How to Protect against Denial of Service Attacks: Refresher

Wednesday, October 03, 2012

Stephen Marchewitz


With all of the information about DoS attacks in recent months, it is easy to blame banks and say that they didn’t have the proper security controls in place to withstand this type of attack, but in reality things are not that simple.  So, how does this happen? Is it preventable? And, what can you do about it?

Many of us in the security field are fully aware of what a Denial of Service (DoS) attack is and ways to mitigate the impact. We can deploy firewalls with anti-DoS capabilities, anomaly detectors to analyze and pass through the legitimate packets, and perform system hardening. All of these controls can minimize or nullify most DoS attacks.


DDoS attacks, on the other hand are much more challenging to resolve and nearly impossible to prevent. The challenge stems from the taxonomical difference between a DoS and DDoS. A DoS is classified as an attack carried out by one system, whereas, a DDoS attack is carried out by multiple systems, which can reach numbers in the tens to hundreds of thousands. This difference changes the characteristics of the attack. In a DoS scenario, the threat agent is attacking the system by either exhausting the system resources or crashing it. Opposingly, a DDoS directly attacks a company’s bandwidth capacity. It does attack a system, in that it is flooding a specific IP or range of IP addresses; however, the direct attack is against the company’s bandwidth. It is common in a DDoS attack that the entire organization’s internet presence is out of commission, even if they are only attacking one system.

How to get ahead of it

Being proactive and setting up the controls in order to prevent a DDoS attack from affecting business operations is not possible, at least not from a corporate level currently. That taxonomical difference between DoS and DDoS means that deploying our conventional arsenal of tools will not lead to resolution. You can deploy firewalls, IDS/IPS/HIPS, anomaly detectors, application firewalls, and much more, but your bandwidth is already consumed by that point – game over. At the fore, you can stop the illegitimate packets from making their way to your system, but the attack already consumed your bandwidth, so you cannot respond back to the request. The only thing you can do is identify what the problem is, call your ISP, and pray that you still have a good working relationship with them.

Quick identification of DDoS is critical

The first step is identification. Being able to definitively define what the problem is can make the difference between a quick recovery or twiddling your figures wondering why you are still down after you applied additional controls. While prevention may be impossible, identification is relatively easy. This can be accomplished by having monitoring systems that analyze netflow for bandwidth trending, firewall logs for understanding what is being attacked, and an IDS to identify the type of traffic. By using some of these resources, you will be able to identify the attack quickly and effectively.

So how do ISPs resolve the issue? Networkers have lost all of their mystical abilities the moment the masses learned that it was possible for them to understand how to subnet. Instead, it is an eclectic approach utilizing remotely triggered black hole routing and analyzing backscatter. Using both of these tools in concert, allows an ISP to identify where the traffic is coming from.

Remotely Triggered Black Hole (RTBH) routing is the process of dropping traffic based on source or destination addresses. If the attacker is spoofing their source address, then the ISP will have to trigger the black hole based on the destination address. Yes, that is right; in order to stop the attack the ISP will have to impart its own Denial of Service. The ISP creates a trigger, which gets propagated through BGP, the internet’s routing protocol. In order to black hole the traffic, the ISP has the router send it to a “null” interface. The null interface is not a physical interface on a router, but a logical one that can be used to effectively drop traffic. Once the router drops the traffic, it provides a useful response. It sends an ICMP packet to the attacker’s source address. This response is known as backscatter. Now since the original source address has been spoofed, the value is not where the router sends the packet. Instead, the value is the router that sent it. When the router sends the ICMP response, it replies with its IP address as the source. The ISP records the router’s response and it provides them with a useful metric. If they notice one entry point into the network generating 100 ICMP responses, in relation to their RTBH configuration, then they can be assured that the attacker is not located off that entry point. However, if they noticed that one of the entry points has generated responses numbering 500,000 packets per second, they know it is one of the points of contention. This is usually an iterative process involving many ISPs. Each of these ISPs follows the same process until they are able to identify the offending networks. Once they are able to identify the attacker, then they are able to configure Access Control Lists (ACLs) in order to stop the DDoS.

Neutralizing the Threat
With additional help, companies are able to neutralize the current threat and resume business operations. We may never know the true motive behind that attack, but it serves as a stark reminder that the threat is real. In order to mitigate this threat, ISPs will need to combine their efforts. It would take a global effort on the part of the ISPs. Until then, the capabilities are there to deal with the issue when it arises on a per incident basis. Remember, in order to facilitate a quick recovery, verify that you have the tools in place to detect the attack, the knowledge resources that understand what to do, and a good relationship with your service provider. Help is out there if you need it.

Learn how SecureState can enhance your information security to protect your organization from a DDoS threat. Content compiled by the SecureState staff. 

Possibly Related Articles:
Network->General Enterprise Security
Denial of Service Attacks DDoS Network Security IDS/IPS
Post Rating I Like this!
Marc Quibell Let's say this is a common botnet. DDoS right? So, the scenario is, several unsuspecting Internet users are unknowingly DDoS'ing a target. So, my first question is, who are you going to blackhole and advertise through BGP? The target (since the sources will be random and spoofed)? So now you've brought down any routes to the target? You are talking about the ISP closest to the target correct? And then, the goal would be to, one-by-one, acl the sources (hundreds, thousands of them) closest to their source ISPs? Just trying to get this straight, thanks....
Stephen Marchewitz Correct..botnets are commonly used to launch DDoS attacks. However it’s worth noting that DDoS is a pretty generic term so there are a variety of ways to launch DDoS attacks and different types of attacks require different defenses to stop them. For the example you list in the comments a plan of attack would be to write a signature that detects the DDoS traffic sent out by the botnet and use that to generate ACLs to block the source traffic. For a common DDoS attack which simply floods the target with traffic it is recommend the ACLs be put in place at your ISP so your connection to the internet isn’t flooded.

It’s also worth noting that individuals who launch DDoS attacks often have a variety of methods they can use to try to take down a site. So once you block on attack type they will often switch to a new attack type. This is why having a good response plan is critical and it is important to remain vigilant once the first attack has been blocked.
If you'd like more info, feel free to email me and I can get some members of the SecureState team for discussion.
Marc Quibell Creating a sig to rewrite an acl places the processing overload on the device processing the ACL, and the device used to identify the malicious traffic. Namely your border router. But since you mentioned the ISP router, they wouldn't do something like that without a fee. Some ISP's already offer DDoS mitigation services. I know for sure that AT&T offers these services.

Some of the best DDoS prevention tools come in a reverse-proxy package, if folks are looking to take care of this internally. Nginx is an open-sourced reverse-proxy that can be configured to mitigate the most common forms of DDoS attacks.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.