VOLUME BASED DDOS ATTACKS

AND HOW TO MITIGATE THEM

Alysson Celso de Almeida Silva
Student, M.S in Information Technology, Loyola University of Chicago

Abstract
In the last few years, Distributed Denial of Service (DDoS) attacks have evolved from
simple flooding attacks and have become a significant threat to the whole internet with attacks
registering the remarkable line of 500 gigabits per second [1]. Any organization exposed to the
internet is vulnerable to this type of attack. The internet community has seen increased media
reports showing that even large companies, such as Sony and Microsoft, are having long
downtimes due to DDoS attacks [2]. This paper discusses volume based DDoS attacks and some
techniques that can be used to mitigate and/or prevent this threat.

1 Introduction
The Internet has become an essential part of modern life and is the main method of communication
used by the world's population. Moreover, it has turned into a resource for the processing and exchange of
sensitive and confidential data, such as credit card and bank passwords. As a result, it has become an object
of deliberate attacks which undermine network services and the delivery of information to users. A specific
type of attack has been receiving attention of the internet community. It is called Distributed Denial of

Service (DDoS), so called because it aims to cause the inaccessibility of a service provided by a
computational resource or an element in a network infrastructure.
A DDoS attack is characterized by the complete ignorance of its true origin. This attack is
performed by sending packets at a much higher rate than the rate of which a computer or network device
can process for a particular service. This leaves legitimate users unable to connect to a service. Packets sent
to the victim to achieve the attack purpose are organized in a distributed way. Thus, those packets are sent
from different sources, considerably increasing the traffic generated against the victim and causing total
unavailability to the victim's service.
The first DDoS attack occurred in 2000 and was used to take out Amazon, eBay, and a host of other
e-commerce sites. The weapon used was a volumetric flood attack, and the attackers used a rudimentary
botnet of multiple computers to flood the network with high volume traffic. That attack brought the ecommerce sites down and caused an estimated $1.7 billion in collective damages [3]. For the victims, the
results of these attacks are financially disastrous, so there is a great need for the study and creation of
solutions to mitigate and/or prevent DDoS attacks.

2 Volume based attacks

The type of DDoS attacks most people are familiar with are volume based attacks [4]. In a
volume based attack, the attacker attempts to saturate the targets bandwidth, and the magnitude
of the attack is measured in bits per second (bps).Volume consumption DDoS attacks can be
divided into the following three types: direct attack on the target, reflection and amplification
attack and attack on the link [5].
In a direct attack on the target, numerous computers called zombies are used to flood
targets with overwhelming data packets to exhaust the bandwidth of the target device. This type

of attack consumes all the data processing capacity of the target, which ultimately results in a
denial of service.
In a reflection and amplification attack, an attacker exploits the requested responses of
routers and servers (reflectors) in order to reflect the attack and hide the originate source. The
largest cyber-attack in history used this technique to send over 250 million DNS requests and up
to 500Gbps of traffic [1]. The principle of this attack is shown below in Figure 1.

Figure 1 the basic principle of a Reflection attack [5]

In an attacks on the link, two zombie networks are created and used to generate traffic
against each other. From the link perspective, the packets transferring between these zombie
networks are legitimate communication data and hard to deal with.

2.1 Defense
When dealing with attacks, it is always feasible to worry about its prevention and
remediation. For DDoS attacks, prevention is based on avoiding attacking machines have the
opportunity to act. For example, blocking unused protocols on the Internet Service Provider
(ISP) side. Another possibility is to increase the capabilities of the systems in order to resist
3

heavy loads of traffic. From this it can be noted that a definitive solution to avoid DDoS attacks
would be to have perfect systems and network resource without fail. However, this is just an
ideal to be achieved. In the real world the following configurations are recommended by some
authors [5] [6] [7] to mitigate or prevent DDoS attacks:

Limit the traffic of the source IP address and control the rate if the traffic exceeds a
certain threshold.

Disable any unused or unneeded network services. This can limit the ability of an
intruder to take advantage of those, such as NTP, SSDP, Open relay DNS Servers, etc.

Create Access Control Lists (ACL) whenever possible. When an ACL is applied, the
incoming packets are checked if they satisfy the ACL table before entering. When a
packet conforms to an existing rule present in a router, various options such as deny,
accept, reject, etc could be performed.

Packet length limit and fragment dropping. The large attack messages in a lot of attacks
can drain all the processing capacity of the server. To solve this problem it is a good
practice to limit the packet length and to drop UDP fragment messages.

