DDOS, the new black?

Published: 2011-03-04. Last Updated: 2011-03-04 13:17:59 UTC
by Mark Hofman (Version: 1)
14 comment(s)

In the last few weeks, maybe even months we've been seeing an increase in the number of Distributed Denial of Service (DDOS) attacks on different sites. Today, according to Ahnlabs in Korea, a number of government sites are under attack. Yesterday it was word press, and recently we also had sourceforge and no doubt a number of others that I've forgotten to mention. 

So is DDOS the new black?   We know that the majority of the malicious files and traffic we see are somehow related to making money, but realistically I can't quite see how this is doing the trick. How is money being made? Are the current attacks going to serve as examples? Give some money or else?  I don't know how effective that would be as most of the organisations seem to be dealing with the DDOS attacks relatively well.  

So why are we seeing these increases?  Are they being reported more?  Are they easier to do?  Are they test runs for something better later on, or maybe even nation states testing their processes.  Let us know if you've been under attack, recently.  I'd be interested to know how you dealt with it and if you have some packets you can share, even better.  If you know why you were targeted I'd be interested to know.  

Now for dealing with a DDOS attack. 

The best will be to stop the packets from reaching you in the first place.  To stop them as far away from your environment as possible, especially if link saturation is the problem.  This will likely need the cooperation of your ISP. You will find some are more willing to help you deal with an attack than others.  

If you manage to identify a particular characteristic of the packets being sent, then you might be able to get a firewall, router, IDS, or IPS to deal with the traffic.  These types of devices will be better at coping with this than your web or mail server.  Check you firewalls, many have the capability to drop traffic based on certain thresholds or characteristics and they may be enough to 

But lets put this in the context of an incident handling process. Hopefully you remember the six steps:

  • Preparation
  • Identification
  • Containment
  • Eradication
  • Recovery 
  • Lessons Learned

Preparation

This will be the most important step.  Firstly you will need to decide what you are going to do in the event of a DDOS attack on your infrastructure.  Will you pull the plug yourself and just ride it out? or will you take steps ab and c to deal with the attack. Best to sort this out before it happens rather than whilst it is happening. 

Make sure  you understand what your ISP will and won't do for you in the event of a DDOS attack on your sites.  

If you have an approach to deal with the DDOS, make sure it is documented.  Nothing worse than having to figure things out whilst the attack is underway. 

Have the capability to grab packets in place.  They will be invaluable.

Identification

How do you identify an attack?  Often it is because someone receives a phone call saying "xyz is very slow/unavailable".  You may have an IDS/IPS/Firewall throwing up alert. So that is how you notice. 

What to do next.  Well hopefully you have managed to capture some packets, or at a minimum log records. You will need to look at these and see if you can identify a common factor. 

Containment

Using the information discovered, you may be able to configure an upstream device to drop the malicious packets. Your ISP or a vendor may be able to help mitigate the attack and contain the damage done. 

You will likely also need to examine the targets to ensure they have not been compromised. l 

Eradication

If the targets have been compromised you will need to deal with those.  Your incident handling plan, developed in the preparation stage, should have enough information to allow you to deal with this new issue.

Often when the attack is not successful it will drop off, so I guess it is self eradicating. 

Recovery 

Once the attack is over, determine what else may need to cleaned, replaced, hardened.

Lessons Learned

Standard practice after any incident is the lessons learned.  Go through the attack, see where you went wrong and where you went right. Develop an approach to deal with 

 

I've made a start, if you can add to it let us know via the contact form or comments. 

Cheers 

Mark H.

Keywords: DDOS
14 comment(s)

Comments

I think the money comes partly from selling DDoS attacks - somebody has a grievance against a company or site, and the big hacker networks will DDoS it for you if you can pay their asking price.
(D)DoS makes a handy diversion, if you're looking to do other things.
I understand perimeter defenses can get expense, but it amazes me how many networks allow the threat or attack to be taken directly to the server without any perimeter defense. It looks like a lot of budget Internet hosting providers do this.
The most effective DDoS attacks we saw in 2010 are short-term high-rate UDP floods against infrastructure devices that fall over when handling conns/sec. By the time the upstream can mitigate for you the attack is over, which I think is odd.

In examining the traces after the fact, we saw that they would attempt to touch a different port every packet. I thought it rather clever.
If it is a DDOS your ISP would have hardly any control to stop the attack which means that the only line of deffence are your perimeter security devices.If so what to learn from the "Lessons Learned Phase" Correct me if am wrong.

Reagrds:Haren
Most ISPs have a LOT of control of their network and can in most cases filter the attack upstream. It requires a lot of work and therefore is a product they sell (ddos mitigation isn't cheap).
WHAT IF the DDOS was throwing thousands or millions of "GET" requests to your public webserver. There really is no work around as you have a public site. You cant change the port because its just a basic http request. Your DNS will point to your new port. Your website will be down. No other way around it. Not that I know of.
All good comments thanks.
@dec0de HTTP in someways is easier, much more to identify and unless you have resources available that can browse the site simultaneously. If you are using a tool to generate the traffic there will be something specific that can be blocked. And for it to be effective it has to complete three way handshakes. That allows you to block parts of the internet you do not normally deal with.
@Haren, Your ISP will have control as it must traverse their network. If it is server resource exhaustion then they may not care. But if it is bandwidth exhaustion, they likely will as it will impact their infrastructure as well.
As Don says though. DDOS mitigation by the ISP will cost, but if they say they can't do anything at all, well ....
@MarkH, what would be some "baseline" mitigation measures that an ISP "should" be able to take in response to a DDoS?

Diary Archives