Best Practices for Distributed Denial of Service (DDoS) Attack Mitigation

Overview of Attacks

Computer network security is a challenge as old as the Internet itself. The sophistication and notoriety of network-based system attacks have kept pace with security technology, and hackers only feel more challenged by the latest heuristics designed to foil their efforts. Some attackers exploit system weaknesses for political purposes, disgruntled about the state of software or hardware in the market today. Others target specific systems out of spite or a grudge against a specific company. Yet others are simply in search of the infamy of bringing a high-traffic site to its knees with a denial of service (DoS) attack. In such an attack, the hacker attempts to consume all the resources of a networked system so that no other users can be served. The implications for victims range from a nuisance to millions of dollars in lost revenue.

Consequences of Attacks

Any computer can be infected, and the consequences can range from a nuisance pop-up ad to thousands of dollars in costs for replacement or repair. For this reason, Anti-Virus (AV) software for all PCs should be a mandatory element of any network security strategy. But whether you measure cost in terms of lost revenue, lost productivity, or actual repair/restore expenses, the cost of losing a server to an attack is far more severe than losing a laptop or desktop. Servers that host hundreds or thousands of internal users, partners, and revenue-bearing services are usually the targets of hackers, because this is where the pain is felt most. Protecting these valuable assets appropriately is paramount.


In early 2000, the industry saw a new kind of 'worm' attack, in which hundreds or thousands of (sometimes unsuspecting) systems were employed to simultaneously bombard a target host, paralyzing its productivity. Several high-traffic sites such as Amazon.com, Buy.com, CNN, Yahoo, and eBay were affected by these Distributed Denial of Service (DDoS) attacks. Because each attacking system looks innocent, advanced techniques are required to separate the 'bad' traffic from the 'good' traffic. This chapter will touch on some of today's proposed solutions to protect against DDoS.

Distributed Denial of Service Attacks
In Distributed Denial of Service (DDoS) attacks, hackers write a program that covertly copies itself to dozens, hundreds, or even thousands of other computers. These computers are known as 'agents' or 'zombies', because they act on behalf of the hackers to launch an attack against target systems. The network of such computers is called a botnet.


To circumvent detection, attackers are increasingly mimicking the behavior of a large number of clients. The resulting attacks are hard to defend against using standard techniques, because the malicious requests differ from the legitimate ones in intent but not in content.

At a predetermined time, the worm will cause all of these zombies to attempt repeated connections to a target site. If the attack is successful, it will deplete all system or network resources, thereby denying service to legitimate users or customers.


E-commerce sites, domain name servers, web servers, and email servers are all vulnerable to these types of attacks. IT managers must take steps to protect their systems, and their businesses, from irreparable damage.

Best Practices for DDoS Attack Mitigation
The best security strategies encompass people, operations, and technology. The first two typically fall within an autonomous domain, e.g. within a company or IT department that can enforce procedures among employees, contractors or partners. But since the Internet is a public resource, such policies cannot be applied to all potential users of a public website or email server. Thankfully, technology offers a range of security products to address the various vulnerabilities.


Cloud Based DDoS Mitigation
If you can afford it, ensure that your Internet Service Provider gives you a clean pipe using cloud-based DDoS mitigation. If you use multiple links, ensure that every link is protected.

There is always a significant amount of residual DDoS traffic that will flow through. That is why you need a DDoS mitigation system in your own network to handle the remainder of the attack.

IntruGuard helps cloud service providers with solutions for DDoS attack mitigation as well.

If your service provider doesn't provide DDoS attack mitigation services, you must take care of your own network to avoid collateral and other damages.

Edge Router Access Control Lists
Access lists in the router can be used to block certain addresses, if such addresses can be known a priori. But websites open to the public are, by nature, open to connections from individual computers, which are exactly the agents hackers use to initiate attacks.

Robust edge routers are the key to a solid foundation for a robust data center infrastructure. Their high performance lets them sustain large DDoS attacks without performance loss. Juniper routers provide the ability to perform packet filtering and black-hole routing combined with a traffic flow filtering capability.

Data center administrators today use primarily two methods to mitigate attacks once the NOC has discovered them: packet filters and black-hole routing. Packet filters, also referred to as firewall filters or access control lists, are set in the edge routers to rate-limit or discard traffic being sent to or from specific IP addresses. Packet filtering in edge routers is useful when you know the cause and the source of the DDoS and can apply the filter without affecting legitimate traffic.


Black-hole routing in edge routers has been used in the past for DDoS mitigation, but it effectively denies all traffic towards the victim, legitimate traffic included. This is the major shortcoming of black-hole routing. It is still a good weapon to keep in reserve when nothing else seems to work.


Traffic flow filters in edge routers are a better alternative to black-hole routing. They cleanly separate the filtering information from the forwarding information, which simplifies operation and limits the risk of configuration mistakes. All inter-AS routing information between service providers is exchanged using BGP; MP-BGP is used exclusively to exchange VPN routing information, and many service providers use iBGP for intra-AS routing updates as well. This lets service providers use the BGP already running on their edge routers to exchange traffic flow filters for DDoS mitigation.
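The difference between the two router-side responses above can be made concrete with a small simulation. This is an added example, not code from the white paper or from any router vendor: the victim address, the attack tuple (UDP to port 53) and the traffic sample are all constructed, and the policies are simplified to a single match decision per packet.

```python
# Added example: contrast a black-hole route (discard everything destined to
# the victim) with a traffic flow filter (discard only the attack's
# destination/protocol/port tuple). All addresses and packets are constructed.
from collections import Counter

VICTIM = "203.0.113.10"  # constructed documentation address (RFC 5737 range)

# Constructed traffic sample: (src, dst, proto, dst_port, legitimate?)
PACKETS = (
    [("198.51.100.7", VICTIM, "udp", 53, False)] * 6        # attack: UDP/53 flood
    + [("192.0.2.5", VICTIM, "tcp", 443, True)] * 3          # legitimate HTTPS
    + [("192.0.2.9", VICTIM, "tcp", 25, True)] * 2           # legitimate SMTP
    + [("192.0.2.9", "203.0.113.20", "tcp", 80, True)] * 2   # traffic to another host
)

def blackhole(pkt):
    """Black-hole route: every packet whose destination is the victim is dropped,
    regardless of protocol or port."""
    return "drop" if pkt[1] == VICTIM else "forward"

def flow_filter(pkt, rules):
    """Traffic flow filter: drop only packets whose (dst, proto, dst_port) tuple
    matches an installed rule; all other traffic is forwarded normally."""
    _, dst, proto, dport, _ = pkt
    return "drop" if (dst, proto, dport) in rules else "forward"

def evaluate(policy):
    """Apply a policy to the sample and count outcomes per traffic class,
    e.g. {'attack_drop': 6, 'legit_drop': 5, 'legit_forward': 2}."""
    counts = Counter()
    for pkt in PACKETS:
        kind = "legit" if pkt[4] else "attack"
        counts[f"{kind}_{policy(pkt)}"] += 1
    return dict(counts)

if __name__ == "__main__":
    rules = {(VICTIM, "udp", 53)}  # the single flow filter for this attack
    print("black-hole  :", evaluate(blackhole))
    print("flow filter :", evaluate(lambda p: flow_filter(p, rules)))
```

The black-hole policy stops the flood but also discards every legitimate packet to the victim, which is exactly the collateral loss the text describes; the flow filter drops the same six attack packets and forwards all legitimate traffic.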


DDoS Mitigation Using DDoS Mitigation Hardware Appliances

Visibility in the network is the next important key to DDoS mitigation. The administrators need to know what services are running on their network, where the most traffic is, where the excess bandwidth is, whether there is a worm outbreak, whether there is a non-mission-critical large file download causing outage to mission-critical services, and so on. Administrators need to identify the network slowdown causes. For network planning purposes, they need to gain visibility into inventory, dependency and usage of the network. They must be able to leverage visibility into the network to improve consolidation, segmentation and disaster recovery planning projects. This will help them budget cost allocation for network resources.


This approach not only improves the performance of the physical network, but it gives administrators the flexibility and insight they need to introduce new services and create new revenue opportunities. Visibility into the network helps administrators by providing a clear understanding of the nature of all traffic flows crossing the network, through inspection of the packets on the network.


IntruGuard's IG2000 helps monitor and control network activity, helping administrators optimize the network for long-term service improvements and mitigate short-term problems before they impact service levels. It collects usage statistics on a continuous basis, offering real-time visibility into all aspects of the network. This helps network administrators understand the past and the present, as well as make intelligent forecasts on future behaviors to preempt potential network issues. The devices can report on abnormal phenomena as they happen, automatically mitigate them, and maintain service levels.


The IG2000 provides visibility of the network traffic at the highest level of granularity in the industry. Packet rates in two directions to different network segments for various network Layer 2, 3 and 4 header parameters are available for visualization and control of bandwidth or access.


With this kind of granularity shown over historic and current data, the administrator and operations staff can easily spot deviations. The system maintains a dynamic baseline for each of these parameters, based on past average, trends and seasonality, and can take action to prevent overages. This visibility and past-and-present reporting is useful for compliance reporting such as Sarbanes-Oxley (SOX).

A full year's worth of traffic and event information is archived in the system for reporting purposes.

After granular visibility comes automated mitigation. The IG2000 provides automated mitigation against slow, fast, stealth, non-stealth, spoofed and non-spoofed attacks. These include such common attacks as SYN floods, botnet floods, port floods, fragment floods, ICMP floods and so on. Besides mitigating attacks, the systems report the attack events and their details via an easy-to-use GUI, SNMP traps or email/pager notifications. Easy-to-interpret management reports summarize past incidents at a macro level.
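The dynamic baseline and the flood detection described in the two passages above rest on the same idea: compare the current rate for a Layer 3/4 parameter against what is normal for that parameter at that time of day. The following is an added example of that idea, not the IG2000's own algorithm; the hourly seasonal buckets, the three-standard-deviation margin and the seven-day SYN-rate history are assumptions constructed for illustration.

```python
# Added example (not the vendor's implementation): a seasonal baseline per
# hour of day built from past samples, with an adaptive threshold of
# mean + k * stdev. History, bucket size and k are constructed assumptions.
import math
from collections import defaultdict

BUCKETS_PER_DAY = 24  # one seasonal bucket per hour of day (assumption)

def seasonal_baseline(history, buckets=BUCKETS_PER_DAY):
    """history: packets/sec samples, one per hour, oldest first.
    Returns {hour_of_day: (mean, stdev)} computed over all past days."""
    by_bucket = defaultdict(list)
    for i, rate in enumerate(history):
        by_bucket[i % buckets].append(rate)
    baseline = {}
    for bucket, vals in by_bucket.items():
        mean = sum(vals) / len(vals)
        var = sum((v - mean) ** 2 for v in vals) / len(vals)
        baseline[bucket] = (mean, math.sqrt(var))
    return baseline

def threshold(baseline, hour, k=3.0, floor=1.0):
    """Adaptive threshold for the given hour: mean + k * stdev. The floor keeps
    a perfectly regular history from producing a zero-width band."""
    mean, sd = baseline[hour % BUCKETS_PER_DAY]
    return mean + k * max(sd, floor)

def detect(history, current, hour, k=3.0):
    """Return (is_anomalous, threshold) for the current rate at this hour."""
    thr = threshold(seasonal_baseline(history), hour, k)
    return current > thr, thr

def synthetic_history(days=7):
    """Constructed SYN/s history to TCP port 443: a low night-time level
    (hours 0-7), a daytime plateau, and deterministic jitter for spread."""
    hist = []
    for d in range(days):
        for h in range(BUCKETS_PER_DAY):
            base = 200 if h < 8 else 2000
            hist.append(base + (d * 7 + h) % 11 * 10)
    return hist

if __name__ == "__main__":
    hist = synthetic_history()
    # The same 2100 SYN/s is ordinary at 14:00 but a flood at 03:00.
    print("14:00 ->", detect(hist, 2100, 14))  # (False, ~2146.9)
    print("03:00 ->", detect(hist, 2100, 3))   # (True,  ~346.9)
```

A fixed global threshold would have to be set either above the daytime plateau, missing the night-time flood, or below it, alarming every afternoon; the per-hour baseline avoids both.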

This DoS mitigation exceeds the PCI DSS Level 3 vulnerability requirements for compliance reporting, besides meeting and exceeding all requirements for scans such as dark address scans. In addition, requirements related to all header and state anomalies are met and exceeded.

Because a large DDoS attack can easily overwhelm most mission-critical servers and firewalls, it is clear that the presence of a clean-pipe solution helps the downstream infrastructure, which includes the network and node protection infrastructure.

Firewalls
Firewalls can go a long way to solving some problems by restricting access to authorized users and blocking unwanted protocols. As such, they are a valuable part of a security strategy.


Firewalls offer some security against a single user DoS attack by denying access to the offending connection (once it is known). Firewalls perform a valuable service in an integrated security strategy, but firewalls alone are not enough.

Their ability to hide private networks using Network Address Translation (NAT) is extremely valuable in network security architecture.


Intrusion Detection and Prevention (IDP) Systems

Using IDP, the administrators can secure the data center network from sophisticated attacks and improve the overall security stance of the network.

IPS technology applies a deeper level of application understanding to the traffic in order to make access control decisions based on the intent of that traffic. Deployed at the traditional security perimeter, a Juniper Networks Deep Inspection firewall focuses on preventing application-level attacks aimed at commonly used protocols. As a true IPS, Deep Inspection eliminates application-level ambiguities by performing de-fragmentation, reassembly, scrubbing and normalization to convert network packets into the application-level message being transferred between the client and the server. It then checks protocol conformance, extracts data from the identified application "service fields" where attacks are perpetrated, and applies attack pattern matches. It then decides to accept or deny the traffic based on high-impact protocol anomalies or any given attack pattern in one of these application service fields. Unlike some IDS offerings masquerading as an IPS, Deep Inspection can take any one of seven different decisive actions against an attack to stop application-level attacks at the Internet gateway so they never reach their destination. For high-speed perimeter and internal network environments, where performance and attack protection demands dictate that an integrated solution is the ideal approach, integrated, best-in-class Intrusion Detection and Prevention (IDP) stops worms, Trojans, spyware, malware and other emerging attacks from penetrating and proliferating across the network.


Conclusion
Designing a security strategy for networked assets can be a daunting task. New threats demand new types of security elements. Traditional firewalls and content filters play an essential role in any network strategy, but neither can adequately defend against rate-based attacks such as those caused by MyDoom, SQL Slammer, Witty, and Code Red. Anti-virus software is essential for all individual systems, but the most valuable assets are the multi-user networked systems and the services that run on them. Best practices for DDoS mitigation take a holistic approach to network security, with multiple layers of appliances working together along with an enterprise security policy that covers all threats. Only rate-based protection can neutralize the threat of Denial of Service attacks against critical network systems and services. Among rate-based solutions, those offering continuous learning and dynamic estimation of traffic patterns provide the most adaptive protection against seasonality and normal traffic variability. These systems are now available and extremely affordable, putting true zero-hour prevention within the reach of all network budgets.
