Don’t be its next victim: DDoS, simple but deadly

In the world of network security, much effort is concentrated on preventing security holes in operating systems, hardware and software, and even on physically securing the hardware itself, all to prevent unauthorized access to system resources.

There is little doubt that exposure of internal system resources to unauthorized access, whether through a leak, brute-force password attacks, SQL injection, zero-day exploits, or social engineering, can be devastating. However, with user precautions such as strong passwords stored as salted hashes, these vulnerabilities can be tightened up. Application vulnerabilities can be patched, and it is always good practice to stay up to date with the most recent signature/definition databases.

However, what you do NOT have control of is the line that connects you to the outside world, and that link is a crucial component for any modern business. If you have a website you have a web server, and that server can host many different kinds of content. Video game companies have game servers that host players, e-commerce platforms hold product data and client information, cloud services host large amounts of user data, and so on. Many SMBs have also started migrating their traditional land-lines to VoIP, which also runs over the internet.

This link can become stressed and overwhelmed by a lot of users. Traditionally, we think of that as a good sign for business: more users means more business. But what if all this traffic that is overwhelming the servers is actually fake traffic DESIGNED to saturate your link? That is known as a DoS, or Denial of Service, attack.

DoS attacks are incredibly simple to perform; there are many utilities out there that can craft packets and send them to a specific destination. While a DoS attack from a single host (say a consumer-grade PC) usually can't generate enough traffic on its own, a DoS attack from a machine with a powerful multi-core CPU can still overwhelm small business links and servers.

With the advent of PC clusters, the force of a DoS attack can be even greater. Thanks to the number of infected computers on the internet, many attackers also have access to what is called a botnet: a group of compromised machines, ranging from a handful to a giant cluster spread across the entire internet, all awaiting the attacker's command to launch a DoS attack. When the attack comes from a botnet or otherwise from multiple sources, DoS becomes DDoS, a Distributed Denial of Service attack.

Common DDoS Methodologies:

  • UDP Packet Flood – Flooding the server with a slew of UDP packets that do not require any response. It consumes bandwidth and server resources to process the packets.
  • TCP SYN Flood – Flooding the server with a slew of TCP SYN packets (the synchronization request that opens a TCP connection) and never sending the final ACK (acknowledgement) after the server replies with its SYN-ACK. This leaves behind half-open TCP connections, which take up bandwidth and server resources.

Simplified DDoS diagram: attackers from different locations synchronize and send malformed/malicious/fake packets all at the same time, causing congestion for legitimate traffic.

DDoS can cause congestion or even take out the entire resource link, resulting in unresponsive servers. These attacks can't be prevented with user caution alone, because the server hosts have no control over incoming traffic from the internet. Once you are connected to the web, you are open to contact. If you are a service provider, you begin receiving user complaints about unresponsive applications; if you are an e-commerce platform, you have customers who are unable to buy from you, resulting in real lost revenue.

However, not all is lost. There are some DDoS prevention methods, and most of the time they involve a hardware appliance that separates good packets from bad ones.

Common DDoS Guard:

  • Set aggressive limits on half-open connections and/or drop half-open connections once that limit is reached.
  • Block source IPs based on monitoring of server requests/packets sent over time.

Appliances such as this one from Arbor Networks monitor traffic and can set temporary or permanent limits on various parameters.
While setting aggressive half-open policies can reduce traffic, it also affects legitimate users, since they too have to go through a half-open state when opening their initial session. The second method, in which an appliance monitors traffic and counts packets over time from every source, is the most reliable and efficient way to filter out unwanted traffic headed towards the server. Although some firewalls have this function, it is best to have a dedicated appliance handle this type of monitoring, because such devices are built for a single purpose and usually come with a larger set of options.
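As an added illustration of the second method (counting packets over time from every source), here is a small Python detector written for this post, not taken from any appliance or firewall. It runs over a constructed packet log and flags sources that exceed a sliding-window packet rate, plus sources holding too many half-open handshakes; the thresholds, window size and addresses are assumed values.

```python
from collections import defaultdict, deque

# Constructed sample packet log: (timestamp in seconds, source IP, TCP flags).
# "S" = SYN, "A" = ACK. The addresses come from documentation ranges.
SAMPLE_LOG = (
    [(0.0, "203.0.113.7", "S"), (0.1, "203.0.113.7", "A")]        # a normal handshake
    + [(0.01 * i, "198.51.100.9", "S") for i in range(120)]       # 120 SYNs, never ACKed
    + [(0.5 + 0.2 * i, "203.0.113.8", "A") for i in range(10)]    # steady, low-rate traffic
)

def rate_offenders(log, window=1.0, max_packets=100):
    """Sources that send more than max_packets within any `window` seconds.

    Keeps one sliding window of timestamps per source (assumed thresholds).
    """
    seen = defaultdict(deque)
    flagged = set()
    for ts, src, _flags in sorted(log):       # process packets in time order
        q = seen[src]
        q.append(ts)
        while q and ts - q[0] > window:       # expire timestamps outside the window
            q.popleft()
        if len(q) > max_packets:
            flagged.add(src)
    return flagged

def half_open_offenders(log, max_half_open=50):
    """Sources holding more than max_half_open handshakes that never completed.

    A SYN opens one half-open slot for its source; the client's ACK closes one.
    """
    half_open = defaultdict(int)
    flagged = set()
    for _ts, src, flags in sorted(log):
        if flags == "S":
            half_open[src] += 1
        elif flags == "A" and half_open[src] > 0:
            half_open[src] -= 1
        if half_open[src] > max_half_open:
            flagged.add(src)
    return flagged

def block_list(log):
    """Union of both detectors: the sources an appliance would temporarily block."""
    return rate_offenders(log) | half_open_offenders(log)

if __name__ == "__main__":
    print(sorted(block_list(SAMPLE_LOG)))     # ['198.51.100.9']
```

The steady 5-packets-per-second source stays unblocked under the default thresholds, which is the point of counting over time rather than acting on a single burst.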

Finally, there is one thing to note about these appliances. They ONLY monitor the traffic at YOUR end of the connection, which leaves the question: what happens to the link between your CPE and your ISP? Although this type of appliance can relieve stress on server resources, it does not do very well at relieving bandwidth stress, since the flood has already crossed your link by the time the appliance sees it. If you would like to go a step further, Arbor Networks also has an appliance that monitors traffic and can send requests to the ISP, which then implements upstream blocking of the malicious IPs. However, this also requires the cooperation of the ISP.

Although simple in execution, DDoS is a real and imminent threat that can cause real lost revenue for many organizations, especially given the many tools out there such as LOIC (Low Orbit Ion Cannon), an open-source program that is intended for network stress testing.