Distributed Denial of Service (DDoS) attacks have been around for many years and are continuing to escalate in both frequency and sophistication. Once considered the tool of internet pranksters and self-styled activists trying to cause inconvenience, as well as loss of revenue and reputation, this has now become a very lucrative income stream for many in the cybercrime underground.
The Basics of DDoS Attacks
The goal of such an attack is to tie up an organization’s online systems to the point that legitimate visitors (customers, users, clients, etc.) are unable to connect.
This is done using one of two basic methods:
The attacker attempts to install malware on the target system which will begin to consume resources at such a rate that the system can no longer respond to logins, web queries or legitimate requests for resources. This can continue to the point that all effective servers crash, a condition known as ‘bringing down a site’.
In this method, the attacker floods the system with so many requests for access that legitimate queries and contacts are turned away. This is the cybernetic version of a picket line and is the most common method of DDoS attacks.
Most attacks of this kind are made from hundreds or even thousands of computers in various locations, making up the Distributed portion of the attack name. Many of the attack computers are being used without the consent of their owners through the installation a bot or zombie process on an unprotected PC or server. Once activated, the controlled systems will begin bombarding the target and effectively stopping on line trade and access.
Who is Profiting From DDoS Attacks?
There are a number of ways that people and groups are making money with DDoS attacks, including:
Businesses have been known to launch DDoS attacks at the online presence of one or more competitors with the goal of causing a sufficient disruption of trade to create a financial benefit for the attacker. This comes in the form of lost business for the target company and the potential of picking up some of the customers chased off by the effects of the attack.
The attacking company is then making money indirectly in the form of lower competition and increased trade.
In this scenario, a threat is sent to the potential victim that a denial of service attack will occur unless a specified ‘ransom’ is paid. In some cases, an initial show of force is staged for effect, large enough to get the victim’s attention but not so large as to provide too much information useful in mounting a defense.
In many cases, the target pays up and writes the expense off as cost of doing business.
Third Party Access
People and groups with the hardware and software capable of launching a large scale DDoS attack are now renting system access to other groups and individuals are looking to make an attack but don’t have the resources or expertise to make it happen.
There are a number of ways to prevent DDoS attacks and mitigate their effect should prevention fail:
Keep Your System Security Updated
Basics of computer security are still your best limiting the number of potential exploits available to potential attackers, thus decreasing the attractiveness of the target.
Multiple Layers of Access
Detecting and stopping the attacks as far away from the target system. This is accomplished with multiple perimeters of switches, routers and firewalls, each equipped with systems for handling DDoS attacks. In many cases, working with the networking connectivity provider can add an additional filter against external attacks.
In order to effectively defend against a DDoS attack, early detection is essential. For this, a significant amount of preparation and knowledge is required:
By becoming aware daily, weekly, and seasonal system access cycles, the presence of unusually high access requests can be a sign of an attack in progress.
A current list of ‘safe’ IP addresses and user IDs can be used to set up preferred access paths in the routers and firewalls. While this will not prevent new contacts from being repelled in a DDoS attack, it will allow current clients/users access to the system.
Maintaining a list of ‘dangerous’ IP addresses in all access devices is a basic defense against attack.
The point of using random computers to launch the attack is to prevent the target from blocking the IP addresses ahead of time by masking the attack, it is possible to classify contacts during the attack as hostile. This is done by analyzing the contact based on several criteria:
- Request Frequency: Too many requests per minute from the same URL indicates a bot or other automated program making the contact.
- Request Duration: Regular requests over a long period of time is also an indication of bot activity. A human user would pause or give up after a few failed attempts.
- Request Content: Most requests for service to a web site includes some information regarding the reason for the contact. This could be a part number, the URL of an information page, or other ‘normal’ query values. Requests with information that is meaningless, or unrelated to the target system site, can be classified as hostile.
- Port Requests: Requests for ports not normally used for on line contacts are also an indication of an attack.
Once a URL is classified as hostile, is must be added to the black list in every layer of the defense perimeter. This will gradually shut down the attack by rendering attacking systems ineffective.
Distributed Delivery of Service
On line site access can be spread over multiple systems which provides a variety of advantages. In addition to providing for load balancing and redundancy, it also spreads the internet access, diluting the effectiveness of any DDoS attack.
Responding to DDoS Attacks
Specific protocols must be established to respond to a DDoS attack, which should include:
- In house and third party contact information to alert individuals and organizations charged with helping with the response.
- Backup equipment and servers to swap out for infected units.
- Access codes to routers and firewalls to facilitate updating the black and white lists.
Logs of the attack should be compiled and analyzed for possible legal and civil action against the attacker. While finding the original source of the attack can be difficult given the nature of the method used, it does happen.
Preparation for DDoS Attacks
As with any risk situation, preparation is key. By working with IP providers, equipment vendors and security consultants, a prudent and effective system for detection, defense, and response can be created that will, if not prevent, at least minimize the effect.
Contact the HOSTING certified information security team for help in putting together a comprehensive DDoS plan to safeguard your information assets. You can also download our complimentary white paper, Avoiding the Breach: What You Need to Know About Online Security.