Five ways to defend against a DDoS attack


So you're under attack. What now?

The economics of the Distributed Denial of Service (DDoS) attack tend to work in favour of the aggressor and not those attempting to protect online assets.

Most DDoS attacks, which most commonly involve a group of attackers flooding a web site with excessive amounts of requests in an effort to prevent it providing service, tend to be small-scale and short-lived. But in rare cases such attacks have brought server clusters - and sometimes entire companies - to their knees.

The question many Australian organisations have faced of late: is a DDoS attack worth defending against? And if you are unfortunate enough to be under attack, what should you do?

Assessing the risk in advance

Jose Nazario, security researcher at Arbor Networks, told iTnews that businesses often wait until it is too late to prepare a strategy and only think about mitigation once they are already under attack.

"That's not the right time to try to figure out who my service provider is, how do I contact them or to scream and beg them to help," he said. "That's the wrong time."

Instead, organisations need to include DDoS mitigation as part of their contingency planning, he said.

Key questions customers should ask their service providers are: What protection is available? How does the customer request that protection? What does this protection cost? What is the expected response time? Who is the service provider's main contact when an event occurs?

"These are pretty obvious questions, but they're things that people forget," Nazario said.

Today iTnews spoke to several IT security gurus to discuss mitigation strategies.

1. Beat it with bandwidth

The most basic response to a request or traffic flood is to have sufficient additional bandwidth to withstand an attack.

Larry Bloch, chief executive of Australian web host NetRegistry, believes the best protection is superior infrastructure.

The web host was recently caught in the crossfire of 4Chan users' "Operation: Payback" DDoS against anti-piracy lobbyist Australian Federation Against Copyright Theft (AFACT).

The attackers directed 60,000 active HTTP connections and 100 Mbps of additional bandwidth at a cluster of servers that hosted AFACT's website. But the attack had a wider impact since it targeted a load balancer that was servicing thousands of the host's clients.

"The only real way to reliably protect yourself against this level of attack is to have bigger iron than the attackers - with more network bandwidth, more raw processing power," Bloch told iTnews.

But competing with multiple distributed computing resources is expensive and difficult to manage, he concedes.

While bandwidth is viewed as an essential mitigation strategy, it can quickly become a very expensive defence.

"Unless you're monetising that bandwidth, your investment is a really expensive insurance policy," said Nazario. "It's an arms race that you're always going to lose."

Highlighting the problem, Greg Burns, spokesperson for DDoS protection service Prolexic, pointed out that the largest attack the company had responded to was 103 Gbps in size.

"Transit of this traffic can be expensive - if not impossible - as most businesses [only] have bandwidth availability that is a small fraction of this," Burns said.

Prolexic expects to see attacks of this size with greater frequency as attackers attempt to blow past today's carrier-grade DDoS defenses built to cope with 10 Gbps attacks.

Similarly, Prolexic has noted that attackers are turning to more sophisticated methods, such as "low and slow" attacks against layer 7 applications, encrypting attack traffic and attempting to mimic real traffic behaviour.

In other words, having excess bandwidth may win today's battles, but not tomorrow's.

2. Geo-blocking

NetRegistry engineers responded to the attack aimed at AFACT using a technique called "geo-blocking".

The engineers identified that malicious traffic was predominantly coming from Chile and Colombia. With less than one percent of traffic coming from these countries on a given day, compared to, say, the US, NetRegistry opted to block all traffic from these countries.

"Network engineers simply have to make a series of decisions to minimise collateral damage," Bloch said.

But Prolexic's Burns believes that on this occasion, the web host got lucky.

"This tool may work for some businesses, but Prolexic believes that limiting any business from receiving requests from an entire region is unnecessary and is - in some way - admitting defeat," he said.

Had the attack on AFACT been launched from the US, Europe or Asia, it is unlikely NetRegistry could have relied on blocking an entire nation's incoming traffic.
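The decision NetRegistry's engineers made above can be written down as a rule: block a country only if it supplies a large share of traffic during the attack but a negligible share of traffic on a normal day, so that the block removes much of the flood and little legitimate traffic. The script below is an added illustration of that rule, not code from NetRegistry or the article; the per-country request counts are constructed sample data, and the GeoIP lookup that would produce them from an access log is assumed rather than shown.

```python
from collections import Counter

# Constructed sample data: requests per country in a normal-day baseline
# window and during the attack window. In practice these counts come from
# an access log joined with a GeoIP lookup (assumed; not shown here).
BASELINE = Counter({"US": 5200, "AU": 3100, "GB": 900, "CL": 30, "CO": 20})
ATTACK = Counter({"US": 5300, "AU": 3000, "GB": 950, "CL": 41000, "CO": 38000})


def country_shares(counts):
    """Return each country's fraction of all requests in the window."""
    total = sum(counts.values())
    return {c: n / total for c, n in counts.items()} if total else {}


def geo_block_candidates(baseline, attack, max_baseline_share=0.01, min_attack_share=0.2):
    """Countries contributing under max_baseline_share of normal traffic but at
    least min_attack_share of traffic during the attack.

    Blocking such a country drops little legitimate traffic (low collateral
    damage) while removing a large part of the flood. A country that is
    normally a major source of visitors is never returned, even if the attack
    comes from there: that is the case where geo-blocking stops being viable.
    """
    base = country_shares(baseline)
    atk = country_shares(attack)
    return sorted(
        c for c, share in atk.items()
        if share >= min_attack_share and base.get(c, 0.0) < max_baseline_share
    )


def collateral_damage(baseline, blocked):
    """Fraction of normal-day requests that a block list would have dropped."""
    total = sum(baseline.values())
    return sum(baseline.get(c, 0) for c in blocked) / total if total else 0.0


if __name__ == "__main__":
    blocked = geo_block_candidates(BASELINE, ATTACK)
    print("block:", blocked)
    print(f"legitimate traffic lost: {collateral_damage(BASELINE, blocked):.2%}")
```

Running it on the sample data recommends blocking CL and CO at a cost of about half a percent of normal traffic; replacing the attack counts with a flood sourced from the US returns an empty list, which is the situation the next paragraph describes.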

Cases in point were two recent attacks on wholesale IP network provider Vocus Communications.

In March, an attack against web hosting firm Web24 took down part of Vocus' network and was believed to have come from Asia, Russia and the United States.

In May, the firm suffered a second DDoS attack that was part of a wider attack on US servers.

By July, the company had invested in additional protection from Arbor Networks, ending its reliance on network technicians writing scripts to manually detect and block malicious traffic.

Read on for more: Hiding behind giants, deploying reverse proxies and other measures...

Copyright © iTnews.com.au . All rights reserved.


X_Selectar
Oct 15, 2010 12:46 AM
To add some more to the discussion. I have been a part of Anti Malware teaching sites/ Networks over the last 5 years approximately.

For a bad outcome example, a very well known site, Castlecops.com, they were being hit with 2gb's/p constantly for over a year. Why? Because the site, and its sister sites, put people in jail for attacking people's computers, and cleaning free of charge, with the noble aim of thwarting the efforts of criminals. Eventually the task became too difficult, every script kiddy and hard core hacker joined in and eventually castlecops.com was closed, a very sad day.

The major site I did training with, malwareremoval.com, has a system of multiple servers, each ghosted to back up incremental data so all was synched. The aim, when under attack: change servers, trace the source of the attack, contact the FBI, arrest the perpetrators. Being some of the smartest people in the IT world, these sites have consistently evolved methods to "dodge" DDoS attacks. The castlecops.com close was very unfortunate, having been one of the first sites to start actively fighting attackers who took over unsuspecting computers with inadequate defense, and building botnets.

An obsessive nature to keep coming up with smart solutions to all factors of DDoS attacks and general infection must be nurtured, as hackers continually change their method of attack. From my point of view I doubt corporate solutions will have the integral obsessive volunteers to win any battles with a serious DDoS attack. Expense cannot be the major factor in such solutions; globalising organisations and companies to work at adding more punch to all forms of attack on insecure networks will be the way to go, I feel.

The general old school notion that a company can be paid, as a specialist, to secure business is failing, outdated, and holds no fear for hackers.