Packet Rate Attacks: Modern DDoS Threats
Executive Summary:
One of the most complex threats to emerge in network security is the packet rate attack, which challenges traditional approaches to DDoS defense. This year OVHcloud, the British-based company that is Europe's largest Internet cloud provider, was hit by a record, unprecedented DDoS attack peaking at 840 million packets per second. Attacks above 1 Tbps have been observed more regularly since 2023 and became an almost daily occurrence in 2024. The largest attack, on May 25, 2024, reached 2.5 Tbps, and the trend points toward even larger and more complex attacks of up to 5 Tbps. Many of these attacks target critical equipment such as MikroTik models within the core network; detecting and then containing them is a test for cloud security measures.
Modus Operandi of a Packet Rate Attack:
A packet rate attack (also called a packet flood or network flood attack, a class of volumetric DDoS attack) is a cyberattack in which an attacker sends a large volume of packets to a network device in a short period of time. Unlike attacks that aim at exhausting bandwidth, these attacks target the processing time a device spends on every packet it receives.
Key technical characteristics include:
- Packet Size: Usually compact, in many cases less than 100 bytes
- Protocol: Typically UDP, although TCP SYN or other protocol floods are also used
- Rate: Exceeding 100 million packets per second (Mpps), with recent attacks exceeding 840 Mpps
- Source IP Diversity: Usually originating from a small number of sources, each sending a large number of packets, which points to the use of amplification techniques
Attack on the Network Stack:
To understand the impact, let's examine how these attacks affect different layers of the network stack:
1. Layer 3 (Network Layer):
- Each packet requires a routing table lookup, so routers and L3 switches suffer from high CPU usage.
- These lookup mechanisms can be saturated, so that the attacker degrades network communication.
2. Layer 4 (Transport Layer):
- Stateful devices (e.g. firewalls, load balancers) run into trouble with their connection tables.
- TCP SYN floods can consume all connection slots, so that no genuine incoming connection can be established.
3. Layer 7 (Application Layer):
- Web servers and application firewalls are forced to produce responses to a large number of requests.
- Session management systems can become saturated, so that the quality of service perceived by end users degrades.
Technical Analysis of Attack Vectors
Recent studies have identified several key vectors exploited in high-volume packet rate attacks:
1. MikroTik RouterOS Exploitation:
- Vulnerability: CVE-2023-4967
- Impact: Allows remote attackers to generate massive packet floods
- Technical detail: Exploits a flaw in the FastTrack implementation
2. DNS Amplification:
- Amplification factor: Up to 54x
- Technique: Exploits open DNS resolvers to generate large responses to small queries
- Challenge: Difficult to distinguish from legitimate DNS traffic
3. NTP Reflection:
- Command: monlist
- Amplification factor: Up to 556.9x
- Mitigation: Requires NTP server updates and network-level filtering
Mitigation Strategies: A Technical Perspective
Combating packet rate attacks requires a multi-layered approach:
1. Hardware-based Mitigation:
- Implementation: FPGA-based packet processing
- Advantage: Can handle millions of packets per second with minimal latency
- Challenge: High cost and specialized programming requirements
2. Anycast Network Distribution:
- Technique: Distributing traffic across multiple global nodes
- Benefit: Dilutes attack traffic, preventing single-point failures
- Consideration: Requires careful BGP routing configuration
3. Stateless Packet Filtering:
- Method: Applying filtering rules without maintaining connection state
- Advantage: Lower computational overhead compared to stateful inspection
- Trade-off: Less granular control over traffic
4. Machine Learning-based Detection:
- Approach: Using ML models to identify attack patterns in real time
- Key metrics: Packet size distribution, inter-arrival times, protocol anomalies
- Challenge: Requires continuous model training to adapt to new attack patterns
Performance Metrics and Benchmarking
When evaluating DDoS mitigation solutions for packet rate attacks, consider these key performance indicators:
- Flows per second (fps) or packets per second (pps) capacity
- Latency introduced by the mitigation system, and the jitter that comes with it
- False positive rate of the attack detection
- Exposure time: the delay between the start of an attack and the start of mitigation
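To make the attack profile from the characteristics list, the detection metrics named under Machine Learning-based Detection, and the false-positive and exposure-time indicators above concrete, here is an added example (not code from the article or from OVHcloud): a stateless per-window detector for small-packet floods, benchmarked against a constructed trace whose volumes and thresholds are scaled down from real Mpps figures so it runs offline.

```python
# Added example, not code from the OVHcloud post or the article: a stateless
# per-window detector for small-packet floods, plus the false-positive rate and
# time-to-detect metrics the article lists. The trace and thresholds are
# constructed and scaled down from real Mpps volumes so the script runs offline.
from collections import defaultdict

def build_trace():
    """Constructed trace: 3 s of benign mixed traffic, then 2 s of UDP flood."""
    pkts = []
    for sec in range(3):  # benign: 50 pps, mixed protocols, 500-549 byte packets
        for i in range(50):
            pkts.append((sec + i / 50, f"10.0.{i % 7}.1", "tcp" if i % 3 else "udp", 500 + i))
    for sec in range(3, 5):  # flood: 2000 pps of 64-byte UDP from three sources
        for i in range(2000):
            pkts.append((sec + i / 2000, f"198.51.100.{i % 3}", "udp", 64))
    return pkts

def window_features(pkts, window=1.0):
    """Bucket packets into fixed windows; no per-flow state is kept."""
    buckets = defaultdict(list)
    for p in pkts:
        buckets[int(p[0] // window)].append(p)
    feats = {}
    for w, ps in buckets.items():
        ps.sort()
        gaps = [b[0] - a[0] for a, b in zip(ps, ps[1:])]
        feats[w] = {
            "pps": len(ps) / window,
            "mean_size": sum(p[3] for p in ps) / len(ps),
            "udp_share": sum(p[2] == "udp" for p in ps) / len(ps),
            "mean_gap": sum(gaps) / len(gaps) if gaps else window,
        }
    return feats

def is_attack(f, pps_threshold=1000, small_pkt=100):
    """Alert on a high rate of small, almost-all-UDP packets (the article's profile)."""
    return f["pps"] >= pps_threshold and f["mean_size"] < small_pkt and f["udp_share"] >= 0.9

def benchmark(feats, attack_windows, window=1.0):
    """False-positive rate over benign windows and seconds until the first alert."""
    alerts = {w for w, f in feats.items() if is_attack(f)}
    benign = set(feats) - set(attack_windows)
    fpr = len(alerts & benign) / len(benign) if benign else 0.0
    hits = sorted(alerts & set(attack_windows))
    ttd = (hits[0] - min(attack_windows) + 1) * window if hits else None
    return {"alerts": sorted(alerts), "fpr": fpr, "time_to_detect": ttd}

if __name__ == "__main__":
    print(benchmark(window_features(build_trace()), attack_windows={3, 4}))
```

With a one-second window the detector can never react faster than one second, which is exactly the exposure time a real deployment would try to shrink by using shorter windows or hardware counters.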
Way Forward
Packet rate attacks are constantly evolving, and credible defenses must evolve with them. The next step is extending mitigation to edge computing and 5G networks so that it is distributed closer to the attack origins. Further, AI-based proactive analysis tools that predict such threats will help strengthen the protection of critical infrastructure in advance.
Staying one step ahead requires continuous research, advancing new technologies, and working together with other cybersecurity professionals. There is an ongoing need to develop secure defenses that safeguard these networks.
References:
https://blog.ovhcloud.com/the-rise-of-packet-rate-attacks-when-core-routers-turn-evil/
https://cybersecuritynews.com/record-breaking-ddos-attack-840-mpps/
https://www.cloudflare.com/learning/ddos/famous-ddos-attacks/