Defying DDoS: Lessons for enterprises

A year ago, no one would have thought The SCO Group would be the target of one of the biggest distributed denial-of-service attacks in history. But earlier this month, the company's Web site was knocked offline by just such an attack.

Most companies don't generate the animosity that would provoke such an attack, but the Lindon, Utah-based company is suing IBM for allegedly donating SCO-owned code to the Linux kernel. If successful, the suit would be a major blow to the open source operating system.

Just last week, the network worm Doomjuice-A surfaced. It is programmed to launch a DDoS attack on Microsoft's homepage, but it didn't spread widely enough to pose much of a threat, and Microsoft is well practiced at dealing with DDoS attacks.

The only companies likely to face such an attack are those that "are treading on thin ice already" with the hacker and virus-writing communities, said Richard Stiennon, vice president of research for network security at Stamford, Conn.-based analysis firm Gartner Inc. Large online retailers may also be attacked simply because they are so well known, and knocking them offline would make a lot of noise.

"The run-of-the-mill company probably wouldn't be the target of such a DDoS attack," Stiennon said. But an ordinary company may still have to worry about inadvertent attacks from worms such as Nimda or Code Red, whose scanning and propagation traffic can hit a company's site so hard that it buckles under the load.

Stiennon stressed that it is possible to withstand a major DDoS attack, but it requires planning. First, a company needs to make sure it has ample server and network capacity. It should also consider load balancing its site across multiple servers so that it "becomes a moving target," he said.

Company officials can talk with their ISPs to find out whether the provider can separate out traffic associated with an attack. For example, an ISP can block the IP range an attack is coming from, Stiennon said.

Having a redundant network connection with a different IP range is also a good defense if a company's main pipe is targeted. Companies can also invest in products that filter attack packets before they reach the servers.
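Before asking an ISP to block a range, a site operator has to know which ranges the attack traffic is coming from and how many legitimate users share them. The script below is an added example and not part of the original article or of any vendor's product: it parses combined-format web access-log lines (the log lines are constructed sample data using RFC 5737 documentation addresses, not real traffic), aggregates request rates per /24, lists the prefixes above a rate threshold together with the number of distinct hosts seen in each, and then breaks a flagged prefix down by host so the operator can decide between handing the ISP the whole range or only the offending addresses. The threshold value and the log format are assumptions.

```python
"""Pick source ranges to hand an upstream ISP for filtering during a flood.

Added example (not from the original article). Assumes Apache/nginx
combined-format access logs and an arbitrary rate threshold.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Leading fields of the combined log format: client, ident, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": ipaddress.ip_address(m.group("ip")),
        "ts": ts,
        "req": m.group("req"),
        "status": int(m.group("status")),
    }


def summarize_prefixes(lines, prefix_len=24):
    """Per-prefix request count, distinct hosts and observed time window."""
    stats = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        net = ipaddress.ip_network(f"{rec['ip']}/{prefix_len}", strict=False)
        s = stats.setdefault(net, {"requests": 0, "hosts": set(),
                                   "first": rec["ts"], "last": rec["ts"]})
        s["requests"] += 1
        s["hosts"].add(rec["ip"])
        s["first"] = min(s["first"], rec["ts"])
        s["last"] = max(s["last"], rec["ts"])
    return stats


def block_candidates(lines, rate_threshold=5.0, prefix_len=24):
    """Prefixes whose request rate (requests/second over their window) meets the threshold.

    Each entry carries the number of distinct hosts seen, so the operator can
    judge how much legitimate traffic a range-wide block would also cut off.
    """
    out = []
    for net, s in summarize_prefixes(lines, prefix_len).items():
        seconds = (s["last"] - s["first"]).total_seconds() + 1  # inclusive window
        rate = s["requests"] / seconds
        if rate >= rate_threshold:
            out.append({"prefix": str(net), "rate": round(rate, 1), "hosts": len(s["hosts"])})
    return sorted(out, key=lambda e: e["rate"], reverse=True)


def hosts_in_prefix(lines, prefix):
    """Request counts per host inside a prefix, busiest first (for narrower /32 blocks)."""
    net = ipaddress.ip_network(prefix)
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["ip"] in net:
            counts[str(rec["ip"])] += 1
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)


def sample_log():
    """Constructed sample log lines (RFC 5737 addresses); not real traffic."""
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512'
    lines = []
    # Three flooding hosts in 198.51.100.0/24 each request the front page 4 times a second for 10 s.
    for sec in range(10):
        for host in (17, 18, 19):
            for _ in range(4):
                lines.append(fmt.format(ip=f"198.51.100.{host}",
                                        ts=f"10/Feb/2004:12:00:{sec:02d} +0000",
                                        path="/", status=200))
    # One legitimate client in the same /24 and two elsewhere browse normally.
    lines.append(fmt.format(ip="198.51.100.200", ts="10/Feb/2004:12:00:03 +0000", path="/products", status=200))
    lines.append(fmt.format(ip="203.0.113.5", ts="10/Feb/2004:12:00:05 +0000", path="/about", status=200))
    lines.append(fmt.format(ip="203.0.113.9", ts="10/Feb/2004:12:00:07 +0000", path="/downloads", status=200))
    return lines


if __name__ == "__main__":
    log = sample_log()
    for cand in block_candidates(log):
        print(f"{cand['prefix']}: {cand['rate']} req/s from {cand['hosts']} hosts")
        for ip, n in hosts_in_prefix(log, cand["prefix"]):
            print(f"  {ip}: {n} requests")
```

On the constructed data the /24 is flagged at about 12 requests per second, but the per-host breakdown shows three addresses producing all but one of the requests, so the ISP can be asked for three host blocks instead of a range block that would also cut off the legitimate client in that network.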

SCO took a novel approach and switched its site to a different domain name (from www.sco.com to www.thescogroup.com). Such a tactic costs a company very little and can be a clever way of getting around an attack, as long as the new name points at infrastructure the attack traffic is not already hitting and users can find it.

Another strategy is prioritizing the site's resources: pulling streaming media or large file downloads from the site during an attack so that requests for more important content can get through, Stiennon said.

SCO could have learned a lot from Spamhaus, a group dedicated to getting rid of spam. The group's Web site has been hit continually by DDoS attacks, many of them between 100 and 500 megabytes per second. In November the site withstood three concurrent attacks, said Steve Linford, founder of Spamhaus. The group has 26 DNS servers, all on different networks, and the site itself is load-balanced across a number of servers on networks large enough to shoulder DDoS attacks, Linford said.

"We feel that keeping the site online is a must, otherwise the attacker wins," he said. "Also, with each attack we learned more about who was attacking us, their motives, the extent of their resources and therefore how to better defend ourselves."
