DDoS: don't get stuck in denial

While this move brings many advantages with it, such as widening customer reach and reducing overheads, the emergence of organized crime in the online world means that business needs to be sharper than ever when it comes to security.

While viruses and worms usually steal the headlines, the growing threat of a distributed denial-of-service (DDoS) attack is a form of cybercrime to which no company can say 'they wouldn't target us'. Whilst the first well-documented attacks were against gambling sites and online payment systems, no company should consider itself immune. Especially when your organization will undoubtedly share its Internet Service Provider (ISP) with other businesses who rely on e-commerce and might be more desirable targets to criminals looking for extortion money.

The question you need to ask is - if the company's web site or ISP was unavailable for hours or days, would it effect the business in terms of lost revenues and damage to reputation? Most organizations would quickly answer 'yes'.

So what is a DDoS attack? The aim of a DDoS attack is to paralyze online systems. The attacker compromises a number of unprotected hosts and installs a 'demon' or 'trojan' onto the system. The trojan-infected hosts in turn act as handlers and are able to compromise other computers, which operate as agents for the attack.

Hundreds, or thousands of infected computers are needed to make a DDoS attack a success, but the process of compromising a host is automated. The attacker is able to send a continuous and tremendous stream of data requests from the comprised machine, which overwhelms the victim's site, ensuring it cannot provide any services. It is important to realize that the amount of data being sent to the victim will not only overload the victim's site, but will overload the ISPs connections to the victim and the whole data center. For this reason the protection mechanisms need to be implemented in the ISPs network and not in the data center. By the time the traffic hits the data center it is too late.

The cost of such an attack for businesses can be substantial. However, by securing the network with mechanisms that can identify and divert malicious traffic, the devastating effect of a DDoS attack can be managed. It is hard to estimate the number of DDoS attacks occurring, but a University of California study suggests around 2,000 a week.

Today, DDoS attacks are usually defended by mechanisms such as blackholing, router filtering, Firewalls or IDS. Although these tools possess crucial security features, they do not offer sufficient protection against the increasingly sophisticated attacks carried out.

Blackholing, for example, blocks all traffic going to the victim's network, and diverts all packages to a 'black hole', where it gets discarded. This method is not very efficient, since the victim loses all traffic, good and bad. Routers using access control lists (ACLs) that filter out malicious traffic, on the other hand, offer a better solution - however, since today's attackers use valid protocols and spoof valid IP addresses, ACLs are not able to detect malicious messages. In addition, since many large companies keep their servers in large data centers where online traffic is delivered through a single pipe, blackholing has the effect that not only the data of the initial target is destroyed, but also the data of the other hosted companies.

Firewalls also fail to protect a network from a DDoS attack, since they lie too far down the data flow to be able to defend the access link between the provider and the boarder of the router. Moreover, although firewalls are able to block invalid Internet Protocol (IP) addresses, hackers have found ways to use approved protocols in order to deliver their traffic, which renders firewalls helpless to a DDoS attack.

Intrusion Detection Systems (IDS) have the same problem, since they are generally placed in the data center, where it is too late to prevent the attack. And although IDS do an excellent job in detecting malicious behavior, they are unable to actually mitigate the results of a DDoS attack.

In essence, effective DDoS defense does not simply include detecting an attack, but also mitigating it. Moreover, all-round protection does not only include realization that an attack is occurring, but having a mechanism in place that is able to distinguish between good traffic and malicious attack. Complete DDoS protection must extend upstream for the protection of the access link extending from the service provider to the edge router at the fringe of the enterprise. On top of that, and important for any business, is a security mechanism that maintains reliable and cost-effective scalability.

The good news is that advanced technology to deal with DDoS attacks does exist. For example, special guard and detections systems are now available that instantly detect the attack on the target host, then divert the target hosts traffic to a separate location, from which malicious packages are filtered out and the legitimate traffic is redirected to the target. At the same time, non-targeted data traffic of other companies in the same data center run freely to the host.

By offering effective defense against DDoS attacks to their customers, enlightened ISPs are able to differentiate themselves from their competitors by putting forward a value added service. Energis and Pipex, two ISPs that are already offering complete DDoS protection to their customers, have had great success with preventing attacks by constantly monitoring the data flow across networks and diverting illegitimate packages intended for the target sites.

And while you may think that your organization doesn't have to demand this kind of protection from your ISP, remember that more attractive DDoS targets, such as gambling or e-commerce sites, share the same ISP as your organization - and when they are attacked, your organization will be affected if the appropriate defenses are not in place.

It's time to check what DDoS protection your ISP offers. Don't be stuck in denial.

The author is Senior Security Consultant, Cisco Systems