Distributed denial-of-service attack defense
There's no doubt that those persons behind recent high-profile distributed denial-of-service (DDoS) attacks have a deep understanding of the inner workings of the Internet. This knowledge, combined with a lack of basic security in many key Internet protocols, means that enterprises are at a disadvantage when it comes to defending themselves against these types of attack.
That's why enterprises, governments and industry groups have been working on broad industry initiatives to reduce the occurrence of powerful DDoS attacks. In most countries, acts have been passed outlawing DDoS attacks -- such as the Computer Fraud and Abuse Act in the U.S. and the Computer Misuse Act in the UK -- but legislation against cybercrime is ineffective as a deterrent.
In this tip, I will discuss a number of other initiatives aimed at reducing the occurrence and power of distributed denial-of-service attacks.
Measuring the threat of DDoS attacks
The fact that DDoS attacks are now powerful enough to threaten U.S. critical infrastructure explains why various government agencies are starting to mandate that DDoS mitigation plans be put in place. For example, financial institutions regulated by the Federal Financial Institutions Examination Council must now monitor for DDoS attacks, activate an incident response plan and ensure sufficient staffing for the duration of an attack, including the use of pre-contracted third-party servicers, if appropriate. They are also being encouraged to share attack details with the Financial Services Information Sharing and Analysis Center and law enforcement authorities to help other institutions identify and mitigate new threats and tactics.
Global cooperation against cyberthreats like DDoS attacks is improving. Because botnets are a major menace and a popular DDoS weapon, the FBI and the Department of Homeland Security share with over 100 other countries the IP addresses of thousands of computers they believe to be infected with DDoS malware. The White House Cybersecurity Office, the Departments of Commerce and Homeland Security and the Industry Botnet Group are also working closely together to combat botnets. The dismantling of botnets certainly helps improve the security situation, but this is a never-ending task.
Preventing DDoS attacks
The long-term answer to preventing DDoS attacks is to strengthen the Internet protocols that attackers use to initiate an attack and to mandate that systems be upgraded to benefit from best practices. For example, many DDoS attacks work because attackers can generate traffic with spoofed source IP addresses. IETF Best Common Practices document BCP 38 recommends that network operators filter packets entering their networks from downstream customers and discard any packets that have a source address not in their address range. This stops hackers from sending packets claiming to originate from another network -- i.e., spoofing. However, applying BCP 38 is an expense with no direct or immediate benefit and so is not extensively implemented despite the benefits to the broader community.
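The BCP 38 rule in practice, as an added illustration written for this tip (not code from the IETF document or any router vendor): each customer-facing interface has a known set of assigned prefixes, and a packet whose source address is outside those prefixes is discarded at the edge. The interface names, prefixes and packets below are constructed; a real deployment expresses the same check as an ingress ACL or unicast reverse-path forwarding, but the decision is identical.

```python
"""Simplified BCP 38 ingress filter (illustrative, not a router implementation).
A packet entering from a customer-facing interface is forwarded only if its
source address lies within a prefix assigned to that customer."""
import ipaddress

# Constructed example mapping: customer-facing interface -> prefixes assigned to it.
CUSTOMER_PREFIXES = {
    "eth1": ["198.51.100.0/24"],
    "eth2": ["203.0.113.0/25", "2001:db8:1::/48"],
}

def build_filter(prefix_map):
    """Parse the prefix strings once so the per-packet check stays cheap."""
    return {ifname: [ipaddress.ip_network(p) for p in prefixes]
            for ifname, prefixes in prefix_map.items()}

def ingress_allowed(filt, ifname, src):
    """True if src falls inside a prefix assigned to ifname.
    Malformed addresses and unknown interfaces are rejected (default deny)."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in filt.get(ifname, []))

def apply_ingress_filter(filt, packets):
    """Split (interface, src, dst) tuples into forwarded and dropped lists."""
    forwarded, dropped = [], []
    for pkt in packets:
        ifname, src, _dst = pkt
        (forwarded if ingress_allowed(filt, ifname, src) else dropped).append(pkt)
    return forwarded, dropped

# Constructed sample packets as (ingress interface, source, destination).
SAMPLE_PACKETS = [
    ("eth1", "198.51.100.7", "192.0.2.10"),      # legitimate customer source
    ("eth1", "192.0.2.10", "198.51.100.7"),      # spoofed: source belongs elsewhere
    ("eth2", "203.0.113.200", "192.0.2.10"),     # outside the /25 assigned to eth2
    ("eth2", "2001:db8:1::5", "2001:db8:2::1"),  # legitimate IPv6 source
    ("eth9", "203.0.113.1", "192.0.2.10"),       # unknown interface: default deny
]

if __name__ == "__main__":
    fwd, drop = apply_ingress_filter(build_filter(CUSTOMER_PREFIXES), SAMPLE_PACKETS)
    print("forwarded:", fwd)
    print("dropped:  ", drop)
```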
Network administrators can improve the overall security of the Internet by ensuring that they are following other best practices. For instance, they should be familiar with the DDoS Quick Guide from the Department of Homeland Security and also be implementing advice provided by projects such as the Open Resolver Project. Open resolvers are used in DNS-amplification DDoS attacks because they answer recursive queries from any client, including hosts outside the network they are meant to serve. The project has compiled a list of 28 million resolvers that pose a significant threat and provides details on configuring DNS servers to reduce the threat of DNS-amplification attacks.
As always, ensuring the latest versions of software are installed can make systems less vulnerable to hackers looking to harness their resources as part of a DDoS attack. For example, be sure to update DNS servers running BIND, as the Internet Systems Consortium has now integrated Response Rate Limiting (RRL) into the latest versions. RRL helps mitigate DNS amplification attacks by detecting patterns that suggest abuse and reducing the rate at which replies are sent. Be sure to also update Network Time Protocol servers, since all versions prior to 4.2.7 are vulnerable to being used in an NTP amplification attack.
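An added example covering the two DNS points above (open resolvers and RRL), written for this tip and not taken from BIND or the Open Resolver Project: a simplified response rate limiter that counts identical responses per client netblock per second, drops the excess, and occasionally sends a truncated reply so a real client behind a spoofed address can retry over TCP. The limits, netblock size and query log are constructed; for a resolver that should not be open at all, the first fix remains restricting recursion to its own clients, and RRL then blunts whatever amplification the server must still answer.

```python
"""Simplified DNS Response Rate Limiting (RRL), illustrating the idea the text
describes: count identical responses per client netblock per second, drop
responses above a limit, and turn every Nth rate-limited response into a
truncated (TC=1) reply so a genuine client can retry over TCP. Constructed
example, not BIND's implementation; limits and log lines are made up."""
import ipaddress
from collections import defaultdict

RESPONSES_PER_SECOND = 5   # hypothetical per-block, per-response limit
SLIP = 2                   # every 2nd rate-limited response is sent truncated
IPV4_BLOCK = 24            # spoofed floods usually spread over a whole /24 (IPv4 only here)

class ResponseRateLimiter:
    def __init__(self, limit=RESPONSES_PER_SECOND, slip=SLIP):
        self.limit, self.slip = limit, slip
        self.sent = defaultdict(int)     # (second, block, qname, qtype) -> answered
        self.limited = defaultdict(int)  # same key -> rate-limited responses

    def decide(self, ts, client_ip, qname, qtype):
        """Return 'answer', 'truncate' or 'drop' for one would-be response."""
        block = ipaddress.ip_network(f"{client_ip}/{IPV4_BLOCK}", strict=False)
        key = (int(ts), str(block), qname.lower(), qtype.upper())
        if self.sent[key] < self.limit:
            self.sent[key] += 1
            return "answer"
        self.limited[key] += 1
        if self.slip and self.limited[key] % self.slip == 0:
            return "truncate"   # TC=1: legitimate clients fall back to TCP
        return "drop"           # spoofed victim never receives the amplified reply

def run_log(log, limiter=None):
    """Feed (timestamp, client, qname, qtype) records through the limiter; tally decisions."""
    limiter = limiter or ResponseRateLimiter()
    tally = defaultdict(int)
    for ts, ip, qname, qtype in log:
        tally[limiter.decide(ts, ip, qname, qtype)] += 1
    return dict(tally)

# Constructed log: 20 ANY queries for one name, spoofed across 198.51.100.0/24
# within one second (amplification pattern), plus two ordinary queries from another host.
QUERY_LOG = [(0.1 + i * 0.04, f"198.51.100.{i}", "example.com", "ANY") for i in range(20)]
QUERY_LOG += [(0.3, "203.0.113.9", "example.com", "A"),
              (0.9, "203.0.113.9", "www.example.com", "A")]

if __name__ == "__main__":
    print(run_log(QUERY_LOG))   # {'answer': 7, 'truncate': 7, 'drop': 8}
```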
While large enterprises such as financial institutions are obvious targets for certain attackers, they at least have the money and resources to implement the latest security technologies and best practices. Smaller organizations with limited resources, though, still have potentially powerful adversaries. This is one reason Google launched Project Shield: to allow those running news, human rights or election-related websites to publish their content through Google's vast DDoS mitigation infrastructure. These types of initiatives aim mainly to dissipate the effects of a DDoS attack by ensuring potential victims have enough resources to withstand an attack.
Full sharing of DDoS mitigation resources and implementation of industry best practices may take time and resources and not provide any immediate payback, but the Internet is a community project and the battle against DDoS attacks is a shared responsibility. Unless everyone plays their part, no number of initiatives will rid us of the curse of DDoS attacks.
About the author:
Michael Cobb, CISSP-ISSAP, is a renowned security author with over 20 years of experience in the IT industry. He has a passion for making IT security best practices easier to understand and achievable. He co-authored the book IIS Security and has written many technical articles for leading IT publications. Mike has also been a Microsoft Certified Database Manager and registered consultant with the CESG Listed Advisor Scheme (CLAS).