Zero-Day DDoS Attacks? What?

Michael Bennett
4 min read · Nov 1, 2016


When talking about DDoS attacks, we often reuse a lot of the terms used in software security simply because they’re familiar, their meaning is close enough to be relevant, and they already have some sort of established importance in the industry. For example, a vulnerability in your web application means there’s a flaw or weakness in the code, whereas a DDoS vulnerability would mean there’s a flaw or weakness in the configuration of controls you have in place for DDoS mitigation.

Zero-days commonly refer to vulnerabilities in a system or application that are not previously known to the software vendor, but are known to attackers. Attackers can then exploit the vulnerability to gain control of a system with relative ease, since there aren’t any defenses in place. We often get asked if we test for zero-day DDoS attacks, or if something like that even exists. To answer that, we need to look at what a “zero-day DDoS attack” would even mean.

In a sense, “zero-day DDoS attacks” do exist, but they’re not exactly zero-day. Periodically attackers will use a different protocol as their attack vector, one that hasn’t previously been used to launch a DDoS attack. This has happened quite a bit with reflection attacks: originally the attacks used the DNS protocol, but over time reflection attacks have leveraged NTP, then SNMP, then SSDP, RIPv1 and, recently, LDAP (or CLDAP). Thinking of these new attack vectors as zero-days gets a little hazy when you consider that these protocols have existed for many, many years. Additionally, attackers will perform some variation of an existing attack for a new or better effect. This can be seen in the TCP Tsunami SYN flood, which we still see interesting results with.

In a sense, you can call the new attack vectors zero-days. DDoS mitigation vendors don’t necessarily have custom signatures ready to automatically detect these attacks, because they’ve had no time to develop those signatures. However, these zero-days would not be limited to just different or new protocols being used — new botnets that use different source code to generate traffic and launch DDoS attacks also have their own unique signatures, even if they are using attacks that we’ve previously seen. Signatures for these botnets would need to be created to aid the automatic detection of an attack at any scale, and we would also need to analyze the sources of the traffic, which can help lead to the dismantling of the botnet.

To be able to handle and mitigate zero-day DDoS attacks, some basic measures can be put in place to minimize some of the initial impact:

Block all traffic that you’re not expecting, as close to the edge of your infrastructure as possible. If you’re using a DDoS scrubbing service, they should be dropping the traffic on their edge.

Have monitoring in place to detect large volumes of traffic hitting your network. Ensure you are able to sample and analyze the traffic to see what it is, and then generate rules to block that kind of traffic. This is something DDoS mitigation providers can do fairly well.
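The “sample, analyze, then generate rules” step above, as an added example that is not part of the original post: the script aggregates a handful of constructed sampled flow records (NetFlow/sFlow-style, with a hypothetical 1:1000 sampling rate), separates traffic destined for services the host is expected to serve from everything else, reports which protocol/source-port pairs dominate the unexpected volume, and emits a block rule for each. The port-to-protocol labels are the reflection protocols the post names; the record format, thresholds and rule syntax are assumptions for illustration.

```python
"""Sample-and-analyze step for a volumetric DDoS (added example).

Aggregates sampled flow records, flags the protocol/source-port pairs that
dominate unexpected inbound traffic, and suggests block rules. The flow
records, the sampling rate and the rule syntax are constructed for the
example, not taken from a real deployment.
"""
from collections import defaultdict

# Constructed sampled flow records, one per line:
# timestamp proto src_ip:src_port dst_ip:dst_port bytes packets
SAMPLE_FLOWS = """\
1478000000 udp 203.0.113.10:123 198.51.100.5:44112 48200 100
1478000000 udp 203.0.113.11:123 198.51.100.5:51203 47900 100
1478000000 udp 203.0.113.12:123 198.51.100.5:60111 48600 100
1478000000 udp 203.0.113.13:389 198.51.100.5:33001 30100 10
1478000000 udp 203.0.113.14:389 198.51.100.5:33002 29900 10
1478000000 tcp 192.0.2.7:52000 198.51.100.5:443 1800 12
1478000000 tcp 192.0.2.8:52100 198.51.100.5:443 2100 15
1478000000 udp 192.0.2.9:53 198.51.100.5:49152 512 2
"""

# Well-known source ports seen in reflection attacks (the protocols named in
# the post). Used only to label what the sample shows.
REFLECTION_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP", 389: "CLDAP",
                    520: "RIPv1", 1900: "SSDP"}

# Services the protected host is expected to serve (assumed for the example).
EXPECTED_SERVICES = {("tcp", 443), ("tcp", 80)}


def parse_flows(text):
    """Parse the constructed record format into dicts."""
    flows = []
    for line in text.splitlines():
        ts, proto, src, dst, nbytes, npkts = line.split()
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        flows.append({"ts": int(ts), "proto": proto,
                      "src_ip": src_ip, "src_port": int(src_port),
                      "dst_ip": dst_ip, "dst_port": int(dst_port),
                      "bytes": int(nbytes), "packets": int(npkts)})
    return flows


def is_expected(flow):
    """Inbound traffic to a service we actually run is 'expected'."""
    return (flow["proto"], flow["dst_port"]) in EXPECTED_SERVICES


def find_dominant_sources(flows, share_threshold=0.25, sampling_rate=1000):
    """Return (proto, src_port) groups of unexpected traffic whose share of
    all sampled bytes is at or above share_threshold, largest first."""
    total = sum(f["bytes"] for f in flows)
    by_key = defaultdict(int)
    for f in flows:
        if not is_expected(f):
            by_key[(f["proto"], f["src_port"])] += f["bytes"]
    findings = []
    for (proto, sport), b in sorted(by_key.items(), key=lambda kv: -kv[1]):
        share = b / total if total else 0.0
        if share >= share_threshold:
            findings.append({"proto": proto, "src_port": sport,
                             "share": round(share, 3),
                             # scale sampled bytes back up by the sampling rate
                             "est_bytes": b * sampling_rate,
                             "label": REFLECTION_PORTS.get(sport, "unknown")})
    return findings


def suggest_rules(findings):
    """One drop rule per finding, in a deliberately generic (assumed) syntax."""
    return [f"drop {f['proto']} sport {f['src_port']} to protected-prefix"
            f"  # {f['label']} reflection, {f['share']:.0%} of sampled bytes"
            for f in findings]


def analyze_sample(text=SAMPLE_FLOWS):
    findings = find_dominant_sources(parse_flows(text))
    return findings, suggest_rules(findings)


if __name__ == "__main__":
    found, rules = analyze_sample()
    for f in found:
        print(f"{f['label']:6s} {f['proto']}/{f['src_port']:<5d} "
              f"{f['share']:.1%} of sampled bytes, ~{f['est_bytes']} bytes on the wire")
    print("\n".join(rules))
```

On the constructed sample, NTP (source port 123) accounts for roughly 69% of the sampled bytes and CLDAP (389) for about 29%, so both get a rule; the lone DNS reply and the real HTTPS traffic stay untouched. The point of keying on the attacker-side source port is that reflected traffic arrives from many addresses but from one predictable port, which is exactly what a scrubbing provider turns into a signature; the share threshold and the 1:1000 sampling rate are assumptions to tune for a real collector.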

Additionally, ensure you have external monitors that track the reachability and health of your systems, so that if an attack is fairly small but has a large impact on a service (e.g. application-layer attacks), you still have an early warning of potential issues.

There are also various limits you can place on TCP connections, such as the idle time, concurrent connections per IP, the number of TCP connections opened per second, and even min and max bandwidth limits, that can help to mitigate attacks at layers 5–7.
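To make the three connection-oriented limits concrete (idle timeout, concurrent connections per source IP, new connections per second per source IP), here is an added reference model that is not part of the original post and not a production control: a small admission policy run over a constructed sequence of connection events, so you can see which limit rejects which connection and when idle connections get reaped. Bandwidth limits are not modelled. The class name, the event shape and all addresses and thresholds are assumptions for illustration; in practice the same knobs are set in the firewall or load balancer (for example iptables `connlimit`/`hashlimit` or nginx `limit_conn`/`limit_req`).

```python
"""Reference model of per-IP TCP connection limits (added example).

Models three of the limits named in the post: idle timeout, concurrent
connections per source IP, and new connections per second per source IP.
The client addresses and event timings below are constructed.
"""
from collections import defaultdict, deque


class ConnectionPolicy:
    def __init__(self, max_concurrent_per_ip=3, max_new_per_sec=5, idle_timeout=30.0):
        self.max_concurrent_per_ip = max_concurrent_per_ip
        self.max_new_per_sec = max_new_per_sec
        self.idle_timeout = idle_timeout
        self.open = {}                          # conn_id -> (ip, last_activity)
        self.recent_opens = defaultdict(deque)  # ip -> timestamps of accepted opens
        self.log = []                           # (time, action, conn_id, ip)

    def _expire_idle(self, now):
        # Reap connections with no activity for longer than idle_timeout.
        for cid, (ip, last) in list(self.open.items()):
            if now - last > self.idle_timeout:
                del self.open[cid]
                self.log.append((now, "idle-close", cid, ip))

    def _count_for_ip(self, ip):
        return sum(1 for (i, _) in self.open.values() if i == ip)

    def on_open(self, now, cid, ip):
        """Decide whether a new connection from ip is admitted."""
        self._expire_idle(now)
        window = self.recent_opens[ip]
        while window and now - window[0] >= 1.0:   # sliding 1-second window
            window.popleft()
        if len(window) >= self.max_new_per_sec:
            self.log.append((now, "reject-rate", cid, ip))
            return False
        if self._count_for_ip(ip) >= self.max_concurrent_per_ip:
            self.log.append((now, "reject-concurrent", cid, ip))
            return False
        self.open[cid] = (ip, now)
        window.append(now)
        self.log.append((now, "accept", cid, ip))
        return True

    def on_activity(self, now, cid):
        if cid in self.open:
            ip, _ = self.open[cid]
            self.open[cid] = (ip, now)

    def on_close(self, now, cid):
        if cid in self.open:
            ip, _ = self.open.pop(cid)
            self.log.append((now, "close", cid, ip))


def run_scenario():
    """Constructed event sequence exercising each limit once."""
    p = ConnectionPolicy(max_concurrent_per_ip=3, max_new_per_sec=5, idle_timeout=30.0)
    a, b = "192.0.2.10", "198.51.100.77"   # constructed client addresses
    # Phase 1: client A opens 4 connections at once; the 4th exceeds the per-IP cap.
    for i in range(4):
        p.on_open(0.1 * i, f"a{i}", a)
    # Phase 2: client B churns open/close pairs faster than 5 per second,
    # so concurrency never trips but the rate limit does.
    for i in range(8):
        t = 1.0 + 0.05 * i
        if p.on_open(t, f"b{i}", b):
            p.on_close(t + 0.01, f"b{i}")
    # Phase 3: a1 stays active; a0 and a2 go idle and are reaped at the next
    # decision after 30 s, which frees room for a4.
    p.on_activity(20.0, "a1")
    p.on_open(45.0, "a4", a)
    return p


def decisions(policy):
    """Map each attempted open to its admission outcome."""
    return {cid: act for (_, act, cid, _) in policy.log if act != "close" and act != "idle-close"}


def idle_closed(policy):
    return sorted(cid for (_, act, cid, _) in policy.log if act == "idle-close")


if __name__ == "__main__":
    pol = run_scenario()
    for t, act, cid, ip in pol.log:
        print(f"t={t:6.2f} {act:17s} {cid:3s} {ip}")
    print("still open:", sorted(pol.open))
```

Running the scenario shows a3 rejected by the concurrency cap, b5 through b7 rejected by the per-second rate limit even though B never holds more than one connection, and a0 and a2 idle-closed at t=45 so that a4 is admitted while the still-active a1 survives. The model keys both the rate and the concurrency limit on the source IP, which is the usual choice; with a large botnet that no longer needs to spoof, per-IP limits cap what each bot can do but do not by themselves cap the aggregate, which is why they complement rather than replace the volume monitoring above.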

Finally, at this point, with the existence of several large botnets and volumetric application-layer attacks, assume any protocol can and will be used to DDoS you. Botnets have grown so large that they don’t necessarily need to spoof IPs anymore, making them capable of establishing full TCP connections, interacting with servers at the application layer, and generating and sending packets for any protocol on UDP. Since any protocol could potentially be used to launch a DDoS attack against you, testing your defenses, including people, process, and technology, against unknown attacks is critical to staying online.

For more information on current trends and vulnerabilities in DDoS defense, read the “State of DDoS Mitigation” report, which analyzes the results from DDoS tests that I have helped conduct against numerous businesses with enterprise-level DDoS mitigation technology in place.
