DDoS Attacks
Distributed Denial of Service (DDoS) attacks against the Web sites of State, Local, Territorial, and Tribal Governments (SLTTGs) can have a negative impact on public perception, disrupt daily business operations, and could potentially impact the monitoring and operation of critical infrastructure systems. In light of open source reporting of recent DDoS attacks targeting SLTTGs, the FBI suggests government entities review their reliance on easily identified Internet connections for critical operations, particularly those shared with public facing Web servers.
The FBI assesses that the majority of recent DDoS attacks on SLTTGs have been directed towards the victim’s Web servers. Attackers likely target Web sites because they are public facing and success is easier to verify than when degrading other services, such as e-mail. Successful DDoS attacks can be easily verified by visiting the targeted Web site with a Web browser. Attacks on services that cache Internet traffic, including e-mail and name servers, are less likely to have an immediate impact on user experience because caching traffic reduces the load on the afflicted servers and allows for delayed delivery, facilitating recovery from short DDoS attacks.
Recent victims observed different types of DDoS attacks, including the use of Network Time Protocol (NTP), Simple Service Discovery Protocol (SSDP), and Domain Name System (DNS) amplification attacks, which generated network traffic ranging from 5 Gbps to 13 Gbps. Other victims observed DDoS attacks using TCP SYN flood attacks over ports 22, 25, and 80 and User Datagram Protocol (UDP) Flood attacks.
Amplification attacks involve the attacker sending small requests to a set of servers running the targeted service (NTP, SSDP, or DNS) using a spoofed source IP address that matches the real destination IP address of the intended victim. Affected NTP, SSDP, or DNS servers can send responses much larger than the request, which are sent to the spoofed IP address of the victim. As a result, the victim would receive a large volume of data, potentially saturating their Internet resources and reducing legitimate network access.
TCP SYN flood and User Datagram Protocol (UDP) flood attacks involve using one or more computers to send large volumes of traffic directly to the victim system. Source IP addresses are sometimes spoofed. Unlike previously mentioned attacks, UDP floods do not benefit from volume amplification.
The FBI suggests that SLTTGs consider the impact a network outage will have on critical services before an event takes place. No single mitigation strategy is appropriate for every situation, but one or more of the following suggestions could protect critical infrastructure systems from the DDoS attacks currently being seen against SLTTGs.
- Move public facing Web servers to Internet uplinks on networks that are separated (air-gapped) from critical infrastructure systems and those necessary for day-to-day operations.
- Make use of DDoS mitigation services or content delivery networks to serve Web content. Solutions that specialize in protecting Web content may be more cost effective and, given the limited types of traffic that should be allowed, might be able to more aggressively drop malicious traffic.
- Establish points of contact with your Internet Service Providers (ISP) in the event that you need them to perform traffic filtering. Defense against many attack types is most effective when the filtering is performed before the traffic reaches your network.
- Establish a baseline of normal activity on your internal network to determine anomalous ingress and egress traffic in the event of an attack. This may be automated by an Intrusion Detection System (IDS) with built-in protocol analysis capabilities.
- Distribute key network services across different sets of critical hardware, especially edge routers and firewalls that provide a last line of defense against malicious external traffic. While potentially cost-prohibitive, hosting key services across more than one edge router and firewall may significantly limit the impact of a DDoS attack.
- For DDoS attacks conducted over non-critical services (especially SSDP and NTP), blocking the relevant ports may provide temporary mitigation. For example, blocking UDP port 1900 may help mitigate SSDP DDoS attacks and blocking UDP port 123 may help mitigate NTP DDoS attacks.
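The bulletin describes three traffic patterns (reflected amplification from NTP, SSDP and DNS; TCP SYN floods against ports 22, 25 and 80; plain UDP floods) and recommends establishing a traffic baseline so that an IDS can flag anomalous ingress. The following Python example, added here and not part of the FBI/DHS bulletin, ties those two points together: it builds a bytes-per-window baseline from a quiet period, flags windows that exceed it, and attributes the traffic in those windows to the attack classes the bulletin names. The flow-record format and all IP addresses, ports and byte counts are constructed for illustration (documentation address ranges, nothing observed on a real network); the field layout mirrors what a typical flow exporter or IDS would provide but is not any product's actual output.

```python
"""Flow-record triage for the DDoS patterns described in the bulletin (constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
import statistics

# Source ports of services commonly abused as reflectors/amplifiers (from the bulletin).
AMPLIFIER_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP"}
# Ports the bulletin suggests blocking temporarily; DNS is excluded because it is a critical service.
BLOCKABLE = {"NTP": 123, "SSDP": 1900}


@dataclass
class Flow:
    ts: int        # time window index (e.g. one-second buckets)
    proto: str     # "tcp" or "udp"
    src_ip: str
    sport: int
    dst_ip: str
    dport: int
    flags: str     # TCP flags as letters; "" for UDP
    pkts: int
    nbytes: int


def parse_log(text):
    """Parse the constructed format: ts proto src:sport dst:dport flags pkts bytes."""
    flows = []
    for line in text.strip().splitlines():
        ts, proto, src, dst, flags, pkts, nbytes = line.split()
        src_ip, sport = src.rsplit(":", 1)
        dst_ip, dport = dst.rsplit(":", 1)
        flows.append(Flow(int(ts), proto, src_ip, int(sport), dst_ip, int(dport),
                          "" if flags == "-" else flags, int(pkts), int(nbytes)))
    return flows


def bytes_per_window(flows):
    totals = defaultdict(int)
    for f in flows:
        totals[f.ts] += f.nbytes
    return totals


def build_baseline(flows):
    """Mean and population stdev of ingress bytes per window over a known-quiet period."""
    vals = list(bytes_per_window(flows).values())
    return statistics.mean(vals), statistics.pstdev(vals)


def anomalous_windows(flows, baseline, k=3.0):
    """Windows whose ingress volume exceeds mean + k*stdev of the baseline."""
    mean, sd = baseline
    threshold = mean + k * max(sd, 1.0)   # floor avoids a zero threshold on a flat baseline
    return sorted(ts for ts, b in bytes_per_window(flows).items() if b > threshold)


def classify(flows):
    """Attribute flow volume to the attack classes named in the bulletin.

    Heuristic: inbound UDP from an amplifier service port is counted as reflected
    traffic. Legitimate replies to our own DNS/NTP queries match too, which is why
    this is only applied to windows already flagged as far above baseline.
    """
    amp = defaultdict(int)   # service name -> bytes
    syn = defaultdict(int)   # destination port -> SYN packets
    udp_other = 0
    for f in flows:
        if f.proto == "udp" and f.sport in AMPLIFIER_PORTS:
            amp[AMPLIFIER_PORTS[f.sport]] += f.nbytes
        elif f.proto == "tcp" and f.flags == "S":
            syn[f.dport] += f.pkts
        elif f.proto == "udp":
            udp_other += f.nbytes
    return {"amplification": dict(amp), "syn_flood": dict(syn), "udp_flood_bytes": udp_other}


def triage(baseline_text, live_text):
    """Flag anomalous windows against the baseline and classify only the traffic in them."""
    baseline = build_baseline(parse_log(baseline_text))
    live = parse_log(live_text)
    windows = anomalous_windows(live, baseline)
    suspect = [f for f in live if f.ts in set(windows)]
    return {"windows": windows, "classes": classify(suspect)}


def ports_to_block(report):
    """UDP ports whose temporary blocking the bulletin suggests for the observed amplifiers."""
    return sorted(BLOCKABLE[s] for s in report["classes"]["amplification"] if s in BLOCKABLE)


# Constructed quiet-period flows: normal web traffic plus replies to our own DNS/NTP queries.
NORMAL_LOG = """
0 tcp 198.51.100.7:51000 192.0.2.10:80 PA 40 52000
0 udp 203.0.113.5:53 192.0.2.10:40001 - 2 600
1 tcp 198.51.100.8:51010 192.0.2.10:80 PA 38 49000
1 udp 203.0.113.5:123 192.0.2.10:40002 - 1 90
2 tcp 198.51.100.9:51020 192.0.2.10:443 PA 42 55000
2 udp 203.0.113.5:53 192.0.2.10:40003 - 2 700
3 tcp 198.51.100.7:51030 192.0.2.10:80 PA 39 50000
3 udp 203.0.113.5:53 192.0.2.10:40004 - 2 650
4 tcp 198.51.100.8:51040 192.0.2.10:80 PA 41 53000
4 udp 203.0.113.5:123 192.0.2.10:40005 - 1 90
"""

# Constructed live flows: NTP/SSDP reflection in window 10, SYN and UDP floods in window 11,
# then a return to normal in window 12.
ATTACK_LOG = """
10 udp 203.0.113.20:123 192.0.2.10:80 - 5000 2400000
10 udp 203.0.113.21:123 192.0.2.10:80 - 4800 2300000
10 udp 203.0.113.22:1900 192.0.2.10:80 - 3000 900000
10 tcp 198.51.100.7:51050 192.0.2.10:80 PA 40 52000
11 tcp 203.0.113.30:1025 192.0.2.10:22 S 20000 1200000
11 tcp 203.0.113.31:1026 192.0.2.10:80 S 25000 1500000
11 udp 203.0.113.40:40000 192.0.2.10:9999 - 3000 3000000
12 tcp 198.51.100.8:51060 192.0.2.10:80 PA 38 49000
12 udp 203.0.113.5:53 192.0.2.10:40006 - 2 600
"""

if __name__ == "__main__":
    report = triage(NORMAL_LOG, ATTACK_LOG)
    print(report)
    print("candidate UDP ports for temporary blocking:", ports_to_block(report))
```

On the constructed data, windows 10 and 11 are flagged, the reflected traffic is attributed to NTP and SSDP, the SYN packets to ports 22 and 80, and the plain UDP flood is counted separately; window 12, which contains an ordinary DNS reply from port 53, stays below threshold and is never classified. The baseline window size, the three-sigma threshold and the "window must already be anomalous" gate are the tunable parts; a production IDS would also correlate inbound replies with outbound requests rather than relying on source port alone.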
Additional Suggestions:
- If a critical infrastructure system cannot be removed from the Internet altogether, obtain a backup Internet uplink, through a separate service if possible.
- Review DNS servers for redundancy.
- ISPs should consider implementing network egress filtering and/or other anti-spoofing techniques to limit the effectiveness of DDoS attacks using spoofed source IP addresses.
- System administrators that operate DNS, SSDP, and/or NTP servers should ensure their systems are fully patched and consider rate-limiting and firewalling systems to minimize the likelihood their systems are used in an attack.
*Source: FBI/DHS Bulletin
Thanks for sharing John!
Great article. Separation of hosting (web and email) from primary access is a great way to assist continuity.