What is a Protocol DDoS Attack?
Unlike application-layer distributed denial of service (DDoS) attacks and volumetric DDoS attacks, protocol DDoS attacks rely on weakness in internet communications protocols. Because many of these protocols are in global use, changing how they work is complicated and very slow to roll out. Moreover, for many protocols, their inherent complexity means that even when they are reengineered to fix existing flaws, new weaknesses are often introduced allowing for new types of protocol attacks and network attacks.
Detecting Protocol DDoS Attacks
Detecting protocol DDoS attacks requires in-depth monitoring of streams of communications and analysis of deviations from expected standards.
Examples of Protocol DDoS Attacks
Border Gateway Protocol (BGP) hijacking is a great example of a protocol that can become the basis of a DDoS attack. BGP is used by network operators to announce to other networks how their address space in configured. If a bad actor manages to send a BGP update that’s presumed to be authentic then traffic intended for one network can be routed to a different network and the spurious traffic can cause resource depletion and congestion. Because BGP is used by tens of thousands of network operators around the world, an upgrade to a more secure version of the protocol would be both complicated and very expensive to deploy. Other protocol attack examples include SYN flood and Ping of Death.
Real-World Protocol DDoS Attacks
Unfortunately, protocol attacks aren’t large enough to make the news so finding good examples is hard. In addition, protocol DDoS attacks aren’t deemed successful based on their size but rather the frequency and persistence of the attack. One of the rare examples of a protocol DDoS attack occurred in 2018 when hackers used BGP hijacking to redirect traffic intended for the MyEtherWallet, a service that managed Ethereum cryptocurrency accounts, to Russian servers that presented a fake version of the site. The attack lasted for roughly two hours and acted as a cover for stealing the contents of cryptocurrency wallets. The Verge reported:
Connecting to the service, users were faced with an unsigned SSL certificate, a broken link in the site’s verification. It was unusual, but it’s the kind of thing web users routinely click through without thinking. But anyone who clicked through this certificate warning was redirected to a server in Russia, which proceeded to empty the user’s wallet. Judging by wallet activity, the attackers appear to have taken at least $13,000 in Ethereum during two hours before the attack was shut down. The attackers’ wallet already contains more than $17 million in Ethereum.
How A10 Can Help Protect Against Protocol DDoS Attacks
A10 Networks Thunder® Threat Protection System (TPS®) provides network-wide protection against all types of DDoS attacks with high availability to ensure application performance. Designed for deployments at enterprise- and service provider-scale, A10’s DDoS mitigation solutions provide 10 to 100 times lower cost per subscriber compared to traditional network vendors and are available in both hardware and software form factors.
DDoS Attack Articles and Assets of Interest
- Defending Enterprise Network Security: a DDoS Attack Primer
- Threat Intelligence Report: DDoS Attacks Intensify in Q2 2020
- Five Most Famous DDoS Attacks and Then Some
- What You Need to Know About DDoS Weapons Used in DDoS Attacks
- Will Lassalle on 5G Security, DDoS Attacks and Gaming
- How to Defend HTTP/HTTPS Applications from DDoS Attacks (Webinar)
- Hybrid DDoS Cloud (Video)
The State of DDoS Weapons Report
In this report, we share a unique insight into DDoS attacks by providing details into relevant tools and weapons utilized, their global distribution and the vulnerabilities of exploited servers, to help you improve your organization’s security posture.
DDoS attacks continue to grow in frequency, intensity and sophistication. However, the delivery method of using infected botnets and vulnerable servers to perform crushing attacks at massive scale has not changed.Read the Report