In a session at the Black Hat USA conference in Las Vegas, F5 Networks researchers outlined the challenges of morphing DDoS attacks and announced the release of a new open source tool called SODA, intended to help organizations test their defenses for attack resilience.
SODA is an acronym for Simulation of DDoS Attacks; it provides multiple traffic generation tools to simplify DDoS protection testing. The inspiration for SODA came from a July 2018 attack against encrypted email provider ProtonMail by an aggressive form of Distributed Denial of Service (DDoS) attack that was constantly morphing its tactics. The attack and its unique approach to disruption inspired F5 Networks researchers to figure out how to help organizations better defend themselves against this new type of DDoS.
Mudit Tyagi, Architect, Security Products at F5 Networks, explained that the attack vectors used in the ProtonMail morphing DDoS attack included common methods such as UDP and SYN floods.
"What made the attack so complex to defend against was that the attacker kept on changing the attack, they kept on morphing," he said.
Tyagi added that after the Protonmail attack, his team took it upon themselves to figure out how to catch morphing attacks. The first step was to build a tool that could simulate morphing attacks, so organizations could test their own defences to see what would happen and what might be lacking. The end result of that effort is SODA.
"SODA can be used to put down any part of your infrastructure," explained Mikhail Federov, Product Management Engineer, Security, F5 Networks.
The SODA tool bundles a number of DDoS attack generators and then morphs the attack vector according to a predefined pattern and interval. On the defender (blue team) side, Federov explained that the setup brings together multiple components to simulate a realistic environment: the DVWA (Damn Vulnerable Web Application) as the target, the pfSense firewall, Telegraf for shipping metrics, InfluxDB for storing them, and finally Grafana for the dashboard. Users put the DDoS solution of their choice in front of the firewall and can then observe how it responds to SODA's simulated attacks.
Tyagi said that organizations typically configure static vectors for DDoS response with set thresholds, for example rate-limiting UDP traffic above a certain volume. Given that morphing DDoS attacks can take aim at different resources in turn, in his view, thresholds don't work. They also fail because good traffic gets blocked along with the bad, so the potential for false positives is non-trivial.
Federov commented that simply doing anomaly detection at the network level is not accurate either; the lesson learned from testing with SODA is that anomaly detection is also needed at the application level.
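To make the two points above concrete, here is an added example (not code from F5 or the SODA project) that runs three detectors over a constructed stream of per-second metrics from a three-phase morphing attack: a static UDP limit of the kind Tyagi describes, a per-metric baseline anomaly detector fed only network counters, and the same detector fed application-level metrics. The metric names, baseline values, attack values and the 4-sigma threshold are all assumptions chosen for illustration.

```python
"""Added example (not part of the F5 SODA project): compare a static UDP
threshold with per-metric baseline anomaly detection over a constructed
stream of metrics from a morphing DDoS attack. Metric names, values and
thresholds are assumptions chosen for illustration."""
from statistics import mean, pstdev

NETWORK_METRICS = ("udp_pps", "syn_pps")          # what a network-level detector sees
APP_METRICS = ("http_rps", "app_latency_ms")       # what an application-level detector sees
ALL_METRICS = NETWORK_METRICS + APP_METRICS


def clean_baseline(n=30):
    """Constructed 'normal' traffic: n one-second samples with mild, regular jitter."""
    samples = []
    for i in range(n):
        offset = (i % 5) - 2  # -2..2, so every metric has a non-zero spread
        samples.append({
            "udp_pps": 2000 + 100 * offset,
            "syn_pps": 300 + 20 * offset,
            "http_rps": 800 + 40 * offset,
            "app_latency_ms": 40 + 2 * offset,
        })
    return samples


def morphing_attack():
    """Constructed attack that changes vector every phase (10 samples each),
    mirroring the 'morphing' behaviour described in the article."""
    phases = {
        # volumetric UDP flood: the one vector a static UDP limit is written for
        "udp_flood": {"udp_pps": 180_000, "syn_pps": 300, "http_rps": 800, "app_latency_ms": 45},
        # the attacker morphs to a SYN flood: UDP volume looks normal again
        "syn_flood": {"udp_pps": 2000, "syn_pps": 60_000, "http_rps": 300, "app_latency_ms": 46},
        # then to a low-rate but expensive HTTP request pattern: packet counters stay
        # near baseline while the application's latency collapses
        "http_flood": {"udp_pps": 2100, "syn_pps": 320, "http_rps": 900, "app_latency_ms": 900},
    }
    return {name: [dict(s) for _ in range(10)] for name, s in phases.items()}


def baseline_stats(samples):
    """Per-metric mean and population stddev learned from a clean window."""
    return {m: (mean(s[m] for s in samples), pstdev(s[m] for s in samples)) for m in ALL_METRICS}


def static_udp_rule(sample, limit_pps=50_000):
    """The 'static vector with a set threshold' the article warns about."""
    return sample["udp_pps"] > limit_pps


def zscore_alerts(sample, stats, metrics, k=4.0):
    """Return the metrics in `metrics` that sit more than k stddevs above baseline."""
    flagged = []
    for m in metrics:
        mu, sigma = stats[m]
        sigma = sigma or 1.0  # guard against a perfectly flat baseline window
        if (sample[m] - mu) / sigma > k:
            flagged.append(m)
    return flagged


def evaluate(stats=None):
    """Run all three detectors over each attack phase; True = phase was detected."""
    stats = stats or baseline_stats(clean_baseline())
    results = {}
    for phase, samples in morphing_attack().items():
        results[phase] = {
            "static_udp": any(static_udp_rule(s) for s in samples),
            "network_anomaly": any(zscore_alerts(s, stats, NETWORK_METRICS) for s in samples),
            "app_anomaly": any(zscore_alerts(s, stats, APP_METRICS) for s in samples),
        }
    return results


if __name__ == "__main__":
    for phase, verdict in evaluate().items():
        print(f"{phase:<11}", verdict)
```

Run as a script it prints one line per phase: the static UDP rule fires only during the UDP phase, the network-level baseline detector catches the UDP and SYN phases but stays silent during the HTTP phase, and only the application-level detector (latency) sees the third phase. That is the pattern the article describes: a threshold written for one vector is blind the moment the attacker morphs, and packet counters alone miss a layer-7 attack that the application itself is visibly suffering from.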
Tyagi added that SODA is a tool organizations can use to run bakeoffs that test resilience against morphing attacks.
"We don't care what you use for DDoS, ProtonMail got attacked and we got really charged and we wanted to help the community to defend against similar types of attacks," he said. "Whatever you use, focus on intelligent mitigation and test your posture, we understand it's hard and that's why we give you a kit with SODA."