
DDoS QUICK GUIDE

October 2020

DISCLAIMER: This advisory is provided “as is” for informational purposes only. DHS/CISA does not provide any
warranties of any kind regarding any information contained within. DHS/CISA does not endorse any commercial
product or service, referenced in this advisory or otherwise. Further dissemination of this advisory is governed by
the Traffic Light Protocol (TLP) marking in the footer. For more information about TLP, see http://www.us-cert.gov/tlp.

ATTACK POSSIBILITIES BY OSI LAYER

Columns: OSI Layer | Protocol Data Unit (PDU) | Layer Description | Protocols | Examples of Denial of Service
Techniques at Each Level | Potential Impact of Attack | Mitigation Options for Attack Type

Application Layer (7)
  PDU: Data
  Layer Description: Message and packet creation begins. DB access is on this level. End-user protocols such as
  FTP, SMTP, Telnet, and RAS work in this layer.
  Protocols: Uses the protocols FTP, HTTP, POP3, & SMTP; its device is the Gateway.
  Examples of DoS Techniques: PDF GET requests, HTTP GET, HTTP POST = website forms (login, uploading
  photo/video, submitting feedback).
  Potential Impact: Reach resource limits of services; resource starvation.
  Mitigation Options: Application monitoring is the practice of monitoring software applications using a
  dedicated set of algorithms, technologies, and approaches to detect zero-day and application layer (Layer 7)
  attacks. Once identified, these attacks can be stopped and traced back to a specific source more easily than
  other types of DDoS attacks.

Presentation Layer (6)
  PDU: Data
  Layer Description: Translates the data format from sender to receiver.
  Protocols: Uses the protocols Compression & Encryption.
  Examples of DoS Techniques: Malformed SSL requests. Inspecting SSL encryption packets is resource intensive;
  attackers use SSL to tunnel HTTP attacks to target the server.
  Potential Impact: The affected systems could stop accepting SSL connections or automatically restart.
  Mitigation Options: To mitigate, consider options like offloading the SSL from the origin infrastructure and
  inspecting the application traffic for signs of attack traffic or violations of policy at an application
  delivery platform (ADP). A good ADP will also ensure that your traffic is then re-encrypted and forwarded back
  to the origin infrastructure, with unencrypted content only ever residing in protected memory on a secure
  bastion host.

Session (5)
  PDU: Data
  Layer Description: Governs establishment, termination, and sync of sessions within the OS over the network
  (e.g., when you log off and on).
  Protocols: Uses the protocol Logon/Logoff.
  Examples of DoS Techniques: Telnet DDoS: the attacker exploits a flaw in the Telnet server software running
  on the switch, rendering Telnet services unavailable.
  Potential Impact: Prevents the administrator from performing switch management functions.
  Mitigation Options: Check with your hardware provider to determine if there's a version update or patch to
  mitigate the vulnerability.

TLP: WHITE
CISA | DEFEND TODAY, SECURE TOMORROW

cisa.gov [email protected] Linkedin.com/company/cisagov @CISAgov | @cyber | @uscert_gov Facebook.com/CISA @cisagov

Transport (4)
  PDU: Segment
  Layer Description: Ensures error-free transmission between hosts; manages transmission of messages from
  layers 1 through 3.
  Protocols: Uses the protocols TCP & UDP.
  Examples of DoS Techniques: SYN Flood, Smurf Attack.
  Potential Impact: Reach bandwidth or connection limits of hosts or networking equipment.
  Mitigation Options: DDoS attack blocking, commonly referred to as blackholing, is a method typically used by
  ISPs to stop a DDoS attack on one of its customers. This approach to blocking DDoS attacks makes the site in
  question completely inaccessible to all traffic, both malicious attack traffic and legitimate user traffic.
  Blackholing is typically deployed by the ISP to protect other customers on its network from the adverse
  effects of DDoS attacks such as slow network performance and disrupted service.

Network (3)
  PDU: Packet
  Layer Description: Dedicated to routing and switching information to different networks, LANs or
  internetworks.
  Protocols: Uses the protocols IP, ICMP, ARP, & RIP, and uses Routers as its device.
  Examples of DoS Techniques: ICMP Flooding: a Layer 3 infrastructure DDoS attack method that uses ICMP
  messages to overload the targeted network's bandwidth.
  Potential Impact: Can affect available network bandwidth and impose extra load on the firewall.
  Mitigation Options: Rate-limit ICMP traffic and prevent the attack from impacting bandwidth and firewall
  performance.

Data Link (2)
  PDU: Frame
  Layer Description: Establishes, maintains, and decides how the transfer is accomplished over the physical
  layer.
  Protocols: Uses the protocols 802.3 & 802.5; its devices are NICs, switches, bridges & WAPs.
  Examples of DoS Techniques: MAC flooding: inundates the network switch with data packets.
  Potential Impact: Disrupts the usual sender-to-recipient flow of data, blasting across all ports.
  Mitigation Options: Many advanced switches can be configured to limit the number of MAC addresses that can be
  learned on ports connected to end stations, and allow discovered MAC addresses to be authenticated against an
  authentication, authorization and accounting (AAA) server and subsequently filtered.

Physical (1)
  PDU: Bits
  Layer Description: Includes, but is not limited to, cables, jacks, and hubs.
  Protocols: Uses the protocols 100 Base-T & 1000 Base-X, and uses Hubs, patch panels, & RJ45 Jacks as devices.
  Examples of DoS Techniques: Physical destruction, obstruction, manipulation, or malfunction of physical assets.
  Potential Impact: Physical assets will become unresponsive and may need to be repaired to increase
  availability.
  Mitigation Options: Practice defense-in-depth tactics; use access controls, accountability, and auditing to
  track and control physical assets.

POSSIBLE DDoS TRAFFIC TYPES

HTTP Header: HTTP headers are fields which describe which resources are requested, such as a URL, a form, a JPEG,
etc. HTTP headers also inform the web server what kind of web browser is being used. Common HTTP headers are GET,
POST, ACCEPT, LANGUAGE, and USER AGENT. The requester can insert as many headers as they want and can make them
communication specific. DDoS attackers can change these and many other HTTP headers to make it more difficult to
identify the attack origin. In addition, HTTP headers can be designed to manipulate caching and proxy services.
For example, it is possible to ask a caching proxy not to cache the information.

HTTP POST Flood: An HTTP POST Flood is a type of DDoS attack in which the volume of POST requests overwhelms the
server so that the server cannot respond to them all. This can result in exceptionally high utilization of system
resources and consequently crash the server.

HTTP POST Request: An HTTP POST Request is a method that submits data in the body of the request to be processed
by the server. For example, a POST request takes the information in a form and encodes it, then posts the content
of the form to the server.

HTTPS POST Flood: An HTTPS POST Flood is an HTTP POST flood sent over an SSL session. Due to the use of SSL, it is
necessary to decrypt the requests in order to inspect them.

HTTPS POST Request: An HTTPS POST Request is an encrypted version of an HTTP POST request. The actual data
transferred back and forth is encrypted.

HTTPS GET Flood: An HTTPS GET Flood is an HTTP GET flood sent over an SSL session. Due to the SSL, it is necessary
to decrypt the requests in order to mitigate the flood.

HTTPS GET Request: An HTTPS GET Request is an HTTP GET Request sent over an SSL session. Due to the use of SSL, it
is necessary to decrypt the requests in order to inspect them.

HTTP GET Flood: An HTTP GET Flood is a layer 7 (application layer) DDoS attack method in which attackers send a
huge flood of requests to the server to overwhelm its resources. As a result, the server cannot respond to
legitimate requests.

HTTP GET Request: An HTTP GET Request is a method that requests information from the server. A GET request asks
the server to give you something, such as an image or script, so that it may be rendered by your browser.

SYN Flood (TCP/SYN): A SYN Flood works by establishing half-open connections to a node. When the target receives a
SYN packet to an open port, the target will respond with a SYN-ACK and try to establish a connection. However,
during a SYN flood, the three-way handshake never completes because the client never responds to the server's
SYN-ACK. As a result, these "connections" remain in the half-open state until they time out.

UDP Flood: UDP floods are used frequently for larger bandwidth DDoS attacks because they are connectionless and it
is easy to generate protocol 17 (UDP) messages from many different scripting and compiled languages.

ICMP Flood: Internet Control Message Protocol (ICMP) is primarily used for error messaging and typically does not
exchange data between systems. ICMP packets may accompany TCP packets when connecting to a server. An ICMP flood
is a layer 3 infrastructure DDoS attack method that uses ICMP messages to overload the targeted network's
bandwidth.

MAC Flood: A rare attack, in which the attacker sends multiple dummy Ethernet frames, each with a different MAC
address. Network switches treat MAC addresses separately, and hence reserve some resources for each request. When
all the memory in a switch is used up, it either shuts down or becomes unresponsive. In a few types of routers, a
MAC flood attack may cause these to drop their entire routing table, thus disrupting the whole network under its
routing domain.
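The MAC Flood entry above, and the Data Link (2) row of the OSI table, as an added example that is not part of the CISA guide: a small learning-switch model in Python with a bounded CAM table, run once without and once with a per-port limit on learned addresses (the port-security control the table's mitigation column describes). The switch class, the MAC addresses and the frame sequence are constructed for illustration and are this example's own, not a description of any vendor's switch.

```python
from collections import OrderedDict


class Switch:
    """Toy learning switch: a bounded CAM (MAC -> port) table, with an optional
    per-port cap on learned addresses standing in for port security.
    Constructed for this example; not a model of any particular product."""

    def __init__(self, ports, cam_capacity=8, port_limit=None):
        self.ports = list(ports)
        self.cam_capacity = cam_capacity
        self.port_limit = port_limit         # None: no per-port limit
        self.cam = OrderedDict()             # mac -> port, oldest entry first
        self.violations = []                 # (port, mac) refused by the per-port limit
        self.flood_count = 0                 # frames sent out every port

    def _learn(self, src_mac, in_port):
        """Record src_mac on in_port; returns False if port security refuses it."""
        if src_mac in self.cam:
            self.cam.move_to_end(src_mac)
            return True
        if self.port_limit is not None:
            learned_here = sum(1 for p in self.cam.values() if p == in_port)
            if learned_here >= self.port_limit:
                self.violations.append((in_port, src_mac))
                return False
        if len(self.cam) >= self.cam_capacity:
            self.cam.popitem(last=False)     # table full: the oldest entry is pushed out
        self.cam[src_mac] = in_port
        return True

    def forward(self, src_mac, dst_mac, in_port):
        """Returns the egress ports for a frame ([] when it is dropped)."""
        if not self._learn(src_mac, in_port):
            return []
        out = self.cam.get(dst_mac)
        if out is None or out == in_port:
            self.flood_count += 1            # unknown destination: behave like a hub
            return [p for p in self.ports if p != in_port]
        return [out]


def run_mac_flood(port_limit, attacker_frames=50):
    """Two hosts talk, a third port sends frames with many source MACs, then host A
    sends to host B again. Reports whether B's entry survived and where the frame went."""
    sw = Switch(ports=[1, 2, 3, 4], cam_capacity=8, port_limit=port_limit)
    host_a, host_b = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02"   # constructed addresses
    sw.forward(host_a, host_b, 1)            # B unknown yet: flooded; A learned on port 1
    sw.forward(host_b, host_a, 2)            # B learned on port 2; reply is unicast
    for i in range(attacker_frames):
        fake_src = f"02:00:00:00:{i // 256:02x}:{i % 256:02x}"   # constructed, locally administered
        sw.forward(fake_src, "ff:ff:ff:ff:ff:ff", 3)
    egress = sw.forward(host_a, host_b, 1)
    return {"egress": egress, "cam_size": len(sw.cam),
            "violations": len(sw.violations), "floods": sw.flood_count}


if __name__ == "__main__":
    print("no port limit:", run_mac_flood(None))
    print("limit 2/port: ", run_mac_flood(2))
```

Without the limit, the run of new source addresses evicts host B's entry and the final A-to-B frame leaves on every port, including the attacker's port 3, which is the "blasting across all ports" impact the table lists. With a limit of two learned addresses per port, the remaining 48 source MACs are refused, B's entry survives and the frame stays unicast to port 2.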

GLOSSARY

Denial of Service: The core concepts of cyber security are availability, integrity, and confidentiality. Denial of
Service (DoS) attacks impact the availability of information resources. The DoS is successful if it renders
information resources unavailable. Success and impact differ in that impact is relative to the victim. For
example, if an actor DoS's a website belonging to a company that relies on e-commerce to drive its business
operations, the company may experience financial losses if the DoS is sustained for a period of time. The risk,
threat, and impact levels for DoS activity are determined on a case-by-case basis.

Layer 3 and Layer 4 DDoS Attacks: Layer 3 and Layer 4 DDoS attacks are types of volumetric DDoS attacks on a
network infrastructure. Layer 3 (network layer) and 4 (transport layer) DDoS attacks rely on extremely high
volumes (floods) of data to slow down web server performance, consume bandwidth, and eventually degrade access for
legitimate users. These attack types typically include ICMP, SYN, and UDP floods.

Layer 7 DDoS Attack: A Layer 7 DDoS attack is an attack structured to overload specific elements of an application
server infrastructure. Layer 7 attacks are especially complex, stealthy, and difficult to detect because they
resemble legitimate website traffic. Even simple Layer 7 attacks (for example, those targeting login pages with
random user IDs and passwords, or repetitive random searches on dynamic websites) can critically overload CPUs and
databases. Also, DDoS attackers can randomize or repeatedly change the signatures of a Layer 7 attack, making it
more difficult to detect and mitigate.
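The HTTP GET Flood and HTTP POST Flood entries in the traffic-types section, and the Layer 7 DDoS Attack entry above, as an added example that is not part of the CISA guide: the "application monitoring" the OSI table prescribes, done in Python over web-server access-log lines. It keeps a sliding window of requests per source and, when a source exceeds the window threshold, also reports the share of distinct paths, so that the "repetitive random searches" pattern (every request different, so caches never help) stands out from a client re-fetching a single page. The log format, addresses, thresholds and the sample log are constructed for illustration; the class and function names are the example's own.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format line, e.g.
# 203.0.113.5 - - [01/Oct/2020:12:00:00 +0000] "GET /index.html HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Returns a dict for a well-formed access-log line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


class Layer7FloodDetector:
    """Sliding-window request counter per source IP; flags sources whose request
    rate exceeds what a human-driven client produces. Example code, not a product."""

    def __init__(self, window_s=10, max_requests=30):
        self.window = timedelta(seconds=window_s)
        self.max_requests = max_requests
        self.recent = defaultdict(deque)   # ip -> deque of (timestamp, path)

    def observe(self, rec):
        """Feed one parsed record; returns an alert dict or None."""
        q = self.recent[rec["ip"]]
        q.append((rec["ts"], rec["path"]))
        while q and rec["ts"] - q[0][0] > self.window:
            q.popleft()                    # drop requests that fell out of the window
        if len(q) <= self.max_requests:
            return None
        # Share of distinct paths: near 1.0 means every request differs, the
        # randomized-search pattern; near 0 means one page hammered repeatedly.
        distinct_ratio = len({p for _, p in q}) / len(q)
        return {"ip": rec["ip"], "requests": len(q),
                "distinct_path_ratio": round(distinct_ratio, 2)}


def analyze(lines, **detector_kwargs):
    """Runs the detector over log lines; returns the latest alert per flagged source."""
    det = Layer7FloodDetector(**detector_kwargs)
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                       # malformed line: skipped, not fatal
        alert = det.observe(rec)
        if alert:
            alerts[alert["ip"]] = alert
    return alerts


def build_sample_log():
    """Constructed log lines: two ordinary clients plus one source issuing a burst
    of randomized search requests. Addresses are documentation ranges."""
    base = datetime(2020, 10, 1, 12, 0, 0, tzinfo=timezone.utc)

    def fmt(ip, t, path):
        return f'{ip} - - [{t.strftime("%d/%b/%Y:%H:%M:%S %z")}] "GET {path} HTTP/1.1" 200 512'

    entries = []
    for i in range(5):
        entries.append((base + timedelta(seconds=2 * i), "203.0.113.5", "/index.html"))
        entries.append((base + timedelta(seconds=2 * i + 1), "203.0.113.9", "/static/logo.png"))
    for i in range(60):                    # 60 requests in under five seconds, all different
        entries.append((base + timedelta(milliseconds=80 * i), "198.51.100.77", f"/search?q=rnd{i:04d}"))
    entries.sort(key=lambda e: e[0])       # chronological, as a log would be
    return [fmt(ip, t, path) for t, ip, path in entries]


if __name__ == "__main__":
    for ip, alert in analyze(build_sample_log()).items():
        print(ip, alert)
```

The window threshold is deliberately crude; what makes the output useful for the "traced back to a specific source" step in the table is the combination of rate and distinct-path share per source, which is what a rule in a WAF or reverse proxy would key on.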

itsoknoproblembro: The name given to a suite of malicious PHP scripts discovered on multiple compromised hosts. The
main functionalities appear to be file uploads, persistence, and DDoS traffic floods. The itsoknoproblembro
toolkit includes multiple infrastructure and application-layer attack vectors, such as SYN floods, that can
simultaneously attack multiple destination ports and targets, as well as ICMP, UDP, and SSL-encrypted attack
types. A common characteristic of the attacks is a large UDP flood targeting DNS infrastructure. Uniquely, the
attacking botnet contains many legitimate (non-spoofed) IP addresses, enabling the attack to bypass most
anti-spoofing mechanisms.

PHP Shell, PHP Webshell: A script in the PHP language that can execute commands, view files, and perform other
system administrative tasks. PHP shells are often used to take control of web servers via web application
vulnerabilities.

Proxy: A proxy is a network device which terminates incoming traffic and then creates a new communication session
which is used to send the traffic to the actual destination. The proxy fits between the requestor and the server
and mediates all of the communication between the two. Examples of proxy technologies are content switches and
load balancers. Proxy servers are most often used for DNS requests, HTTPS, and HTTP. When HTTPS is being proxied,
the proxy server itself must have copies of the public certificate, which includes the public key, and the private
key so it can effectively terminate the SSL/TLS requests. Mitigating Layer 7 DDoS attacks is sometimes carried out
using proxies.

Infrastructure DDoS Attack: An infrastructure attack is a DDoS attack that overloads the network infrastructure by
consuming large amounts of bandwidth, for example by making excessive connection requests without responding to
confirm the connection, as in the case of a SYN flood. A proxy server can protect against these kinds of attacks
by using cryptographic hashes and SYN cookies.
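The SYN cookie mechanism named in the Infrastructure DDoS Attack entry above, and the half-open connection problem described under SYN Flood (TCP/SYN), as an added example that is not part of the CISA guide: a Python model of the server side of the handshake that encodes a keyed MAC into its SYN-ACK sequence number instead of allocating a half-open entry, and validates the final ACK from that number alone. The bit layout (5-bit time slot, 3-bit MSS index, 24-bit HMAC-SHA256 truncation), the secret, the addresses and the listener class are this example's own choices, not a description of any operating system's implementation.

```python
import hashlib
import hmac

# Constructed secret for this example only; a real implementation generates it at
# start-up and rotates it periodically.
SECRET = b"example-only-secret-rotate-me"

# Small table of common MSS values; the cookie stores only a 3-bit index into it,
# because the server keeps no record of what the client offered.
MSS_TABLE = [536, 1220, 1440, 1460]


def _cookie_mac(secret, src_ip, src_port, dst_ip, dst_port, t_slot, client_isn):
    """24-bit keyed MAC over the connection 4-tuple, time slot and client ISN."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{t_slot}|{client_isn}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(secret, src_ip, src_port, dst_ip, dst_port, client_isn, mss, now):
    """Server ISN for the SYN-ACK: 5-bit time slot | 3-bit MSS index | 24-bit MAC."""
    t_slot = (now // 64) & 0x1F            # 64-second slots, wrapping every 32 slots
    mss_idx = 0
    for i, v in enumerate(MSS_TABLE):
        if v <= mss:
            mss_idx = i                    # largest table value not above the offered MSS
    mac = _cookie_mac(secret, src_ip, src_port, dst_ip, dst_port, t_slot, client_isn)
    return (t_slot << 27) | (mss_idx << 24) | mac


def check_syn_cookie(secret, src_ip, src_port, dst_ip, dst_port, client_isn, ack, now):
    """Validate the final ACK: returns the MSS to use, or None if the cookie is bad or stale."""
    cookie = (ack - 1) & 0xFFFFFFFF
    t_slot = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    mac = cookie & 0xFFFFFF
    current = (now // 64) & 0x1F
    if t_slot not in (current, (current - 1) & 0x1F):
        return None                        # issued more than about two minutes ago: reject
    expected = _cookie_mac(secret, src_ip, src_port, dst_ip, dst_port, t_slot, client_isn)
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None
    return MSS_TABLE[mss_idx]


class StatelessListener:
    """Server side of the handshake: answers SYNs without keeping any half-open state.
    Hypothetical class for this example; clock is injected so tests are deterministic."""

    def __init__(self, ip, port, secret, clock):
        self.ip, self.port, self.secret, self.clock = ip, port, secret, clock
        self.established = []

    def on_syn(self, src_ip, src_port, seq, mss):
        # Returns the ISN to send in the SYN-ACK; nothing is stored for this peer,
        # so a flood of SYNs that are never completed costs no table entries.
        return make_syn_cookie(self.secret, src_ip, src_port, self.ip, self.port,
                               seq, mss, int(self.clock()))

    def on_ack(self, src_ip, src_port, seq, ack):
        # The final ACK carries seq = client ISN + 1 and ack = our cookie + 1.
        mss = check_syn_cookie(self.secret, src_ip, src_port, self.ip, self.port,
                               seq - 1, ack, int(self.clock()))
        if mss is None:
            return False
        self.established.append((src_ip, src_port, mss))
        return True


if __name__ == "__main__":
    srv = StatelessListener("192.0.2.10", 443, SECRET, clock=lambda: 1_000_000)
    isn = srv.on_syn("198.51.100.7", 40000, 12345, 1460)
    print("handshake completed:", srv.on_ack("198.51.100.7", 40000, 12346, isn + 1))
```

The cost of the scheme is visible in the code: only a table index of the MSS survives, and a cookie older than two time slots is rejected even if genuine, which is why production stacks enable cookies only once the half-open queue is under pressure.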

DNS Amplification Attack: A Domain Name Server (DNS) Amplification attack is a popular form of Distributed Denial
of Service (DDoS), in which attackers use publicly accessible open DNS servers to flood a target system with DNS
response traffic. The primary technique consists of an attacker sending a DNS name lookup request to an open DNS
server with the source address spoofed to be the target's address. When the DNS server sends the DNS record
response, it is sent instead to the target.
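The DNS Amplification Attack entry above seen from the target's side, as an added example that is not part of the CISA guide: because the lookups were sent by someone else with the target's address forged as the source, the responses arrive at the target from resolvers it never queried. A gate that records outbound queries by (client address, client port, resolver, transaction id) and matches inbound responses against them separates solicited answers from reflected ones and reports which open resolvers are being used as reflectors. The flow records, addresses, sizes and class names are constructed for illustration.

```python
class DnsResponseGate:
    """Matches inbound DNS responses to the outbound queries that asked for them.
    Unmatched responses are the signature of reflection at the receiving end.
    Example class; timestamps are seconds as floats, sizes are UDP payload bytes."""

    def __init__(self, query_ttl=5.0):
        self.query_ttl = query_ttl
        self.pending = {}            # (client_ip, client_port, resolver_ip, txid) -> (ts, bytes)
        self.unsolicited = []        # (ts, resolver_ip, client_ip, response_bytes)
        self.matched_bytes = 0

    def _expire(self, now):
        stale = [k for k, (ts, _) in self.pending.items() if now - ts > self.query_ttl]
        for k in stale:
            del self.pending[k]      # a query nobody answered in time is forgotten

    def outbound_query(self, ts, client_ip, client_port, resolver_ip, txid, nbytes):
        self._expire(ts)
        self.pending[(client_ip, client_port, resolver_ip, txid)] = (ts, nbytes)

    def inbound_response(self, ts, resolver_ip, client_ip, client_port, txid, nbytes):
        """Returns True for a solicited response, False for an unsolicited one."""
        self._expire(ts)
        key = (client_ip, client_port, resolver_ip, txid)
        if key in self.pending:
            del self.pending[key]
            self.matched_bytes += nbytes
            return True
        self.unsolicited.append((ts, resolver_ip, client_ip, nbytes))
        return False

    def summary(self):
        """Counts, volume and the list of resolvers whose answers nobody here asked for."""
        by_reflector = {}
        for _, resolver_ip, _, nbytes in self.unsolicited:
            by_reflector[resolver_ip] = by_reflector.get(resolver_ip, 0) + nbytes
        return {
            "unsolicited_responses": len(self.unsolicited),
            "unsolicited_bytes": sum(by_reflector.values()),
            "solicited_bytes": self.matched_bytes,
            "reflectors": sorted(by_reflector),
        }


def replay_sample():
    """Constructed UDP/53 traffic at the edge of the network holding 192.0.2.10:
    five ordinary lookups to its own resolver, then large responses arriving
    from five open resolvers that nobody inside ever queried."""
    gate = DnsResponseGate()
    target, resolver = "192.0.2.10", "203.0.113.53"
    for i in range(5):
        gate.outbound_query(100.0 + i, target, 50000 + i, resolver, txid=0x1000 + i, nbytes=60)
        gate.inbound_response(100.1 + i, resolver, target, 50000 + i, txid=0x1000 + i, nbytes=120)
    reflectors = [f"198.51.100.{n}" for n in range(1, 6)]
    for i in range(30):
        gate.inbound_response(110.0 + i * 0.01, reflectors[i % 5], target, 53,
                              txid=0x4242, nbytes=3000)
    return gate.summary()


if __name__ == "__main__":
    print(replay_sample())
```

The reflector list is what an operator hands to the upstream provider or uses for an edge filter, and the ratio of unsolicited to solicited bytes (here 90000 against 600) is the amplification the entry describes as seen by the victim rather than by the attacker.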

MITIGATING LARGE SCALE DoS/DDoS ATTACKS

Columns: Device | Layer | Optimized For | DoS Protections

Firewall
  Layer: 4-7
  Optimized For: Flow Inspection, Deep Inspection
  DoS Protections: Screen, Session Limits, SYN Cookie

Router
  Layer: 3-4
  Optimized For: Packet Inspection, Frame Inspection
  DoS Protections: Line-Rate ACLs, Rate Limits

Some DDoS Mitigation Actions and Hardware

• Stateful Inspection Firewalls
• Stateful SYN Proxy Mechanisms
• Limiting the number of SYNs per second per IP
• Limiting the number of SYNs per second per destination IP
• Set ICMP flood SCREEN settings (thresholds) in the firewall
• Set UDP flood SCREEN settings (thresholds) in the firewall
• Rate limit routers adjacent to the firewall and network
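The threshold items in the list above (SYNs per second per source and per destination IP, ICMP and UDP flood SCREEN settings), as an added example that is not part of the CISA guide: a per-second screen in Python that counts accepted packets per source and per destination IP and drops whatever exceeds the configured limit for its protocol. The thresholds, addresses and packet stream are constructed for illustration; the class and function names are the example's own and do not describe any vendor's SCREEN implementation.

```python
from collections import defaultdict


class FloodScreen:
    """Per-second threshold screen in the style of firewall SCREEN options.
    thresholds maps (protocol, scope) to a maximum packets-per-second, where scope
    is "src" (counted per source IP) or "dst" (counted per destination IP).
    Assumes packets are presented in time order, as they would be on a data path."""

    def __init__(self, thresholds):
        self.thresholds = thresholds
        self.counts = defaultdict(int)      # (proto, scope, ip, second) -> accepted packets
        self.dropped = defaultdict(int)     # (proto, scope) -> dropped packets
        self.current_second = None

    def _roll(self, second):
        # Only the current second's counters can ever be consulted again, so a
        # new second starts with an empty table rather than an ever-growing one.
        if second != self.current_second:
            self.counts = defaultdict(int)
            self.current_second = second

    def check(self, ts, proto, src_ip, dst_ip):
        """Returns True if the packet passes every threshold that applies to it."""
        second = int(ts)
        self._roll(second)
        scopes = (("src", src_ip), ("dst", dst_ip))
        for scope, ip in scopes:
            limit = self.thresholds.get((proto, scope))
            if limit is not None and self.counts[(proto, scope, ip, second)] >= limit:
                self.dropped[(proto, scope)] += 1
                return False                # over the limit: dropped, not counted
        for scope, ip in scopes:
            if (proto, scope) in self.thresholds:
                self.counts[(proto, scope, ip, second)] += 1
        return True


def simulate():
    """Constructed packet stream: a handful of ordinary clients, one source
    flooding SYNs, and an ICMP burst, all toward the same server."""
    screen = FloodScreen({
        ("syn", "src"): 20,     # SYNs per second per source IP
        ("syn", "dst"): 300,    # SYNs per second per destination IP
        ("icmp", "dst"): 50,    # ICMP flood threshold
        ("udp", "dst"): 100,    # UDP flood threshold
    })
    server = "192.0.2.10"
    accepted = 0
    for i in range(15):                                    # 5 clients, 3 SYNs each, second 0
        accepted += screen.check(0.0 + i * 0.01, "syn", f"203.0.113.{i % 5 + 1}", server)
    for i in range(500):                                   # one source, 500 SYNs in second 0
        accepted += screen.check(0.2 + i * 0.001, "syn", "198.51.100.9", server)
    for i in range(100):                                   # 100 ICMP packets in second 1
        accepted += screen.check(1.0 + i * 0.005, "icmp", "198.51.100.20", server)
    return {"accepted": accepted, "dropped": dict(screen.dropped)}


if __name__ == "__main__":
    print(simulate())
```

The per-source SYN limit stops the single flooding source at 20 packets in its second while the fifteen ordinary SYNs pass untouched; the per-destination limit is the backstop for the distributed case, where no single source exceeds its own limit but the server still would, and the ICMP threshold caps the burst at 50.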
