4 Tips to Fight Botnets

In case you haven't been paying attention, Botnet DDoS attacks passed the 40 Gigabits/sec mark in 2008, according to Arbor Networks. The sheer size of today's Botnets has reached into the mind-boggling realm of 1.9 million bots in a single Botnet. Couple that with the fact that Botnet DDoS attacks are one of the hardest assaults to defend against and you have a real nightmare scenario on your hands. This is why DDoS attacks are the most common method employed by extortionists to attempt to hold online merchants hostage for ransom. It's big business for criminals and business is good.

Here is a common scenario: a bad guy employs a Botnet army to saturate and take out of service something that is of value to you. The targets range from a DDoS that saturates one critical server to one that saturates your entire connection to the Internet, effectively taking down all your Internet service. In some cases, the bad guy will launch his attack first, take down the web services, and then ask for the ransom money. Other times the bad guy will just send the ransom request first, with the threat that if it is not met within X days he will take the victim's website down.

Of course, none of this is new to you, right? But have you ever thought about what you and your company would do if you got hit (or hit again) with a Botnet DDoS attack? How prepared are you to defend against this type of attack? Many companies (both large and small) deal with the issue by explaining it away with arguments like "we don't have anything a hacker would want" or "we are too small a target to be worth the trouble." In some cases this turns out to be fairly true; the risk of a DDoS attack is just not worth the security investment. But in many cases, this line of thinking is dangerously wrong and the risk is actually higher than perceived. If I think about it from a bad guy's perspective, I'm looking for one of two things: money or fame. If you can provide either or both of those then you are a target of opportunity.

So, let's get down to it. How can you fight off a Botnet DDoS attack? Well, the answer varies depending on the type of DDoS attack you are facing, your network infrastructure, the security tools you have available, and other variables. Even though there are so many variables in how you defend against DDoS in your particular environment, I still think there is value in highlighting a few of the more popular tactics. Here are some tips that I have seen work with some success in the past. Others are brand-new techniques to me but seem to offer a compelling solution. I've listed these defense tips in no particular order. But feel free to let us know what you think the order of effectiveness should be.

DDoS Prevention Offerings from your ISP or DDoS service

This defensive tactic is usually the most effective of the bunch and of course (typically) the most expensive as well. Many ISPs offer some form of in-the-cloud DDoS protection for your Internet links. The idea is that the ISP will scrub/clean your traffic before allowing it onto your Internet pipe. Since this defense is done in the cloud, your Internet links don't become saturated by a DDoS attack. At least that's the goal, anyway. Again, no silver bullet. This service is also offered by third-party in-the-cloud DDoS prevention services. They work by redirecting your traffic to them during a DDoS attack. They clean it and send it back to you. This all happens in the cloud, so your Internet pipes don't become overwhelmed. A few examples of ISPs that offer DDoS services are AT&T's Internet Protect and Verizon Business's DoS Defense Mitigation.

Filtering Techniques to Battle Bots

RFC3704 Filtering

Basic ACL filters. The main premise of RFC3704 is that packets should be sourced from valid, allocated address space, consistent with the topology and space allocation. To this end there is a list of all unused or reserved IP addresses, those you should never see coming in from the Internet. If you do see them, then it is positively a spoofed source IP and the packet should be dropped. The name of this list is the bogon list. You should check with your ISP to see if they will manage this filtering for you in the cloud before the bogus traffic enters (and fills) your Internet link. A bogon list changes pretty frequently, about once a month, so if the ISP won't do it for you then you'll have to manage your own bogon ACL rules (or find another ISP). This updating could be scripted as well.
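As an added example (not code from the original article), here is the kind of script that could keep your bogon ACL rules current: it parses a bogon list, checks whether a packet's source address falls inside a bogon prefix, and renders a Cisco IOS-style named ACL to apply inbound on the Internet-facing interface. The embedded list is a constructed snapshot of a few well-known reserved ranges; a real bogon list is larger and changes monthly, and the ACL name and IOS syntax are assumptions for an IOS router.

```python
import ipaddress

# Constructed snapshot of a bogon list: a few well-known reserved/private
# ranges from RFC 1918 and RFC 5735. A real list is larger and changes
# roughly monthly, so it should be fetched and regenerated on a schedule.
BOGON_LIST_TEXT = """
# bogon snapshot - constructed sample, not a live feed
0.0.0.0/8
10.0.0.0/8
127.0.0.0/8
169.254.0.0/16
172.16.0.0/12
192.0.2.0/24
192.168.0.0/16
224.0.0.0/3
"""


def parse_bogon_list(text):
    """Parse one CIDR prefix per line, ignoring blank lines and '#' comments."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=True))
    return nets


def is_bogon(src_ip, bogons):
    """True if a packet's source address falls inside any bogon prefix."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in bogons)


def render_cisco_acl(bogons, acl_name="BOGON-IN"):
    """Emit an IOS-style named extended ACL (assumed syntax) that drops
    bogon-sourced packets and permits everything else. Cisco ACLs take a
    wildcard (inverted) mask, which the ipaddress module calls hostmask."""
    lines = [f"ip access-list extended {acl_name}"]
    for net in bogons:
        lines.append(f" deny ip {net.network_address} {net.hostmask} any")
    lines.append(" permit ip any any")
    return lines


if __name__ == "__main__":
    nets = parse_bogon_list(BOGON_LIST_TEXT)
    print("\n".join(render_cisco_acl(nets)))
    print([ip for ip in ("10.1.2.3", "198.51.100.7") if is_bogon(ip, nets)])
```

Run the script on a schedule against a freshly downloaded list and push the rendered ACL to the edge router so the rules never lag behind the monthly list changes.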

Black Hole Filtering

This is a common technique that is very efficient. Typically, this needs to be done in conjunction with your ISP. RTBH filtering is a technique that provides the ability to drop undesirable traffic before it enters a protected network. It uses BGP host routes to route traffic heading to victim servers to a null0 next hop. RTBH has several variations, but one stands out as worth special mention. Performing RTBH with your ISP (check with your ISP for support; they should offer it) lets them drop the traffic in the cloud for you, thus preventing a DoS on your pipe. Black Hole filtering is a large topic; if you're interested in learning more about it, I'd suggest reading this whitepaper: Remotely Triggered Black Hole filtering (RTBH).

Cisco IPS 7.0 Source IP Reputation Filtering

Cisco recently released the IPS 7.0 code upgrade. This upgrade includes a feature called global correlation. In a nutshell, global correlation checks the reputation score of every source IP address it sees. If the source's reputation is bad the IPS sensor can drop the traffic or raise the Risk Rating value of a signature hit. Now here is Cisco's description of what Global Correlation does:

IPS 7.0 contains a new security capability, Cisco Global Correlation, which uses the immense security intelligence that we have amassed over the years. At regular intervals, Cisco IPS receives threat updates from the Cisco SensorBase Network, which contain detailed information about known threats on the Internet, including serial attackers, Botnet harvesters, Malware outbreaks, and dark nets. The IPS uses this information to filter out the worst attackers before they have a chance to attack critical assets. It then incorporates the global threat data into its system to detect and prevent malicious activity even earlier.

You can configure Global Correlation so that your sensors are aware of network devices with a reputation for malicious activity, and can take action against them.

One of the ways Cisco refines the SensorBase is by taking in feeds from the deployed Cisco 7.0 IPS sensors. Companies can choose to opt in or out of the program.

The SensorBase that the Cisco IPS uses is full of different threat categories, two of which are Botnet harvesters and previous DoS offenders. Therefore, when you are under attack from a Botnet DDoS attack the Sensor will drop all of the traffic coming from bad reputation sources. This process happens before the signatures are used and is very inexpensive to the sensors' resources (CPU, backplane, etc). This makes it an ideal method to utilize during a DDoS attack. It is also why the Cisco IPS checks the SensorBase before processing its IPS signatures.

Many Botnet DDoS attacks use SSL to your web servers. This helps the attacker hide his payload from any inspection engines you may have. However, given that Global Correlation only uses the reputation score of the source IP address to make its decision, it has no issues defending against SSL DDoS attacks. No other IPS vendor has added reputation to their IPS solution, so they would be unable to defend against any form of SSL DDoS attack. Some IPS vendors do have the ability to open up and look inside SSL packets by decrypting them on the fly. However, this process is too expensive on the IPS's resources (CPU, backplane, memory, etc) to be used during a DDoS attack. It would simply move the traffic bottleneck to the sensor itself.

Of course, if the DDoS attack is saturating your link this tactic likely won't work. But if the DDoS attack is just overwhelming some servers and not all your bandwidth then this works great. Global Correlation is not a silver bullet but rather another tool in your toolbox.

Other Tips for Security

IP Source Guard

This one isn't part of the top 5, but I thought it worth mentioning nonetheless. Another tip is to turn on IP Source Guard on your switches. This prevents a host from sending out spoofed packets in the event that it becomes a bot itself.

This is not so much a defense tool but rather a good citizen tool, although it would help dampen an internal spoofed DDoS attack. If every company had IP Source Guard enabled it would help reduce the number of spoofed DDoS attacks we see. An added benefit of having this feature enabled is that it can help you identify hosts that are part of a Botnet on your network. When the malware launches its spoofed attack the switch port can be automatically locked down (error disabled) and the event reported to your security monitoring station. Or you could just have it report the event and keep the port up but drop all traffic except that from the host's real source IP address.

If someone has some other tactics for protecting against DDoS attacks please share them. Here are some helpful links:

Verizon Data Breach Investigations Report (pdf)

Arbor Networks Infrastructure Security Report
