{"id":678,"date":"2018-04-02T18:51:11","date_gmt":"2018-04-02T18:51:11","guid":{"rendered":"https:\/\/live-infoblox-blog.pantheonsite.io\/?p=678"},"modified":"2022-10-19T16:18:35","modified_gmt":"2022-10-19T23:18:35","slug":"ipv6-ddos-and-protection-measures","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/ipv6-coe\/ipv6-ddos-and-protection-measures\/","title":{"rendered":"IPv6 DDoS and Protection Measures"},"content":{"rendered":"<h2 id=\"toc-hId--1333278476\">DDoS Happens!<\/h2>\n<p><a href=\"https:\/\/en.wikipedia.org\/wiki\/Denial-of-service_attack\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">Denial of Service<\/a>\u00a0(DoS) attacks are malicious acts that prevent the utilization of an IT system.\u00a0 The attack can be a single \u201csilver bullet\u201d packet sent to a system that disrupts a service and crashes it.\u00a0 Other DoS attacks can involve an attacker gaining access to the target system, taking control of it and shutting it down.\u00a0 DoS attacks can also manifest with transmitting a deluge of packets or opening many connections to a target system, overwhelming it to the point of saturating its capacity and consuming all its available resources, thus rendering it unusable.<\/p>\n<p>The source of a DoS attack can be a geographically diverse set of traffic originators all sending packets to a single target.\u00a0 This is known as a\u00a0<a href=\"https:\/\/en.wikipedia.org\/wiki\/Denial-of-service_attack#Distributed_attack\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">Distributed Denial of Service<\/a>\u00a0(DDoS) attack.\u00a0David Dittrich\u00a0<a href=\"https:\/\/twitter.com\/davedittrich\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">(@davedittrich<\/a>) at the University of Washington Tacoma was one of the first to\u00a0discover DDoS attacks,\u00a0uncovering the\u00a0Stacheldraht attack tool in 1999.\u00a0 Ever since those early days of DDoS research, these types of attacks have 
continued to increase and metamorphose over the years.\u00a0 If you\u2019re interested in the evolution of DDoS, please review the presentation by Merike Kaeo from Farsight Security on \u201c<a class=\" bf_ungated_init\" href=\"https:\/\/www.nanog.org\/sites\/default\/files\/1_Kaeo_Ddos_Trends.pdf\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">DDoS History, Trends, Call for Action<\/a>,\u201d which she delivered at NANOG70.<\/p>\n<h2 id=\"toc-hId--445774795\">DDoS Traffic Packet Types<\/h2>\n<p>DDoS attacks are typically asymmetric, in that the source addresses of the packets are spoofed, so the return traffic does not return to the transmitter.\u00a0 The source address can also be spoofed to appear to be from a victim system, such that the resulting reflected response traffic overwhelms the spoofed destination address.\u00a0 DDoS attacks can be volumetric floods of massive amounts of layer 3 and 4 or layer 7 attack traffic.\u00a0 DDoS attacks can consume CPU or memory resources or IP address pool resources in the victim\u2019s system, rendering it unusable.\u00a0 DDoS attacks can also take advantage of connection timeouts or session-state timers to bog down application servers.\u00a0 DDoS attacks can also target software vulnerabilities using specifically crafted packets.\u00a0 There are a wide\u00a0<a href=\"https:\/\/www.corero.com\/resources\/glossary.html\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">variety of packet types<\/a>\u00a0that comprise most DDoS attacks, including, but not limited to:<\/p>\n<ul>\n<li>ICMP packet floods<\/li>\n<li>UDP fragments<\/li>\n<li>TCP SYN\/ACK\/RST floods<\/li>\n<li>CharGEN floods<\/li>\n<li>NTP reflection floods<\/li>\n<li>DNS reflection floods<\/li>\n<li>SSDP reflection floods<\/li>\n<li>CLDAP reflection floods<\/li>\n<\/ul>\n<p>The types of packets that attackers generate can vary from year to year or day to day depending on which method may be the most detrimental to the victim.\u00a0 In 
