Last week's distributed denial-of-service attack against the Internet's infrastructure demonstrates the powerlessness...
of individual enterprises in defending against these assaults.
Attackers flooded the 13 root Domain Name System (DNS) servers with packets in hopes of blocking requests from legitimate users. DNS servers are known as the Internet's directories; they translate domain names into IP addresses and vice versa.
While unsuccessful, the attacks demonstrate that denial-of-service attacks must be dealt with as far upstream as possible. In other words, there isn't much that individual companies can do prevent from getting hit by these attacks, experts said.
The theory behind DDoS attacks isn't complex. The attackers are analogous to people who repeatedly dial a phone number. It's unlikely legitimate calls can get through because the bogus calls dominate.
At a minimum, companies can take precautions to prevent their systems from being used as "callers" in DDoS attacks. Keeping systems patched and configured properly would lessen the pool of systems that attackers can hijack, said Paul Robertson, director of risk assessment at Herndon, Va.-based TruSecure Corp.
Additionally, companies should make sure their outbound traffic is legitimately addressed. While this wouldn't prevent attacks, it would be useful in tracing attacks back to systems that are being used. Companies would rather know sooner than later that their systems are being used in such attacks, Robertson said.
"Besides, there really isn't much you can do [to prevent DDoS attacks]," he said.
On the other hand, service providers can help prevent DDoS attacks by monitoring for increased network activities at specific customers. ISPs have gotten better at this over the last two years, Robertson said.
Customers can demand this type of protection while negotiating with providers, much as they would for better and cheaper service, said Ted Julian, co-founder and chief strategist for Arbor Networks, which manufacturers appliances to detect DDoS attacks. "You can write it into the [service-level agreement] in specific language about what they will do if you experience DDoS attacks," he said.
Julian sees offering such protection as a differentiator for ISPs. All T1 lines are about the same, but providers can offer customers something different such as DDoS protections.
The first step in protecting systems from DDoS attack is getting a handle on normal network activity. This baseline allows monitors to know when an attack may be afoot. The surest way of dealing with such attacks is at the edge, namely at the specific routers or firewalls getting hit, Julian said.
The federal government is very aware of the dangers of DDoS attacks and also realize that it is a service provider problem, Julian said.
It would be great if everyone kept their systems patched, but getting that to happen may not be practical. In other words, it would be easier to get the service providers, either through tax credits or mandates, to address the DDoS problem than to get millions of users to patch their systems, Julian said.