Let’s say you’re throwing a party for your recent job promotion. You invite all your friends and colleagues. But before they show up, many other guys, total strangers to you, come, get into the party uninvited, have all the food and drinks, hit the dance floor, and now when your invited guests arrive, you’ve no place to accommodate them and no food or beverages to offer them. Bizarre, right? That’s what happens when your organization’s IT infrastructure faces a DDoS (Distributed Denial-of-Service) attack. Still don’t get it? Let’s make it easier for you. Time for a love story.
Say Romeo wishes to talk to Juliett. He sends her a text message. Juliett gets this message, blushes and replies: “I got your message Romeo, let’s talk.” Romeo gets this message, and everything is so cheery. Romeo and Juliett now carry on a romantic chat. Life is good.
But Juliett is a popular girl in town. Some jealous, heartbroken and mischievous fellas distribute her number to everyone, and now Juliett is getting a truckload of messages. They fill up all her phone memory and she is not able to get Romeo’s messages. Now Romeo, the person who actually wants to talk to her, is aggravated and concludes that the cell phone towers are conspiring against their love. Romeo is sad. Life is bad.
And now it’s time for you to connect the dots and draw the analogies. In computing, a DDoS attack is an attempt to make a machine or network resource unavailable to its intended users by saturating the target machine with heavy external communication requests, so that it cannot respond to legitimate traffic, or responds so slowly as to be rendered essentially unavailable. For instance, if Bank X’s website suffers a DDoS attack, it becomes inaccessible to Bank X’s customers, which inconveniences them because they can’t use online payment or other services, thereby also hurting the bank’s reputation and causing short-term financial losses.
So if you own a professional website, this is how a DDoS attack will affect you:
Hmm. I understand the basic premise. I think I know how to deal with it.
Really? You haven’t understood anything at all. A toddler can prevent his diapers from getting spoiled better than you can protect your website from a DDoS attack at this point. To defend yourself from a DDoS attack, you need to understand the whole threat landscape and the number of ways in which your website/server can be targeted.
Every organization, large or small, is now a potential target:
Until recently, some level of technical skill was required to launch a DDoS attack, and attackers tended to focus on the largest and most visible companies and government entities. But not now. A thriving underground economy brazenly advertises easy-to-use DDoS tools and “botnets for hire” that can help a teenager sitting in pajamas attack your website even before having his first sip of morning coffee. This means anyone with a personal grudge or political grievance can easily sponsor or launch an attack.
On 6th August, 2009, Twitter was the target of a distributed denial of service (DDoS) attack. On that morning, for two hours, nobody could access their Twitter account, so they couldn’t post any new tweets or interact with other tweeters. While such attacks are well covered by the media, what is less known is the number of attacks targeting smaller businesses for a wide range of reasons. Some recent examples include the CEO of Russia’s largest online payment processing firm, ChronoPay, being arrested in 2011 for hiring a hacker to DDoS a rival firm. So if you considered your organization invulnerable and not big enough to attract a DDoS, it’s time for you to rethink.
Attacks continue to get larger and more complex: Let’s deal with the ‘larger’ part first. High-bandwidth attacks, also called volumetric attacks, flood the network with illicit traffic generated by botnets. The variety and size of volumetric threats have grown rapidly over the last few years. The average size of DDoS attacks increased by 27 percent in 2012 and is now consistently in excess of 1 Gbps, a level that had previously functioned as an unofficial benchmark for large attacks.
Now, the ‘complexity’ of attacks. More recently, application-layer attacks have started targeting enterprises. Rather than the usual volumetric network-layer attack which floods the network, an application-layer attack targets applications within websites, such as forms that require the site to perform requests for information. These attacks are far more difficult to identify, because they appear to be legitimate requests. Further, they consume far less bandwidth than traditional DDoS attacks that flood a network with traffic. In the absence of such intense traffic spikes, victim organisations may not even realize they are under attack and may look for more benign explanations for unresponsive websites, such as application or system issues. Because application-layer attacks do not require huge volumes of traffic, the attacker needs fewer resources: they can be executed even from a single computer, rendering websites inaccessible to legitimate users.
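Because an application-layer flood hides inside ordinary-looking requests, the signal to look for is not bandwidth but how often one client hits the endpoints that make the server do real work (search forms, logins, checkouts). The following is an added example, not code from the original post: a small sliding-window detector run over constructed access-log lines. The IP addresses, paths, window size and threshold are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+)'
)

# Assumed "expensive" endpoints: each request triggers form handling or a DB query.
EXPENSIVE_PREFIXES = ("/search", "/login", "/checkout")


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"), "ts": ts, "method": m.group("method"),
        "path": m.group("path"), "status": int(m.group("status")),
        "bytes": int(m.group("bytes")),
    }


def is_expensive(method, path):
    """Any POST, or a GET to an endpoint that makes the server work, counts as expensive."""
    return method == "POST" or path.startswith(EXPENSIVE_PREFIXES)


def detect_app_layer_flood(lines, window_s=10, threshold=20):
    """Return {ip: (peak_expensive_requests_in_window, total_bytes_served)} for clients
    that exceeded `threshold` expensive requests inside any `window_s`-second window.
    Lines are assumed to be in chronological order, as a real log file is."""
    windows = defaultdict(deque)   # ip -> timestamps of recent expensive requests
    peak = defaultdict(int)
    total_bytes = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        total_bytes[rec["ip"]] += rec["bytes"]
        if not is_expensive(rec["method"], rec["path"]):
            continue
        q = windows[rec["ip"]]
        q.append(rec["ts"])
        # Drop timestamps that have slid out of the window.
        while (rec["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        peak[rec["ip"]] = max(peak[rec["ip"]], len(q))
    return {ip: (n, total_bytes[ip]) for ip, n in peak.items() if n > threshold}


def build_sample_log():
    """Constructed log lines (not real traffic): one normal visitor browsing for a
    minute, and one client hammering the search form for eight seconds."""
    base = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)

    def fmt(ip, offset_s, method, path, size):
        ts = (base + timedelta(seconds=offset_s)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" 200 {size}'

    events = []
    pages = ["/", "/about", "/search?q=shoes", "/products/42", "/contact"]
    for i, path in enumerate(pages):              # normal visitor, big pages, slow pace
        events.append((i * 12, fmt("198.51.100.5", i * 12, "GET", path, 8000)))
    for i in range(30):                           # 30 searches in ~8 s, small responses
        t = 20 + i // 4
        events.append((t, fmt("203.0.113.7", t, "GET", "/search?q=x", 900)))
    return [line for _, line in sorted(events)]


if __name__ == "__main__":
    for ip, (n, nbytes) in detect_app_layer_flood(build_sample_log()).items():
        print(f"{ip}: {n} expensive requests in one window, only {nbytes} bytes served")
```

Note what the numbers show: the flagged client is served far fewer bytes than the legitimate visitor, so a bandwidth graph would never reveal it; only per-client request rate against expensive endpoints does. In production you would feed this from the web server’s access log in near real time and tune the window and threshold to your own traffic.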
Ok. I understand the gravity of the threat. But I already have a firewall and other security systems installed to protect myself.
No. You are trying to counter a bazooka attack with a pocket knife. Attacks that flood the network with illicit traffic render existing infrastructure devices such as firewalls and Intrusion Prevention Systems useless. To add to the problem, because these devices (firewalls etc.) maintain state for every session established between a client on the Internet and the corresponding server, they themselves become targets of DDoS attacks. More than 40% of those who have deployed these devices experienced critical firewall and/or IPS failure as a direct result of a DDoS attack.
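To see why a stateful device becomes the victim, it helps to model the session table it keeps. The block below is an added illustration, not code from the original post: a toy session table with a fixed capacity, fed a constructed burst of connection attempts that never complete their handshake, followed by one real client. Capacity, timeout, addresses and the flood size are all assumed values. Run once without any aging of half-open entries and once with it, the table shows the difference between a device that falls over and one that recovers.

```python
from collections import OrderedDict


class SessionTable:
    """Toy model of the per-connection state a stateful firewall keeps (constructed)."""

    def __init__(self, capacity, half_open_timeout=None):
        self.capacity = capacity                  # max sessions the device can track
        self.half_open_timeout = half_open_timeout  # seconds before an unfinished handshake is aged out
        self.entries = OrderedDict()              # (src, sport, dst, dport) -> {"state", "last_seen"}
        self.dropped = 0                          # connection attempts refused for lack of room

    def _expire(self, now):
        """Age out half-open entries older than the timeout (no-op when no timeout is set)."""
        if self.half_open_timeout is None:
            return
        stale = [k for k, v in self.entries.items()
                 if v["state"] == "half_open" and now - v["last_seen"] > self.half_open_timeout]
        for k in stale:
            del self.entries[k]

    def syn(self, key, now):
        """A client starts a handshake; return True if the device could track it."""
        self._expire(now)
        if key in self.entries:
            return True
        if len(self.entries) >= self.capacity:
            self.dropped += 1
            return False
        self.entries[key] = {"state": "half_open", "last_seen": now}
        return True

    def ack(self, key, now):
        """The client completes the handshake; only tracked sessions can be established."""
        entry = self.entries.get(key)
        if entry is None:
            return False
        entry["state"] = "established"
        entry["last_seen"] = now
        return True


def run_flood_then_legit(table, flood_size=200):
    """Constructed scenario: `flood_size` handshakes from distinct addresses that are never
    completed, then one real client at t=5s. Returns whether the real client got through."""
    for i in range(flood_size):
        key = (f"10.0.{i // 256}.{i % 256}", 40000, "192.0.2.10", 443)
        table.syn(key, now=i * 0.01)              # all arrive within the first 2 seconds
    legit = ("198.51.100.5", 51515, "192.0.2.10", 443)
    opened = table.syn(legit, now=5.0)
    return opened and table.ack(legit, now=5.1)


if __name__ == "__main__":
    unprotected = SessionTable(capacity=100)
    print("no aging      -> real client connected:", run_flood_then_legit(unprotected),
          "| dropped:", unprotected.dropped)
    protected = SessionTable(capacity=100, half_open_timeout=3.0)
    print("3 s aging     -> real client connected:", run_flood_then_legit(protected),
          "| dropped:", protected.dropped)
```

The point for the defender is that the flood never touches the server; it exhausts the device in front of it. Aging half-open entries aggressively (or not holding per-connection state at all until the handshake completes, which is what SYN cookies achieve) is what keeps room for legitimate sessions. Note that with a flood this small the aging works only because the attempts stop; a sustained flood larger than the capacity per timeout period still needs upstream filtering, which is exactly why the dedicated tools described next exist.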
This is getting ridiculous. I am feeling more helpless than Thakur in ‘Sholay’. What do I do now?
Not an issue, Jai and Veeru are here. Jai will help you with the technical infrastructure you need and Veeru will guide you through the financial aspects. Veeru first.
The first thing you need to do for preparing against a DDoS is incorporating DDoS threat risk into your IT Security Budgets. Gain an understanding of the cost of service outages. In other words, determine what the hourly cost will be to your business if the website is down or disabled due to an attack. The hourly cost of downtime will be unique to each business but generally comprises the following elements:
And now the technical aspects. Defending against denial of service attacks typically involves a combination of attack detection, traffic classification and response tools, which aim to block traffic identified as illegitimate and allow traffic identified as legitimate. A list of prevention and response tools is provided below:
Application front end hardware:
Application front end hardware works just like the frisking you go through before entering the cinema hall. It is an intelligent hardware placed on the network before traffic reaches the servers. It analyzes data packets as they enter the system, and then identifies them as priority, regular, or dangerous.
IPS based prevention:
Intrusion-prevention systems (IPS) are effective if the attacks have signatures associated with them. An IPS analyzes traffic granularly and continuously monitors the traffic pattern to identify any anomaly. It lets the legitimate traffic flow while blocking the DoS attack traffic. However, an IPS that works on content recognition cannot block attacks that combine high bandwidth with application-based techniques. To stop both of these types of attacks, a layered approach can be used.
DDS based defense:
As already mentioned, an IPS is effective only if the attacks have signatures associated with them. However, the recent trend among attacks is to have legitimate content but bad intent (like your neighbours who have an ever-smiling face in front of you, but are secretly jealous of your kid getting into an IIT).
DDS to the rescue! More focused on the problem than an IPS, a DoS Defense System (DDS) is able to block connection-based DoS attacks and those with legitimate content but bad intent.
Blackholing and sinkholing:
With blackholing, all the traffic to the attacked DNS name or IP address is sent to a “black hole” (a null interface, a non-existent server, etc.). To be more efficient and avoid affecting network connectivity, this can be managed by the ISP.
Sinkholing instead routes the traffic to a valid IP address, where it is analyzed and the bad traffic is rejected. Sinkholing is not efficient for the most severe attacks.
All traffic is passed through a “cleaning center” or “scrubbing center”, via various methods such as proxies, tunnels or even direct circuits, which separates out the “bad” traffic and sends only the good traffic on to the server.
Finally, after going through everything, remember that in case you do face a DDoS attack, it’s not easy to trace the source, because attackers can cover their tracks in a number of ways: they can attack using fake IPs, zombies or proxies, or from an underground network. This is why online organizations should ensure that they are well protected from DDoS attacks at all times, so that their business does not suffer unnecessary downtime due to malicious attackers. As they say, prevention is better than cure.
Any other tips/advice that I’ve missed? Use the comments section.