Security and network management vendors Prolexic and Arbor Networks recently reported that distributed-denial-of-service attacks are on the rise. What can we do to make prevention a forethought?
According to Prolexic Chief Technology Officer Paul Sop, the recent trends include a shorter attack duration but a higher packet-per-second attack volume. That volume is typically produced by a DDoS (distributed denial of service): a coordinated attack from a large number of dispersed nodes, usually steered by a few central controllers.
A recent high-profile example was the hacker group "Anonymous" allegedly using the LOIC tool (Low Orbit Ion Cannon). While Anonymous' use of LOIC was originally opt-in--end users would download the tool and choose to participate in the attack--the tool was allegedly later changed to a more traditional "botnet" or "zombie" style, in which clicking a link would perform a "drive-by download" to install the tool and target it without the user's permission.
Whereas older DoS attacks would exhaust server resources--a SYN flood, for instance, signals the start of a TCP conversation over and over with no intention of actually conversing--a DDoS is typically designed to affect the network by creating so much traffic that the WAN link(s) become saturated and can no longer carry "normal" traffic. You may have noticed at home that, if you stream a video, your Web browsing slows down. A DDoS is the same concept taken to an industrialized (and weaponized) scale.
I asked Jim MacLeod, product manager at WildPackets, for his recommendation on thwarting these attacks. Via e-mail, he said that traditional approaches to DoS mitigation, such as using ACLs (access control lists) or firewall rules to keep attack traffic from reaching the server, are not adequate, because three factors in a DDoS require a different reaction.
First, the attack is against the network infrastructure, not the servers. A firewall can only protect what's behind it, so if it's on premise, it can't prevent the WAN link from being flooded. DDoS responses often require coordination with the WAN carrier to block the traffic upstream.
Second, the attack is going to come from a large number of IP addresses. The scale will make it impossible to add entries by hand for each node. While it's possible to filter aggregated blocks of addresses to create fewer rules faster, the "wolves among the sheep" nature of botnets implies that the addresses will be widely dispersed rather than clustered together, so a lot of legitimate traffic would potentially be blocked too.
Finally, the speed at which the attack commences--sometimes referred to as a "thundering herd" effect--doesn't leave much time to react.
MacLeod suggests that the key to combating DDoS attacks is to turn the attack's strength into its weakness. Industrial-scale attacks will be diverse in source addresses but fairly homogeneous above the IP layer. Many of these attacks are surprisingly simple from a protocol perspective; they rely on brute force, not cleverness. What you need to find is a signature or behavior within the packets that is common to the attack traffic but absent from your normal traffic. If your packet analyzer dashboard has visualizations or expert analysis, your tool may even identify a useful characteristic for you.
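To make the two points above concrete--that blocking aggregated address blocks catches legitimate users (the "wolves among the sheep" problem), and that a flood is homogeneous above the IP layer even when its sources are not--here is an added example. It is not code from the article or from WildPackets; the packet records, the field names (proto, ttl, length, flags, payload) and the thresholds are constructed for illustration. It measures how much legitimate traffic a source-block filter would sweep up at several prefix lengths, then ranks (field, value) pairs that cover nearly every attack packet while appearing in almost no baseline packet, which is the signature you would hand to an upstream filter.

```python
"""Turn a DDoS flood's homogeneity against it: find packet traits that are
near-universal in the attack window but rare in baseline traffic, and show
why filtering by source-address block instead cuts off legitimate users.
All packet records below are constructed sample data, not captures."""
import ipaddress
from collections import Counter

# Fields compared: TTL and length from the IP header, the rest above IP.
FIELDS = ("proto", "ttl", "length", "flags", "payload")


def baseline_traffic():
    """Constructed 'normal' packets from a handful of legitimate client /8s."""
    pkts = []
    for i in range(200):
        src = (f"{(24, 66, 98, 203)[i % 4]}.{(i * 17) % 256}."
               f"{(i * 3) % 256}.{101 + 2 * (i % 50)}")
        ttl = (64, 128, 255, 54, 117)[i % 5]
        if i % 10 == 0:  # a little DNS-style UDP
            pkts.append(dict(src=src, proto="UDP", ttl=ttl, length=60 + i % 30,
                             flags="", payload=b"\x12\x34\x01\x00"))
        else:            # mostly HTTP/TLS over TCP with varied sizes
            pkts.append(dict(src=src, proto="TCP", ttl=ttl,
                             length=(60, 74, 90, 120, 512, 640, 1380, 1460)[i % 8],
                             flags=("S", "A", "PA", "PA")[i % 4],
                             payload=(b"GET ", b"POST", b"\x16\x03\x01\x02", b"")[i % 4]))
    return pkts


def attack_traffic():
    """Constructed flood: 600 distinct, widely dispersed sources, identical payload.
    TTLs vary (different hosts, different hop counts); everything else is fixed."""
    pkts = []
    for i in range(600):
        src = (f"{(37 * i) % 223 + 1}.{(91 * i) % 256}."
               f"{(13 * i) % 256}.{2 * ((101 * i) % 128)}")
        pkts.append(dict(src=src, proto="UDP", ttl=(64, 128, 255, 50, 112, 240)[i % 6],
                         length=1024, flags="", payload=b"\x00\x00\x00\x00"))
    return pkts


def block_collateral(attack, baseline, prefix_len):
    """Fraction of legitimate source IPs caught if every attacker's
    /prefix_len block is blocked outright."""
    blocked = {ipaddress.ip_network(f"{p['src']}/{prefix_len}", strict=False)
               for p in attack}
    legit = {p["src"] for p in baseline}
    hit = sum(1 for ip in legit
              if ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False) in blocked)
    return hit / len(legit)


def candidate_signatures(attack, baseline, min_attack_share=0.9, max_baseline_share=0.01):
    """Rank (field, value) pairs present in nearly all attack packets but
    almost no baseline packets. Thresholds are illustrative assumptions."""
    out = []
    for field in FIELDS:
        atk = Counter(p[field] for p in attack)
        base = Counter(p[field] for p in baseline)
        for value, n in atk.items():
            a_share = n / len(attack)
            b_share = base[value] / len(baseline)
            if a_share >= min_attack_share and b_share <= max_baseline_share:
                out.append((field, value, round(a_share, 3), round(b_share, 3)))
    # highest attack coverage first, least collateral second, field name for stability
    out.sort(key=lambda c: (-c[2], c[3], c[0]))
    return out


if __name__ == "__main__":
    atk, base = attack_traffic(), baseline_traffic()
    print(f"{len({p['src'] for p in atk})} distinct attack sources")
    for plen in (8, 16, 24):
        share = block_collateral(atk, base, plen)
        print(f"  blocking every attacker /{plen} also blocks {share:.0%} of legit clients")
    for field, value, a, b in candidate_signatures(atk, base):
        print(f"  candidate filter: {field} == {value!r}  (attack {a:.0%}, baseline {b:.0%})")
```

In this sample the per-host fields (source address, TTL) are useless as a filter, while the two fields the flood tool never varies (a fixed 1024-byte length and a constant payload prefix) cover 100% of the attack and 0% of the baseline. Note that "UDP" alone is rejected: it covers the whole attack, but also the legitimate DNS traffic, which is exactly the collateral a hand-written ACL would inflict.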
I've only touched on the subject here, but this should serve as a reminder that if you don't have a DDoS mitigation plan already, now is a good time to create one, before it's too late.