DoS attacks’ methods develop subtlety to gain impact: What to do now
Denial of service (DoS) and distributed denial of service (DDoS) attacks are a technical issue that does organizations real damage and is therefore a serious business problem, though their management and mitigation are probably best left to the IT department, which (one hopes) has the technical nous and the provision to combat them.
DDoS attacks will never cease, as, like mass spamming, they achieve their end in enough cases to justify their existence. The current fashionable rush to make business use of the Internet of Things (IoT), which often relies on off-the-shelf hardware built around embedded systems on chips (SoC), increases the number of devices left open (via telnet and other common protocols) with little realistic security built in; the presence of default authorization credentials is a common factor.
The current US president’s edicts concerning zombie botnets address his domestic enforcement agencies’ abilities to close ‘nets down, rather than prevent their creation. Politicians’ posturing, as usual, reveals their (or their advisors’) tenuous grip on technical reality.
For the uninitiated, here’s a crib sheet to help explain some of the tech:
- DDoS vs. DoS attacks – the latter can be stopped by blocking traffic from a single Internet address (IP address). DDoS attacks come from multiple, that is distributed, sources, all aimed at the same target(s).
- Volumetric attacks – these work on sheer volume of traffic. For instance, UDP flood attacks (often using reflection and amplification techniques) swamp a network’s bandwidth.
- Protocol attacks – such as SYN floods that exploit the call-and-response nature of some protocols. By starting a connection handshake but never completing it, the attacker leaves the service holding half-open connections that are never closed, until it has no capacity left for legitimate ones.
- Application attacks – these target particular applications such as DNS or web services, for instance by sending repeated HTTP requests to a web server.
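The crib sheet above can be turned into simple detection logic. The following is an added example, not code from the article or from any vendor it mentions: it classifies a one-second window of constructed flow records into the four categories described (the record layout, thresholds and sample traffic are all assumptions).

```python
# Added example: label one window of (constructed) flow records using the
# crib-sheet categories: DoS vs DDoS, volumetric, protocol (SYN), application.
from collections import Counter
from dataclasses import dataclass

@dataclass
class Flow:
    src: str        # source IP address
    dport: int      # destination port on the protected host
    proto: str      # "udp" or "tcp"
    syn_only: bool  # TCP SYN seen with no completing ACK (half-open)
    http_reqs: int  # HTTP requests carried by this flow (0 if not HTTP)
    nbytes: int     # bytes seen in this flow during the window

# Thresholds for a one-second window; assumed values, tune to the real link.
VOLUME_BYTES = 50_000_000   # UDP bytes per window that count as volumetric
HALF_OPEN_RATIO = 0.8       # share of TCP flows left half-open
HTTP_REQS_PER_SEC = 1000    # HTTP requests per window to a single port
DISTRIBUTED_SOURCES = 20    # more distinct sources than this -> DDoS

def classify(flows):
    """Return sorted labels for the traffic in one window ([] if benign)."""
    labels = set()
    udp_bytes = sum(f.nbytes for f in flows if f.proto == "udp")
    if udp_bytes >= VOLUME_BYTES:
        labels.add("volumetric")              # bandwidth is being swamped
    tcp = [f for f in flows if f.proto == "tcp"]
    if tcp and sum(f.syn_only for f in tcp) / len(tcp) >= HALF_OPEN_RATIO:
        labels.add("protocol")                # handshakes started, never finished
    per_port = Counter()
    for f in flows:
        per_port[f.dport] += f.http_reqs
    if per_port and max(per_port.values()) >= HTTP_REQS_PER_SEC:
        labels.add("application")             # one service hammered with requests
    if labels:                                # single vs distributed source
        sources = {f.src for f in flows}
        labels.add("ddos" if len(sources) > DISTRIBUTED_SOURCES else "dos")
    return sorted(labels)

# Constructed samples using documentation address ranges.
SYN_FLOOD = [Flow(f"203.0.113.{i}", 443, "tcp", True, 0, 60) for i in range(200)]
UDP_FLOOD = [Flow(f"192.0.2.{i}", 53, "udp", False, 0, 2_000_000) for i in range(30)]
HTTP_FLOOD = [Flow("198.51.100.7", 80, "tcp", False, 1500, 90_000)]
NORMAL = [Flow("192.0.2.10", 443, "tcp", False, 3, 4_000),
          Flow("192.0.2.11", 53, "udp", False, 0, 512)]

if __name__ == "__main__":
    for name, sample in [("SYN", SYN_FLOOD), ("UDP", UDP_FLOOD),
                         ("HTTP", HTTP_FLOOD), ("normal", NORMAL)]:
        print(name, classify(sample))
```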
While DDoS attacks can’t be prevented, steps can be taken to make it harder for an attacker to render a network unresponsive. Once an attack has started, the challenge is to mitigate and minimize effects as quickly as possible.
The speed of response is key here: the latest attack types ramp up in seconds, disable target systems and then move on, returning several hours later to repeat the process. The speed at which the attack starts brings down susceptible networks, which then take several hours to recover.
Mitigation steps that can be taken include:
- Locate servers across multiple data centers.
- Ensure that the data centers are located on different ISP networks.
- Give each data center diverse data paths, with no notable bottlenecks and no single points of failure.
- Use hybrid solutions that divide mitigation between local security infrastructure and cloud-based services.
- Outsource (at least partially) to experts such as those listed below.
- Ensure the latest hardware is in place.
- Scale up bandwidth to allow capacity for DDoS attacks (although this step is something of a gamble – how much bandwidth is enough to absorb tomorrow’s attacks?)
- Test resilience by running trials. Ensure that DDoS attack exercises become part of larger Disaster Recovery planning.
The prevailing reason why DoS attacks can exist is entrenched in more naive times. When the Internet was envisaged, its misuse was not predicted, nor, to a degree, even countenanced.
For the future, therefore, ISPs may have to take a greater policing role. The Internet Engineering Task Force, for instance, has proposed DDoS Open Threat Signaling, or DOTS, by which an attacked system would appeal to its upstream provider for assistance in “scrubbing” traffic.
All solutions such as DOTS require ISPs’ and other bodies’ cooperation. Asking an ISP to block traffic, for instance, may be asking it to block traffic to and/or from its customers – mistakes will cost money and reputation. Additionally, who’ll pay for the hardware that scrubs data? Who’ll pay for such tech’s upkeep and maintenance?
Until there’s a change in the Internet’s methods and topology so the environment is a great deal safer (which may, of course, be never), prudent organizations would do well to consider one of the following solution providers, not only as a key part of a protection & mitigation system, but also as a starting point for advice and consultancy on security as a whole.
As DOSarrest completes its 11th year in the cloud-based DDoS protection business, it has seen its fair share of attacks while protecting its global customer base.
Looking back over the last decade, there are two obvious trends: attacks are larger and, more importantly, attacks have become incredibly sophisticated.
DOSarrest has first-hand experience of this trend and knows that you have to be ahead of the curve if you want to deliver solid DDoS mitigation services. This is why, in 2017, it completely redeveloped its back-end and front-end software, upgraded all of its routers, increased its capacity, added a second node in Asia, and installed a big data engine cluster.
The company’s offering is based on the highest levels of support and visibility, with all services manned by trained personnel 24/7. Performance and stats are viewable in real-time and service uptime & quality is guaranteed by load balancing and failover provisions.
But of course, the bottom line is the standard of security provided. By seamlessly pushing DNS updates in the event of an attack, traffic to and from attacked site(s) is directed to DOSarrest’s servers, where it is cleaned and forwarded to the real host site.
DOSarrest’s global presence (multiple cleansing nodes are located across the globe) means that page-load times are barely affected and critical services are maintained without interruption.
Cloudflare, a US company, came to prominence in the news in recent times when it went against its own published ideology of support for freedom of speech by withdrawing its services from the white supremacist site The Daily Stormer. The site was brought down by hackers shortly afterwards.
Cloudflare sits between the sites it protects and the Internet, providing protection from DDoS attacks, DNS and reverse DNS services.
The company was started in 2009 and claims to add 20,000 new sites every day to its client roster. While it began as a security company, Cloudflare is now described as a content delivery network (CDN), providing website optimization on the fly to its clients.
Among the methods it uses to “speed up the Internet”, Cloudflare offers:
- Image compression
- Mobile optimizations (both device and browser)
- Dynamic content caching, using its proprietary Railgun technology.
The latter tech has probably the most real-world effect, as sites’ contents can be transmitted more quickly from Cloudflare caches than from their clients’ sites.
With regard to security, Cloudflare’s Web Application Firewall (WAF) service, for example, protects a website from common vulnerabilities such as SQL injection, cross-site scripting, and cross-site request forgery without any changes to clients’ infrastructure.
Arbor Networks likes its visualizations: its Digital Attack Map shows the latest attacks’ sources and targets, and can be zoomed to show detail for any continent and for individual countries.
A recent study by industry analysts Quadrant Knowledge Solutions has identified Arbor Networks as the global market and technology leader in providing DDoS mitigation solutions.
“The study analyzed the current competitive landscape and compared the technological capabilities of key vendors in providing DDoS mitigation solutions. Arbor Networks was clearly identified as the global market and technology leader,” says Arbor Networks’ territory manager for Sub-Saharan Africa, Bryan Hamman.
Arbor’s protection against DDoS attacks involves a multi-layered approach, combining cloud-based and on-premises protection. Hamman adds, “When it comes to protecting an organization’s network from online attacks, we need to understand that the average DDoS attack is expected to reach 1.2 Gbps by the end of 2017, enough to overwhelm a company’s e-mail and online services in minutes.”
Arbor recognizes that smaller companies and SMEs are subject to the same risks and hold the same types of data as a larger enterprise, and its solutions are therefore suitable for every organization. However, it does note that smaller companies often lack the resources needed to deal with the latest DDoS attacks.
*Some of the companies featured in this article are commercial partners of Tech Wire Asia