Distributed Denial of Service Attacks: Protection Methods and Best Practices

December 10, 2015 | Garrett Gross
X

Get the latest security news in your inbox.

Subscribe via Email

No thanks. Close this now.

In two recent blog entries, I discussed botnets — best practices in botnet detection and dealing with botnet command & control servers.

This time I’ll be exploring one of their most commonplace tasks: distributed denial of service attacks.

What is a distributed denial of service attack?

The fundamental premise of distributed denial of service attacks is simple: flooding services or public websites with so much network traffic they can’t function properly (or at all). This can take a devastating toll on targeted organizations — shutting off their revenue streams, and damaging both their brands and customer relationships, with a single stroke.

Historically, distributed denial of service attacks have taken several common forms:

  • Basic denial of service (DoS) simply involves a single computer/source slamming the targeted site or service with excessive requests (e.g., to view the site or run a search function).
  • Distributed denial of service (DDoS) is a variation in which a botnet is used to generate the traffic. Because the botnet is distributed over hosts in many locations, it’s slower and harder for an organization to mount an effective defense. Simple rules, such as blocking a particular domain or IP range, no longer apply.
  • Reflected distributed denial of service is still more sophisticated yet. Here, the botnet poses as the targeted site, using spoofed IP addresses, and tricks other servers/services (not associated with the botnet) into overwhelming the target. For instance, a botnet might persuade public servers that have enabled the Network Time Protocol (NTP) into sending excessive network traffic to the target.

The goal of the attacker is the same in all cases. If the site’s architecture can’t block the traffic, or scale to meet the demand level, the site or service is effectively taken offline, and the organization suffers significant business consequences. Attackers often leverage this fact to extort payments in a modern-day version of the protection racket.

Distributed denial of service attack examples

According to Akamai, distributed denial of service attacks have seen a year-over-year increase of more than 132%. This is a trend that has been only increasing over time, so if you haven’t been hit . . . you will be. In fact, experts predict that in the near future all Internet-connected businesses will find this to be an at-least annual event.

“Half of the q2 2015 DDoS attacks employed multiple attack vectors, a trend that has continued for the past year. Multi-vector attacks typically leverage attack toolkits from the DDoS-for hire underground.”

Akamai State of the Internet Security Q2 2015 Report

Here are some recent headlines to contemplate:

Distributed Denial of Service Attack Example – DD4BC Group Targets Companies with Ransom-Driven DDoS Attacks

Distributed Denial of Service Attack Example – XOR DDoS Attack Tool Being Used to Launch Over 20 Daily Attacks

Distributed Denial of Service Attack Example – GitHub Wobbles Under DDoS Attack

Distributed denial of service attack mitigation and protection techniques

DDoS attacks launched by botnets truly have two victims: the targeted organization (whose services/sites are shut down) and the hosts of the botnet (whose architectures are being commandeered to perform illegal actions, while legitimate business activity is compromised).

So mitigating and protecting against distributed denial of service really means addressing both scenarios. Common steps would certainly include:

  1. Applying all relevant security patches, as quickly as possible after they are published, to all relevant endpoints
  2. Shutting down unnecessary services/ports when possible (such as NTP or UDP)
  3. Standard botnet protection as described here in my earlier blog entries

Distributed denial of attack response options

Beyond this, organizations have a variety of effective denial of service attack protection options.

One, called network ingress filtering, is codified by the Internet Engineering Task Force as BCP 38. It contains best practices to detect and handle any incoming traffic that uses spoofed IP addresses; spoofed packets are simply discarded before being sent to servers. This technique is particularly effective against distributed denial of service attacks when used by an organization’s Internet Service Provider (ISP), so arranging with the ISP to implement is well worth the time.

Another powerful response to distributed denial of service attacks: contract with a third-party provider that specializes in filtering such attacks. Essentially, if an attack should occur, incoming traffic can be routed to the contractor to scrub, which then sends back only the legitimate traffic to the organization. The scrubbing process involves sophisticated algorithms that examine packets in various respects (IP address, HTTP header information, etc.) and is often itself operating in a high-performance, scalable cloud architecture, to ensure it can handle even the largest attacks.

Dedicated network solutions/appliances, deployed internally, are also available to help organizations cope with distributed denial of service attacks. These work in a roughly similar fashion — by creating a baseline of expected traffic, they can detect and respond to a DDoS attack, scrubbing out false traffic and forwarding only what is left to services. However, since this approach still requires consuming limited internal resources such as bandwidth and processing power, it’s typically not as scalable in handling the most devastating attacks as a third-party specialist.

Also important, though it feels counter-intuitive to security professionals: advertising to the public that the organization is prepared for distributed denial of service attacks. If an attacker perceives in advance that a DDoS attack isn’t likely to be successful, the odds fall that the attack will be launched in the first place! (Compare this to not just installing a security system in your home, but advertising its existence with a sign in your front yard.)

The future of distributed denial of service attack detection, protection, and mitigation

DDoS attacks continue to evolve. Today, for instance, advanced persistent threat (APT) attacks can flood both a targeted organization and its ISP via scheduled sequences of many different attack vectors (such as the application layer, cross-site scripting, and SYN packet floods) — and they can last for a period of weeks.

So, going forward, organizations will have to develop a defensive strategy of equal sophistication. They will need to take advantage of all the techniques described above, and new ones as they emerge, to create a layered, multifaceted security architecture that prevents and defends against the effects of distributed denial of service attacks as comprehensively as possible.

Garrett Gross

About the Author: Garrett Gross
Garrett Gross has always had an insatiable appetite for technology and information security, as well as an underlying curiosity about how it all works. Garrett has over 15 years of professional experience in information technology, filling several roles: systems administration, network engineering, product marketing, technical support, and helpdesk. In his current role in field enablement, he uses his experience to help managed security service providers be successful in evangelizing and operationalizing AlienVault USM.
Read more posts from Garrett Gross ›

TAGS:

‹ BACK TO ALL BLOGS