When it Comes to DDoS Attacks, it’s Important to Remember That There Will Likely Never be a Single Silver Bullet.
Denial-of-Service (DoS) and Distributed Denial-of-Service Attacks (DDoS) are increasingly common problems for enterprise networks. DDoS campaigns are commonly used by hacktivists to embarrass or otherwise disrupt a target company or government agency. Unfortunately, the problem isn’t limited to hacktivist groups. Botnets controlled by criminal groups can recruit thousands and even millions of infected machines to join in a truly global DDoS attack, enabling the gang to essentially extort a ransom from the target network in order to stop the attack.
Regardless of the source, defending a network from DDoS attacks has become an integral part of any IT threat prevention strategy. It is also particularly challenging, because it requires a layered strategy that integrates multiple types of technology, both inside and outside the enterprise.
In this column we will take a brief look at some anti-DDoS best practices and what an overall DDoS strategy could look like.
For many of us in network security, layered defenses begin at the perimeter, and this works well for stopping exploits, malware and the like. However, DDoS attacks are fundamentally about volume, so you want to start to staunch the flood of DDoS traffic as far upstream as possible. In this regard ISPs are increasingly important partners in the fight against DDoS attacks. ISPs can monitor Internet links and filter or black hole traffic to keep DDoS traffic from ever reaching the customer network in the first place. This requires IT to develop a working relationship with their ISP, to fully understand what services the ISP can provide, and then to build out a DDoS mitigation plan. The important lesson here is: don’t wait until you are in the midst of an attack. Know your contacts, the process for engaging with your ISP, and how to escalate problems as needed.
At the risk of being obvious, one of the big challenges of dealing with a distributed denial-of-service attack is the fact that the attack is…distributed. There isn’t one lone IP address to ignore; there are thousands and thousands of machines around the world recruited into the attack, typically as part of a botnet. One option is a policy that denies or rate-limits traffic from countries where you don’t do business. This obviously wouldn’t solve the DDoS problem by itself, but it could help reduce the footprint of an attack.
Of course, DoS attempts will eventually end up on your doorstep, and you will need to repel the attack and protect your assets. This is where DoS protection policies in a modern firewall are particularly powerful.
These rules target the various types of traffic floods, such as SYN, UDP and ICMP floods. You should also set rules for the maximum number of concurrent sessions to ensure that sessions can’t overwhelm resources. Setting thresholds is relatively simple. The key is to tune policies to look not only at the network as a whole, but also to establish more targeted thresholds for individual critical assets and IP addresses.
As an example, you may want to set an overall ceiling on the SYN packets allowed for an entire network segment. However, you would also want to create a more targeted rule that specifies the total SYN packets allowed to a specific IP address on a critical server interface. By combining aggregate and specific DoS protections you can build in a great deal of protection not only for the network in general but also for the critical systems and services that the network can’t live without.
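To make the aggregate-plus-targeted approach concrete, here is an added example in Python (not from the column or any firewall vendor) that scores constructed per-second flow records against a segment-wide SYN ceiling and a tighter per-host ceiling for one critical server; the addresses, thresholds and records are all constructed.

```python
# Added illustration of layered SYN-flood thresholds: a loose ceiling for the
# whole segment plus a tighter ceiling for a critical host. All values are constructed.
from collections import Counter, defaultdict

# Constructed sample flows: (second, src_ip, dst_ip, tcp_flags).
# 10.0.0.5 is the critical server; 10.0.0.21-25 are ordinary hosts.
SAMPLE_FLOWS = (
    [(0, f"198.51.100.{i}", "10.0.0.5", "S") for i in range(1, 41)]                 # 40 SYNs at the server
    + [(0, f"203.0.113.{i}", f"10.0.0.{20 + i % 5}", "S") for i in range(1, 31)]    # 30 SYNs spread out
    + [(0, "192.0.2.9", "10.0.0.5", "A")]                                          # plain ACK, not a SYN
    + [(1, f"198.51.100.{i}", "10.0.0.5", "S") for i in range(1, 6)]                # quiet second
)

# Thresholds in SYNs per second (constructed): the segment ceiling is deliberately
# high, while the critical server gets a much tighter limit than ordinary hosts.
AGGREGATE_SYN_PER_SEC = 100
CRITICAL_HOST_SYN_PER_SEC = {"10.0.0.5": 25}
DEFAULT_HOST_SYN_PER_SEC = 60


def syn_rates(flows):
    """Count pure SYNs per second, both segment-wide and per destination address."""
    aggregate = Counter()
    per_dst = defaultdict(Counter)
    for sec, _src, dst, flags in flows:
        if "S" in flags and "A" not in flags:  # SYN without ACK = new connection attempt
            aggregate[sec] += 1
            per_dst[sec][dst] += 1
    return aggregate, per_dst


def evaluate(flows):
    """Apply both rule layers; return (second, scope, observed, limit) for each breach."""
    aggregate, per_dst = syn_rates(flows)
    alerts = []
    for sec in sorted(aggregate):
        if aggregate[sec] > AGGREGATE_SYN_PER_SEC:
            alerts.append((sec, "segment", aggregate[sec], AGGREGATE_SYN_PER_SEC))
        for dst, seen in per_dst[sec].items():
            limit = CRITICAL_HOST_SYN_PER_SEC.get(dst, DEFAULT_HOST_SYN_PER_SEC)
            if seen > limit:
                alerts.append((sec, dst, seen, limit))
    return alerts


if __name__ == "__main__":
    # Only the per-host rule fires: 70 SYN/s is under the segment ceiling,
    # but 40 SYN/s aimed at the critical server exceeds its 25 SYN/s limit.
    for alert in evaluate(SAMPLE_FLOWS):
        print("second %d: %s saw %d SYN/s, limit %d" % alert)
```

The segment-wide rule alone would have stayed silent here, which is exactly why the column recommends a second, tighter rule for critical assets.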
Detection of DDoS Tools
The next step is to identify and block DDoS tools used by attackers. Hacktivist groups will often rely on very simple tools or easily distributable scripts that can be used by users with basic computer skills. LOIC (the Low Orbit Ion Cannon) has been a popular tool in various Anonymous projects as well as other hacktivist operations. Investigate your IPS and firewall solutions to ensure they can identify and block attacks driven by LOIC, Trinoo and related tools.
Controlling Botnets to Control DDoS
While it’s paramount to be prepared for a DDoS against your network, it’s also important to ensure that your network doesn’t contribute to an attack elsewhere. Many DDoS attacks are the work of botnets that leverage an army of infected machines to send traffic at a specific target. Finding machines that are infected by a botnet and blocking the all-important command-and-control traffic will benefit your security in a number of ways, and in the process will ensure that you are not an unwitting contributor to a DDoS attack.
When it comes to DDoS, it’s always important to remember that there will likely never be a single silver bullet. Stopping DDoS attacks requires a blend of strong local security controls as well as efforts to mitigate the attack upstream. Using these techniques in a coordinated way will help you build an overall approach to coping with a DDoS attack.