In early days of the Web, no one heard of a Distributed Denial of Service (DDoS) attack; malware came to us through other vectors. Then in early 2000, a series of them DDoS attacks knocked off the air such popular websites as Yahoo, CNN, and Amazon. Today, DDoS attacks are thicker than fleas on a hound-dog, and are more complex than ever. They can hit your sites and your customers’ sites from more angles and they can knock out a website for minutes or even days.
Fortunately, the security defenses have been keeping up.
How bad is it? Proxleic, a DDoS mitigation company, reported that from the fourth quarter of 2012 to the fourth quarter of 2013, total DDoS attacks increased by 26%. The biggest attack Proxleic had to cope with in 2013 peaked at 170 Gigabits per second. So, tell me, how fast is your Internet connection?
In the early days, DDoS attacks went after the Internet’s TCP/IP protocol. Assaults like the Ping of Death used an IP packet that exceeded the IP standard’s maximum 65,536 byte size. When this fat packet arrived, it crashed systems with IP fragments that had overlapping fields.
Then, as now, there are also DDoS assaults that try to overwhelm a server and/or Internet collection with too much traffic. In these, multiple attacker sites try to accomplish this with either a stream of TCP/IP requests, such as in a SYN flood or by what might appear to be legitimate Web server requests. Other DDoS attacks go after your Web servers themselves rather than the Internet connection by devouring server resources. With these, if you even had infinite bandwidth, a site could still be taken down.
DDoS Botnets used to be made up almost entirely of malware-infected Windows PCs. Now, even poorly secured mobile devices are getting into the act.
The process is not particularly complicated or technical. You can rent a botnet suitable for launching a DDoS attack for a few bucks an hour. Or, if you have your own botnet, you can do it yourself with Low Orbit Ion Cannon (LOIC).
LOIC, which uses Twitter to co-ordinate its attacks, is a brute-force program. It just fires multiple simultaneous requests for a non-existent page on the target’s website. All an attacker has to do is pick a target, hit the button, and watch the trouble begin. Simple, but effective. Just ask MasterCard and Visa, which were smacked around by LOIC in 2010.
It’s only got worse since then. Banks are getting hit all the time. You don’t hear about it because the last thing a financial institution wants to do is admit its site went down from an attack.
The attackers have grown more effective, or at least they have more technical options. Today, besides those early attack techniques there are two major kinds of attacks: DNS (Domain Name System) attacks and HTTP floods. DNS attacks have three current varieties: UDP floods, NSQUERY, and NXDOMAIN.
In an UDP flood, the attacker tries to overwhelm the DNS server by forcing it to verify multiple UDP packets until the server runs out of processor power. NSQUERY tries to overwhelm DNS servers with a flood of legitimate DNS requests, while NXDOMAIN does its damage by asking a DNS server for thousands of website look-ups for non-existent websites.
The simplest HTTP flood is the attacker repeating the same request over and over and over… you get the idea. It’s like someone who keeps calling your telephone even if you don’t answer. Another variation, the recursive-get DDoS, asks for a page, and then recursively asks for every individual Web page, graphic, whatever, on your site.
Finally, there’s the sweetly-named but deceptively deadly SlowLoris. This attack works by opening connections to your Web server and then sending just enough data in an HTTP header, five bytes, every 299 seconds. Five bytes is just enough to keep the connections open; in time it fills up your Webserver connection table, and down goes your server.
So what can you do?
First, if you’re hit by DDoS attacks a lot, go the professionals. Companies such as Arbor Networks and Prolexic can help you survive in an increasingly hostile Web environment. As with other security specialties, unless you have a bunch of CCIEs on staff, use the experts.
Next, DDoS defense has to be in depth. You can’t rely on firewalls, intrusion-prevention systems (IPSs), and load balancers. They can and they will be knocked out. You need the help of your upstream ISP to slow down DDoS attacks before they hit your perimeter.
You must also be able to understand and recognize the attacks when they happen. I wasn’t kidding about the CCIEs. To spot and fight slow attacks or one that go after your front-end facing Web apps you need people who can do deep-packet inspections. You can’t spot SlowLoris by looking for traffic spikes. It doesn’t have them.
Have backup servers and ISP connections ready. Every second your business is out of service from a DDoS is a second that your customers are not making money – and a guarantee of customer complaints. If a site is down, have a mirror, a cloud-based site, something that you can bring up in a hurry to keep servicing your customers.
Last, but not least, just because you’ve fended off a DDoS attack don’t assume that the attack is over, or that the initial incident was even the main attack. It may have been a distraction for an attempt to pull data from your systems or a trick to try to plant malware into your company.
Yes, I know the network staff will want to give everyone high-fives when the attack is done and the Web servers are humming along nicely again. Get another cup of coffee and start checking your system’s security. You may be very, very glad you did.
I wish I could give you some magic word—Abracadabra!—that would make it easy and simple to stop DDoS attacks. There isn’t one. Hard work and eternal vigilance is the only way to deal with DDoS attacks.
That said, the defenses are getting better. They’re just not good enough yet to make DDoS attacks a thing of the past. Here’s hoping they get there sometime within our life-times. I must confess I’m not holding my breath.