For a device to offer DDoS protection it must be able to handle the different traffic profiles that make up the current DDoS attack landscape. By plotting the relative counts of distinct source and destination network sockets (layer 3 address plus layer 4 protocol and port), the major categories of DDoS threats become easy to see. After introducing the basic traffic shape, anomalous variants are shown to highlight the types of attacks that a modern DDoS protection solution should be able to detect and mitigate automatically.
Before comparisons can be made, one term that will help is that of a network socket. In this article a network socket is the combination of an IP address, a layer 4 protocol, and a port number (e.g. 184.108.40.206:UDP:53).
Normal inbound traffic to a site (hosting provider, ISP, or a large enterprise) can be drawn as a trapezoid. While traffic can originate from almost anywhere on the internet, at any given time only a small subset of possible sources is seen, and each client connection arrives from a different source socket. The number of distinct destination network sockets at the site (its exposed services) is much smaller than the number of distinct source network sockets, so the shape is wide at the source end and narrow at the destination end. See figure 1.
When this trapezoid narrows or broadens too much it becomes a traffic anomaly and possibly malicious activity. Next we will take a look at some typical DDoS threats.
SYN Flood: In this attack the source network sockets become completely random and overwhelming in number, while at the same time the destination network sockets narrow sharply. In extreme cases over 99% of the incoming packets are addressed to one destination network socket. The trapezoid transforms into a broad-base triangle. See figure 2.
Reflective Attack Victim: An attacker sends spoofed requests, using one of the site's IP addresses as the source IP, to open servers on the internet. The result is a sudden reduction in the variety of source network sockets, because the open servers all reply to the target site from the same well-known source port (DNS 53, SSDP 1900, SNMP 161, Chargen 19). The normal pseudo-random spread of source sockets is drowned out by the few socket types the attacker is exploiting on the open internet servers. While the destination port numbers may be randomized, leading to multiple destination sockets on the one target IP at the site, the amplified (oversized) replies are fragmented in transit, and only the first fragment of each reply carries the UDP header; the remaining fragments arrive with no port numbers at all. The trapezoid transforms into a narrow-base triangle. See Figure 3.
Reflective Attack Resource: The local site is being used to attack another target. The real attacker sends spoofed requests to the local site using one of the target's IP addresses as the source IP. This single source socket and single open destination socket can dominate the local site's traffic as a percentage. In extreme cases the trapezoid can appear to shrink to a line. See Figure 4.
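To make the four shapes concrete, the following script is an added example, not code from the original article or from any vendor's product. It builds constructed 5-tuple records (source IP, protocol, source port, destination IP, destination port) for normal traffic and for the three attack profiles above, counts distinct source and destination sockets the way the figures do, and classifies the resulting shape. The traffic generators, the RFC 5737 documentation addresses, and the classification thresholds are all assumptions chosen for illustration; a port of None marks a trailing IP fragment that has lost its layer 4 header, as described for the reflection victim case.

```python
"""Socket-shape heuristics for the trapezoid / triangle DDoS profiles.

Added example. Records are constructed, not captured traffic, and the
thresholds in classify() are illustrative assumptions, not product values.
"""
import random
from collections import Counter

# Record layout: (src_ip, proto, src_port, dst_ip, dst_port).
# A port of None means a non-first IP fragment (no UDP/TCP header present).
SERVICES = [("203.0.113.10", "TCP", 443),   # assumed local web service
            ("203.0.113.10", "TCP", 80),
            ("203.0.113.53", "UDP", 53)]    # assumed local open DNS resolver
rng = random.Random(7)                       # fixed seed so runs are repeatable


def rand_ip():
    """Pseudo-random public-looking address; constructed, never used to send."""
    return ".".join(str(rng.randint(1, 254)) for _ in range(4))


def normal_traffic(n):
    """Trapezoid: a fresh client socket per record, a handful of destination sockets."""
    recs = []
    for _ in range(n):
        d_ip, proto, d_port = rng.choice(SERVICES)
        recs.append((rand_ip(), proto, rng.randint(1024, 65535), d_ip, d_port))
    return recs


def syn_flood(n, target=SERVICES[0]):
    """Broad-base triangle: random spoofed sources, one destination socket."""
    d_ip, proto, d_port = target
    return [(rand_ip(), proto, rng.randint(1024, 65535), d_ip, d_port) for _ in range(n)]


def reflection_victim(n, victim="203.0.113.10", reflectors=40):
    """Narrow-base triangle: a few DNS reflectors (source port 53) answer to random
    victim ports; every other record is a trailing fragment with no ports at all."""
    srcs = [rand_ip() for _ in range(reflectors)]
    recs = []
    for i in range(n):
        s_ip = srcs[(i // 2) % reflectors]
        if i % 2:
            recs.append((s_ip, "UDP", None, victim, None))
        else:
            recs.append((s_ip, "UDP", 53, victim, rng.randint(1024, 65535)))
    return recs


def reflection_resource(n, spoofed="198.51.100.7", open_service=SERVICES[2]):
    """Line: one spoofed source socket (assumed fixed port 80) hitting one open local socket."""
    d_ip, proto, d_port = open_service
    return [(spoofed, proto, 80, d_ip, d_port) for _ in range(n)]


def socket_shape(records):
    """Count distinct source and destination sockets and how concentrated each side is."""
    n = len(records)
    src = Counter((r[0], r[1], r[2]) for r in records)
    dst = Counter((r[3], r[1], r[4]) for r in records)
    return {"n": n,
            "src_sockets": len(src),
            "dst_sockets": len(dst),
            "top_src_share": src.most_common(1)[0][1] / n,
            "top_dst_share": dst.most_common(1)[0][1] / n}


def classify(shape):
    """Map a measured shape to one of the four profiles. Thresholds are assumptions."""
    if shape["top_src_share"] >= 0.8 and shape["top_dst_share"] >= 0.8:
        return "line: reflection resource"          # one source socket, one destination socket
    if shape["top_dst_share"] >= 0.9 and shape["src_sockets"] >= 0.9 * shape["n"]:
        return "broad-base triangle: SYN flood"      # every packet a new source, one target
    if shape["dst_sockets"] > 2 * shape["src_sockets"]:
        return "narrow-base triangle: reflection victim"  # few sources, many victim ports
    return "trapezoid: normal"


def profile(records):
    return classify(socket_shape(records))


if __name__ == "__main__":
    background = normal_traffic(100)  # legitimate traffic mixed into every scenario
    scenarios = [("normal", normal_traffic(1000)), ("syn flood", syn_flood(1000)),
                 ("refl. victim", reflection_victim(1000)),
                 ("refl. resource", reflection_resource(1000))]
    for name, attack in scenarios:
        recs = background + attack
        print(f"{name:15s} {socket_shape(recs)} -> {profile(recs)}")
```

Each scenario mixes 100 normal records into 1000 attack records so the legitimate trapezoid is still present but drowned out, which is the situation a detector actually faces. In practice the counts would be taken per time window and per protected prefix rather than over a whole batch.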
These shape changes are moderately easy to detect in a lab or at a single enterprise, because the traffic pattern there is generally one clean trapezoid with low variance over time. In a hosting provider or ISP environment, each customer has its own trapezoid composed of different network sockets and socket counts, and those trapezoids overlap on the same links. Detecting anomalies within these overlapping profiles requires a DDoS protection solution with in-depth, per-customer visibility.