What is a Volumetric DDoS Attack?
Volumetric DDoS attacks are designed to overwhelm internal network capacity and even centralized DDoS mitigation scrubbing facilities with significantly high volumes of malicious traffic. These DDoS attacks attempt to consume the bandwidth either within the target network/service, or between the target network/service and the rest of the Internet.
What Are the Different Types of Volumetric Attacks?
Volumetric attacks are typically launched against a specific target, usually critical Service Provider (SP) services or enterprise customers. Highly skilled attackers tend to combine volumetric attacks with application-layer attacks to hide the more focused application-level attacks, which do the real damage. These types of attacks take advantage of vulnerable services like memcached, NTP, DNS and SSDP, launching spoofed queries that flood the destination with large reply packets, filling up links and, in many cases, causing the target network infrastructure to collapse.
Common volumetric attacks might include:
What Are the Signs of a Volumetric Attack?
Such attacks are typically very high bandwidth (up to 100 Gb+, or even beyond Terabits/second) and are immediately obvious to both the target and upstream connectivity providers. For this reason, determined attackers have learned to actively monitor the results of their attacks, and often randomize attack parameters as soon as defenders can block or limit the current attack vector using DDoS mitigation tools.
To detect volumetric DDoS attacks, flow telemetry analysis (NetFlow, IPFIX, sFlow, etc.) has become the industry standard. Flow telemetry analysis is usually done using dedicated flow analysis tools (often centrally located), which process exported flow telemetry from routers and switches, activating the proper defenses according to the classification of the attack.
Why Are Volumetric Attacks Dangerous?
While volumetric attacks are primarily focused on causing congestion, they can also be a sign of an ulterior motive, covering up more sophisticated and surgical DDoS attacks, such as penetration attempts on exposed services. In such cases, attackers may be attempting to cause as much operational disruption and distraction as possible, including monitoring and rapidly mutating their attacks to evade static mitigation techniques. These kinds of attacks have been referred to as "Trojan Horse" DDoS and may be intended to disable a firewall or intrusion prevention system, allowing attackers to infiltrate a network, install malware, and ultimately steal data.
How To Mitigate and Prevent Volumetric Attacks
Mitigating and preventing volumetric attacks requires DDoS protection technologies, such as Remotely-triggered Blackholing (RTBH) and Source-based Remotely-triggered Blackholing (S/RTBH), which have proven to be very effective when used in a situationally appropriate manner. A BGP feature, FlowSpec (which stands for "flow specification"), has proven to be extremely effective when combined with security-focused flow telemetry analysis tools. Combining flow telemetry analysis with FlowSpec allows for automated detection and analysis of attacks, making it possible to mitigate volumetric attacks at the network edge using the 5-tuple parameters and packet length of the attack, thereby avoiding having to transport volumetric attack traffic to dedicated cleaning centers (usually IDMSes).
The following steps are recommended, particularly in light of network expansion and the adoption of Internet of Things (IoT):
- Use flow telemetry analysis, supplemented with behavioral analysis to detect abnormalities and attacks. By focusing on understanding what is normal, it becomes easier to identify abnormalities.
- When a volumetric attack is detected, use FlowSpec to automatically activate network-based mitigation to block the attacks at the edges of the network.
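The two steps above can be illustrated with a short added example (not code from this page or from any vendor tool): it aggregates flow records per destination, protocol and source port, flags aggregates above a bandwidth threshold, and derives the 5-tuple and packet-length match a FlowSpec rule would carry. The flow records, the 60-second window, the static threshold and the rule dictionary layout are assumptions made for illustration; the output is a description of the match, not router configuration.

```python
from collections import defaultdict

# Constructed sample flow records (documentation address ranges, not real telemetry).
# Each tuple: (src, dst, ip_proto, src_port, dst_port, packets, bytes) for one 60 s window.
FLOWS = [
    ("198.51.100.7", "203.0.113.10", 17, 123, 40112, 10000, 4_680_000),
    ("198.51.100.23", "203.0.113.10", 17, 123, 40112, 8000, 3_744_000),
    ("198.51.100.99", "203.0.113.10", 17, 123, 51820, 5000, 2_200_000),
    ("192.0.2.5", "203.0.113.10", 6, 51514, 443, 1200, 900_000),
    ("192.0.2.53", "203.0.113.10", 17, 53, 33000, 40, 6_000),
]
WINDOW_SECONDS = 60
THRESHOLD_BPS = 1_000_000  # assumed static threshold; real tools compare against a learned baseline


def build_rules(flows, window=WINDOW_SECONDS, threshold_bps=THRESHOLD_BPS):
    """Aggregate flows per (dst, protocol, source port) and return one
    FlowSpec-style match description for each aggregate over the threshold."""
    groups = defaultdict(lambda: {"bytes": 0, "sources": set(), "sizes": []})
    for src, dst, proto, sport, _dport, packets, nbytes in flows:
        g = groups[(dst, proto, sport)]
        g["bytes"] += nbytes
        g["sources"].add(src)
        g["sizes"].append(nbytes // packets)  # average packet length of this flow
    rules = []
    for (dst, proto, sport), g in sorted(groups.items()):
        bps = g["bytes"] * 8 / window
        if bps < threshold_bps:
            continue  # within normal volume, leave untouched
        rules.append({
            "dst_prefix": f"{dst}/32",
            "protocol": proto,          # 17 = UDP
            "source_port": sport,       # reflected replies share the abused service's port
            "packet_length": (min(g["sizes"]), max(g["sizes"])),
            "action": "discard",
            "observed_bps": int(bps),
            "distinct_sources": len(g["sources"]),
        })
    return rules


if __name__ == "__main__":
    for rule in build_rules(FLOWS):
        print(rule)
```

Only the UDP source-port-123 aggregate crosses the threshold here, so the HTTPS and DNS flows to the same destination stay outside the match; that is the advantage of filtering on protocol, port and packet length over blackholing the whole destination.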