Distributed Denial of Service Attacks: Protect Your Site from this Growing Threat

Prolexic Technologies Inc | www.prolexic.com

Not only do these attacks cost online organizations millions in lost revenues, they damage reputations and customer relationships.

Until recently, the tools used to mitigate DDoS attacks were inadequate. Traditional security solutions, such as routers, firewalls, and intrusion detection devices, were never designed to protect against DDoS attacks. While newer DDoS mitigation hardware devices do provide intrusion prevention capabilities that can proactively guard against DDoS attacks, these solutions are unable to withstand the rapidly increasing magnitudes of today’s attacks, which have grown 3X over the past year and now reach over 10Gbps.

This article describes:

  • The growing DDoS threat to online organizations today
  • Anatomy of a Denial of Service Attack
  • Why existing solutions are unable to address DDoS threats
  • The steps and technologies necessary to protect today’s online organizations

DDoS: A Growing Threat

Distributed denial of service (DDoS) attacks—in which compromised PCs controlled by remote attackers inundate a victim’s network resources with the intent of crashing the victim’s web or application servers—are among the most serious threats on the Internet today. Twenty-five percent of respondents to the 2006 CSI/FBI Computer Crime and Security Survey performed by the Computer Security Institute had experienced a DDoS attack. Worldwide, as many as 10,000 such attacks occur each day.

DDoS attacks, moreover, are growing larger and more destructive. While the largest attacks in 2005 were 3.5Gbps, attack sizes have grown by 3X during 2006 to more than 10Gbps. With attacks of this size at their disposal, attackers now have the capacity to take out entire hosting/co-location facilities by brute force.

The costs of these attacks can be monumental. Forrester, IDC, and the Yankee Group estimate that the cost of a 24-hour outage for a large e-commerce company would approach $30 million. The cost to a financial institution would almost certainly be greater. Victims of these attacks also suffer from lost credibility and customer/partner confidence.

Anatomy of a Denial of Service Attack

DDoS attacks are among the nastiest and most difficult of all Internet attacks to address. They are very easy to launch and hard to trace, and it is difficult to refuse the attackers’ requests without also refusing legitimate requests for service.

Distributed denial of service (DDoS) attacks originate from a group of computers (often called a botnet), typically personal computers with broadband Internet connections that have been compromised by viruses. The virus creator remotely controls these infected machines (often called zombies), using them to collectively "flood" a network with bogus packets and thereby prevent legitimate traffic from reaching a system. The distributed nature of these attacks makes them especially difficult to stop or prevent. With enough compromised hosts, these attacks can bring down even the largest and best-connected websites.

Regardless of whether they originate from one or many machines, denial of service attacks are highly disruptive. With the increased bandwidth and computing horsepower of today’s PCs and servers, even a single zombie can generate an attack of hundreds of megabits per second that causes as much damage to an unprepared target as a distributed attack. Enterprises must therefore treat all types of DDoS attacks seriously.

Current Solutions—And Why They Fail

Today, online organizations can turn to hardware designed specifically to mitigate DDoS attacks. While organizations can purchase these solutions themselves, many internet service providers (ISPs) have also begun offering these DDoS mitigation devices on their networks.

Typically billed as plug-and-play, one-size-fits-all solutions, these DDoS mitigation devices employ newer intrusion prevention technology that not only inspects traffic but also takes proactive action to mitigate attacks based on rules established by the network administrator. For example, an intrusion prevention system (IPS) might drop a packet that it determines to be malicious and block all further traffic from that IP address or port while allowing unaffected traffic to flow unimpeded. These mitigation systems can perform complex monitoring and analysis, such as watching and responding to both individual packets and overall traffic patterns.

Unfortunately, these solutions suffer from performance limitations. Regardless of the horsepower of the hardware included with the solution, the rapidly increasing size of today’s attacks means that any static hardware device will ultimately be unable to keep up with attacks. After hardware devices reach their limits, they allow “attack leakage” back onto the system, hurting the network. Modifying these solutions to add capacity is a slow process that can take days to years—far slower than the rate at which attack sizes are increasing.

Networks themselves can also be a bottleneck. Should a high packet-per-second DDoS attack cause a network or upstream router to fail, the network can crash before the mitigation hardware has a chance to do its job.

To make matters worse, very intelligent people launch DDoS attacks and can alter an attack in real time based on its outcome. As these attackers become familiar with the various types of DDoS mitigation hardware, they are able to come up with ways to circumvent these devices.

When ISPs provide DDoS mitigation hardware on their networks, their NOC staff are unable to fight back against constantly changing types of DDoS attacks because they are not trained experts in DDoS attacks. Moreover, most ISP service level agreements (SLAs) are typically limited to a GigE connection, which is 1Gbps, while today’s attacks can reach 10 Gbps.

Fighting Back: Requirements for a Solution

As this article has shown, modern DDoS attacks are characterized by increasingly large sizes, often hit multiple locations at once, and simultaneously use multiple attack types to overwhelm all layers of the OSI model. To make matters worse, attackers are very adept at modifying their attacks to circumvent solutions as they are unveiled. DDoS attacks are thus an ever-changing problem, akin to an arms race. As a result, mitigating DDoS attacks requires a highly scalable and holistic approach that identifies the sources of attacks wherever possible (in order to block them directly), uses multiple pieces and types of equipment to protect every OSI layer, and draws on DDoS experts who can react immediately as new types of attacks arise.

Over the past several years, a new breed of outsourced, managed service providers has begun to address the challenges posed by today’s massive DDoS attacks by providing:

  • High capacity and scalability
  • Complete monitoring and filtering at all OSI layers
  • Multiple routing options
  • Adaptability to new attacks
  • Service Level Agreements

High-capacity and scalability

In order to handle today’s massive attacks, online organizations need tremendous amounts of bandwidth for routing network traffic away from their website, huge processing capacity to filter this traffic, and the ability to deliver purified traffic back to the site. Organizations of all sizes find that acquiring the requisite bandwidth and processing capacity is an expensive proposition, particularly when these resources will be used infrequently.

Today, managed service provider companies are able to spread the cost of these resources over many customers, providing a type of insurance policy that customers can use on an as needed basis. As a result, managed service providers are able to purchase massive amounts of resources that can scale to handle the largest attacks in a manner that is cost effective for each customer. For example, one such service provider employs the services of 12 Tier-1 providers that can manage more than 30 gigs of traffic as well as more than 10 Terahertz of computing power with the ability to process 40,000,000 packets per second.

In addition to purchasing resources for their own network, managed service providers are also setting up peering partnerships to exchange network traffic with large numbers of corporations and networks. Peering allows managed service providers to increase the size of their networks (and therefore the size of attacks they can defend against) without significant additional costs that would be otherwise passed to customers. Peering also increases the quality of service to customers because it greatly shortens the path to get traffic back and forth to the managed service providers’ network. Shortening the path also reduces the likelihood of third-party carriers’ issues interrupting traffic flowing to and from the customer.

Providing multiple bandwidth arrangements protects customers from the largest of DDoS attacks. This gives managed service providers a substantial advantage over any one ISP that must rely on its own backbone.

Complete Monitoring and Filtering at all OSI Layers

Because they handle only DDoS attacks, state-of-the-art managed service providers are able to devote the services of DDoS experts to develop filtering solutions that handle all layers of the OSI model, including:

Filtering at the Border

Filtering at the border blocks traffic to restricted ports from an extensive list of infected hosts and limits traffic to allowed protocols. It also includes filtering for bogon packets: packets from an area of IP address space that is reserved but not yet allocated by the Internet Assigned Numbers Authority (IANA) or a delegated Regional Internet Registry (RIR), and that are therefore either useless or forged for illegitimate purposes.

Protocol Verification

Next, these solutions filter packets by verifying that Layer 3 network switching and routing protocols and Layer 4 transport protocols are being used correctly. This helps the solution mitigate against packet floods.

Stateful Packet Inspection

Stateful packet inspection filtering verifies connection state by ensuring that the TCP three-way handshake is completed. This verification is used to block SYN floods and other similar attempts to consume system resources.

Application Layer Filtering

Many attackers attempt to overwhelm system resources by establishing valid connections. Filtering at the application layer prevents this type of GET and resource flood attack. This layer collects and filters source-IP-based rate-limiting information. It can also enact customized security policies, such as blocking traffic from specified ports.

String matching/Algorithmic Filtering

String matching and algorithmic filtering monitors traffic for unusual behavior and flags anomalies. Engineers can then examine these anomalies to determine whether the activity should be blocked on the network. Once an activity is determined to be malicious, it is labeled in the system and blocked at the border.
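The filter stages described above, as an added illustration rather than Prolexic's own code or product logic: a small Python pipeline over constructed packet records that applies a border bogon check, a Layer 4 TCP flag sanity check, a stateful count of half-open handshakes per source, and a per-source application-layer request limit. The abbreviated bogon list, the thresholds and the packet record format are assumptions for the example; the RFC 5737 documentation address ranges stand in for public hosts.

```python
import ipaddress
from collections import defaultdict

# Constructed, abbreviated bogon list for this example; a real border filter
# loads the full current IANA/RIR reservation list instead.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]
# TCP flag combinations that never occur in a legitimate exchange (Layer 4 check).
INVALID_FLAGS = {"", "SF", "SR"}


def is_bogon(src):
    """Border filter: source address lies in reserved or unallocated space."""
    return any(ipaddress.ip_address(src) in net for net in BOGON_PREFIXES)


class SynFloodGuard:
    """Stateful check: handshakes a source opened (SYN) but never completed (ACK)."""
    def __init__(self, max_half_open):
        self.max_half_open = max_half_open
        self.half_open = defaultdict(set)  # src -> source ports still mid-handshake

    def observe(self, pkt):
        if pkt["flags"] == "S":
            self.half_open[pkt["src"]].add(pkt["sport"])
        elif pkt["flags"] == "A":  # third step of the handshake closes the entry
            self.half_open[pkt["src"]].discard(pkt["sport"])
        return len(self.half_open[pkt["src"]]) > self.max_half_open


def filter_packets(packets, max_half_open=3, max_requests=10):
    """Run each packet through the four stages; return (src, verdict) per packet."""
    guard, requests, verdicts = SynFloodGuard(max_half_open), defaultdict(int), []
    for pkt in packets:
        if is_bogon(pkt["src"]):
            verdicts.append((pkt["src"], "drop: bogon source"))
        elif pkt["flags"] in INVALID_FLAGS:
            verdicts.append((pkt["src"], "drop: invalid TCP flags"))
        elif guard.observe(pkt):
            verdicts.append((pkt["src"], "drop: SYN flood"))
        else:  # application layer: per-source request rate limit
            if "http" in pkt:
                requests[pkt["src"]] += 1
            over = requests[pkt["src"]] > max_requests
            verdicts.append((pkt["src"], "drop: request flood" if over else "pass"))
    return verdicts


# Constructed sample traffic: a bogon source, a clean client, a malformed segment,
# a SYN flood from one host and a GET flood from another.
SAMPLE_PACKETS = (
    [{"src": "10.1.2.3", "sport": 4000, "flags": "S"},
     {"src": "203.0.113.5", "sport": 5000, "flags": "S"},
     {"src": "203.0.113.5", "sport": 5000, "flags": "A"},
     {"src": "203.0.113.5", "sport": 5000, "flags": "PA", "http": "GET /"},
     {"src": "203.0.113.6", "sport": 5001, "flags": "SF"}]
    + [{"src": "198.51.100.9", "sport": 6000 + i, "flags": "S"} for i in range(5)]
    + [{"src": "192.0.2.7", "sport": 7000, "flags": "PA", "http": "GET /"}] * 12)


def summarize(verdicts):
    """Count packets per (source, verdict) pair, as an operator would review them."""
    counts = defaultdict(int)
    for v in verdicts:
        counts[v] += 1
    return dict(counts)


if __name__ == "__main__":
    for (src, verdict), n in summarize(filter_packets(SAMPLE_PACKETS)).items():
        print(f"{n:3d}  {src:<14} {verdict}")
```

In the sample run the clean client passes all three packets, the fourth and fifth uncompleted SYNs from 198.51.100.9 are dropped, and the GET flood is cut off after its tenth request.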

Multiple Routing Choices

Organizations using a managed filtering service require various options for connecting their networks to the filtering service, which vary according to their corporate requirements. Managed service providers are able to provide multiple routing choices.

Adaptability to New Attacks

A managed service has the advantage of employing teams of DDoS mitigation experts that have seen every type of attack, every size of attack, and every variation of attack and are always available to react in real-time to new attacks. Vast experience with the newest and largest attacks enables a managed service provider to remain one step ahead of attackers.

Service Level Agreements

Managed service organizations can guarantee the effectiveness of their service by offering strong service level agreements.
