Anatomy of an attack: network bandwidth exhaustion

January 5, 2016 | NSFOCUS

Track:  Technical

Author: Vann Abernethy, Field CTO, NSFOCUS

DDoS attacks come in three basic flavors: network-layer, application-layer and a hybrid of the two. This is a somewhat simplistic view, but when you look at the strategy for taking someone down via DDoS, the two primary vehicles are either exhaustion of available network bandwidth or the overwhelming of back-end processing power (which can be directed either at the server system itself or at the applications residing on it). The most efficient approach to take down a target will depend on the target itself. This is why it is important for every company to consider all of the assets that could become targets when designing anti-DDoS protection.

In a network-layer DDoS attack, the attacker sends a large number of packets to saturate limited bandwidth or exhaust the network resources of a victim. Network resources like routers, servers and firewalls have a finite capacity. When they are attacked and overloaded, end users will not be able to get through because there is either no bandwidth left for them to use or the network infrastructure systems themselves are overwhelmed. The most common traffic attack is flooding. In this attack, a large number of TCP, UDP, and ICMP packets that seem legitimate are sent to the target host (typically with spoofed IPs) from a large number of computers (bots). TCP, SYN and ACK floods all fall into this category. For example, SYN flood attacks send a large number of TCP SYN request packets with forged source IP addresses. The targeted server ends up with a very large list of half-open connections (the request to complete is left hanging open), which consumes resources and makes it harder for normal users to connect to the end system.
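The half-open backlog described above is something a defender can measure on the server itself. The following is an added example, not code from the original article or from NSFOCUS: it assumes a Linux host, where half-open connections are listed in `/proc/net/tcp` with state code `03`, and it runs on a constructed sample; the function names and the alert threshold are hypothetical.

```python
import socket
import struct
from collections import Counter

SYN_RECV, ESTABLISHED = "03", "01"  # Linux TCP state codes as shown in /proc/net/tcp

def encode_endpoint(ip, port):
    """('10.0.0.10', 80) -> '0A00000A:0050' (address as little-endian hex, as on x86)."""
    return f"{struct.unpack('<I', socket.inet_aton(ip))[0]:08X}:{port:04X}"

def decode_endpoint(field):
    """Inverse of encode_endpoint: '0100007F:0050' -> ('127.0.0.1', 80)."""
    addr_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16))), int(port_hex, 16)

def build_sample():
    """Constructed sample (not captured data), cut down to the four columns parsed below:
    six half-open entries on :80 from six sources, normal traffic on :443."""
    rows = [("10.0.0.10", 80, f"198.51.100.{i}", 40000 + i, SYN_RECV) for i in range(1, 7)]
    rows += [("10.0.0.10", 443, "203.0.113.5", 51000 + i, ESTABLISHED) for i in range(2)]
    rows.append(("10.0.0.10", 443, "203.0.113.9", 52000, SYN_RECV))
    lines = ["  sl  local_address rem_address   st"]
    for i, (lip, lport, rip, rport, state) in enumerate(rows):
        lines.append(f"{i:4d}: {encode_endpoint(lip, lport)} {encode_endpoint(rip, rport)} {state}")
    return "\n".join(lines)

def half_open_report(proc_net_tcp_text, threshold):
    """Per local endpoint: half-open count, established count, distinct remote IPs, alert flag."""
    half_open, established, sources = Counter(), Counter(), {}
    for line in proc_net_tcp_text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        local = decode_endpoint(fields[1])
        remote_ip, _ = decode_endpoint(fields[2])
        if fields[3] == SYN_RECV:
            half_open[local] += 1
            sources.setdefault(local, set()).add(remote_ip)
        elif fields[3] == ESTABLISHED:
            established[local] += 1
    return {
        local: {"half_open": count, "established": established[local],
                "distinct_sources": len(sources[local]), "alert": count >= threshold}
        for local, count in half_open.items()
    }

if __name__ == "__main__":
    # threshold=5 is an illustrative value; tune it to the service's normal backlog
    for endpoint, stats in half_open_report(build_sample(), threshold=5).items():
        print(endpoint, stats)
```

A backlog where nearly every half-open entry comes from a different source address, with few established connections beside it, matches the forged-source pattern the paragraph describes.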

A typical DDoS attack headline reads: “Company X hit with a HUGE multi-gigabit attack”. This is also the type of attack you typically see from the “DDoS for Hire” groups looking to make money from the botnets they have built. It is fairly straightforward to use these botnets, and this will most likely be the first type of DDoS attack a company will see used against it.

Defending against these types of attacks is pretty straightforward as well, if you have the right equipment (or your service provider does) and expertise. The key here is being able to discern the difference between good (normal) and bad (attack) traffic and to mitigate the bad before it hits your network so that, even though your systems are under load, they are not stressed and you are not knocked down. Typical networking and security systems are not designed to do this; however, purpose-built anti-DDoS systems can easily identify malicious traffic and ensure only legitimate traffic reaches your critical servers and applications.


Vann Abernethy is the Field CTO for NSFOCUS. He brings more than 20 years of Security and IT management experience working for a wide range of companies, from start-ups to the Fortune 500. Throughout his career, Abernethy has developed and deployed security, network and infrastructure management products and solutions, ranging from SMBs to government to some of the largest, industry-leading enterprises worldwide.