TCP reflected amplification vectors that use middleboxes, such as nation-state censorship firewalls and other deep packet inspection devices, to launch volumetric floods. Middleboxes may be deployed in asymmetric routing environments where they see only one side of the TCP connection (for example, packets from clients to servers). To cope with this asymmetry, such middleboxes often implement a non-compliant TCP stack that acts on payload without having seen a completed handshake. Attackers take advantage of this misbehavior: they do not need to complete the 3-way handshake, and can send a sequence of packets that elicits amplified responses (such as block pages) from the middlebox, in some cases reaching effectively infinite amplification. The industry has started witnessing these kinds of attacks from censorship and enterprise middleboxes, such as firewalls and IDPS devices, and we expect this trend to grow as attackers look for more ways to create havoc using DDoS as a primary weapon.

Carpet bombing is another form of reflected amplification attack. It usually uses UDP reflection and, in recent years, TCP reflection as well. Instead of focusing the attack on one or a few destinations, the attacker spreads it across many destinations within a subnet or classless inter-domain routing (CIDR) block (for example, a /22). This makes the attack harder to detect and mitigate: the traffic to any single destination can stay below the per-IP baselines that prevalent detection mechanisms rely on, even though the aggregate overwhelms the prefix.

This diagram shows how an attacker uses reflectors to send spoofed packets to many target devices within a specific subnet hosted in Azure.
Figure 3. Carpet bombing attack 

One example of TCP carpet bombing is TCP SYN+ACK reflection, in which the attacker sends spoofed SYNs to a wide range of random or pre-selected reflectors. Here the amplification comes from reflectors retransmitting the SYN+ACK when they get no response: a single SYN+ACK is no larger than the SYN, so the factor depends on how many retransmissions each reflector sends. In Figure 3, the reflected traffic toward any one target virtual machine (VM) may not be enough to bring it down, but collectively the traffic may well overwhelm the targets' network.
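The point about baselines in the carpet bombing paragraphs above is easy to see in code. The following added example, not code from the Azure post, classifies inbound UDP flows as reflection vectors by their source port (the well-known reflector service ports named later in this post) and then aggregates the reflected packet rate both per destination host and per destination /22. The flow records are constructed NetFlow-style 5-tuples with packet counts; the 20,000 pps per-host and 100,000 pps per-prefix thresholds and the /22 aggregation size are assumptions. A focused Memcached flood trips the per-host baseline, while 64 hosts each receiving a modest 3,000 pps of NTP and SSDP trip only the prefix aggregate: that combination, a prefix alert with no host alert, is the carpet bombing signature.

```python
"""Classify inbound UDP reflection vectors and spot carpet bombing by aggregating per prefix.

Added example, not code from the Azure post. Flow records are constructed
(NetFlow-style 5-tuples with packet counts); thresholds and prefix size are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Well-known reflector service ports, seen as the *source* port of reflected responses.
REFLECTION_PORTS = {123: "NTP", 53: "DNS", 1900: "SSDP", 11211: "Memcached", 19: "CharGEN"}


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    packets: int
    seconds: int  # duration covered by the flow record


def reflection_vector(f: Flow) -> Optional[str]:
    """A reflected response is UDP from a reflector service port to a high port on the
    target. Volume, not the port alone, separates it from a genuine reply."""
    if f.proto != "UDP" or f.dport < 1024:
        return None
    return REFLECTION_PORTS.get(f.sport)


def aggregate(flows: Iterable[Flow], prefix_len: int = 22):
    """Sum reflected pps per destination host and per destination /prefix_len."""
    per_host: Dict[str, float] = defaultdict(float)
    per_prefix: Dict[str, float] = defaultdict(float)
    per_prefix_vec: Dict[str, Dict[str, float]] = defaultdict(lambda: defaultdict(float))
    for f in flows:
        vec = reflection_vector(f)
        if vec is None:
            continue
        pps = f.packets / f.seconds
        net = str(ip_network(f"{f.dst}/{prefix_len}", strict=False))
        per_host[f.dst] += pps
        per_prefix[net] += pps
        per_prefix_vec[net][vec] += pps
    return per_host, per_prefix, per_prefix_vec


def detect(flows: Iterable[Flow], host_pps: float = 20_000.0,
           prefix_pps: float = 100_000.0) -> Tuple[Set[str], Dict[str, dict]]:
    """Returns (hosts over their per-IP baseline, prefixes over the aggregate baseline).
    A prefix alert whose members all stayed under the host baseline is carpet bombing."""
    per_host, per_prefix, per_prefix_vec = aggregate(flows)
    hosts_hit: Set[str] = {h for h, p in per_host.items() if p > host_pps}
    prefixes: Dict[str, dict] = {}
    for net, p in per_prefix.items():
        if p <= prefix_pps:
            continue
        members = [h for h in per_host if ip_address(h) in ip_network(net)]
        prefixes[net] = {
            "pps": p,
            "targets": len(members),
            "vectors": dict(per_prefix_vec[net]),
            "carpet_bombing": not any(h in hosts_hit for h in members),
        }
    return hosts_hit, prefixes


def sample_flows() -> List[Flow]:
    """Constructed traffic: 64 hosts in 203.0.112.0/22 each receiving 3,000 pps of NTP and
    SSDP reflections, one host elsewhere taking a focused Memcached flood, and benign
    noise (a real DNS reply, QUIC, NTP peering on port 123) that must not trip anything."""
    flows: List[Flow] = []
    for i in range(64):
        target = f"203.0.112.{i}"
        flows.append(Flow(f"192.0.2.{i}", 123, target, 40000 + i, "UDP", 120_000, 60))        # 2,000 pps NTP
        flows.append(Flow(f"192.0.2.{100 + i}", 1900, target, 50000 + i, "UDP", 60_000, 60))  # 1,000 pps SSDP
    flows.append(Flow("192.0.2.250", 11211, "198.51.100.7", 33333, "UDP", 600_000, 10))  # 60,000 pps, one host
    flows.append(Flow("192.0.2.251", 53, "203.0.116.9", 41234, "UDP", 10, 60))           # genuine DNS reply
    flows.append(Flow("192.0.2.252", 443, "203.0.112.3", 42000, "UDP", 50_000, 60))      # QUIC, not a vector
    flows.append(Flow("192.0.2.253", 123, "203.0.112.3", 123, "UDP", 50_000, 60))        # NTP peering, low dport
    return flows


def run_demo() -> Tuple[Set[str], Dict[str, dict]]:
    return detect(sample_flows())


if __name__ == "__main__":
    hosts, prefixes = run_demo()
    print("hosts over baseline:", sorted(hosts))
    for net, info in prefixes.items():
        print(net, info)
```

Real flow exporters sample packets, so the per-flow rates would be scaled by the sampling ratio before comparison; the prefix size to aggregate on should match the blocks you actually announce, since that is what an attacker picks from a routing table.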

UDP and TCP amplification attacks in Azure 

In Azure, we continuously work to mitigate inbound (from the internet to Azure) and outbound (from Azure to the internet) amplification attacks. In the last 12 months, we mitigated approximately 175,000 UDP reflected amplification attacks. We monitored more than 10 attack vectors; the most common were NTP with 49,700 attacks, DNS with 42,600, SSDP with 27,100, and Memcached with 18,200. These protocols can yield amplification factors of up to x4,670, x98, x76, and x9,000 respectively.

This pie chart shows the distribution of UDP reflected amplification attacks observed in Azure from April 1, 2021, to March 31, 2022. The largest share is NTP at 28%, and the smallest is OpenVPN at 2%.
Figure 4. UDP reflected amplification attacks observed from April 1, 2021, to March 31, 2022

We measured the maximum attack throughput in packets per second for a single attack across all attack vectors. The highest throughput was a 58 million packets per second (pps) SSDP flood in August last year, in a short attack campaign that lasted 20 minutes on a single resource in Azure. 

This bar chart shows the packets per second flooding observed from April 1, 2021, to March 31, 2022 in Azure. The tallest bar represents the maximum observed throughput of 58 million packets per second SSDP flooding, while the shortest bar represents below 10M packets per second CharGEN flooding.
Figure 5. Maximum pps recorded for a single attack observed from April 1, 2021, to March 31, 2022 

TCP reflected amplification attacks are becoming more prevalent, with new attack vectors discovered. We encounter these attacks on Azure resources utilizing diverse types of reflectors and attack vectors. 

One such example is a TCP SYN+ACK reflected amplification attack on an Azure resource in Asia. The attack reached 30 million pps and lasted 15 minutes. Its bit rate was not high, but approximately 900 reflectors were involved, each retransmitting its SYN+ACK, which produced a packet rate high enough to bring down the host and other network infrastructure elements.

This line chart shows the TCP SYN+ACK amplification attack volume on a single resource as seen on Azure. The line chart shows a spike reaching 30 million packets per second with a 15 minute duration. The 15-minute window illustrates the packets per second volume going down in the middle of the 15-minute window, and tapers off abruptly at the end of the 15-minute window.
Figure 6. TCP SYN+ACK amplification attack volume on an Azure resource in Asia

We see many TCP SYN+ACK retransmissions from reflectors that never receive an ACK, because the spoofed source never sent the SYN. Here is an example of such a retransmission:

This screenshot shows a TCP SYN+ACK retransmission that doesn't get the ACK response. The screenshot highlights the information from source to destination and through which protocol it passes.

The retransmitted packet was sent 60 seconds after the first. 

Mitigating amplification attacks in Azure 

Reflected amplification attacks are here to stay and pose a serious challenge for the internet community. They continue to evolve, exploiting new vulnerabilities in protocols and software implementations to bypass conventional countermeasures. Minimizing their effect requires collaboration across the industry: it is not enough to mitigate such attacks at a single location with a pinpoint mitigation strategy; network and DDoS mitigation capabilities have to be intertwined.

Azure's network is one of the largest on the globe. We combine multiple DDoS strategies across our network and our DDoS mitigation pipeline to combat reflected amplification DDoS attacks.

On the network side, we continuously optimize and implement traffic monitoring, traffic engineering, and quality of service (QoS) techniques to block reflected amplification attacks right at the routing infrastructure. We implement these mechanisms at the edge and core of our wide area network (WAN) as well as within the data centers. For inbound traffic (from the internet), this lets us mitigate attacks at the edge of our network. Similarly, outbound attacks (those that originate from within our network) are blocked at the data center, before they exhaust our WAN or leave our network.

On top of that, our dedicated DDoS mitigation pipeline continuously evolves to offer advanced mitigation techniques against such attacks. This mitigation pipeline offers another layer of protection, on top of our DDoS networking strategies. Together, these two protection layers provide comprehensive coverage against the largest and most sophisticated reflected amplification attacks.  

Since reflected amplification attacks are typically volumetric, advanced mitigation strategies alone are not enough; the mitigation pipeline must also be highly scalable to cope with the largest attacks. Our mitigation pipeline can mitigate more than 60 Tbps globally, and we continue to add mitigation capacity across all network layers.

Different attack vectors require different treatment 

UDP-based reflected amplification attacks are tracked, monitored, detected, and mitigated for all attack vectors. Mitigation techniques include anomaly detection across attacked IP addresses and L4 protocols, and tracking of spoofed source IPs. Because the large responses in UDP reflected amplification attacks often arrive as IP fragments, we also monitor fragments in order to mitigate these attacks successfully.

TCP-based reflected amplification attacks exploit poor TCP stack implementations and a large set of reflectors and targets. We adapt our mitigation strategies to detect and block attacks from both attackers and reflectors, employing a set of mitigations for TCP SYN, TCP SYN+ACK, TCP ACK, and other TCP-based attacks. Mitigation combines TCP authentication mechanisms that identify spoofed packets with anomaly detection that blocks attack traffic when data is appended to TCP packets to trigger amplification from reflectors.
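One concrete building block for the SYN+ACK case described in this post is out-of-state filtering in front of the protected host: an inbound SYN+ACK is only legitimate if that host recently sent the matching SYN, so anything else is reflected traffic and can be dropped and attributed to the reflector that sent it. The following is an added example, not code from the Azure post or a description of Azure's own mechanism, that implements such a filter over a constructed segment trace. The 75-second state window is an assumption chosen to cover a reflector's SYN+ACK retransmissions (a Linux reflector with the default of five SYN+ACK retransmissions keeps retrying for about 63 seconds), so that a genuine retransmission caused by our lost ACK is still admitted.

```python
"""Out-of-state SYN+ACK filtering in front of a protected host.

Added example, not code from the Azure post. The segment trace is constructed; the
75-second window is an assumption sized to cover a reflector's SYN+ACK retransmissions.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SYN = 0x02
ACK = 0x10


@dataclass(frozen=True)
class Seg:
    t: float        # seconds since trace start
    direction: str  # "out" = sent by the protected host, "in" = received by it
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


class SynAckFilter:
    """Admit an inbound SYN+ACK only if the protected host recently sent the matching SYN."""

    def __init__(self, window: float = 75.0):
        self.window = window
        # (local addr, local port, remote addr, remote port) -> expiry time
        self.pending: Dict[Tuple[str, int, str, int], float] = {}
        self.allowed = 0
        self.dropped = 0
        self.dropped_by_src: Counter = Counter()

    def observe(self, s: Seg) -> bool:
        """Returns True if the segment is passed on, False if it is dropped."""
        if s.direction == "out":
            if s.flags & SYN and not s.flags & ACK:
                # Our own connection attempt: remember it for `window` seconds so that a
                # legitimate SYN+ACK retransmission (our ACK was lost) is still admitted.
                self.pending[(s.src, s.sport, s.dst, s.dport)] = s.t + self.window
            return True
        if (s.flags & (SYN | ACK)) == (SYN | ACK):
            key = (s.dst, s.dport, s.src, s.sport)  # reverse of the outbound 4-tuple
            expiry = self.pending.get(key)
            if expiry is not None and s.t <= expiry:
                self.allowed += 1
                return True
            # No matching SYN from us: reflected traffic, attributed to the reflector.
            self.dropped += 1
            self.dropped_by_src[s.src] += 1
            return False
        return True  # other inbound segments are left to the host's TCP stack

    def top_reflectors(self, n: int = 3) -> List[Tuple[str, int]]:
        return self.dropped_by_src.most_common(n)


def sample_trace() -> List[Seg]:
    """Constructed trace: one real connection (with a retransmitted SYN+ACK), three
    reflectors each sending a SYN+ACK plus five backoff retransmissions, and one stale
    SYN+ACK for the real connection that arrives after the window has expired."""
    host = "203.0.113.10"
    trace = [
        Seg(0.00, "out", host, 40001, "198.51.100.20", 443, SYN),
        Seg(0.05, "in", "198.51.100.20", 443, host, 40001, SYN | ACK),
        Seg(1.05, "in", "198.51.100.20", 443, host, 40001, SYN | ACK),  # retransmit: our ACK was lost
    ]
    backoff = [0, 1, 3, 7, 15, 31]  # cumulative seconds of a 1, 2, 4, 8, 16 s exponential backoff
    for r in range(3):
        reflector = f"192.0.2.{r + 1}"
        for offset in backoff:
            trace.append(Seg(2.0 + offset, "in", reflector, 80, host, 50000 + r, SYN | ACK))
    trace.append(Seg(100.0, "in", "198.51.100.20", 443, host, 40001, SYN | ACK))  # past the window
    return sorted(trace, key=lambda s: s.t)


def run_demo(trace: Optional[List[Seg]] = None) -> SynAckFilter:
    f = SynAckFilter()
    for s in trace if trace is not None else sample_trace():
        f.observe(s)
    return f


if __name__ == "__main__":
    f = run_demo()
    print(f"allowed={f.allowed} dropped={f.dropped} top reflectors={f.top_reflectors()}")
```

The per-reflector counters are what you would feed into the "block attacks from reflectors" step: a source that keeps sending SYN+ACKs you never solicited can be rate-limited at the edge for the length of its retransmission schedule rather than filtered packet by packet. In production the pending table needs eviction on expiry and a size bound, since an attacker who can make the protected host open connections could otherwise grow it.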

The diagram shows how Azure uses mechanisms to stop amplification attacks as soon as a packet leaves a reflector or an attacker. Azure stops spoofed attacks in the following areas: 1. Attacks coming from an attacker-controlled reflector, or directly from an attacker, located outside the Azure-protected space, with the attack going to a target virtual machine or a reflector located inside Azure; 2. Attacks coming from an attacker located within the Azure-protected space, with the attack going to a reflector outside Azure, or going through a reflector to target another virtual machine.
Figure 7. Amplification attack detection 

Get started with Azure DDoS Protection to protect against amplification attacks 

Azure's DDoS mitigation platform has mitigated the largest DDoS attacks on record, using a globally distributed protection platform that scales beyond 60 Tbps. We ensure our platform and customers' workloads are always protected against DDoS attacks. To improve our DDoS posture, we continuously collaborate with other industry players to fight reflected amplification attacks.

All Azure customers are protected against Layer 3 and Layer 4 DDoS attacks as part of protecting our infrastructure and cloud platform. On top of that baseline, Azure DDoS Protection Standard auto-tunes the detection policy to the specific traffic patterns of the protected application, so that when traffic patterns change, for example during a flash crowd event, the DDoS policy is updated automatically for optimal protection. When a reflected amplification attack is launched against a protected application, our detection pipeline detects it automatically based on the auto-tuned policy, and the mitigation policy, which is set automatically without customers having to configure or change it, includes the countermeasures needed to block reflected amplification attacks.

Protection is simple to enable on any new or existing virtual network and does not require application or resource changes. Our recently released Azure built-in policies make it easier to manage network security compliance, onboard all your virtual network resources, and configure logging.

To strengthen the security posture of applications, Azure's network security services work in tandem to secure your workloads, with DDoS protection being one of the tools we provide. Organizations pursuing a Zero Trust architecture can benefit from these services for better protection.

Learn more about Azure DDoS Protection Standard 

Amir Dahan and Syed Pasha
Azure Networking Team

References

1. The Spoofer project

2. Weaponizing Middleboxes for TCP Reflected Amplification

The post Anatomy of a DDoS amplification attack appeared first on Microsoft Security Blog.
