Distributed denial of service attacks are frustrating — they’re frustrating for the company under attack, and frustrating for the web host. They can also be costly in terms of business and goodwill lost. Fortunately, there are ways to deal with them, if you are willing to prepare for the possibility of a DDoS before it happens.
You may not have seen them very much in the news recently, but distributed denial of service attacks (DDoS) have not gone away. If anything, these attacks – or at least their potential – have become scarier over time as malicious hackers have worked on improving their methods. The increase in home-based broadband Internet connections, for example, means that hackers can now more easily infect a larger number of machines with fast, powerful connections to the Internet and make them do their bidding.
Let’s back up a second and define what we mean by a distributed denial of service attack. A DDoS attack is an attempt to disrupt the service of a computer network and/or company website by overwhelming the processing capacity of the system or by flooding the bandwidth of the business. It is a blatant attempt to consume the system’s resources, to the point that genuine, legitimate users (i.e. website visitors) are denied access.
Hackers engage in DDoS attacks via a two-step process. First, they infect computers with viruses and Trojans that allow them to control the machines remotely. They will then use these computers, known as “zombies,” to overwhelm other systems. These zombie networks can become quite large.
In October 2005, Dutch police arrested three people who’d created a zombie network comprising at least 100,000 computers. Some reports estimate the network was more like 1.5 million machines strong. The three who had created the network were using it to extort money from U.S. companies. It must have worked something like a high-tech version of the classic cliché of the mob protection racket: “Nice company website you have there. Be a shame if it crashed and all your customers couldn’t get through.”
Since many commercial websites now rely on a constant Internet presence, this threat carries a real bite behind it. And with that many machines at a hacker’s command, even a hardened company such as Microsoft is not immune to a DDoS attack. It’s just the thing for the technology wizard with “different” morals who wants to make some money or a political statement.
Dealing with the problems raised by DDoS attacks often requires lots of communication between the company being victimized and the ISP. If you’re hosting a website that is under attack, that’s you; if you’re a web hosting reseller, you’re still that company’s line of communication to the folks who are handling the servers. Needless to say, it helps to know what you’re up against.
Types of Attacks
An ordinary denial of service attack comes in three basic types. These include consumption of computational resources, such as bandwidth, disk space, or CPU time; disruption of configuration information, such as routing information; and disruption of physical network components. A distributed denial of service attack, as mentioned above, is usually an attempt to consume resources and deny them to other users.
These attacks often take the form of some kind of “flood.” For example, a SYN flood exploits the TCP three-way handshake. Normally a client sends a SYN, the server answers with a SYN-ACK and reserves a slot in its listen backlog for the half-open connection, and the client completes the handshake with an ACK. In a SYN flood, the victim system receives a torrent of SYN packets, usually with forged source addresses. The server treats each one as a genuine connection request, sends its SYN-ACK to an address that isn’t really there, and waits for an ACK that never comes, retransmitting the SYN-ACK a few times before it gives up. So the server is sitting there with a backlog full of half-open connections. Once every slot is taken by these half-open requests, new connection attempts are dropped until old entries time out, and legitimate users cannot connect for as long as the flood is sustained.
Let me bring you back to the subject of zombies for a moment. A single computer can make thousands of requests on a server. A hacker with a single computer at his command thus isn’t that big of a threat to large companies. Multiply that by only a few hundred zombies, however, and suddenly millions of packets can be generated. Get enough zombies into the act, and any company can be brought to its knees.
One form of “DDoS attack” worth mentioning here is the unintentional attack. This happens when a website faces a swarm of legitimate visitors and can’t deliver the bandwidth needed. You may have heard of “the Slashdot effect,” where an extremely popular site such as Slashdot posts a story with a link to a less well-prepared site as part of the story. Site owners love getting that kind of publicity, but it can be quite painful to deal with the results.
Fortunately, there are things that can be done to deal with distributed denial of service attacks. While they can’t be completely prevented, there are steps that companies and ISPs can take to prepare for an attack that will mitigate the damage. Once an attack is underway, certain actions can be taken that may help limit its duration.
Before an attack occurs, you need to determine which parts of your online presence are most critical to the functioning of your business. The reason for this is simple: your Internet connection probably handles a variety of tasks, including outbound web traffic, incoming web traffic, SMTP email and DNS traffic. If your connection cannot handle all of that at once, as happens during a DDoS attack, which tasks have priority? Once you have set a policy for that issue, your technical fixes can fall into place.
Some attacks can be screened against. For example, you can have a router configured to screen packets before they enter your company’s network. Screening routers are commonly used today; they can drop inbound packets whose source address is obviously forged, such as packets that claim to come from your own address range or from private, non-routable ranges. They do not, however, stop a flood whose forged sources look otherwise plausible, so they should not be counted on to prevent spoofing attacks outright. If a screening router is also configured to filter outbound packets, permitting only source addresses that belong to your own network, it can make sure that your company does not become the source of a spoofed DDoS attack against someone else.
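The two directions of screening described above, as an added example that is not part of the original article: the company’s address block, the list of non-routable ranges and the sample packets are constructed, and a real border router would express the same rules in its own access-list syntax rather than in Python.

```python
"""Ingress and egress address screening as a border router applies it.

Added example, not from the original article. Prefixes and packets are
constructed; the logic mirrors what a router ACL would do.
"""
import ipaddress
from dataclasses import dataclass

# Constructed: the address block the company announces to its ISP.
OUR_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Sources that must never arrive on an Internet-facing link; a short
# illustrative subset of the private and reserved ranges.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
)]


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = arriving from the ISP, "out" = leaving toward the ISP
    src: str
    dst: str


def _in_any(addr: str, nets) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def screen(pkt: Packet) -> tuple:
    """Return ("permit" | "deny", reason) for one packet at the border."""
    if pkt.direction == "in":
        # Ingress: nothing from outside may claim to be one of our own hosts,
        # and nothing may arrive from a range that is not routable on the Internet.
        if _in_any(pkt.src, OUR_PREFIXES):
            return "deny", "inbound packet claims one of our own addresses (spoofed)"
        if _in_any(pkt.src, BOGONS):
            return "deny", "inbound packet from a non-routable source"
        return "permit", "inbound"
    if pkt.direction == "out":
        # Egress: our hosts may only send with our own source addresses, so a
        # compromised machine inside cannot emit spoofed floods at someone else.
        if not _in_any(pkt.src, OUR_PREFIXES):
            return "deny", "outbound packet with a source address we do not own (spoofed)"
        return "permit", "outbound"
    raise ValueError(f"unknown direction {pkt.direction!r}")


def screen_batch(packets) -> dict:
    """Run the screen over a batch and count verdicts."""
    counts = {"permit": 0, "deny": 0}
    for p in packets:
        counts[screen(p)[0]] += 1
    return counts


# Constructed sample: two legitimate packets and three forged ones.
SAMPLE_PACKETS = [
    Packet("in", "198.51.100.4", "203.0.113.10"),   # ordinary visitor
    Packet("out", "203.0.113.10", "198.51.100.4"),  # our reply
    Packet("in", "203.0.113.9", "203.0.113.10"),    # outsider pretending to be us
    Packet("in", "10.1.2.3", "203.0.113.10"),       # private range on a public link
    Packet("out", "192.0.2.77", "198.51.100.4"),    # infected host spoofing outward
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        verdict, why = screen(p)
        print(f"{p.direction:>3} {p.src:>15} -> {p.dst:<15} {verdict:6} {why}")
    print(screen_batch(SAMPLE_PACKETS))
```

Note what the ingress rule cannot do: a flood whose forged sources are scattered across ordinary public ranges passes this screen untouched, which is why the article goes on to talk about baselines, detection and the ISP.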
Certain types of DDoS attacks can be hard enough to detect that a screening router wouldn’t pick them up. Before an attack occurs, then, you need to understand what your normal user behavior and traffic is like, so that you can spot it when something out of the ordinary happens. If you currently have network monitoring tools, you’ll want to check whether they support the detection of anomalous traffic patterns.
You can also use something called an Intrusion Detection System (IDS) to detect anomalies. An IDS may even be able to reconfigure routers or firewalls when it detects something abnormal. There will naturally be a delay between the detection and the reconfiguring. At least one security company claims that using an IDS carries a certain risk – if an attacker can trigger the IDS to reconfigure the system, for example, it could lead to a self-denial of service. Your mileage may vary.
Firewalls can be good to use along with other defenses. Like screening routers, they can be used to filter packets. Typically, they don’t deal with this task as well as screening routers: a stateful firewall keeps a table entry for every connection it sees, so a flood of forged connection attempts can exhaust the firewall itself before the servers behind it feel anything. For that reason firewalls should not be used as the first line of defense against a DDoS attack. There are now companies that make dedicated DDoS prevention products, which may be worth investigating.
Taking various steps to filter traffic at the company end is a good start. These filters should be in place and working as a matter of course. But if the traffic between your company and the ISP is saturated by the DDoS attack, it’s time to escalate your defenses. You will need to contact your ISP to help you manage the attack.
The ISP has more bandwidth and is closer to the source of the attack, so they should be able to provide more effective filtering. The ISP will usually filter based on two factors: the source and destination IP addresses of the traffic, and the type of traffic. If there are detection mechanisms in place, these should be able to identify the sources of the attack – and the ISP should be informed.
If you’re lucky, distinct IP addresses can be identified, and the ISP can filter those individually. Sometimes, however, you can’t get a better identifier than another entire network (or even another country). This is in part because many attacks use spoofed packets that don’t reveal their real IP addresses. The ISP will then have to work with those further upstream to figure out where the traffic is coming from. Once the ISP knows what router(s) the traffic is coming from, the owner can be contacted and informed of the situation.
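Two of the steps above, knowing your normal traffic well enough to spot a deviation and then working out which sources (or which network) to hand to the ISP, fit together in one added example that is not part of the original article. The flow records are constructed: ten quiet minutes of traffic from five clients, then two minutes in which forged sources spread across the whole of 192.0.2.0/24 flood the web server. The point it makes is the one in the paragraph above: no single forged address stands out, but the /24 does.

```python
"""Baseline-and-deviation detection over flow records, then source attribution.

Added example, not code from the original article. All records below are
constructed; in practice they would come from flow export or packet counters.
"""
import ipaddress
import statistics
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    minute: int
    src: str
    dst: str
    packets: int


SERVER = "203.0.113.10"           # constructed: the company's web server
LEGIT = ["198.51.100.5", "198.51.100.77", "198.51.100.140", "203.0.113.8", "203.0.113.200"]


def constructed_records():
    recs = []
    for m in range(12):
        for k, src in enumerate(LEGIT):           # ordinary, slightly varying load
            recs.append(Flow(m, src, SERVER, 180 + (m * 7 + k * 13) % 40))
    for m in (10, 11):                             # flood: 256 forged sources, one /24
        for h in range(256):
            recs.append(Flow(m, f"192.0.2.{h}", SERVER, 200))
    return recs


def per_minute_totals(records) -> dict:
    totals = defaultdict(int)
    for f in records:
        totals[f.minute] += f.packets
    return dict(totals)


def anomalous_minutes(records, baseline_minutes, k=5.0, min_rise=0.5):
    """Minutes whose packet count exceeds the quiet-period baseline.

    Threshold is mean + k standard deviations, but never less than
    (1 + min_rise) * mean, so a very steady baseline does not alarm on noise.
    """
    totals = per_minute_totals(records)
    base = [totals.get(m, 0) for m in baseline_minutes]
    mean, sd = statistics.mean(base), statistics.pstdev(base)
    threshold = mean + max(k * sd, min_rise * mean)
    return sorted(m for m, n in totals.items() if n > threshold)


def attribute(records, minutes, prefixlen: int):
    """Packets per source aggregate: prefixlen 32 for hosts, 24 for /24s, and so on.

    Returns [(prefix, packets, share_of_total), ...], largest first.
    """
    minutes = set(minutes)
    by_prefix = Counter()
    for f in records:
        if f.minute in minutes:
            net = ipaddress.ip_network(f"{f.src}/{prefixlen}", strict=False)
            by_prefix[str(net)] += f.packets
    total = sum(by_prefix.values())
    return [(p, n, n / total) for p, n in by_prefix.most_common()]


if __name__ == "__main__":
    recs = constructed_records()
    bad = anomalous_minutes(recs, range(10))
    print("anomalous minutes:", bad)
    for plen in (32, 24):
        top = attribute(recs, bad, plen)[0]
        print(f"top /{plen}: {top[0]} {top[1]} pkts ({top[2]:.1%} of traffic in those minutes)")
```

Run over the constructed records, the per-host view shows the busiest single address carrying well under one percent of the flood, which is exactly why a list of individual IPs is useless against spoofed traffic; aggregating by /24 puts almost all of it in 192.0.2.0/24, which is the kind of identifier an ISP can actually act on, at the cost of also blocking whoever legitimately lives in that range.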
Meanwhile, if the router(s) can’t be immediately identified, some tough decisions may need to be made, and quickly. Again, you and your ISP will need to communicate closely – will the actions that need to be taken block legitimate users out of the network, and if so, how many? Would it be a fair trade-off?
ISPs can also permit certain types of traffic while denying others. This is another reason why it is important to determine which parts of your online presence are most critical to your business. The ISP can then give those services priority, mitigating some of the pain of the DDoS attack.
Sometimes a fix can be easily accomplished, at least temporarily. If the target of the DDoS attack is a single machine, a simple IP address change can end the flood, as long as the attack is aimed at the address rather than at the hostname; if the attackers simply resolve your name again they will follow you, and the change only takes hold once the DNS records have been updated and their time-to-live has expired. This is especially helpful for key servers (such as email or database servers) under attack. Another option, which might work for large companies, is to “throw bandwidth” at the attack and wait it out. It is neither the best nor the least expensive solution, but it might provide a temporary fix.
DDoS attacks must be taken seriously. The key is to be prepared in advance: have your detection systems in place, know your normal traffic, and be on good terms with your ISP. The two of you must start the investigation and mitigation as soon as possible once the attack begins. You and your ISP will need to work together. It is a time-consuming process; even a very large company may take several hours to halt an attack. But it can’t be ignored; lack of preparation will only make things much worse. You owe your customers better than that.