DDoS or Not DDoS? The Tale Of A DDoS-like Network Symptom

Denial-of-service attacks are very common these days, to a point that when something like a gigabit of traffic against a usually low-traffic site happens, we dismiss it as just another DDoS attack. This normalization of DDoS has become a recurring meme in the world dependent on the Internet, WLANs and when downtime means lost productivity and opportunity. Seems like the context of DDoS needs to be revisited, as Akamai detected unusual high traffic against certain sites lacking all the signs & symptoms of a typical DDoS attack.

Before that, we need to establish a common definition. Distributed Denial Of Service Attack is a level of traffic that enters and exits a node, too large it overflows the bandwidth of the site, denying access for the legitimate users of that site/service. Overloading of system resources requires enormous bandwidth, to begin with, but it is now easier to gather that much bandwidth through the use of botnets. A botnet is a large group of machines, infected with malware that acts under the command of a central command and control computer.

“There were 139 IP addresses approaching the customer’s URL a few days before the peak, with the exact same ‘attack’ features. This URL went from 643 requests to well over four billion, in less than a week. Examining all the POST requests hitting the customer’s URL showed that the User-Agent fields were not being forged or otherwise altered, boosting the confidence researchers had for their conclusion that a Windows-oriented tool was responsible for this massive flood of requests,” explained Akamai.

Network Translation Gateways are not the usual ‘attackers’ in the equation of a DDoS, but something is happening with Windows, most especially in its COM Object-based WinhttpRequest protocol handling. The strange POST-only traffic coming from a Windows machine fascinates Akamai. It was later realized that what is happening is a bug, as domain traffic should always contain both a POST and GET request, as a pair.

The bug made POST-only requests, at the time of this writing the hotfix for it is already available and can be downloaded to resolve the issue. This basically changes the entire equation on how the world sees DDoS-like symptoms, it is not always coming from a real DDoS attack. But this does not mean that anti-DDoS tools and procedures in handling instant huge traffic need not be practiced anymore. Just an awareness campaign to enable the IT team or whoever tasked to monitor the network will suffice.

Nothing beats re-educating employees and IT staff in the arts of maintaining a healthy network. Time and money spent on training are worth it, as a well as expenses for that penetration testing that the financial managers would love to dispose of but they really can’t. It is a good practice to have an organization with cybersecurity-aware leadership. IT security is securing the organization, its brand, its products, and services. Cutting corners means lessening the capacity of the organization to defend itself and recover in times that an actual cyber attack happens.