Defending Against Distributed Denial-Of-Service Attacks
By Nicolai Solling for “Intelligent CIO”
It is no secret that DDoS is a very real concern for a large number of Middle East enterprises. There is no shortage of organisations that are dealing with DDoS attacks, or struggling in their aftermath to rapidly restore and re-establish services. And while it isn’t the complexity of the attacks we have seen in the region that is impressive, it is the impact on employee and customer productivity, and the consequent internal and external reputational damage, that are a cause for growing concern, writes Nicolai Solling, Director of Technology Services at Help AG.
The most apparent problem with a DDoS attack is that services may be affected. It can be anything from losing the ability to browse the Internet to having a specific website taken down. As we move more and more of our business applications to the internet, we are increasing our dependency on these services and relying more and more on their being available.
And attackers no longer employ DDoS on its own. Realising that such an attack presents a huge distraction for any IT organisation, they are increasingly using it to conceal other, more severe forms of attack. The sheer volume of logs that a DDoS attack generates may, for instance, mean that IT security operations miss other events in their infrastructure that would otherwise raise red flags.
The ease of attack
The scary part of DDoS attacks is that they are extremely easy to execute. Today, the tools and services are web-based, capacity is ample and the cost is shockingly low. Examples show some of the most popular services cost as little as $12.99/month for 1200-second attack bursts. DDoS botnets are very cheap and anyone with a payment source at hand can easily purchase them. There is rampant availability of commercial platforms which are disguised as stress-testing services but in reality execute DDoS attacks, and these can be easily discovered through a simple Google search.
The common misconception is that DDoS attacks require a very large amount of computing power, but this is only partially true. While a network-level attack, also called a volumetric attack, does in fact require abnormally high amounts of computing resources to be successful, an equally damaging application-level DDoS attack can be executed with very few resources while still successfully creating an outage on an application. The services are also getting smarter in that their targets may not be a website: they can also follow users around, so that when a targeted user moves from one site to another, the DDoS attack moves with them!
Becoming a victim of DDoS depends on the nature of the organisation’s infrastructure. These attacks are typically generated from the Internet, which is why services connected to or relying on the internet are more vulnerable. If an organisation utilises virtual private networks over a public infrastructure such as the internet, a seemingly simple DDoS may also impact the business’s ability to communicate between branches. Many organisations would be surprised to find just how easily they could be beaten by a DDoS attack, so understanding the threat picture and building robustness against DDoS is key for any organisation.
Protecting against DDoS
Ensuring robustness against DDoS is a matter of making sure that you have greater capacity in your infrastructure than attackers are able to bring against you. An example of this is bandwidth. If someone is attacking your organisation with 1 Gbit/sec of traffic and you only have a 10 Mbit/sec link, you cannot do much to drop the traffic yourself. In such attacks, your service provider holds the key to fixing the issue by filtering out the offending traffic upstream.
Sometimes only small changes to how things are done can increase robustness by great levels. Scale is of course a very important factor in how you deal with an attack, but understanding the potential business impact is also important. If for instance you are running a web-shop as the primary way of selling your products, a DDoS could be a direct business impacting event, potentially even threatening your ability to exist as a company.
A key aspect of your response when a packet flood is under way is to gather as much data on the attack as possible and use it to identify some form of logic in the attack, so that you can determine the correct response and the mitigation necessary. Among the mitigation capabilities, one approach is to employ protocol-level scrubbing. But depending on the level at which the DDoS attack is happening, intelligence about the application, session table size and communication with the ISP are also extremely important aspects.
The scenario mentioned above is an example of a volumetric or network-based attack, wherein the attacker is focused solely on consuming your bandwidth or the session tables of your network and security devices. Protecting against other types of attacks, on the other hand, is very much about ensuring your systems are placed in the correct manner and that you have built your infrastructure in the correct way. DDoS attacks are not sophisticated.
They are created with speed in mind and therefore, if you can be more intelligent in your infrastructure than the attacks are, and are capable of dropping offending traffic at a greater rate than the attack delivers it, you will have come a long way. Any organisation should also respect and understand that dealing with a DDoS attack is a specialist job.
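To make the "gather data, find the logic, pick the mitigation" step concrete, here is an added Python example (not from the article or from Help AG) that aggregates a constructed 10-second flow sample per source and maps the observed scale onto the three responses the text names: upstream/ISP filtering when the link is saturated, protocol-level scrubbing when the session table is at risk, and a local drop when a few sources dominate. The flow values, the link capacity, the session-table size and the thresholds are all assumed.

```python
from collections import defaultdict

# Constructed 10-second sample of flow records: (src_ip, packets, bytes).
# Made-up values for illustration only, not measurements from the article.
WINDOW_SECONDS = 10
SAMPLE_FLOWS = [
    ("198.51.100.7", 400_000, 60_000_000),
    ("198.51.100.8", 380_000, 57_000_000),
    ("198.51.100.9", 350_000, 52_000_000),
    ("203.0.113.20", 40, 60_000),   # looks like an ordinary client
    ("203.0.113.21", 35, 52_000),
]

def summarise(flows, window_s):
    """Aggregate per-source counters and overall rates for the window."""
    per_src = defaultdict(lambda: [0, 0])          # src -> [packets, bytes]
    for src, pkts, nbytes in flows:
        per_src[src][0] += pkts
        per_src[src][1] += nbytes
    total_pkts = sum(p for p, _ in per_src.values())
    total_bytes = sum(b for _, b in per_src.values())
    ranked = sorted(per_src.items(), key=lambda kv: kv[1][0], reverse=True)
    top3_pkts = sum(p for _, (p, _) in ranked[:3])
    return {
        "pps": total_pkts / window_s,
        "mbps": total_bytes * 8 / window_s / 1e6,
        "sources": len(per_src),
        "top_sources": [src for src, _ in ranked[:3]],
        "top3_share": top3_pkts / total_pkts if total_pkts else 0.0,
    }

def triage(summary, link_mbps, session_table_max):
    """Map observed scale onto the responses the article describes.

    Thresholds (80% of the session table, 90% packet share) are assumed."""
    actions = []
    if summary["mbps"] >= link_mbps:
        actions.append("upstream: link saturated, ask ISP or scrubbing provider to filter")
    if summary["sources"] >= 0.8 * session_table_max:
        actions.append("protocol scrubbing: source count threatens the session table")
    if summary["top3_share"] >= 0.9:
        actions.append("local ACL: drop top sources " + ", ".join(summary["top_sources"]))
    if not actions:
        actions.append("monitor: within capacity")
    return actions

if __name__ == "__main__":
    stats = summarise(SAMPLE_FLOWS, WINDOW_SECONDS)
    for action in triage(stats, link_mbps=100, session_table_max=1_000_000):
        print(action)
```

With the assumed 100 Mbit/sec link the sample saturates the uplink, so the first action is to involve the ISP even though the three dominant sources could also be dropped locally.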
Interestingly, it is not only organisations that can contribute to addressing the threat of DDoS. Everyday internet users too can play an important role. One of the interesting things about DDoS is that the delivery method was historically infected machines participating in botnets. Today the commercial DDoS clouds are actually delivered from public cloud services that readily provide both computing resources and bandwidth for a very limited cost.
However, botnets are still an important attack vector, particularly for large-scale attacks. Hence, the issue of botnets needs to be tackled for the benefit of every user on the internet. The internet community spends billions on account of the nuisance of botnets, and any Internet citizen should therefore avoid becoming part of one.
Good ways to avoid becoming infected are to always keep your system updated, only install software from trustworthy sources, avoid pirated software packages and avoid opening attachments from unknown sources. As such, protecting yourself from botnets is no different from how you protect yourself against malware, viruses and hacking. Anyone, individual or organisation, should follow these behaviours, and the internet will become a safer place.
About the Author
Nicolai Solling is the Director of Technology Services at Help AG, a regional IT Security company. As one of the Middle East’s foremost IT experts, he regularly comments on the latest threats faced by both home users and enterprise organisations.