recent years,\u00a0<a href=\"\/security\/dont-be-an-accomplice-in-ntp-based-ddos-attacks\/\" target=\"_blank\" rel=\"noopener noreferrer\">NTP<\/a>\u00a0and DNS reflection DDoS attacks have been prevalent.\u00a0 There are documented methods for \u201c<a href=\"\/ipv6-coe\/finding-and-fixing-open-dns-resolvers\" target=\"_blank\" rel=\"noopener noreferrer\">Finding and Fixing Open DNS Resolvers<\/a>\u201d that may prove helpful in ensuring that your DNS servers aren\u2019t complicit in these types of attacks.<\/p>\n<p>A great source of information on recent DDoS activities is the Akamai\u00a0<a href=\"https:\/\/www.akamai.com\/us\/en\/about\/our-thinking\/state-of-the-internet-report\/\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">State of the Internet Report<\/a>.\u00a0 In the\u00a0<a class=\" bf_ungated_init\" href=\"https:\/\/www.akamai.com\/us\/en\/multimedia\/documents\/state-of-the-internet\/q4-2017-state-of-the-internet-security-report.pdf\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">Q4 2017 report<\/a>,\u00a0Akamai determined that there was a 14% increase in total DDoS attacks, a 14% increase in infrastructure layer 3 and 4 attacks, a 22% increase in application-layer attacks, and a 4% increase in reflection-based attacks.\u00a0 Another great source of DDoS trends and statistics is the\u00a0<a href=\"https:\/\/www.arbornetworks.com\/\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">Arbor Networks<\/a>\u00a0(now the security division of Netscout)\u00a0<a href=\"https:\/\/www.arbornetworks.com\/report\/\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">Worldwide Infrastructure Security Report<\/a>\u00a0(WISR); they recently published their thirteenth report.<\/p>\n<h2 id=\"toc-hId-441728886\">Do DDoS Attacks Really Occur Over IPv6?<\/h2>\n<p>The wide variety of attack packet types can use either IPv4 or IPv6 for the network-layer protocol.\u00a0 However, if a target only has IPv4 transport and connectivity to and from the 
Internet, then it\u2019s only possible for the attack to use IPv4.\u00a0 As IPv6 becomes more widely deployed, IPv6 will be an increasingly viable attack protocol.<\/p>\n<p>Eric Vyncke and I wrote about IPv6 DDoS in 2008 in our book \u201c<a href=\"http:\/\/www.ciscopress.com\/store\/ipv6-security-9781587055942\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">IPv6 Security<\/a>\u201d (Chapter 3), but it took a few years for IPv6 DDoS attacks to be seen in the wild.\u00a0 Some of the first sizable IPv6 DDoS attacks were\u00a0<a href=\"http:\/\/www.zdnet.com\/article\/first-ipv6-distributed-denial-of-service-internet-attacks-seen\/\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">observed by Arbor Networks and documented in February 2012<\/a>.\u00a0 I was interviewed about these early IPv6 DDoS attacks and at the time I felt that the attacks were the result of one of two possibilities:\u00a0 The first possibility was that attackers might just be clueless about the IP version that the attack used.\u00a0 It could be that the attacker\u2019s botnet army happened to have IPv6 Internet connectivity and the attacker simply pointed to a victim\u2019s FQDN, which resolved to an IPv6 address.\u00a0 Therefore, the attack unknowingly took place over IPv6 transport.\u00a0 The second possibility was that the attackers were purposefully using IPv6 as the transport protocol to assess whether their victims had IPv6 DDoS mitigation measures in place.\u00a0 The attackers could also be betting the victim did not have an IPv6 defensive capability and hoping that an attack over IPv6 would be more disruptive.\u00a0 My hope was for the former possibility of clueless attackers unknowingly using IPv6.<\/p>\n<p>The concerns over\u00a0<a href=\"https:\/\/www.darkreading.com\/attacks-breaches\/ipv6-and-the-growing-ddos-danger\/a\/d-id\/1322942\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">IPv6 DDoS attacks continued into 2015<\/a>\u00a0as more observations were 
being made.\u00a0 DDoS attack traffic volumes continued to rise:\u00a0 at the end of 2016, the Mirai botnet was able to generate an astounding 600 Mbps.\u00a0 An Arbor Networks report stated that the peak traffic volume that their ATLAS system monitored was 641 Gbps (in a DNS reflection attack), but the largest NTP reflection\/amplification attack observed was 662 Gbps.<\/p>\n<p>Recently, in early March 2018, there was an\u00a0<a href=\"https:\/\/arstechnica.com\/information-technology\/2018\/03\/us-service-provider-survives-the-biggest-recorded-ddos-in-history\/\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">unprecedentedly massive DDoS attack that leveraged Memcached servers<\/a>\u00a0to perform a packet amplification attack directed at GitHub.\u00a0 The traffic volume was reported by Akamai\/Prolexic as an astounding 1.3 Tbps sent to GitHub. Then\u00a0<a href=\"https:\/\/www.arbornetworks.com\/blog\/asert\/netscout-arbor-confirms-1-7-tbps-ddos-attack-terabit-attack-era-upon-us\/\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">Arbor Networks observed a 1.7 Tbps<\/a>\u00a0reflection attack directed toward an ISP customer.