Observe your system performance and establish thresholds for unusual activity. Check
for unusual disk activity, CPU usage, or network traffic.

Invest in redundant and fault tolerant devices.

Implement Anycast. In most DDoS attacks, many compromised "zombie" computers are
used to form what is known as a botnet. These machines can be scattered around the web
and generate so much traffic that they can overwhelm a typical Unicast-connected
machine [8]. With Anycast, various machines can share the same IP address, creating a
bigger surface area to absorb an attack. This technique was used by CloudFare, to divide
4

and spread out one of the biggest attacks that reached up to 300 gigabits per second [9]
[10]. The following figure illustrates the difference between an attack against an Unicast
address and an Anycast address. In an Unicast environment, all the traffic goes against an
unique server or network device, while in an Anycast environment the traffic is divided
between various server or network devices.

Figure 2 Unicast x Anycast in a DDoS environment

3 Conclusion
The main goal of volume based DDoS attacks, whether by directly targeting the server or
using up the bandwidth of the network device or the backbone network, is to drain all the
bandwidth of the server or the link available to network devices. Due to this magnitude, it has
become a threat to the whole internet. In the case of victims who rely on the Internet for the
viability of their business, the Denial of Service attacks can be the cause of unquestionable
financial damage. In terms of defense, mitigating and preventing DDoS attacks can be expensive.
Additionally, coordination with the ISPs could help to effectively mitigate attack traffic.

Reference
[1] P. Olson, "The Largest Cyber Attack In History Has Been Hitting Hong Kong Sites," Forbes, 20th
November 2014. [Online]. Available: http://www.forbes.com/sites/parmyolson/2014/11/20/thelargest-cyber-attack-in-history-has-been-hitting-hong-kong-sites/. [Accessed 24th January 2015].
[2] B. Sinclair, "PlayStation Network, Xbox Live hit by DDOS attacks," Games Industry, 02nd January
2015. [Online]. Available: http://www.gamesindustry.biz/articles/2014-12-29-playstation-networkxbox-live-hit-by-ddos-attacks. [Accessed 24th January 2015].
[3] Juniper Networks, Inc., "DEFENDING AGAINST APPLICATION-LAYER DDOS ATTACKS," 01 DECEMBER
2013. [Online]. Available: http://www.juniper.net/assets/us/en/local/pdf/whitepapers/2000550en.pdf. [Accessed 26 JANUARY 2015].
[4] F. Jovine, "3 Most Common Categories of DDoS Attacks," Techjaws, 26 June 2013. [Online].
Available: http://www.techjaws.com/3-most-common-categories-of-ddos-attacks/. [Accessed 26
January 2016].
[5] NSFOCUS, "Bandwidth Consumption DDoS Attacks and Mitigation Methods," NSFOCUS, [Online].
Available:
http://www.nsfocus.com/SecurityView/Bandwidth%20Consumption%20DDoS%20Attacks%20and%
20Mitigation%20Methods.pdf. [Accessed 26 January 2015].
[6] The SANS Institute, "Denial of Service attacks and mitigation techniques: Real time implementation
with detailed analysis," 2011. [Online]. Available: http://www.sans.org/readingroom/whitepapers/detection/denial-service-attacks-mitigation-techniques-real-timeimplementation-detailed-analysi-33764. [Accessed 26 January 2015].
[7] D. K. K. V.Suresh, "Detection and Mitigation DDoS Defence Techniques to Strengthen Intrusion
Prevention Systems," International Journal of Latest Research In Engineering and Computing
(IJLREC), vol. I, no. 1, pp. 59-62, 2013.
[8] M. Prince, "A Brief Primer on Anycast," CloudFare, 21 October 2011. [Online]. Available:
https://blog.cloudflare.com/a-brief-anycast-primer/. [Accessed 26 January 2015].
[9] NSFOCUS, "Analysis of DDoS Attacks on Spamhaus and recommended solution," NSFOCUS, 2013.
[Online]. Available:
http://www.nsfocus.com/SecurityView/Analysis%20of%20DDoS%20Attacks%20on%20Spamhaus%2
0and%20recommended%20solution-EN-20130510.pdf. [Accessed 26 January 2015].
[10] M. Prince, "The DDoS That Knocked Spamhaus Offline (And How We Mitigated It)," CloudFare, 20
March 2013. [Online]. Available: https://blog.cloudflare.com/the-ddos-that-knocked-spamhausoffline-and-ho/. [Accessed 26 January 2015].