Distribute This Denial of Service Checklist
By Paul Rubens
August 27, 2004
A distributed denial of service (DDoS) attack on your corporate Web site can be a terrifying thing. First traffic levels start rising, then your network gets clogged. Before long your servers stop coping, and within a few minutes your customers find your Web site is unreachable. As far as the Internet is concerned, your company has ceased to exist.
The important thing to realize about DDoS attacks is that they aren't going to go away, and there's no way of preventing them. They have been around for a very long time, and they are getting easier to carry out. That's because there are increasing numbers of poorly secured home PCs with always-on Internet connections just waiting to be discovered and taken over by hackers. These compromised PCs are incorporated into attack networks, where they remain dormant until a short burst of command and control traffic activates them and turns them into crazed attack zombies, firing off data at a target host until -- the hacker hopes -- it disappears under a deluge of unwanted packets.
"Most DDoS attacks start as sharp spikes in traffic, but if you can't tell the difference between a flash crowd of legitimate visitors and the start of a DDoS attack you are already in trouble."
As a responsible network administrator, it's prudent to assume that if it hasn't faced one yet it's only a matter of time before your organization faces a DDoS attack. This could be orchestrated by some mindless teenaged cretin, or, as a number of gambling sites have discovered, by more sinister underworld blackmailers. Whoever it happens to be, the important question is what can you do to mitigate the damage it could cause?
Getting to Know Your Net
"As with any disaster, the key to surviving a DDoS attack is planning ahead," says Allen Householder, Internet security analyst at US-CERT, a partnership between the Department of Homeland Security and the public and private sectors established to protect the nation's Internet infrastructure.
An important first step is to familiarize yourself with your typical inbound traffic profile, Householder advises. "The more you know about what your normal traffic looks like the better the position you are in to spot when its profile changes," he says. "Most DDoS attacks start as sharp spikes in traffic, but if you can't tell the difference between a flash crowd of legitimate visitors and the start of a DDoS attack you are already in trouble." There are plenty of network tools on the market which enable you to look at traffic flows and protocols, and if you can see the traffic going across your network you can analyze it and see if it changes.
Bandwidth is also worth considering. The principal of a DDoS attack is that your entire system becomes overwhelmed by too much traffic, and the smaller the pipe into your organization the easier it will be to overwhelm it. "Having excess capacity is always a good thing," says Householder. "But we have witnessed attacks that have taken down the largest portals, so you are never going to have enough capacity to handle all circumstances."
And having a monstrous amount of bandwidth available is only any use if your servers can handle the requests fired at them. It's wise to over-provision to cope with peaks in expected demand, and you may design your infrastructure to cope with traffic which is, say, 50 or 100 per cent higher than normal levels. But during a DDoS attack traffic may jump to a thousand times the normal levels, and who can afford to have a thousand times the resources normally required held in reserve in case of a DDoS attack? Even then, there would be no guarantee that would be enough.
The Managed Hosting Option
It's possible to make the case that Web sites stand the best chance of surviving a DDoS attack if the servers are sited in a large managed hosting facility. That's because there's likely to be very large amounts of bandwidth, servers and other network infrastructure available -- far more than is required for your site alone. During an attack it would be far easier to commit some of these resources to supporting your Web presence.
"A DDoS attack overwhelms your network infrastructure, and the smaller that is, the easier it is to overwhelm it, says Paul Froutan, VP of Engineering at San Antonio, Texas-based managed hosting company Rackspace. "At our facilities we have gigs of connectivity and big switches, so we are less likely to be overwhelmed," he says.
Of course big bandwidth means that instead of overwhelming your network connection, a DDoS attack just overwhelms the next weak link: your servers. Hosting companies like Rackspace also use -- and share the cost of -- DDoS mitigation devices such as Cisco Guard. These spot traffic anomalies to help detect DDoS attacks, and then divert traffic destined to a site under attack, enabling it to be filtered so that legitimate traffic is passed through while attack traffic is rejected. In practice up to 90 percent of unwanted traffic can be stopped using mitigation devices, Froutan says, giving your Web presence a good chance of remaining visible to most, if not all, Internet users. Of course there is nothing to stop your organization from buying its own mitigation device, but clearly there are economies of scale to be had when a hosting facility owns and manages one for all its customers together. Engineers at a hosting facility are also likely to face DDoS attacks more regularly than those at a single organization, so the speed of response is likely to be quicker.
Grin and Bear It? Or Step Out of the Way?
There are other measures that can be taken to mitigate the effect of an attack, and some of these are very simple. You could rate limit your router to prevent your Web server being overwhelmed -- some legitimate traffic would get through, which is better than no traffic at all. You could simply take your Web server offline for the duration of the attack, although some would argue that by doing this you are effectively doing the DDoS attacker's work for him, by ensuring the attack successfully makes your server unreachable.
And there are steps you can take if you are well enough prepared. For example, you can seek help from your upstream provider -- but only if you know who to contact and how to contact them.
So which of these measures should you take to mitigate the damage a DDoS attack could cause? Each organization is different, and it's really up to you to run your own cost-benefit analysis before deciding. One thing is for sure though: Ignoring the very real threat of DDoS attack is likely to cost your organization dearly, both in monetary terms and in the reputation you have with your customers.