Making DDoS prevention a priority

In the Web world, distributed denial-of-service attacks can take out entire sites rather quickly. Mitigating the risk should be top of mind when building network architecture.

Anonymous

Security and network management vendors Prolexic and Arbor Networks recently reported that distributed-denial-of-service attacks are on the rise. What can we do to make prevention a forethought?

According to Prolexic Chief Technology Officer Paul Sop, the recent trends include a shorter attack duration, but a bigger packet-per-second attack volume. This "bigger packet-per-second attack volume" is likely going to be generated by a DDoS (distributed denial of system), which is a coordinated attack from lots of dispersed nodes usually with a few central controllers.

A recent high-profile example was the hacker group "Anonymous" allegedly using the LOIC tool (Low Orbit Ion Cannon). While Anonymous' use of LOIC was originally opt-in--end users would download the tool and choose to participate in the attack--the tool was allegedly later changed to a more traditional "botnet" or "zombie" style, in which clicking a link would perform a "drive-by download" to install the tool and target it without the user's permission.

Whereas older DoS attacks would affect servers by using up resources--signaling the start of a conversation, with no intention to actually converse--a DDoS typically is designed to affect the network by creating so much traffic that the WAN link(s) become saturated, unable to carry "normal" traffic. You may have noticed at home that, if you stream a video, your Web browsing gets slowed down. A DDoS is the same concept taken to an industrialized (and weaponized) scale.

I asked Jim MacLeod, product manager at WildPackets his recommendation on thwarting these attacks. Via e-mail, e said that traditional approaches to DoS mitigation such as using ACLs (access control lists) or firewall rules to keep attack traffic from reaching the server are not adequate because three factors in a DDoS require a different reaction.

First, the attack is against the network infrastructure, not the servers. A firewall can only protect what's behind it, so if it's on premise, it can't prevent the WAN link from being flooded. DDoS responses often require coordination with the WAN carrier to block the traffic upstream.

Second, the attack is going to come from a large number of IP addresses. The scale will make it impossible to add entries by hand for each node. While it's possible to filter aggregated blocks of addresses to create fewer rules faster, the "wolves among the sheep" nature of botnets implies that the addresses will be widely dispersed rather than clustered together, so a lot of legitimate traffic would potentially be blocked too.

Finally, the speed at which the attack commences--sometimes referred to as a "thundering herd" effect--doesn't leave much time to react to counter the problem.

MacLeod suggests that the key to combating DDoS attacks is to turn the attack's strength into its weakness. Industrial-scale attacks will be diverse in source addresses, but fairly homogenous above the IP layer. Many of these attacks are surprisingly simple from a protocol perspective, but they rely on brute force, not cleverness. What you need to find is a signature or behavior within the packets common to the attack traffic, but not on your normal traffic. If your packet analyzer dashboard has visualizations or expert analysis, your tool may even identify a useful characteristic for you.

While I've touched on preventing network attacks before --this should serve as a reminder that if you don't have a DDoS mitigation plan already, now is a good time to create one before it's too late.

About the author

Dave Rosenberg has more than 15 years of technology and marketing experience that spans from Bell Labs to startup IPOs to open-source and cloud software companies. He is CEO and founder of Nodeable, co-founder of MuleSoft, and managing director for Hardy Way. He is an adviser to DataStax, IT Database, and Puppet Labs.

 

Join the discussion

Conversation powered by Livefyre

Don't Miss
Hot Products
Trending on CNET

HOT ON CNET

Delete your photos by mistake?

Whether you've deleted everything on your memory card or there's been a data corruption, here's a way to recover those photos.