What is a State-Exhaustion Attack?
State-exhaustion DDoS attacks are primarily focused on taking down services or underlying network infrastructure which is responsible for delivering content to the end users. This might involve an attacker targeting DNS name servers with invalid name queries, thus resulting in increased load on the DNS infrastructure itself, disrupting service as users will no longer be able to connect to the services as the DNS name cannot be resolved to IP addresses. This attack vector was used in the DYN attack in 2016 which resulted in major web sites like Amazon, Twitter, Github and others becoming unavailable. The attacker might also target Transport Layer Security (TLS) endpoints, thereby resulting in legitimate users being unable to connect to the services. As the name suggests, these attacks target stateful devices such as Next Gen Firewalls with the intention of filling TCP State Tables with bogus connections. These attacks are typically employed by determined attackers who monitor and adjust their attacks for maximum impact.
Such DDoS attacks are usually low-to-mid volume since they have to conform to the protocol the application itself is using, which often involves protocol handshakes and protocol/application compliance. This means that these attacks will primarily be launched using discrete intelligent clients, usually IoT devices, and cannot be spoofed.
What Are the Different Types of State-Exhaustion Attacks?
State-exhaustion attacks typically target the edge load balancers, firewalls, and stateful traffic inspection services of publicly-exposed services by stressing the scale of the Transmission Control Protocol (TCP) state machine of these devices. These attacks can easily overwhelm even large-scale enterprise services, but present as much lower overall bandwidth attacks (typically less than 10-20 gigabits per second), so they are not normally considered a direct threat to the network provider’s infrastructure. State-exhaustion attacks cannot be mitigated in stateless edge router infrastructures.
Common state-exhaustion attacks might include:
What Are the Signs of a State-Exhaustion Attack?
State-exhaustion attacks are complex in nature. Because they are designed to be indistinguishable from legitimate traffic and operate at relatively small traffic volumes, these attacks rarely have signatures that can be matched in stateless payload filters.
What makes them even more insidious is that determined attackers will rapidly change the attack vector as soon as that vector is mitigated. Such attacks can be detected using security-focused flow analysis; however, since they are low-volume attacks, it is necessary to use behavioral analysis or deep packet analysis to uncover them. Payload-based blocking is simply not sufficient. What is required is the use of IDMSs to detect the specific attack vector used by either employing virtual or physical appliances’ visibility into the traffic.
Why Are State-Exhaustion Attacks Dangerous?
Modern DDoS attackers are constantly improving their attack tools and looking for new state-exhaustion attack techniques. And because they now have access to millions of vulnerable Internet of Things (IoT) devices, they can launch complex attacks at scales never seen before.
What makes state-exhaustion attacks most dangerous is that even when multi-vector attacks contain identifiable patterns, a determined attacker will monitor the results of his attack and modify it to thwart a skilled and determined defender. Because active attackers are known to continually modify payload patterns to avoid simplistic DDoS mitigation, maintaining an ongoing list of known attack patterns quickly becomes impractical due to scale issues and the rate at which this list must be updated. Further, since payload patterns bring a high risk of causing collateral damage, maintaining a long-lived set of payload patterns may be unwise.
How to Mitigate and Prevent State-Exhaustion Attacks
Proper defense against today’s landscape of Internet-based security threats requires flexibility, scale, intelligent detection, and automated mitigation. State-exhaustion attacks cannot be mitigated in a stateless edge router infrastructure. This type of infrastructure requires intelligent L3-L7 mitigation front-ending individual services and applications, and centralized mitigation architected to protect the provider’s infrastructure and all its downstream customers. By leveraging economies of scale (multi-tenancy), it becomes possible to implement centralized DDoS scrubbing.
Best practices to defend against these constantly evolving types of attacks include:
- Use flow telemetry analysis supplemented with behavioral analysis to detect abnormalities and attacks. Focus on understanding what is normal. This will simplify identification of abnormalities.
- Use an IDMS to detect abnormal behavior and state-exhaustion attacks that require advanced and active mitigation; and using this approach in conjunction with BGP FlowSpec Offload when and where appropriate.
If implemented successfully, these DDoS protection strategies will force the attacker to behave like normal clients, rendering the DDoS attack ineffective and allowing for the use of application-level analysis to detect any abnormal traffic or usage patterns.