DDoS Defenses Evolve Along With the Threat
With distributed denial of service attacks coming from criminal and even political organizations, what's the best way to keep your systems safe from DDoS attacks? Security mechanisms continue to evolve, but are they enough?
The attack was called off and many lauded Amazon for its ability to ward off the DDoS that had been prevalent on the Internet during early- to mid-December, part of Anonymous' Operation: Payback campaign to "raise awareness about WikiLeaks and the underhanded methods employed by the above companies to impair WikiLeaks' ability to function," according to a December 10 press release purportedly from the group.
It is widely believed that Amazon.com was able to fend off the DDoS attack from Anonymous easily because of its already-massive infrastructure and because of the attackers' bad timing. In December, the holiday shopping rush was already sending so much traffic to the Amazon.com site that any spike from a DDoS was simply lost in the crush of all the other traffic.
Regardless of what actually happened on Dec. 9, one thing is very clear: most of the network administrators out there don't work for Amazon.com, and thus any DDoS attack, small or large, poses a serious risk for any online business activity. So how do you go about preventing great harm if a DDoS attack comes your way?
There are, of course, the better-known prevention methods that any network administrator should be using already.
DDoS prevention methods you should already be using
Disable any unused services, to minimize the number of open ports and to reduce the chance that someone could come in and exploit a known vulnerability. Along those lines, patch everything: keeping your software as up-to-date as possible also minimizes vulnerability. Firewalls can help, too, but only to a point: they can stop flooding attacks coming in on "odd" ports, but there is no way to stop web-based traffic from rolling right in on the ports you must keep open. Also, if you disable IP broadcasting, you can block ICMP-based attacks, such as ICMP packet magnification ("smurf") or ping of death attacks.
These are the general methods that will keep your network broadly protected against all but the most sophisticated DDoS attacks. For specific DDoS defense, the most successful techniques have involved some form of IP packet filtering.
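To make the filtering rules above concrete, here is an added Python sketch (not code from the article or from any product it mentions) that applies them to a constructed batch of packet summaries: closed ports for unused services, ICMP echo requests aimed at the directed-broadcast address (smurf), oversized reassembled ICMP (ping of death), and a simple per-source packet budget as the kind of IP packet filtering the last paragraph refers to. The network, addresses, port set and limits are all assumed values chosen for the example.

```python
import ipaddress
from collections import Counter

# Constructed packet summaries (not real captures): (proto, src, dst, dport, length).
# dport is None for ICMP; length is the reassembled IP length in bytes.
SAMPLE_PACKETS = [
    ("tcp", "203.0.113.5", "198.51.100.10", 443, 1200),
    ("tcp", "203.0.113.5", "198.51.100.10", 80, 600),
    ("udp", "203.0.113.7", "198.51.100.10", 1434, 400),       # port of an unused service
    ("icmp", "203.0.113.9", "198.51.100.255", None, 84),      # echo to directed broadcast (smurf)
    ("icmp", "203.0.113.9", "198.51.100.10", None, 70000),    # oversized reassembled echo (ping of death)
] + [("tcp", "203.0.113.44", "198.51.100.10", 80, 60)] * 120  # one source hammering port 80

ALLOWED_PORTS = {80, 443}                                   # the only services we still expose
LOCAL_NET = ipaddress.ip_network("198.51.100.0/24")         # assumed protected network
MAX_IP_PACKET = 65535                                       # largest legal IP datagram
PER_SOURCE_LIMIT = 100                                      # assumed per-source packet budget


def filter_packets(packets, allowed_ports=ALLOWED_PORTS, local_net=LOCAL_NET,
                   per_source_limit=PER_SOURCE_LIMIT):
    """Return (accepted, dropped); dropped maps packet index -> the rule that dropped it."""
    accepted, dropped = [], {}
    per_source = Counter()
    for i, pkt in enumerate(packets):
        proto, src, dst, dport, length = pkt
        dst_ip = ipaddress.ip_address(dst)
        if length > MAX_IP_PACKET:
            dropped[i] = "oversized-ip"          # ping-of-death style reassembly overflow
        elif proto == "icmp" and dst_ip == local_net.broadcast_address:
            dropped[i] = "icmp-broadcast"        # smurf amplification request
        elif proto in ("tcp", "udp") and dport not in allowed_ports:
            dropped[i] = "closed-port"           # unused service: keep the port closed
        else:
            per_source[src] += 1
            if per_source[src] > per_source_limit:
                dropped[i] = "rate-limit"        # flooding source exceeded its budget
            else:
                accepted.append(pkt)
    return accepted, dropped


def drop_summary(dropped):
    """Count dropped packets per rule, e.g. {'rate-limit': 20, ...}."""
    return dict(Counter(dropped.values()))


if __name__ == "__main__":
    acc, drp = filter_packets(SAMPLE_PACKETS)
    print(len(acc), "accepted;", drop_summary(drp))
```

Note that the web traffic on ports 80 and 443 still gets through, which is the point the firewall paragraph makes; only the per-source budget touches it, and a real distributed flood spreads across many sources to stay under such budgets.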