Organizations are becoming increasingly aware of the threat that Distributed Denial of Service (DDoS) attacks can pose to the availability of any on-line services which they offer. Now, if an organization offers on-line services to customers, employees or business partners then they are open to attack. And, unfortunately the chances of being attacked have never been higher.
So, what are these DDoS attacks? A DoS (Denial of Service) attack is simply an attempt by an attacker to exhaust the resources available to a network, application or service so that genuine users cannot gain access. The majority of attacks that we see today are what we call Distributed DoS (DDoS) attacks—these are just DoS attacks launched from multiple different hosts simultaneously; and, in the case of a botnet, we could be talking about 10s, 100s or even 1,000s of machines.
DDoS attacks vary significantly, and there are thousands of different ways an attack can be carried out (attack vectors), but an attack vector will generally fall into one of three broad categories:
- Volumetric Attacks: Attempt to consume the bandwidth either within the target network/service, or between the target network/service and the rest of the Internet. These attacks are simply about causing congestion.
- TCP State-Exhaustion Attacks: These attempt to consume the connection state tables which are present in many infrastructure components such as load-balancers, firewalls and the application servers themselves. Even high capacity devices capable of maintaining state on millions of connections can be taken down by these attacks.
- Application Layer Attacks: These target some aspect of an application or service at Layer-7. These are the most deadly kind of attacks as they can be very effective with as few as one attacking machine generating a low traffic rate (this makes these attacks very difficult to pro-actively detect and mitigate). These attacks have come to prevalence over the past three or four years and simple application layer flood attacks (HTTP GET flood etc.) have been one of the most common DDoS attacks seen in the wild.
Within these categories the actual attack vectors being used are evolving continuously. We have seen a dramatic acceleration of innovation on the part of the hacker community. Not only are they , with new and more complex attack tools being produced by the hacker community. And, it appears that no one is safe from attack.
Over the past year we have seen the types and sizes of organizations being targeted broaden substantially. It is not just financial institutions and gaming sites which are being targeted, we have seen government departments hit, e-commerce sites and even pizza delivery companies being targeted. Why this change? Well, there are a number of reasons:
1. Attack tools are easy to find and download from the Internet. Anyone can download them and anyone can use them—and they do. The availability and awareness of attack tools has really made DDoS attacks accessible to any person, organization or state who is looking for a way to impact another internet user. And, we should not assume that attacks generated by individuals will only be effective against other individuals; some of the attack vectors incorporated in the readily available attack tools are stealthy and complex, and can be effective against commercial systems with just a single attack source—if those systems are not configured/protected appropriately. More of a concern though is what happens when many people download the same tool and direct it towards a common target. In this case we effectively have a ‘volunteer’ botnet and more significant volumes of traffic can be generated, impacting larger and better protected targets.
2. Botnets offering DDoS services are easy to hire. There may be recession in many parts of the world, but the botnet economy continues to flourish. It is easy to hire a botnet to carry out a DDoS campaign on your behalf. Numerous sites offer this ‘service’, it is easy to pay and the rates are very reasonable—$5 per hour, $40 per day. This has led to DDoS being used as a competitive ‘weapon’ between rival businesses.
3. Attack motivations have shifted over the past couple of years. Some attacks are still motivated by extortion and blackmail, business competition and purely to gain an advantage in a virtual gaming world—but—ideological hacktivism and internet vandalism have come to the fore as motivations. In the 2011 Arbor Worldwide Infrastructure Security Report ideological hacktivism and internet vandalism were voted the number one and two motivations behind the attacks monitored by the network operators who responded to the survey on which the report is based. This shift in motivations has led to a much broader range of organizations being targeted by groups such as Anonymous.
So, what should we be doing to protect ourselves from the DDoS threat? Well, there are a number of things that we can all do to reduce our threat surface and minimise the impact of any attack, without using specialised solutions:
- Know your network: Understand the types and volumes of traffic on your network, in detail. Know where traffic comes in, where it goes out, what it is etc., and understand how much there should be for a given time of day and day of week. If we can have this level of visibility of our traffic at layers 3, 4 and 7 then we can pro-actively identify changes from the norm which might indicate an attack, or reconnaissance activity prior to an attack. If we know something is happening, or about to happen, we can then alter our security posture appropriately.
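As an added example (not from the original article), the following script shows the “know your network” idea in code: it builds a per-service baseline keyed by day of week and hour from constructed per-hour rate samples, then flags a new observation that is far outside that slot’s norm. The timestamps, ports and rates are constructed sample data; the thresholds (`sigmas`, `min_ratio`) are assumptions to tune against real traffic.

```python
"""Baseline-and-deviation check for per-service traffic, keyed by weekday and hour."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample history: (timestamp, protocol, dst_port, observed bits/second).
# Four quiet Mondays of HTTP traffic at 09:00 (busy) and 03:00 (quiet).
HISTORY = [
    ("2012-01-02T09:00", "tcp", 80, 2.0e8),
    ("2012-01-09T09:00", "tcp", 80, 2.2e8),
    ("2012-01-16T09:00", "tcp", 80, 1.9e8),
    ("2012-01-23T09:00", "tcp", 80, 2.1e8),
    ("2012-01-02T03:00", "tcp", 80, 1.0e7),
    ("2012-01-09T03:00", "tcp", 80, 1.2e7),
    ("2012-01-16T03:00", "tcp", 80, 0.9e7),
    ("2012-01-23T03:00", "tcp", 80, 1.1e7),
]


def build_baseline(records):
    """Group rates by (weekday, hour, protocol, port); keep mean and population std-dev."""
    buckets = defaultdict(list)
    for ts, proto, port, bps in records:
        t = datetime.fromisoformat(ts)
        buckets[(t.weekday(), t.hour, proto, port)].append(bps)
    return {key: (mean(v), pstdev(v)) for key, v in buckets.items()}


def check(baseline, ts, proto, port, bps, sigmas=3.0, min_ratio=1.5):
    """Return (verdict, expected_mean). 'unknown' if this slot has no baseline yet."""
    t = datetime.fromisoformat(ts)
    key = (t.weekday(), t.hour, proto, port)
    if key not in baseline:
        return "unknown", None
    mu, sd = baseline[key]
    # Require the sample to be both outside the spread and well above the mean,
    # so a near-constant baseline (tiny std-dev) does not alert on trivial jitter.
    if bps > mu + sigmas * sd and bps > mu * min_ratio:
        return "anomalous", mu
    return "normal", mu


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    # A 03:00 Monday sample eight times the quiet-hour norm is flagged even though
    # it would look unremarkable next to the 09:00 volume.
    print(check(base, "2012-01-30T03:00", "tcp", 80, 8.0e7))
```

Keying by port and protocol as well as time means a surge on one service is judged against that service’s own norm, which is what lets a modest Layer-7 rise stand out from normal daytime volume.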
- Know who to call: If you are under attack, or feel an attack might be about to commence, knowing who to call is very important (but is often overlooked). It is imperative that we know ‘who’ within our organizations, our service providers and our managed security partners is there to help us and ‘how’ we should contact them. If we do not have this information to hand, or the information we have is out-dated, our ability to respond has already been compromised.
- Know what to do: Develop an internal incident handling process, and insist on a documented process for interactions with any managed security service partners. Having an incident handling process provides an important structure for dealing with an incident, when stress levels can be high. Incident handling processes can allow incidents to be dealt with more quickly and can prevent people from taking ‘risks’ with security to try and solve an immediate problem (we have all seen the news stories about DDoS being used as a smoke screen for data exfiltration).
- Know how to do it: Ensure that your staff practice using the incident handling process and that all of the tools at your disposal operate effectively and efficiently. Just having an incident handling process isn’t enough—it must be regularly tested and proven to work.
- Know what to block: If you operate on-line services, restrict access to those services to only the protocols and ports which are required. If you have a large number of repeat users/important customers develop a white-list of their addresses so that their traffic can be passed during an attack even if everything else must be dropped. Getting visibility of the traffic on your network (know your network) will help identify the ports, protocols and repeat users for this.
- Know where to block it: Use the infrastructure you have wisely. If you need to restrict access to an on-line service or block attack traffic, should you use your firewalls? You can, but many routers and switches support stateless Access Control Lists, implemented in hardware. This makes them ideal for controlling the traffic reaching our servers/enforcing a white-list. And, they can even be used to drop the traffic from sources identified as sending attack traffic. Dropping traffic here, rather than on any stateful firewall, reduces our threat surface. Firewalls can exhaust their state tables and some attacks exploit this—routers and switches do not have this issue. Also, leverage your relationships with your service providers. Blocking traffic before it reaches your network perimeter protects your upstream links from becoming saturated during an attack. Some service providers have automated processes whereby customers can have traffic to/from particular sources blocked in this way.
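The “know what to block” and “know where to block it” points above come down to an ordered, stateless rule list: white-listed repeat users first, then only the protocols/ports the service needs, then drop everything else, with identified attack sources dropped before any general permit. This added example (not part of the original article) models such a list and evaluates constructed packets against it in both normal and under-attack modes; the addresses are documentation ranges and the services and client lists are assumptions.

```python
"""Ordered stateless ACL, evaluated per packet (first match wins, as on a router)."""
from ipaddress import ip_address, ip_network

# Constructed policy for a hypothetical web front end.
REQUIRED_SERVICES = {("tcp", 80), ("tcp", 443)}      # only ports the service needs
TRUSTED_CLIENTS = [ip_network("198.51.100.0/24")]    # repeat users / key customers
ATTACK_SOURCES = [ip_network("192.0.2.0/24")]        # sources observed sending attack traffic


def _in_any(src, networks):
    return any(ip_address(src) in n for n in networks)


def build_acl(required, trusted, attackers, under_attack=False):
    """Return (action, reason, predicate) rules in the order a router would evaluate them."""
    service_ok = lambda p: (p["proto"], p["dport"]) in required
    rules = [
        # 1. White-listed sources pass, but still only to the services we actually offer.
        ("permit", "trusted-client", lambda p: _in_any(p["src"], trusted) and service_ok(p)),
        # 2. Known attack sources are dropped before any general permit can match them.
        ("deny", "attack-source", lambda p: _in_any(p["src"], attackers)),
    ]
    # 3. In normal operation anyone may reach the required services; during an attack
    #    this rule is withdrawn so that only the white-list gets through.
    if not under_attack:
        rules.append(("permit", "required-service", service_ok))
    # 4. Everything else (other ports, other protocols) is dropped.
    rules.append(("deny", "implicit-deny", lambda p: True))
    return rules


def evaluate(acl, packet):
    """No per-connection state is kept, so the list cannot be exhausted like a firewall table."""
    for action, reason, pred in acl:
        if pred(packet):
            return action, reason
    return "deny", "implicit-deny"


if __name__ == "__main__":
    normal = build_acl(REQUIRED_SERVICES, TRUSTED_CLIENTS, ATTACK_SOURCES)
    attack = build_acl(REQUIRED_SERVICES, TRUSTED_CLIENTS, ATTACK_SOURCES, under_attack=True)
    pkt = {"src": "203.0.113.77", "proto": "tcp", "dport": 443}
    print(evaluate(normal, pkt), evaluate(attack, pkt))
```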
All of the above can help us to minimise the impact of a DDoS attack, but they only provide partial protection from the threat. If our online services are important then services and solutions are available which can effectively deal with DDoS attacks. These specialised solutions and services are based around products known as Intelligent DDoS Mitigation Systems (IDMS).
IDMS can be deployed at the perimeter of an organization’s network, where they can react proactively to even the most stealthy attack vector. Or, they can be deployed within the cloud (service provider) where they can deal with higher magnitude attacks which could saturate an organization’s internet connectivity. The best services and solutions offer an integrated ‘hybrid’ approach comprising both elements working closely together, to completely protect an organization’s on-line presence.