September 1, 2013
Besides monitoring network traffic and behavior to identify possible DDoS attacks, another way to mitigate them is to stop massive numbers of automated connections from consuming resources in the first place. Host-based authentication was developed to combat attack scripts by challenging each source before it is allowed through, and it remains one of the most effective methods of stopping automated DDoS traffic.
Numerous approaches to host-based authentication have been taken to combat attack scripts: TCP SYN, HTTP redirect, HTTP cookie, JavaScript and CAPTCHA authentication are only a few of the many procedures that have been developed. All of them aim to authenticate each attempted connection to an online service before it reaches the origin.
Though difficult, some attackers have found ways to bypass these authentication procedures, for example by simulating the traffic flow of an authenticated session. Below are brief examples of how this can be done for each type:
TCP SYN Authentication:
TCP SYN authentication was specifically designed to mitigate TCP SYN floods and has proven effective. As long as the packet rate stays within the capacity of the mitigation device, TCP SYN authentication stops a SYN flood from spoofed sources regardless of how many SYNs are sent, because the device allocates no connection state until the source has shown it can complete the handshake.
However, attack scripts keep evolving, and attackers can now bypass TCP SYN authentication by enhancing the script to send parallel requests, or by using botnets of valid hosts whose real TCP stacks complete the handshake like any legitimate client.
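The following is an added example, not code from the original post or from NXG Labs, that models a SYN-authentication device as a SYN-cookie style check: the SYN-ACK's initial sequence number is a keyed hash of the 4-tuple and a time slot, and a connection entry is created only when the returning ACK acknowledges that number. The secret, the 64-second slot, the 198.51.100.1/10.0.0.0 addresses and the `Scrubber` class are all assumptions for illustration. A spoofed flood never sees the SYN-ACK and so never completes a handshake, while a bot on a real host does, which is the "valid host botnet" bypass described above.

```python
import hashlib
import hmac

SECRET = b"example-only-secret"   # constructed for this example; a real device rotates it
SLOT = 64                         # seconds per cookie time slot (assumption)
SERVER = "198.51.100.1"           # protected host (documentation address, constructed)


def syn_cookie(src_ip, src_port, dst_ip, dst_port, now):
    """Initial sequence number for the SYN-ACK: a keyed hash of the 4-tuple
    and the current time slot, so the device keeps no state per SYN."""
    slot = int(now // SLOT)
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{slot}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")


def verify_ack(src_ip, src_port, dst_ip, dst_port, ack_num, now):
    """The third-handshake ACK must acknowledge ISN+1. The current and the
    previous slot are accepted so a handshake spanning a boundary still passes."""
    for delta in (0, SLOT):
        isn = syn_cookie(src_ip, src_port, dst_ip, dst_port, now - delta)
        if ack_num == (isn + 1) & 0xFFFFFFFF:
            return True
    return False


class Scrubber:
    """Mitigation device in front of SERVER: answers every SYN statelessly and
    records a connection only after a verified ACK."""

    def __init__(self):
        self.connections = set()

    def on_syn(self, src_ip, src_port, now):
        # Reply with a SYN-ACK whose ISN is the cookie; nothing is stored.
        return syn_cookie(src_ip, src_port, SERVER, 80, now)

    def on_ack(self, src_ip, src_port, ack_num, now):
        if verify_ack(src_ip, src_port, SERVER, 80, ack_num, now):
            self.connections.add((src_ip, src_port))
            return True
        return False


def spoofed_syn_flood(scrubber, count, now):
    """Classic SYN flood with forged sources (constructed 10.0.0.0/16 range).
    The SYN-ACK is sent to the forged address, so the attacker never learns
    the cookie and never completes a handshake; the device stores nothing."""
    for i in range(count):
        scrubber.on_syn(f"10.0.{i // 256}.{i % 256}", 1024 + i, now)
    return len(scrubber.connections)


def bot_on_real_host(scrubber, src_ip, src_port, now):
    """A bot with a real TCP stack receives the SYN-ACK and answers ISN+1 like
    any client, so it is admitted: the bypass the text describes."""
    isn = scrubber.on_syn(src_ip, src_port, now)
    return scrubber.on_ack(src_ip, src_port, (isn + 1) & 0xFFFFFFFF, now)
```

The check costs one HMAC per SYN and one or two per ACK and holds no memory for unanswered SYNs, which is why the flood size only matters once it exceeds the device's packet-processing capacity; a botnet of real hosts is admitted by design, so SYN authentication has to be combined with per-source rate limits or Layer 7 checks to cope with it.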
HTTP Redirect Authentication:
HTTP redirect authentication was developed to mitigate Layer 7 attacks that are either GET or POST floods. These attacks exhaust resources by repeatedly retrieving website content or by continuously posting data to login, search and similar forms.
This type of authentication can be bypassed with third-party tools such as cURL and Wget, which follow redirects when asked to, or by an attack script that simply complies with the redirect response sent by the mitigation service or software.
Cookie-Based Authentication:
Cookie-based HTTP authentication is another type of Layer 7 authentication. It was developed with the same purpose as HTTP redirect authentication, but cannot be passed merely by following a redirect: the client has to store the cookie it is given and present it on its next request.
Unfortunately, this method has weaknesses of its own: an attacker can work out the algorithm behind the cookie and develop an attack script that handles cookies, at which point the bot is indistinguishable from a browser as far as this check is concerned.
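The two HTTP challenges above, redirect and cookie, are shown side by side in the following added example, which is not code from the original post or from any vendor's product. Both gates hand out a token bound to the client address and a five-minute window (an HMAC with a constructed secret), one via a 302 `Location`, the other via `Set-Cookie` plus a `Refresh`. The `_chk` parameter name, the documentation addresses and the request/response dictionaries standing in for real HTTP are assumptions. A flood script that ignores responses never reaches the origin; a script that complies with the challenge, which is what `curl -L` with a cookie jar does, passes both.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

SECRET = b"example-only-secret"  # constructed; a real device rotates this
TTL = 300                        # seconds per token window (assumption)


def make_token(client_ip, now):
    """Token bound to the client IP and a time window, so the gate can verify
    it without keeping per-client state under flood conditions."""
    msg = f"{client_ip}|{int(now // TTL)}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:32]


def token_ok(client_ip, tok, now):
    """Accept the current and the previous window; constant-time compare."""
    return any(
        hmac.compare_digest(make_token(client_ip, now - d).encode(), tok.encode())
        for d in (0, TTL)
    )


def redirect_gate(req, now):
    """HTTP redirect authentication: the first request is answered with a 302
    to the same URL carrying a token; only a client that follows the redirect
    with that token is passed to the origin."""
    url = urlsplit(req["url"])
    qs = parse_qs(url.query)
    tok = qs.get("_chk", [""])[0]
    if tok and token_ok(req["ip"], tok, now):
        return {"status": 200, "headers": {}, "body": "origin"}
    qs["_chk"] = [make_token(req["ip"], now)]
    location = urlunsplit(url._replace(query=urlencode(qs, doseq=True)))
    return {"status": 302, "headers": {"Location": location}, "body": ""}


def cookie_gate(req, now):
    """Cookie-based authentication: the first request gets Set-Cookie plus a
    Refresh header; a client that stores the cookie and retries is passed."""
    tok = req.get("cookies", {}).get("_chk", "")
    if tok and token_ok(req["ip"], tok, now):
        return {"status": 200, "headers": {}, "body": "origin"}
    headers = {"Set-Cookie": f"_chk={make_token(req['ip'], now)}; Path=/", "Refresh": "0"}
    return {"status": 200, "headers": headers, "body": "challenge"}


def naive_flood_request(gate, url, ip, now):
    """A GET/POST flood script that fires requests and ignores the answer: it
    never follows the redirect or stores the cookie, so it never hits the origin."""
    return gate({"url": url, "ip": ip, "cookies": {}}, now)


def compliant_fetch(gate, url, ip, now, max_hops=3):
    """An attack script (or curl -L with a cookie jar) that simply complies with
    the challenge: follows Location, keeps cookies, honours Refresh. This is the
    bypass the text describes."""
    jar = {}
    resp = None
    for _ in range(max_hops):
        resp = gate({"url": url, "ip": ip, "cookies": jar}, now)
        hdrs = resp["headers"]
        if "Set-Cookie" in hdrs:
            name, value = hdrs["Set-Cookie"].split(";", 1)[0].split("=", 1)
            jar[name] = value
        if resp["status"] == 302:
            url = hdrs["Location"]
        elif "Refresh" not in hdrs:
            break
    return resp
```

Binding the token to the source address means a cookie captured from one bot cannot be replayed by the rest of the botnet, and the time window bounds how long a harvested token stays valid; neither property stops a bot that obtains its own token from its own address, which is why these gates are a filter for unsophisticated scripts rather than a proof of a human user.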
JavaScript Authentication:
As part of the continuous development of Layer 7 attack mitigation, JavaScript authentication was created to exploit a limitation of botnets: the lack of JavaScript support. The client is served a small script that it has to execute to obtain a token, and requests that never present the token are not passed to the origin.
However, since JavaScript is client-side code, interpreted and executed by the browser, an attacker can read the script's source, reproduce its logic in the attack script and simulate the resulting traffic flow to bypass the check. It is also only a matter of time before botnets ship a JavaScript engine of their own.
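The following added example (not code from the original post or from any product) shows why a client-side script is no secret. The gate derives two operands from the client address and a time window, serves a script that computes `(a * 31 + b) % 65521`, stores the result in a cookie and reloads; a browser passes on the second request. A bot with no JavaScript support is stuck on the challenge page, but a bot that reads the script and re-implements the arithmetic in its own language passes without ever running JavaScript, exactly as the text describes. The arithmetic, the cookie name `_jschk`, the secret and the window are assumptions made for illustration.

```python
import hashlib
import hmac
import re

SECRET = b"example-only-secret"  # constructed for this example
WINDOW = 300                     # seconds; assumption
MOD = 65521


def _seed(ip, now):
    """Operands derived from client IP and time window, so the gate can
    recompute the expected answer without storing a challenge per client."""
    msg = f"{ip}|{int(now // WINDOW)}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big"), int.from_bytes(mac[4:8], "big")


def expected_answer(ip, now):
    a, b = _seed(ip, now)
    return (a * 31 + b) % MOD


def challenge_page(ip, now):
    """The JavaScript the mitigation layer serves instead of the origin page."""
    a, b = _seed(ip, now)
    return (
        "<html><body><script>\n"
        f"var a = {a}, b = {b};\n"
        f"document.cookie = '_jschk=' + ((a * 31 + b) % {MOD}) + '; path=/';\n"
        "location.reload();\n"
        "</script></body></html>"
    )


def js_gate(ip, cookies, now):
    """Return (status, body). A browser runs the script, sets the cookie and
    reloads; a client that never presents a correct cookie gets the challenge."""
    got = cookies.get("_jschk")
    for d in (0, WINDOW):  # tolerate a window boundary between the two requests
        if got is not None and got == str(expected_answer(ip, now - d)):
            return 200, "origin"
    return 503, challenge_page(ip, now)


def naive_bot(ip, now):
    """Bot without JavaScript support: ignores the script, is never admitted."""
    status, _ = js_gate(ip, {}, now)
    return status


JS_VARS = re.compile(r"var a = (\d+), b = (\d+);")
JS_MOD = re.compile(r"% (\d+)\)")


def analysing_bot(ip, now):
    """Bot that reads the script source, re-implements its arithmetic in Python
    and replays the cookie. No JS engine is needed: the logic is visible to
    every client, so it is simulated rather than executed."""
    status, body = js_gate(ip, {}, now)
    if status != 200:
        a, b = map(int, JS_VARS.search(body).groups())
        mod = int(JS_MOD.search(body).group(1))
        status, body = js_gate(ip, {"_jschk": str((a * 31 + b) % mod)}, now)
    return status, body
```

A real JavaScript challenge varies the computation and obfuscates the script so that the attacker's re-implementation has to be refreshed each time the script changes; that raises the maintenance cost for the attacker but, as the text notes, cannot prevent the bypass, since whatever the browser is able to evaluate the attacker can evaluate too.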
CAPTCHA Authentication:
CAPTCHA authentication is designed to interrupt a request by demanding user interaction before the request is allowed. Prior to establishing a session, the user is asked to recognise and type in several characters from a distorted image. This method is very effective in preventing automated DDoS attacks, but can create a poor user experience, as CAPTCHA images are sometimes too hard to read.
CAPTCHA authentication is very difficult to bypass, since analysing the algorithm and training a recogniser against the CAPTCHA implementation takes a great deal of time and effort.
The table below is a brief summary of host-based authentications:
Source: NXG Labs, 2013/08
With attackers now turning away from sheer muscle, they have developed some serious DDoS kung-fu. Today's DDoS attacks focus not only on exploiting vulnerabilities but also on efficiency: packing the most effective punches with the least resources. The continuous evolution of Layer 7 DDoS attacks has led attackers to concentrate on the bypass rate against mitigation checks. To keep up with this constant evolution, DDoS mitigation technologies must become as innovative and creative as the attacks they face.