An unprecedented DDoS attack in October 2016 targeted Dyn, a domain name system (DNS) provider that translates word-based domain names into their numeric internet protocol (IP) addresses, and rendered numerous popular websites, including Twitter, PayPal, Shopify and The New York Times, unavailable. Millions of internet users across North America and Europe suffered disruptions. The assault was waged by infecting large numbers of common "Internet of Things" (IoT) smart devices with a strain of malicious software known as Mirai.
Mirai, malware that turns infected systems into remotely controlled "bots", lets attackers enlist a wealth of poorly secured IoT devices such as closed-circuit TV cameras and digital video recorders (DVRs) into huge botnet armies. Attacks of this kind have made some of the biggest websites in the world, owned by well-known e-commerce companies such as Yahoo, eBay and Amazon, inaccessible to customers, partners and users, at very large financial cost.
As the name suggests, denial-of-service (DoS) attacks are designed to deny legitimate users access to websites and services by overwhelming them with illegitimate connections, requests and traffic. A distributed denial-of-service (DDoS) attack is one in which that traffic arrives from many sources at once, whether from several cooperating attackers or from a single operator controlling a network of compromised machines (a botnet).
Such attacks are orchestrated by sets of networked hosts that collectively act to disrupt or deny access to information, communications, or computing capabilities, generally by exhausting targets' critical resources such as bandwidth, processor capacity, or memory. An attacker uses a non-trivial amount of computing resources, either built themselves or, more commonly, assembled by compromising vulnerable PCs and devices around the world, to send bogus traffic to a site. If the attacker sends enough traffic, legitimate users of the site cannot be serviced.
DDoS attacks are hard to trace, difficult to prevent, easy to carry out and increasingly affordable to acquire. This makes them one of the top methods of attack for extortionists, political activists (hacktivists) and disgruntled individuals/groups.
For the Defense Department, the stakes are higher. DDoS attacks can disrupt critical command and control networks, interfere with situational awareness, jeopardize missions, and put lives at risk.
If international terrorist organizations were to use DDoS against the websites or internet systems of the U.S. government and military, the resulting losses could be disastrous. Detecting, preventing and mitigating DDoS attacks is therefore important for guarding both national security and commercial security.
DARPA's XD3 program looks to develop technologies that thwart DDoS attacks by dispersing cyber assets (physically and/or logically) to complicate adversarial targeting, by disguising the characteristics and behaviors of those assets to confuse or deceive the adversary, and by blunting the effects of attacks that succeed in penetrating other defensive measures with adaptive mitigation techniques on endpoints such as mission-critical servers.
Vencore, Inc. announced today that its innovative research arm, Vencore Labs, Inc., has been awarded multiple contracts with a combined value of $17.7 million by DARPA to deliver research in the area of cyber defenses against distributed denial of service (DDoS) attacks. Under the contracts, Vencore Labs plans to develop a comprehensive solution that covers the full spectrum of the DDoS attack surface. Research on distributed communications and network maneuvering will make it harder for attackers to identify high-value targets, and will deny them the critical feedback they need to determine whether an attack is succeeding; research on DDoS detection and mitigation will help network operators protect critical services from the effects of large-scale IoT-based attacks.
DARPA earlier awarded seven XD3 multi-million-dollar contracts to Georgia Tech, George Mason University, Invincea Labs, Raytheon BBN, Vencore Labs (two contracts) and the University of Pennsylvania to radically alter DDoS defenses. The UPenn project attempts to pinpoint the specific protocol component that is under attack and then massively replicate that component to blunt the effects of the attack, DARPA stated.
DDoS attacks are becoming more widespread, powerful, persistent and sophisticated
DDoS attacks are becoming increasingly easy and inexpensive to initiate, due to the exponential growth in the number of computing devices and the availability of "DDoS-for-hire" subscription services. According to cybersecurity firm Imperva's annual "DDoS Threat Landscape Report", DDoS attacks rose by 221% between April 2015 and March 2016, with the UK becoming the second most popular target in the world. According to Kaspersky Lab's DDoS intelligence report covering the first quarter of 2016, 74 countries were targeted by DDoS attacks, with China, South Korea and the United States as the top three most-targeted countries.
Incapsula’s Global DDoS Threat Landscape Q3 2015 report shows that China continues to be the number one source of DDoS traffic, accounting for 37.5% globally. In fact, Incapsula found that DDoS traffic originating from China actually increased by 152% over the previous quarter. The Incapsula report also found that the United States was the biggest target of DDoS attacks worldwide, with 45.8% of DDoS traffic aimed at websites hosted in the US.
Cybercriminals continue to exhibit a growing persistence in carrying out DDoS attacks. In Q2, attacks lasting up to 8.5 days were observed. That said, even one short-term attack may inflict serious damage to a business both in terms of direct financial loss and reputational loss.
DDoS attacks have morphed to become increasingly sophisticated. Three types have recently become more popular, says Rodney Caudle, Director of Information Security, NIC:
• Resource consumption. The attacker ties up all of the target server's available connection slots by requesting a large number of bogus connections at once. The server answers each request, but the attacker withholds the final step needed to complete the connection (in TCP, the last ACK of the three-way handshake). The server waits, the half-open connections stay in its backlog, and legitimate users are shut out.
• Slowloris. Attackers establish valid connections but, rather than sending the complete request a normal user would, trickle it out in small fragments so that each connection is never finished and never closed. The targeted server, which must hold state for every one of the attacker's connections, runs out of capacity to respond to real users.
• Bandwidth consumption. Attackers consume all the available bandwidth on the networks leading to the server by sending phony network traffic as quickly as possible toward the targeted server, taking down both the server and its surrounding networks.
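The resource-consumption attack above is, for TCP, a SYN flood: each bogus SYN occupies a backlog slot until the server gives up waiting for the final ACK. The following toy model, added here as an example (it is not code from the page or from DARPA/XD3), contrasts a classic stateful listener with a SYN-cookie listener that stores nothing until a client proves it received the SYN-ACK. The class names, the 5-bit counter layout in the sequence number and all addresses are hypothetical simplifications of the real mechanism described in RFC 4987.

```python
"""Toy model of a TCP listener under a half-open connection (SYN) flood, and of
the stateless SYN-cookie mitigation that lets the endpoint keep accepting
legitimate handshakes without storing state for bogus ones.

Added example; not code from the page or from DARPA/XD3. The listener classes,
the 5-bit counter layout in the sequence number and all addresses are
hypothetical simplifications of the real mechanism (RFC 4987).
"""
import hashlib
import hmac

SEQ_MASK = 0xFFFFFFFF


class StatefulListener:
    """Classic listener: every SYN consumes one backlog slot until its ACK arrives."""

    def __init__(self, backlog=8):
        self.backlog = backlog
        self.half_open = {}      # (src_ip, src_port) -> server ISN sent in the SYN-ACK
        self.established = set()
        self._next_isn = 1

    def on_syn(self, src, client_isn):
        # With the backlog full the SYN is dropped; the attacker only has to
        # send SYNs faster than the server's SYN-ACK retransmit timeout expires.
        if len(self.half_open) >= self.backlog:
            return None
        server_isn = self._next_isn & SEQ_MASK
        self._next_isn += 64000
        self.half_open[src] = server_isn
        return server_isn

    def on_ack(self, src, client_isn, ack):
        server_isn = self.half_open.pop(src, None)
        if server_isn is None or ack != (server_isn + 1) & SEQ_MASK:
            return False
        self.established.add(src)
        return True


class SynCookieListener:
    """Stateless listener: the server ISN is a keyed MAC over the connection
    4-tuple, the client ISN and a coarse time counter, so nothing is stored
    until a client proves it received the SYN-ACK by echoing it back."""

    COUNTER_BITS = 5                     # top bits of the ISN carry the counter
    COOKIE_BITS = 32 - COUNTER_BITS

    def __init__(self, secret, clock):
        self.secret = secret
        self.clock = clock               # slowly advancing integer, e.g. time() // 64
        self.established = set()

    def _cookie(self, src, client_isn, counter):
        counter &= (1 << self.COUNTER_BITS) - 1
        msg = f"{src[0]}|{src[1]}|{client_isn}|{counter}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        low = int.from_bytes(mac[:4], "big") & ((1 << self.COOKIE_BITS) - 1)
        return (counter << self.COOKIE_BITS) | low

    def on_syn(self, src, client_isn):
        return self._cookie(src, client_isn, self.clock())   # no state kept

    def on_ack(self, src, client_isn, ack):
        seq = (ack - 1) & SEQ_MASK
        counter = seq >> self.COOKIE_BITS
        now = self.clock()
        mask = (1 << self.COUNTER_BITS) - 1
        # Accept the current and the previous counter so cookies expire quickly
        # (a replayed or forged ACK carrying an old counter is rejected).
        if counter not in {now & mask, (now - 1) & mask}:
            return False
        if seq != self._cookie(src, client_isn, counter):
            return False
        self.established.add(src)
        return True


def simulate_flood(listener, n_attack_syns):
    """Spoofed sources send SYNs and never complete the handshake; afterwards one
    legitimate client tries a full handshake. Returns True if it got connected."""
    for i in range(n_attack_syns):
        spoofed = (f"203.0.113.{i % 254 + 1}", 40000 + i)   # constructed addresses
        listener.on_syn(spoofed, client_isn=i)
    legit = ("198.51.100.7", 51234)
    server_isn = listener.on_syn(legit, client_isn=1000)
    if server_isn is None:
        return False                                       # SYN dropped, backlog full
    return listener.on_ack(legit, 1000, (server_isn + 1) & SEQ_MASK)


if __name__ == "__main__":
    print("stateful listener, 50 bogus SYNs:", simulate_flood(StatefulListener(backlog=8), 50))
    print("SYN-cookie listener, 50 bogus SYNs:", simulate_flood(SynCookieListener(b"secret", lambda: 5), 50))
```

With 50 bogus SYNs the stateful listener's 8-slot backlog is full and the legitimate client's SYN is silently dropped, while the cookie listener completes its handshake because it never stored anything for the bogus ones. Linux provides the real mechanism through the net.ipv4.tcp_syncookies sysctl; the cost is that TCP options not encoded in the cookie are lost for connections accepted while cookies are active.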
The nature of DDoS attacks can span a wide range. Botnet-induced volumetric attacks, which can generate hundreds of gigabits per second of malicious traffic, are perhaps the best-known form of DDoS. However, low-volume DDoS attacks can be even more pernicious and problematic from a defensive standpoint. Such attacks target specific applications, protocols or state-machine behaviors while relying on traffic sparseness (or seemingly innocuous message transmission) to evade traditional intrusion-detection techniques.
Limitations of Current DDoS Defenses
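Because low-volume attacks such as Slowloris look like a handful of slow clients on the wire, the place they are visible is the server's own connection table. The heuristic below, added here as an example (not code from the page or from DARPA/XD3), runs over constructed per-connection snapshots and uses two signals: many slow, incomplete connections concentrated on one source, and the fraction of the worker pool such connections hold in aggregate, which also catches the distributed variant where every address holds a single connection. The Conn record, the thresholds and both snapshots are assumptions for illustration.

```python
"""Heuristics for spotting slow, low-volume connection-holding attacks
(Slowloris-style) from a server's own per-connection view, the kind of
endpoint-side sensing that in-line volumetric filters miss.

Added example; not code from the page or from DARPA/XD3. The Conn record,
the thresholds and both snapshots are constructed for illustration; in
practice the records would come from the web server's status endpoint or
from `ss -tni` style output.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    src_ip: str
    age_s: float             # seconds since accept()
    bytes_in: int            # request bytes received so far
    request_complete: bool   # has a full request (at least the headers) arrived?


def find_slow_holders(conns, min_age_s=30.0, max_bytes=1024):
    """Connections open for a long time that have delivered almost no request data."""
    return [c for c in conns
            if not c.request_complete and c.age_s >= min_age_s and c.bytes_in <= max_bytes]


def classify(conns, worker_slots, per_src_threshold=5, slot_fraction=0.5):
    """Return (flagged_sources, pool_starved).

    One slow incomplete connection is normal (a mobile client, a stalled proxy),
    so a single connection is never flagged on its own. Two signals are used:
      - per-source concentration: many slow connections from one address;
      - aggregate starvation: slow connections hold most of the worker pool,
        which also catches the distributed variant (one connection per address).
    """
    slow = find_slow_holders(conns)
    per_src = defaultdict(int)
    for c in slow:
        per_src[c.src_ip] += 1
    flagged = sorted(ip for ip, n in per_src.items() if n >= per_src_threshold)
    starved = worker_slots > 0 and len(slow) / worker_slots >= slot_fraction
    return flagged, starved


def sample_single_source():
    """Constructed snapshot: one address holding 12 slow connections plus normal traffic."""
    conns = [Conn("203.0.113.5", 90.0 + i, 200, False) for i in range(12)]
    conns += [Conn("198.51.100.2", 45.0, 300, False)]          # slow but legitimate client
    conns += [Conn(f"198.51.100.{i}", 0.5, 1500, True) for i in range(10, 13)]
    return conns


def sample_distributed():
    """Constructed snapshot: 12 addresses each holding a single slow connection."""
    conns = [Conn(f"203.0.113.{i}", 120.0, 100, False) for i in range(20, 32)]
    conns += [Conn(f"198.51.100.{i}", 0.5, 1500, True) for i in range(10, 13)]
    return conns


if __name__ == "__main__":
    for name, snap in (("single source", sample_single_source()),
                       ("distributed", sample_distributed())):
        flagged, starved = classify(snap, worker_slots=20)
        print(f"{name}: flagged={flagged} pool_starved={starved}")
```

In the single-source snapshot the attacking address is flagged while the one slow legitimate client is not; in the distributed snapshot no address crosses the per-source threshold, but the starvation signal still fires because 12 of 20 worker slots are held by incomplete requests. What to do with either signal (dropping the flagged source's connections, shortening the header-read timeout while starved) is an operator's choice and is deliberately left out of the heuristic.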
The current art in DDoS defense generally relies on combinations of network‐based filtering, traffic diversion and “scrubbing,” or replication of stored data (or the logical points of connectivity used to access the data) to dilute volumetric attacks and/or to provide diverse access for legitimate users. In general, these existing approaches fall well short of desired capabilities in several respects:
• Responses to DDoS attacks are too slow and manually driven, with diagnosis and the formulation and deployment of filtering rules often taking hours. In contrast, military communication often demands that disruptions be limited to minutes or less.
• Low‐volume DDoS attacks remain exceedingly difficult to identify and block with in‐line detection techniques. Even for volumetric DDoS attacks, in‐line filtering can present daunting tradeoffs between the desire for complete blockage of malicious traffic and the need to “do no harm” to legitimate communication (i.e., maximizing true positives while minimizing false positives).
• Mechanisms that rely on in‐line inspection of data flows may be problematic for handling encrypted tunnels, and pose scalability challenges as network bandwidths continue to increase.
• Defensive methods must be applicable to real‐time, transactional services (such as military command and control) as well as to cloud computing. Techniques that are only useful for protecting the storage and dissemination of quasi‐static data are insufficient.
A clear need therefore exists for fundamentally new DDoS defenses that afford far greater resilience to these attacks, across a broader range of contexts, than existing approaches or evolutionary extensions thereto.
DARPA’s Extreme DDoS Defense (XD3)
DARPA has called for research proposals under Extreme DDoS Defense (XD3) programme, for innovative approaches that enable revolutionary advances in the area of resilient defenses against distributed denial of service (DDoS) attacks on computer networks.
The idea is to create a countermeasures system that is not only more nimble in thwarting an attack, but also able to quickly recognise when an attack is developing so it can establish a proper defence. One goal is to have a response time of 10 seconds or less, but that would be under ideal conditions and dependent upon the level of the attack.
To address these shortcomings, DARPA’s Extreme DDoS Defense (XD3) program will focus on three broad areas of opportunity to improve resilience against DDoS attacks. The program aims to thwart DDoS attacks by:
(1) dispersing cyber assets (physically and/or logically) to complicate adversarial targeting;
(2) disguising the characteristics and behaviors of those assets through networked maneuver to confuse or deceive the adversary; and
(3) using adaptive mitigation techniques on endpoints (e.g., mission-critical servers) to blunt the effects of attacks that succeed in penetrating other defensive measures.
This research program will include formulation of new algorithms, demonstrations and field exercises with software prototypes, development of performance metrics to assess effectiveness and integration of systems across the three aforementioned areas to maximize overall defensive capabilities.
Technical Area 1: Manageable Dispersion of Cyber Resources
In the current art, critical functions such as cloud computing, C2, situational awareness, and multimedia session control rely heavily on highly shared, centralized servers and data centers. Existing protocols and architectures to support these functions include (among others) Internet Relay Chat (IRC), File Transfer Protocol (FTP), the military’s Global Command and Control System (GCCS), the Session Initiation Protocol (SIP), and implementations of MapReduce or related programming models within data centers. The concentrated loci of information and cyber capabilities within these architectures can greatly facilitate DDoS target development and attack execution.
This essentially means scattering resources so that they do not present a single, easily attacked target. The challenge in this approach is the impact on performance when time is critical, especially in situations with highly variable bandwidth.
The goal of XD3 TA1 is to devise and demonstrate new architectures that physically and logically disperse these capabilities while retaining (or even exceeding) the performance of traditional centralized approaches.
Technical Area 2: Networked Maneuver
The concepts of cyber agility and defensive maneuver (CAADM) have been well studied as means of complicating adversaries’ target development and attack execution. The potential for deception, in which CAADM establishes a false reality for the adversary, has been far less explored.
In contrast to simple obfuscation, deception has the potential to divert attacks in ways that minimize damage to mission activities, while giving the adversary the illusion of success. The goal of XD3 TA2 is to develop new CAADM techniques that greatly improve resilience against DDoS attacks.
Technical Area 3: Adaptive Endpoint Sensing and Response
Underlying protocol logic and state machines are typically not designed to deal with a wide range of potentially malicious actions, thus providing the opportunities that low‐volume DDoS attacks exploit. XD3 TA3 aims to infuse potential DDoS targets, such as servers, with the ability to sense that they are under attack, and to adapt their operation in real time to mitigate the attack.
These XD3 concepts have broad applicability to a variety of scenarios of interest to the US military and to the broader community, including commercial network service providers, cloud computing and storage service providers, and enterprises of all sizes. Accordingly, responses to this BAA may consider a wide range of possible network and service contexts, to include enterprise networks, wide‐area networks, wireless networks, cloud computing, and software defined networks, among others.