Best Practices for Distributed Denial of Service (DDoS) Attack Mitigation

Overview of Attacks

Computer network security is a challenge as old as the Internet itself. The sophistication and infamy of network-based attacks have kept pace with security technology, and hackers only feel more challenged by the latest heuristics designed to foil their efforts. Some attackers exploit system weaknesses for political purposes, disgruntled about the state of software or hardware in the market today. Others target specific systems out of spite or a grudge against a specific company. Yet others are simply in search of the infamy of bringing a high-traffic site to its knees with a denial of service (DoS) attack. In such an attack, the hacker attempts to consume all the resources of a networked system so that no other users can be served. The implications for victims range from a nuisance to millions of dollars in lost revenue.

Consequences of Attacks

Any computer can be infected, and the consequences can range from a nuisance pop-up ad to thousands of dollars in replacement or repair costs. For this reason, anti-virus (AV) software on all PCs should be a mandatory element of any network security strategy. But you certainly cannot enforce your organizational policies on all users of the Internet, and that is where the problem begins: unmanaged machines are easy targets for infection and therefore become tools in the hands of hackers and hacktivists.

Whether you measure cost in terms of lost revenue, lost productivity, or actual repair/restore expenses, the cost of losing a server to an attack is far more severe than losing a laptop or desktop. Servers that host hundreds or thousands of internal users, partners, and revenue-bearing services are usually the targets of hackers, because this is where the pain is felt most. Protecting these valuable assets appropriately is paramount.

The WikiLeaks-related incidents recently brought DDoS attacks back into the spotlight: MasterCard, Visa and many other sites were targets of DDoS attacks. Such attacks cause both financial and reputational loss.

Distributed Denial of Service Attacks
In Distributed Denial of Service (DDoS) attacks, hackers write a program that covertly spreads itself to dozens, hundreds, or even thousands of other computers. These computers are known as agents or bots, because they act on behalf of the hackers to launch an attack against target systems; the network of such computers is called a botnet.


To circumvent detection, attackers increasingly mimic the behavior of a large number of legitimate clients. The resulting attacks are hard to defend against with standard techniques, because the malicious requests differ from legitimate ones in intent but not in content.

At a predetermined time, the botmaster directs all of these zombies to attempt repeated connections to a target site. If the attack succeeds, it depletes system or network resources, thereby denying service to legitimate users or customers.


E-commerce sites, domain name servers, web servers and email servers are all vulnerable to these types of attacks. IT managers must take steps to protect their systems, and their businesses, from irreparable damage.

Best Practices for DDoS Attack Mitigation
The best security strategies encompass people, operations and technology. The first two typically fall within an autonomous domain, e.g. a company or IT department that can enforce procedures among employees, contractors or partners. But since the Internet is a public resource, such policies cannot be applied to all potential users of a public website or email server. Thankfully, technology offers a range of security products to address the various vulnerabilities.

 


DDoS Mitigation Using DDoS Mitigation Hardware Appliances

Visibility into the network is a key element of DDoS mitigation. Administrators need to know what services are running on their network, where the most traffic is, where the spare bandwidth is, whether there is a worm outbreak, whether a non-mission-critical large file download is causing an outage of mission-critical services, and so on. They need to identify the causes of network slowdowns. For network planning, they need visibility into the inventory, dependencies and usage of the network, and they must be able to use that visibility to improve consolidation, segmentation and disaster recovery planning projects. This also helps them budget cost allocation for network resources.


This approach not only improves the performance of the physical network; it gives administrators the flexibility and insight they need to introduce new services and create new revenue opportunities. Visibility into the network gives administrators a clear understanding of the nature of all traffic flows crossing the network, through inspection of the packets on the wire.


IntruGuard’s IG2000 helps monitor and control network activity, helping administrators optimize the network for long-term service improvements and mitigate short-term problems before they impact service levels. It collects usage statistics continuously, offering real-time visibility into all aspects of the network. This helps network administrators understand the past and the present, and make forecasts of future behavior to preempt potential network issues. The devices can report abnormal phenomena as they happen, automatically mitigate them and maintain service levels.


The IG2000 provides visibility of network traffic at the highest level of granularity in the industry. Packet rates in both directions to different network segments, broken down by Layer 2, 3, 4 and 7 header parameters, are available for visualization and for control of bandwidth or access.


With this granularity shown over historical and current data, administrators and operations staff can easily spot deviations. The system maintains a dynamic baseline, based on past averages, trends and seasonality, for each of these parameters, and can take action to prevent overages.
This visibility and reporting of past and present traffic is also useful for compliance reporting such as Sarbanes-Oxley (SOX).

A full year’s worth of traffic and event information is archived in the system for reporting purposes.

After granular visibility comes automated mitigation. The IG2000 provides automated mitigation of slow, fast, stealth, non-stealth, spoofed and non-spoofed attacks, including such common attacks as SYN floods, botnet floods, port floods, fragment floods and ICMP floods. Besides mitigating attacks, the system reports attack events and their details via an easy-to-use GUI, SNMP traps or email/pager notifications. Easy-to-interpret management reports summarize past incidents at a macro level.

This DoS mitigation exceeds the PCI DSS Level 3 vulnerability requirements for compliance reporting, and meets or exceeds all requirements for scans such as port scans, network scans and dark address scans. Requirements related to header and state anomalies are met as well.

Since a large DDoS attack can easily overwhelm most mission-critical servers and firewalls, a clean-pipe solution placed in front of them protects the downstream infrastructure, including the network and node protection devices.

Best Practices for DDoS Mitigation (Basic Users)

  • Update the kernel to the latest release
  • Install all security updates
  • Disable unused and insecure services
  • Remove unused packages
  • Memory can be exhausted by filling up kernel tables, such as the connection tracking table or the SYN backlog, that are not tuned to be large enough. Make sure you understand the relevant kernel tables and their limits.
  • The network card is the gateway for packets. A better network card handles large numbers of packets better, and a better driver gives better performance.
  • Choose a proven vendor and model, such as Intel, with a driver that is already hardened.
  • Use the Netfilter/iptables firewall to drop bad packets.
  • Use the hashlimit match to identify and rate-limit source IPs that are consuming resources.
  • Use the ipset module to maintain large block lists of IP addresses that can be queried, loaded and unloaded from user space.
  • Use the command netstat -plan | grep ':80 ' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n to find out whether port 80 is being hit by too many connections from a few IPs (the trailing space after :80 keeps port 8080 from matching).
  • Use Apache modules such as mod_evasive and mod_limitipconn to limit the number of requests or connections from a single IP.
  • Try mod_qos to improve quality of service.
  • Apache has its limits; you can try LiteSpeed.
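The netstat, hashlimit and ipset items above, worked into one script as an added example (this is not code from the original page or from IntruGuard). The ipset name, the connection threshold, the SYN rate limit and the sample netstat output are all assumptions chosen for illustration; the sample is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: count established connections per client IP, pick the
# offenders above a threshold, and feed them into an ipset that an
# iptables DROP rule consults. A hashlimit rule caps per-source SYN rate.
# Set name, thresholds and rate limits are assumed values.

SET="${SET:-http_attackers}"   # ipset name (assumption)

# Print "count ip" for every remote IP with an ESTABLISHED connection to
# local TCP port $1, reading `netstat -tan` style lines from stdin.
# The local-address column is matched on ":80" at the end of the field,
# so port 8080 does not match as it would with a bare `grep :80`.
conns_per_ip() {
    awk -v p=":$1" '
        $1 ~ /^tcp/ && $4 ~ (p "$") && $6 == "ESTABLISHED" {
            ip = $5; sub(/:[0-9]+$/, "", ip); n[ip]++
        }
        END { for (ip in n) print n[ip], ip }
    ' | sort -rn
}

# Keep only the IPs whose connection count is at least the threshold $1.
over_threshold() {
    awk -v t="$1" '$1 >= t { print $2 }'
}

# Read IPs on stdin and add them to the ipset (entries expire after an hour),
# installing the DROP rule and a per-source SYN rate limit on first use.
# Only acts when APPLY=1 and run as root; otherwise it is a dry run.
apply_blocklist() {
    if [ "${APPLY:-0}" != 1 ]; then
        echo "dry run: would block: $(tr '\n' ' ')" >&2
        return 0
    fi
    ipset -exist create "$SET" hash:ip timeout 3600
    iptables -C INPUT -m set --match-set "$SET" src -j DROP 2>/dev/null ||
        iptables -I INPUT -m set --match-set "$SET" src -j DROP
    # hashlimit: drop SYNs from any source sending more than 30/s (burst 60)
    iptables -C INPUT -p tcp --syn --dport 80 -m hashlimit --hashlimit-name http_syn \
        --hashlimit-mode srcip --hashlimit-above 30/sec --hashlimit-burst 60 -j DROP 2>/dev/null ||
        iptables -A INPUT -p tcp --syn --dport 80 -m hashlimit --hashlimit-name http_syn \
        --hashlimit-mode srcip --hashlimit-above 30/sec --hashlimit-burst 60 -j DROP
    while read -r ip; do
        ipset -exist add "$SET" "$ip"
    done
}

# Constructed sample in `netstat -tan` format (not from a real host).
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             198.51.100.7:51000      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:51001      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:51002      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.9:40000       ESTABLISHED
tcp        0      0 10.0.0.5:8080           192.0.2.44:3333         ESTABLISHED
tcp        0      0 10.0.0.5:80             192.0.2.44:3334         TIME_WAIT'

# Usage on a live host, as root (replace the sample with real output):
#   APPLY=1; netstat -tan | conns_per_ip 80 | over_threshold 50 | apply_blocklist
printf '%s\n' "$SAMPLE" | conns_per_ip 80 | over_threshold 3 | apply_blocklist
```

On the sample, conns_per_ip 80 reports 3 connections from 198.51.100.7 and 1 from 203.0.113.9; the 8080 and TIME_WAIT lines are ignored. Thresholds of 3 and 30 SYN/s are far too low for a real server; pick values from your own baseline, and remember that a legitimate NAT gateway can look like a single busy client.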

Best Practices for DDoS Mitigation (Advanced Users)

Use Latest Technology

Hackers keep up to date on techniques. If your DDoS mitigation appliance is built around technology developed in the early 2000s, it won't help you much, as most current-generation attacks will pass straight through it.

Centralize monitoring

Look for appliances that let you centrally monitor all DDoS events and traffic in your network. You can use SNMP with tools such as Cacti or MRTG to graph traffic levels, attack levels and attack events, and configure syslog to collect all attack events on a centralized server.

Get visibility into normal network traffic patterns

Look for appliances that give you extremely granular visibility into your network traffic. Typically you should look for a 12-month round-robin view of what normal traffic looks like, and incorporate this information into a correlation engine for threat detection, alerts and reporting.

Ensure alerting mechanisms

Look for appliances that give you a threshold-based alerting mechanism for DDoS-specific events. You should be able to set different thresholds so that different people are alerted depending on the magnitude of the attack, query a database for top attacks, top attackers, top attacked destinations, etc., and create custom queries for your own applications and reports.

Filtering Mechanisms to Reduce False Positives

Look for appliances that filter traffic at different network layers, inspecting incoming packets using dynamic profiling (based on monitoring and analysis of normal behavior), anti-spoofing algorithms and other techniques to progressively filter harmful traffic upstream of the network.

Look for low latency

Latency, in this context, is the time it takes a packet to pass through the appliance. Look for appliances that do not add significant latency to your mission-critical traffic. Most switches and routers have low latency, under about 50 microseconds, and anti-DDoS equipment should maintain similar levels. This latency should be maintained even during attacks.

Prefer hardware logic for DDoS mitigation

These days it is common for a $100 home router to claim DDoS attack mitigation capability. Such claims have to withstand third-party tests and real life. It is also easy to build an Intel CPU-based appliance running Linux with some behavioral capability built in and claim anti-DDoS features. Many IPS appliances implement the IPS in hardware logic but the anti-DDoS capability in software; such appliances cannot handle attacks beyond a certain rate in Mbps.

Look for custom DDoS mitigation logic implemented in hardware, as that alone can withstand large DDoS attacks. A granular approach selectively mitigates attacks at the highest possible layer, so that each attack is stopped at the most specific layer that identifies it. This reduces false positives.

The ability to monitor a large number of ports, sources, destinations, connections, etc. helps in properly identifying attacks and attackers.

Look for Bypass and Redundancy

Look for internal or external bypass capability that ensures your network traffic continues to flow even if the appliance fails under some critical condition. For multiple links, look for the ability to cross-connect appliances in a fail-over configuration. In addition, look for asymmetric traffic support, because you may have traffic entering on one link and leaving through another.

Extensible Architecture

Anti-DDoS equipment must grow with your business. Look for appliances whose capacity can grow through licenses.

 

Openness in Architecture and Specifications

Anti-DDoS equipment should not be black magic. Its specifications and operation should be clear to users, and the controls and visibility available to users should be well specified.

Reputed Third Party Validation

Look for third-party validation of the solution you choose; it mitigates some of the risk of not being able to test it in your own lab. Many companies offer "third-party validation" from random people who are probably paid by them and have no previous reviewing experience. Read such reviews, but whether to trust them we leave up to you.

Conclusion
Designing a security strategy for networked assets can be a daunting task. New threats demand new types of security elements. Traditional firewalls and content filters play an essential role in any network strategy, but neither can adequately defend against DDoS attacks.

See also:

Understand the technology elements of DDoS mitigation

Strategies of protection from DDoS attacks.