\u00a0 The second attack reportedly was initiated by 1900 compromised IPv6-connected hosts, exploiting open DNS resolvers for packet amplification.\u00a0 The Register reported \u201c<a href=\"https:\/\/www.theregister.co.uk\/2018\/03\/03\/ipv6_ddos\/\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">It&#8217;s begun: &#8216;First&#8217; IPv6 denial-of-service attack puts IT bods on notice<\/a>\u201d, and others reported this as the \u201c<a href=\"https:\/\/www.informationsecuritybuzz.com\/news\/first-native-ipv6-ddos-attack-strikes-organisations-face-yet-another-new-cyber-threat\/\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">first native IPv6 DDoS attack<\/a>.\u201d \u00a0While this was far from being the first IPv6 DDoS attack, it was a sizable volumetric attack.\u00a0 The DDoS attack volume was way off the 
charts, setting a new high-water mark for these types of attacks, regardless of IP protocol version.\u00a0 It is now clear that as IPv6 gains adoption, it will become a more lucrative connection protocol for attackers.<\/p>\n<h2 id=\"toc-hId-1329232567\">How to Be Prepared?<\/h2>\n<p>Attackers have demonstrated that they can vary their attack methods quickly and, in some cases, they can stay ahead of the defender\u2019s ability to change their mitigation strategies.\u00a0 When enterprises are preparing their IPv6 DDoS mitigation measures, they should realize that their IPv6 protection measures are going to be very similar to their IPv4 protection measures.\u00a0 It is also important to recognize that an organization needs to have equal protections for IPv4 and IPv6.\u00a0 If the attacker senses weakness in either transport protocol, then the attacks will use the less defended protocol.<\/p>\n<p>The\u00a0<a href=\"https:\/\/www.arbornetworks.com\/blog\/insight\/netscout-arbor-publishes-13th-annual-worldwide-infrastructure-security-report\/\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">Arbor Networks WISR #13 report<\/a>\u00a0stated that of those organizations who have deployed IPv6, only 61% could monitor their IPv6 traffic.\u00a0 Furthermore, DDoS over IPv6 was one of the major concerns of the survey\u2019s respondents.\u00a0 Even though most DDoS attacks occur over IPv4, 8% observed DDoS attacks that used IPv6 packets.<\/p>\n<p>Enterprises must plan to mitigate an IPv6 DDoS attack before it happens, and there is\u00a0<a href=\"http:\/\/searchsecurity.techtarget.com\/tip\/Potential-IPv6-DDoS-attacks-How-can-enterprises-prepare\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">published guidance<\/a>\u00a0on how to achieve this goal.\u00a0 Ognian Mitev (the\u00a0<a href=\"http:\/\/www.rmv6tf.org\/\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">RMv6TF Chair<\/a>, currently at Charter Communications) and Barry Dykes gave a great 
presentation at\u00a0<a href=\"https:\/\/www.nanog.org\/meetings\/nanog63\/agenda\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">NANOG63<\/a>\u00a0on \u201c<a class=\" bf_ungated_init\" href=\"https:\/\/www.nanog.org\/sites\/default\/files\/tuesday_general_ispddos_dykes_63.24.pdf\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">Approaches for DDoS \u2014 an ISP Perspective<\/a>\u201d that covers many of the common mitigation methods.\u00a0 However, the most practical advice for enterprises is to simply IPv6-enable their currently used common DDoS mitigation techniques.<\/p>\n<p>Access Control Lists (ACLs) can be used to block the incoming packets based on type, source or destination.\u00a0 Even though ACLs are the lowest lifeform on the DDoS mitigation spectrum, they are quick and easy to deploy in a tactical situation.\u00a0 Ingress and egress filtering is considered a Best Current Practice (BCP) and documented in\u00a0<a href=\"https:\/\/tools.ietf.org\/html\/bcp38\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">IETF BCP 38<\/a>.\u00a0 ACLs can also be used to filter\u00a0<a href=\"http:\/\/www.team-cymru.org\/Services\/Bogons\/fullbogons-ipv6.txt\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">Bogon<\/a>\u00a0addresses, thus filtering any packets sourced from anything other than\u00a0<a href=\"https:\/\/www.iana.org\/assignments\/ipv6-unicast-address-assignments\/ipv6-unicast-address-assignments.xhtml\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">assigned IPv6 global unicast addresses<\/a>.\u00a0 Bogon route servers, such as those maintained by\u00a0<a href=\"https:\/\/www.team-cymru.com\/bogon-reference.html\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">Team Cymru<\/a>, can be helpful in keeping these route filter ACLs consistent and regularly-updated.<\/p>\n<p><a href=\"https:\/\/en.wikipedia.org\/wiki\/Reverse_path_forwarding\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">Unicast Reverse Path 
