Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Defense is the best offense for preventing DoS attacks

Expert Michael Cobb discusses how developing a response plan in conjunction with service providers can help enterprises better thwart DoS attacks.

My website, which runs PHP on Windows Server, was recently hit by a denial-of-service attack. The attacker has been using a proxy to change the IP. What is the best way to stop this attack? Is preventing DoS attacks a possibility?

It is impossible to stop a malicious third party from launching a denial-of-service (DoS) attack against a publicly available website -- it doesn't matter what type of Web server or scripting language is used. The adage "defense is the best offense" proves true in this case; enterprises would be wise to have an action plan in place for mitigating the effects of an attack when it happens. Spoofed attacks can be successfully launched even by an attacker with limited resources, and those using botnets can generate the volume of traffic required to take down or severely disrupt even large, heavily defended sites.

DoS and distributed DoS (DDoS) attacks attempt to make a resource, such as a website, email or entire network, unavailable to its intended users. There are various techniques that can be used, but the aim is to overwhelm the target with requests and data so it responds so slowly that it is either unusable or crashes completely. Those behind a DoS attack always modify or spoof the source addresses in the attack packets to hide their identity, making it difficult for the victim to distinguish them from those sent by legitimate users.

Spoofing is only effective in Layer 3 User Datagram Protocol attacks because UDP is a stateless protocol and doesn't require a connection handshake. The domain name system protocol uses UDP and has been operated in reflection and amplification DDoS attacks to generate massive amounts of traffic. Such an attack against Spamhaus last year was estimated to have peaked at 300 Gbps. An attack of this scale can only be thwarted by using a service such as CloudFlare or Akamai's KONA service, both of which can prevent attack traffic from being concentrated on any one location. By using anycast, a network addressing and routing methodology, these services diffuse the impact of a DDoS attack by spreading requests to geographically dispersed servers. Enterprises may wish to adopt this type of service if their websites are subject to frequent and sustained DDoS attacks.

Smaller scale DoS attacks can be detected and mitigated by various network perimeter appliances such as firewalls or intrusion detection systems. Additionally, many hosting service providers offer add-on DDoS mitigation services, including proprietary detection, monitoring and mitigation tools. Some providers also have security teams that can react in real-time to changing attack characteristics. However, they won't necessarily have the ability to absorb large-scale attacks.

The escalating strength and sophistication of today's threats means enterprises need a strategy in place for preventing DoS attacks quickly. Publicly available services should be run on dedicated servers so only the ports required for that service need to be open. A response plan should be drawn up in conjunction with the service providers involved so that important decisions, such as when to reroute traffic to be scrubbed, don't have to be made in the heat of the moment. While spoofed denial-of-service attacks can't be stopped, having a well-drilled team working to a tested response plan, which has been drawn up in collaboration with the relevant service providers, can keep the disruption to a minimum.

Ask the Expert!
Perplexed about application security? Send Michael Cobb your questions today! (All questions are anonymous.)

This was last published in June 2014

Dig Deeper on DDoS attack detection and prevention

Join the conversation

1 comment

Send me notifications when other members comment.

Please create a username to comment.

What about a service such as Verizon's DDOS, especially as compared to CloudFlare or Akamai's KONA service?