This expert is designed to detect attacks that abuse the TCP/IP protocol suite by exploiting weaknesses in TCP. TCP is a connection-oriented protocol: the sender must establish a connection with its peer before sending any data. A connection is set up with a three-way handshake (SYN, SYN-ACK, ACK): the client's SYN creates a half-open connection on the server, the server replies with SYN-ACK, and the client completes the handshake with an ACK. Attacks that abuse TCP often send packets in the wrong order or with the wrong flag combinations, for example SYNs that are never acknowledged, causing the target server to hold an increasing number of half-open connections until it runs out of computing resources.
This expert assesses flow information for signs of SYN flood, FIN flood, RST flood, reflected SYN-ACK, ACK flood, and PSH+ACK attacks.
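The flag-based signals listed above can be checked from flow records alone. The following is an added example (not the product's own detection code): each constructed flow carries the flags of its first packet and the union of flags seen over the flow, and a destination is reported when one suspicious flow class dominates. Thresholds, IP addresses and class names are assumptions for the example.

```python
from collections import Counter, defaultdict

# Attack label for each suspicious flow class (assumed names for this example).
ATTACK_FOR_CLASS = {
    "half_open": "SYN flood",
    "reflected_synack": "reflected SYN-ACK flood",
    "bare_rst": "RST flood",
    "bare_fin": "FIN flood",
    "bare_ack": "ACK flood",
    "bare_psh_ack": "PSH+ACK flood",
}


def classify(first_flags, all_flags):
    """Classify one flow by the flags of its first packet and the union of
    flags seen over its lifetime (client->server direction).
    Flags are letters: S=SYN, A=ACK, F=FIN, R=RST, P=PSH."""
    first, union = set(first_flags), set(all_flags)
    if first == {"S", "A"}:
        # An unsolicited SYN-ACK: a server answering a SYN that was spoofed
        # with our address as the source.
        return "reflected_synack"
    if first == {"S"}:
        # A SYN that was never followed by an ACK stays half-open.
        return "half_open" if union == {"S"} else "handshake"
    if "S" not in union:
        # Mid-stream flags with no handshake ever seen. Caveat: a flow record
        # split by a collector timeout also looks like this, so per-destination
        # volume and share thresholds matter more than any single flow.
        if first == {"R"}:
            return "bare_rst"
        if "F" in first:
            return "bare_fin"
        if first == {"A"}:
            return "bare_ack"
        if first == {"P", "A"}:
            return "bare_psh_ack"
    return "other"


def detect(flows, min_flows=20, min_share=0.8):
    """Return {dst_ip: [attack names]} for destinations where one suspicious
    flow class reaches min_flows records and min_share of all flows."""
    per_dst = defaultdict(Counter)
    for _src, dst, first, union in flows:
        per_dst[dst][classify(first, union)] += 1
    alerts = {}
    for dst, counts in per_dst.items():
        total = sum(counts.values())
        hits = [ATTACK_FOR_CLASS[cls] for cls, n in counts.items()
                if cls in ATTACK_FOR_CLASS and n >= min_flows and n / total >= min_share]
        if hits:
            alerts[dst] = hits
    return alerts


# Constructed flow records, not captures from the product:
# (src_ip, dst_ip, first_packet_flags, flags_seen_over_flow)
FLOWS = (
    [(f"198.51.100.{i}", "192.0.2.10", "S", "S") for i in range(1, 41)]        # 40 half-open
    + [("203.0.113.7", "192.0.2.10", "S", "SAPF"), ("203.0.113.8", "192.0.2.10", "S", "SAPF")]
    + [(f"203.0.113.{i}", "192.0.2.20", "S", "SAPF") for i in range(1, 11)]    # normal server
    + [(f"198.51.100.{i}", "192.0.2.30", "R", "R") for i in range(1, 31)]      # 30 bare RSTs
    + [(f"198.51.100.{i}", "192.0.2.40", "SA", "SA") for i in range(1, 26)]    # 25 unsolicited SYN-ACKs
)

if __name__ == "__main__":
    for dst, attacks in detect(FLOWS).items():
        print(dst, ", ".join(attacks))
```

The share threshold is what keeps a busy but healthy server (192.0.2.20 above) quiet: a flood is reported only when the suspicious class is most of what the destination receives, not merely when some such flows exist.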
This expert monitors traffic metrics for each of the major protocols (TCP, UDP, and ICMP). It tracks traffic rate, packet rate, and flow rate, and detects and reports abnormal changes in any of the three for each protocol.
Detecting bandwidth attacks can be particularly difficult when the attack is highly distributed, since the attack traffic from each source may be small compared to the normal background traffic. One of the better indicators of a highly distributed attack is an increase in the number of external source IP addresses observed on the victim network. Changes in the network's IP address composition are tracked by a dedicated expert. This expert is able to distinguish attack patterns from "flash mob" events: a significant change in the network's IP address composition caused by a legitimate event, such as a sales promotion that attracts an unusually large number of customers.
Another indication of a DDoS attack is the sudden appearance of many hosts that send one or two packets and go away. Such hosts' behavior can be described as noise in the network environment. A dedicated expert tracks the noise level in a network and raises an alert when the level becomes excessively high.
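The two indicators above, growth in distinct external sources and the share of them that are one-or-two-packet "noise" hosts, can be combined into one check. The following is an added example, not the product's own logic; the rule used to separate a flash mob from a distributed flood (new sources that each hold a real conversation versus new sources that send a packet or two and vanish), the thresholds and the constructed intervals are all assumptions of this example.

```python
from statistics import median


def make_interval(block, n_normal, n_noise):
    """Constructed sample for one interval: n_normal hosts that sent 5-24
    packets and n_noise hosts that sent only 1-2 packets. Keys are
    source IPs in the given /16, values are packet counts."""
    hosts = {f"{block}.{i // 256}.{i % 256}": 5 + i % 20 for i in range(n_normal)}
    hosts.update({f"{block}.{200 + i // 256}.{i % 256}": 1 + i % 2 for i in range(n_noise)})
    return hosts


def interval_stats(src_packets):
    """Distinct external sources and the share of them that are 'noise'
    (one or two packets, then gone)."""
    n = len(src_packets)
    noise = sum(1 for p in src_packets.values() if p <= 2)
    return n, (noise / n if n else 0.0)


def assess(baseline_intervals, current, growth=3.0, noise_max=0.5):
    """Compare the current interval against a baseline of earlier intervals.
    Heuristic (an assumption of this example, not the product's method):
    a real flash mob brings many new sources that each hold a full
    conversation, while a distributed flood brings many new sources that
    send a packet or two and vanish."""
    base_n = median(len(b) for b in baseline_intervals)
    base_noise = median(interval_stats(b)[1] for b in baseline_intervals)
    n, noise = interval_stats(current)
    ratio = n / base_n if base_n else float("inf")
    if ratio >= growth and noise >= noise_max:
        verdict = "distributed_attack"
    elif ratio >= growth:
        verdict = "flash_mob"
    elif noise >= noise_max and noise > 2 * base_noise:
        verdict = "noise_excessive"
    else:
        verdict = "normal"
    return {"sources": n, "source_ratio": round(ratio, 2),
            "noise_fraction": round(noise, 2), "verdict": verdict}


# Constructed intervals (one-minute buckets of source IP -> packets), not real data.
BASELINE = [make_interval("203.0", 90, 10) for _ in range(3)]   # ~100 sources, 10% noise
FLASH_MOB = make_interval("198.51", 400, 20)                     # 4x sources, almost all real sessions
ATTACK = make_interval("198.51", 90, 1000)                       # 10x sources, nearly all one-packet hosts
NOISY = make_interval("198.51", 100, 150)                        # modest growth, but 60% noise

if __name__ == "__main__":
    for name, interval in [("flash mob", FLASH_MOB), ("attack", ATTACK), ("noisy", NOISY)]:
        print(name, assess(BASELINE, interval))
```

In practice the baseline should be drawn from the same time of day and day of week, since the normal number of distinct sources has its own daily cycle.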
Application layer attacks usually have nothing to do with overwhelming bandwidth, and so differ from common volumetric attacks. This expert is designed to detect network hosts that send an abnormal number of application level protocol requests to a selected group of servers (e.g. web servers, DNS servers). Using machine learning, this expert reports an attack when the number of connections to a monitored server has increased significantly and a relatively small group of clients is responsible for the increase in the total number of connections.
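The two conditions in that rule, a significant rise in total connections and a small group of clients carrying most of it, are illustrated by the added example below. It is not the product's code and uses fixed thresholds in place of its machine learning; the server name, client addresses and connection counts are constructed for the example.

```python
from statistics import median


def app_layer_check(server, baseline_totals, current_by_client,
                    growth=3.0, top_k=5, top_share=0.7, outlier_factor=10):
    """Flag a server when its connection count has grown by `growth` over the
    baseline AND a handful of clients (top_k) carry `top_share` of it.
    A crowd of new clients each making a normal number of connections does
    not trigger. Thresholds are assumptions for this example."""
    base = median(baseline_totals)
    total = sum(current_by_client.values())
    result = {"server": server, "total": total, "alert": False, "suspects": []}
    if base == 0 or total / base < growth:
        return result
    ranked = sorted(current_by_client.items(), key=lambda kv: kv[1], reverse=True)
    top = ranked[:top_k]
    share = sum(n for _, n in top) / total
    result["top_share"] = round(share, 2)
    if share >= top_share:
        # Name only the clients that are outliers against the typical client,
        # so a busy normal client that happens to sit in the top k is not listed.
        typical = median(current_by_client.values())
        result["alert"] = True
        result["suspects"] = [ip for ip, n in top if n > outlier_factor * typical]
    return result


# Constructed data: connections per client to one web server in the last interval.
BASELINE_TOTALS = [120, 110, 130]
NORMAL_CLIENTS = {f"203.0.113.{i}": 1 + i % 2 for i in range(100)}   # ~150 connections
ATTACKERS = {"198.51.100.1": 200, "198.51.100.2": 200, "198.51.100.3": 200}
ATTACK_INTERVAL = {**NORMAL_CLIENTS, **ATTACKERS}
FLASH_CROWD = {f"198.51.{i // 256}.{i % 256}": 1 for i in range(700)}   # 700 new clients, one connection each

if __name__ == "__main__":
    print(app_layer_check("www", BASELINE_TOTALS, ATTACK_INTERVAL))
    print(app_layer_check("www", BASELINE_TOTALS, FLASH_CROWD))
```

The flash-crowd case shows why the concentration condition is needed: total connections grow almost sixfold, but no five clients account for more than a sliver of them, so nothing is reported.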
Low and Slow attacks send what appears to be legitimate traffic at a very slow rate, targeting application or server resources such as connection slots rather than bandwidth. Because the traffic is very difficult to distinguish from normal traffic, these attacks are hard to detect and mitigate.
Here are some examples of low and slow attacks:
The Slowloris tool tries to open as many connections to the target web server as it can and keeps them open as long as possible. It sends a partial HTTP request and then, periodically, one more header, never completing the request. Affected servers keep these connections open until their connection capacity is exhausted, at which point they deny connections to legitimate users.
R.U.D.Y. (short for R-U-Dead-Yet) opens relatively few connections to the targeted website and keeps them open for a long time. The attacker opens concurrent HTTP POST connections, announces a large request body, and then delays sending it, trickling the body in many small packets at a very slow rate so that the connection stays open and the server stays busy, denying connections to legitimate clients.
Sockstress exploits a feature of the TCP protocol stack implementation. The attacker forces the server to maintain an idle connection by advertising a TCP window size of 0 bytes soon after the connection is established (the TCP receive window is the buffer that holds received data before it is passed to the application layer). This tells the server that there is no more room in the client's buffer, so the server keeps sending zero window probe (ZWP) packets to find out when the client can accept more data. Because the attacker never changes the window size, the connection stays open indefinitely.
By opening many such connections, the attacker consumes the server's resources, preventing legitimate users from establishing new connections or causing the server to crash.
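What all three attacks have in common, seen from the server or an inline sensor, is connections that stay open far longer than a real request needs while delivering almost no data (Slowloris and R.U.D.Y.) or while the peer keeps advertising a zero window (Sockstress). The added example below tracks that per-connection state and reports sources holding many such connections. It is not the product's code; the time budgets, the per-source limit, the event model and the event timeline are constructed for the example, and the zero-window events stand in for the TCP-level window information a real sensor would have to collect.

```python
from collections import defaultdict

# Budgets are assumptions for this example, not product settings.
MAX_REQUEST_SECONDS = 30       # a real client finishes its request headers/body well inside this
MAX_ZERO_WINDOW_SECONDS = 60   # how long a peer may advertise a zero window before it counts as stuck
PER_SOURCE_LIMIT = 10          # stuck connections from one source before that source is reported


class ConnTable:
    """Per-connection state as a server (or an inline sensor) would track it."""

    def __init__(self):
        self.conns = {}

    def on_event(self, t, conn_id, src, kind, nbytes=0):
        if kind == "open":
            self.conns[conn_id] = {"src": src, "opened": t, "bytes": nbytes,
                                   "complete": False, "zero_window_since": None}
            return
        c = self.conns[conn_id]
        if kind == "data":                  # more request bytes arrived
            c["bytes"] += nbytes
        elif kind == "complete":            # full request (headers and body) received
            c["complete"] = True
        elif kind == "zero_window":         # peer advertised rwnd = 0; remember when it started
            if c["zero_window_since"] is None:
                c["zero_window_since"] = t
        elif kind == "window_open":         # peer advertised a non-zero window again
            c["zero_window_since"] = None
        elif kind == "close":
            del self.conns[conn_id]

    def stuck(self, now):
        """Connections past their budget, with the reason and the bytes per
        second they have delivered (low-and-slow connections trickle)."""
        out = []
        for cid, c in self.conns.items():
            age = now - c["opened"]
            if not c["complete"] and age > MAX_REQUEST_SECONDS:
                out.append((cid, c["src"], "slow_request", round(c["bytes"] / age, 2)))
            elif c["zero_window_since"] is not None and now - c["zero_window_since"] > MAX_ZERO_WINDOW_SECONDS:
                out.append((cid, c["src"], "zero_window", 0.0))
        return out

    def report(self, now):
        """Sources holding at least PER_SOURCE_LIMIT stuck connections."""
        per_src = defaultdict(list)
        for _cid, src, reason, _rate in self.stuck(now):
            per_src[src].append(reason)
        return {src: {"count": len(reasons), "reasons": sorted(set(reasons))}
                for src, reasons in per_src.items() if len(reasons) >= PER_SOURCE_LIMIT}


def build_sample_table():
    """Feed a constructed event timeline (seconds since start), not real server logs."""
    tbl = ConnTable()
    for i in range(5):                                  # legitimate clients: request done in 1 s, then close
        cid, src = f"ok-{i}", f"203.0.113.{i}"
        tbl.on_event(0, cid, src, "open", 300)
        tbl.on_event(1, cid, src, "complete")
        tbl.on_event(2, cid, src, "close")
    for i in range(20):                                 # Slowloris: partial headers, one more header every 10 s
        cid = f"loris-{i}"
        tbl.on_event(0, cid, "198.51.100.9", "open", 40)
        for t in range(10, 120, 10):
            tbl.on_event(t, cid, "198.51.100.9", "data", 12)
    for i in range(12):                                 # R.U.D.Y.: POST headers sent, body trickles 1 byte / 5 s
        cid = f"rudy-{i}"
        tbl.on_event(0, cid, "198.51.100.10", "open", 120)
        for t in range(5, 120, 5):
            tbl.on_event(t, cid, "198.51.100.10", "data", 1)
    for i in range(15):                                 # Sockstress: request completes, then window drops to 0 for good
        cid = f"sock-{i}"
        tbl.on_event(0, cid, "198.51.100.11", "open", 80)
        tbl.on_event(1, cid, "198.51.100.11", "complete")
        tbl.on_event(2, cid, "198.51.100.11", "zero_window")
    tbl.on_event(100, "late", "203.0.113.50", "open", 60)         # slow client, still inside its budget
    tbl.on_event(0, "busy", "203.0.113.51", "open", 80)           # brief zero window: the client is just busy
    tbl.on_event(1, "busy", "203.0.113.51", "complete")
    tbl.on_event(110, "busy", "203.0.113.51", "zero_window")
    return tbl


def sample_report(now=120):
    return build_sample_table().report(now)


if __name__ == "__main__":
    print(sample_report())
```

The per-source limit is what separates an attack from a single slow or temporarily busy client: one connection that is late or briefly advertises a zero window is normal, dozens from one address are not. A server can act on the same state directly, for example by closing requests whose headers or body are not complete within the budget, which is the usual mitigation for Slowloris and R.U.D.Y.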