The concept of Distributed Denial of Service (DDoS) attacks has entered the mainstream public consciousness after huge websites like Change.org, WordPress, and several government and news websites from different countries have recently been victims to a series of attacks.
Dubbed the modern instrument of cyber-war, a quick and simple way to describe DDoS is that under the tactic, malicious codes infect computers to trigger mass attacks against targeted websites, causing it to be inaccessible to legitimate traffic. DDoS attacks, although unsophisticated, are difficult to defend against and in this piece, you’ll find out why.
Probably the biggest misconception on DDoS attacks is that once you have a single protective software installed and are running on a well-known Internet platform or host, you’re already safe — recent attacks to major websites have disproved that. We are very lucky to have guys from Radware, an integrated application delivery solutions company that specializes on DDoS prevention and mitigation, to take us on a closer look on DDoS attacks.
Radware told us that even much bigger targets have been deprived of basic Internet connectivity in the past, including Internet infrastructures of entire countries – whose citizens were unable to use the Internet during ongoing DDoS attacks.
A lot of these attacks succeeded because many businesses and networks are still ill-equipped when it comes to facing DoS attacks – while security managers are fairly well versed in choosing the most fitting technologies to counter threats such as intrusions, worms and web application exploitations – there is a common misconception among the security community that these same technologies can also be relied upon for DoS protection.
An example would be the Intrusion Prevention System, which mostly focuses on signature-based technology. The IPS solution contains pre-defined rules or signatures for identifying known malicious traffic. It commonly uses specialized hardware for the detection of such traffic at high throughput rates as well as the parsing of complex layer-7 protocols and the normalization of traffic to avoid various evasion techniques. In addition, it traditionally provides basic “Anti-DoS” features such as rate-limits.
Protecting against DoS attacks, Distributed or not, does not typically require the aforementioned functionality (e.g. signature-based detection, traffic normalization) – each request, sent as part of a DoS attack, can seen completely legitimate in itself rendering signature-detection useless and rate-limit features typically limit legitimate traffic just as they do illegitimate traffic – bringing the condition of DoS to the IPS instead of the entity under attack as the IPS starts blocking legitimate traffic.
Most traditional IPS solutions are therefore incapable of protecting against DDoS attacks.
The manual, ineffective way
Once affected while unprepared, although it requires technical expertise, one could try to manually analyze the traffic, distinguish the attack characteristics from the norm – then try to block the attack by using the attack characteristics based on methods depending upon the attack type. Radware explains:
If the flood is stateful (requiring the completion of a full TCP handshake, assuring the source IP addresses are not spoofed), for instance an HTTP flood – and it is easy to pick up who the attacker is by cross referencing layer-7 HTTP transaction statistics per IP address, those IP addresses can be safely blacklisted at the router ACL.
The issue is that doing the above manually can be very time consuming and will often not produce any results if the attack is too intense for commodity hardware to handle.
The best effort to prevent DDoS attacks
An Anti-DoS solution must be comprised of both Anti-DDoS technology and Anti-DDoS emergency response services in order to be effective, and reach a 100% DDoS prevention:
I. Anti-DDoS technology
- Mitigation performance – high rate DDoS must be mitigated by specialized hardware to withstand the attack load while allowing legitimate traffic to pass through – e.g. Anti-DDoS solutions using ASIC-based DDoS Mitigation Engines
- Reducing reaction time – Network Behavioral Analysis (NBA) technology should be utilized to automatically and accurately distinguish attack traffic from legitimate traffic – at all layers including layer-7 (e.g. HTTP)
- Blocking multiple attack vectors – using NBA, IPS and DoS technologies within a single Anti-DDoS solution ensures no attack is overlooked during a multi-vector attack campaign
II. Anti-DDoS services
- Emergency response – using advanced Anti-DDoS technology must be complemented by proven, experienced and knowledgeable security engineers who are well versed in DDoS attack mitigation and the operation of the chosen Anti-DDoS solution. A centralized 24×7 service of this sort (e.g. provided by an Anti-DDoS vendor) can guarantee the necessary human factor to mitigate DDoS attacks as efficiently as possible
Should you worry?
When affected, the direct impact is simply a “Denial of Service” – the service under attack will stop responding – sometimes, the entire network of the service under attack can stop responding, if the attack is strong enough to affect network equipment at the perimeter of the target (e.g. firewalls).
The key element shared by all the targets of DDoS attacks has been the inability to cope with a decade-old threat. However, this is not to do with a lack of preparation but more of falling victims of a dedicated, coordinated attacks by hacktivists, as we may call them.
While not a direct impact of DoS – such attacks can be launched not only to bring down a service but also to serve as a diversion, while infiltrating into other servers in the organization and wrecking havoc – compromising sensitive information, planting malicious code and more.
Unless you’re a major blog or site that are specifically targeted by hackers, you don’t have too much to worry about. However, if you are, it would be best to have a team dedicated to monitoring and mitigating such attacks, or just get an expert third-party solutions provider to do it.