Dan Wiley, head of incident response at Check Point, looks at the growing prevalence of DDoS as an attack vector, and gives a four-step guide to mitigating their impact.
Until recently, if you wanted to protest a company's policies, you'd gather a group of likeminded people, make some signs, and stand outside their place of business for a very public display of protest. But now, people increasingly go online, purchase an inexpensive DDoS toolkit, enter the web address of the company they're targeting, and the company's website is defaced, or their network taken offline. It's easy, convenient, cheap: and it's becoming increasingly common, with more and more companies being bombarded every day.
Recent Check Point research suggests that DDoS attacks are unlikely to go away anytime soon. Our latest Security Report found that in 2014, DDoS was the attack vector most commonly-used against businesses, accounting for 60 percent of all attack types. What's more, the volume of such attacks multiplied sixfold, occurring 48 times per day in 2014 compared to eight times per day in 2013, across a broad range of industry sectors from national and local government departments, to online service providers and educational facilities.
A recent high-profile incident targeted the computer systems of the Polish national airline, grounding a number of flights and preventing the airline from creating its flight plans in time for departures. Some commentators have downplayed the significance of the incident as 'just a simple DDoS attack', as it did not affect communications between the airline and its planes, or other critical systems. However, it was still enough to stop flights, disrupt schedules and strand passengers: highlighting just how effective this technique can be. We're also seeing a steady increase in DDoS attacks being used as a tool for extortion, where specific groups threaten to execute an attack unless the organization pays them in Bitcoins.
As systems get ever more interconnected and interdependent, such a simple disruption of one link in the communications chain can trigger a domino effect, in turn causing significant outages and impacting business. So how does a DDoS attack actually work - and how can organizations defend themselves?
DDoS DNA
The basic element of a DDoS attack is sending a tidal wave of online requests to a website or service, tying up resources so that the site or service eventually becomes inaccessible to legitimate requests, grinds to a halt, or crashes. The attacks usually involves one of four possible types:
Volumetric attack: These employ millions of user datagram protocol (UDP) packets on port 80, which is what a web server typically ‘listens to’ or expects to receive from Web clients. This attack jams the main website connection with fake requests, meaning web pages and services cannot be delivered.
DNS reflection: a more sophisticated attack which causes a system to respond to a bombardment of external queries by sending out more queries of its own, effectively paralyzing a system by causing it to generate (or reflect) as much traffic as it is receiving.
SYN flooding: an attack type which targets a specific host, and it involves sending multiple SYN (synchronization) requests to a server, which the server tries to respond to. Eventually, this will consume enough resources so that the host is unresponsive to legitimate traffic.
Slow attacks open as many connections as possible to a server and keep those connections open as long as possible by sending bits of data right before the transmission control protocol (TCP) sessions time out. The traffic is low, but the volume of slow connections congests inbound network ports.
Defending against these attack types is challenging, because an attacker may well blend the types of attack to make mitigation more difficult, using cheap high-volume methods alongside more sophisticated and targeted approaches. However, there are four key steps that organizations can employ to help mitigate the impact of DDoS attacks.
1. Engage a scrubbing service to handle large volumetric attacks
When faced with large volume DDoS incidents, the first thing an organization needs to consider is the option to route their Internet traffic through a dedicated cloud-based scrubbing provider that can remove malicious packets from the stream of communications. These providers are the first line of protection for large volumetric attacks, as they have the necessary tools and bandwidth to clean network traffic so that DDoS packets are stopped in the cloud and regular business as usual traffic is allowed.
2. Use a dedicated DDoS mitigation appliance to isolate, and remediate attacks
The complexity of DDoS attacks and the tendency to combine volumetric and application methods requires a combination of mitigation methods. The most effective way to cope with the application and 'low and slow' elements of these multi-vector attacks is to use an on premise, dedicated appliance. Firewalls and intrusion prevention systems are critical to the mitigation effort, and DDoS security devices provide an additional layer of protection through specialized technologies that identify and block advanced DDoS activity in real-time.
3. Tuning firewalls to handle large connection rates
The firewall or security gateway will also be an important piece of networking equipment during DDoS attacks. Administrators should adjust their firewall settings in order to recognize and handle volumetric and application-layer attacks. Depending on the capabilities of the firewall, protections can also be activated to block DDoS packets and improve firewall performance while under attack.
4. Develop a strategy to protect applications from DDoS attacks
As well as using security solutions, administrators should also consider tuning their web servers, and modifying their load balancing and content delivery strategies to ensure the best possible uptime. This should also include safeguards against multiple login attempts - for example, automated activities can be blocked by including web pages with offer details, so that users much click on ‘accept’ or ‘no thanks’ buttons in order to continue deeper into website content. Content analysis can also help: simple steps such as ensuring there are no large image or PDF files hosted on high-value servers can make a big difference.
DDoS continues to grow in popularity as an attack tool, simply because it's relatively easy and cheap to do, and it continues to be effective. By understanding how DDoS attacks are perpetrated, and implementing the above methods, organizations will be better placed to mitigate the impact of attacks on their business.
