How Corero Protects Against Blended DDoS Attacks

Recently the Corero Security Operations Center (SOC) team observed a combined SYN Flood and ACK Flood attack that reached 75Gbps, targeting one of our customers that has large data centers across the globe.

The chart below illustrates the volume and duration of the attack, which was simultaneously launched on each of the customer’s data centers. Although the DDoS attack was relatively short-lived, the attack would have saturated the company’s network, resulting in significant downtime, if not for the fact that the attack was automatically mitigated by the Corero SmartWall. This blended DDoS attack was a highly targeted, high bandwidth, but very short duration event that lasted a few minutes. The only way to stop this form of attack is with an inline solution.

DDoS attacks come in a variety of forms; there are at least 25 types of attacks. Some DDoS attacks target traditional border infrastructure, while others target critical network services, other security technologies, or online business integrity. DDoS hackers have become more sophisticated, using a variety of techniques to pull off these attacks: Network Layer, Reflective/Amplified, Fragmented Packet, Application Layer, etc. Increasingly, hackers often launch blended attacks that combine three, four or five types of attacks at the same time. Luckily the Corero SmartWall Threat Defense System (TDS) defends against all of them.

SYN floods and ACK floods are some of the most common types of attacks we see, and they target traditional border infrastructure. In a SYN Flood, a victim server, firewall or other perimeter defense receives SYN packets (often spoofed and most often from a botnet) at very high packet rates that can overwhelm the victim by consuming its resources. In most cases if a server is protected by a firewall, the firewall will become a victim of the SYN flood itself and begin to flush its state-table, knocking all good connections offline or—even worse— reboot.

To remain up and running, some firewalls will begin to indiscriminately drop all good and bad traffic to the destination server being flooded. Some firewalls perform an Early Random Drop process blocking both good and bad traffic. SYN floods are often used to consume all network bandwidth as well as negatively impact routers, firewalls, IPS/IDS, SLB, WAF and the victim servers.

In an ACK DDoS attack (or ACK-PUSH Flood), attackers send spoofed ACK (or ACK-PUSH) packets at very high packet rates that fail to belong to any current session within the firewall’s state-table and/or server’s connection list. The ACK flood exhausts a victim’s firewalls by forcing state-table lookups and depletes server resources used to match these incoming packets to an existing flow.

Obviously, during a DDoS attack, a firewall is easily compromised, offering no defense to servers downstream. Corero technology blocks the bad traffic and allows all normal/good traffic to pass through.

Leave a Reply