Distributed Denial of Service (DDOS) attacks are a significant threat to the availability of any company’s networks and systems. In the last 18 months, the press has reported many high profile DDOS attacks costing the victims many hundreds of thousands of pounds.
The press reports have focused on the denial of service to web servers. However, the majority of companies use the same Internet connectivity for hosting their web servers as they do for all other aspects of business, including e-mail and external web server access. Therefore, it is likely that if a company’s web server is under DDOS attack then all Internet connectivity will be lost or affected.
DDOS Dissected
DDOS attack tools are freely available on the web for all and have been specially designed to be easy to use. Tools such as Trinoo, TFN, Stacheldraft and TFN2K are just waiting for the next disgruntled employee or script kiddie.
DDOS attacks work by using remotely controlled computers to generate more requests of a device than it can serve. The attackers gain access to machines and install a zombie client upon them; these zombies can then be remotely controlled by a master. Each zombie could generate thousands of requests of a server, with hundreds of zombies; millions of packets can be generated. With enough zombies, even the biggest web sites or Internet pipes can be filled.
Ultimately companies can do nothing to protect themselves if the attacker is able to flood the entire Internet pipe. This would require intervention from the ISP to filter or block the attack within the ISP network.
Prevention
There are a number of measures companies can take to defend themselves from DDOS attacks. Attacking machines often use spoofed constantly changing source IP addresses which makes the attack difficult to identify and block.
Determining which traffic is genuine and which is part of an attack is the hardest part. Many solutions in the market today use filtering or thresholding to prevent attacks. This approach is very analogue and has the effect of either allowing traffic to the victim machine or blocking it all. This approach in itself is a Denial of Service, if a protecting device can be made to think it’s under attack and it blocks all traffic.
Screening Routers
Routers connecting to the Internet pipes can be configured to screen packets before entering the corporate network. The use of screening routers is common in today’s networks and typical configuration will prevent standard spoofing DDOS attacks (RFC 2267 discusses this in more detail). The following is an example of a standard anti- spoofing Cisco access list that would help prevent DDOS attacks:
access-list 101 deny ip 10.0.0.0 0.255.255.255 any access-list 101 deny ip 192.168.0.0 0.0.255.255 any access-list 101 deny ip 172.16.0.0 0.15.255.255 any
The screening router can also be used to ensure the companies networks are not used as a DDOS source. This is achieved by filtering outbound packets and ensuring that the source IP address of all packets is equal to that of the company’s IP address space and not spoofed.
The screening router could also be used to rate limit the number of outgoing TCP SYN packets. This is an example of thresholding, which can lead to the blocking of genuine traffic.
Intrusion Detection Systems
Intrusion Detection Systems can be used to help prevent DDOS attacks. IDS’s can baseline the normal traffic flows or be configured with details of the normal traffic flow and then detect anomalies against this baseline.
Many IDS’s are capable of re-configuring routers or firewalls on the detection of an anomaly. Since the IDS has to detect and then reconfigure a 3rd party device, there is a delay in any action being taken.
This approach is a very dangerous and a much debated prevention method. Again, it can lead to a self-denial of service if the attacker can trigger the IDS to make these updates.
Firewalls
Firewalls can be used in a very similar manner to routers to filter packets and threshold TCP SYN’s packets. Firewalls are typically not as good at dealing with these tasks as routers are. Therefore, it is recommended that the Firewall not be used as the first line of defence for DDOS attacks.
The following diagram illustrates the blocking all traffic phenomenon, where the attacker who is spoofing IP source addresses has caused the firewall to reach the TCP SYN threshold, therefore resetting all TCP connections. This means that any connection attempts from the genuine user will also be treated as an attack and reset.
With this type of defence, an attacker could happily perform a total denial of service for hours or days with little or no genuine traffic reaching the web sever during the attack.
The only benefit of this prevention method is that the Web server was not directly hit, as this often causes them to crash.
Solution
Internet Service Providers are in the best position to protect customers from DDOS attacks but very few are taking on this responsibility. Therefore, it is up to individual companies to protect themselves from these types of attack.
A dedicated DDOS prevention product is capable of differentiating between attack traffic and genuine traffic. This means that although availability may be reduced, an attacker is never able to deny access to all genuine users.
Another important feature that companies should look for in preventing DDOS attacks is the ability to block page flood attacks. Attackers can request web pages from a server with very small packets and therefore request large amounts of pages at speed. The WEBserver on the other hand has to serve larger amounts of traffic for each request, effectively causing an outbound flood.
This type of attack can be very difficult to prevent because identifying the attacker is a complicated task. However there are products on the market that use a baselineing approach to protect against page flood attacks.
Page flood attacks are being increasingly used as the basis of DDOS attacks and companies should look to protect themselves. The recommended solution is to use a dedicated device designed for the purpose of protecting companies against DDOS attacks. A dedicated device that is designed to specifically deal with these types of attacks will provide the best defence.
Prevention Requirements
Companies should look for products that can protect them against
the following types of DOS attacks:
- Checking IP options for anomalies
- Checking TCP sequence
- Validating IP Fragments
- Blocking Ping O’ Death attacks
- Blocking Land Attacks
- Blocking Broadcast Attacks (Smurf, fraggle)
- Blocking ICMP backwash Attacks
- Controlling SYN floods
- Controlling Connection Floods (Naptha)
- Controlling Page floods
- Controlling ICMP floods
- Controlling TCP floods
- Controlling UDP floods
- Controlling Other IP floods
- Controlling Outbound Bandwidth Floods
- Controlling Inbound bandwidth Floods
- Identify the Worst offending IP addresses
- Simple Inbound Port filtering
There are many products on the market that claim to be able to protect against the attacks listed above but few are capable of doing that and still providing availability to genuine users. Since availability is the primary aim of DDOS prevention, a product that effectively blocks all traffic is of no use.
The following table shows the DDOS protection capabilities of various security technologies:
An added bonus of using a dedicated DDOS prevention product is that it can protect against a flood of genuine traffic. News sites such as the BBC receive huge influxes of traffic at unpredictable times such as September 11th. This could cause them to become unavailable or worse still, cause them to fail under the load. A DDOS product would identify a portion of the traffic as a potential attack and therefore throttle the traffic back to a manageable level providing constant availability.
Summary
DDOS attacks are here to stay and they are likely to get more complicated and prevalent. Since ISP’s are doing little to protect their customers against such attacks, it is beholden upon individual companies to provide adequate protection.
Companies should take the DDOS threat seriously and recognise that it is not unique to large high profile Web facing companies. When this type of attack occurs, companies should understand that significant costs and brand damage would be incurred as a result. Therefore, companies should look to a dedicated DDOS prevention product to provide them with the capability of not only identifying and blocking attacks but also allowing genuine users continued access.
Trinity Security Services (Trinity) is a leading independent information
security solutions and services provider. Customers include a range of FTSE
250 customers across UK and Europe
Trinity provides its customers with market leading expertise, delivering
solutions ranging from the technical such as IDS, VPN and E-commerce, to
strategic services including security policy and procedure development.