Forwarding<\/a>\u00a0(Unicast RPF) can also be a useful method for dropping packets where the source address does not match the return route back to that originating address.\u00a0 Routing tables can be used to identify traffic with spoofed source addresses arriving on an abnormal interface.\u00a0 Unicast RPF can work well by utilizing the IPv4 or IPv6 routing table to detect and drop spoofed packets.<\/p>\n<p>Remotely Triggered Black Hole (RTBH) (<a href=\"https:\/\/tools.ietf.org\/html\/rfc5635\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">RFC 5635<\/a>) is a common DDoS mitigation method used in large networks. This technique has been adapted for IPv6 (<a href=\"https:\/\/tools.ietf.org\/html\/rfc6666\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">RFC 6666<\/a>), too.\u00a0 Cisco has a great paper on configuring \u201c<a href=\"https:\/\/www.cisco.com\/c\/en\/us\/about\/security-center\/ipv6-remotely-triggered-black-hole.html\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">Remotely Triggered Black Hole Filtering in IP Version 6<\/a>\u201d.<\/p>\n<p>Intrusion Prevention Systems (IPSs) can also be used to block IPv6 attack traffic.\u00a0 Depending on the vendor you choose, the IPv6 capabilities in these products vary greatly.\u00a0 Therefore, you want to look carefully at the ingredients list and scrutinize the vendor\u2019s IPv6 feature claims and prefer vendors who have\u00a0<a href=\"https:\/\/www.networkworld.com\/article\/2234240\/cisco-subnet\/cisco-subnet-ipv6-capabilities-in-cisco-s-ips-software-version-6-2.html\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">dual-protocol IPS engines<\/a>.<\/p>\n<p><a href=\"https:\/\/www.arbornetworks.com\/arbor-networks-introduces-pravail-security-analytics-for-advanced-threat-detection-incident-response-and-security-forensics\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">NetFlow-based DDoS protection<\/a>\u00a0measures, like those popularized by\u00a0<a 
href=\"https:\/\/www.arbornetworks.com\/\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">Arbor Networks<\/a>,\u00a0are dual-protocol capable.\u00a0 Steinthor Bjarnason, from Arbor Networks, presented on \u201c<a class=\" bf_ungated_init\" href=\"https:\/\/pc.nanog.org\/static\/published\/meetings\/NANOG71\/1429\/20171003_Bjarnason_As_On_A_v1.pdf\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">As on a Darkling Plain: Network Survival in an Age of Pervasive DDoS<\/a>\u201d at the\u00a0<a href=\"https:\/\/pc.nanog.org\/static\/published\/meetings\/NANOG71\/agenda.html\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">NANOG71<\/a>\u00a0event.<\/p>\n<p>Other emerging solutions involve utilizing BGP Flowspec (<a href=\"https:\/\/tools.ietf.org\/html\/rfc5575\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">RFC 5575<\/a>); this method could be used with IPv4 or IPv6 equally well.\u00a0 There is an IETF draft (<a href=\"https:\/\/tools.ietf.org\/html\/draft-ietf-idr-flow-spec-v6-09\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">draft-ietf-idr-flow-spec-v6-09<\/a>) to disseminate flow spec rules for IPv6 attacks.\u00a0 Cisco provides configuration examples for\u00a0<a href=\"https:\/\/www.cisco.com\/c\/en\/us\/td\/docs\/routers\/asr9000\/software\/asr9k_r5-2\/routing\/configuration\/guide\/b_routing_cg52xasr9k\/b_routing_cg52xasr9k_chapter_011.html\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">BGP Flowspec on their ASR 9000 routers<\/a>.<\/p>\n<p>Another emerging mitigation technique is to leverage DDoS Packet Scrubbers.\u00a0 Examples of this would include the\u00a0<a href=\"https:\/\/www.radware.com\/products\/defenseflow\/\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">Radware DefenseFlow<\/a>\u00a0and the\u00a0<a href=\"https:\/\/www.a10networks.com\/resources\/deployment-guides\/a10-thunder-threat-protection-system-tps\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">A10 Networks Threat Prevention 
