Strategies of Protection from Distributed Denial of Service (DDoS) Attacks

Overview of Attacks

Computer network security is a challenge as old as the Internet itself. The sophistication and infamy of network-based system attacks has kept pace with the security technology, and hackers only feel more challenged by the latest heuristics designed to foil their efforts. Some attackers exploit system weaknesses for political purposes, disgruntled about the state of software or hardware in the market today. Others target specific systems out of spite or a grudge against a specific company. Yet others are simply in search of the infamy of bringing a high-traffic site to its knees with a denial of service (DoS) attack. In such an attack, the hacker attempts to consume all the resources of a networked system so that no other users can be served. The implications for victims range from a nuisance to millions of dollars in lost revenue.

Consequences of Attacks

Any computer can be infected, and the consequences can range from a nuisance pop-up ad to thousands of dollars in costs for replacement or repair. For this reason, Anti-Virus (AV) software for all PCs should be a mandatory element of any network security strategy. But whether you measure cost in terms of lost revenue, lost productivity, or actual repair/restore expenses, the cost of losing a server to an attack is far more severe than losing a laptop or desktop. Servers that host hundreds or thousands of internal users, partners, and revenue-bearing services are usually the targets of hackers, because this is where the pain is felt most. Protecting these valuable assets appropriately is paramount.


In early 2000, the industry saw a new kind of 'worm' attack, in which hundreds or thousands of (sometimes unsuspecting) systems were employed to simultaneously bombard a target host, paralyzing its productivity. Several high traffic sites such as Amazon.com, Buy.com, CNN, Yahoo, and eBay were affected by these Distributed Denial of Service (DDoS) attacks. Because each attacking system looks innocent, advanced techniques are required to separate the 'bad' traffic from the 'good' traffic. This chapter will touch on some of today's proposed solutions to protect against DDoS.

Distributed Denial of Service Attacks
In Distributed Denial of Service (DDoS) attacks, hackers write a program that will covertly send itself to dozens, hundreds, or even thousands of other computers. These computers are known as 'agents' or 'zombies', because they will act on behalf of the hackers to launch an attack against target systems. The network of such computers is called a botnet.


To circumvent detection, attackers are increasingly mimicking the behavior of a large number of clients. The resulting attacks are hard to defend against with standard techniques, because the malicious requests differ from the legitimate ones in intent but not in content.

At a predetermined time, the worm will cause all of these zombies to attempt repeated connections to a target site. If the attack is successful, it will deplete all system or network resources, thereby denying service to legitimate users or customers.


E-commerce sites, domain name servers, web servers, and email servers are all vulnerable to these types of attacks. IT managers must take steps to protect their systems - and their businesses - from irreparable damage.

Strategies for Protection
The best security strategies encompass people, operations, and technology. The first two typically fall within an autonomous domain, e.g. within a company or IT department that can enforce procedures among employees, contractors or partners. But since the Internet is a public resource, such policies cannot be applied to all potential users of a public website or email server. Thankfully, technology offers a range of security products to address the various vulnerabilities.


Firewalls
Firewalls can go a long way to solving some problems by restricting access to authorized users and blocking unwanted protocols. As such, they are a valuable part of a security strategy. But public websites and ecommerce servers cannot know in advance who will be accessing them and cannot 'prescreen' users via an access list. Certain protocols can be blocked by firewalls, but most DoS attacks utilize authorized ports (e.g. TCP port 80 for a web server) that cannot be blocked by a firewall without effectively blocking all legitimate HTTP traffic to the site, thereby completing the hacker's task.


Firewalls offer some security against a single user DoS attack by denying access to the offending connection (once it is known), but most DoS attacks today are distributed among hundreds or thousands of zombies, each of which could be sending legal packets that would pass firewall scrutiny. Firewalls perform a valuable service in an integrated security strategy, but firewalls alone are not enough.

Router Access Control Lists
Likewise, access lists in the router can be used to block certain addresses, if such addresses can be known a priori. But websites open to the public are, by nature, open to connections from individual computers, which are exactly the agents hackers use to initiate attacks. In a Distributed DoS (DDoS) Attack, thousands of innocent looking connections are used in parallel. Although router access lists can be used to eliminate offending packets once they are identified, routers lack the processing power and profiling heuristics to make such identifications on their own.

In addition, complex access lists can cause processing bottlenecks in routers, whose main function is to route IP packets. Performing packet inspections at layers 2, 3, and 4 taxes the resources of the router and can limit network throughput.

Anti-Virus Software
End systems cannot be considered secure without anti-virus software. Such software will scan all inputs to the system for known viruses and worms, which can cause damage to the end system and any others they may infect. Even after a virus is known and characterized, instances of it are still circulating on the Internet, through email, on CDs and floppy disks. A good anti-virus subscription that is frequently updated for the latest protection is invaluable to any corporate or individual computer user.

But even anti-virus software is not enough to catch certain attacks that have been cleverly disguised. Once a system is infected with a new strain, the damage can be done before the virus or worm is detected and the system is disinfected.


Application Protection
Such packages include software that watches for email anomalies, database access queries, or other behavior that may exploit a vulnerability in the application. Because it must be very specific - and very close - to the application it is protecting, application protection is typically implemented as software on the host. Dedicated servers would benefit from well-designed application security software that will maintain the integrity of the code and detect anomalous behavior that could indicate an attack. Certain malicious code can attempt to overwrite registers on the end-system and thereby hijack the hardware for destructive purposes.


Intrusion Detection Systems
Intrusion Detection Systems (IDS) are designed to 'listen' to traffic and behavior and set an alarm if certain conditions are met. Some IDS implementations live in the host, while others are deployed in the network. The IDS sensor monitors traffic, looking for protocol violations, traffic rate changes or matches to known attack 'signatures'. When a threat is detected, an alarm is sent to notify a (human) network administrator to intervene.


All IDSs use software, but some run on general purpose computers, while others make use of purpose-built hardware.


Host Based Intrusion Detection and Prevention Systems (HIPS)
Some intrusion detection systems are designed as software running on general purpose computing platforms. Not to be confused with application security software (mentioned above), which runs on the end system and focuses primarily on layers 5-7, software-based intrusion systems must also focus on layers 2-4 of the protocol stack. These packages rely on the CPU power of the host system to analyze traffic as it comes into the server. General purpose computers often lack the performance required to monitor real-time network traffic and perform their primary functions. Creating a bottleneck in the network or on the server actually helps the hacker accomplish his goal by restricting access to valuable resources.


End-systems provide the best environment for signature recognition because packets are fully reassembled and any necessary decryption has been performed. However, signature based intrusion detection has its limitations, as described below.

Content Based Intrusion Prevention Systems
The next step in the evolution of Intrusion security leads to Intrusion Prevention Systems (IPS). Unlike Intrusion Detection Systems, which require manual intervention from an administrator to stop an attack, an IPS will automatically take action to prevent an attack once it is recognized. This can cut down response time to near zero, which is the ultimate goal of intrusion security. Intrusion Prevention must be intelligent, however, or the remedy may actually accomplish the hacker's goal of denying resource to legitimate users.


Prevention mechanisms can also be harmful if detection is subject to false positives, or incorrect identification of intrusion. If the prevention action is to disable a port, protocol, or address, a false positive could result in denial of service to one or more legitimate users.



DDoS Mitigation Systems
An alternative to signature recognition is rate-based analysis. Rate-based systems must provide detailed analysis and/or control of traffic flow. A baseline of traffic patterns is established, usually during a learning mode in which the device only 'listens' without acting on any alarm conditions. A good system will have default parameters set to reasonable levels, but the 'listening' period is required to learn the traffic behavior on various systems. The listening period should be 'typical,' in the sense that no attacks or unusual traffic patterns should be present. For example, Saturday and Sunday are probably not good days to build a baseline for a corporate server that is much busier during the workweek. Periods of unusually high or low traffic also make bad listening intervals: for example, Christmas vacation week, or unusually high traffic due to external events (press releases, sales promotions, Super Bowl halftime shows, etc.).

Once a baseline is established, rate-based systems watch for deviations from the known traffic patterns to detect anomalies. Good systems will allow an administrator to override the baseline parameters if events causing traffic surges are foreseen, for example, a server backup scheduled overnight.

While signature-based systems are scrutinized for false-negatives, or failing to identify an attack, rate-based systems should be scrutinized for false positives, or misidentifying legitimate changes in traffic patterns as attacks. Whether setting alarms or taking preventative action, rate-based systems must be well-designed to avoid unnecessary overhead.

Equally important for rate-based systems are their analysis tools. Administrators should be able to view their traffic patterns on a variety of levels, and use this information to tune their network resources.

Characteristics to look for in a DDoS Mitigation System
Security is unquestionably a concern for anyone whose business depends on their ability to access or provide digital information. A layered security approach involving people, operations, and technology is the best way to protect networked systems. Intrusion Prevention Systems are emerging as a key element of this technology category. Here are some characteristics to look for when choosing a DDoS mitigation system:


Throughput vs Goodput
Much debate surrounds the topic of performance in a DDoS mitigation system. Since the DDoS mitigation system is supposed to block traffic, one could argue that performance is measured by the number of packets dropped. But a DDoS mitigation system that only catches 90% of the packets it should have caught can hardly be called 'good enough.' A more intuitive definition of throughput for a DDoS mitigation system is 'the rate at which legitimate traffic is passed through while the detection/prevention mechanism is fully functional.' If this is less than the throughput without a DDoS mitigation system, then the DDoS mitigation system is introducing a performance bottleneck into the network. The consequences of this limitation could be severe since many attacks are designed to flood the network with traffic and overwhelm attached devices and servers. A DDoS mitigation system that will choke during a DDoS attack is not worth its price.

Granularity
The more granular the configuration options a DDoS mitigation system offers, the more detailed the detection and prevention that can be done. A good DDoS mitigation system will offer the flexibility to block entire protocols as well as rate limit individual ports. The DDoS mitigation system should also be able to detect basic protocol violations such as identical source/destination address, illegal TCP state transitions, sequence number errors, and port scanning.
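The protocol-violation checks listed above can be illustrated on constructed packet records. The following is an added example written for this page, not code from the original article or from any vendor's product: it implements three of the four checks named (identical source/destination address, an illegal TCP handshake transition, and port scanning by one source); sequence number validation is not covered. The packet tuples, the `FlowTracker` class and the `audit` function are assumptions of this example, and the handshake rules are a deliberately simplified model rather than a full TCP state machine.

```python
from collections import defaultdict

# Constructed packet records: (src_ip, dst_ip, src_port, dst_port, tcp_flags)
HANDSHAKE = [
    ("10.0.0.5", "192.0.2.10", 40001, 80, {"SYN"}),
    ("192.0.2.10", "10.0.0.5", 80, 40001, {"SYN", "ACK"}),
    ("10.0.0.5", "192.0.2.10", 40001, 80, {"ACK"}),
]
LAND_STYLE = ("192.0.2.10", "192.0.2.10", 80, 80, {"SYN"})     # identical src/dst address
ORPHAN_ACK = ("10.0.0.9", "192.0.2.10", 5555, 443, {"ACK"})    # ACK with no prior SYN
SCAN = [("10.0.0.7", "192.0.2.10", 50000 + n, p, {"SYN"})       # one source, many ports
        for n, p in enumerate((21, 22, 23, 25, 80, 110, 143, 443))]
PACKETS = HANDSHAKE + [LAND_STYLE, ORPHAN_ACK] + SCAN


def identical_endpoints(pkt):
    """Source and destination IP are the same: no legitimate client sends this."""
    return pkt[0] == pkt[1]


class FlowTracker:
    """Minimal three-way-handshake tracker (simplified assumption of this
    example). Flags that do not fit the state a flow is in are reported as
    illegal transitions."""

    def __init__(self):
        self.state = {}   # flow key -> "SYN_SENT" | "SYN_RECEIVED" | "ESTABLISHED"

    @staticmethod
    def key(pkt):
        src, dst, sport, dport, _flags = pkt
        return tuple(sorted([(src, sport), (dst, dport)]))   # direction-independent

    def observe(self, pkt):
        """Return None if the packet fits the flow's state, else a short reason."""
        flags = pkt[4]
        k = self.key(pkt)
        state = self.state.get(k)
        if {"SYN", "FIN"} <= flags:
            return "SYN and FIN set together"
        if "SYN" in flags and "ACK" not in flags:
            self.state[k] = "SYN_SENT"      # a new handshake may start at any time
            return None
        if {"SYN", "ACK"} <= flags:
            if state != "SYN_SENT":
                return "SYN/ACK without a preceding SYN"
            self.state[k] = "SYN_RECEIVED"
            return None
        if "ACK" in flags:
            if state is None:
                return "ACK on a flow that never completed a SYN"
            self.state[k] = "ESTABLISHED"
            return None
        return None


def scan_sources(packets, distinct_port_threshold=5):
    """Sources touching more than N distinct destination ports on one host."""
    ports = defaultdict(set)
    for src, dst, _sport, dport, _flags in packets:
        ports[(src, dst)].add(dport)
    return sorted({src for (src, _dst), seen in ports.items()
                   if len(seen) > distinct_port_threshold})


def audit(packets, distinct_port_threshold=5):
    """Run all three checks and return the offending packet indices / sources."""
    tracker = FlowTracker()
    report = {"identical_endpoints": [], "illegal_transitions": [], "scan_sources": []}
    for i, pkt in enumerate(packets):
        if identical_endpoints(pkt):
            report["identical_endpoints"].append(i)
            continue                        # a forged packet must not create flow state
        reason = tracker.observe(pkt)
        if reason:
            report["illegal_transitions"].append((i, reason))
    report["scan_sources"] = scan_sources(packets, distinct_port_threshold)
    return report


if __name__ == "__main__":
    for name, hits in audit(PACKETS).items():
        print(f"{name}: {hits}")
```

On the constructed input the audit reports the land-style packet by index, the orphan ACK with its reason, and `10.0.0.7` as the only scanning source; the legitimate handshake produces nothing. The distinct-port threshold is the knob that trades scan sensitivity against false positives on hosts that legitimately expose many services.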


Dynamic Prevention
A DDoS mitigation system should be able to implement prevention features without requiring human intervention. But simply closing down protocol or port access may not be acceptable for an e-commerce or web server. Offending ports or users should be managed with as much granularity as possible to avoid blocking legitimate users. Source Tracking, or the ability to identify the source of an attack or abuse, is an excellent feature for prevention and analysis.


Further, the ability to dynamically estimate future traffic patterns based on learned traffic history is a valuable feature of a Rate-Based IPS. Most server traffic patterns vary throughout the day or week, showing signs of 'seasonality' that reflect the ebb and flow of load times. Hard-coded rate-limits can often limit legitimate increases in traffic such as caused by file transfers, heavy website traffic in response to new content or promotion, or end-of-quarter access to a financial database. A rate-based IPS that can provide dynamic assignment of thresholds can adapt to this type of seasonality which will keep critical networked systems and services available when they are needed.
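The baseline learning, anomaly detection and administrator override described in the DDoS Mitigation Systems section, together with the seasonality argument just made, can be shown in one small model. The following is an added example written for this page, not code from the original article or from any vendor's product. Its request-rate samples are constructed, the per-hour-of-day baseline and the mean-plus-k-standard-deviations threshold are this example's own assumptions about how a rate-based system might be built, and the function names (`learn_baseline`, `threshold_for`, `adaptive_alarms`, `static_alarms`) are hypothetical.

```python
from collections import defaultdict
from statistics import mean, pstdev


def _quiet_rate(day, hour):
    """Constructed 'typical' load in requests/sec: busy office hours, quiet
    nights, with a deterministic spread so no random module is needed."""
    base = 500 if 9 <= hour < 18 else 50
    return base + ((day * 7 + hour * 3) % 5) * 20


# Five quiet weekdays of hourly samples: the 'listening' period.
BASELINE_SAMPLES = [(d, h, _quiet_rate(d, h)) for d in range(5) for h in range(24)]


def learn_baseline(samples):
    """samples: (day, hour, rate). One (mean, stdev) bucket per hour of day,
    so daily seasonality becomes part of the model instead of an anomaly."""
    buckets = defaultdict(list)
    for _day, hour, rate in samples:
        buckets[hour].append(rate)
    return {h: (mean(v), pstdev(v)) for h, v in buckets.items()}


def threshold_for(baseline, hour, k=3.0, floor=5.0):
    """Adaptive threshold for one hour bucket: mean + k standard deviations.
    'floor' stops a nearly constant bucket from producing a zero-width band."""
    mu, sigma = baseline[hour]
    return mu + k * max(sigma, floor)


def adaptive_alarms(baseline, observations, overrides=frozenset(), k=3.0):
    """overrides: (day, hour) slots an administrator excused in advance, such
    as a scheduled overnight backup; they are skipped rather than alarmed."""
    alarms = []
    for day, hour, rate in observations:
        if (day, hour) in overrides:
            continue
        limit = threshold_for(baseline, hour, k)
        if rate > limit:
            alarms.append((day, hour, rate, round(limit, 1)))
    return alarms


def static_alarms(observations, limit):
    """The hard-coded rate limit the text warns about, for comparison."""
    return [(d, h, r, limit) for d, h, r in observations if r > limit]


BASELINE = learn_baseline(BASELINE_SAMPLES)

# Constructed observations on a later day: an overridden backup at 02:00, a
# normal night hour, a normal busy hour, a daytime flood, and a night flood.
OBSERVED = [(10, 2, 400), (10, 3, 100), (10, 10, 600), (10, 14, 2000), (10, 22, 400)]
OVERRIDES = frozenset({(10, 2)})

if __name__ == "__main__":
    print("adaptive:", adaptive_alarms(BASELINE, OBSERVED, OVERRIDES))
    print("static 1000 rps:", static_alarms(OBSERVED, 1000))
    print("static 150 rps:", static_alarms(OBSERVED, 150))
```

With the constructed data the adaptive thresholds raise alarms only for the two floods (14:00 and 22:00): the 400 rps night flood is caught because the night bucket's threshold is around 175 rps, while the 600 rps busy-hour reading stays under the daytime threshold of about 625 rps. A single static limit cannot do both: at 1000 rps it misses the night flood, and at 150 rps it flags legitimate daytime traffic, which is the false-positive failure the text describes. The example also shows why the learning window must be clean: an attack inside `BASELINE_SAMPLES` would inflate that hour's mean and standard deviation and quietly raise its threshold.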

Traffic Analysis Tools
Because the DDoS mitigation system sees all the traffic passing through it, a good set of analysis tools should be available to show peak utilization, seasonality in traffic patterns (throughout the day, week, month, or year), and attack profiles. Granularity should be available from minutes to months.

Affordability
Security is important, but budgets are a very real limiting factor in how security is implemented. Fortunately, new advances in DDoS mitigation system technology have made good security very affordable. The price should allow protection of critical services without being prohibitive.

Conclusion
Designing a security strategy for networked assets can be a daunting task. New threats demand new types of security elements. Traditional firewalls and content filters play an essential role in any network strategy, but neither can adequately defend against rate-based attacks such as those that were caused by MyDoom, SQL Slammer, Witty, and Code-Red. Anti-virus software is essential for all individual systems, but the most valuable assets are the multi-user networked systems and the services that run on them. Only rate-based protection can neutralize the threat of Denial of Service attacks against critical network systems and services. Among rate-based solutions, those offering continuous learning and dynamic estimation of traffic patterns provide the most adaptive protection against seasonality and normal traffic variability. These systems are now available and extremely affordable, putting true zero-hour prevention within the reach of all network budgets.

See also:

Best Practices for DDoS Mitigation