How to Prevent DoS Attacks
A Denial of Service attack can disrupt your organization's web site and network services. Here's how to defend yourself.
Denial of Service (DoS) attacks are among the most feared threats in today's cybersecurity landscape. Difficult to defend against and potentially costly, DoS attacks can cause outages of web sites and network services for organizations large and small. DoS attacks can also be lucrative for criminals, some of whom use these attacks to shake down businesses for anywhere from thousands to millions of dollars.
Any deliberate effort to cut off your web site or network from its intended users qualifies as a DoS attack. Such attacks have been successfully deployed against major online businesses including Visa and Mastercard, Twitter, and WordPress. DoS attacks effectively knock the services offline, costing lost business and negative publicity. They also force IT staff to expend valuable resources defending against the attackers.
If there is a silver lining to DoS attacks, it's this: The objective of the typical DoS attack is not to steal or expose confidential data. Most DoS attacks do not actually breach a company's network, they simply overwhelm it with traffic. In many recent cases, DoS attacks have been used by Anonymous and other hacktivist groups as a form of online protest against corporate and governmental targets whose policies or actions are at odds with the demonstrators.
The exception to this is when a DoS attack is used as a distraction to funnel attention and resources away while a targeted breach attack is being launched. Sony claims that Anonymous used that technique against them in a major 2011 attack that ultimately led to the theft of over 12 million customers' credit card data.
DoS vs. DDoS
The most easily executed type of DoS attack is one that is launched from a single origin. In this attack, a single machine somewhere on the Internet issues a barrage of network requests against a targeted victim machine. The requests themselves can take a variety of forms – for example, an attack might use ICMP flooding via ping requests, or HTTP requests against a web server.
Single-origin DoS attacks can be effective against undefended victims, but they have a few key limitations:
- Victims can block the originating IP address, either at the firewall level (to kill HTTP requests) or further upstream at the ISP level (to kill network-level floods).
- Security tools now exist to detect and prevent ICMP flood attacks. Web servers can be configured to detect and block HTTP request attacks.
- Enterprise products can identify and block single origin attacks as soon as they begin.
These days, the more nefarious type of DoS is called the DDoS, or Distributed Denial of Service attack.
In a DDoS attack, the incoming traffic flooding the victim originates from many different sources – potentially hundreds of thousands or more. This effectively makes it impossible to stop the attack simply by blocking a single IP address; plus, it is very difficult to distinguish legitimate user traffic from attack traffic when spread across so many points of origin.
DDoS: The Rise of the Botnets
Where does an attacker even get thousands of machines to launch a DDoS? Distributed Denial of Service attacks are executed by a so-called botnet – a collection of computers around the world infected with an attacker's malware.
Malware infections can install silent software on a victim machine which places it under the control of a remote attacker. Successful botnets can be comprised of hundreds of thousands of infected machines, typically without the owners' knowledge. There big money in creating botnets – among other things, botnet creators rent out their creations to criminal enterprises who can use them to launch a DDoS.
Large-scale DDoS attacks are not random. The perpetrators choose their victim deliberately, either due to a grudge, revenge, or an attempt to bully them into meeting some demands – possibly including paying extortion. Renting a botnot to launch a DDoS can cost about $100 per day, so the duration of an attack is partially dependent on how well-funded the attacker.
Inside a DDoS
The specific mechanisms used by a DDoS to "drop" a web site or network can vary depending on the attacker's preferred strategy. One major difference between DDoS implementations is whether they target the computing resources of the victim's machine or the network resources.
An attack against a web server based on HTTP flooding – as many as 10,000 requests per second – can overwhelm the server software, eventually consuming the machine's memory, CPU time, and possibly even disk space (if the log files grow out of control).
An attack such as a SYN flood instead focuses on the TCP network, overloading it with unacknowledged packets. Depending on how an organization's network is managed, this kind of DDoS can not only overwhelm a server, it also can overload switches or other network resources, potentially impacing a victim's entire network, including casualties unrelated to the victim if they share network space with the same ISP.
HTTP and SYN floods are not the only weapons in a DDoS attacker's arsenal but they are among the most common. Other attack mechanisms may include UDP, ICMP and DNS floods, as well as mailbombs. A so-called "mixed DDoS" can incorporate several of these weapons into one attack.
Can a DDoS be stopped?
Let's start with the bad news: It is very difficult to defend against a sophisticated DDoS attack launched by a determined adversary.
Many organizations struck by a DDoS are left to scramble in an effort to stop the attack once it has already begun. Sometimes this requires coordination with the ISP that provides network access. This is especially true when an ISP is forced to "null route" a victim – meaning that to protect other customers, the ISP routes traffic intended for the victim into the trash. This of course effectively prevents all access, including from legitimate users.
One of the more well-known countermeasures against a SYN flood is the use of "SYN cookies" either in the server OS or, better yet for network efficiency, in a network security device at the network edge such as the Cisco Guard. SYN cookies provide a more efficient method for tracking incoming TCP connections lessening the chance for a typical SYN flood to overwhelm the stack.
An effective defense against an HTTP flood can be the deployment of a reverse proxy – in particular a collection of reverse proxies spread across multiple hosting locations. A reverse proxy is somewhat akin to a bouncer at a nightclub, deciding which guests are allowed into the party, where the real web server is. By deploying many bouncers in different locations, the crush of incoming traffic is split into fractions, lessening the possibility of the network becoming overwhelmed. Deploying this type of architecture can be done in the scramble after an attack has begun, or baked into the network architecture of a web site as a preventative defense.
The limitation with these DDoS defenses is that if the attacker can generate network traffic at a higher rate than your network's Internet connection can handle, it will be hard to avoid a meltdown. But what these defense strategies do accomplish is at least force the attacker to get a bigger gun.
Aaron Weiss is a technology writer and frequent contributor to eSecurity Planet and Wi-Fi Planet.