Distributed Denial of Service (DDoS) attacks are one of the largest threats in today’s cyber landscape. They are very difficult to defend against and are potentially very costly. They remain a prime attack tool for hacktivists and other groups, and are also a counter measure tool for the White Hats. Indeed, a unit of GCHQ – The Joint Threat Intelligence Group (JTRIG) use DDoS attacks against both Anonymous and LulzSec ICQ chat rooms.
DDoS can be categorised into two common attacks:
- Bandwidth Attack – The attacker attempts to overwhelm either the bandwidth available to the target or overwhelm the resources of the perimeter devices protecting the target. The most common form of bandwidth attack is packet-flooding. Large numbers of seemingly legitimate TCP, UDP, or ICMP packets are directed to the target. An example would be a SYN flood.
- Application Attack – This is an attempt to exploit the known working behaviour of a protocol (e.g. ‘HTTP:’ ) to consume all available resources on the target device. An example would be a HTTP flood request.
A large scale, well designed DDoS will be very difficult to prevent. DDoS attacks have been reported at over 200 gbps (gigabits per second) and no locally based solution exists that can stop an attack that large. For some time, internet service providers (ISPs) have been investing in DDoS mitigation techniques, as this is a vital tool that can be used to protect their customers. If the attack is successfully prevented at the ISP level, then the potential victim has been protected, likely without even realising it. A word of caution though, ISPs are not traditionally security orientated, they sell bandwidth, and operating DDoS prevention services are costly and require specialised knowledge. Ask your ISP what they are doing for you today and are there any protections in place? What about your investments in the Cloud, even if your applications are held by Amazon, Google, Rackspace etc.?
So, what if you don’t have ISP DDoS protection?
Well the good news is that many existing products already have DDoS mitigation capabilities. Of course, should the DDoS attack exceed your bandwidth limit, then all the products in the world won’t make much difference, but there are measures that can be put in place that would at least give the victim a greater chance to mitigate the effects of the attack.
Firewalls are not purposely designed to prevent DDoS attacks and as we’ve already seen, this traditional form of defence is unlikely to be completely effective, but they do have mechanisms that can mitigate an attack. Ensure that all detection signatures are up to date and any IPS DDoS functionality is enabled. If packet rate and TCP flow control functionality is available, utilise it. If geographical protections are available, use those too – a large proportion of DDoS attacks come from China – this won’t stop spoofed attacks, but we do what we can with the tools available.
Similarly, dedicated intrusion detection and prevention systems are likely to include behavioural techniques and rate limiting. Make sure any IP blacklists are in place and utilise all the tools you have at your disposal.
Dedicated DDoS appliances are as good as it gets when it comes to on premise solutions and are likely to protect you up to your bandwidth limit, freeing your Firewalls and other protections to continue processing legitimate traffic. However, these are not suitable for all. For example, these appliances are typically CAPEX heavy and so are unsuited to the SMB community.
Attacks will continue to grow in size and complexity as the attack tools become more sophisticated and the reliance on the internet to transact business continues to increase. As the attacks grow, so too does the cost; businesses and individuals must act to protect their services. On-premise solutions integrated into other protection technology continue to be badly placed and are unsuitable to prevent DDoS. The fact is, they can only mitigate and true protection lies in the Cloud.
To contact Nettitude's editor, please email email@example.com.