Defending Against DDoS (Distributed Denial-of-Service)

The site is down!  These are haunting words for most businesses, and they are today's topic: the DDoS (Distributed Denial-of-Service) attack.  This particularly nasty type of attack attempts to disrupt the availability of systems by overwhelming servers, saturating bandwidth or through other techniques.  Your business is most likely heavily reliant on specific information systems, and this article provides an overview of the DDoS attack that could take these critical systems down, along with techniques for combating it.

It is best to understand what DoS and DDoS attacks are and how they work before discussing how to fight them.  A DoS (Denial of Service) attack disrupts the availability of key information systems so that legitimate users cannot access those resources.  A DDoS attack accomplishes the same thing using a distributed set of compromised computers, known as "bots" or "zombies", and it is incredibly powerful because it harnesses the processing power of thousands of machines and the bandwidth of many networks to perform the attack.  Both DoS and DDoS result in lost sales, lost customer confidence, reduced productivity and increased work for support staff.  So how does a DDoS attack work?

Understanding the DDoS

DDoS attacks rely on the power of many distributed machines, so the first part of a DDoS attack is assembling an army of bots.  Attackers scour the Internet using automated tools to search for vulnerable machines.  These machines are then exploited and turned into bots by installing software on them that waits for commands from a command and control server.  The bots are in turn used to scan for and compromise further machines, until a sufficient army is assembled for the attack.

The attacker is now ready to initiate an attack with their bot army.  Attacks are initiated automatically or semi-automatically.  Automatic attacks already have the target programmed into them by the attacker, so the attack takes place as soon as the bot army is assembled.  This minimizes the interaction the attacker has with their bot army and makes it more difficult for them to be identified.  In semi-automatic attacks, instructions are sent to the bot army by the attacker through command and control servers once the bot army is assembled.

Some DDoS attacks, called protocol attacks, target a particular protocol or vulnerability; others use brute force.  Protocol attacks take advantage of a bug in the software or a feature of the communication to tie up resources of the target so that legitimate traffic cannot be serviced (a SYN flood that fills a server's table of half-open TCP connections is the classic example).  Brute-force attacks bombard the system with otherwise seemingly legitimate transactions.  Protocol attacks would seem like the more advanced method, but they can be stopped by patching the bug or changing the way the system operates so that the feature cannot be exploited.  Brute-force traffic differs from legitimate traffic only in its volume, so it is more difficult to combat.

So what can you do to prevent or mitigate DDoS?  We have selected five practical things you can do to protect against a DDoS attack.

Cloud screening

Cloud service providers have far more capacity than individual companies.  Companies can route their traffic through a cloud scrubbing provider that absorbs the DDoS traffic and passes only valid website requests on to the company's site.  This only works if attackers cannot reach the origin servers directly, so the origin should accept traffic solely from the provider's addresses and its real address should not be advertised in DNS.

Infrastructure Improvements

Consider increasing bandwidth and server capacity.  DDoS attacks attempt to overwhelm available resources, so additional resources let you withstand larger attacks.  This means having more server capacity or bandwidth than normal operation requires.  Such over-provisioning addresses the number one problem brought on by a DDoS attack: link and equipment saturation.  Unfortunately, it is difficult to determine how much extra hardware and bandwidth is needed to withstand an attack, as even some of the largest companies have succumbed to DDoS attacks.  When an attack fails, attackers often gather a larger bot army and try again.

Traffic Filtering

Consider configuring your firewall or IPS (Intrusion Prevention System) to filter DDoS traffic, if the functionality is available, or consider upgrading to a system that does.  Note that an IDS on its own only raises alerts; it does not drop traffic.  DDoS filtering devices block SYN floods, other TCP floods and similar attacks.  Such devices typically track TCP connection state, filter packets, rate-limit individual sources and apply blacklists and whitelists.
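The decision logic at the heart of such a device, reduced to its essentials, is a per-source rate limiter combined with a blacklist and a whitelist. The following is an added example written for this article, not the author's code or any vendor's product: a token bucket per source address, fed a constructed five-second packet trace. The addresses are RFC 5737 documentation ranges and the rate, burst and traffic figures are illustrative assumptions, not recommended tunings.

```python
"""Per-source rate limiting with a whitelist and a blacklist, the decision logic
behind the packet filtering a DDoS filtering device performs. Added example,
not the article's or any vendor's code; addresses are RFC 5737 documentation
ranges and the rates are illustrative assumptions."""
from collections import Counter, defaultdict


class SourceRateLimiter:
    """Token bucket per source address: each source may send a burst of `burst`
    packets, then `rate_per_sec` packets per second on average."""

    def __init__(self, rate_per_sec, burst, allowlist=(), blocklist=()):
        self.rate = float(rate_per_sec)
        self.burst = float(burst)
        self.allowlist = set(allowlist)   # whitelist: trusted sources bypass the limiter
        self.blocklist = set(blocklist)   # blacklist: known-bad sources dropped outright
        self.buckets = {}                 # ip -> (tokens, arrival time of last packet)

    def decide(self, ip, now):
        """Return 'accept' or 'drop' for one packet from `ip` arriving at `now` (seconds)."""
        if ip in self.blocklist:
            return "drop"
        if ip in self.allowlist:
            return "accept"
        tokens, last = self.buckets.get(ip, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)  # refill since last packet
        if tokens >= 1.0:
            self.buckets[ip] = (tokens - 1.0, now)
            return "accept"
        self.buckets[ip] = (tokens, now)
        return "drop"


def filter_packets(packets, limiter):
    """packets: iterable of (arrival_seconds, source_ip) in arrival order.
    Returns {ip: Counter({'accept': n, 'drop': m})}."""
    verdicts = defaultdict(Counter)
    for now, ip in packets:
        verdicts[ip][limiter.decide(ip, now)] += 1
    return verdicts


def make_sample_packets():
    """Constructed five-second trace (not real traffic): a user at 2 pkt/s, a
    whitelisted monitor at 50 pkt/s, a bot at 200 pkt/s and a blacklisted host."""
    trace = [(k * 0.5, "198.51.100.5") for k in range(10)]
    trace += [(k * 0.02, "192.0.2.1") for k in range(250)]
    trace += [(k * 0.005, "203.0.113.10") for k in range(1000)]
    trace += [(k * 1.0, "203.0.113.99") for k in range(5)]
    return sorted(trace)


def run_filter():
    """Run the constructed trace through a limiter allowing 10 pkt/s with a burst of 20."""
    limiter = SourceRateLimiter(rate_per_sec=10, burst=20,
                                allowlist=["192.0.2.1"], blocklist=["203.0.113.99"])
    return filter_packets(make_sample_packets(), limiter)


if __name__ == "__main__":
    for ip, verdict in sorted(run_filter().items()):
        print(f"{ip:15} accepted {verdict['accept']:4d} dropped {verdict['drop']:4d}")
```

The bot gets its initial burst of 20 and then roughly 10 packets per second, so about 70 of its 1,000 packets pass and the rest are dropped, while the legitimate user's traffic is untouched. This is also why a brute-force flood from thousands of sources is harder to handle: each bot may stay under the per-source limit while the aggregate still saturates the link, which is where the upstream and cloud-based options above come in.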

Real-Time Monitoring

Another way to protect against a DDoS attack is real-time monitoring, which can identify an attack early.  Such a system must be actively watched so that action can be taken quickly to resolve the situation.  DDoS attacks can ramp up quickly, so administrators might not have much time to respond once an alert comes in.  Integrating site and device monitoring with a SIEM leverages existing technology to defend against this attack.

It should be noted that not all DDoS attacks happen immediately.  Some are performed slowly so that they will not be noticed as easily, gradually increasing the number of requests made to resources until the resources become unavailable.  It is important to have baselines of system performance and expected use so that current data can be compared against them to classify traffic as legitimate or as a potential DDoS attack.

Consider monitoring log file sizes and growth rates.  Some monitoring tools create a more critical event and alert when a significant number of informational events are generated, so that administrators can stay on top of problem areas.  Informational events might not appear in reports, and individually they would not indicate a problem, but collectively they can indicate a DDoS attempt or other hostile activity.
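The three monitoring ideas above (compare against a baseline, watch for a slow ramp-up, and escalate when many individually harmless events pile up) can be demonstrated on ordinary web-server access logs. The following is an added example for this article, not the author's code: it parses combined-log-format lines, buckets them into one-minute windows and raises three kinds of alert. The log lines are constructed inside the example using RFC 5737 documentation addresses, the baseline is taken from the first three quiet minutes, and the spike ratio, ramp length and 4xx threshold are assumptions to be tuned against your own baselines rather than recommended values.

```python
"""Baseline-vs-current request-rate check over web-server access-log lines.
Added example for this article, not the author's code. The log lines are
constructed below (RFC 5737 documentation addresses); the baseline, ratio and
thresholds are assumptions, not recommended tunings."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# One combined-log-format record, e.g.
# 203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line; return None for anything that is not a record."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "status": int(m["status"])}


def window_counts(entries, window=timedelta(minutes=1)):
    """Bucket entries into fixed windows starting at the earliest timestamp.
    Returns [(window_start, total, Counter(ip -> requests), count_of_4xx), ...]."""
    if not entries:
        return []
    start = min(e["ts"] for e in entries)
    buckets = {}
    for e in entries:
        idx = int((e["ts"] - start) / window)
        b = buckets.setdefault(idx, {"ips": Counter(), "errors": 0})
        b["ips"][e["ip"]] += 1
        if 400 <= e["status"] < 500:
            b["errors"] += 1
    return [(start + i * window, sum(b["ips"].values()), b["ips"], b["errors"])
            for i, b in sorted(buckets.items())]


def detect(windows, baseline, spike_ratio=3.0, ramp_len=3, error_threshold=20):
    """Compare each window with the baseline requests-per-window figure.
    spike  : total at or above spike_ratio * baseline (the brute-force flood)
    ramp   : ramp_len consecutive windows, each above baseline and each busier
             than the one before (the slow build-up described in the article)
    errors : more than error_threshold 4xx responses in one window, i.e. many
             individually uninteresting events that together deserve an alert
    Returns [(window_start, kind, detail), ...] in time order."""
    alerts, run, prev_total = [], 0, None
    for start, total, per_ip, errors in windows:
        if total >= spike_ratio * baseline:
            alerts.append((start, "spike",
                           f"{total} requests vs baseline {baseline:.1f}; "
                           f"top sources {per_ip.most_common(2)}"))
        run = run + 1 if total > baseline and (prev_total is None or total > prev_total) else 0
        if run == ramp_len:
            alerts.append((start, "ramp",
                           f"{ramp_len} consecutive windows rising above baseline"))
        if errors > error_threshold:
            alerts.append((start, "errors", f"{errors} 4xx responses in one window"))
        prev_total = total
    return alerts


def make_sample_log():
    """Constructed sample (not real traffic): three quiet minutes, a three-minute
    ramp, then a two-source flood of 404s."""
    t0 = datetime(2023, 10, 10, 13, 0, tzinfo=timezone.utc)
    users = ["198.51.100.%d" % i for i in range(1, 6)]
    bots = ["203.0.113.10", "203.0.113.11"]
    plan = [(10, users, 200), (12, users, 200), (9, users, 200),       # baseline
            (15, users + bots, 200), (22, bots, 200), (30, bots, 200),  # slow ramp
            (120, bots, 404)]                                           # flood
    lines = []
    for minute, (n, pool, status) in enumerate(plan):
        for k in range(n):
            ts = t0 + timedelta(minutes=minute, seconds=k * 60 // n)
            lines.append(f'{pool[k % len(pool)]} - - [{ts.strftime(TS_FMT)}] '
                         f'"GET /index.html HTTP/1.1" {status} 512')
    lines.append("not an access-log record")  # exercises the None path of parse_line
    return lines


def run_check(lines=None, baseline=None):
    """Parse, window and detect. With no baseline given, the mean of the first
    three windows stands in for a baseline learned from normal operation."""
    lines = make_sample_log() if lines is None else lines
    entries = [e for e in map(parse_line, lines) if e is not None]
    windows = window_counts(entries)
    if baseline is None:
        head = windows[:3]
        baseline = sum(w[1] for w in head) / max(len(head), 1)
    return windows, detect(windows, baseline)


if __name__ == "__main__":
    windows, alerts = run_check()
    for start, total, per_ip, errors in windows:
        print(start.strftime("%H:%M"), f"{total:4d} req", f"{errors:4d} 4xx", per_ip.most_common(2))
    for start, kind, detail in alerts:
        print("ALERT", start.strftime("%H:%M"), kind, detail)
```

On the constructed sample the ramp alert fires at 13:05, a full minute before the traffic is large enough to count as a spike, which is the point of keeping a baseline: the slow attack is visible as a trend long before it saturates anything. In production the baseline should be learned per hour of day and day of week, since a Monday-morning peak compared against a Sunday-night baseline will alert on perfectly legitimate traffic.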

Log Maintenance 

Both genuine users and DDoS traffic generate server log events, and some services reject connections once the log fills up.  As mentioned earlier, log growth rates and sizes can indicate an attack, but to prevent a full log from making a system unavailable you can increase log file sizes, archive logs or roll the logs over.  If a system is deliberately configured to refuse connections when its log is full, you should not implement log rollover, because that refusal is a security control: it ensures that no access goes unrecorded.  In that case, use archiving or larger log files to keep the server available.

Community

Finally, information security departments can work closely with the botnet hunter community.  DDoS attacks rely on bots to perform their work, but if the bots are known, control of them can potentially be wrested from the attacker.  Knowing who to call to nip an attack in the bud, rather than letting it grow, can save valuable time and effort.  Know who to call at your upstream service provider to help filter attacks.  Your Internet provider might have specialized equipment to reduce DDoS traffic, so put a plan in place to work with them before you need it.

A DDoS is an outside attack, but not one that seeks to install or plant something within the company in order to steal information.  Instead, it hits the server with so many requests that business is halted.  DDoS attacks can do a lot of damage to organizations that rely on the availability of key information systems, which is why we have outlined the five activities above that can mitigate the effects of an attack.

About The Author


Eric Vanderburg

Eric Vanderburg is an author, thought leader, and consultant. He serves as the Vice President of Cybersecurity at TCDI and Vice Chairman of the board at TechMin. He is best known for his insight on cybersecurity, privacy, data protection, and storage. Eric is a continual learner who has earned over 40 technology and security certifications. He has a strong desire to share technology insights with the community. Eric is the author of several books and he frequently writes articles for magazines, journals, and other publications.

13 Comments

  1. Excellent story in that it contains a message worth repeating often. Commonly, network attacks are regarded as an until-it-happens-to-you scenario. But there is a significant probability of a computer network attack on many commercial networks, and which specifically may track the amount of data retained by a client.

    1. Just for fun, you could invade the private irc server and take control of its admin machine 😛 leave a threatening message to never try that again :) Btw, what's the utility name so we can avoid downloading it?

  2. We definitely need some way of defending against DDoS. It’s not right for the hackers to be able to take down web sites so easily.

  3. It is very tough to defend against a full force DDOS attack but many attacks are light-weight and done by those without heavy resources.