System<\/a>\u00a0(TPS),\u00a0<a href=\"http:\/\/www.rmv6tf.org\/news-updates\/2014-best-of-show-for-ipv6-product-and-service-award-2014-10-1699\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">which won the 2014 RMv6TF Best of Show for IPv6 Product and Service Award<\/a>.<\/p>\n<p>A popular choice for enterprises is cloud DDoS mitigation.\u00a0 Akamai acquired DDoS mitigation company Prolexic, and now offers their DDoS mitigation service.\u00a0 Verisign offers a DDoS mitigation service; their\u00a0<a href=\"https:\/\/www.verisign.com\/en_US\/security-services\/ddos-protection\/ddos-report\/index.xhtml\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">4th Quarter 2017 DDoS Trends Report<\/a>\u00a0provides valuable information.\u00a0 Other popular cloud-based DDoS services come from\u00a0<a href=\"https:\/\/www.arbornetworks.com\/ddos-protection-products\/arbor-cloud\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">Arbor Networks<\/a>, and\u00a0<a href=\"https:\/\/www.incapsula.com\/\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">Incapsula\u2019s cloud DDoS solution<\/a>\u00a0comes from\u00a0<a href=\"https:\/\/www.imperva.com\/\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">Imperva<\/a>.<\/p>\n<p>Content Delivery Networks (CDNs) such as\u00a0<a href=\"https:\/\/www.akamai.com\/uk\/en\/products\/cloud-security\/ddos-protection-service.jsp\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">Akamai<\/a>,\u00a0<a href=\"https:\/\/www.cloudflare.com\/ddos\/\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">CloudFlare<\/a>, and\u00a0<a href=\"https:\/\/www.limelight.com\/security\/\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">Limelight Networks<\/a>\u00a0can also provide DDoS protection,\u00a0<a href=\"\/ipv6-coe\/using-a-content-delivery-network-to-ipv6-enable-your-site\/\" target=\"_blank\" rel=\"noopener noreferrer\">many of which have significant IPv6 capabilities<\/a>.\u00a0 Krassimir Tzvetanov, from 
Fastly, gave a great presentation on \u201c<a class=\" bf_ungated_init\" href=\"https:\/\/pc.nanog.org\/static\/published\/meetings\/NANOG72\/1606\/20180221_Tzvetanov_Fundamentals_Of_Ddos_v1.pdf\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">Fundamentals of DDoS Mitigation<\/a>\u201d at the recent\u00a0<a href=\"https:\/\/pc.nanog.org\/static\/published\/meetings\/NANOG72\/agenda.html\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">NANOG72<\/a>\u00a0event as an update to his\u00a0<a class=\" bf_ungated_init\" href=\"https:\/\/www.nanog.org\/sites\/default\/files\/DDoSTutorial-NANOG69-v3.pdf\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">DDoS Tutorial<\/a>\u00a0from NANOG69.<\/p>\n<p>Cloud-based Web Application Firewalls (WAFs) such as those from\u00a0<a href=\"https:\/\/threatx.com\/\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">Threat X<\/a>,\u00a0<a href=\"https:\/\/www.cloudflare.com\/waf\/\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">Cloudflare<\/a>, and\u00a0<a href=\"https:\/\/www.imperva.com\/blog\/2017\/11\/cloud-waf-versus-on-premises-waf\/\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">Incapsula<\/a>\u00a0can also help prevent DDoS attacks from affecting your web applications, regardless of IP protocol version.<\/p>\n<h2 id=\"toc-hId--2078231048\">Summary<\/h2>\n<p>You need to have DDoS mitigation procedures at-the-ready, and not wait to configure them until you need the DDoS mitigation techniques.\u00a0 People often utter the\u00a0<a href=\"https:\/\/www.goodreads.com\/quotes\/33373-better-to-have-and-not-need-than-to-need-and\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">Franz Kafka<\/a>\u00a0quote \u201cBetter to have, and not need, than to need, and not have.\u201d\u00a0 I would like to put forward a revision of this Kafka quote for consideration: \u201cIt&#8217;s better to have a DDoS protection mechanism and not need it than to need a DDoS protection mechanism and not have 
