Denial of service attacks
IT Pro Guide: A denial of service attack can happen at any time. It can destroy your server and your reputation overnight. You can't stop it, but you can reduce its effect. Marcus Austin shows explains how
A DDoS (distributed denial of service) attack quickly overwhelms a company's server, router, firewall or network link with traffic. If successful, the attack floods the network with effectively 'network spam' and it attacks so completely that legitimate traffic cannot be processed, and the server and therefore the company cannot function. The results can be disastrous; customers go elsewhere, and possibly stay away permanently, and reputations are damaged. In many instances your service provider will cut off your server - known as black hole filtering or null0 - and may also charge you for the bandwidth. So not only will you lose revenue you'll also being charged for the privilege of it.
According to a CSI/FBI Computer Crime and Security Survey, in 2004 DDoS attacks were the second-most costly security incident overall for organizations. And Yankee Group, Small and Medium Business Infrastructure Survey, from December 2004 found that 12 per cent of smaller companies had also reported a DDoS attack in the previous 12 months. At the end of 2004 Gartner predicted that half of all Internet-connected businesses would experience some sort of DDoS attack in the next two years. Yet it's still relatively hard to find too many IT personnel who are losing sleep over it.
Mitigate not eradicate
There is nothing you can do to stop an attack, as Mike Prettejohn Director of web traffic analyst firm Netcraft points out: 'The first thing to get straight is this: you cannot stop a well constructed DDoS attack, if it uses spoofed - but legitimate IP addresses - uses HTTP requests and is requesting legitimate pages such as an SCO-type attack then all you can do is reduce the effects of the attack.' The SCO attack was orchestrated at IT firm SCO and utilised a MyDoom virus/worm outbreak that at one point utilised between 25,000 and 50,000 machines in the attack.
Most of the DDoS attacks are criminal in nature. They're there to extort money from your company by bringing down your site. If you're a transactional web site in the gambling arena then you're a prime target. Next up come ecommerce sites. The more you stand to lose by your site being down, then the more you're likely to be a target. You're also a target if your site is in an area where there's some controversy: anything to do with the UK military became a target for DDoS after the invasion of Iraq and any site that has dealings with hunting, animal testing and so on is also a target.
Responding effectively to DDoS attacks is becoming increasingly challenging. In the past, filtering specific source addresses was enough to stop basic DoS attacks. Today's DDoS attacks - distributed by definition - often use tens to hundreds of thousands of sources, courtesy of broadband-connected computers that have been infiltrated by hackers and turned into 'zombies'. Zombie traffic resembles legitimate user traffic; separating them can be extremely difficult, and often requires large computing resources.
As Prettejohn points out, one of the easiest ways of mitigating DDoS attacks 'is to throw money at the problem. More bandwidth and more servers will solve the problem'. Dominic Monkhouse is MD of hosting company RackSpace, the only company to offer a guarantee on traffic. 'One of the ways to reduce the effect of a DDoS is to "out bandwidth" the attackers. Some of the attacks we have seen have peaked at over 1.5Gbs - a typical attack will be 10-100Mbs - so we have a capacity of 8Gb although an orchestrated attack could still bring even the biggest network down,' he says.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
Spreading fast
Monkhouse believes that DDoS is set to get worse. 'Fast broadband connections and users like my mother, who don't know what a firewall is, are opening up the number of potential sources of an attack. In the past attacks came from universities as there were large numbers of users, and the bandwidth available was high. Today it takes just a few minutes between a computer getting broadband access to the net and someone coming along trying to turn the computer into a zombie capable of a DDos attack.'
As attacks are normally aimed at specific IP addresses one way to reduce the effect is to use multiple IP addresses and to do load balancing so that the effect of the DDoS is then spread over multiple machines. Sites that get heavy regular traffic like eBay, Google etc or sites that have unpredictable peaks in traffic like the Live8 site all use a combination of multiple servers and very sophisticated load balancing techniques. While emulating eBay etc will be out of the reach of most companies, the techniques used by Live8 which used an Oracle grid network, running on standard Blade servers is more achievable, but it is still out of the range of most.
Dedicated hardware
A cheaper way to reduce the risk of a DDoS is to install hardware that actively fights the attacks, or and even cheaper way is to share the cost of the devices by using a hosting company where they have the hardware installed. Rackspace uses a combination of Cisco and Arbor Networks devices that sit in front of the clients' sites and monitors net traffic blocking any unusual traffic and it's been successfully used on numerous occasions to stop DDoS attacks. It's even possible to fit the devices after the anti-DDoS hardware after the attack has started.
While most DDos attacks are short-lived, some can last for a lot longer. Monkhouse says: 'We have seen sustained attacks that have lasted from just a few days to on occasions several weeks after which they will peter down.' He adds: 'DDos attacks tend to peak over weekends - the attackers will harness machines that are not being watched as the operators are away on holiday.'
While you can't prevent an attack, you can reduce the effects of the attack, and if you can reduce the effects for a day or so it's unlikely that it will come back again - at least from those perpetrators as they will generally move onto their next target.
DDoS attacks are an increasing challenge and will not go away. The important thing to understand is that it's better to have a plan and a list of contacts to talk to at your service provider BEFORE it happens. Preparation and planning are, by far, the best methods for mitigating DDoS attacks and risks.
Five top tips to mitigating DDoS
1. Tracing the Attackers
One of the most common reactions would be an attempt to trace the attacker. However, a DDoS comes from multiple sources and will always spoof addresses, so tracing a DDoS attack can take time and requires extensive co-operation from other service providers. But if you're lucky and it's all coming from just a few providers then you can either ask them to stop packets being sent to your address or add filters at your end to filter out packets from specific addresses.
2. Rate limiting
A good option is to 'rate limit' the offending traffic type, so if the attack is via a particular port or via http or ftp, then that route in to the server is shut down. The problem with this, however, is that it will also limit legitimate traffic coming through that port.
3. Return visitors only
Prettejohn recommends limiting access to addresses that have previously used the server and rejecting any new customers: 'It's a bit like a bread shop only selling to regular customers when there's a bread shortage. By just accepting traffic from regulars - which can be built up from a simple trawl through the server logs - you can still maintain relationships, whilst rejecting the attack traffic.'
4. Text only site versions
Another way to reduce the effect of a DDoS is to restrict the processor time used to respond to the requests. Instead of serving a page or pages full of rich-media types, an alternative text-only page could be put in its place. Ideally there should be an automatic process that strips out rich media as a server starts to get overloaded. In addition, dynamic pages could be replaced by static pages to speed up server response.
5. Black hole filtering
The final solution, if all else fails, is to take the server offline by pointing the traffic to the edge. Black hole filtering works by forwarding all traffic to an imaginary interface known as Null0 - effectively all the traffic is 'lost' - which minimises the DDoS impact so that the rest of the network is protected.