May 19, 2011 DISTRIBUTED DENIAL OF SERVICE (DDOS)

Distributed Denial of Service Attacks

Should Your Organization Be Concerned About DDoS Attacks?

Perhaps!!

In simple terms, a DDoS attack occurs when a network receives more TCP/IP packets per second than its resources can handle. How many packets per second it takes to create such an attack depends on the bandwidth of the network and the speed of the protection devices, routers and switches outside the network itself. The consequence though is always the same – Internet connectivity comes to a complete halt, and users can’t do anything on the Internet. It’s analogous to being in a rush hour traffic jam.

Delivering a DDoS is no easy task; it takes a concerted attack from thousands of computers to clog up a network. The attacker needs to have at his disposal a network of compromised workstations (a botnet) which he can command to all start sending traffic to a certain IP.

I saw this about 5 years ago; a company started receiving 15 million DNS queries per second! A DNS query is very small; less than 60 bytes. But when you get 15 million per second, you are getting hit by a very large amount of data. It’s hard for many devices to cope with such traffic, and very few companies have the ability to cope with such use of bandwidth. They didn’t! And even the ISP had difficulty dealing with it.
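To make the two figures above concrete (packets per second on one side, link capacity on the other), here is a small detector, added as an illustration and not part of the original post. It turns a per-second count of inbound DNS queries into wire bits per second using the post's "under 60 bytes" figure plus Ethernet framing overhead, and flags any second where the rate either jumps far above a trailing baseline or exceeds the uplink. The counter lines, the 1 Gbit/s uplink and the spike ratio are constructed assumptions; the 15 million queries per second is the post's own number.

```python
from collections import deque

# Constructed sample: per-second inbound DNS query counts, assumed to be
# exported by a flow collector as "<epoch_second> <queries>" lines. Not real data.
SAMPLE_COUNTER_LINES = """\
1305763200 4200
1305763201 4100
1305763202 4350
1305763203 4000
1305763204 15000000
1305763205 15200000
1305763206 14900000
"""

LINK_CAPACITY_BPS = 1_000_000_000   # assumed 1 Gbit/s uplink
DNS_QUERY_BYTES = 60                # the post's figure for one DNS query
ETHERNET_OVERHEAD_BYTES = 38        # preamble 8 + header 14 + FCS 4 + interframe gap 12


def packet_rate_to_bps(pps, payload_bytes):
    """Convert a packet rate into bits per second on the wire, framing included."""
    return pps * (payload_bytes + ETHERNET_OVERHEAD_BYTES) * 8


def parse_counter_lines(text):
    """Parse '<epoch_second> <queries>' lines into (timestamp, count) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, count = line.split()
        rows.append((int(ts), int(count)))
    return rows


def flood_alerts(rows, link_bps, baseline_window=3, ratio=10.0):
    """Return one alert per second that looks like a flood.

    A second is flagged when its query rate is more than `ratio` times the
    average of the last `baseline_window` normal seconds, or when the implied
    wire rate exceeds the link capacity. Flagged seconds are deliberately kept
    out of the baseline so a sustained flood keeps alerting instead of
    becoming the new normal.
    """
    window = deque(maxlen=baseline_window)
    alerts = []
    for ts, qps in rows:
        bps = packet_rate_to_bps(qps, DNS_QUERY_BYTES)
        baseline = sum(window) / len(window) if window else None
        reasons = []
        if baseline is not None and qps > ratio * baseline:
            reasons.append("rate_spike")
        if bps > link_bps:
            reasons.append("link_saturated")
        if reasons:
            alerts.append({"ts": ts, "qps": qps, "bps": bps, "reasons": reasons})
        else:
            window.append(qps)
    return alerts


if __name__ == "__main__":
    for alert in flood_alerts(parse_counter_lines(SAMPLE_COUNTER_LINES), LINK_CAPACITY_BPS):
        print(f"{alert['ts']}: {alert['qps']:,} qps ≈ {alert['bps'] / 1e9:.2f} Gbit/s "
              f"({', '.join(alert['reasons'])})")
```

The arithmetic is the point: 15 million 60-byte queries per second is roughly 11.8 Gbit/s once framing is counted, so the link saturates long before any per-packet inspection could run, which is exactly why this kind of traffic has to be dealt with upstream of the victim's own devices.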

This type of attack is very targeted and clearly implies the desire to cause a disruption.  Given how dependent we all are on the Internet, a DDoS can result in loss of some kind.

A few years ago this had become a means of extortion against companies that conducted their business on the web. Several articles appeared about online poker companies being targeted; if they paid the ransom they would be left alone; if they didn’t, their website would become practically inoperable for a long time, and that meant heavy revenue losses for such companies.

The only possible mitigation in a situation like this is to be able to reroute your legitimate traffic somewhere else, so that the network receiving the DDoS becomes less relevant to the company business.

One way to thwart such a situation is to seek the collaboration of the ISP; depending on the size of the attack, sometimes only the ISP may be able to fend it off by setting up rules and routes to forward that traffic somewhere else.

Scanning and filtering this traffic is not possible, simply because the very intent of the attack is to overwhelm the devices that are scanning it. So even if every single packet is blocked, the number of packets is such that the device defending the network will not be able to keep up. A scan-and-drop defense therefore does not work in this case – it can make things worse.

Service providers that depend on the Internet for their livelihood (and who doesn’t anymore?) should at least keep such possibilities in mind in their risk assessment.

There is no material gain for a hacker to pursue a DDoS.  Hackers try to remain anonymous; extortion implies a contact of some kind with the victim.   The likelihood of this happening is low because it wastes resources that the hackers can dedicate to direct attacks aimed at stealing information, which have a more immediate ROI – yes, hackers do seem to think in terms of ROI as businesses do.

Nevertheless, someone could have a reason to carry out such an attack; hence the need to assess the risk and be prepared with countermeasures.

Such measures can range from a possible increase in bandwidth to simply absorb the attack; to an agreement with the ISP to forward the traffic somewhere else; to secondary connections to be used during the attack, like a back door to maintain access to the Internet. This should be treated like a disaster situation, and a disaster recovery plan should be drawn up so that Internet connectivity can be maintained and business conducted even under such conditions.