it.\u201d\u00a0 The\u00a0<a href=\"https:\/\/en.wikipedia.org\/wiki\/Scout_Motto\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">Boy Scout Motto<\/a>\u00a0\u201cBe Prepared\u201d also rings true.<\/p>\n<p>When a DDoS attack strikes you do not want to frantically search for your upstream ISP\u2019s support contact information or try to hurriedly deploy an inline IPS.\u00a0 In the midst of a sudden IPv6 DDoS attack you do not want to be scrambling to apply IPv6 ACLs or to rapidly configure a BGP-based RTBH infrastructure.\u00a0 In times of crisis, you are highly likely to make mistakes, thus increasing your mean-time-to-mitigate.\u00a0 It is far better to prepare for this DDoS war during peacetime and, hopefully, you never need to deploy these measures.<\/p>\n<p>Scott Hogg (<a href=\"https:\/\/twitter.com\/scotthogg\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">@ScottHogg<\/a>) is CTO of\u00a0<a href=\"https:\/\/hexabuild.io\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">HexaBuild.io<\/a>, an IPv6 consulting and training company.\u00a0 Scott is Chair Emeritus of the Rocky Mountain IPv6 Task Force (<a href=\"https:\/\/www.rmv6tf.org\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">RMv6TF<\/a>) and authored the Cisco Press book on\u00a0<a href=\"http:\/\/www.ciscopress.com\/store\/ipv6-security-9781587055942\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">IPv6 Security<\/a>.\u00a0 Follow HexaBuild on\u00a0<a href=\"https:\/\/twitter.com\/hexabuild\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Twitter<\/a>\u00a0and\u00a0<a href=\"https:\/\/www.linkedin.com\/company\/hexabuild\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">LinkedIn<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>DDoS Happens! 
Denial of Service\u00a0(DoS) attacks are malicious acts that prevent the utilization of an IT system.\u00a0 The attack can be a single \u201csilver bullet\u201d packet sent to a system that disrupts a service and crashes it.\u00a0 Other DoS attacks can involve an attacker gaining access to the target system, taking control of it and [&hellip;]<\/p>\n","protected":false},"author":321,"featured_media":666,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[17],"tags":[41,38,31,47,15,48],"class_list":{"0":"post-678","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-ipv6-coe","8":"tag-cloud","9":"tag-ipv6","10":"tag-networking","11":"tag-ntp","12":"tag-security","13":"tag-threat","14":"entry"},"acf":[]}
Measures"}]},{"@type":"WebSite","@id":"https:\/\/www.infoblox.com\/blog\/#website","url":"https:\/\/www.infoblox.com\/blog\/","name":"infoblox.com\/blog\/","description":"","publisher":{"@id":"https:\/\/www.infoblox.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.infoblox.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.infoblox.com\/blog\/#organization","name":"Infoblox","url":"https:\/\/www.infoblox.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/infoblox-logo-2.svg","contentUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/infoblox-logo-2.svg","width":137,"height":30,"caption":"Infoblox"},"image":{"@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/person\/ee71ac61fe2ea349f6e991e628d22f4c","name":"Scott Hogg","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/avatar_user_321_1574118215-96x96.jpg","url":"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/avatar_user_321_1574118215-96x96.jpg","contentUrl":"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/avatar_user_321_1574118215-96x96.jpg","caption":"Scott Hogg"},"description":"Scott Hogg has 30 years of network and security experience and is president of Hogg Networking with. Scott Hogg specializes in teaching Internet Protocol version 6 (IPv6) and providing implementation guidance. Scott is CCIE #5133 (Emeritus) and CISSP #4610. 
Scott is Chair Emeritus of the Rocky Mountain IPv6 Task Force (RMv6TF), a member of the IPv6 Center of Excellence (COE), and co-author of the Cisco Press book on IPv6 Security.","sameAs":["https:\/\/hexabuild.io"],"url":"https:\/\/www.infoblox.com\/blog\/author\/scott-hogg\/"}]}},"_links":{"self":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/678","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/users\/321"}],"replies":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/comments?post=678"}],"version-history":[{"count":7,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/678\/revisions"}],"predecessor-version":[{"id":8109,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/678\/revisions\/8109"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/media\/666"}],"wp:attachment":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/media?parent=678"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/categories?post=678"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/tags?post=678"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}