In the past few months, there has been a noticeable increase in the number of DDoS (distributed denial of service) attacks being launched against large and small targets on the Internet. For example, during the last 120 days, all suffered large scale DDoS attacks that affected their ability to operate normally. These attacks have also been directed at smaller web site operators, with sometimes devasting effects.
I recently worked with a client who was the target of DDoS attack. This client operates a number of medium volume web sites. The attack lasted over a week and caused interruptions to the business as well as to the visitors of the sites. Below are some of the lessons learned from dealing with this incident and how you can help mitigate such attacks against your own networks or those of your clients.
1) The most important thing you can do to mitigate a DDoS attack is have an incident response plan in place prior to the attack. Don’t wait until you are in the heat of the moment to figure out how you will react. You must have a plan in place before the attack begins so that you will be prepared and everyone will know what their responsibilities are. The plan should include the incident response team, the team leader, internal communications mechanisms, involvement with service providers, public relations, outside security vendors, and any other people who need to be involved with the response.
2) A high quality firewall, properly placed in the network architecture can mitigate many types of DoS attacks. Most leading firewalls, from vendors such as Juniper, Cisco, Checkpoint and Fortinet, can detect and block SYN, ICMP, and UDP floods. They are also capable of blocking other types of DoS attacks based on protocol anomalies and signatures. But what we found to be most useful was source IP rate limiting. This defense mechanism allows the adminsitrator to define a limit on the number of sessions that a single IP can establish. During a DoS attack, it is typical to see very high numbers of connections from the attacking systems, even when the attack is distributed.
3) No defense mechanism is very helpful if you don’t have much bandwidth. If bandwidth is limited, a DoS attack can saturate the network and prevent legitimate users from being able to connect to your systems. No firewall can help in this situation. This is why it is important to have a good relationship with your hosting provider or ISP and have a plan in place to deal with these types of attacks. Ensure that your provider can add additional bandwidth if necessary and that charges will limited due to the situation.
4) Some attacks operate at the application layer and as a result, can be much more difficult to address. Many firewalls have limited capacity to deal with application layer attacks. This capability is becoming more common, but still may not be helpful if the attacking systems are sending massive numbers of GET requests for example. Another tool you should have in your arsenal is a reverse proxy, an application layer firewall and and IPS. These tools will give you additional capabilities to write your own rules and block more sophisticated application layer attacks.
5) Finally, in the event that a DoS attack is sustained and the above mentioned mitigation techniques are not proving successful, there are DDoS mitigation service providers that can be very effective at mitigating these attacks. These services tend to be very expensive and usually need to be in place prior to the attack. It requires routing your traffic through the service provider’s network so that when an attack occurs, mitigation can be applied and the traffic scrubbed. Companies such as Tata Communications, Prolexic, and AT&T all offer this type of service. If you are a large enterprise, you can purchase your own hardware to mitigate DDoS attacks from vendors such as Arbor or Cisco. Plan to spend a significant sum on such devices.
Denial of service attacks can be very difficult and expensive to defend against. It is very important to plan ahead for this eventuality as waiting until the attack is in progress will lead to more downtime, greater expense, dissatisfied customers and unhappy management. If you manage even a moderately popular web site, start planning now for how you will respond to a DoS attack. Odds are that it is only a matter of time before you will have to face this situation.