In the beginning, the Internet was designed to “just work”. The basic Internet protocols that we use every day including HTTPS (web traffic), SMTP (email), and DNS (converting URLs to IP addresses) weren’t designed to be secure. As a result, additional protocols have been developed after the fact to help improve the security of these protocols. However, protocols aren’t the only potential design “problems” of the Internet. Features like broadcast, anycast, and multicast were designed to handle certain situations, but they can also be used and abused in attacks.
In this post, we’ll talk about how these protocols are used for both good and evil, and why they make it necessary for organizations to deploy strong DDoS protection.
What are Broadcast, Anycast, and Multicast?
Unicast, multicast, broadcast, and anycast are different transmission types over the Internet. While it seems unnecessary to have four different ones, they all have their uses.
Unicast is the simplest option. This type of transmission is designed to go from a single source to a single destination, which seems like the only option that you’d really need (you’re only trying to visit a specific website, right?). However, the others are useful too.
As the name suggests, multicast traffic has multiple recipients. You can specify a multicast group of recipients, and only the members of this group will receive the message. This is the middle ground between unicast and broadcast.
Broadcast is the equivalent of shouting your message in a crowded, quiet room. The person that you’re talking to hears the message, but so does everyone else. Every subnetwork has a broadcast address, which is used when the sender doesn’t know exactly how to reach their desired recipient or to send messages intended for multiple recipients (like a Public Service Announcement over the radio/TV).
Anycast is the most peculiar of the transmission types. An anycast message is designed to reach any of a group of possible recipients, but it doesn’t care which one. This is often used when an organization has multiple webservers scattered geographically. An anycast request for the website from the US will go to the US webserver rather than wasting the time and effort to grab the same webpage from the Australian webserver.
These protocols are all designed for good reasons, but any protocol can be used for good and evil. Some protocols are used to create Denial of Service attacks and others can be used to protect against them.
DDoS and Protocol Abuse
One of the ways that the broadcast transmission type is abused is through the smurf attack. Like the little blue guys from the TV show, the transmissions used in a smurf attack are small but they tend to cause a lot of trouble.
Smurf attacks take advantage of a technique called IP spoofing, where the attacker pretends to be someone else by sending a transmission using their IP address as the source address. This is similar to what those relentless telemarketers do when they pretend to be calling from a phone number similar to yours to trick you into thinking that it’s someone that you know.
In a smurf attack, the attacker sends a small request that requires a response from the recipient. Typically, the response is bigger than the request, so receiving and processing a single response puts more strain on the target (the spoofed source of the request packet) than sending the request puts on the attacker. Since a Denial of Service attack’s main goal is to overwhelm the victim, this is good for the attacker.
Processing a single response probably won’t cause too much of a headache for the victim (computers do it all the time), but what about hundreds? This is where broadcasts come into play. By sending the spoofed request to a network’s broadcast address, the attacker gets every computer in that network to send a response to the (very confused) target. Depending on the number of computers in the network (and the number of request packets sent by the attacker), this can easily overwhelm the victim: successful DDoS.
Protection Against DDoS
While broadcast can be easily abused to amplify Denial of Service attacks, not all uses of network transmission types are evil. One advantage of multicast traffic is that it can help alleviate the strain caused by a Distributed Denial of Service (DDoS) attack.
In anycast, a request goes to exactly one of a set of possible recipients. This can easily be used to implement load balancing, where the choice of recipient is based upon a set of factors (usually geography). In order to perform a global DDoS attack against a target using anycast for load balancing, the attacker needs the volume necessary to take down all of the servers since the attack will be distributed across them.
Blocking the Right Stuff
DDoS attacks are a significant threat to all organizations. The price of performing a DDoS attack is depressingly low for an attacker but the financial impact to the victim can be extremely high. One step that organizations can take to reduce the threat of DDoS attacks is to lock down broadcast addresses to devices inside the network only, to decrease the probability that they’ll be used in a smurf attack. From a defensive perspective, setting up DDoS protection and load balancing is also a great idea.
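One way to check whether internal broadcast addresses are still reachable from outside, as an added example that is not part of the original post: the Python sketch below scans flow records for echo requests sent from external sources to an internal subnet's broadcast address. The subnets, the record format and the sample records are constructed for illustration, and it assumes the request is an ICMP echo request (type 8), the classic smurf request.

```python
import ipaddress
from collections import defaultdict

# Assumed internal subnets (constructed for this example).
INTERNAL_NETS = [ipaddress.ip_network("10.0.1.0/24"),
                 ipaddress.ip_network("10.0.2.0/23")]

# Constructed flow records, one per line: "src dst proto icmp_type".
SAMPLE_FLOWS = """\
203.0.113.9 10.0.1.255 icmp 8
203.0.113.9 10.0.1.255 icmp 8
10.0.1.15 10.0.1.255 icmp 8
203.0.113.9 10.0.1.20 icmp 8
203.0.113.9 10.0.3.255 icmp 8
198.51.100.7 10.0.2.255 icmp 8
198.51.100.7 10.0.1.255 udp -
"""

def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)

def broadcast_subnet(addr):
    """Return the internal subnet whose broadcast address is addr, else None.
    The prefix length decides this: 10.0.2.255 is an ordinary host in a /23."""
    for net in INTERNAL_NETS:
        if addr == net.broadcast_address:
            return net
    return None

def find_smurf_candidates(flow_text):
    """Count echo requests from outside sources to internal broadcast addresses.
    Keys are (claimed_source, subnet); the claimed source is probably spoofed,
    so it identifies the likely victim rather than the sender."""
    hits = defaultdict(int)
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed records
        src, dst, proto, icmp_type = fields
        if proto != "icmp" or icmp_type != "8":
            continue  # only ICMP echo requests are considered here
        net = broadcast_subnet(ipaddress.ip_address(dst))
        if net is not None and not is_internal(ipaddress.ip_address(src)):
            hits[(src, str(net))] += 1
    return dict(hits)

if __name__ == "__main__":
    for (src, net), count in find_smurf_candidates(SAMPLE_FLOWS).items():
        print(f"{count} external echo request(s) to broadcast of {net}, replies go to {src}")
```

Any hit means the border is still forwarding externally sourced traffic to a broadcast address, which is the condition the lock-down step is meant to remove.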