DoS Attacks and Continuity of Operations
The focus of this article is the Denial of Service (DoS) attack: what it is, and what can be done to keep such an attack from disrupting normal operations.
So what is a DoS attack?
It is simply an attack directed at an intended target, and it can affect any type of service. Typically it is aimed at a specific server or at a specific company.
"Ultimately, DDoS protection is a moving target and tracking the best ways of dealing with it will change as the attack types change."
- Sean Wilkins
This type of attack is carried out with malicious Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP) traffic.
In today's large-bandwidth networks it is not very effective to launch an attack on a company from a single location: a single source is much easier to trace, and it is hard for one location to obtain enough bandwidth to affect the target.
This is how the Distributed Denial of Service (DDoS) attack came about; as the name states, a DDoS attack is distributed over a number of different physical locations.
These attacks are typically launched from bots: compromised computers that have an Internet connection.
The bots are directed by central controllers to carry out assigned tasks. These tasks vary, but can include initiating a DDoS attack on a specified target.
Now when the combined bandwidth of thousands of bots comes into play, any company can have their Internet connectivity partially or completely blocked.
So what are the solutions to this problem?
You could make it so that machines aren't vulnerable to exploitation, but this is like asking that water not be wet. Vulnerabilities can be limited, but ultimately it relies on the education of the users.
Because the traffic originators can't be easily controlled, a method must be used in order to mitigate the effect of the attack and gather as much information as possible from it in order to locate the exploited machines and their controllers.
Typically, the methods used to mitigate the attack are "blackhole" routing and access control lists.
With "blackhole" routing, a provider routes all traffic from a given source network, or to a given destination network, into a non-existent network, which effectively drops all traffic to or from that source or destination.
This is typically deployed by Internet Service Providers (ISPs) in order to limit the effect of an attack on the other customers on their network.
In the case of a DDoS attack, blocking one source is not going to fix the problem, as there can be thousands of sources, so blackholing tends to be applied based on the destination address or network.
The problem with this technique is that it essentially does what the attacker is trying to do by bringing down the target network.
The other technique that has been used is access control lists (ACLs).
These are lists configured on the routing equipment which control what traffic is allowed in and out of a given network element, be it a router, a layer 3 enabled switch, or both.
The main problem with ACLs is that they are typically static and must be reconfigured by hand during an attack to have any effect, and even then the sheer number of sources to be blocked makes them not very effective.
There are a number of solutions out there which have been introduced in order to best deal with DDoS attacks.
The two that seem the most popular are DDoS mitigation through anomaly detection and Border Gateway Protocol (BGP) traffic flow filtering.
The way that anomaly detection works is that it looks for the signs of a specific attack (not just DDoS attacks).
If the system believes that an attack may be happening it automatically reroutes the traffic to a secondary appliance which is used to verify the findings and screen the attack traffic before allowing the valid traffic into the network.
BGP traffic flow filtering is essentially an extension of the "blackhole" and ACL ideas, but with additional intelligence.
When a provider notices an attack, it is able to track the attack down to the specific source and destination address or network as well as the specific protocols and ports which are being used.
This information is then relayed to the provider's (or providers') BGP routers, which in turn "blackhole" only the traffic with these specific characteristics.
This technology does rely on a large BGP infrastructure that supports traffic flow filtering; the standard developed for this is RFC 5575, Dissemination of Flow Specification Rules.
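To make the RFC 5575 mechanism concrete, here is an added example (not code from the article) that encodes a "drop UDP/53 to this prefix" rule into the Flow Specification NLRI wire format a provider's BGP routers would exchange, and parses it back. It handles only the destination-prefix, IP-protocol and destination-port components with equality matches; the other component types and the lt/gt operator bits are out of scope.

```python
"""RFC 5575 BGP Flow Specification NLRI encoder/decoder (added example, not from the article)."""
import ipaddress
DST_PREFIX, IP_PROTO, DST_PORT = 1, 3, 5   # component types, RFC 5575 section 4

def _numeric(ctype, values):
    # OR-list of 'eq' matches. Operator byte, MSB first:
    # e(end-of-list) a(and) len(2 bits: 0 = 1-byte value, 1 = 2-byte) 0 lt gt eq
    out = bytearray([ctype])
    for i, v in enumerate(values):
        size = 1 if v < 256 else 2
        op = 0x01 | (0x10 if size == 2 else 0x00)      # eq, plus value length
        if i == len(values) - 1:
            op |= 0x80                                 # last pair in the list
        out += bytes([op]) + v.to_bytes(size, "big")
    return bytes(out)

def encode_flowspec(dst_prefix, proto, dst_ports):
    net = ipaddress.IPv4Network(dst_prefix)            # strict: host bits must be zero
    nbytes = (net.prefixlen + 7) // 8                  # only significant octets are sent
    body = (bytes([DST_PREFIX, net.prefixlen]) + net.network_address.packed[:nbytes]
            + _numeric(IP_PROTO, [proto]) + _numeric(DST_PORT, dst_ports))
    if len(body) < 240:                                # one-byte length form
        return bytes([len(body)]) + body
    return (0xF000 | len(body)).to_bytes(2, "big") + body   # extended two-byte length

def decode_flowspec(nlri):
    # Returns {'dst': cidr, 'proto': [...], 'dport': [...]} for one NLRI
    length, pos = (int.from_bytes(nlri[:2], "big") & 0x0FFF, 2) if nlri[0] >= 0xF0 else (nlri[0], 1)
    end, rule = pos + length, {}
    while pos < end:
        ctype, pos = nlri[pos], pos + 1
        if ctype == DST_PREFIX:
            plen, nbytes = nlri[pos], (nlri[pos] + 7) // 8
            addr = int.from_bytes(nlri[pos + 1:pos + 1 + nbytes].ljust(4, b"\0"), "big")
            rule["dst"] = str(ipaddress.IPv4Network((addr, plen)))
            pos += 1 + nbytes
        elif ctype in (IP_PROTO, DST_PORT):
            vals = []
            while True:                                # walk the operator/value pairs
                op = nlri[pos]
                size = 1 << ((op >> 4) & 0x3)
                vals.append(int.from_bytes(nlri[pos + 1:pos + 1 + size], "big"))
                pos += 1 + size
                if op & 0x80:
                    break
            rule["proto" if ctype == IP_PROTO else "dport"] = vals
        else:
            raise ValueError(f"component type {ctype} not handled in this example")
    return rule
```

For example, encode_flowspec("192.0.2.0/24", 17, [53]) yields the 12-byte NLRI 0b 01 18 c0 00 02 03 81 11 05 81 35, which is far narrower than blackholing the whole prefix.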
Ultimately, DDoS protection is a moving target and tracking the best ways of dealing with it will change as the attack types change.
At this time these solutions should be able to mitigate a large number of the current attacks and limit the number of future attacks.
The second part of this is the continued education of the computer user; to completely give up on the end user is not a fruitful option as any computer secured is one less that is exploited.