Make Stopping DDoS a Priority
With DDoS attacks on the rise, the traditional approaches to stopping them aren’t adequate anymore.
Whereas older DoS attacks would affect servers by using up resources–signaling the start of a conversation, with no intention to actually converse–a DDoS typically is designed to affect the network by creating so much traffic that the WAN link(s) become saturated, unable to carry “normal” traffic. You may have noticed at home that, if you stream a video, your Web browsing gets slowed down. A DDoS is the same concept taken to an industrialized (and weaponized) scale.
I asked Jim MacLeod, product manager at WildPackets, for his recommendation on thwarting these attacks. Via e-mail, he said that traditional approaches to DoS mitigation, such as using ACLs (access control lists) or firewall rules to keep attack traffic from reaching the server, are not adequate because three factors in a DDoS require a different reaction.
First, the attack is against the network infrastructure, not the servers. A firewall can only protect what’s behind it, so if it’s on premise, it can’t prevent the WAN link from being flooded. DDoS responses often require coordination with the WAN carrier to block the traffic upstream.
Second, the attack is going to come from a large number of IP addresses. The scale will make it impossible to add entries by hand for each node. While it’s possible to filter aggregated blocks of addresses to create fewer rules faster, the “wolves among the sheep” nature of botnets implies that the addresses will be widely dispersed rather than clustered together, so a lot of legitimate traffic would potentially be blocked too.
Finally, the speed at which the attack commences–sometimes referred to as a “thundering herd” effect–doesn’t leave much time to react to counter the problem.
So the best approach?
MacLeod suggests that the key to combating DDoS attacks is to turn the attack’s strength into its weakness. Industrial-scale attacks will be diverse in source addresses, but fairly homogeneous above the IP layer. Many of these attacks are surprisingly simple from a protocol perspective; they rely on brute force, not cleverness. What you need to find is a signature or behavior within the packets that is common to the attack traffic but absent from your normal traffic. If your packet analyzer dashboard has visualizations or expert analysis, your tool may even identify a useful characteristic for you.
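To make the two points above concrete, here is an added example (not code from the original post, from WildPackets, or from any analyzer product) that runs over a constructed packet sample: a handful of normal flows plus a flood whose sources are spread across many /24s but whose dst port, TTL, length and TCP flags never vary. The first function shows what happens when you try the ACL approach and aggregate attacker sources into prefix blocks; the second searches the header fields for the most common value combination, scores it against ground truth, and returns the narrowest rule that covers the flood with no hits on normal traffic. Field names, the record layout and every address are assumptions made up for the example.

```python
"""Turn a flood's homogeneity into a filter signature (constructed sample data)."""
import ipaddress
from collections import Counter
from itertools import combinations

# Constructed sample records: (src_ip, dst_port, ttl, length, tcp_flags).
# The is_attack label appended below is ground truth used only to SCORE candidate
# rules; the rule search itself never looks at it, just as an analyst would not.
NORMAL = [
    ("10.1.1.5",     443,  64, 1460, "PA"),
    ("10.1.1.9",      80, 128,  517, "PA"),
    ("10.2.7.3",     443,  64,   60, "A"),
    ("172.16.4.8",    53, 255,   78, ""),
    ("10.1.1.40",     80,  64,   40, "S"),
    ("192.0.2.77",   443,  52,  130, "PA"),
    ("10.5.5.5",     443, 113, 1200, "PA"),  # shares the flood's TTL, so TTL alone is not enough
    ("198.51.3.200",  80,  64,   40, "S"),   # legitimate SYN from a /24 that also holds a flood source
]
# Flood: 40 sources in 40 different /24s, identical above the IP layer.
FLOOD = [(f"198.51.{i}.{(7 * i) % 250 + 1}", 80, 113, 40, "S") for i in range(40)]
SAMPLE = [r + (False,) for r in NORMAL] + [r + (True,) for r in FLOOD]

# Header fields an analyst can see without payload inspection -> tuple index.
FIELDS = {"dst_port": 1, "ttl": 2, "length": 3, "flags": 4}


def prefix_collateral(records, prefixlen):
    """The ACL approach: collapse attack sources into /prefixlen blocks to keep the
    rule count manageable, then count the legitimate hosts those blocks also catch.
    Returns (number_of_blocks, legitimate_records_blocked)."""
    blocks = {ipaddress.ip_network(f"{r[0]}/{prefixlen}", strict=False)
              for r in records if r[-1]}
    caught = sum(1 for r in records if not r[-1]
                 and any(ipaddress.ip_address(r[0]) in b for b in blocks))
    return len(blocks), caught


def dominant_value(records, fields):
    """Most frequent value of the given field combination across ALL traffic.
    This is the unlabeled view an analyzer dashboard gives you: a flood shows up
    as one value combination that dwarfs everything else."""
    idx = [FIELDS[f] for f in fields]
    counts = Counter(tuple(r[i] for i in idx) for r in records)
    return counts.most_common(1)[0][0]


def evaluate_rule(records, fields, value):
    """Score a candidate rule against ground truth.
    Returns (share_of_attack_traffic_matched, normal_records_matched)."""
    idx = [FIELDS[f] for f in fields]
    hits = [r for r in records if tuple(r[i] for i in idx) == value]
    attack_total = sum(1 for r in records if r[-1])
    coverage = sum(1 for r in hits if r[-1]) / attack_total
    false_positives = sum(1 for r in hits if not r[-1])
    return coverage, false_positives


def best_signature(records):
    """Try every field combination, take its dominant value as the candidate rule,
    and keep the one with the fewest false positives, then highest coverage,
    then fewest fields. Returns (rule_as_dict, coverage, false_positives)."""
    best = None
    for n in range(1, len(FIELDS) + 1):
        for fields in combinations(FIELDS, n):
            value = dominant_value(records, fields)
            coverage, fp = evaluate_rule(records, fields, value)
            cand = (fp, -coverage, n, fields, value)
            if best is None or cand[:3] < best[:3]:
                best = cand
    fp, neg_cov, _, fields, value = best
    return dict(zip(fields, value)), -neg_cov, fp


if __name__ == "__main__":
    for plen in (32, 24, 16):
        print(f"/{plen} source blocks: {prefix_collateral(SAMPLE, plen)}")
    rule, cov, fp = best_signature(SAMPLE)
    print(f"signature {rule}: covers {cov:.0%} of flood, {fp} normal packets matched")
```

On this sample the address-based approach needs one rule per source at /32, and as soon as it aggregates to /24 or /16 it starts blocking a legitimate host that happens to share a block with a flood source. The field search instead lands on a two-field rule (dst port plus TTL) that matches every flood packet and nothing else; a single-field TTL rule would have caught a legitimate flow. Before pushing any such rule to a filter or upstream to the carrier, run `evaluate_rule` over a much larger baseline capture than this toy sample, since a rule that is clean on eight normal packets can still be noisy on real traffic.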
The ultimate key to making prevention a priority is to have a mitigation plan.
- DDoS: When Size Matters… Or Not? (paulsparrows.wordpress.com)
- DDoS Tools Flourish, Give Attackers Many Options (informationweek.com)
- 10 Strategies To Fight Anonymous DDoS Attacks (informationweek.com)
Posted on February 9, 2012, in attacks, Cybersecurity, Network Administration, Security tips and tagged Arbor Networks, Data rate units, Denial-of-service attack, Internet service provider, IP address, Prolexic Technologies, Radware, WildPackets.