How to Deny DDoS Attacks

Over the past couple of years, DDoS attacks haven't just become more sophisticated -- they've gone mainstream to the point that attackers aren't shy about using them brazenly in the name of social and political activism. Perpetrators rarely face any form of punishment, and it doesn't help that some judges have deemed the practice legal.

"It's no longer hidden. It's very, very public, it's well known," said Neal Quinn, VP of operations at Prolexic, a company that specializes in mitigating DDoS attacks. "And I'm not just talking about the Anonymous group, but all manner of people who openly use DDoS to make their point. It's mainstream. It's the most striking change over the last 18 to 24 months."

DDoS attacks have always been more difficult to prevent than other sorts of attacks. For one, most DDoS attacks don't take advantage of a poorly coded vulnerability; they simply exhaust resources. Each year, I have several friends who have their sites or services taken down for at least several days as they battle DDoS attacks. Only one of those attacks ever resulted in a conviction.

Contributing to the public acceptance -- or at least tolerance -- of DDoS attack is the fact that many segments of our society support them for social and political reasons, according to Quinn. Political action groups often meet in public forums, discuss targets, announce their plans to the press, then attack. In some cases, target organizations become bigger scapegoats when they try to take legal action against the offenders, as opposed to quietly enduring the attacks.

Technologically speaking, DDoS attacks continue to grow larger and larger. It used to be that 1Gbps attacks were considered huge. Quinn said his company routinely sees attacks above 20Gbps.

But the most difficult challenge has been DDoS attackers' increasing sophistication as they've moved from targeting Layers 3 and 4 (routing and transport) to Layer 7 (the application layer). They've learned, for example, how to determine which elements make up a victim's most popular Web page, homing in on the ones that take the most time to load and have the least redundancy.

"Attackers are now spending a much longer period of time researching their targets and the applications they are running, trying to figure out where they can cause the most pain with a particular application," Quinn said. "For example, they may do reconnaissance to figure out what URL post will cause the most resource-consuming Web page refresh."

The most sophisticated DDoS attackers use many vectors, one at a time, which increases the pain and makes defending all the more difficult. For example, the attacker may begin with a simple ICMP or UDP flood and ratchet up traffic to make it harder for the victim to handle. Once the victim gets control of the ICMP or UDP flood, the attacker may switch over to TCP. When the victim starts getting a handle on the new protocol flood, the attacker can ratchet up the number of bots and the amount of traffic to make the initial hit seem quaint.

A growing number of DDoS victims have found that attackers are using these types of multipronged, multiday assaults as ruses to draw attention from more damaging attacks elsewhere on the network. "When the victim company is hit with a DDoS, it usually causes a little panic and the customer brings their best and brightest resources to bear on the problem. This takes those same individuals away from their other monitoring duties," Quinn said.

I have friends who have successfully put down attack after attack, only to have their service providers let them go because the host can't handle all the bogus traffic. The partner will acknowledge it isn't fair -- but they'll get the customer off nonetheless.

Prolexic's Quinn offered some advice on how companies can fend off DDoS attacks. "First, make performance optimization a general rule," he said. "Make sure your hosts and devices are configured for best performance. Most vendors have anti-DDoS settings you can configure on assets that are likely to be targeted by DDoS attacks."

Second, make sure that no single element lacking redundancy becomes a weak link on any Web server or service. Don't let the attackers be the first ones to analyze your websites for performance issues and security risks.

Third, Quinn advised that organizations have sufficient bandwidth and CPU overhead to handle DDoS attacks. Your utilization planning should include how to handle the resulting extreme traffic. Determine whether you have a quick way to handle huge traffic overloads, such as through peering agreements, cloud services, or DDoS mitigation service agreements.

Fourth, Quinn recommended that organizations keep their DNS records' TTL (time-to-live) settings low enough to ensure that changes are detected quickly. This is an instance of less being more.

Fifth, configure early alerting so that you learn quickly when your site is under attack or becomes unresponsive. "Make sure you have good internal and external monitoring. There are plenty of these types of services out there," Quinn said.

Finally, "make sure anti-DDoS is part of your regular incident response plan," Quinn said. Know ahead of time who you have to call when a big attack hits and how everyone will react, step by step, as it intensifies. You want your response to be smooth enough that you're always ahead of the attackers -- causing them the frustration they hoped to inflict on you.
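As an added illustration of the "early alerting" and "know your expensive pages" advice above (this is example code written for this page, not Prolexic's tooling or the author's), the script below scans access-log lines for a Layer 7 flood: a path whose request rate jumps, whose traffic comes from a handful of sources, and whose server time per request is high. The log format and all IP addresses are constructed; real deployments would read nginx or Apache logs with a request-time field enabled.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed nginx-style format: client_ip [dd/Mon/yyyy:HH:MM:SS] "METHOD path" status request_time_seconds
LOG_RE = re.compile(r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)" '
                    r'(?P<status>\d{3}) (?P<rt>\d+\.\d+)$')

def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S")
    rec["rt"] = float(rec["rt"])
    rec["path"] = rec["path"].split("?", 1)[0]  # group by path, drop query string
    return rec

def find_l7_flood(lines, min_rps=2.0, top_share=0.5):
    """Flag paths whose request rate over the sampled span exceeds min_rps and whose
    top three client IPs send at least top_share of the hits; costliest pages first."""
    recs = [r for r in map(parse_line, lines) if r]
    if not recs:
        return []
    stamps = [r["ts"] for r in recs]
    span = max(1.0, (max(stamps) - min(stamps)).total_seconds())
    by_path = defaultdict(list)
    for r in recs:
        by_path[r["path"]].append(r)
    flagged = []
    for path, rs in by_path.items():
        ips = Counter(r["ip"] for r in rs)
        share = sum(n for _, n in ips.most_common(3)) / len(rs)
        if len(rs) / span >= min_rps and share >= top_share:
            flagged.append({"path": path, "rps": round(len(rs) / span, 2),
                            "top3_share": round(share, 2), "sources": len(ips),
                            "server_seconds": round(sum(r["rt"] for r in rs), 1)})
    # Rank by total server time: the slow, expensive page the article says attackers aim for
    return sorted(flagged, key=lambda f: f["server_seconds"], reverse=True)

def build_sample_log():
    """Constructed sample (documentation IP ranges): 3 bots hammer a slow /search; 20 users browse /."""
    t0 = datetime(2012, 3, 1, 12, 0, 0)
    fmt = "%d/%b/%Y:%H:%M:%S"
    bots = [f'203.0.113.{i % 3 + 1} [{(t0 + timedelta(seconds=i // 3)).strftime(fmt)}] '
            f'"POST /search?q=x{i}" 200 2.500' for i in range(90)]
    users = [f'198.51.100.{i + 1} [{(t0 + timedelta(seconds=i)).strftime(fmt)}] "GET /" 200 0.050'
             for i in range(20)]
    return bots + users
```

Tune `min_rps` and `top_share` against a baseline from normal traffic; a legitimate popular page has many sources, so it is not flagged even when its rate is high.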

This story, "How to deny DDoS attacks," was originally published at InfoWorld.com. Read more of Roger Grimes's Security Adviser blog at InfoWorld.com.
