May 2009


Reflections on a DDoS Attack


In the past few months, there has been a noticeable increase in the number of DDoS (distributed denial of service) attacks being launched against large and small targets on the Internet.  For example, during the last 120 days, all suffered large scale DDoS attacks that affected their ability to operate normally.  These attacks have also been directed at smaller web site operators, with sometimes devastating effects.

I recently worked with a client who was the target of DDoS attack.  This client operates a number of medium volume web sites.  The attack lasted over a week and caused interruptions to the business as well as to the visitors of the sites.  Below are some of the lessons learned from dealing with this incident and how you can help mitigate such attacks against your own networks or those of your clients.

1)  The most important thing you can do to mitigate a DDoS attack is have an incident response plan in place prior to the attack.  Don’t wait until you are in the heat of the moment to figure out how you will react.  You must have a plan in place before the attack begins so that you will be prepared and everyone will know what their responsibilities are.  The plan should include the incident response team, the team leader, internal communications mechanisms, involvement with service providers, public relations, outside security vendors, and any other people who need to be involved with the response.

2)  A high quality firewall, properly placed in the network architecture, can mitigate many types of DoS attacks.  Most leading firewalls, from vendors such as Juniper, Cisco, Checkpoint and Fortinet, can detect and block SYN, ICMP, and UDP floods.  They are also capable of blocking other types of DoS attacks based on protocol anomalies and signatures.  But what we found to be most useful was source IP rate limiting.  This defense mechanism allows the administrator to define a limit on the number of sessions that a single IP can establish.  During a DoS attack, it is typical to see very high numbers of connections from the attacking systems, even when the attack is distributed.

3)  No defense mechanism is very helpful if you don’t have much bandwidth.  If bandwidth is limited, a DoS attack can saturate the network and prevent legitimate users from being able to connect to your systems.  No firewall can help in this situation.  This is why it is important to have a good relationship with your hosting provider or ISP and have a plan in place to deal with these types of attacks.  Ensure that your provider can add additional bandwidth if necessary and that charges will be limited due to the situation.

4)  Some attacks operate at the application layer and, as a result, can be much more difficult to address.  Many firewalls have limited capacity to deal with application layer attacks.  This capability is becoming more common, but still may not be helpful if the attacking systems are sending massive numbers of GET requests, for example.  Other tools you should have in your arsenal are a reverse proxy, an application layer firewall, and an IPS.  These tools will give you additional capabilities to write your own rules and block more sophisticated application layer attacks.
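The source IP rate limiting described in point 2 and the GET-flood problem in point 4 come down to the same check: count what each source has done in a recent window and stop serving it once it passes a limit. The following Python script is an added example, not code from the original post or from any of the firewall or proxy products it names. It replays constructed Apache/nginx "combined" format access log lines (the IP addresses are from documentation ranges, and the window and limit values are assumptions to be tuned to real traffic) through a sliding-window per-source limiter and reports which sources would have been throttled.

```python
"""Per-source request rate limiting over web access log lines.

Added example. A source IP is throttled once it has made LIMIT requests
within the last WINDOW_SECONDS; this is the per-IP session limit from the
firewall discussion applied to HTTP requests at the application layer.
The log lines below are constructed sample data, not a real capture.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

WINDOW_SECONDS = 10   # assumed window length; tune to your traffic
LIMIT = 5             # assumed requests allowed per source per window

# "combined" log format; only the fields this script needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample: one noisy source (203.0.113.7) and one normal visitor.
SAMPLE_LOG = """\
198.51.100.20 - - [10/May/2009:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [10/May/2009:10:00:01 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [10/May/2009:10:00:01 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [10/May/2009:10:00:02 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [10/May/2009:10:00:02 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [10/May/2009:10:00:03 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [10/May/2009:10:00:03 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [10/May/2009:10:00:04 +0000] "GET / HTTP/1.1" 200 512
198.51.100.20 - - [10/May/2009:10:00:05 +0000] "GET /about.html HTTP/1.1" 200 512
203.0.113.7 - - [10/May/2009:10:00:15 +0000] "GET / HTTP/1.1" 200 512
198.51.100.20 - - [10/May/2009:10:00:20 +0000] "GET /contact.html HTTP/1.1" 200 512
this line is not a valid log entry and is skipped
"""


def parse_line(line):
    """Return (ip, timestamp, method, path) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path")


class SourceRateLimiter:
    """Sliding-window counter keyed by source IP (log lines must be in time order)."""

    def __init__(self, limit=LIMIT, window=WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self.hits = defaultdict(deque)   # ip -> timestamps of recent allowed requests

    def check(self, ip, ts):
        """Return True if the request is within the limit, False if it should be dropped."""
        q = self.hits[ip]
        # Expire timestamps that have fallen out of the window.
        while q and (ts - q[0]).total_seconds() >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(ts)
        return True


def analyze(lines, limit=LIMIT, window=WINDOW_SECONDS):
    """Replay log lines; return (blocked requests per ip, allowed requests per ip)."""
    limiter = SourceRateLimiter(limit, window)
    blocked = defaultdict(int)
    allowed = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, _, _ = rec
        if limiter.check(ip, ts):
            allowed[ip] += 1
        else:
            blocked[ip] += 1
    return dict(blocked), dict(allowed)


def flagged_sources(lines, limit=LIMIT, window=WINDOW_SECONDS):
    """Sources that had at least one request dropped by the limiter."""
    blocked, _ = analyze(lines, limit, window)
    return sorted(blocked)


if __name__ == "__main__":
    blocked, allowed = analyze(SAMPLE_LOG.splitlines())
    for ip in sorted(set(blocked) | set(allowed)):
        print(f"{ip:15} allowed={allowed.get(ip, 0)} blocked={blocked.get(ip, 0)}")
```

On the sample, the noisy source gets its first five requests through, has the next two dropped, and is allowed again once the window has slid past its burst, while the normal visitor is never touched. Two caveats matter when setting the limit in practice: it has to sit above what a legitimate NAT gateway or corporate proxy produces, or real users behind one address will be throttled, and a per-source limit only helps when individual attacking hosts are noticeably noisier than normal visitors, which is why the post also stresses provider bandwidth and scrubbing services for attacks that spread load thinly across many sources.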

5)  Finally, in the event that a DoS attack is sustained and the above mentioned mitigation techniques are not proving successful, there are DDoS mitigation service providers that can be very effective at mitigating these attacks.  These services tend to be very expensive and usually need to be in place prior to the attack.  It requires routing your traffic through the service provider’s network so that when an attack occurs, mitigation can be applied and the traffic scrubbed.  Companies such as Tata Communications, Prolexic, and AT&T all offer this type of service.  If you are a large enterprise, you can purchase your own hardware to mitigate DDoS attacks from vendors such as Arbor or Cisco.  Plan to spend a significant sum on such devices.

Denial of service attacks can be very difficult and expensive to defend against.  It is very important to plan ahead for this eventuality as waiting until the attack is in progress will lead to more downtime, greater expense, dissatisfied customers and unhappy management.  If you manage even a moderately popular web site, start planning now for how you will respond to a DoS attack.  Odds are that it is only a matter of time before you will have to face this situation.

Airport Security Theater


has written extensively on the airport security practices that have been implemented since the 9/11 attacks and for the most part, he views them as “security theater”. This term is used to describe security countermeasures that provide the feeling of improved security or safety, but in actuality provide little, if any, benefit. Examples of such practices include the No-Fly List, random searches of passengers, and the banning of liquids in containers larger than 3.4 ounces. None of these practices actually improve airline security at all, but rather provide the illusion of improving security.

I recently took an international flight on American Airlines where I experienced an egregious example of security theater. It was even worse than theater, because it didn’t even provide the illusion of added security. On the flight home, I had a piece of luggage that I had carried on as well as a backpack. Of course I went through the usual screening and security process where my bags were x-rayed and checked for prohibited items. However, prior to boarding the plane, all passengers had to submit their items for search again. There were about 5 AA staff who forced us to open our carry-ons so that they could look in the bags. This search was cursory at best, and if I had a hand gun, for example, in the bottom of the bag, it would not have been detected. The staff were not conducting a thorough search of the bags and in fact, seemed disinterested.

This type of security theater adds absolutely nothing to flight safety. My bags had already been examined when I went through the normal security process. If I had a prohibited item in my carry-on luggage, presumably it should have been detected then. The second search was pointless. Such countermeasures cost money for the airlines, passengers, and tax payers while providing zero value.

One of the hallmarks of risk management is performing a risk analysis. A risk analysis should include an assessment of the value of the asset being protected, the cost of the countermeasure and the probability of the loss of the asset. If the cost of the countermeasure outweighs the amount of the expected loss of the asset, then the countermeasure should not be implemented. As an example, if the value of the plane is $10,000,000, but the probability of a terrorist planting a bomb on the plane is .01%, then the loss expectancy is $1000. I don’t know the actual probability of a terrorist attack on any particular plane, but I suspect it is VERY low and .01% is probably not unreasonable. Having 5 or 6 staff search the bags of every passenger on a flight certainly costs more than $1000 in terms of lost time, inconvenience and employee salaries. Based on typical risk analysis it appears this countermeasure is not a good use of limited resources. Thus, I can only conclude that this is being done to provide the illusion of security, in other words, security theater.

Copyright © 2011 InfoSecStuff.com — All Rights Reserved