So you’re under attack. What now?
The economics of the Distributed Denial of Service (DDoS) attack tend to work in favour of the aggressor and not those attempting to protect online assets.
Most DDoS attacks, which typically involve a group of attackers flooding a web site with more requests than it can handle in an effort to stop it providing service, are small-scale and short-lived. But in rare cases such attacks have brought server clusters – and sometimes entire companies – to their knees.
The question many Australian organisations have faced of late: is a DDoS attack worth defending against? And if you are unfortunate enough to be under attack, what should you do?
Assessing the risk in advance
Jose Nazario, security researcher at Arbor Networks, told iTnews businesses often wait until it is too late to prepare a strategy and only think about mitigation once under attack.
“That’s not the right time to try to figure out who my service provider is, how do I contact them, or to scream and beg them to help,” he said. “That’s the wrong time.”
Instead, organisations need to include DDoS mitigation as part of their contingency planning, he said.
Key questions customers should ask their service providers are: What protection is available? How does the customer request that protection? What does this protection cost? What is the expected response time? Who is the service provider’s main contact when an event occurs?
“These are pretty obvious questions, but they’re things that people forget,” Nazario said.
Today iTnews spoke to several IT security gurus to discuss mitigation strategies.
1. Beat it with bandwidth
The most basic response to a request or traffic flood is to have sufficient additional bandwidth to withstand an attack.
Larry Bloch, chief executive of Australian web host NetRegistry, believes the best protection is superior infrastructure.
The web host was recently caught in the crossfire of 4Chan users’ “Operation: Payback” DDoS against anti-piracy lobbyist Australian Federation Against Copyright Theft (AFACT).
The attackers directed 60,000 active HTTP connections and 100 Mbps of additional bandwidth at a cluster of servers that hosted AFACT’s website. But the attack had a wider impact since it targeted a load balancer that was servicing thousands of the host’s clients.
“The only real way to reliably protect yourself against this level of attack is to have bigger iron than the attackers – with more network bandwidth, more raw processing power,” Bloch told iTnews.
But competing with multiple distributed computing resources is expensive and difficult to manage, he concedes.
While bandwidth is viewed as an essential mitigation strategy, it can quickly become a very expensive defence.
“Unless you’re monetising that bandwidth, your investment is a really expensive insurance policy,” said Nazario. “It’s an arms race that you’re always going to lose.”
Highlighting the problem, Greg Burns, spokesperson for DDoS protection service Prolexic, pointed out that the largest attack the company had responded to was 103 Gbps in size.
“Transit of this traffic can be expensive – if not impossible – as most businesses [only] have bandwidth availability that is a small fraction of this,” Burns said.
Prolexic expects to see attacks of this size with greater frequency as attackers attempt to blow past today’s carrier-grade DDoS defenses built to cope with 10 Gbps attacks.
Similarly, Prolexic has noted that attackers are turning to more sophisticated methods, such as “low and slow” attacks on layer 7 applications, encrypting attack traffic and mimicking real traffic behaviour.
In other words, having excess bandwidth may win today’s battles, but not tomorrow’s.
2. Geo-blocking
NetRegistry engineers responded to the attack aimed at AFACT using a technique called “geo-blocking”.
The engineers identified that malicious traffic was predominantly coming from Chile and Colombia. With less than one percent of traffic coming from these countries on a given day, compared with, say, the US, NetRegistry opted to block all traffic from these countries.
“Network engineers simply have to make a series of decisions to minimise collateral damage,” Bloch said.
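The trade-off Bloch describes can be made explicit: block only source countries that carry a large share of the flood but a negligible share of normal-day traffic. The following is an added illustration, not NetRegistry's tooling. It parses access-log lines from the attack window, attributes client IPs to countries through a constructed stub table standing in for a GeoIP database (the IP ranges, country shares and log lines are all constructed sample data), and reports which countries the rule would block along with the legitimate traffic that would be lost. It also shows why the same rule yields nothing to block when the flood comes from a major market such as the US.

```python
"""Geo-blocking triage for a request flood (added example, not NetRegistry's code)."""
from collections import Counter
import re

# Constructed: /24 prefix -> ISO country code, standing in for a GeoIP database.
GEOIP_STUB = {
    "203.0.113": "AU",
    "198.51.100": "US",
    "192.0.2": "CL",   # Chile
    "100.64.5": "CO",  # Colombia
}

# Constructed: share of requests per country on a normal day.
BASELINE_SHARE = {"AU": 0.70, "US": 0.28, "CL": 0.005, "CO": 0.005}

# Constructed access-log lines (combined log format) from the attack window.
ATTACK_LOG = """\
192.0.2.10 - - [12/Oct/2010:10:00:01 +1100] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.11 - - [12/Oct/2010:10:00:01 +1100] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.12 - - [12/Oct/2010:10:00:01 +1100] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.13 - - [12/Oct/2010:10:00:02 +1100] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.14 - - [12/Oct/2010:10:00:02 +1100] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
100.64.5.20 - - [12/Oct/2010:10:00:02 +1100] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
100.64.5.21 - - [12/Oct/2010:10:00:02 +1100] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
100.64.5.22 - - [12/Oct/2010:10:00:03 +1100] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
100.64.5.23 - - [12/Oct/2010:10:00:03 +1100] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Oct/2010:10:00:03 +1100] "GET /news HTTP/1.1" 200 8210 "-" "Mozilla/5.0"
203.0.113.8 - - [12/Oct/2010:10:00:04 +1100] "GET /about HTTP/1.1" 200 3090 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Oct/2010:10:00:04 +1100] "GET /news HTTP/1.1" 200 8210 "-" "Mozilla/5.0"
"""

LOG_IP_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}) ")


def client_ips(log_text: str) -> list:
    """Extract the client IP (first field) from each combined-format log line."""
    return [m.group(1) for line in log_text.splitlines()
            if (m := LOG_IP_RE.match(line))]


def country_of(ip: str) -> str:
    """Stub GeoIP lookup on the /24 prefix; unknown prefixes map to '??'."""
    return GEOIP_STUB.get(ip.rsplit(".", 1)[0], "??")


def attack_share_by_country(ips: list) -> dict:
    """Fraction of attack-window requests attributed to each country."""
    counts = Counter(country_of(ip) for ip in ips)
    total = sum(counts.values())
    return {c: n / total for c, n in counts.items()} if total else {}


def plan_geo_block(attack_share: dict, baseline_share: dict,
                   min_attack_share: float = 0.20, max_collateral: float = 0.01) -> dict:
    """Choose countries to block.

    A country is blocked only when it carries at least min_attack_share of the
    flood AND at most max_collateral of normal-day traffic. Countries missing
    from the baseline (including '??') are treated as carrying all normal
    traffic, so incomplete data never leads to a block.
    """
    block = sorted(
        c for c, share in attack_share.items()
        if share >= min_attack_share and baseline_share.get(c, 1.0) <= max_collateral
    )
    return {
        "block": block,
        "attack_traffic_blocked": sum(attack_share[c] for c in block),
        "legit_traffic_lost": sum(baseline_share[c] for c in block),
    }


if __name__ == "__main__":
    plan = plan_geo_block(attack_share_by_country(client_ips(ATTACK_LOG)), BASELINE_SHARE)
    print(plan)
```

On the constructed log, the rule blocks CL and CO, which removes three quarters of the flood at the cost of about one percent of normal traffic; fed a flood dominated by US sources, the same thresholds block nothing, which is the limitation the article goes on to describe.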
But Prolexic’s Burns believes that on this occasion, the web host got lucky.
“This tool may work for some businesses, but Prolexic believes that limiting any business from receiving requests from an entire region is unnecessary and is – in some way – admitting defeat,” he said.
Had the attack on AFACT been launched from the US, Europe or Asia, it is unlikely NetRegistry could have relied on blocking an entire nation’s incoming traffic.
Cases in point were two recent attacks on wholesale IP network provider Vocus Communications.
In March, an attack against web hosting firm Web24 took down part of Vocus’ network and was believed to have come from Asia, Russia and the United States.
In May, the firm suffered a second DDoS attack that was part of a wider attack on US servers.
By July, the company opted to outsource its DDoS protection to a third party, ending its reliance on network technicians to write scripts to manually detect and block malicious traffic.
3. Hide behind giants
The development of cloud computing platforms has introduced a variety of new options to provide resilience against a DDoS attack.
Some companies have migrated part of their infrastructure to distributed computing platforms such as content delivery networks Limelight or Akamai.
“Those are cheaper than buying more bandwidth, but it’s [still] not cheap,” said Nazario.
For those without deep pockets – such as small businesses and even government agencies – one strategy to beat DDoS has been to rely on the larger infrastructure of social network giants such as Google or Facebook.
These sites enable an organisation to continue to communicate with the world, at the cost of functionality and control.
“We have seen people do it on the cheap for themselves – such as a Georgian blogger that was moving stuff into Facebook and Google… basically piggy-backing on those providers’ massive infrastructure to absorb the hit,” said Nazario.
Desperate times called for a commensurate response by the Georgian Government, which turned to Google’s Blogger service to maintain outbound communications with Western nations while under a Russian cyber attack during their 2008 war.
But even the infrastructure of Google or Facebook – whilst larger and more sophisticated – isn’t immune to attack.
“It has the potential for collateral damage because now people are attacking large infrastructure and if there is a significant attack it will disrupt a lot of people around the world,” warns Nazario.
4. The reverse proxy
Australian web host Bulletproof Networks recently deployed a similar albeit more sophisticated cloud-based response by hiving off attack traffic to Amazon’s EC2 cloud.
Responding to a sustained DDoS attack aimed at broadband forum Whirlpool, Bulletproof had attempted to mitigate the attack by blocking individual IP addresses.
The web host had asked its upstream providers Internode and Pacific Internet to block incoming HTTP traffic from several IP addresses in the United States and Denmark, but within minutes the attack source shifted.
Nazario argues that the process of identifying individual sources is too labour-intensive.
“You need a highly trained human being to go over logs and packet traces to identify those malicious clients. It can take an hour or two or 24 hours, depending,” he said.
Within a few days, Bulletproof found a better solution. It deployed a “reverse proxy” server in Amazon’s EC2 cloud which it used to bear the load of malicious HTTP traffic.
Amazon’s EC2 served up cached elements of Whirlpool, while legitimate traffic was served non-cached pages from Bulletproof’s Australian-hosted web servers.
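The mechanism behind this arrangement is that a caching edge answers repeated requests for the same public content itself and forwards only cache misses and per-user requests to the origin. The following is an added illustration, not Bulletproof's deployment or configuration: a small cache-policy class with an in-process stand-in for the origin server and a constructed request stream. The cacheability rule used here (anonymous GETs for static assets and the front page are cached; anything carrying a session cookie goes to the origin) is an assumption made for the example, since the article does not say how Bulletproof distinguished the two classes of traffic.

```python
"""Caching reverse-proxy policy in front of an origin during an HTTP flood.
Added example, not Bulletproof's code; no network I/O is performed."""
import time

# Assumed rule: these suffixes identify static assets that are safe to cache.
STATIC_SUFFIXES = (".css", ".js", ".png", ".jpg", ".gif", ".ico")


class EdgeCache:
    """Models the EC2-hosted proxy: serves cached copies, forwards the rest."""

    def __init__(self, fetch_origin, ttl: float = 60.0, clock=time.monotonic):
        self._fetch = fetch_origin    # callable(path) -> body; stands in for the origin
        self._ttl = ttl               # seconds a cached body stays valid
        self._clock = clock           # injectable for deterministic expiry tests
        self._store = {}              # path -> (expires_at, body)
        self.origin_hits = 0          # requests the origin actually had to serve
        self.edge_hits = 0            # requests absorbed at the edge

    @staticmethod
    def cacheable(method: str, path: str, headers: dict) -> bool:
        """Assumed policy: only anonymous GETs for the front page or static
        assets are shared across users; a session cookie marks per-user content."""
        if method != "GET" or "Cookie" in headers:
            return False
        return path == "/" or path.endswith(STATIC_SUFFIXES)

    def handle(self, method: str, path: str, headers: dict = None) -> str:
        headers = headers or {}
        if not self.cacheable(method, path, headers):
            self.origin_hits += 1
            return self._fetch(path)          # uncacheable: pass straight through
        now = self._clock()
        entry = self._store.get(path)
        if entry and entry[0] > now:
            self.edge_hits += 1               # fresh copy: origin never sees it
            return entry[1]
        body = self._fetch(path)              # miss or expired: refill once
        self.origin_hits += 1
        self._store[path] = (now + self._ttl, body)
        return body


def simulate_flood(flood_requests: int = 5000, legit_requests: int = 50) -> tuple:
    """Constructed traffic: a flood alternating between the front page and one
    stylesheet, mixed with logged-in users each reading a different thread.
    Returns (origin_hits, edge_hits)."""
    origin = lambda path: f"<html>{path}</html>"   # stand-in origin server
    edge = EdgeCache(origin, ttl=60.0)
    for i in range(flood_requests):
        edge.handle("GET", "/" if i % 2 == 0 else "/style.css", {})
    for i in range(legit_requests):
        edge.handle("GET", f"/thread/{i}", {"Cookie": "session=abc"})
    return edge.origin_hits, edge.edge_hits


if __name__ == "__main__":
    origin_hits, edge_hits = simulate_flood()
    print(f"origin served {origin_hits} requests, edge absorbed {edge_hits}")
```

With 5,000 flood requests and 50 logged-in reads, the origin serves 52 requests (two cache fills plus the 50 per-user pages) and the edge absorbs the remaining 4,998. The same model also shows the limit of the approach: a flood aimed at uncacheable dynamic paths passes through to the origin unchanged, which is the direction Prolexic says attackers are moving with layer 7 attacks.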
5. Choose your neighbours carefully
Given the recent attack on AFACT, businesses might wonder whether it is possible to avoid fallout by refusing to share hosting infrastructure with a likely target.
That is assuming, of course, that a host would even tell you what other organisations share the same platform.
Bloch said it would not make sense from the host’s perspective.
“It is impossible for a sales person or automatic web sign-up tool to do a risk assessment on every customer request,” he said.
“Your question could just as well be: Are you in a shared box with someone with a successful marketing campaign?
“Every now and then somebody sets up a mini-site on a $10 a month hosting account, spends a million on television advertising and expects to cope with the demand on a shared service hosted on a single box.”
Conclusion: Weighing up the cost
IBRS analyst James Turner said that often the right questions are not asked in advance because the risk of a DDoS attack appears low while the cost of mitigation is high.
“For some organisations, it just won’t be worth the cost of mitigating,” he said. “But for others, it would be a crippling incident.
“This is classic risk analysis. If you are offline for an hour, how much money are you not making, or losing?”
A recent iTnews poll found that four in five readers feel there is no excuse for data breaches during a DDoS attack. This assumes that organisations have adequate defences in place.
In percentage terms, it remains highly unlikely that a legitimate business will be attacked, with the bulk of attacks launched against home users and small sites after disputes in online games or forums.
But should an organisation find itself a target, “proportionally it’s much more expensive to defend against a botnet attack than it is to execute one,” Turner said. “It’s inexpensive to set up a botnet, and an attacker can wreak a lot of damage.
“For organisations that are at risk of a botnet attack – potentially any online service from government to e-commerce – they need to understand the impact on their organisation of their customers losing access to their website.”
Brett Winterford contributed to this story.