nanog mailing list archives

Re: Over a decade of DDOS--any progress yet?


From: Matthew Petach <mpetach () netflight com>
Date: Wed, 8 Dec 2010 10:34:31 -0800

On Wed, Dec 8, 2010 at 8:47 AM, Jay Coley <jay () prolexic com> wrote:
> On 08/12/2010 16:14, Drew Weaver wrote:
> > I would say that > 99% of the attacks that we see are 'link fillers' with < 1% being an application attack.
> >
> > thanks,
> > -Drew
>
> This has been our recent experience as well.  There are some pure app
> attacks, to be sure, but we see many blended attacks also.  Bandwidth
> (UDP/ICMP/SYN Flood) attack to distract with an app attack (GET/PUSH
> floods) attempting to run underneath the radar.  We regularly see SYN
> floods these days > 20 Gb/s.

Another thing to be aware of--when you get hit with what seems to be
a "simple" flooding attack aimed at one point of your infrastructure...
start checking your logs at _other_ places in your network very, VERY
carefully.

There seems to be a trend of using larger-scale flooding, or other
simple types of attacks to get all the network people at an organization
rushing over to throw resources and energy at it...while the real target
of the attack is something completely different, on a different subnet, in
a different part of the company; and that attack is small, carefully focused
at its target, and is designed to be relatively quiet.  The "big" attack is used
simply to ensure all the human energy is focused on the wrong place,
increasing the chance that what otherwise might have caused raised eyebrows
and double-checking of logs/IDS alerts, etc. gets missed while everyone
is focusing on the "big" attack.

> The thing to bear in mind is that app attacks *are* difficult to detect
> as they are low bandwidth and make a full TCP connection.  As a result
> many IDS/Firewalls etc regularly miss these attacks.
>
> Lastly there is usually always someone at the other end of these attacks
> watching what is working and what is not.  If the attack doesn't work
> they will simply round up more bots to increase the attack bandwidth or
> change the attack vector.

And, in what seems to be an increasing trend, what they are watching
for is *not* necessarily the result of the large botnet attack; they're checking
on the results of their targeted probes elsewhere in the network, or on the
outbound set of connections from a compromised machine within an
organization; after all, during a huge DDoS attack, with everyone focusing
on a set of uplinks being flooded with _inbound_ traffic, who is going to
notice the (relatively smaller) outbound spike of traffic as the compromised
machine sends out a copy of your internal intellectual property to the
miscreant recipients?

Matt
(speaking purely hypothetically, of course, and definitely not on behalf
of any institution or entity other than myself)
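A defender-side illustration of the point Matt makes above, added here and not part of the original thread: a per-host outbound-volume check over constructed flow records, so that an internal host whose outbound bytes jump while the uplinks are being flooded inbound is surfaced instead of buried under the flood. The internal address range, the sample flows and the thresholds are all assumptions.

```python
"""Flag internal hosts whose outbound byte volume spikes during an inbound flood.

Constructed sample flow records (not real traffic): each tuple is
(src_ip, dst_ip, bytes) aggregated over one 5-minute window.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumption: the organisation's internal range

# Constructed baseline window: normal outbound behaviour per internal host.
BASELINE_FLOWS = [
    ("10.1.1.5", "203.0.113.10", 120_000),
    ("10.1.1.5", "198.51.100.7", 80_000),
    ("10.1.2.9", "203.0.113.22", 50_000),
    ("10.1.3.3", "198.51.100.9", 60_000),
]

# Constructed current window: a flood hits the uplink toward 10.1.1.5 while
# the normally quiet host 10.1.3.3 pushes out far more than it usually does.
CURRENT_FLOWS = [
    ("192.0.2.44", "10.1.1.5", 900_000_000),    # inbound flood traffic
    ("192.0.2.45", "10.1.1.5", 850_000_000),    # inbound flood traffic
    ("10.1.1.5", "203.0.113.10", 130_000),      # normal outbound
    ("10.1.2.9", "203.0.113.22", 55_000),       # normal outbound
    ("10.1.3.3", "198.51.100.200", 4_200_000),  # outbound spike from a quiet host
]


def outbound_bytes(flows):
    """Sum bytes per internal source whose destination is external; inbound flows are ignored."""
    totals = defaultdict(int)
    for src, dst, nbytes in flows:
        if ip_address(src) in INTERNAL and ip_address(dst) not in INTERNAL:
            totals[src] += nbytes
    return totals


def outbound_spikes(baseline, current, ratio=5.0, min_bytes=1_000_000):
    """Return {host: (baseline_bytes, current_bytes)} for hosts exceeding both thresholds."""
    base = outbound_bytes(baseline)
    now = outbound_bytes(current)
    spikes = {}
    for host, nbytes in now.items():
        expected = base.get(host, 0)
        if nbytes >= min_bytes and nbytes > ratio * max(expected, 1):
            spikes[host] = (expected, nbytes)
    return spikes


if __name__ == "__main__":
    for host, (before, after) in outbound_spikes(BASELINE_FLOWS, CURRENT_FLOWS).items():
        print(f"{host}: outbound {before} B in baseline, {after} B now; review this host")
```

Because the sum only counts internal-to-external flows, the enormous inbound flood volume never inflates any host's outbound figure, which is what keeps the small exfiltration-sized spike visible.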

