According to statistics released by the Web Hacking Incident Database (WHID) project, DDoS attacks have become so prevalent that they currently top the charts for Web Application Risks and Attack Methods, with downtime being the top Attack Outcome.
LiveJournal is the latest blogging platform to be targeted by multiple DDoS attacks. LiveJournal has been hit by DDoS attacks a number of times in the past, mostly over conflicts between the political opinions expressed on specific blogs hosted on the site and those of the attackers.
This time, however, the attack is targeting several of the most popular blogs on LiveJournal at once, suggesting that the goal of these attacks might be to bring the whole blogging infrastructure down, rather than a single blog.
Other popular blogging platforms are no strangers to these types of attacks either. WordPress.com, which serves over 18 million websites and 30 million publishers – covering roughly 10% of all websites in the world – was the target of another intense DDoS attack that started on the 3rd of March, leading to a denial of service condition that rendered the blogs unusable.
The initial announcement of these latest attacks was made by LiveJournal on the 31st of March. Ilya Dronov, director of product development at SUP (the owner of LiveJournal), released interesting statistics from the first day of the attacks on his blog:
· Response time – it took 7 hours to mitigate the attack
· Attack characteristics:
o The number of concurrent sessions rose to 1.2M, versus 50K in peacetime
o The rate of HTTP requests was ten times higher than normal
o Outbound traffic rose to 2Gbps, versus 400Mbps in peacetime
· Attack origin – a sample of 1,000 attacking IP addresses placed most of the attack sources in the APAC region
· Under attack – only 30% of the HTTP requests (legitimate and attack-related combined) could be served
In another post describing the subsequent attacks of the 4th of April, Dronov writes that, unlike the 30th of March attacks, which consisted mainly of network- and application-layer floods such as TCP SYN and HTTP floods, the 4th of April attacks were so intense that their main objective appeared to be not merely to bring down the website, but to bring down the network equipment and possibly the link itself.
Analysing the information WordPress.com published on its own attack, we can tell that:
· “This is the largest and most sustained attack we’ve seen in our 6 year history” (WordPress founder Matt Mullenweg)
· Attack characteristics – multiple Gbps and tens of millions of PPS (packets per second)
· Attack origin – 98% of the attacks originated in China with a small percentage coming from Japan and Korea
· Motive – not necessarily political, probably financial – “it doesn’t look like attacks were politically motivated, more likely business-oriented given the targeted site” (Mullenweg)
The above illustrates some of the common experiences of battling a DDoS attack:
o Multiple attack types are mixed together, putting more strain on any equipment trying to cope with them
o Attacks are adapted over time in order to find the weak spots of a target and make the denial of service condition last longer
o Botnets are in use, increasing attack capacity and versatility beyond that of a single attacker, and making the attack harder to defend against with simple rate limiting and filtering mechanisms
o Attack campaigns last for days and sometimes weeks, consisting of different waves and intensities
Protecting blogging infrastructure is no different from protecting any other online service. Mitigating DDoS attacks, however, is not an easy task, and doing so effectively entails several requirements:
o Mitigation performance – high-rate DDoS must be mitigated by specialised hardware that withstands the attack load while allowing legitimate traffic to pass through (e.g. Anti-DDoS solutions using ASIC-based DDoS mitigation engines)
o Reducing reaction time – Network Behavioural Analysis (NBA) technology should be used to automatically and accurately distinguish attack traffic from legitimate traffic at all layers, including layer 7 (e.g. HTTP)
o Blocking multiple attack vectors – combining NBA, IPS and DoS protection technologies within a single Anti-DDoS solution ensures that no attack is overlooked during a multi-vector attack campaign
o Emergency response – advanced Anti-DDoS technology must be complemented by proven, experienced and knowledgeable security engineers who are well versed in DDoS attack mitigation and in the operation of the chosen Anti-DDoS solution. A centralised 24×7 service of this sort (e.g. one provided by the Anti-DDoS vendor) can supply the human intelligence needed to mitigate DDoS attacks as efficiently as possible
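Two of the points above, that a botnet defeats simple per-IP rate limiting and that behavioural analysis at layer 7 is what separates a flood from normal load, can be shown side by side. The following Python sketch is an added example, not code from the original post and not any vendor's NBA product logic. All of the traffic, the baseline figures and the 10/8 addresses in it are constructed for illustration and bear no relation to LiveJournal's or WordPress.com's real numbers; it compares a naive per-source limit with an aggregate baseline check (request rate, distinct sources, and concentration on one path) over a synthetic one-minute window of HTTP requests.

```python
from collections import Counter

# Constructed peacetime baseline for a one-minute window (hypothetical values,
# chosen only to make the comparison visible).
BASELINE_REQUESTS_PER_MIN = 5000
BASELINE_SOURCES_PER_MIN = 800
PER_SOURCE_LIMIT_PER_MIN = 100   # a typical naive per-IP rate limit


def synth_ip(i):
    """Deterministic, unique constructed address in the private 10/8 range."""
    return f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"


def legit_window(n_sources=800, per_source=6, n_paths=40):
    """Constructed normal traffic: modest per-source rate, spread over many paths."""
    reqs = []
    for i in range(n_sources):
        ip = synth_ip(i)
        for k in range(per_source):
            reqs.append((ip, f"/post/{(i * 7 + k) % n_paths}"))
    return reqs


def botnet_window(n_bots=30000, per_bot=2, path="/"):
    """Constructed HTTP flood: every bot stays below any per-IP limit, all hit one page."""
    return [(synth_ip(100000 + b), path) for b in range(n_bots) for _ in range(per_bot)]


def per_source_rate_limit(reqs, limit=PER_SOURCE_LIMIT_PER_MIN):
    """Classic per-IP limiting: returns the set of sources above the limit."""
    counts = Counter(ip for ip, _ in reqs)
    return {ip for ip, n in counts.items() if n > limit}


def baseline_anomaly(reqs, factor=3.0):
    """Behavioural comparison against the peacetime baseline.

    Three aggregate signals: request rate vs. baseline, distinct sources vs.
    baseline, and the share of requests landing on the single busiest path.
    A flood is suspected when both rate and source count exceed the baseline
    by `factor`; the path share is reported as a supporting layer-7 signal.
    """
    n = len(reqs)
    sources = {ip for ip, _ in reqs}
    top_path_share = Counter(p for _, p in reqs).most_common(1)[0][1] / n if n else 0.0
    rate_ratio = n / BASELINE_REQUESTS_PER_MIN
    source_ratio = len(sources) / BASELINE_SOURCES_PER_MIN
    return {
        "requests": n,
        "rate_ratio": round(rate_ratio, 2),
        "source_ratio": round(source_ratio, 2),
        "top_path_share": round(top_path_share, 3),
        "flood_suspected": rate_ratio >= factor and source_ratio >= factor,
    }


if __name__ == "__main__":
    windows = (("peacetime", legit_window()),
               ("attack", legit_window() + botnet_window()))
    for label, window in windows:
        flagged = per_source_rate_limit(window)
        print(f"{label}: per-IP limit flagged {len(flagged)} sources;",
              baseline_anomaly(window))
```

Run as a script, the per-IP limit flags no source in either window, because each constructed bot sends only two requests per minute, while the baseline check reports the attack window at roughly thirteen times the normal request rate from almost forty times the usual number of sources, with over 90% of requests on a single path. Real NBA systems learn the baseline continuously and use many more features, but the shape of the argument is the same.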